F-pro: a fast and flexible provenance scheme for industrial control systems


Technology overview

This technology is a transparent, bump-in-the-wire (BITW) solution designed for fast and flexible message authentication in Industrial Control Systems (ICS). F-Pro addresses the critical security gap where traditional firewalls and intrusion detection systems fail: verifying the end-to-end delivery path and origin of a message without disrupting time-sensitive operations. By utilising a lightweight hash-chaining scheme instead of computationally intensive public-key cryptography, F-Pro achieves end-to-end proving and verifying delays of less than 2 milliseconds. This allows it to secure the most latency-stringent smart grid communication models while remaining compatible with legacy infrastructure.

Technology specifications

F-Pro provides a comprehensive security layer that verifies message source, integrity, and provenance (delivery path) for ICS protocols.

  • Core mechanism: uses lightweight symmetric key cryptography and aggregate message authentication codes (HMAC-SHA256) to create a chain of cryptographic evidence.
  • Performance: achieves sub-2ms end-to-end latency (proving + verifying), meeting the strict requirements for IEC 61850 GOOSE and SV messages.
  • Architecture: implemented as a transparent “Bump-in-the-Wire” (BITW) device, allowing deployment without modifying existing legacy endpoints or control center software.
  • Functionality:
    • Path verification: validates that a message passed through specific checkpoints (e.g., specific high-voltage substations), preventing bypass attacks.
    • Transformation verification: authenticates messages even when they undergo protocol translation (e.g., from IEC 60870-5-104 to IEC 61850) or aggregation by intermediate gateways.
    • Multi-factor integration: supports seamless integration with multi-factor authentication for human operators (e.g., field service engineers) using time-bound one-time passwords.
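
The path-verification idea above, sketched as an added example: it illustrates generic HMAC-SHA256 chaining and is not F-Pro's own algorithm or code. The node names, keys and sample command are constructed for the demonstration, and each key is assumed to be shared only between that node and the verifier.

```python
import hashlib
import hmac

# Constructed per-node keys (assumption: each is known only to the node and the verifier).
KEYS = {
    "control_center": b"k-cc-constructed-demo-key",
    "substation_gw": b"k-gw-constructed-demo-key",
    "bitw_rtu": b"k-rtu-constructed-demo-key",
}

def _mac(key, *parts):
    # Length-prefix every field so field boundaries cannot be shifted.
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def originate(node, message):
    """Source tag: binds the message to the originating node."""
    return _mac(KEYS[node], node.encode(), message)

def extend(node, message, prev_tag):
    """Checkpoint tag: folds the previous hop's tag into this hop's MAC."""
    return _mac(KEYS[node], node.encode(), message, prev_tag)

def deliver(path, message):
    """Simulate a message travelling along `path`; the tag stays 32 bytes."""
    tag = originate(path[0], message)
    for node in path[1:]:
        tag = extend(node, message, tag)
    return tag

def verify(expected_path, message, tag):
    """Recompute the chain for the expected path, compare in constant time."""
    return hmac.compare_digest(deliver(expected_path, message), tag)

if __name__ == "__main__":
    path = ["control_center", "substation_gw", "bitw_rtu"]
    msg = b"OPEN breaker 12"  # constructed sample command
    print("full path:", verify(path, msg, deliver(path, msg)))
    # A message that skipped the substation gateway carries a different tag.
    print("bypass   :", verify(path, msg, deliver([path[0], path[2]], msg)))
    # A message injected at the gateway lacks the control center's evidence.
    print("injected :", verify(path, msg, deliver(path[1:], msg)))
```

Because every hop replaces the tag rather than appending to it, the evidence carried with the message does not grow with path length; the verifier pays one HMAC per expected hop.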
Sector

This invention can be implemented as a BITW security product for various types of industrial control systems without requiring major changes in existing devices or infrastructure. Some examples are:

  • Smart Grid & Utilities
  • Critical Infrastructure (Water, Oil & Gas)
  • Industrial Internet of Things (IIoT)
Market opportunity

Rising threat landscape: high-profile attacks on power grids have demonstrated that attackers can bypass perimeter defences to inject malicious commands from compromised internal nodes. F-Pro specifically targets these “insider” and “bypass” threats that standard encryption cannot detect.

 

Legacy retrofit demand: the vast majority of global critical infrastructure relies on legacy devices that lack native cryptographic capabilities and cannot support the processing load of Public Key Infrastructure (PKI). F-Pro fills a critical market gap for a “retrofit” security solution that adds robust authentication to aging hardware without requiring a system overhaul.

 

Regulatory compliance: with increasing mandates for securing critical infrastructure, operators require solutions that meet strict latency thresholds, which F-Pro uniquely satisfies.

Applications

Key applications include:

  • Substation automation: securing time-critical GOOSE and MMS messages between Intelligent Electronic Devices (IEDs) and Programmable Logic Controllers (PLCs).
  • Secure remote access: authenticating remote maintenance commands issued by engineers via VPNs, preventing credential theft and replay attacks.
  • Cross-domain communication: verifying messages that traverse multiple network domains, such as from a Control Center to a remote RTU via a substation gateway.
Customer benefits
  • Real-time protection
    (Delivers security with <2ms latency, ensuring no disruption to mission-critical industrial processes.)
  • Advanced threat defense
    (Prevents sophisticated attacks including man-in-the-middle, packet injection, and path manipulation that traditional firewalls miss.)
  • Cost-effective retrofit
    (Can be deployed on low-cost, commercial-off-the-shelf (COTS) embedded hardware, removing the need for expensive server-grade security appliances.)
  • Legacy compatibility
    (The transparent design requires no software changes to existing SCADA masters, RTUs, or IEDs, facilitating easy integration into operational environments.)
Technology readiness level

TRL 6

Ideal collaboration partner 

Ideal collaboration partners include:

  • ICS/SCADA Manufacturers: companies looking to embed lightweight provenance and security logic directly into their switches, gateways, or RTUs.
  • Cybersecurity Vendors: firms specialising in OT security wishing to expand their portfolio from passive monitoring to active, real-time message verification.
  • System Integrators: engineering firms upgrading smart grid infrastructure that need compliant, low-latency security add-ons.
Collaboration mode

This technology is suitable for multiple collaboration modes including:

  • Technology licensing: licensing of the F-Pro IP (patents and software algorithms) for commercial product integration.
  • Research collaboration: joint development to adapt F-Pro for specific proprietary industrial protocols or hardware platforms.