TAMBUS: A novel authentication method through covert channels for securing industrial networks

Nowadays, many companies still use old and insecure protocols in Industrial Control Systems (ICSs). An example of such protocols is Modbus, one of the most employed industrial protocols. Also, companies are moving to Modbus/TCP when there are TCP devices involved in the facility. While remaining insecure, this migration also disrupts the assumption of air-gapped industrial networks, opening more attack surface to previously isolated systems. Due to legacy and efficiency constraint, the replacement of Modbus/TCP with secure protocols is not possible, generating big security issues. In this paper, we present TAMBUS (Transmitter Authentication and packet integrity in Modbus/TCP). This method is the first that at the same time: is not implemented in a secure by obscurity design and keeps the Modbus/TCP protocol compatible with legacy devices. TAMBUS allows detecting attacks with high statistical confidence, by leveraging two covert channels as a mean of providing security: 1) Storage-based, that hides authentication messages into the Modbus/TCP protocol fields; 2) Timing-based, that considers the inter-arrival time of packets. We demonstrate the feasibility and effectiveness of our method through a prototype implementation and testing in an industrial testbed environment. Our experiments confirm that TAMBUS introduces only a small overhead, negligible in most application, and it preserves the regular functioning of industrial systems. In particular, considering the storage-based covert channel, TAMBUS introduces an error into transmitted values of only 1.19×10⁻⁵%, without traffic overhead. On the other hand, TAMBUS can transmit correct security information through the timing-based covert channel with an accuracy of more than 99.99%.