Towards End-to-End Data Protection in Low-Powered Networks 1University of Mannheim, 2SAP Product Security Research, 3SAP IoT & Industrie 4.0 Presented at 3rd Workshop On The Security Of Industrial Control Systems & Of Cyber-Physical Systems (CyberICPS 2017) In Conjunction With ESORICS 2017

Contents Problem Solution Evaluation and Deployment Conclusion 2017-09-15 | CyberICPS2017 Towards End-To-End Data Protection in Low-Power Networks | Vasily Mikhalev

Problem 2017-09-15 | CyberICPS2017 Towards End-To-End Data Protection in Low-Power Networks | Vasily Mikhalev

Smart City Water Distribution Network The city of Antibes owns and operates its water & gas distribution network instrumented with 2000 sensors for water flow, temperature, pressure for 315 kms of water pipeline, storages and maintenance points. The most mature segment of the emerging market for IoT applications is enterprise asset management. SAP has developed two applications to address opportunities in this space: SAP Predictive Maintenance and Service SAP Asset Intelligence Network As an example, we will look at a real customer situation of an owner and operator of around 2,000 electric trains, 2,000 locomotives, and 30,000 wagons. This company spends in excess of €1bn in annual maintenance, thereof 40% for corrective maintenance. The business case not only envisions to reduce corrective maintenance cost by at least 5%, but also to extend the lifetime of replacement parts, increase asset availability, and increase passenger satisfaction (e.g. by detecting issues with heating, cooling, or sanitary systems early and reducing train cancelations due to corrective action). The main business process transformation is to move from time- and mileage-based maintenance to dynamically optimized maintenance schedules. @ 2016 SAP SE or an SAP affiliate company. All rights reserved. Internal 4

Smart City Water Distribution Network Need to ensure the continuous provisioning of utilities for the population. Predictive maintenance has been identified as one aspect of the city digital transformation. The most mature segment of the emerging market for IoT applications is enterprise asset management. SAP has developed two applications to address opportunities in this space: SAP Predictive Maintenance and Service SAP Asset Intelligence Network As an example, we will look at a real customer situation of an owner and operator of around 2,000 electric trains, 2,000 locomotives, and 30,000 wagons. This company spends in excess of €1bn in annual maintenance, thereof 40% for corrective maintenance. The business case not only envisions to reduce corrective maintenance cost by at least 5%, but also to extend the lifetime of replacement parts, increase asset availability, and increase passenger satisfaction (e.g. by detecting issues with heating, cooling, or sanitary systems early and reducing train cancelations due to corrective action). The main business process transformation is to move from time- and mileage-based maintenance to dynamically optimized maintenance schedules. @ 2016 SAP SE or an SAP affiliate company. All rights reserved. Internal 5

Retro fit on Physical Assets Low-Power Wide-Area Networks Reliable and cost effective, meeting industrial needs Powered Wide Area Networks (LPWAN) Reduced packet size High latency Low throughput. Low-Powered Devices Don’t consume much power to work & communicate Do not require a continuous communication link. 2017-09-15 | CyberICPS2017 Towards End-To-End Data Protection in Low-Power Networks | Vasily Mikhalev

Security Requirements End-to-end security Confidentiality Authenticity Integrity Follow standards (e.g. NIST) Applicable to different existing low-power networks Deployable on the low-power devices When bidirectional communication not supported Low communication complexity Low payload size (e.g. 12 bytes SIGFOX) Compliant with different encryption algorithms (e.g. AES in Counter mode, FF1) 2017-09-15 | CyberICPS2017 Towards End-To-End Data Protection in Low-Power Networks | Vasily Mikhalev

State of the Art Industrial Solutions Proposals from Academia No confidentiality (e.g. SigFox) Single keys (e.g. LoRaWan) Rely on the security of gateway (e.g. WirelessHART) Proposals from Academia Need asymmetric algorithms Rely on third party Use group keys High communication complexity Long computation time 2017-09-15 | CyberICPS2017 Towards End-To-End Data Protection in Low-Power Networks | Vasily Mikhalev

Solution 2017-09-15 | CyberICPS2017 Towards End-To-End Data Protection in Low-Power Networks | Vasily Mikhalev

Our Contribution Guarantee Secure End-to-End Communication over LPWAN’s from the device to the SAP backend, regardless of the provider & protocol. 2017-09-15 | CyberICPS2017 Towards End-To-End Data Protection in Low-Power Networks | Vasily Mikhalev

Ideas Key Management Data Protection Pre-shared master keys Intermediate keys for synchronization One-time keys for encryption and authentication Data Protection Independent encryption and authentication First encrypt then authenticate Preserving size AES in counter mode Format preserving encryption 2017-09-15 | CyberICPS2017 Towards End-To-End Data Protection in Low-Power Networks | Vasily Mikhalev

