Up to now, many engineers think of industrial security as limiting physical access to security-relevant systems. The main reason for this view is that process control is typically done at the so-called shop floor level (also called field level) with only minimal connectivity to the higher levels (the SCADA level and the enterprise level with MES and ERP). Even the machine-to-machine connectivity at the shop floor level is often reduced to a minimum.
With this scenario in mind, limiting physical access to the controllers is enough to achieve a sufficient security level: you lock them up in a cabinet and hand the key only to selected people.
But things change drastically when you implement larger connectivity and TCP/IP networks to transport data between machines or between the field level and the enterprise level. Suddenly there are attractive entry points for intruders, and security in such a scenario needs to be much more sophisticated. We all know and use this kind of security mechanism when we use the https protocol or a VPN on an internet connection. We rely on this security level even when doing online banking. Yet for many of us engineers, this security technology is a black box.
This is a series of six articles about security technology, aimed at embedded and automation engineers. I will explain the basic concepts in parts 1 to 4. In parts 5 and 6, I will show possible implementations in embedded systems and hardware. If you are already familiar with security concepts, I suggest you check the headlines of the first four parts for any unknown terms and wait for part 5 to be published. Just follow me so that you do not miss the date.
Using keys instead of secret mechanisms
Think of a confidential letter you want to keep secure by putting it into a closed box. You could use a box with a hidden mechanism. Because you have constructed this mechanism and never told anyone how to open it, you trust this protection. It gives you a sufficient level of security. But what if you need to send this box to your friend Helen a hundred miles away? Then she would need to know the secret too. And you would need to visit her first to tell her the secret privately (sending a letter with instructions on how to open the box would not be the best idea). Now imagine you have several friends and you want to share confidential letters with each of them. But Shelly should not be able to read the letter you sent to Helen. You would need to invent a different secret mechanism for each of your friends. And you could not even reuse the box for different people, because once you have shared the secret with Helen, you can no longer securely use the box with other friends.
Here is where the invention of a lock and a key becomes the solution for your problem:
Instead of using secret mechanisms, you use keys and locks. Everyone may know the general construction of a lock and how to open it with a key. But this knowledge does not help to open the box without the fitting key. So instead of sharing a secret, you share keys. Anyone who possesses a suitable key can open the box and read the confidential letter lying inside. Here are some advantages of this concept:
- You can have more than one key per lock.
- You can easily have more than one lock per box to force the presence of multiple keys.
- If a key gets lost, you can exchange the lock.
- Copying a key can be made impossible or at least very difficult, whereas a secret can hardly be protected from spreading around (you could not even know who has broken the confidentiality once more than two people know the secret).
- You can have complex master-keyed systems in which one key can unlock several locks of a group while other keys open only individual locks of this group.
Yes, I know what you are thinking: keys can be copied, they can be lost, and locks can be opened with lock picks. There we are: you have just discovered another security concept:
Hundred per cent security does not exist, and it will never exist
There are ways to attack every security concept. You only have levels of security. The higher the security level, the more difficult or expensive it gets for an intruder to overcome the security measures. E.g. modern security concepts in IT use keys which could in principle be reconstructed by intruders, but it would take the most powerful existing computers hundreds of years to do so. This automatically shows us another essential principle of security:
Just as computing power is not a static value but increases exponentially from decade to decade, security concepts cannot be static. They fight a permanent battle against intruders' methods, and the primary goal is to stay ahead of them.
Do you realise the necessity for a change of mind in the automation industry? You cannot build a machine which will provide a sufficient security level for 20 years. Security is anything but “never touch a running system”. A secure device will need constant security updates during its life cycle.
But back to the concept of keys. You all know combination locks, so you already know that a key does not need to be a physical device which you possess; it can just as well be secret knowledge: the key code.
It is common practice to use security concepts which combine physical ownership and secret knowledge to compensate for the weaknesses of both types: if you lose the key or it gets stolen, the new possessor cannot use it without the secret. If the secret knowledge gets spied out from a distance, the spy would still need to gain access to the physical key.
So a key may be a number or a digital value. How can we use this concept in IT? That is the inner core of what is called:
Cryptography is a method to lock up secret information by encryption. The easiest way to encrypt a message would be, e.g., to use numbers for each letter (A=1, B=2, and so on). But this would be a secret method again. Using a secret key instead offers all the advantages mentioned above compared to a secret method. A commonly known method is to use a translation table as the key. Each character is replaced by its code from the table. This method is called “codifying”, and the coding matrix is the key for decryption. But there are more sophisticated methods: imagine you write the information on a sheet of paper and place lots of additional letters on this sheet in a random way. The letters of your information are embedded in between these other letters. To read the information, you place a masking layer with cutouts over the sheet. With this key-mask, you see only the relevant letters of the information. Voilà: you are using encryption with a key mechanism. I will show you digital encryption methods later in this series. But you can think of them as a mathematical calculation rule. The encrypted result X is calculated from the original message M by applying a calculation which is always the same (the method) but uses a different parameter K (the key) each time you encrypt a message. X = M + K would be a straightforward encryption rule. Without knowing K, you cannot calculate X from M, and you would need to know the key to decrypt the message M. But with this simple encryption rule, you can also perfectly see the pitfall:
Let’s assume M to be the ASCII code of the message. For coding the word “HELLO”, you would use the numeric representation 72, 69, 76, 76, 79. Using the key K = 10, you get the encrypted numeric representation 82 79 86 86 89 (82 being the ASCII code of R). With knowledge of the rule itself, an intruder already has several clues to guess the key value: you need to look for a word whose letters have the alphabetical distances 0, -3, +4, +4, +7 from the first letter. So you take each letter from A to Z as the first letter of the word and get a list starting with AXEEH, BYFFI, CZGGJ… up to ZWDDG.
Please download the attached EXCEL-Sheet with a complete calculated list. You can also try the method with different key values.
The only key which gives you an existing English word has the value 10! So having a number of M values, in our case just 5 of them (the five letters of the word HELLO), gives you a perfect clue to find the key K. In other words: the security level of this encryption formula is weak because it is a simple shift of the numeric code. You could improve it by using more than one key value in the calculation rule that produces the encrypted item:
X = (M + K1 - K2).
That rule would be like using two padlocks like this:
It does not improve your security at all. But using the two keys more intelligently does help:
X = (M+K1)*K2.
Yes, we could also build an EXCEL sheet for this formula, but we would have 26 * 26 = 676 rows to check. This also increases the chance of getting more than just one valid English word.
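Both rules above, worked through in code as an added example that is not part of the article: Python stands in for the EXCEL sheet, and the word list is a constructed stand-in for an English dictionary.

```python
# Added example (not from the article): the shift rule X = M + K on ASCII codes,
# the "Excel sheet" brute force over all 26 shifts, and the two-key rule
# X = (M + K1) * K2 with its 26 * 26 candidate key pairs.
import string

ALPHABET = string.ascii_uppercase

# Constructed stand-in for an English word list (a real check would load a
# full dictionary). None of these words is a letter shift of another.
DICTIONARY = {"HELLO", "WORLD", "VALVE", "MOTOR", "ALARM", "RELAY"}

def encrypt_shift(message, key):
    """The article's first rule: X = M + K on the ASCII code of each letter."""
    return [ord(c) + key for c in message]

def shift_candidates(cipher):
    """The article's Excel sheet: every key 0..25 and the word it yields; letters
    wrap around within A..Z, so the 26 rows run from AXEEH to ZWDDG as in the text."""
    idx = [(x - ord("A")) % 26 for x in cipher]
    return {k: "".join(ALPHABET[(i - k) % 26] for i in idx) for k in range(26)}

def break_shift(cipher, dictionary=DICTIONARY):
    """Keys whose candidate word is in the dictionary; the text expects one."""
    return [k for k, w in shift_candidates(cipher).items() if w in dictionary]

def encrypt_two_key(message, k1, k2):
    """The article's improved rule: X = (M + K1) * K2."""
    return [(ord(c) + k1) * k2 for c in message]

def break_two_key(cipher, dictionary=DICTIONARY):
    """Try all 26 * 26 (K1, K2) pairs (K2 = 0 cannot be inverted, so K2 runs
    1..26) and return the pairs whose decryption is a dictionary word."""
    found = []
    for k1 in range(26):
        for k2 in range(1, 27):
            if any(x % k2 for x in cipher):        # M + K1 must be an integer
                continue
            codes = [x // k2 - k1 for x in cipher]
            if all(65 <= m <= 90 for m in codes):  # only A..Z can form a word
                if "".join(chr(m) for m in codes) in dictionary:
                    found.append((k1, k2))
    return found

if __name__ == "__main__":
    c = encrypt_shift("HELLO", 10)
    print(c, shift_candidates(c)[10], break_shift(c))  # [82, 79, 86, 86, 89] HELLO [10]
    c2 = encrypt_two_key("HELLO", 10, 3)
    print(c2, break_two_key(c2))  # [246, 237, 258, 258, 267] [(10, 3)]
```

With this small word list the two-key rule still yields a single hit; with a full dictionary the 676 rows would, as the text says, more often produce several plausible words.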
Please note that none of these algorithms is used for secure encryption. They are just easy-to-understand examples to demonstrate problems which have to be solved when searching for useful encryption principles.
If you are eager to learn more about keys and industrial security, then wait for the second part of this series. It will be about asymmetric keys.