Abstract
This paper presents a Policy Engine for securing building energy management systems (BEMSs), a class of industrial control systems (ICSs) requiring additional protection due to their complex and interconnected nature. The Policy Engine supports multiple deployment modes for legacy compliance and features seamless integration of new security policies. We have implemented a provenance verification solution and integrated it into the Policy Engine. To evaluate the effectiveness of the proposed solution, we have established a testbed that utilizes real BEMS equipment. We compared the security features and performance of the Policy Engine with a state-of-the-art security solution in BEMS, i.e., MQTT using TLS. Results indicate that the Policy Engine with provenance verification policy can secure BEMSs against signal injection, duplication, and remote attacks, with minimal operational impact.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
IEEE standard communication delivery time performance requirements for electric power substation automation. IEEE Std 1646ā2004, pp. 1ā36 (2005). https://doi.org/10.1109/IEEESTD.2005.95748
Alexander, O., Belisle, M., Steele, J.: Mitre att &ck for industrial control systems: design and philosophy. The MITRE Corporation: Bedford, MA, USA, p. 29 (2020)
Cassottana, B., Roomi, M.M., Mashima, D., Sansavini, G.: Resilience analysis of cyber-physical systems: a review of models and methods. Risk Anal. (2023)
Cybersecurity and Infrastructure Security Agency: Crashoverride malware (2017). www.us-cert.gov/ncas/alerts/TA17-163A. Accessed 17 Mar 2023
Case, D.U.: Analysis of the cyber attack on the Ukrainian power grid. Electr. Inf. Sharing Anal. Center (E-ISAC) 388, 1ā29 (2016)
Esiner, E., Mashima, D., Chen, B., Kalbarczyk, Z., Nicol, D.: F-pro: a fast and flexible provenance-aware message authentication scheme for smart grid. In: 2019 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm), pp. 1ā7. IEEE (2019)
Esiner, E., et al.: LoMoS: less-online/more-offline signatures for extremely time-critical systems. IEEE Trans. Smart Grid 13(4), 3214ā3226 (2022)
Fauri, D., de Wijs, B., den Hartog, J., Costante, E., Zambon, E., Etalle, S.: Encryption in ICS networks: a blessing or a curse? In: 2017 IEEE International Conference on Smart Grid Communications (SmartGridComm) (2017)
Hayes, G., El-Khatib, K.: Securing modbus transactions using hash-based message authentication codes and stream transmission control protocol. In: 2013 Third International Conference on Communications and Information Technology (ICCIT), pp. 179ā184. IEEE (2013)
Hussain, S.S., Farooq, S.M., Ustun, T.S.: Analysis and implementation of message authentication code (MAC) algorithms for goose message security. IEEE Access 7, 80980ā80984 (2019)
IEC 62351ā6:2020: Power systems management and associated information exchange-data and communications security-part 6: Security for IEC 61850 (2020)
Johnson, D., Menezes, A., Vanstone, S.: The elliptic curve digital signature algorithm (ECDSA). Int. J. Inf. Secur. 1(1), 36ā63 (2001)
Li, J., Chen, R., Su, J., Huang, X., Wang, X.: ME-TLS: middlebox-enhanced TLS for internet-of-things devices. IEEE Internet Things J. 7(2), 1216ā1229 (2020)
Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120ā126 (1978). https://doi.org/10.1145/359340.359342
Securosys SA: Centurion network encryptor securosys (2020). www.securosys.com/en/product/network-encryptor
Symantec Security Response: Shellshock: All you need to know about the bash bug vulnerability (2014). www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability. Accessed 17 Mar 2023
Tefek, U., Esiner, E., Mashima, D., Chen, B., Hu, Y.C.: Caching-based multicast message authentication in time-critical industrial control systems. In: IEEE INFOCOM 2022-IEEE Conference on Computer Communications, pp. 1039ā1048. IEEE (2022)
Tefek, U., Esiner, E., Mashima, D., Hu, Y.C.: Analysis of message authentication solutions for IEC 61850 in substation automation systems. In: 2022 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm), pp. 224ā230. IEEE (2022)
Thales: High speed encryption network encryptor thales (2020). www.cpl.thalesgroup.com/encryption/network-encryption
Acknowledgements
This research is supported in part by the National Research Foundation, Prime Ministerās Office, Singapore under its Campus for Research Excellence and Technological Enterprise (CREATE) programme, and in part by National Research Foundation, Singapore, Singapore University of Technology and Design under its National Satellite of Excellence in Design Science and Technology for Secure Critical Infrastructure Grant (NSoE_DeST-SCI2021TG-0002).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
Ā© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Lim, J., Ong, W., Tefek, U., Esiner, E. (2023). A Security Policy Engine forĀ Building Energy Management Systems. In: Zhou, J., et al. Applied Cryptography and Network Security Workshops. ACNS 2023. Lecture Notes in Computer Science, vol 13907. Springer, Cham. https://doi.org/10.1007/978-3-031-41181-6_13
Download citation
DOI: https://doi.org/10.1007/978-3-031-41181-6_13
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-41180-9
Online ISBN: 978-3-031-41181-6
eBook Packages: Computer ScienceComputer Science (R0)