Abstract
Critical infrastructure such as power generation and water distribution systems have become a priority target in cyber warfare because of their recent computerization and introduction to the internet. As a result, Supervisory Control and Data Acquisition (SCADA) system security has become a hot topic in academic and industrial research. Among these topics, Remote Attestation is a security method intended to detect the presence of fileless malware in remote devices as they continue to operate. This allows for the detection of malware in the absence of long-term storage artifacts before symptoms of compromise begin to appear. In general, a trusted device (the verifier) makes a request for evidence of innocence from the untrusted device (the prover). In software-based schemes, the verifier can then measure the delay between its request and the prover’s response. If this delay is greater than the known computational time of the evidence gathering algorithm performed by the prover, then evidence may have been forged. Multi-hop networks often introduce too much network jitter to allow accurate measurement of prover response time, which limits the effectiveness of software based Remote Attestation in a real-world setting. In this work, we introduce a companion device that the verifier can trust to perform a subset of attestation, thereby removing any network jitter. This device is a Field Programmable Gate Array (FPGA) that is physically connected to the prover. We provide a communication protocol between the verifier, prover, and companion. To evaluate our scheme, we simulate it in a common SCADA network environment under normal and heavy traffic loads. Our simulations are performed in the discrete event network simulator NS-3, and we perform statistical analysis over our results to show that our scheme allows for tight timing constraints to be placed on the prover such that the verifier can more easily determine the validity of the evidence that it receives.
