Cyber-attacks on Industrial Automation and Control Systems (IACS) are rising in numbers and sophistication. Embedded controller devices such as Programmable Logic Controllers (PLCs), which are central to controlling physical processes, must be secured against attacks on confidentiality, integrity and availability. The focus of this paper is to add design-level support for security in IACS applications, especially around inter-PLC communications. We propose an end-to-end solution to develop IACS applications with inherent, and parametric support for security. Built using the IEC 61499 Function Blocks standard, this solution allows us to annotate certain communications as 'secure' during design time. When the application is compiled, these annotations are transformed into a security layer that implements encrypted communication between PLCs. In this paper, we implement a part of this security layer focussed on confidentiality, called Confidentiality Layer for Function Blocks (CL4FB), which provides a range of encryption/decryption and secure key exchange functionalities. We study the impact of using CL4FB in IACS applications with real-time constraints. Through a case study focussing on protection functions in smart-grids, we show that varying levels of confidentiality can be achieved while also meeting hard real-time deadlines.
翻译:对工业自动化和控制系统的网络攻击在数量和复杂性上都在增加。 嵌入式控制器装置,例如程序化逻辑控制器(PLC),对于控制物理过程至关重要,必须保证不受到对保密、完整性和可用性的攻击。 本文的重点是增加对工业自动化和控制系统的应用程序安全的设计支持, 特别是围绕工业自动化和控制系统的通信。 我们提出一个端到端的解决方案, 开发ICAS应用程序, 提供内在支持和安全的参数支持。 使用 IEC 61499 函数区块标准, 这个解决方案使我们能够在设计期间将某些通信说明为“ 安全 ” 。 当应用程序编译时, 这些说明会变成一个安全层, 执行PLCs之间的加密通信。 在本文中,我们执行这一安全层的一部分以保密为主, 称为功能屏障的保密层( CLO4FB), 提供一系列加密/ 解密和安全的关键交换功能。 我们研究了在ICS 应用程序中使用 CL4FB 的影响, 在实时限制下使用 CL4FB 的应用程序中, 我们研究这些功能的影响。 通过一个智能的加密的保密性研究, 同时显示我们实现了硬格的保密水平。