Yuan Tao,Wei Hu,Sheng Li

DOI: https://doi.org/10.1109/icaa53760.2021.00155

2021-01-01

Abstract:Industrial control system requires high availability. In principle, security measures should not adversely affect the basic functions of high availability industrial control system. The method of building a secure and trusted PLC are proposed based on trusted computing. Under the premise of ensuring business security, the security protection system of industrial control system is built through trusted computing, and hardware solutions are provided on the security master controller. In order to prevent the attack from the industrial control system network, the encryption technology is used to ensure the confidentiality and integrity of the communication session, which are between the field of control equipment layer and the process monitoring equipment layer, so as to make the industrial control system in a stable and reliable state.

Tong Sun,Borui Li,Yixiao Teng,Yi Gao,Wei Dong

DOI: https://doi.org/10.1109/ipsn61024.2024.00021

2024-01-01

Abstract:Internet of Things (IoT) applications have recently been widely used in safety-critical scenarios. To prevent sensitive information leaks, IoT device vendors provide hardware-assisted protections, called Trusted Execution Environments (TEEs), like ARM Trust-Zone. Programming a TEE-based application requires separate code for two components, significantly slowing down the development process. Existing solutions tackle this issue by automatic code partition while not successfully applying it in two complicated scenarios: adding trusted logic and interactions with secure peripherals.We propose dTEE, a declarative approach to secure IoT applications based on TrustZone. dTEE proposes a rapid approach that enables developers to declare tiered-sensitive variables and functions of existing applications. Besides, dTEE automatically transforms device drivers into trusted ones. We evaluate dTEE on four real-world IoT applications and seven micro-benchmarks. Results show that dTEE achieves high expressiveness for supporting 50% more applications than existing approaches and reduces 90% of the lines of code against handcrafted development.

Qiang Wu,Ran Wang,Xincheng Yan,Chunming Wu,Rongxing Lu

DOI: https://doi.org/10.1109/MWC.001.2100251

IF: 12.777

2022-01-01

IEEE Wireless Communications

Abstract:Opening-up sharing has prompted the multi-tenancy architecture, whereby different vendors (including outsourcees) work together with network operators to form a vibrant service ecosystem, resulting in several advantages as well as risks. In particular, the static nature of existing architectures in network functions virtualization-based (NFV-based) clouds facilitate hacking. Thus, much attention has been focused on determining how to avoid the uncontrollable cloud security induced by complex production relations and non-trustworthy software/hardware sources when the two sets of security risks intersect. In this article, we investigate latent persistent threats against cloud environments and determine a high degree of complementarity and consistency between the NFV-based cloud environment and the dynamic defense concept. More specifically, new NFV-based cloud features provide an effective implementation for dynamic defense, while the generalized robustness of dynamic defense theory allows for high security gains. Intrinsic cloud security (iCS) is then proposed to align NFV-based clouds, mimicking defense and the moving target defense (MTD) paradigm to implement a seamless integration and symbiosis evolution between security and NFV-based clouds. We quantify the impact on system overhead to account for efficiency and cost issues. The simulation analysis demonstrates that the enhanced mode is able to consistently obtain a more beneficial and stable defense compared with the counterparts.

Jing Bai,Xiao Zhang,Longyun Qi,Wei Liu,Xianfei Zhou,Yin Liu,Xiaoliang Lv,Boyan Sun,Binbin Duan,Siyuan Zhang,Xin Che

DOI: https://doi.org/10.3390/electronics12194182

IF: 2.9

2023-10-10

Electronics

Abstract:The Fourth Industrial Revolution, also known as Industrial 4.0, has greatly accelerated inter-connectivity and smart automation in industrial control systems (ICSs), which has introduced new challenges to their security. With the fast growth of the Internet of Things and the advent of 5G/6G, the collaboration of Artificial Intelligence (Al) and the Internet of Things (loT) in ICSs has also introduced lots of security issues as it highly relies on advanced communication and networking techniques. Frequent ICS security incidents have demonstrated that attackers have the ability to stealthily breach the current system defenses and cause catastrophic effects to ICSs. Thankfully, trusted computing technology, which has been a popular research topic in the field of information security in recent years, offers distinct advantages when applied to ICSs. In this paper, we first analyze the vulnerabilities of ICSs and the limitations of existing protection technologies. Then, we introduce the concept of trusted computing and present a security framework for ICSs based on Trusted Computing 3.0. Finally, we discuss potential future research directions.

engineering, electrical & electronic,computer science, information systems,physics, applied

