| Security for wired embedded control networks is becoming a greater concern as manufacturers add increasing connectivity from these internal wired networks to the outside world. In the event that an attacker gains access to an embedded control network, the attacker might manipulate potentially safety-critical message traffic to induce a system failure. However, protocols used in these networks omit support for multicast authentication to prevent masquerade and replay attacks. While many approaches for multicast authentication exist, the unique constraints of embedded control networks make incorporating these schemes impractical. Resource limited nodes must authenticate short periodic messages to multiple receivers within tight real-time deadlines while tolerating potentially high packet loss rates.;This work presents time-triggered authentication: a new multicast authentication technique to prevent masquerade and replay attacks in wired embedded control networks. This approach takes advantage of the existing temporal redundancy of many embedded control networks by verifying messages across multiple samples using one message authentication code (MAC) per receiver (OMPR), each being just a few bits in size. This approach can be applied to both state transition commands and reactive control messages, and allows a tradeoff among authentication bits per packet, application level latency, tolerance to invalid MACs, and probability of induced failure, while satisfying typical embedded system constraints.;This work also presents validity voting: a method to improve overall bandwidth efficiency and reduce authentication latency of OMPR in time-triggered authentication by using unanimous voting on message values and validity amongst a group of nodes. This technique decreases the probability of successful per-packet forgery by using one extra bit per additional vote, regardless of the number of total receivers.;We also show how to use two existing multicast authentication techniques (TESLA and a master-slave approach using hash tree broadcast authentication) in conjunction with time-triggered authentication and compared all four techniques.;Finally, we demonstrated the applicability of time-triggered authentication using each of the four techniques in two case studies. First, we implemented each technique in a simulated elevator control network. Second, we examined the impacts of authentication on bandwidth for an automotive network workload. |