Key management … … … Master key Kmaster Intermediate keys Ki = CMAC(Kmaster; i) K0 Ki Ki+1 … … Encryption and Authentication keys KEnc = CMAC(Ki , SN ||DeviceID|| 0) KMac= CMAC(Ki, SN ||DeviceID|| 1) KEnci,0 KMaci,0 KEnci,j KMaci,j KEnci,j+1 KMaci,j+1 2017-09-15 | CyberICPS2017 Towards End-To-End Data Protection in Low-Power Networks | Vasily Mikhalev

Data Protection – Device Keys derivation 2017-09-15 | CyberICPS2017 Towards End-To-End Data Protection in Low-Power Networks | Vasily Mikhalev

Data Protection – Device Message Encryption 2017-09-15 | CyberICPS2017 Towards End-To-End Data Protection in Low-Power Networks | Vasily Mikhalev

Data Protection – Device Authentication Tag Authent. tag 2017-09-15 | CyberICPS2017 Towards End-To-End Data Protection in Low-Power Networks | Vasily Mikhalev

Data Protection – Device Send Message Authent. tag SN||DeviceID 2017-09-15 | CyberICPS2017 Towards End-To-End Data Protection in Low-Power Networks | Vasily Mikhalev

Data Protection - Device 2017-09-15 | CyberICPS2017 Towards End-To-End Data Protection in Low-Power Networks | Vasily Mikhalev

Data Protection – Back-end Keys Derivation Authent. tag SN||DeviceID 2017-09-15 | CyberICPS2017 Towards End-To-End Data Protection in Low-Power Networks | Vasily Mikhalev

Data Protection – Back-end Integrity Check Authent. tag SN||DeviceID Are equal? Authent. tag 2017-09-15 | CyberICPS2017 Towards End-To-End Data Protection in Low-Power Networks | Vasily Mikhalev

Data Protection – Back-end Message Decryption Authent. tag SN||DeviceID Are equal Authent. tag 2017-09-15 | CyberICPS2017 Towards End-To-End Data Protection in Low-Power Networks | Vasily Mikhalev

Data Protection – Back-end 2017-09-15 | CyberICPS2017 Towards End-To-End Data Protection in Low-Power Networks | Vasily Mikhalev

Security Analysis Authentication of the Sender Data integrity 𝑟𝑖𝑠𝑘 = 2 −𝐿 𝑛 𝑚𝑎𝑥 , 𝐿 - length of MAC, 𝑛 𝑚𝑎𝑥 - max number of attempts Data integrity 𝑟𝑖𝑠𝑘 = 2 −𝐿 Data confidentiality Co𝑚𝑝𝑙𝑒𝑥𝑖𝑡𝑦 𝑜𝑓 𝑎𝑡𝑡𝑎𝑐𝑘𝑠 𝑂( 2 128 ) Replay attacks Excluded by using sequence numbers Generic Side-channel attacks Countermeasures implemented in TinyCrypt library 2017-09-15 | CyberICPS2017 Towards End-To-End Data Protection in Low-Power Networks | Vasily Mikhalev

Evaluation and Deployment 2017-09-15 | CyberICPS2017 Towards End-To-End Data Protection in Low-Power Networks | Vasily Mikhalev

Architecture 2017-09-15 | CyberICPS2017 Towards End-To-End Data Protection in Low-Power Networks | Vasily Mikhalev

Low-end MCUs Intel® Quark™ microcontrollers equipped with LoRaWan modules D2000 C1000 32-bit address bus 8 KB of cache, 32 MHz clock speed 80 KB SRAM 384 KB integrated Flash 2017-09-15 | CyberICPS2017 Towards End-To-End Data Protection in Low-Power Networks | Vasily Mikhalev

Evaluation Results Energy holds for 12 years when data is sent every minute 190 years if sent every 15 minutes 2017-09-15 | CyberICPS2017 Towards End-To-End Data Protection in Low-Power Networks | Vasily Mikhalev

2017-09-15 | CyberICPS2017 Towards End-To-End Data Protection in Low-Power Networks | Vasily Mikhalev

2017-09-15 | CyberICPS2017 Towards End-To-End Data Protection in Low-Power Networks | Vasily Mikhalev

2017-09-15 | CyberICPS2017 Towards End-To-End Data Protection in Low-Power Networks | Vasily Mikhalev

Conclusion 2017-09-15 | CyberICPS2017 Towards End-To-End Data Protection in Low-Power Networks | Vasily Mikhalev

Conclusion Scheme providing E2E security Confidentiality, Integrity Authenticity Feasible in most existing LPW technologies Follows NIST recommendations Supports format preserving encryption Deployed on the water distribution network of the City of Antibes 2017-09-15 | CyberICPS2017 Towards End-To-End Data Protection in Low-Power Networks | Vasily Mikhalev

Thank you! Vasily Mikhalev mikhalev@uni-mannheim.de 2017-09-15 | CyberICPS2017 Towards End-To-End Data Protection in Low-Power Networks | Vasily Mikhalev