Rui Chang,Liehui Jiang,Wenzhi Chen,Yaobin Xie,Zhongyong Lu

DOI: https://doi.org/10.23919/tst.2017.8030534

2017-01-01

Tsinghua Science & Technology

Abstract:The run-time security guarantee is a hotspot in current cyberspace security research, especially on embedded terminals, such as smart hardware as well as wearable and mobile devices. Typically, these devices use universal hardware and software to connect with public networks via the Internet, and are probably open to security threats from Trojan viruses and other malware. As a result, the security of sensitive personal data is threatened and economic interests in the industry are compromised. To address the run-time security problems efficiently, first, a TrustEnclave-based secure architecture is proposed, and the trusted execution environment is constructed by hardware isolation technology. Then the prototype system is implemented on real TrustZone-enabled hardware devices. Finally, both analytical and experimental evaluations are provided. The experimental results demonstrate the effectiveness and feasibility of the proposed security scheme.

Quanqi Ye,Heng Chuan Tan,Daisuke Mashima,Binbin Chen,Zbigniew Kalbarczyk

DOI: https://doi.org/10.36227/techrxiv.15147171

2021-08-12

Abstract:Industrial Control Systems (ICS) are traditionally designed to operate in an "air-gapped" environment. With the advent of digital technologies, many ICS are adopting IT solutions to improve interoperability and operational efficiency. Thus, the air-gap assumption no longer holds in practice. Most ICS devices today are modernized with networking capabilities to facilitate system maintenance, upgrades, and troubleshooting. Since these devices are connected to the Internet, ICS networks face the same security threats as regular IT systems. In addition, ICS operators can connect commercial off-the-shelf (COTS) equipment to ICS networks to perform operational tasks. Those COTS devices are usually personal computers or even mobile devices, which can be infected with malware and become weapons against ICS. In this position paper, we examine the design challenges of establishing trust between COTS equipment and ICS. We also present some commonly used security solutions and discuss their deployment challenges due to issues caused by legacy systems. Finally, we introduce the Trusted Execution Environment (TEE), a technology commonly available on modern COTS devices, as a trust anchor for establishing secure communications with the ICS infrastructure. We discuss some research gaps related to the use of TEE and propose some recommendations to guide future research.

Liming Fang,Hanyi Zhang,Minghui Li,Chunpeng Ge,Liang Liu,Zhe Liu

DOI: https://doi.org/10.1109/jiot.2020.2996664

IF: 10.6

2020-09-01

IEEE Internet of Things Journal

Abstract:With the high popularity of IoT devices, industrial IoT platforms, such as smart factories and oilfield industrial control systems, have become a new trend in the development of smart city. Although various manufacturers pay wide attention to the different functional requirements of IoT platforms, they seldom consider security issues, especially in terms of data security, which has led to a large number of cases of privacy leakage. Some works have been made to provide secure and reliable communication solutions for industrial IoT platforms, unfortunately, as different communication protocols and interaction models are adopted in different scenarios, these solutions are mainly isolated and fragmented. Therefore, it is an urgent challenge to construct a universal cross-platform secure communication scheme for industrial IoT platforms. In this article, we analyze the logic and requirements of different industrial IoT scenarios to abstracts them into a universal model. We summarize the possible attacks on different industrial IoT platforms and design a security scheme to capture these attacks based on the conditional proxy re-encryption primitive. The proposed scheme ensures that data cannot be accessed by an unauthorized user. We also evaluate the security and performance of our scheme, and the experimental results show that our scheme can achieve the functionality and security requirements with low overhead.

computer science, information systems,telecommunications,engineering, electrical & electronic

CHEN Wen-zhi,HUANG Wei,XIE Cheng,HE Qin-ming

DOI: https://doi.org/10.3785/j.issn.1008-973x.2009.02.016

2009-01-01

Abstract:Virtualization was introduced to increase the security of embedded devices while avoiding the shortcomings caused by the hardware-based approach such as poor flexibility,high complexity and high production cost of equipments.Virtualization platform SmartVP offers a secure system environment by the software-based approach.SmartVP partitions the computing resources on the ARM processor into two parallel sets,one for standard real-time operating system T-Kernel and the other for general-purpose operating system Linux.The trusted computing base of SmartVP is constructed by protecting the code and data of the software on T-Kernel,as well as by implementing the fundamental security services and interfaces.Both performance benchmark and applications show that SmartVP improves the security of embedded devices and reduces the implementing risk together with developing time and cost.

