Security Issues and Power Line Communication
Rune Gustavsson, Blekinge Institute of Technology, Box 520, S-372 25 Ronneby, SWEDEN. E-mail: [email protected]
Key words: Time Based Security, Bell-LaPadula, Clark-Wilson, trustworthiness, PLC security, PLC integrity.
Summary. Present and future technologies supporting Power Line Communication (PLC) allow us to integrate the power grid into the emergent Embedded Internet. A natural role of PLC is to provide communication between smart equipment already connected to the power line and thus form a natural local communication network in 'Smart homes' and 'Smart offices/factories'. Another role is to provide means for smart monitoring and management of the electric grid itself. New PLC-based applications will be connected to the Internet to take advantage of all its possibilities. The paper focuses on addressing security and integrity vulnerabilities of future PLC applications. We introduce a B2B scenario on information trading, a process model supporting security, and an information security/integrity framework addressing the issues raised by the scenario.
1. Introduction
The success of innovative business applications depends on several trends and forces in a given context. In order to assess the potential of an innovative business idea we thus have to evaluate key success factors in a proper setting. A way to illustrate this context is the 'Co-evolution triangle' of technology, people and organisation/society factors supporting a potential take-up of the business idea, Figure 1 below.
[Figure 1: triangle with vertices Organisation/Society, Technologies and People]
Figure 1. The co-evolution triangle capturing the basic pre-conditions for take-up of new technologies in innovative business processes
Figure 1 captures three basic pre-conditions for a successful take-up of new technologies in new business processes/services/products. The bottom line is that a business idea based solely on a technological push is not enough to create a successful business. Recent examples are the 'hypes of 2000', WAP and broadband. The WAP protocol for mobile communication did not by itself, as we know by now, create the success story for WAP phones that the telecommunication industry expected a year ago. In this case neither a sufficient infrastructure (applications of added value to the customer) nor user acceptance (difficult and expensive to use) exist at the moment. As a matter of fact the present WAP protocol also suffers from technological and security vulnerabilities. The present technology push of UMTS (3G mobile systems) suffers from the same weaknesses as WAP, but to a larger extent. In the broadband example we saw a peculiar alliance between technology pushers and politicians towards 'A networked Sweden'. In this case it is fair to state that we again have a failure due to an incomplete triangle of co-evolution. Public acceptance of broadband technology was low due to several factors, including the vulnerabilities of unprotected continuous presence (fixed IP addresses) on the user's side, and a lack of interesting applications. We will return to these issues in Section 5 below.
In summary, technological push is not sufficient to create successful applications. There also has to be a sufficient infrastructure to support new services/products based on the technologies, as well as user acceptance of the cost/benefit of the new services/products. In completely new application areas the building up of supportive infrastructures typically takes decades; examples include our communication systems (phones, radio, TV, fax, Internet). Power Line Communication (PLC) has, in this context, a distinctive advantage: the physical infrastructure already exists.
Furthermore, a set of innovative services based on PLC and of clear potential added value to customers has already been identified and tested in simulations or field tests [1]. Take-up of PLC-based applications thus crucially depends on user acceptance, as the other two pre-conditions of Figure 1 are to a sufficient extent in place. User acceptance depends on several factors. Firstly, the new service/product should have a distinctive added value to the customer. Secondly, and more importantly, the new service/product should be trustworthy. The main message of the paper is that in order to have trustworthy net-based systems we have to address security and integrity issues up-front in the design, implementation and maintenance of applications using PLC and related technologies.
The paper is organised as follows. In Section 2, Power Line Communication and applications, we summarise the technological context of PLC and some applications that have been identified. In Section 3 the focus is on trustworthy systems. Innovative PLC applications typically mean that several actors have to share similar information, as illustrated in Section 4. As the PLC network typically also has to be connected to the Internet in order to take full advantage of the PLC applications, we also have to take into account the potential security and integrity risks associated with the application in that context. An important aspect of trustworthiness in PLC applications is thus related to the security and integrity of net-based services. In Section 4 we introduce a realistic scenario in order to capture the main aspects of risks and security issues relevant to us, i.e., e-Business processes based on information trading and smart equipment using PLC. In Section 5 we give some basic definitions as well as a process model framework for system security assessments; using this framework we also discuss some fundamental issues related to security products and processes. In Section 6 we introduce an information framework and show that the major security and integrity concerns in the scenario of Section 4 can be satisfactorily addressed within it. Section 7, Conclusions, summarises the main findings of the paper.
2. Power Line Communication and applications
Present and future technologies supporting power line communication (PLC) allow us to integrate the power grid into the emergent Embedded Internet, i.e., the global network connecting people and smart equipment/services. Technologies such as UMTS (3G mobile systems) and 4G mobile systems add mobility of users and services to the possibilities of the Embedded Internet. A natural role of PLC is to provide communication between smart equipment already connected to the power line and thus form a natural local communication network in 'Smart homes' and 'Smart offices/factories'. Another role is to provide means for smart monitoring and management of the electric grid itself. The role of PLC in the future information society has been the focus of several international R&D efforts; one example is PALAS - Powerline as an Alternative Local Access, IST-1999-11373, [1] and [2]. However, security aspects of PLC as part of a LAN (or the Internet) have so far only been addressed in a superficial way. As we will argue below, security aspects of PLC applications will be crucial in delivering trustworthy systems and hence in supporting user take-up of related services. There is by now a wealth of application ideas based on PLC. Besides those which focus on the communication aspects of the power line there are also interesting possibilities of using 'leaky feeder' technology-based services, that is, using the electricity networks to provide antennas and connectivity for mobile communication equipment. 'Leaky feeder' technology in combination with 4G technology allows us to reduce the transmission power of the mobile entities without sacrificing quality of service. In all cases the benefit of using existing power networks is the ubiquity of the power system, the relatively low power needed to sustain high-quality communication, the limited cost of achieving the application, and the low public disruption associated with its installation and maintenance.
Power Line Communication also has unique attributes in the field of security applications. It is inherently secure at the lowest physical level, e.g. eavesdropping and unauthorised signal removal or interruption are difficult and dangerous. This inherent security contrasts with radio-broadcast technologies such as 4G mobile systems and Bluetooth. Thus, use of PLC gives rise to innovative applications such as [1]:
- connection and control of passive and active alarm switches to the central processing unit in a building;
- remote monitoring of the local security nodes;
- video and audio surveillance;
- access control telemetry and monitoring;
- remote enabling, disabling and logging of individual access routes for general site control;
- external barrier and gate control and communications.
In all the above applications the primary advantage of using PLC is the ease, speed and cost of installation, coupled with the added security afforded by the communication being carried on live power distribution cables. Note, however, that this argument concerns physical tapping only: a PLC signal is present at every outlet on the same low-voltage segment, so confidentiality and authentication between devices sharing that segment still have to be provided at the link or application layer. Moreover, when a PLC sub-network (LAN) is connected to other networks via gateways or routers we end up with the standard set of network vulnerabilities and threats involving the whole system, including the PLC parts.
3. Trustworthy systems
As we stated in Section 1, user take-up of innovative net-based applications, not least PLC-based applications, will to a large extent depend on the user's perception of the trustworthiness of the system or services. The concept of trust has been a topic of investigation in several disciplines, from philosophy to engineering. We take in this paper a pragmatic point of view, i.e., how to design, implement and maintain trustworthy systems. A challenge is to operationalise aspects of trust, i.e., aspects of system attributes that can support trust in the behaviour of a system. Well-known examples of operationalisations are support for good explanations of system behaviour and good support when services break down. These, and similar kinds of operationalisations, can be grouped under the general heading: Trust in the proper behaviour of the artefact. The artefact should have the intended functionality with an understandable degree of quality of service. In fact, this is a common criterion of trustworthiness of artefacts in our physical world. Techniques to achieve these criteria include validating selected criteria using different kinds of testing. In certain safety-critical systems we also try to verify implementations against design specifications. However, it is well known that even if we have successfully validated parts of a software system there remain vulnerabilities due to the complexity of the software (which may be millions of lines of code). Illustrative examples include operating systems such as Windows (NT) and implementations of complex security functions. These vulnerabilities are detected regularly during the lifetime of the product, often when the product is used in a new context, integrated with other software products or on new platforms. Vendors regularly release repairs ('patches') to address those vulnerabilities.
Most of those known vulnerabilities remain unattended by most users due to lack of information, resources or policies. The important point is, however, that complex software will always have known and unknown vulnerabilities throughout its lifetime. We will return to these aspects in Section 5 below. An adversary can turn these vulnerabilities into serious threats and attacks on the owners and users of the system or software, especially when the system is connected to larger networks such as the Internet. This means that new concerns affecting trust in system behaviour emerge. These concerns can be summarised as:
Trust that no hidden or unintended side effects appear during the use of the services/products. The artefact should not do anything other than its intended function; in particular, it should not allow adversaries to harm you, your system or your electronic assets. The issues of electronic privacy, integrity and security address these kinds of unintended behaviour. It should be noted that these kinds of behaviour are almost impossible to detect by testing individual components of the system. This also means that protecting a system against malicious intruders is a continuous task. We will return to this aspect in Section 5 below.
As a matter of fact, several studies show that distrust in electronic services (e.g. electronic payment) is a major concern and an obstacle to take-up of e-business applications at this moment. As worldwide efforts focus on designing and implementing new services and products of the Embedded Internet, both kinds of trustworthiness mentioned above have to be addressed up-front in embedded services.
4. Scenario: e-Business processes based on information trading and smart equipment
In order to highlight natural security and safety concerns coupled to PLC applications we outline the following realistic example of a Business-to-Business (B2B) application based on PLC and power management.
In the scenario we focus on information trading based on information created by and communicated between smart embedded equipment in a process industry. The 'smartness' component of the already installed equipment of the process industry is installed by an energy company and primarily used by that company for energy management. The incentive for the utility in this co-operation is that the gained surplus energy can be sold on the energy spot market at a substantial profit. The incentive for the process industry is the prospect of lower energy consumption and better process management. However, the data from the equipment potentially also inform the utility about the processes of the process industry. Furthermore, the information gives valuable insights into the working of the equipment itself, which is of high value to the manufacturer of that equipment. We thus have in this scenario a very interesting emerging system around the generation, processing (manipulation and misuse!), sharing and trading of information, where possibilities for innovative business processes emerge. However, the preconditions for trusted co-operation between the parties in this potential Business-to-Business (B2B) information system include trust that, although information is partly shared, no harm to either party can arise, intended or not. In summary, the actors in this scenario would demand trustworthiness of the information system both with respect to functionality and with respect to security, as stated in Section 3 above. Note that these trust criteria hold regardless of whether the shared intranet is connected to the Internet or not; in the connected case the demands remain the same but are reinforced by the risk of malicious intruders. As a matter of fact, these concerns about security and integrity of information handling are valid for most non-trivial applications of 'Smart houses/offices'.
5. Vulnerabilities, Threats, and Attacks. A process view on security.
In this section we give an overview of basic security concepts and a short introduction to our Time Based Security (TBS) model, which supports a process view on computer and network security.
5.1 Basic definitions
A threat to a computer system is defined as any potential occurrence, malicious or otherwise, that can have an undesirable effect on the assets and resources associated with the system. A vulnerability of a computer system is some unfortunate characteristic that makes it possible for a threat to occur. An attack on a computer system is some action taken by a malicious intruder that involves the exploitation of certain vulnerabilities in order to cause an existing threat to occur. Threats to a network system specifically take into account the distributed aspects of data transmission and routing. A threat to an IT system is a combination of threats to a computer system (isolated, or acting as a server/gateway/bridge) and to the communication network. The following types of threats to an IT system have been identified [3]:
- Disclosure threat: the dissemination of information to an individual who should not see it.
- Integrity threat: any unauthorised change to information stored on a computer system or in transit between computer systems.
- Denial of Service (DoS) threat: access to some computer system resource is intentionally blocked as a result of malicious actions taken by another user.
- Network security threats: threats due to the distributed nature of the systems.
Building and maintaining trustworthy systems includes a vulnerability analysis, an assessment of the values to be protected, development and evaluation of threat models, and a cost/benefit analysis in order to take appropriate security measures at an acceptable risk level. A useful tool in this analysis is the standard BS 7799 (ISO 17799). Selection of appropriate technologies (cryptography, key management, firewalls, VPN, IPsec, and so on) gives the means to protect against disclosure, integrity, DoS and network threats. These mechanisms, together with assessments of the value of assets and models of threats, are the focus of vulnerability analysis and the choice of appropriate security measures in a particular context, as in the scenario of Section 4 above. Other crucial factors for trustworthy systems are mechanisms supporting accountability and liability; issues of ownership and responsibility coupled with mechanisms of authentication, non-repudiation and logging are basic in this context. We will address these issues in Section 6 below. Lastly, proper implementation of security measures includes a choice of the levels of the computer and communication architectures at which to act (application-oriented versus generic security measures) as well as an assessment of other trade-offs.
5.2 A process view on security
It is very important to understand that IT security is not only about products; it is in effect an ongoing process. This process is guided by a well-grounded and operationalised security policy. In effect we need all aspects of the co-evolution triangle of Figure 1 above. We introduce the following time based security framework to illustrate the basic underlying principles of a process-oriented IT security model. The model is an extension of the Time Based Security (TBS) model of Schwartau [4]. We use the following basic notation:
- P(s(t), ΔP(a, s, t)) denotes the Protection of an IT system at time t, where s(t) is the strength of the protection at time t and ΔP(a, s, t) is the time for which protection of strength s withstands an attack of type a launched at time t.
- D(s(t), a, ΔD(a, s, t)) denotes the Detection capability of the system at time t, where s(t) is the strength of the mechanisms for detecting an attack of type a at time t and ΔD(a, s, t) is the time it takes to detect an attack of type a occurring at time t.
- R(s(t), a, ΔR(a, s, t)) denotes the Response of the system to an attack of type a, where s(t) is the strength of the response measures at time t and ΔR(a, s, t) is the time it takes to effect a proper response to an attack of type a occurring at time t.
We can now quantify the Exposure time ΔE(a, t) of an attack of type a on an IT system with protection P, detection D and response R at time t (equation (1)).
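Schwartau's time based security relation [4], restated here in the notation just introduced as an added illustration; it is the relation the following paragraph refers to as (1), whose own rendering did not survive in this copy of the paper:

$$\Delta E(a, t) = \Delta D(a, s, t) + \Delta R(a, s, t) - \Delta P(a, s, t)$$

The system is under control against attacks of type $a$ exactly when $\Delta P(a, s, t) \ge \Delta D(a, s, t) + \Delta R(a, s, t)$, i.e., when the protection holds at least as long as it takes to detect the attack and to respond to it. With $\Delta P(a, s, t) = 0$ (no effective protection) the exposure equals the whole detection-plus-response time, which is the broadband-host case discussed next.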
From (1) it follows that we have control of the situation under an attack of type a by an adversary (internal or external) if and only if the Exposure time ΔE(a, t) is non-positive. If ΔE(a, t) is positive (a time interval) we have an open exposure to the adversary during that interval. We often have the situation that ΔP(a, s, t) = 0, due to, e.g., new types of attacks, bad implementations or neglect of known vulnerabilities (Section 3 above). This means that despite installed firewalls we might be totally exposed to certain attacks. A specific case is broadband installations in homes and offices, where the general rule is that ΔP(a, s, t) = 0! We can also have the situation that ΔD(a, s, t) and/or ΔR(a, s, t) are too long (e.g., longer than ΔP(a, s, t)). The strengths of Detection and Protection depend to a high degree on how well security policies are set up, implemented and perceived by the people involved. The same holds for the strengthening factors (learning and enforcement) s(t) of P, D and R. In short: good protection (a non-positive ΔE(a, t) in (1)) depends on a continuous assessment involving all aspects of the co-evolution triangle of Figure 1, that is, a choice of appropriate technologies, policies and implementations to meet potential attacks on the valuable assets of the parties involved. The Centre of Electronic Security (CES) at Blekinge Institute of Technology (BIT) takes this comprehensive approach to IT security. As a matter of fact, robustness of the electric grid (overload protection and so on) also follows an equation of type (1) above, so there are several common features among the mechanisms involved. An interesting common field is the development of smart Detection systems based on patterns and early-warning models with learning capabilities (smart sensors). Running smart, automatic and continuous vulnerability tests and upgrades can also simplify the strengthening of security components.
Promising technologies here are adaptations of multi-agent systems (MAS).
6. An information framework for trustworthy net-based business processes
From the B2B scenario of Section 4, on information trading among partners, we face the challenge of providing an information model that fulfils the following criteria:
- collect information from sensors in 'Smart network components' and 'Smart equipment' to be used in different applications;
- manage the threats to disclosure and integrity of information;
- manage proper operation of actuators;
- support trust by enabling liabilities and the possibility of proving violations of rules or norms;
- operate in dynamic environments.
We propose a combination of the Bell-LaPadula (BLP) model, originating from defence applications, and the Clark-Wilson (CW) model, building on business practices, [5] and [6]. The first model protects against disclosure threats, whereas the second protects against integrity threats (cf. the threat types of Section 5.1). The second model also provides means to address issues of accountability and liability. Furthermore, the models support scalability and change.
The Bell-LaPadula disclosure model introduces a level structure on the information. That is, data collected from sensors of 'smart equipment' are 'lifted' into higher-level, application-specific information objects. This allows us to re-use data collected by sensors in distinct higher-level application objects. The BLP rules No Write Down (NWD) and No Read Up (NRU) protect the higher-level information objects against unwanted disclosure. Returning to our scenario of Section 4, we can thus create higher-level information objects owned by the different actors and protected against unwanted disclosure. The well-known shortcomings of BLP (it addresses confidentiality only and says nothing about integrity) do not matter here, since integrity is handled by the second model. Furthermore, the BLP 'lifting' also provides us with an information model structure suitable for the CW model supporting information integrity.
The Clark-Wilson integrity model is applied to the high-level application data objects created by the BLP lifting. The CW model has 9 rules governing Transformation Procedures (TPs) and a CW triple (s, t, d), where s denotes the subject acting on the data object d using the transformation procedure t. We extend this model to include a context c, so that our extended CW relation is the quadruple (s, c, t, d). The inclusion of a context allows us to tie the transformation procedure to the context in which it may be applied; the context could, for instance, specify the role or competence the subject needs in order to execute t. The data set of the CW model is the union of the Constrained Data Items (CDI) and the Unconstrained Data Items (UDI).
The CW model rules are:
1. Integrity validation procedures (IVPs) check that CDIs are in a valid state.
2. Application of a Transformation Procedure (TP) must maintain the integrity of the CDIs.
3. A CDI can only be changed by a TP.
4. Subjects can only initiate certain TPs on certain CDIs.
5. CW quadruples must enforce an appropriate separation-of-duty policy on subjects.
6. Certain special TPs on UDIs can produce CDIs as output.
7. Each TP application must cause information sufficient to reconstruct the application to be written to a special append-only CDI.
8. The system must authenticate subjects attempting to initiate a TP.
9. The system must only permit special subjects (e.g., security officers) to change any authorisation-related lists.
The extended CW model is summarised in the following figure.
[Figure 2: the extended Clark-Wilson integrity model; recovered label: Subjects (Separation of Duty, CW-quadruples, Authentication)]
Figure 2. The extended Clark-Wilson integrity model
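The combined BLP/CW framework of this section, as an added example in Python that is not code from the paper or from the PALAS project: information objects live in a store with BLP labels enforced as No Read Up / No Write Down, and every change to a constrained data item goes through an extended CW quadruple (subject, context, TP, CDI) with separation of duty, authentication and an append-only audit CDI. The actor names, category labels, transformation procedures, credentials and meter readings are constructed assumptions for the Section 4 scenario.

```python
"""Added illustration of the Section 6 framework (not code from the paper):
information objects carry Bell-LaPadula labels enforced with NRU/NWD, and
every change goes through an extended Clark-Wilson quadruple
(subject, context, TP, CDI) with separation of duty and an append-only
audit CDI.  Actor names, labels, TPs and meter readings are constructed."""


class BLPStore:
    """Labels/clearances are category sets ordered by inclusion: read needs
    clearance >= label (NRU), write needs label >= clearance (NWD)."""
    def __init__(self):
        self.objs = {}                                  # name -> (label, value)

    def put(self, name, label, value):
        self.objs[name] = (frozenset(label), value)

    def read(self, clearance, name):
        label, value = self.objs[name]
        if not label <= clearance:
            raise PermissionError(f"NRU: {sorted(clearance)} may not read {name}")
        return value

    def write(self, clearance, name, value):
        label, _ = self.objs[name]
        if not clearance <= label:
            raise PermissionError(f"NWD: {sorted(clearance)} may not write {name}")
        self.objs[name] = (label, value)


class ExtendedCW:
    """Rule numbers follow the paper's list: 1 IVP, 2/3 CDIs change only via
    certified TPs, 4 quadruples (s, c, t, d), 5 separation of duty, 6 lifting
    TPs (UDI -> CDI), 7 append-only audit, 8 authentication, 9 officer only."""
    def __init__(self, store, officer):
        self.store, self.officer = store, officer
        self.tps, self.ivps, self.quads = {}, {}, set()
        self.authenticated, self.audit = set(), []

    def login(self, subject, secret, registry):         # rule 8 (toy authn)
        if registry.get(subject) == secret:
            self.authenticated.add(subject)

    def certify(self, officer, tp_name, fn, cdi, ivp):  # rules 1, 2, 6, 9
        if officer != self.officer:
            raise PermissionError("rule 9: only the security officer certifies TPs")
        self.tps[tp_name], self.ivps[cdi] = fn, ivp

    def grant(self, officer, subject, context, tp_name, cdi, exclusive_with=()):
        if officer != self.officer:                     # rule 9
            raise PermissionError("rule 9: only the security officer grants quadruples")
        for other in exclusive_with:                    # rule 5: separation of duty
            if (subject, context, other, cdi) in self.quads:
                raise PermissionError(f"SoD: {subject} already holds {other} on {cdi}")
        self.quads.add((subject, context, tp_name, cdi))

    def run(self, subject, context, clearance, tp_name, src, cdi):
        if subject not in self.authenticated:
            raise PermissionError("rule 8: subject not authenticated")
        if (subject, context, tp_name, cdi) not in self.quads:
            raise PermissionError(f"rule 4: no quadruple for {subject} in {context}")
        new = self.tps[tp_name](self.store.read(clearance, src))  # NRU on the source
        if not self.ivps[cdi](new):                     # rule 1: reject, CDI untouched
            raise ValueError(f"IVP failed for {cdi}")
        self.store.write(clearance, cdi, new)           # rule 3 + NWD on the target
        self.audit.append((subject, context, tp_name, src, cdi))  # rule 7
        return new


def denied(call):
    try:                                                # exception name, or None
        call()
        return None
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__


def scenario():
    """Utility and process industry lift the same raw PLC meter readings (a
    UDI) into their own objects, each hidden from the other by BLP."""
    store = BLPStore()
    store.put("meter_raw", set(), [12.1, 11.8, 30.4, 29.9, 12.0])  # constructed kWh/h
    store.put("utility_profile", {"utility"}, None)
    store.put("process_cycle", {"process"}, None)
    cw = ExtendedCW(store, officer="secoff")
    registry = {"alice@utility": "pw-a", "bob@process": "pw-b"}   # constructed
    for who, pw in registry.items():
        cw.login(who, pw, registry)
    cw.certify("secoff", "lift_peak", lambda r: {"peak": max(r), "mean": round(sum(r) / len(r), 2)},
               "utility_profile", ivp=lambda v: v["peak"] >= v["mean"] > 0)
    cw.certify("secoff", "lift_cycles", lambda r: {"batches": sum(x > 20 for x in r)},
               "process_cycle", ivp=lambda v: v["batches"] >= 0)
    cw.grant("secoff", "alice@utility", "energy_mgmt", "lift_peak", "utility_profile")
    cw.grant("secoff", "bob@process", "plant_ops", "lift_cycles", "process_cycle")
    alice = ("alice@utility", "energy_mgmt", {"utility"})
    bob = ("bob@process", "plant_ops", {"process"})
    profile = cw.run(*alice, "lift_peak", "meter_raw", "utility_profile")
    cycles = cw.run(*bob, "lift_cycles", "meter_raw", "process_cycle")
    store.put("meter_raw", set(), [-1.0, -2.0])         # corrupted UDI: IVP must reject
    return {
        "profile": profile, "cycles": cycles, "audit_entries": len(cw.audit),
        "nru": denied(lambda: store.read({"utility"}, "process_cycle")),
        "nwd": denied(lambda: store.write({"utility"}, "meter_raw", profile)),
        "rule4": denied(lambda: cw.run(*bob, "lift_peak", "meter_raw", "process_cycle")),
        "rule8": denied(lambda: cw.run("mallory", "plant_ops", set(), "lift_cycles", "meter_raw", "process_cycle")),
        "sod": denied(lambda: cw.grant("secoff", *alice[:2], "approve_profile", "utility_profile",
                                       exclusive_with=("lift_peak",))),
        "ivp": denied(lambda: cw.run(*alice, "lift_peak", "meter_raw", "utility_profile")),
        "profile_unchanged": store.objs["utility_profile"][1] == profile,
    }


if __name__ == "__main__":
    print(scenario())
```

scenario() walks through the Section 4 case: the utility and the process industry each lift the same shared raw readings into an object labelled for themselves, so BLP stops the utility from reading the process industry's object (NRU) and from writing its own profile back into the shared raw data (NWD), while the CW layer refuses an unauthenticated subject, a TP for which no quadruple exists, a grant that would violate separation of duty, and a TP output that fails its IVP (the CDI stays unchanged). The audit list (rule 7) records who ran which TP in which context on which data, which is what the liability argument of this section relies on.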
Our proposed framework for protecting information integrity and preventing unintended disclosure also provides means for auditing, which enables liabilities and the assessment of compliance with rules and norms (rules 5 and 7 above). In short, we have a tool for addressing the basic trust aspects mentioned in Sections 3 and 4 above. Again, instantiations of the framework in dynamic contexts might be facilitated by proper use of multi-agent technologies (MAS).
7. Conclusion
We have argued that successful take-up of innovative PLC applications has to take into account all aspects of a co-evolution triangle, that is, the co-evolution of suitable infrastructures and user acceptance of technology-enabled products/services. We also argue that an essential factor of user acceptance can be formulated in terms of trustworthy systems. We illustrate this claim with a scenario based on a PLC Business-to-Business application involving information trading. From that scenario we derive the important trust factors of security and integrity. We put forward two models to cope with dynamic, potentially distrusted systems. The first gives a framework for a process model of security, based on aspects highlighted by the co-evolution triangle. The second provides an information model addressing information disclosure and integrity threats as well as means to enforce accountability and liability of actors. Finally, we argue that agent technologies provide interesting and promising means for instantiating and implementing the two models in dynamic environments.
References
[1] Ottosson, H. and Akkermans, H. (eds.): State of the Art and Initial Analysis of PLC Services. Deliverable D5, PALAS IST-1999-11373, 2000.
[2] Kamphuis, R. and Warmer, C.: Software architecture requirements. Deliverable D6, PALAS IST-1999-11373, 2000.
[3] Amoroso, E.: Fundamentals of Computer Security Technology. Prentice Hall, 1994.
[4] Schwartau, W.: Time Based Security. Practical and Provable Methods to Protect Enterprise and Infrastructure, Networks and Nation. Interpact Press, 1999.
[5] Bell, D. and LaPadula, L.: Secure Computer Systems. MITRE Technical Report 2547. Reprinted in Journal of Computer Security, 4(2/3), pages 239-263, 1996.
[6] Clark, D.D. and Wilson, D.R.: A comparison of commercial and military computer security policies. In Proceedings of the 1987 IEEE Symposium on Security and Privacy, pages 184-194, 1987.