ASSESSMENT OF OPERATOR AUTHENTICATION METHODS IN INDUSTRIAL CONTROL SYSTEMS

Abstract

This paper considers the authentication of operators in instrumentation and control (I&C) systems for industrial facilities. The main emphasis is on such systems for critical facilities, with nuclear power plants (NPPs) as an example. Authentication methods known from public information systems (password, token, and biometrics) are surveyed, and their applicability in the typical operating conditions of an I&C operator is analyzed. The analysis includes experimental testing of password and biometric authentication methods and an expert assessment of their advantages and disadvantages for I&C systems. According to the testing results, all the methods under consideration show somewhat worse false rejection rate (FRR) values than the characteristics reported in available sources. The best results are shown by biometric identification by the face oval. However, the FRR for this method is significant, which can affect the availability of the control function for a legitimate operator. The paper concludes that a promising approach for industrial control systems is to implement multi-factor authentication: token or password protection for blocking authentication jointly with biometric authentication by the face oval with a non-blocking security policy.

About the authors

V. Promyslov

Trapeznikov Institute of Control Sciences, Russian Academy of Sciences

Corresponding author
Email: vp@ipu.ru
Moscow, Russia

K. Semenkov

Trapeznikov Institute of Control Sciences, Russian Academy of Sciences

Email: semenkovk@ipu.ru
Moscow, Russia

N. Mengazetdinov

Trapeznikov Institute of Control Sciences, Russian Academy of Sciences

Email: mengazne@mail.ru
Moscow, Russia

Creative Commons License
This article is available under the Creative Commons Attribution 4.0 International License.