Zhongran Zhou,Cheng Huang,Xuxi Zou,Lei Mao

DOI: https://doi.org/10.1145/3654446.3654508

2023-01-01

Abstract:In industrial Internet system, data security and privacy protection are very important, and data interaction and collaboration need fast and reliable network connection. Lightweight trusted identity architecture needs to support high-speed data transmission and processing, and provide secure authentication and access control mechanisms to prevent unauthorized access and malicious attacks. Therefore, a lightweight trusted identity architecture based on cloud-side collaboration technology of industrial Internet is designed. The data collector is used to collect the lightweight trusted identification data of industrial Internet, and a task scheduling model of industrial Internet is constructed based on cloud-side collaboration technology. On this basis, combined with industrial Internet, trusted applications and logo authorities, the lightweight trusted logo architecture is designed. The experimental results show that the proposed method has high confidence and accuracy of verification information, and can accurately detect and identify industrial Internet attacks, and take corresponding countermeasures in time, thus protecting users' network security.

Rui Chang,Liehui Jiang,Wenzhi Chen,Yaobin Xie,Zhongyong Lu

2016-01-01

Abstract:The run-time security guarantee is a hotspot in current cyberspace security research, especially on embedded terminals, e.g., smart hardware, wearable devices, mobile devices. Typically, these devices use universal hardware and software to connect with public network by internet, and are probably open to security threats from Trojan, virus and other malware. As a result, not only personal sensitive data is threatened, economic interests in industry are also compromised. To address the run-time security problems efficiently, first a TrustEnclave-based secure architecture is proposed, and the trusted execution environment is constructed by hardware isolation technology. Then the prototype system is implemented on real TrustZone-enabled hardware devices. Last, both analytical and experimental evaluations are given in the end. The experimental results demonstrate that the proposed security scheme is effective and feasible.

Zhiang Li,Daisuke Mashima,Wen Shei Ong,Ertem Esiner,Zbigniew Kalbarczyk,Ee-Chien Chang

DOI: https://doi.org/10.48550/arxiv.2403.05448

2024-03-08

Cryptography and Security

Abstract:Programmable logic controllers (PLCs) are crucial devices for implementing automated control in various industrial control systems (ICS), such as smart power grids, water treatment systems, manufacturing, and transportation systems. Owing to their importance, PLCs are often the target of cyber attackers that are aiming at disrupting the operation of ICS, including the nation's critical infrastructure, by compromising the integrity of control logic execution. While a wide range of cybersecurity solutions for ICS have been proposed, they cannot counter strong adversaries with a foothold on the PLC devices, which could manipulate memory, I/O interface, or PLC logic itself. These days, many ICS devices in the market, including PLCs, run on ARM-based processors, and there is a promising security technology called ARM TrustZone, to offer a Trusted Execution Environment (TEE) on embedded devices. Envisioning that such a hardware-assisted security feature becomes available for ICS devices in the near future, this paper investigates the application of the ARM TrustZone TEE technology for enhancing the security of PLC. Our aim is to evaluate the feasibility and practicality of the TEE-based PLCs through the proof-of-concept design and implementation using open-source software such as OP-TEE and OpenPLC. Our evaluation assesses the performance and resource consumption in real-world ICS configurations, and based on the results, we discuss bottlenecks in the OP-TEE secure OS towards a large-scale ICS and desired changes for its application on ICS devices. Our implementation is made available to public for further study and research.

FENG Dengguo,LIU Jingbin,QIN Yu,FENG Wei,Wei FENG,Yu QIN,Jingbin LIU,Dengguo FENG

DOI: https://doi.org/10.1360/ssi-2020-0096

2020-08-01

Scientia Sinica Informationis

Abstract:Trusted computing is based on a hardware security mechanism establishing a trusted computing environment and comprehensively enhances the system and network trust from the architectural perspective. With the development of information technology and continuous emergence of new application scenarios, security threats in the cyberspace are becoming increasingly serious; hence, trusted computing is actively researched in both academia and industry to find solutions against such treats. This paper summarizes the development process of trusted computing theory from the perspective of innovation and development. The study centers around one of the authors research results in trusted computing over the past 20 years. It proposes a trusted computing technology architecture that covers two method foundations, three trust cores, and four key technologies. Furthermore, the paper summarizes important research problems in mobile trusted computing, quantum-resistant trusted computing, trusted Internet of Things (IoT), trusted cloud, and trusted blockchain, elaborating on the integration and development of trusted computing in these fields. In mobile trusted computing, the design and implementation of a trusted execution environment architecture with software/hardware co-design is the focus of research. Another two important research issues in mobile trusted computing are the runtime security isolation and protection of the mobile operating systems kernel and trusted execution environment-based mobile application security protection. Due to the characteristics of embedded environments and limitation of resources, the construction of lightweight trusted roots, efficient and secure software attestation, practical secure code update mechanism, and swarm device attestation are important issues for further research in trusted IoT. In new scenarios such as quantum-resistant trusted computing, trusted cloud, and trusted blockchain, trusted computing is also constantly expanding its application boundaries and playing an increasingly important role. Finally, this paper looks ahead and discusses the development trends in trusted computing.

