An Automated, Disruption-Tolerant Device Authentication and Key Management Framework for Critical Systems

TW Edgar, A Ashok, GE Seppala, EY Choi, KM Arthur-Durett, M Engels, R Gentz, S Peisert

semanticscholar (2020)

Journal of Information Warfare

Abstract
Key management is critical to secure operation. Distributed control systems, such as Supervisory Control and Data Acquisition (SCADA) systems, have unique operational requirements that make conventional key management solutions less effective and burdensome. This paper presents a novel Kerberos-based framework for automated, disruption-tolerant key management for control system environments. Experimental tests and their results are presented to quantify the expected performance overhead of this approach. Additionally, Zeek sensor analytics are presented to aid in monitoring the health and security of the key management framework operation.

Keywords: Key Management, ICS, SCADA, Authentication, Disruption Tolerant, Kerberos

Introduction

Key management and access control infrastructure are fundamental to building secure systems; however, current key management and trust models were designed for enterprise Information Technology (IT) environments and do not suit the requirements of process and distributed control system environments (Baumeister 2011).
These environments are geographically distributed, with high-availability requirements that limit the ability of traditional centralised authentication and authorisation mechanisms. Due to operational management difficulties, the lack of a scalable technology to manage cryptographic keys for distributed Energy Delivery Systems (EDSs) hinders asset owners' deployment of products to secure communications. This problem is amplified as more renewable and distributed energy resources emerge and are integrated into the grid, increasing the number and complexity of EDS resources. Without an industry-accepted, scalable, secure, and robust key management, authentication, and authorisation service meeting operational requirements, development of secure cyber-physical applications will be difficult. Industry requires a cryptographic key and access control management solution to further the deployment of technical solutions and to limit the risk associated with increased communication and functionality of smart grid applications.

Current key management and authorisation frameworks have been built around Internet operations and an always-connected state. However, in some environments, the ability to query an online service for every authentication cannot be guaranteed, and the burden of updating and distributing revocation lists is too great. The electric utility industry, among others, needs a solution that provides the ability for distributed, intermittently connected systems to authenticate, while still providing robust centralised policy control and auditing to meet regulatory and best practice guidance. Also, most key management and authentication systems are designed for users and expect human interfaces and interaction. Control systems are designed to operate independently with limited human interaction. Providing automated services that enable devices to receive key material and authenticate each other is necessary for control systems.

A new approach is needed that is tailored to the unique aspects of distributed control systems. While a new protocol could be developed to address these problems, leveraging existing standardised and accepted protocols enables deployment and integration at a much more rapid pace. The Kerberos protocol is a well-established, widely accepted authentication and key management protocol that is already deployed and utilised in most enterprise environments. Through use of a novel architecture and deployment, Kerberos can be leveraged to provide the needed feature set for SCADA environments while providing a wealth of knowledge, experience, and software to support a usable and manageable rollout.

This paper describes an Automated Disruption-Tolerant Key Management (ADTKM) system built upon the Kerberos protocol for distributed automation and other control systems. The ADTKM leverages the unique characteristics of Kerberos for multiple domains of trust to enable centrally controlled authentication and remotely managed authorisation of devices to distribute key material for utilisation in secure applications. The Kerberos ticketing system provides the ability to operate in a disconnected state for a period of time. With some creative utilisation and operation, Kerberos can be the solution needed for this industry. Key management itself is often targeted in attacks; and, as such, developments for monitoring the health and security of the ADTKM approach are also presented. Experimental tests were performed to quantify the cost of this approach and to validate self-monitoring. The experiments, their results, and lessons learned are documented at the end of this paper.

Related Works

Key management and authentication are foundational to security operations. As such, there are various approaches, some well-established and used extensively, for distributing key material and authenticating access. This section provides an overview of the relevant work that has been done for applying key management frameworks to control system environments. The issues with disruption tolerance of common key management techniques are also detailed.

Theoretical models of trust and key management have been developed for varying conditions. When sharing keys, it is crucial to validate the identity of the parties involved in case one party is deceived into sending secure data to the wrong destination. As such, there are a variety of ways identities can be authenticated and trust distributed. The most basic is symmetric key management, where trust is evaluated and approved by the communicator on a case-by-case basis and each pair of communicating partners shares the cryptographic material through some mechanism such as manual or key agreement protocols (Piètre-Cambacédès & Sitbon). Secure Shell is an example of symmetric trust, where each partner must negotiate accounts and each new server fingerprint must be approved as trusted. The most common form of trust used is brokered trust, where some chosen authority is selected to bestow and validate identities.
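The Introduction's point that the Kerberos ticketing system lets a device keep operating while disconnected from the central authority can be shown with a small model of the ticket flow. This is an added example, not code from the paper or from the ADTKM system: the principal names, keys and timeline are constructed, and an HMAC-SHA256 tag over a JSON body stands in for Kerberos's encryption of the ticket, so the integrity and validity-window behaviour is modelled but confidentiality of the session key is not. The service validates a ticket with its own long-term key, which is why authentication continues after the KDC becomes unreachable and stops only when the ticket's end time passes.

```python
"""Toy model of Kerberos-style ticketing under KDC outage (constructed example).

Real Kerberos encrypts tickets and session keys; here an HMAC tag over a JSON body
stands in for that protection, so only integrity and validity windows are modelled.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

HOUR = 3600  # seconds


def _tag(key: bytes, body: str) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


@dataclass
class KDC:
    """Central authority holding every principal's long-term key (constructed data)."""
    keys: dict            # principal name -> long-term key
    online: bool = True   # flipped to False to simulate a WAN outage

    def issue_ticket(self, client: str, service: str, now: int, lifetime: int) -> dict:
        """AS and TGS exchanges collapsed into one step. Returns the service ticket plus
        the session key, which Kerberos would hand the client encrypted under its own key."""
        if not self.online:
            raise ConnectionError("KDC unreachable")
        if client not in self.keys or service not in self.keys:
            raise PermissionError("unknown principal")
        session_key = secrets.token_hex(16)
        body = json.dumps({"client": client, "service": service, "session_key": session_key,
                           "start": now, "end": now + lifetime}, sort_keys=True)
        # Tagged with the *service's* key: the service checks it without asking the KDC.
        return {"body": body, "tag": _tag(self.keys[service], body), "session_key": session_key}


@dataclass
class Service:
    """Remote device (e.g. a substation gateway) authenticating peers without KDC access."""
    name: str
    key: bytes
    max_skew: int = 300                         # accepted clock skew, seconds
    seen: set = field(default_factory=set)      # replay cache of (client, timestamp)

    def authenticate(self, ticket: dict, authenticator: dict, now: int) -> str:
        # 1. Ticket integrity under this service's own long-term key.
        if not hmac.compare_digest(_tag(self.key, ticket["body"]), ticket["tag"]):
            return "bad-ticket"
        t = json.loads(ticket["body"])
        if t["service"] != self.name:
            return "wrong-service"
        # 2. Validity window: this bounds how long disconnected operation can continue.
        if not (t["start"] <= now <= t["end"]):
            return "expired"
        # 3. Authenticator proves possession of the session key and freshness.
        auth_body = json.dumps({"client": t["client"], "ts": authenticator["ts"]}, sort_keys=True)
        if not hmac.compare_digest(_tag(bytes.fromhex(t["session_key"]), auth_body),
                                   authenticator["tag"]):
            return "bad-authenticator"
        if abs(authenticator["ts"] - now) > self.max_skew:
            return "stale"
        if (t["client"], authenticator["ts"]) in self.seen:
            return "replay"
        self.seen.add((t["client"], authenticator["ts"]))
        return "ok"


def make_authenticator(ticket: dict, client: str, now: int) -> dict:
    body = json.dumps({"client": client, "ts": now}, sort_keys=True)
    return {"ts": now, "tag": _tag(bytes.fromhex(ticket["session_key"]), body)}


def disconnected_scenario() -> list:
    """Timeline: ticket issued at t=0 with an 8 h life, KDC offline from t=1 h onward.
    Returns (time, outcome) pairs as observed by the service."""
    keys = {"rtu-07": secrets.token_bytes(32), "gateway-a": secrets.token_bytes(32)}
    kdc = KDC(keys=keys)
    gateway = Service(name="gateway-a", key=keys["gateway-a"])
    ticket = kdc.issue_ticket("rtu-07", "gateway-a", now=0, lifetime=8 * HOUR)
    kdc.online = False  # outage: nothing below contacts the KDC
    outcomes = []
    for now in (3 * HOUR, 7 * HOUR, 9 * HOUR):
        auth = make_authenticator(ticket, "rtu-07", now)
        outcomes.append((now, gateway.authenticate(ticket, auth, now)))
    # Replaying the 7 h authenticator one second later is refused although the ticket is valid.
    replay = make_authenticator(ticket, "rtu-07", 7 * HOUR)
    outcomes.append((7 * HOUR, gateway.authenticate(ticket, replay, 7 * HOUR + 1)))
    return outcomes


if __name__ == "__main__":
    for when, outcome in disconnected_scenario():
        print(f"t={when // HOUR}h: {outcome}")
```

The scenario yields ok at 3 h and 7 h, expired at 9 h, and replay for the reused authenticator: the ticket lifetime chosen at issue time is exactly the disconnected-operation budget, and once it is spent the device must reach the KDC again, which is the trade-off a deployment has to set deliberately.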
Public Key Infrastructure (PKI) is the most common implementation of brokered trust for key distribution. Certificate authorities are the selected central authorities around which PKI works, and certificates are bestowed to users with various levels of validated identity. The certified authority then provides authentication of identity for others (Piètre-Cambacédès & Sitbon). Second after PKI is distributed trust, or web of trust, where trust is organically organised through peers validating and authenticating identities (Zimmerman). For example, if Alice trusts Bob, who in turn validates Charlie's identity, Alice can extend that trust to Charlie. Pretty Good Privacy (PGP) is the de facto implementation of web of trust. Finally, there is the trust-free model, where everyone can validate the authenticity of data without validating identities of peers. Blockchain ledgers are an example of distributed trust (Sun, Yan & Zhang). Each model has strengths and weaknesses. Brokered trust enables strong control and enforcement of policy. Distributed trust is flexible and dynamic and obviates the need for identities. These features are valuable or counterproductive depending on each specific use case.

Currently, no key management framework has been accepted or deployed in great numbers across process control environments. International Electrotechnical Commission (IEC) 62351 Part 9 (IEC 62351-9) is a standard for implementing key management for the IEC protocol suite (IEC TC57 2019) and is the most formalised approach to key management in industry. Otherwise, there is a lack of deployment of general key management frameworks within SCADA systems. There have been multiple key management frameworks and protocols developed to address various issues within process control. Some address the complexity and performance issues of deploying complex PKI systems (Beaver et al.; Tawde, Nivangune & Sankhe; Ebrahimi, Koropi a i; Rezai, Keshavarzi & Moravej). Others provide improvements to create a consistent process across the hierarchy of SCADA communicating devices (Dawson et al. 2006) or group key management facilities for specific communication requirements of some protocols (Choi et al. 2009; Choi et al.; Mittra; Jiang et al. 2013). The SSP-21 secure communication protocol (Crain 2017) supports multiple key management approaches but has devised its own modifications to the certificate format to address some shortcomings with PKI. However, this makes the modified certificate non-compliant with the entrenched PKI space and its large number of tools, which adds further difficulty to the deployment.

The framework discussed in this paper is focused on solving the challenge of central policy control while enabling remote disconnected operation. Previous designs were developed using a new hybrid protocol to achieve the desired feature set (Manz, Edgar & Fink). While the previous work met the functionality requirements of the design, it required a new, untested protocol with a lack of tool and technology support. Leveraging accepted standard protocols is necessary to increase operational viability. The objectives of the work documented in this paper were to utilise standards-based solutions in a novel architecture to solve the problem while having readily available tools, expertise, and infrastructure to support deployments.

Process Control Authentication and Key Management Requirements

Process control systems have unique operational characteristics that require additional functionality for a key management solution. EDSs have a hierarchy of communication where many distributed substations must operate independently and coordinate with a master station (Wang & Lu 2013). Th
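The abstract and introduction say that Zeek sensor analytics are used to monitor the health and security of the key management framework, but this excerpt does not show them. The following is an added example of the kind of checks a defender could run over Zeek kerberos.log records; it is not the paper's analytics. The column names follow Zeek's kerberos.log schema (a subset of its fields), while the log lines, the policy thresholds and the device inventory are constructed. The three checks tie back to the design above: tickets whose lifetime exceeds what the disruption-tolerance policy allows, bursts of failed AS/TGS requests from one device, and ticket requests from principals that are not in the device inventory.

```python
"""Health checks over Zeek kerberos.log records for a Kerberos-based ICS key
management deployment. Added example: column names follow Zeek's kerberos.log schema;
log lines, thresholds and inventory below are constructed for illustration."""
from collections import defaultdict

MAX_TICKET_LIFETIME = 24 * 3600   # assumed policy: no ticket may outlive one day
FAILURE_BURST = 3                 # this many failures from one client ...
FAILURE_WINDOW = 60               # ... inside this many seconds counts as a burst
INVENTORY = {"rtu-07/SUB-A", "rtu-09/SUB-A", "hmi-01/SUB-A"}  # constructed device principals

# Constructed kerberos.log excerpt: tab separated, a subset of Zeek's columns, "-" = unset.
SAMPLE_LOG = (
    "#fields\tts\tuid\tid.orig_h\trequest_type\tclient\tservice\tsuccess\terror_msg\tfrom\ttill\n"
    "1580000000.1\tC1\t10.1.1.7\tAS\trtu-07/SUB-A\tkrbtgt/SUB-A\tT\t-\t1580000000.0\t1580028800.0\n"
    "1580000001.2\tC2\t10.1.1.7\tTGS\trtu-07/SUB-A\tgateway-a/SUB-A\tT\t-\t1580000001.0\t1580028800.0\n"
    "1580000005.0\tC3\t10.1.1.9\tAS\trtu-09/SUB-A\tkrbtgt/SUB-A\tF\tKDC_ERR_PREAUTH_FAILED\t-\t-\n"
    "1580000012.0\tC4\t10.1.1.9\tAS\trtu-09/SUB-A\tkrbtgt/SUB-A\tF\tKDC_ERR_PREAUTH_FAILED\t-\t-\n"
    "1580000020.0\tC5\t10.1.1.9\tAS\trtu-09/SUB-A\tkrbtgt/SUB-A\tF\tKDC_ERR_PREAUTH_FAILED\t-\t-\n"
    "1580000025.0\tC6\t10.1.5.23\tAS\teng-laptop/SUB-A\tkrbtgt/SUB-A\tT\t-\t1580000025.0\t1580028825.0\n"
    "1580000030.0\tC7\t10.1.1.7\tTGS\trtu-07/SUB-A\tgateway-a/SUB-A\tT\t-\t1580000030.0\t1580604830.0\n"
)


def parse_zeek_log(text: str) -> list:
    """Parse a Zeek TSV log into dicts keyed by the names in the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue                      # other header lines and blanks
        elif fields is None:
            raise ValueError("data line before #fields header")
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def ticket_lifetime_violations(records: list) -> list:
    """Issued tickets whose validity (till - from) exceeds policy. Lifetime is what buys
    disconnected operation, so it must stay within what the policy intended."""
    out = []
    for r in records:
        if r["success"] == "T" and r["from"] != "-" and r["till"] != "-":
            lifetime = float(r["till"]) - float(r["from"])
            if lifetime > MAX_TICKET_LIFETIME:
                out.append((r["uid"], r["client"], r["service"], lifetime))
    return out


def failure_bursts(records: list) -> list:
    """(source host, client principal) pairs with FAILURE_BURST failed requests inside
    FAILURE_WINDOW seconds: a stale key, a misconfigured device, or key guessing."""
    times = defaultdict(list)
    for r in records:
        if r["success"] == "F":
            times[(r["id.orig_h"], r["client"])].append(float(r["ts"]))
    bursts = []
    for key, ts in times.items():
        ts.sort()
        if any(ts[i + FAILURE_BURST - 1] - ts[i] <= FAILURE_WINDOW
               for i in range(len(ts) - FAILURE_BURST + 1)):
            bursts.append(key)
    return bursts


def unknown_principals(records: list) -> list:
    """Client principals requesting tickets that are not in the device inventory."""
    return sorted({r["client"] for r in records
                   if r["client"] != "-" and r["client"] not in INVENTORY})


def run_checks(text: str = SAMPLE_LOG) -> dict:
    records = parse_zeek_log(text)
    return {"long_tickets": ticket_lifetime_violations(records),
            "failure_bursts": failure_bursts(records),
            "unknown_principals": unknown_principals(records)}


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name, findings)
```

On the constructed excerpt the checks flag the seven-day service ticket in record C7, the three pre-authentication failures from 10.1.1.9, and the eng-laptop principal that is absent from the inventory. In a real deployment the thresholds and inventory would come from the key management policy and the asset register rather than from constants in the script.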