
How AGA 12-1 Protects SCADA Data In Transit

A Presentation To The COTF1 Group By Bill Rush Gas Technology Institute April 26, 2003 Sun Valley, Idaho. How AGA 12-1 Protects SCADA Data In Transit. We Will Overview AGA 12-1 And Develop Background. Project History Threats And Attacks Cryptographic Fundamentals


Presentation Transcript


  1. A Presentation To The COTF1 Group By Bill Rush Gas Technology Institute April 26, 2003 Sun Valley, Idaho How AGA 12-1 Protects SCADA Data In Transit

  2. We Will Overview AGA 12-1 And Develop Background • Project History • Threats And Attacks • Cryptographic Fundamentals • How AGA 12 Protects Communications • Future Developments

  3. HISTORY OF AGA 12

  4. The AGA 12 Group Adopted A Broad Charter • AGA = American Gas Association • AGA Report = Recommended Practice • AGA 12-1, “Cryptographic Protection Of SCADA Communications” • Launched Effort In October 2001 • Goal: Cover Gas, Water, and Electric • Balloting: March 25 to April 24 “We have no competitors – only partners we have not yet met !”

  5. SCADA Communications Are Vulnerable • Assailants Can Attack SCADA Communications [Diagram: Control Room (Secure), Network Is Insecure, RTU (Secure)]

  6. AGA 12-1 Has Several Goals • Solid Cryptographic Communication Protection • Retrofit To Existing Systems • Reasonable Cost • Tolerable Message Delays • Reliable Certification Methods • Interoperability Among Manufacturers Today, Focus Is “What Attacks We Protect Against And How”

  7. THREATS AND ATTACKS

  8. There Are Several Possible SCADA Attackers • Hackers • Organized Crime • Financial Traders • Terrorists • Foreign Governments • Insiders/Disgruntled Employees • Combinations

  9. We Protect Against 5 Attacks • Interception – Listening To Messages • Fabrication – Creating Forged Messages • Alteration – Changing Valid Messages • Replay – Copying Message, Sending Later • Key Guessing/Extraction – Trial & Error OR Taking Key From Module

  10. AGA 12-1 Protects SCADA Communications • Technical Approach: Attackers Can’t Read [Diagram: “Open A Valve!” → Encrypt → “^fD%b*m>s#H!j” → Decrypt → “Open A Valve!”] Even Intercepted SCADA Commands Are Secure Until They Reach Their Destination

  11. CRYPTOGRAPHIC FUNDAMENTALS

  12. Can A Published, Known Standard Encryption Mechanism Really Keep Data A Secret? YES - And In Fact, It Is The Best Way. How Can This Be? The Key, Not Algorithm Secrecy, Provides Security

  13. The Mechanism Of Locks Is Public Knowledge But Without The Key Or Combination - You Can’t Open A Single One !

  14. A Simple Rotation Algorithm Provides A Simple Example • Substitute One Letter For Another • Rotate Letters By “N” Positions GOAL: An Algorithm Simple Enough To See, But Real Enough To Show Issues

  15. Plaintext Maps To Ciphertext Easily - With The Key • Key = Rotate Each Letter 2 To The Right • Plaintext: A B C D E F G H … Z • Ciphertext: C D E F G H I J … B • With Rotation Key 2, “HAD” Becomes “JCF” • With Rotation Key 3, “HAD” Becomes “KDG”

  16. A Rotation Algorithm Is A Simple Example • Substitute One Letter For Another • Rotate Letters By “N” Positions • N Is The (Shared, Secret) Key • 0 < N < 25 GOAL: An Algorithm Simple Enough To See, But Real Enough To Show Issues

  17. The Rotation Algorithm Has General Characteristics • Algorithm Is Known, Key Provides Security • Unique Mapping Of Plaintext To Ciphertext • Coding/Decoding Easy With The Key • Decoding Hard Without The Key • Can Be Broken By Guessing • Longer Keys Harder To Break
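The rotation algorithm from slides 14 to 17, as an added Python example (not part of the original presentation): it reproduces the slides' “HAD” results and shows the “Can Be Broken By Guessing” point by trying every key against a known word. The function names, the sample message and its key are constructed for illustration.

```python
import string

ALPHABET = string.ascii_uppercase


def rotate(text, n):
    """Rotate each letter n positions to the right; other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + n) % 26])
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext, key):
    return rotate(plaintext, key)


def decrypt(ciphertext, key):
    # Decoding is easy with the key: rotate back by the same amount.
    return rotate(ciphertext, -key)


def guess_key(ciphertext, known_word):
    """Exhaustive search: try every rotation and keep the keys whose
    decryption contains a word the message is expected to carry."""
    return [k for k in range(1, 26) if known_word in decrypt(ciphertext, k)]


if __name__ == "__main__":
    print(encrypt("HAD", 2), encrypt("HAD", 3))      # the slide's two examples
    intercepted = encrypt("OPEN A VALVE", 7)         # constructed message and key
    print(intercepted, guess_key(intercepted, "VALVE"))
```

With only 25 possible keys the search finishes instantly, which is why key length is what makes guessing hard.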

  18. A Digression: How Hard Is “Hard”? • A $250,000 Computer Can Guess A 56-Bit Key In 2 Hours • Each Additional Bit Doubles Guessing Time • 64 Bits Takes 128x2=256 hours • 128 Bits Takes 2x293 hours

  19. The Rotation Algorithm Has General Characteristics (Cont) • “Symmetric Key” Means Both Keys The Same • Both Parties Have Common, SECRET Key • If One Key For Many Units, Getting 1 Gets All • “Symmetric Key” Management An Issue • Changing Keys Adds Security • Never Use A Key To Send A New Key

  20. There Are Three Kinds Of Algorithm • Symmetric Key - Same, Secret Key • Public Key - Publish Half Of A Key • Common Number - Parties Get Same Keys AGA 12-1 Uses Only Symmetric Key. AGA 12-2 Will Include Public Key, Too

  21. Symmetric Keys Are The Same For Both Parties • Key Must Be Secret • One Key For All Raises Risk • One Key Per Pair Is Hard On A Big Network • Key Knowledge Is Weak Authentication • Must “Introduce” Units To Each Other • “AES” Is An Example Of A Symmetric Key

  22. AES Shuffles And Changes Bits According To A Key [Diagram: Rows Of Bits Being Moved (“Move”) And Changed (“Change”)]

  23. AES Encrypts Messages • Advanced Encryption Standard (AES) • AES-128, 192, or 256 -> Key Length • Winner Of NIST “Shoot-out” • Both Units Have SHARED, SECRET Key • NIST/FIPS Approved Algorithm • Changing One Bit In Plain (Cipher) Text Changes Half The Bits In Cipher (Plain) Text

  24. RSA Uses A Public And A Private Key • Public Key Is 2 Numbers, N And E • N Is A Modulus • E Is A Large Number Used To Encrypt • D Is A Large Number Used To Decode

  25. RSA Is Easy In Principle • Message Is Called M • Encrypt Message With RECIPIENT’S (N, E) • C = Ciphertext = $M^{E} \bmod N$ • Mod N = Remainder After Dividing By N • Recipient Decrypts With Private Half Of Key • P = Plaintext = $C^{D} \bmod N$

  26. RSA Uses Overflow In Modular Arithmetic • Ciphertext = $C = M^{E} \bmod N$ • Plaintext = $P = C^{D} \bmod N$ • $P = C^{D} \bmod N = (M^{E})^{D} \bmod N = M^{ED} \bmod N$ • Note EITHER D Or E Can Encrypt. E And D Are Chosen So Raising M To The ED Power Is $M^{1}$

  27. RSA Is Easy To Demonstrate By Example • Take (E,N) As (7, 33) • Take D = 3 • Take M = 15 • $C = 15^{7} \bmod 33 = 27$ (Transmit This) • $P = 27^{3} \bmod 33 = 15$ (Original Message, M) The Security Comes From How Hard It Is To Find D, Given (E, N)
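The numbers on slide 27 checked in Python, as an added example that is not part of the original presentation. It also shows why the slide's closing line matters: with a modulus as small as 33, D falls out of (E, N) by simple factoring, so real security depends on N being far too large to factor. Function names are illustrative.

```python
from math import gcd


def rsa_encrypt(m, e, n):
    return pow(m, e, n)          # C = M^E mod N


def rsa_decrypt(c, d, n):
    return pow(c, d, n)          # P = C^D mod N


def factor_small(n):
    """Trial division; feasible only because this modulus is tiny."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("n has no small factor")


def recover_d(e, n):
    """Derive the private exponent from the public key by factoring N.
    D is the inverse of E modulo (p-1)(q-1), so that M^(ED) = M^1 mod N."""
    p, q = factor_small(n)
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("E has no inverse for this N")
    return pow(e, -1, phi)       # modular inverse (Python 3.8+)


def round_trips(e, d, n):
    """True if every message 0..N-1 survives encrypt-then-decrypt."""
    return all(rsa_decrypt(rsa_encrypt(m, e, n), d, n) == m for m in range(n))


if __name__ == "__main__":
    E, N, D, M = 7, 33, 3, 15                 # values from slide 27
    c = rsa_encrypt(M, E, N)
    print("C =", c, "P =", rsa_decrypt(c, D, N))
    print("D recovered from (E, N):", recover_d(E, N))
    # "Either D or E can encrypt": apply D first, undo with E.
    s = pow(M, D, N)
    print("D-then-E:", s, "->", pow(s, E, N))
    print("all messages round-trip:", round_trips(E, D, N))
```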

  28. Public Key Has Many Advantages • No Need To Track Key Pairs • Can Authenticate AND Encrypt

  29. RSA Will Send Session Keys And Authenticate • Public Key • 1024 Bit Key • Relatively Slow • Authentic Signature (With Valid Public Key)

  30. Algorithm Classes Require Different Resources • Public Code Length 3 Times Symmetric • Public Key Is 10 Times Symmetric Key • Public Key Execution = 100 Symmetric Assumes Same Security, (128 Bit Symmetric Key, 1024 Public Key)

  31. BUT WAIT! We Have A Problem! • Formulas Are Deterministic • Same Messages Give Same Ciphertext • Assailants Can Deduce SCADA Messages • “Cipher Block Chaining” Is The Solution

  32. Protocol Requires Using The “CBC Mode” • Communicate In Sessions • Unit A Generates A Random Number • A Encrypts & Sends To B • B Decrypts, Both Units Call This The “IV” • IV = “Initialization Vector” • XOR Message With IV • Encrypt XORed Message • Same Plaintext -> Different Ciphertext • Use Last Ciphertext As Next IV

  33. HOW AGA 12 PROTECTS COMMUNICATIONS

  34. AGA 12-1 Scrambles To Protect Against Interception • AES-128, 192, or 256 Give Privacy • Winner Of NIST “Shoot-out” • Both Units Have SHARED, SECRET Key • Operates In “CBC Mode” • “Cipher Block Chaining” • Same Plaintext -> Different Ciphertext • XOR Plaintext With Last Ciphertext • Both Units Have Same IV • XOR Is Self-Inverse Operation

  35. AGA 12-1 Protects Against Fabrication • Shared Secret Key Helps • CMID (Unique ID #) • Public Key Coming • AGA 12-1.1 • “Digital Certificates”

  36. AGA 12-1 Protects Against Alteration & Replay • CBC Mode Prevents • Block Insertion • Block Deletion • Block Re-ordering • Replay Won’t Decrypt Properly Either • Messages Change Due To XOR With NEW Number
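The session chaining from slides 32 and 36, as an added Python sketch that is not part of the original presentation and not the AGA 12 protocol itself. To stay runnable with the standard library only, a small SHA-256 based Feistel network stands in for AES; the class and function names, and the single-block message size, are assumptions made for the example.

```python
import hashlib
import os

BLOCK = 16


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def round_fn(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]


def block_encrypt(key, block):
    """Stand-in for AES (NOT AES): 4-round Feistel on one 16-byte block."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor_bytes(l, round_fn(key, i, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor_bytes(r, round_fn(key, i, l)), l
    return l + r


class CbcEndpoint:
    """One unit in a session: `chain` starts as the IV, then holds the last ciphertext."""
    def __init__(self, key, iv):
        self.key, self.chain = key, iv

    def send(self, msg):
        block = msg.ljust(BLOCK, b"\x00")            # single-block messages only
        self.chain = block_encrypt(self.key, xor_bytes(block, self.chain))
        return self.chain

    def receive(self, ct):
        plain = xor_bytes(block_decrypt(self.key, ct), self.chain)
        self.chain = ct                              # last ciphertext is the next IV
        return plain.rstrip(b"\x00")


def demo(cmd=b"Open A Valve!"):
    key, iv = os.urandom(BLOCK), os.urandom(BLOCK)   # constructed session values
    iv_wire = block_encrypt(key, iv)                 # A encrypts the random number, sends to B
    a, b = CbcEndpoint(key, iv), CbcEndpoint(key, block_decrypt(key, iv_wire))
    c1, c2 = a.send(cmd), a.send(cmd)                # same plaintext sent twice
    p1, p2 = b.receive(c1), b.receive(c2)
    replayed = b.receive(c1)                         # captured c1 sent again later
    return c1, c2, p1, p2, replayed
```

In `demo()`, `c1` and `c2` differ although the command is identical, and the replayed `c1` no longer decrypts to the command because the receiver's chaining value has moved on. In CBC only the first block of a message depends on the receiver's chaining value, which is why the sketch uses single-block messages.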

  37. AGA 12-1 Indicates Key Guessing / Extraction • “Guessing” Possible, But Slow • Millions of Years • Change Keys Per Policy • Minimum: Tamper Indication • Can Specify Tamper Resistant/Envelope

  38. FUTURE DEVELOPMENTS

  39. A Few Things We Did Not Have Time To Mention • Need A Security Policy • A Certification Program Exists • Work Is Starting To Embed • There Is A Cryptographic Protocol (SLS) • Lab & Field Tests Starting • . . . And A Lot More !

  40. What Should You Do? • Take A Full Course/Read The Standard • Contact Bill Rush For Details/Questions • 847/768-0554 • Bill.Rush@gastechnology.org • Champion AGA 12 As A Standard • Champion AGA 12 In Your Company

  41. Use AGA 12-1 To Protect SCADA Communications • Gas, Water, Electric • Protects Against Many Attacks • Retrofits Many Systems • Under 100 Millisecond Latency Added • Reasonable Cost • Will Be Upgraded AGA 12-1 Uses Only Symmetric Key. AGA 12-1.1 Will Include Public Key, Too