Heng Zhang,Yinchu Wang,Yawen Xue,Ruilong Deng,Hongran Li,Jian Zhang

DOI: https://doi.org/10.23919/ccc63176.2024.10662787

2024-01-01

Abstract:Industrial network control systems (INCSs) are easy to be targeted by attackers due to their high economic value. Most of the existing defense methods are deployed at the network boundary, which causes high-security risks to INCS once an attacker enters the system. In addition, many existing intrusion detection systems (IDSs) build detection models based on historical data. When INCS lacks sufficient historical data, it is difficult to build detection models with high accuracy. In this paper, we propose a trust assessment model for INCS based on Fourier series fitting employing concept of zero trust to assess the real-time trust of INCS. The model alerts when INCS has low trust. We test two data injection attacks in the experiment to prove the effectiveness of our approach.

Xiaoheng Deng,Bin Chen,Xuechen Chen,Xinjun Pei,Shaohua Wan,Sotirios K. Goudos

DOI: https://doi.org/10.1109/tii.2023.3245681

IF: 12.3

2023-01-01

IEEE Transactions on Industrial Informatics

Abstract:The Internet of Things (IoT) mainly consists of a large number of Internet-connected devices. The proliferation of untrusted third-party IoT applications has led to an increase in IoT-based malware attacks. In addition, it is infeasible for the IoT devices to support the sophisticated detection systems due to the restricted resources. Edge computing is considered to be promising. It provides solutions to the data security and privacy leakage brought by untrusted third-party IoT applications. In this article, an intelligent trusted and secure edge computing (ITEC) system is proposed for IoT malware detection. In this system, a signature-based preidentification mechanism is built for matching and identifying the malicious behaviors of untrusted third-party IoT applications. A delay strategy is then embedded into the risk detection engine in order to “buy time” for threat analysis and rate-limit the impact of suspicious third-party IoT applications in the system. We conduct extensive experiments to verify the effectiveness of the ITEC system and show that we can achieve accuracies of up to 98.52%.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Boran Yang,Dapeng Wu,Ruyan Wang,Zhigang Yang,Yu Yang

DOI: https://doi.org/10.1016/j.dcan.2022.11.007

IF: 6.348

2022-11-01

Digital Communications and Networks

Abstract:The phenomenal popularity of smart mobile computing hardware is enabling pervasive edge intelligence and ushering us into a digital twin era. However, the natural barrier between edge equipment owned by different interested parties poses unique challenges for cross-domain trust management. In addition, the openness of radio access and the accessibility of edge services render edge intelligence systems vulnerable and put sensitive user data in jeopardy. This paper presents an intrusion protection mechanism for edge trust transfer to address the inter-edge trust management issue and the conundrum of detecting indistinguishable malevolent nodes launching weak attacks. First, an inter-edge reputation transfer framework is established to leverage the trust quality of different edges to retain the accumulated trust histories of users when they roam in multi-edge environments structurally. Second, a fine-grained intrusion protection system is proposed to reduce the negative impact of attacks on user interactions and improve the overall trust quality and system security of edge intelligence services. The experimental results validate the effectiveness and superior performance of the proposed intrusion protection for edge trust transfer in securing, enhancing, and consolidating edge intelligence services.

telecommunications

Keping Yu,Liang Tan,Caixia Yang,Kim-Kwang Raymond Choo,Ali Kashif Bashir,Joel J. P. C. Rodrigues,Takuro Sato

DOI: https://doi.org/10.1109/jiot.2021.3125190

IF: 10.6

2021-01-01

IEEE Internet of Things Journal

Abstract:The Industrial Internet of Things (IIoT), a typical Internet of Things (IoT) application, integrates the global industrial system with other advanced computing, analysis, and sensing technologies through Internet connectivity. Due to the limited storage and computing capacity of edge and IIoT devices, data sensed and collected by these devices are usually stored in the cloud. Encryption is commonly used to ensure privacy and confidentiality of IIoT data. However, the key used for data encryption and decryption is usually directly stored and managed by users or third-party organizations, which has security and privacy implications. To address this potential security and privacy risk, we propose a Shamir threshold cryptography scheme for IIoT data protection using blockchain: STCChain. Specifically, in our solution, the edge gateway uses a symmetric key to encrypt the data uploaded by the IoT device and stores it in the cloud. The symmetric key is protected by a private key generated by the edge gateway. To prevent the loss of the private key and privacy leakage, we use a Shamir secret sharing algorithm to divide the private key, encrypt it, and publish it on the blockchain. We implement a prototype of STCChain using Xuperchain, and the results show that STCChain can effectively prevent attackers from stealing data as well as ensuring the security of the encryption key.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yong-Qiang Lv,Qiang Zhou,Yi-Ci Cai,Gang Qu

