Abstract

Cyber-physical system (CPS) communications for safely and effectively operating a mission-critical infrastructure must be securely protected to prevent the infrastructure from becoming vulnerable. The protection scheme used must be resilient and lightweight for CPS field devices that have constrained computing and communication resources, and also scalable for control servers associated with a large number of field devices. In addition, CPS applications such as smart metering require end-to-end privacy protection. However, as shown in this paper, none of the conventional security schemes comprehensively meets the above requirements: group security schemes scale well for a massive number of devices but are weak in terms of privacy protection and resilience; point-to-point security schemes such as IPsec inherently have resilience but are limited in addressing the scalability and thinness requirements. Motivated by the limitations of conventional security schemes, we design a new group security scheme, resilient end-to-end message protection (REMP), exploiting the following notions: per-node long-term keys that are given by the REMP authentication server, per-message encryption keys that are probabilistically derived from a long-term key, and per-message end-to-end authenticators that consist of the message sender's identity and a message authentication code. Compared with conventional group security schemes, we improve end-to-end security strength in terms of confidentiality, integrity, message source authentication, and key exposure resilience, while preserving scalability and extensibility.
