Trusted Software Updates for Secure Enclaves in Industrial Control Systems

Abstract

Industrial Control Systems (ICSs) manage critical infrastructures such as water treatment facilities, petroleum refineries, and power plants. ICSs are networked through Information Technology (IT) infrastructure for remote monitoring and control of physical processes. As ICSs integrate with IT infrastructure, IT vulnerabilities are carried over to the ICS environment. Previously proposed process controller security architectures maintain safe and stable plant operation even in the presence of attacks that exploit ICS vulnerabilities. Security architectures are process control system-level solutions that leverage isolated and trusted hardware (secure enclaves) for ICS security. Upon detecting an intrusion, the secure enclave switches control of the physical process to a high assurance controller, making a fail-safe plant operation.

The process control loop components have an average lifespan of several decades. During this time, electromechanical components of process control loop may undergo aging that alters their characteristics and affects control loop performance. To deal with component aging and to improve control algorithm flexibility, updates to control loop parameters are required. Plant model, process control loop system specifications, and control algorithm-based security mechanisms at the secure enclave require parameter updates. ICSs have hundreds of process control components that may need be installed in hazardous environments and distributed across hundreds of square kilometers. Updating each component physically may lead to accidents, expensive travel, and increased downtime. Some ICS have allowable downtime of only 5 minutes per year. Hence, remote updates are desirable.

A proposed dedicated and isolated hardware module at the secure enclave provides authentication of the update and ensures safe storage in a non-volatile memory. A protocol designed for update transmission through an untrusted ICS network provides resilience against network integrity attacks such as replay attacks. Encryption and authentication of the updates maintain integrity and confidentiality. During the normal plant operation, the hardware module is invisible to the other modules of the process control loop. The proposed solution is implemented on Xilinx Zynq-7000 programmable System-on-Chip to provide secure enclave updates.