Printed from https://ideas.repec.org/a/eee/ijocip/v6y2013i1p12-24.html

A security-hardened appliance for implementing authentication and access control in SCADA infrastructures with legacy field devices

Author

Listed:
  • Hieb, Jeffrey L.
  • Schreiver, Jacob
  • Graham, James H.

Abstract

Considerable progress has been made with regard to securing industrial control systems. However, security challenges remain for field devices, and these challenges are compounded by the presence of legacy field devices. This paper describes the design, implementation and performance of a security-hardened, bolt-on, security appliance for legacy field devices. The approach uses a microkernel-based architecture and employs Bloom filters to implement challenge-response authentication and role-based access control in an in-line field device security pre-processor. The microkernel-based architecture isolates network-interacting software from security-enforcing components, reducing the size of the trusted computing base of the device. Bloom filters provide a fast and constant access time solution for authentication and authorization checks. An analysis of the impact of Bloom filter false positive rates is provided, and it is shown that the false positive rates can be made arbitrarily low. Experimental results are also presented for a prototype device. Security-related computations on the pre-processor take less than one millisecond to perform, indicating that the prototype and the underlying approach are well-suited to a variety of industrial control system environments. Penetration tests demonstrate that the device is robust to attack, except for certain denial-of-service attacks.

Suggested Citation

  • Hieb, Jeffrey L. & Schreiver, Jacob & Graham, James H., 2013. "A security-hardened appliance for implementing authentication and access control in SCADA infrastructures with legacy field devices," International Journal of Critical Infrastructure Protection, Elsevier, vol. 6(1), pages 12-24.
  • Handle: RePEc:eee:ijocip:v:6:y:2013:i:1:p:12-24
    DOI: 10.1016/j.ijcip.2013.01.001

    Download full text from publisher

    File URL: http://www.sciencedirect.com/science/article/pii/S1874548213000024
    Download Restriction: Full text for ScienceDirect subscribers only
