1. School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing 210094, Jiangsu, China
2. National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences, Beijing 101408, China
3. Zhongguancun Laboratory, Beijing 100194, China
4. School of Cyberspace Security (School of Cryptology), Hainan University, Haikou 571835, Hainan, China
HUANG Tao (1988- ), male, born in Yangzhou, Jiangsu, is a Ph.D. candidate at Nanjing University of Science and Technology. His main research interests include industrial control system security and protocol reverse engineering.
WANG Zhiwei (2000- ), male, born in Xinyang, Henan, is a Ph.D. candidate at the University of Chinese Academy of Sciences. His main research interests include industrial control protocol fuzzing and APT attack and defense techniques.
LIU Jiachi (2000- ), male, born in Anyang, Henan, is a master's student at Nanjing University of Science and Technology. His main research interests include industrial control protocol security and protocol reverse engineering.
LONG Qianxi (2000- ), female, born in Xianning, Hubei, is a master's student at Nanjing University of Science and Technology. Her main research interests include industrial control system security and protocol reverse engineering.
KUANG Boyu (1994- ), male, born in Mianyang, Sichuan, is a postdoctoral researcher at Nanjing University of Science and Technology. His main research interests include IoT security and privacy protection.
FU Anmin (1981- ), male, born in Tongcheng, Hubei, holds a Ph.D. and is a professor and doctoral supervisor at Nanjing University of Science and Technology. His main research interests include IoT security, cryptography and privacy protection.
ZHANG Yuqing (1966- ), male, born in Baoji, Shaanxi, holds a Ph.D. and is a doctoral supervisor at the University of Chinese Academy of Sciences. His main research interests include network attack and defense and system security, big data and intelligent security, and IoT system security.
Received: 2023-12-08
Revised: 2024-05-13
Published in print: 2024-06-25
HUANG Tao,WANG Zhiwei,LIU Jiachi,et al.Survey on industrial control protocol security research[J].Journal on Communications,2024,45(06):60-74. DOI: 10.11959/j.issn.1000-436x.2024104.
The security of industrial control protocols is the cornerstone of stable ICS operation. A large number of industrial control protocols ignored security considerations in the design phase, so most mainstream industrial control protocols today generally have vulnerabilities. Considering the ICS architecture and the developmental characteristics of industrial control protocols, the vulnerabilities and attack threats commonly faced by industrial control protocols were systematically summarized. At the same time, for the unknown potential vulnerabilities of industrial control protocols, the vulnerability mining techniques were analyzed in depth, including those based on static symbolic execution, code auditing and fuzzing. The security protection technology for protocol design was comprehensively dissected from three directions: industrial control protocol specification design, communication mechanism, and third-party middleware. In addition, the future development trends of industrial control protocol security were discussed from the aspects of sandbox development, security protection and vulnerability mining.