Encryption
From Open SCADA Security Project
Encryption should be used wherever traffic passes through potentially hostile environments. Some protocols, such as SNMP version 1, disclose their community strings in the clear.
Remote
Remote devices can be in locations with minimal physical security. In many situations, without encryption, network segregation, or tamper proofing, this provides a means for network access.
Clear Communication
In many SCADA systems it doesn't matter that people can see the level of a water storage tank or how many kVA are being sent to some substation down the road. Encryption is a relatively expensive use of bandwidth when one considers that it would be used on a multi-drop 9600 bps radio channel. An example of a standard for encrypting such links is AGA-12/IEEE P1631, also known as a "Bump-in-the-Wire" solution. Its one advantage is that it can be used with any protocol.
Authentication
An alternative is secure authentication. An example of this approach can be found in IEC 62351. The DNP3 protocol uses this approach. Basically, using symmetric keys, a master or an RTU can choose to challenge certain commands or status reports by comparing hash codes. This is a lightweight approach because the overhead is only present when the challenge/response transaction takes place. Everything is still sent in the clear. However, when a command of some significance is sent, the RTU will challenge it and the master will have to respond to it. This prevents unauthorized users from commanding something they should not have access to.
Secure authentication can also leave a record at the RTU of who commanded some critical function to happen. Such records may prove to be very important for analysis after a major disaster.
These are complementary approaches to the problem of operating in a hostile communications environment. They are not mutually exclusive, though the use of both on the same system may be very unwieldy.
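A simplified model of the challenge/response exchange described under Authentication, added here as an illustration. It is not code from the Open SCADA Security Project and does not follow the DNP3 or IEC 62351 message formats. The command names, the user ID, the class layout and the choice of HMAC-SHA-256 as the keyed hash are assumptions.

```python
import hashlib
import hmac
import secrets

CRITICAL = {"OPERATE_BREAKER", "SET_SETPOINT"}  # hypothetical command names


def mac(key, nonce, command):
    """Keyed hash binding the response to this challenge and this command."""
    return hmac.new(key, nonce + command.encode(), hashlib.sha256).digest()


class Rtu:
    """Outstation that challenges critical commands and records who issued them."""

    def __init__(self, keys):
        self.keys = keys      # user id -> pre-shared symmetric key
        self.pending = {}     # user id -> (command, nonce) awaiting a response
        self.audit = []       # (user, command, outcome) kept at the RTU

    def receive(self, user, command):
        """Routine traffic passes unchallenged; critical commands get a nonce."""
        if command not in CRITICAL:
            return None
        nonce = secrets.token_bytes(16)  # fresh per command, so replays fail
        self.pending[user] = (command, nonce)
        return nonce

    def respond(self, user, tag):
        """Verify the master's keyed hash; each challenge can be answered once."""
        command, nonce = self.pending.pop(user, (None, b""))
        key = self.keys.get(user)
        ok = (command is not None and key is not None
              and hmac.compare_digest(tag, mac(key, nonce, command)))
        self.audit.append((user, command, "executed" if ok else "rejected"))
        return ok


def demo():
    key = secrets.token_bytes(32)  # constructed sample key
    rtu = Rtu({"operator1": key})
    results = [rtu.receive("operator1", "READ_TANK_LEVEL")]  # no challenge
    nonce = rtu.receive("operator1", "OPERATE_BREAKER")
    good = mac(key, nonce, "OPERATE_BREAKER")
    results.append(rtu.respond("operator1", good))   # valid response
    results.append(rtu.respond("operator1", good))   # replayed response
    rtu.receive("operator1", "OPERATE_BREAKER")      # new challenge issued
    results.append(rtu.respond("operator1", mac(b"wrong", nonce, "OPERATE_BREAKER")))
    return results, rtu.audit
```

The routine read carries no authentication overhead, while the audit list is the RTU-side record of who attempted each critical command and whether it was accepted.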

