TY - JOUR
T1 - TAMBUS
T2 - A novel authentication method through covert channels for securing industrial networks
AU - Bernieri, Giuseppe
AU - Cecconello, Stefano
AU - Conti, Mauro
AU - Lain, Gianluca
PY - 2020/12/24
Y1 - 2020/12/24
N2 - Nowadays, many companies still use old and insecure protocols in Industrial Control Systems (ICSs). An example of such protocols is Modbus, one of the most widely employed industrial protocols. Also, companies are moving to Modbus/TCP when there are TCP devices involved in the facility. While remaining insecure, this migration also breaks the assumption of air-gapped industrial networks, opening more attack surface on previously isolated systems. Due to legacy and efficiency constraints, replacing Modbus/TCP with secure protocols is not possible, which creates serious security issues. In this paper, we present TAMBUS (Transmitter Authentication and packet integrity in Modbus/TCP). This method is the first that, at the same time, is not based on a security-by-obscurity design and keeps the Modbus/TCP protocol compatible with legacy devices. TAMBUS allows detecting attacks with high statistical confidence by leveraging two covert channels as a means of providing security: 1) storage-based, which hides authentication messages in the Modbus/TCP protocol fields; 2) timing-based, which considers the inter-arrival time of packets. We demonstrate the feasibility and effectiveness of our method through a prototype implementation and testing in an industrial testbed environment. Our experiments confirm that TAMBUS introduces only a small overhead, negligible in most applications, and preserves the regular functioning of industrial systems. In particular, considering the storage-based covert channel, TAMBUS introduces an error into transmitted values of only 1.19×10⁻⁵%, without traffic overhead. On the other hand, TAMBUS can transmit correct security information through the timing-based covert channel with an accuracy of more than 99.99%.
AB - Nowadays, many companies still use old and insecure protocols in Industrial Control Systems (ICSs). An example of such protocols is Modbus, one of the most widely employed industrial protocols. Also, companies are moving to Modbus/TCP when there are TCP devices involved in the facility. While remaining insecure, this migration also breaks the assumption of air-gapped industrial networks, opening more attack surface on previously isolated systems. Due to legacy and efficiency constraints, replacing Modbus/TCP with secure protocols is not possible, which creates serious security issues. In this paper, we present TAMBUS (Transmitter Authentication and packet integrity in Modbus/TCP). This method is the first that, at the same time, is not based on a security-by-obscurity design and keeps the Modbus/TCP protocol compatible with legacy devices. TAMBUS allows detecting attacks with high statistical confidence by leveraging two covert channels as a means of providing security: 1) storage-based, which hides authentication messages in the Modbus/TCP protocol fields; 2) timing-based, which considers the inter-arrival time of packets. We demonstrate the feasibility and effectiveness of our method through a prototype implementation and testing in an industrial testbed environment. Our experiments confirm that TAMBUS introduces only a small overhead, negligible in most applications, and preserves the regular functioning of industrial systems. In particular, considering the storage-based covert channel, TAMBUS introduces an error into transmitted values of only 1.19×10⁻⁵%, without traffic overhead. On the other hand, TAMBUS can transmit correct security information through the timing-based covert channel with an accuracy of more than 99.99%.
KW - Covert channel
KW - Cyber–physical system (CPS) security
KW - Modbus TCP
UR - http://www.scopus.com/inward/record.url?scp=85092043788&partnerID=8YFLogxK
U2 - 10.1016/j.comnet.2020.107583
DO - 10.1016/j.comnet.2020.107583
M3 - Article
AN - SCOPUS:85092043788
SN - 1389-1286
VL - 183
JO - Computer Networks
JF - Computer Networks
M1 - 107583
ER -