How AGA 12-1 Protects SCADA Data In Transit A Presentation To The COTF1 Group By Bill Rush Gas Technology Institute April 26, 2003 Sun Valley, Idaho


How AGA 12-1 Protects SCADA Data In Transit

A Presentation To The COTF1 Group

By Bill Rush

Gas Technology Institute

April 26, 2003

Sun Valley, Idaho

We Will Overview AGA 12-1 And Develop Background

> Project History

> Threats And Attacks

> Cryptographic Fundamentals

> How AGA 12 Protects Communications

> Future Developments

HISTORY OF AGA 12

The AGA 12 Group Adopted A Broad Charter

> AGA = American Gas Association

> AGA Report = Recommended Practice

> AGA 12-1, “Cryptographic Protection Of SCADA Communications”

> Launched Effort In October 2001

> Goal: Cover Gas, Water, and Electric

> Balloting: March 25 to April 24

“We have no competitors – only partners we have not yet met !”

SCADA Communications Are Vulnerable

> Assailants Can Attack SCADA Communications

[Diagram: Control Room (Secure), Network Is Insecure, RTU (Secure)]


AGA 12-1 Has Several Goals

> Solid Cryptographic Communication Protection

> Retrofit To Existing Systems

> Reasonable Cost

> Tolerable Message Delays

> Reliable Certification Methods

> Interoperability Among Manufacturers

Today, Focus Is “What Attacks We Protect Against And How”

THREATS AND ATTACKS

There Are Several Possible SCADA Attackers

> Hackers

> Organized Crime

> Financial Traders

> Terrorists

> Foreign Governments

> Insiders/Disgruntled Employees

> Combinations


We Protect Against 5 Attacks

> Interception – Listening To Messages

> Fabrication – Creating Forged Messages

> Alteration – Changing Valid Messages

> Replay – Copying Message, Sending Later

> Key Guessing/Extraction – Trial & Error OR Taking Key From Module

AGA 12-1 Protects SCADA Communications

> Technical Approach: Attackers can’t read

“Open A Valve!” -> Encrypt -> “^fD%b*m>s#H!j” -> Decrypt -> “Open A Valve!”

Even Intercepted SCADA Commands Are Secure Until They Reach Their Destination

CRYPTOGRAPHIC FUNDAMENTALS


Can A Published, Known Standard Encryption Mechanism Really Keep Data A Secret?

YES - And In Fact, It Is The Best Way. How Can This Be?

The Key, Not Algorithm Secrecy, Provides Security

The Mechanism Of Locks Is Public Knowledge

But Without The Key Or Combination - You Can’t Open A Single One !

A Simple Rotation Algorithm Provides A Simple Example

> Substitute One Letter For Another

> Rotate Letters By “N” Positions

GOAL: An Algorithm Simple Enough To See, But Real Enough To Show Issues

Plaintext Maps To Ciphertext Easily - With The Key

Plaintext: A B C D E F G H … Z

Cyphertext: A B C D E F G H I J … C

Key = Rotate Each Letter 2 To The Right

With Rotation Key:

2 “HAD” Becomes “JCF”

3 “HAD” Becomes “KDG”

A Rotation Algorithm Is A Simple Example

> Substitute One Letter For Another

> Rotate Letters By “N” Positions

> N Is The (Shared, Secret) Key

> 0 < N < 25

GOAL: An Algorithm Simple Enough To See, But Real Enough To Show Issues


The Rotation Algorithm Has General Characteristics

> Algorithm Is Known, Key Provides Security

> Unique Mapping Of Plaintext To Ciphertext

> Coding/Decoding Easy With The Key

> Decoding Hard Without The Key

> Can Be Broken By Guessing

> Longer Keys Harder To Break
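
The rotation algorithm and the "Can Be Broken By Guessing" point, as an added Python example that is not part of the original presentation. The function names and the sample command are constructed for illustration; with only 25 usable keys, trying them all is immediate.

```python
import string

ALPHABET = string.ascii_uppercase

def rotate(text: str, n: int) -> str:
    """Rotate each letter n positions to the right; other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + n) % 26])
        else:
            out.append(ch)
    return "".join(out)

def decrypt(ciphertext: str, n: int) -> str:
    """Decoding is easy with the key: rotate back by the same amount."""
    return rotate(ciphertext, -n)

def guess_key(ciphertext: str, expected_words):
    """Decoding without the key: try every key and keep plausible plaintexts."""
    hits = []
    for n in range(1, 26):
        candidate = decrypt(ciphertext, n)
        if any(word in candidate for word in expected_words):
            hits.append((n, candidate))
    return hits

if __name__ == "__main__":
    print(rotate("HAD", 2), rotate("HAD", 3))
    intercepted = rotate("OPEN A VALVE", 11)   # constructed sample message
    print(intercepted, guess_key(intercepted, ["OPEN", "VALVE"]))
```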

A Digression: How Hard Is “Hard”?

> A $250,000 Computer Can Guess A 56-Bit Key In 2 Hours

> Each Additional Bit Doubles Guessing Time

> 64 Bits Takes 128x2=256 hours

> 128 Bits Takes 2x293 hours


The Rotation Algorithm Has General Characteristics (Cont)

> “Symmetric Key” Means Both Keys The Same

> Both Parties Have Common, SECRET Key

> If One Key For Many Units, Getting 1 Gets All

> “Symmetric Key” Management An Issue

> Changing Keys Adds Security

> Never Use A Key To Send A New Key


There Are Three Kinds Of Algorithm

> Symmetric Key - Same, Secret Key

> Public Key - Publish Half Of A Key

> Common Number - Parties Get Same Keys

AGA 12-1 Uses Only Symmetric Key. AGA 12-2 Will Include Public Key, Too


Symmetric Keys Are The Same For Both Parties

> Key Must Be Secret

> One Key For All Raises Risk

> One Key Per Pair Is Hard On A Big Network

> Key Knowledge Is Weak Authentication

> Must “Introduce” Units To Each Other

> “AES” Is An Example Of A Symmetric Key

AES Shuffles And Changes Bits According To A Key

0 1 0 0 0 1 0 1

0 1 0 0 1 1 0 1

Move

Change

0 1 1 0 1 1 1 0


AES Encrypts Messages

> Advanced Encryption Standard (AES)

> AES-128, 192, or 256 -> Key Length

> Winner Of NIST “Shoot-out”

> Both Units Have SHARED, SECRET Key

> NIST/FIPS Approved Algorithm

> Changing One Bit In Plain (Cipher) Text Changes Half The Bits In Cipher (Plain) Text

RSA Uses A Public And A Private Key

> Public Key Is 2 Numbers, N And E

> N Is A Modulus

> E Is A Large Number Used To Encrypt

> D Is A Large Number Used To Decode

RSA Is Easy In Principle

> Message Is Called M

> Encrypt Message With RECIPIENT’S (N, E)

> C = Cyphertext = $M^{E} \bmod N$

> Mod N = Remainder After Dividing By N

> Recipient Decrypts With Private Half Of Key

> P = Plaintext = $C^{D} \bmod N$

RSA Uses Overflow In Modular Arithmetic

> Cyphertext = C = $M^{E} \bmod N$

> Plaintext = P = $C^{D} \bmod N$

> $P = C^{D} \bmod N = (M^{E})^{D} \bmod N = M^{ED} \bmod N$

> Note EITHER D Or E Can Encrypt

E And D Are Chosen So Raising M To The ED Power Is $M^{1}$

RSA Is Easy To Demonstrate By Example

> Take (E,N) As (7, 33)

> Take D = 3

> Take M = 15

> C = $15^{7} \bmod 33 = 27$ (Transmit This)

> P = $27^{3} \bmod 33 = 15$ (Original Message, M)

The Security Comes From How Hard It Is To Find D, Given (E, N)
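
The slide's numbers worked through in Python, as an added example that is not part of the original presentation. It also shows why the security rests on the difficulty of finding D from (E, N): with N as small as 33, one factoring step yields the private exponent. The function names are this example's own.

```python
def rsa_apply(value: int, exponent: int, modulus: int) -> int:
    """Modular exponentiation: the one operation used to encrypt and decrypt."""
    return pow(value, exponent, modulus)

def factor(n: int):
    """Trial division; only practical because the slide's N is tiny."""
    p = 2
    while p * p <= n:
        if n % p == 0:
            return p, n // p
        p += 1
    raise ValueError("n has no non-trivial factor")

def recover_d(e: int, n: int) -> int:
    """Derive the private exponent from the public key by factoring N."""
    p, q = factor(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse of E (Python 3.8+)

def roundtrip_all(e: int, d: int, n: int) -> bool:
    """Check that raising to the ED power returns M for every M below N."""
    return all(rsa_apply(rsa_apply(m, e, n), d, n) == m for m in range(n))

if __name__ == "__main__":
    E, N, D, M = 7, 33, 3, 15          # values from the slide
    C = rsa_apply(M, E, N)
    print("ciphertext:", C)            # what is transmitted
    print("plaintext:", rsa_apply(C, D, N))
    print("D recovered from (E, N):", recover_d(E, N))
    print("every message round-trips:", roundtrip_all(E, D, N))
```

At 1024 bits the same factoring step is the infeasible part, which is why the key size, not the secrecy of the formula, carries the security.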

Public Key Has Many Advantages

> No Need To Track Key Pairs

> Can Authenticate AND Encrypt

RSA Will Send Session Keys And Authenticate

> Public Key

> 1024 Bit Key

> Relatively Slow

> Authentic Signature (With Valid Public Key)

Algorithm Classes Require Different Resources

> Public Code Length 3 Times Symmetric

> Public Key Is 10 Times Symmetric Key

> Public Key Execution = 100 Symmetric

Assumes Same Security, (128 Bit Symmetric Key, 1024 Public Key)


BUT WAIT! We Have A Problem!

> Formulas Are Deterministic

> Same Messages Give Same Ciphertext

> Assailants Can Deduce SCADA Messages

> “Cipher Block Chaining” Is The Solution

Protocol Requires Using The “CBC Mode”

> Communicate In Sessions

> Unit A Generates A Random Number

> A Encrypts & Sends To B

> B Decrypts, Both Units Call This The “IV”

> IV = “Initialization Vector”

> XOR Message With IV

> Encrypt XORed Message

> Same Plaintext -> Different Ciphertext

> Use Last Ciphertext As Next IV

HOW AGA 12 PROTECTS COMMUNICATIONS


AGA 12-1 Scrambles To Protect Against Interception

> AES-128, 192, or 256 Give Privacy

> Winner Of NIST “Shoot-out”

> Both Units Have SHARED, SECRET Key

> Operates In “CBC Mode”
– “Cipher Block Chaining”
– Same Plaintext -> Different Ciphertext
– XOR Plaintext With Last Ciphertext
– Both Units Have Same IV
– XOR Is Self-Inverse Operation

AGA 12-1 Protects Against Fabrication

> Shared Secret Key Helps

> CMID (Unique ID #)

> Public Key Coming – AGA 12-1.1
– “Digital Certificates”

AGA 12-1 Protects Against Alteration & Replay

> CBC Mode Prevents
– Block Insertion
– Block Deletion
– Block Re-ordering

> Replay Won’t Decrypt Properly Either
– Messages Change Due To XOR With NEW Number
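
The session steps from the “CBC Mode” slide and the replay behaviour described above, as an added Python example that is not part of the original presentation or of AGA 12-1. A toy Feistel cipher built from SHA-256 stands in for AES so the code runs with the standard library only; the key, IV, command and all names are constructed for illustration.

```python
import hashlib, os

BLOCK = 8  # toy block size in bytes (AES blocks are 16 bytes)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):  # keyed round function for the toy cipher
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]

def encrypt_block(key, block):
    """Toy 4-round Feistel cipher, an assumed stand-in for AES."""
    left, right = block[:4], block[4:]
    for i in range(4):
        left, right = right, _xor(left, _f(key, i, right))
    return left + right

def decrypt_block(key, block):
    left, right = block[:4], block[4:]
    for i in reversed(range(4)):
        left, right = _xor(right, _f(key, i, left)), left
    return left + right

class Unit:
    """One end of a session: shared secret key plus the running IV."""
    def __init__(self, key, iv):
        self.key, self.iv = key, iv

    def send(self, message):
        ct = encrypt_block(self.key, _xor(message, self.iv))
        self.iv = ct  # last ciphertext becomes the next IV
        return ct

    def receive(self, ct):
        message = _xor(decrypt_block(self.key, ct), self.iv)
        self.iv = ct
        return message

def demo():
    key, iv = os.urandom(16), os.urandom(BLOCK)  # constructed session values
    cmd = b"OPEN V01"                            # constructed 8-byte command
    a = Unit(key, iv)
    b = Unit(key, decrypt_block(key, encrypt_block(key, iv)))  # IV sent encrypted
    unchained = encrypt_block(key, cmd) == encrypt_block(key, cmd)
    c1, c2 = a.send(cmd), a.send(cmd)
    p1, p2 = b.receive(c1), b.receive(c2)
    replayed = b.receive(c1)  # old ciphertext presented again
    return unchained, c1, c2, p1, p2, replayed
```

Calling `demo()` shows the same command producing two different ciphertexts under chaining. The replayed block decrypts to unrelated bytes rather than raising an error, so the receiving unit still has to recognise that the result is not a valid message.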

AGA 12-1 Indicates Key Guessing / Extraction

> “Guessing” Possible, But Slow
– Millions of Years
– Change Keys Per Policy

> Minimum: Tamper Indication

> Can Specify Tamper Resistant/Envelope

FUTURE DEVELOPMENTS

A Few Things We Did Not Have Time To Mention

> Need A Security Policy

> A Certification Program Exists

> Work Is Starting To Embed

> There Is A Cryptographic Protocol (SLS)

> Lab & Field Tests Starting

> . . . And A Lot More !


What Should You Do?

> Take A Full Course/Read The Standard

> Contact Bill Rush For Details/Questions
– 847/768-0554
– [email protected]

> Champion AGA 12 As A Standard

> Champion AGA 12 In Your Company

Use AGA 12-1 To Protect SCADA Communications

> Gas, Water, Electric

> Protects Against Many Attacks

> Retrofits Many Systems

> Under 100 Millisecond Latency Added

> Reasonable Cost

> Will Be Upgraded

AGA 12-1 Uses Only Symmetric Key. AGA 12-1.1 Will Include Public Key, Too