DOI: https://doi.org/10.1007/s11390-014-1479-9

IF: 1.871

2014-01-01

Journal of Computer Science and Technology

Abstract:Hardware security has become more and more important in current information security architecture.Recently collected reports have shown that there may have been considerable hardware attacks prepared for possible military usage from all over the world.Due to the intrinsic difference from software security,hardware security has some special features and challenges.In order to guarantee hardware security,academia has proposed the concept of trusted integrated circuits,which aims at a secure circulation of IC design,manufacture and chip using.This paper reviews the main problems of trusted integrated circuits,and concludes four key domains of the trusted IC,namely the trusted IC design,trusted manufacture,trusted IP protection,and trusted chip authentication.The main challenges in those domains are also analyzed based on the current known techniques.Finally,the main limitations of the current techniques and possible future trends are discussed.

Wenli Shang,Xudong Wen,Zhuo Chen,Wenze Xiong,Zhiwei Chang,Zhong Cao

DOI: https://doi.org/10.1631/fitee.2400497

IF: 2.526

2024-11-06

Frontiers of Information Technology & Electronic Engineering

Abstract:In edge control systems (ECSs), edge computing demands more local data processing power, while traditional industrial programmable logic controllers (PLCs) cannot meet this demand. Thus, edge intelligent controllers (EICs) have been developed, making their secure and reliable operation crucial. However, as EICs communicate sensitive information with resource-limited terminal devices (TDs), a low-cost, efficient authentication solution is urgently needed since it is challenging to implement traditional asymmetric cryptography on TDs. In this paper, we design a lightweight authentication scheme for ECSs using low-computational-cost hash functions and exclusive OR (XOR) operations; this scheme can achieve bidirectional anonymous authentication and key agreement between the EIC and TDs to protect the privacy of the devices. Through security analysis, we demonstrate that the authentication scheme can provide the necessary security features and resist major known attacks. Performance analysis and comparisons indicate that the proposed authentication scheme is effective and feasible for deployment in ECSs.

engineering, electrical & electronic,computer science, information systems, software engineering

Yan Zhao,Ning Hu,Yue Zhao,Zhihan Zhu

DOI: https://doi.org/10.1007/s10586-021-03400-6

2021-11-02

Cluster Computing

Abstract:AI-driven edge computing is a development trend of the Industrial Internet of Things (IIoT). However, most existing solutions ignore the limitations of flexibility, security, and real-time performance caused by the rigid architecture of industrial control systems and the “end-to-end” computing paradigm of IIoT. This paper proposes an edge computing scheme for AI-driven IIoT. Specifically, we design a novel software-defined industry control architecture to enhance the flexibility and security of IIoT edge systems. The architecture decouples the software and hardware of Industrial devices by virtualization and industrial modeling technologies, which improves the flexibility and programmability of IIoT edge systems and alleviates the privacy issue of industrial data. Moreover, we adopt a new edge computing method, dispersed computing, to AI-driven IIoT to achieves better real-time performance and resource utilization. The proposed computing method optimizes the computing and networking of AI-driven industrial applications jointly by a multiobjective optimization scheduling algorithm. We also evaluated the performance of our scheme through experiments.

Peiying Zhang,Chunxiao Jiang,Xue Pang,Yi Qian

DOI: https://doi.org/10.48550/arXiv.2202.04300

2022-02-09

Networking and Internet Architecture

Abstract:To a large extent, the deployment of edge computing (EC) can reduce the burden of the explosive growth of the Internet of things. As a powerful hub between the Internet of things and cloud servers, edge devices make the transmission of cloud to things no longer complicated. However, edge nodes are faced with a series of problems, such as large number, a wide range of distribution, and complex environment, the security of edge computing should not be underestimated. Based on this, we propose a tactic to improve the safety of edge computing by virtualizing edge nodes. In detail, first of all, we propose a strategy of edge node partition, virtualize the edge nodes dealing with different types of things into various virtual networks, which are deployed between the edge nodes and the cloud server. Second, considering that different information transmission has different security requirement, we propose a security tactic based on security level measurement. Finally, through simulation experiments, we compare with the existing advanced algorithms which are committed to virtual network security, and prove that the model proposed in this paper has definite progressiveness in enhancing the security of edge computing.