Protecting Modbus/TCP-Based Industrial Automation and Control Systems Using Message Authentication Codes
Critical infrastructure (CI), such as energy and water distribution systems, is essential for the stability and well-being of modern society. Industrial automation and control systems (IACSs) form the backbone of CIs and enable the operation of such systems in a safe and reliable manner. However...
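Main Authors: | Filip Katulic, Damir Sumina, Stjepan Gros, Igor Erceg |
---|---|
Format: | Article |
Language: | English |
Published: | IEEE 2023-01-01 |
Series: | IEEE Access |
Subjects: | Automation; communication system security; cyber-physical systems; industrial communication |
Online Access: | https://ieeexplore.ieee.org/document/10122945/ |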
_version_ | 1797823414872834048 |
---|---|
author | Filip Katulic Damir Sumina Stjepan Gros Igor Erceg |
author_sort | Filip Katulic |
collection | DOAJ |
description | Critical infrastructure (CI), such as energy and water distribution systems, is essential for the stability and well-being of modern society. Industrial automation and control systems (IACSs) form the backbone of CIs and enable the operation of such systems in a safe and reliable manner. However, with the increasing use of industrial Ethernet communication protocols, such as Modbus-over-TCP (Modbus/TCP), once air-gapped IACSs are becoming vulnerable to potential cybersecurity threats. This paper presents a novel method for enhancing the cybersecurity of Modbus/TCP-based IACSs by implementing an authentication method based on message authentication codes (MACs). To provide partial protection of communication even when communicating with legacy Modbus/TCP peers, we propose a novel supervising device that analyzes exchanged messages and verifies the authenticity of the protected messages. To experimentally verify the protection method, a water-treatment cyber-physical system (CPS) was implemented as a digital twin in a programmable logic controller (PLC). The underlying MAC is Chaskey-12, a lightweight MAC defined in IEC 29192-6. It was implemented in the PLC program using the programming languages defined in IEC 61131-3. As an additional contribution, the presented implementation allows protection of communication between PLCs and other Modbus/TCP peers installed in existing IACSs without hardware or firmware modifications. The results show that the method provides protection against network attacks without significantly affecting performance, also demonstrating the feasibility of such protection in IACSs. |
first_indexed | 2024-03-13T10:23:41Z |
format | Article |
id | doaj.art-4388e4afca8943649bf8f9970e95d28c |
institution | Directory Open Access Journal |
issn | 2169-3536 |
language | English |
last_indexed | 2024-03-13T10:23:41Z |
publishDate | 2023-01-01 |
publisher | IEEE |
record_format | Article |
series | IEEE Access |
spelling | doaj.art-4388e4afca8943649bf8f9970e95d28c; 2023-05-19T23:00:51Z; eng; IEEE; IEEE Access; 2169-3536; 2023-01-01; 11; 47007; 47023; 10.1109/ACCESS.2023.3275443; 10122945; Protecting Modbus/TCP-Based Industrial Automation and Control Systems Using Message Authentication Codes; Filip Katulic (https://orcid.org/0009-0001-7332-7843); Damir Sumina (https://orcid.org/0000-0001-8474-125X); Stjepan Gros (https://orcid.org/0000-0001-6619-2859); Igor Erceg (https://orcid.org/0000-0002-2913-6249); Faculty of Electrical Engineering and Computing, University of Zagreb, Zagreb, Croatia (all four authors); https://ieeexplore.ieee.org/document/10122945/; Automation; communication system security; cyber-physical systems; industrial communication |
title | Protecting Modbus/TCP-Based Industrial Automation and Control Systems Using Message Authentication Codes |
topic | Automation communication system security cyber-physical systems industrial communication |
url | https://ieeexplore.ieee.org/document/10122945/ |