Article

Security Analysis and Enhancement of INTERBUS Protocol in ICS Based on Colored Petri Net

School of Computer and Communication, Lanzhou University of Technology, Lanzhou 730050, China
* Author to whom correspondence should be addressed.
Information 2023, 14(11), 589; https://doi.org/10.3390/info14110589
Submission received: 28 August 2023 / Revised: 25 October 2023 / Accepted: 28 October 2023 / Published: 29 October 2023

Abstract
The integration of buses in industrial control systems, fueled by advancements such as the Internet of Things (IoT), has led to their widespread adoption, significantly enhancing operational efficiency. However, with the increasing interconnection of systems, ensuring the security of bus communications and protocols has become an urgent priority. This paper focuses on addressing the specific security concerns associated with the widely adopted INTERBUS protocol—a fieldbus protocol. Our approach leverages the theory of colored Petri nets (CPN) for modeling, enabling a comprehensive analysis of the protocol’s security. Rigorous formal verification and analysis of the security protocol are conducted by employing the Dolev–Yao adversary model. Our investigation reveals the presence of three critical vulnerabilities: replay attacks, tampering, and impersonation. To fortify the security of the protocol, we propose the introduction of a key distribution center and the utilization of hash values. Through meticulous analysis and verification, our proposed enhancements effectively reinforce the security performance of the INTERBUS protocol.

1. Introduction

With the advancement of industrial control systems, the proliferation of industrial system intelligence, and the integration of Internet of Things (IoT) technology, the utilization of bus systems has expanded significantly [1]. Fieldbus communication is extensively employed for real-time distributed control in industrial automation systems, facilitating operations in diverse domains such as energy distribution, manufacturing, and water supply. Despite its widespread use, the security of fieldbus communication has often been treated as a secondary issue, primarily due to the confinement of these devices within enclosed environments. Consequently, ensuring the security of industrial control systems (ICS) has primarily relied on physical isolation measures [2]. However, the interconnection of control systems to establish intricate distributed systems, such as supervisory control and data acquisition (SCADA) systems, has rendered these systems no longer isolated, thereby rendering them susceptible to network breaches. These vulnerabilities can potentially inflict severe disruptions on the controlled objects. Consequently, safeguarding interconnected control networks from unauthorized access has emerged as a pivotal area of research [3,4,5,6,7,8,9], precipitating the development of dedicated security protocols [10]. For instance, traditional bus protocols like Modbus, Profibus, and CAN have been identified as particularly susceptible to cyber-attacks, especially where programmable logic controllers (PLCs) are accessed from within the control network [11]. Thus, fortifying the security infrastructure of bus systems has emerged as an imperative priority.
The evolution of modern factory control and monitoring technology is an ongoing process that shows no sign of slowing down. New functionalities and enhanced performance, influenced by the advancements in fields such as computing, electronic communications, and the internet for industrial applications, are shaping user requirements. Consequently, heightened attention has been directed toward the security challenges posed by industrial bus systems [12]. One of the earliest developed fieldbus systems, INTERBUS, attained the status of the German standard DIN 19825 in 1996, the European standard EN 50254 in 1998, and the international standard IEC 61158 in 2000. Recognized as one of the most extensively utilized fieldbus systems globally, INTERBUS boasts a staggering repertoire of over 1000 manufacturers producing more than 2500 bus products. Its application spans a wide array of industries, including automotive, warehousing and conveyance technology, tobacco, paper, packaging, and food sectors. However, the integration of additional technologies has exposed potential vulnerabilities in its security. Several scholars have extensively examined and utilized INTERBUS as a fieldbus protocol, uncovering security issues akin to those encountered in traditional fieldbus protocols [13]. These network-based attacks have the capacity to disrupt the smooth operation of industrial control devices, potentially leading to significant economic losses. As security concerns within industrial control equipment become increasingly prevalent, this study aims to delve into the intricacies of INTERBUS, given its typical and widespread usage, making it an essential focus for research both within the industry and academia. Enhancing the internal security of the protocol represents a vital area of research with far-reaching implications.
The subsequent sections of this paper are structured as follows: Section 2 presents an in-depth review and analysis of the existing literature pertaining to the security of fieldbus systems, along with an exploration of the selection process for formal tools. Section 3 offers an overview of the foundational knowledge, subdivided into an introduction to the INTERBUS protocol, an elucidation of CPN Tools, and a comprehensive discussion on attack identification. Building upon this foundation, Section 4 meticulously constructs the INTERBUS protocol message flow model, subsequently subjecting it to a rigorous process of conformance verification and evaluation utilizing the CPN Verification Tool. In the ensuing Section 5, an adversary model is incorporated, facilitating a formal security analysis of the protocols that intersect with the adversary model. Delving further, Section 6 proposes a novel hardening scheme designed to address the security challenges arising from the integration of the adversary model, culminating in the presentation of the final design of the hardening model. Finally, the concluding section offers a comprehensive summary and provides a glimpse into the future trajectory of this research endeavor.

2. Related Work

In recent years, the Industrial Internet of Things (IIoT) ecosystem has encountered a multitude of complex challenges, particularly concerning diverse communication protocols. Notably, a study by the authors of [14] delves into the intricacies of the FSoE protocol, presenting findings derived from extensive experimentation conducted via a prototype system built on WiFi networks. Additionally, another research effort [15] emphasizes the distinctive interaction between automation networks and internet communication, highlighting the persistent absence of tailored solutions for security challenges at the field level and interconnections to higher tiers. Within the Industrial Internet of Things landscape, ensuring the reliability and security of bus protocol communication remains a pivotal concern, prompting several scholars to propose diverse strategies and measures. For instance, in their work [16], the authors introduce a secure industrial control communication protocol derived from the original Modbus TCP protocol. This solution employs symmetric key algorithms to guarantee data confidentiality, hash-based synchronization mechanisms to ensure data uniqueness, and digital signature algorithms to verify and maintain data integrity. To preempt the exploitation of function codes, a stringent “whitelist” filtering technique is employed, regulating function codes according to distinct roles. Reference [17] proposes VeCure, a viable security paradigm for automotive systems that offers a fundamental resolution for the CAN bus message authentication predicament. VeCure integrates trust group structures, innovative message authentication techniques, and offline computation capabilities, effectively reducing latency and deployment costs associated with online message processing, all while remaining compatible with existing in-vehicle system architectures.
Furthermore, reference [18] advocates for a connection approach revolving around PROFIBUS and the internet, conducting an exhaustive analysis of network security issues and proposing a comprehensive security model tailored to PROFIBUS industrial networks. In a complementary vein, reference [19] conducts a comprehensive assessment of the overall attack surface of IOLW in typical environments, evaluating the efficacy of various security measures and exploring relevant attack preconditions. Moreover, reference [20] delineates the application scope and compatible product types available for INTERBUS fieldbus systems, providing a detailed overview of system components and an elaborate description of its operational flow. Significantly, observations from this body of literature underscore the inherent limitations of the INTERBUS protocol, which solely relies on CRC-checking and LBW word verification, thereby necessitating robust security mechanisms to ensure secure data transmission and effectively counter man-in-the-middle attacks. Addressing this concern, reference [21] proposes a security mechanism grounded in the security practices of other protocols, specifically tailored to guarantee the secure transmission of fieldbus and remote bus data over the INTERBUS protocol.
To summarize, the current examination of fieldbus protocol security methods predominantly focuses on proposing security mechanisms or direct attack inspection methods, drawing from existing security expertise. Nevertheless, it lacks a comprehensive investigation into the formal analysis of the protocol and fails to subsequently validate the efficacy of the enhanced security scheme through formal analysis. In stark contrast, a formal analysis approach offers a precise depiction of the abstract behavior of the protocol, facilitating a comprehensive process of protocol model consistency verification and subsequent validation via attack detection. As it stands, the INTERBUS protocol suffers from a dearth of a systematic and intricate formal analysis methodology capable of rigorously evaluating the protocol’s security. In response to this gap, the present study adopts a formal modeling analysis to assess the security of the INTERBUS message transmission mechanism.
At present, numerous formal verification tools are readily available in the market. In this study, the CPN formal method is employed for the analysis of the INTERBUS protocol. Below, we provide a comparative analysis between the CPN formal analysis tool and other prevalent verification tools:
  • Scyther, a high-performance tool for protocol model verification [22], employs a uniform algorithm for all protocols and subsequently provides state space analysis. However, its capability to identify attack paths is not as comprehensive or flexible as CPN’s. CPN’s versatility enables it to more effectively and comprehensively uncover potential attack paths.
  • ProVerif, relying on a logic programming approach [23], computes attack paths that are notably incomplete, and considerably smaller compared to those that can be identified using CPN.
  • Tamarin Prover has the capability to thoroughly explore the state space [24], yet it is known to be challenging to use, requiring a high level of expertise and lacking the user-friendly simplicity and intuitiveness that can be found in CPN.
In contrast, the Petri net approach harnessed by CPN offers distinct advantages over alternative approaches. Notably, an extension of the Petri net known as the generalized net has gained traction in recent years for effectively modeling transportation systems. In a relevant study [25], the authors devised a comprehensive generalized network model, intricately mapping the interconnections between diverse types of transportation systems. Upon conducting a comprehensive analysis, the authors arrived at a pivotal conclusion: when juxtaposed with extensions like the generalized net, the utilization of Petri net models confers a critical advantage. Specifically, Petri net models are notably more straightforward to construct, facilitating the development of conceptual, analytical, and simulation models with relative ease.
Hence, this study employs the colored Petri net (CPN) formalism to intricately model the communication processes underlying the INTERBUS protocol. Leveraging the CPN Tools modeling tool, critical components are systematically extracted, enabling a comprehensive evaluation of the protocol’s security architecture. Notably, the examination reveals inherent security vulnerabilities within the protocol, thereby prompting the development of remedial measures to fortify its security posture. This paper proceeds to outline the methodologies aimed at rectifying the identified security flaws within the protocol. Subsequently, a novel solution is meticulously designed to bolster the protocol’s resilience against potential security breaches. The efficacy of the proposed enhancement strategy is rigorously tested to validate its effectiveness, followed by a thorough examination of the security enhancements introduced by the new solution.
The approach posited in this study distinguishes itself from recent research proposals by its steadfast commitment to the principles of formal verification. Leveraging this novel formal model detection technique, the study subjects the protocol to rigorous security testing, ensuring the verification of the original model’s coherence and integrity. Introducing an attacker model into the analysis framework, the study systematically detects and addresses the underlying security vulnerabilities intrinsic to the protocol. Proposals are then put forth to specifically target and rectify the identified security weaknesses, subsequently affirming the robustness and efficacy of the devised improvement strategies.

3. Preliminary Knowledge

3.1. INTERBUS

The digital serial communication system known as INTERBUS serves as the crucial link between industrial sensors and actuators, enabling their seamless integration with the control system. Facilitating the exchange of data between the connected master and slave system applications, the INTERBUS bus operates on a centralized master–slave access mechanism, all within a structured tree topology. The protocol offers users two distinct data transfer channels, namely the process data channel and the parameter channel, each serving specific operational requirements. Additionally, the LSSS framework, elaborated upon in reference [26], represents a significant aspect of the system and warrants further exploration within the context of this study.

3.1.1. Reliability of INTERBUS Data Transmission

A prerequisite for the communication of INTERBUS fieldbus systems is the security of the transmission. Interruptions and errors in communication will be caused when the system is subject to external disturbances, such as disconnection of the entire loop or changes in the length of the shift registers in the bus system due to the closing or connection of bus segments. Since INTERBUS uses the loop network method, the transmission time of the entire loop is related to the length of the loop, so the cycle time of each loop is fixed. Therefore, INTERBUS uses either signal cycle time monitoring or LBW. When the INTERBUS system is running, the master first sends out an LBW word in a particular format, and when the master receives this word again, it means that the loop of INTERBUS has been cycled once; this time is the cycle time of the INTERBUS system. Later, the master can detect whether the whole loop is standard or not according to each instance of receiving the LBW word. If the time is too long, it means that the length of the shift register of the system has changed and that the system is not regular; if the time is too short, it means that the length of the shift register of the system is short and that the system is not regular; if the master has not been able to receive the signal of LBW, it means that the system is not looped anymore. Using the method of time detection, not only is the correct transmission operation ensured, but the periodicity of signal transmission on each fieldbus module is also ensured.

3.1.2. Security of INTERBUS Data Transmission

The LBW word serves the critical function of monitoring changes in the operational status of the INTERBUS system. Specifically, it facilitates the assessment of vital system aspects, including the proper connection of the INTERBUS, any alterations in the network structure, and the closure status of the INTERBUS loop. To ensure the accuracy and integrity of internally transmitted data, the INTERBUS protocol employs a CRC (cyclic redundancy check). A CRC detects errors by treating the sequence of data bits as the coefficients of a polynomial. At the sender, this polynomial is divided modulo 2 by an agreed-upon generator polynomial, and the remainder of that division is the CRC check sequence. For its check sequence, INTERBUS adopts the 16th-order generator polynomial specified by CCITT, thereby ensuring robust error detection capabilities and enhancing the overall reliability of the communication process:
$$G(x) = x^{16} + x^{12} + x^{5} + 1.$$
In each INTERBUS fieldbus module, an XOR operation is conducted with the generating polynomial, accompanied by a systematic bit shift during the data transmission process. Subsequently, a distinct CRC detection number is computed for both the transmitter and receiver modules. Upon the completion of the data shifting cycle within the INTERBUS loop, a crucial validation step ensues, involving a comparison between the CRC-generated polynomial result at the transmitter side of one module and the corresponding result at the receiver side of the subsequent module. Perfect alignment between the two results signifies the accuracy of the transmitted data, whereas any disparity indicates a data transmission error. In the event of such a discrepancy, an error signal is promptly generated upon the arrival of the data detection clock within the INTERBUS system.

3.2. Petri Network

The Petri net theory, initially introduced by Carl Petri in 1962 [26], represents a fundamental-state-based modeling technique. This approach is firmly rooted in meticulously defined mathematical models, enabling the comprehensive modeling of diverse structures and behaviors in their entirety. Petri nets are adept at capturing and representing a wide array of behavioral features, including but not limited to parallel, asynchronous, concurrent, and sequential processes. They excel in offering a lucid depiction and comprehensive modeling of abstract system behaviors and protocols through the utilization of network diagrams [27]. Prior to delving into the analysis of the security attributes of protocols, it is imperative to establish the original model of the protocol utilizing Petri nets as a foundational tool.

3.2.1. Colored Petri Nets

Petri nets typically feature a single class of tokens, resulting in a flat, uncolored net. In a colored net, each token carries a specific data value, termed the token color, which belongs to the type (color set) of the place holding it and can represent complex operational data. Notably, firing a transition can alter the color value associated with a token. A more intricate iteration stemming from the Petri net concept is the colored Petri net (CPN) [28]. The CPN retains the core advantages of traditional Petri nets while offering an enhanced interface, heightened linguistic expressiveness, and a diverse color palette, thus enabling the modeling of complex systems with a comprehensive range of communication, distribution, synchronization, concurrency, and other testable and simulated attributes. Moreover, the hierarchical colored Petri net (HCPN) model builds upon the CPN structure by incorporating hierarchical models and submodules. In essence, a Petri net is fundamentally defined as a directed graph featuring two kinds of nodes, namely places and transitions, interconnected by arcs. The formal definition of a CPN is outlined as follows:
Definition 1.
A CPN is a nine-tuple CPN = (P, T, A, Σ, C, V, G, E, I) [29], where:
  • P: a finite set of places, each representing a data resource, drawn as an ellipse.
  • T: a finite set of transitions with P ∩ T = ∅, describing system activities, drawn as rectangles.
  • A: a set of directed arcs with A ⊆ (P × T) ∪ (T × P), representing the flow direction of the data resource, drawn as arrows. An arc from a place to a transition describes the condition under which the transition is enabled; an arc from a transition to a place describes the state produced after the transition fires. By defining a function on an arc, the flow of token values to different places can be determined.
  • Σ: a finite, nonempty set of color sets (types).
  • V: a finite set of variables with Type[v] ∈ Σ for all v ∈ V.
  • C: P → Σ is the color set function, which assigns a color set to each place.
  • G: T → EXPR_V is the guard function, which assigns a Boolean expression to each transition.
  • E: A → EXPR_V is the arc expression function, which assigns an expression to each arc.
  • I: P → EXPR_∅ is the initialization function; a place generally needs to be given a closed initialization expression.

3.2.2. CPN Tools

One of the most advanced modeling and simulation tools for CPN, renowned for its explicit depiction of a system’s dynamic properties, is CPN Tools [30], developed under the stewardship of Professor Jensen at Aarhus University, Denmark. This software is compatible with multiple operating systems, including Linux, Windows XP, Windows Vista, and Windows 7. Essential features encompassed within CPN Tools comprise a comprehensive set of functionalities such as creation, simulation, networking, monitoring, state space analysis, style configuration, and visualization capabilities. Leveraging the built-in toolset, which includes the Create Model tool, Simulation tool, Layered Hierarchy tool, and Analyze State Space tool, the software enables the rigorous formal analysis of the model, thereby verifying its accuracy and logical consistency. Moreover, the internal auxiliary tools facilitate seamless simulation and debugging of the protocol’s message transmission processes within diverse domains. Notably, CPN Tools uses CPN ML, an inscription language based on Standard ML, whose readability contributes to the tool’s accessibility and ease of comprehension. In addition, the software’s capability for conducting boundedness and reachability analyses as part of the final state space analysis offers a comprehensive and detailed diagnosis of potential model issues [31].

3.3. Dolev–Yao Attacker Model

The Dolev–Yao attacker model, initially derived from a framework employed in the analysis of public key cryptographic protocols, has gained significant traction in the domain of security protocol research. Its proposal has laid the foundation for the evolution of research into protocol security and has contributed to the widespread adoption of this specific model within the field. As per the Dolev–Yao attacker model, a malicious entity executes a man-in-the-middle attack by intruding upon the communication channels between both parties, thereby manipulating messages before their transmission to the intended receiver [32]. This attacker is empowered to engage in a variety of nefarious activities, including legitimate participation in protocol operations, interception of messages, eavesdropping on network communications, storage of intercepted or fabricated messages that have been maliciously altered, as well as the fabrication and subsequent dissemination of these compromised messages [33,34].
Consider one run of the protocol under this model. In the Dolev–Yao attacker model, one execution of the protocol is a sequence of messages that alternate in strict accordance with the protocol specification, i.e., $m = r_0, q_1, r_1, q_2, \ldots, r_n, q_n$, where $m$ denotes the message sequence; $r_0, r_1, \ldots, r_n \in A$ is the sequence of messages sent by the honest entities of the protocol according to the protocol steps, and if $r_0 = \emptyset$ the protocol is initiated and run by the attacker; and $q_1, q_2, \ldots, q_n \in A$ is the sequence of attack messages sent by the attacker according to the protocol steps and the knowledge in its possession.
Every message $q \in \{q_1, q_2, \ldots, q_n\}$ sent by the attacker is derived from the set $ik$ of message items the attacker owns. All messages available to the attacker are defined by the closure of this set of message items: $ik$ consists of the attacker’s initial knowledge, the messages $r_0, r_1, \ldots, r_n$ intercepted from the channel, and the messages obtained by computation from these. The attacker’s initial knowledge includes the public key $K_P^+$ of the honest entity, the attacker’s own public key $K_I^+$ and private key $K_I^-$, the identity $ID$ of the honest entity, and the random numbers $n$ generated by the attacker.
It is assumed that the attacker’s computational power allows it to generate exactly the closure $C[ik]$ of the set of message items, i.e., the attacker can produce a message if and only if that message belongs to $C[ik]$ for the set $ik$ it possesses.
The Dolev–Yao attacker model can be described as transformation diagrams for the protocol operation and the computational power assumptions [35], as shown in Figure 1. The set of message items owned by the attacker is denoted by $ik$; the attacker intercepting every message from the channel is denoted by Any?(m), and the attacker sending an arbitrary message to the channel is denoted by All!(m’). This powerful attacker model can combine “any” messages. However, this feature leads to a significant increase in invalid messages: splitting and recombining messages forms an infinite loop, so the model cannot terminate properly, many duplicate messages are generated, and the system state space explodes.
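The closure $C[ik]$ described above, as an added example that is not part of the paper: a small Python implementation of a Dolev–Yao message-term closure. Term encoding, the key names (which follow the paper’s notation) and the intercepted messages are constructed for this example. Decomposition is run to a fixpoint, while composition is checked on demand for one concrete target term, which avoids the unbounded recombination of messages that the paragraph warns about.

```python
# Added example, not from the paper: Dolev-Yao message-term closure C[ik].
# Term representation (assumption): an atom is a str; ("pair", a, b) is the
# concatenation of two terms; ("enc", k, m) is m encrypted under key k.
# Key names KP+, KI+, KI- and the identity ID follow the paper's notation.

# Inverse keys of the asymmetric pairs; a key not listed here is treated as
# symmetric, i.e. as its own inverse (assumption for this example).
INVERSE = {"KP+": "KP-", "KP-": "KP+", "KI+": "KI-", "KI-": "KI+"}


def inverse_key(key: str) -> str:
    return INVERSE.get(key, key)


def analyze(ik: frozenset) -> frozenset:
    """Decomposition closure of the attacker's knowledge.

    Splits every known pair into its components and decrypts every known
    ciphertext whose inverse key is (or later becomes) known. This always
    terminates because each rule yields strictly smaller subterms.
    """
    known = set(ik)
    changed = True
    while changed:
        changed = False
        for term in list(known):
            if not isinstance(term, tuple):
                continue
            tag, left, right = term
            if tag == "pair":
                derived = {left, right}
            elif tag == "enc" and inverse_key(left) in known:
                derived = {right}
            else:
                continue
            if not derived <= known:
                known |= derived
                changed = True
    return frozenset(known)


def can_derive(target, known: frozenset) -> bool:
    """Composition checked on demand: is `target` a member of C[ik]?

    Enumerating every pair and encryption the attacker could build is
    unbounded (the state explosion described in the text); asking about
    one concrete term keeps the search finite.
    """
    if target in known:
        return True
    if isinstance(target, tuple):
        _tag, left, right = target
        # pair: both halves must be derivable; enc: key and plaintext must be
        return can_derive(left, known) and can_derive(right, known)
    return False


def scenario() -> dict:
    """Constructed run: initial knowledge from the text plus two intercepted
    messages r_0 and r_1 (both made up for this example)."""
    ik0 = frozenset({"KP+", "KI+", "KI-", "ID", "n"})
    # r_0: a plaintext connection request shaped like the one in Section 4.1
    r0 = ("pair", ("pair", "M_Mac", "S_Mac"), ("pair", "LBW", "ConnID"))
    # r_1: one item encrypted for the honest party P, one for the attacker I
    r1 = ("pair", ("enc", "KP+", "secret_for_P"), ("enc", "KI+", "for_I"))
    known = analyze(ik0 | {r0, r1})
    # Same request with the attacker's own nonce in place of the ConnID
    with_own_nonce = ("pair", ("pair", "M_Mac", "S_Mac"), ("pair", "LBW", "n"))
    return {
        "learns_conn_id": "ConnID" in known,              # sent in the clear
        "learns_secret_for_P": "secret_for_P" in known,   # needs KP-, not held
        "learns_for_I": "for_I" in known,                 # attacker holds KI-
        "request_with_own_nonce_derivable": can_derive(with_own_nonce, known),
        "enc_for_P_derivable": can_derive(("enc", "KP+", "n"), known),  # KP+ is public
    }
```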

4. INTERBUS Protocol Modeling

4.1. Protocol Message Flow Model

This paper employs a hierarchical colored Petri net (CPN) modeling methodology, embracing a top-down approach to the modeling process and the creation of hierarchical models. Initially, the top-level network model is developed using the CPN modeling tool, effectively capturing the overarching system architecture. Subsequently, the top-level network model is partitioned into distinct sub-pages, with each sub-page dedicated to illustrating specific types of interactions within the underlying network models. The underlying model behind each substitution transition is then systematically refined and enhanced, leveraging the substitution transition mechanism. This iterative process culminates in the comprehensive development of the overall system model. The notations utilized within this study are succinctly outlined in Table 1 for reference and contextual understanding (Figure 2).
There are several steps in the INTERBUS message flow. These are the exact steps:
  • Before secure data transfer, a session connection process is performed where the master sends a session connection request to the slave, including its address, the slave’s address, the LBW word, and the ID of the session connection.
  • After the slave performs the corresponding operation on the received information, it replies to the master with the connection success message and the connection ID and then transmits the data after establishing the session connection or performs the reset operation if the session connection fails.
  • After the connection between master and slave is completed, the subsequent security data transmission will be carried out. During the transmission of security data, the master will perform a local CRC checksum on the security data to be sent. During the checksum process, the master will segment the security data into multiple bytes of information and perform CRC checksum on the segmented security data one by one; finally, it sends the checksum data as well as the security data and other information—including command information, connection ID, and count information WKC—to the slave.
  • The slave will then perform local CRC checksum on the received security data and add 1 to the counter information, then return it to the master to complete the data transmission and perform a reset operation if it fails. The master will verify the returned LBW word, and the reset operation will be performed if the verification is unsuccessful.
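As an added example (not code from the paper or from any INTERBUS implementation), the following Python script implements the CRC-16-CCITT check from Section 3.1.2 and runs the safety-data step above through a simplified master/slave exchange. The frame layout, field widths and the initial register value 0xFFFF are assumptions made for this example. It shows what the CRC/WKC pair does and does not protect: a channel bit flip is detected, whereas a frame whose data and CRC were both rewritten on the channel passes every check, which is the tampering weakness the paper identifies.

```python
# Added example, not from the paper or any INTERBUS product: CRC-16-CCITT as
# named in Section 3.1.2, plus a simplified master/slave safety-data step
# (Section 4.1). Frame layout, field widths and the 0xFFFF initial register
# value are assumptions made for this example.
from dataclasses import dataclass

CRC_POLY = 0x1021  # G(x) = x^16 + x^12 + x^5 + 1, the CCITT generator


def crc16_ccitt(data: bytes, init: int = 0xFFFF) -> int:
    """Bitwise CRC-16 (MSB first, no reflection, no final XOR).

    Implements the modulo-2 polynomial division from Section 3.1.2: each
    data bit is shifted through the register and the generator is XORed in
    whenever a 1 bit falls out of the top.
    """
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ CRC_POLY) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


@dataclass
class SafetyFrame:
    conn_id: int    # session connection ID agreed in the connection phase
    command: int    # command information
    wkc: int        # working counter, incremented by the slave on reply
    data: bytes     # safety data
    crc: int        # CRC over the fields above

    def body(self) -> bytes:
        # Assumed serialisation: one byte each for ID, command, WKC, then data
        return bytes([self.conn_id & 0xFF, self.command & 0xFF, self.wkc & 0xFF]) + self.data


def master_build(conn_id: int, command: int, wkc: int, data: bytes) -> SafetyFrame:
    """Master side: attach the locally computed CRC to the outgoing safety data."""
    frame = SafetyFrame(conn_id, command, wkc, data, 0)
    frame.crc = crc16_ccitt(frame.body())
    return frame


def slave_process(frame: SafetyFrame, expected_conn_id: int):
    """Slave side: recompute the CRC, check the connection ID, reply with
    WKC + 1. Returns (accepted, reply); a failed check means reset (None)."""
    if frame.conn_id != expected_conn_id or crc16_ccitt(frame.body()) != frame.crc:
        return False, None
    reply = SafetyFrame(frame.conn_id, frame.command, frame.wkc + 1, frame.data, 0)
    reply.crc = crc16_ccitt(reply.body())
    return True, reply


def master_verify_reply(sent: SafetyFrame, reply: SafetyFrame) -> bool:
    """Master side: the reply's CRC must verify and the counter must advance."""
    return (crc16_ccitt(reply.body()) == reply.crc
            and reply.conn_id == sent.conn_id
            and reply.wkc == sent.wkc + 1)


def flip_data_bit(frame: SafetyFrame, bit: int) -> SafetyFrame:
    """Random channel error: one data bit flips, the CRC field is left as sent."""
    data = bytearray(frame.data)
    data[bit // 8] ^= 1 << (bit % 8)
    return SafetyFrame(frame.conn_id, frame.command, frame.wkc, bytes(data), frame.crc)


def rewrite_data(frame: SafetyFrame, new_data: bytes) -> SafetyFrame:
    """Deliberate modification on the channel: the generator is public and
    unkeyed, so whoever holds the frame can replace the data and attach a CRC
    that verifies. This is why a CRC detects errors, not tampering."""
    changed = SafetyFrame(frame.conn_id, frame.command, frame.wkc, new_data, 0)
    changed.crc = crc16_ccitt(changed.body())
    return changed


def run_scenarios() -> dict:
    """Three constructed runs of the safety-data step."""
    conn_id = 0x2A
    sent = master_build(conn_id, command=0x01, wkc=0, data=b"\x10\x20\x30\x40")
    ok_clean, reply = slave_process(sent, conn_id)
    ok_flip, _ = slave_process(flip_data_bit(sent, 13), conn_id)
    ok_rewrite, _ = slave_process(rewrite_data(sent, b"\x10\x20\x30\xFF"), conn_id)
    return {
        "clean_accepted": ok_clean and master_verify_reply(sent, reply),
        "bit_flip_rejected": not ok_flip,
        "rewritten_frame_accepted": ok_rewrite,   # the gap the paper's hardening addresses
    }
```

The last result is the point of the example: only a keyed mechanism (the paper proposes a key distribution center and hash values) lets the slave distinguish a rewritten frame from a genuine one.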

4.2. INTERBUS Protocol CPN Modeling

The protocol-building model encompasses three fundamental components, namely the master, slave, and ethernet gateway. Furthermore, in the pursuit of a streamlined and comprehensible model, particular emphasis is placed on ensuring the precision and fidelity of the protocol communication process. This emphasis on accuracy is imperative in mitigating the complexities inherent in the model, thereby preserving its overall simplicity and ease of comprehension. In line with the layered modeling approach adopted in this study, the model is hierarchically structured into distinct top, middle, and bottom layers, each serving a specific functional role within the model. To facilitate a comprehensive understanding, the variations associated with each layer are meticulously outlined, emphasizing their roles and contributions within the context of the underlying replacement variations.
To depict the intricacies of the message flow mechanism inherent in the INTERBUS protocol, this study employs the comprehensive model creation tools integrated within the CPN framework, utilizing key elements such as transitions and places to map out the entire process [36]. The specific dynamics of the interaction process are meticulously captured through a detailed model representation, effectively illustrating the intricate communication dynamics at play. In this endeavor, the top-level model assumes the responsibility of simulating the communication initiation process, the recipient of the communication, and the underlying Ethernet network, thus providing a holistic depiction of the overarching protocol transformation process. Within the model, the double rectangle signifies the presence of replacement variations, while the ellipse serves as a visual representation of the message repository. Notably, the Master denotes the communication initiator device, the slave represents the communication receiver device, and the NET symbolizes the communication security ethernet network manager. Figure 3 visually portrays the top-level protocol model, effectively illustrating the process of establishing connections and securely transmitting data between INTERBUS protocol masters and slaves, encompassing the processing of vital information along the way.
As shown in Figure 4, the middle layer model of the INTERBUS protocol is composed of 5 alternative transitions and 12 libraries. The left alternative, connection, describes the process of sending connection information from the master to the slave when the master is interacting with the slave; the alternative, secure transmission, describes the process of sending secure data from the master to the slave after the connection has been established; the middle alternative, NET, describes the communication process of the transmitted information in the network channel; the suitable alternative, connection, describes the process of processing and replying to the connection information by the slave. Connection’ describes the process of processing and replying to the connection information by the slave. The alternative variant, Secure transmission’, describes the process of processing and comparing the security data by the slave.
As shown in Figure 5, the substitution transition Connection describes in detail the master sending connection information to the slave. The master integrates the master address M_Mac and the slave address S_Mac through the transition Conn_MAC to form the address information, then combines the LBW word, the address information and the connection ID through the transition combination to form the connection request, which is sent to the slave through the place Send_ConnReq. The acknowledgment from the slave is received through the place Rec_ConnID and processed by the transition R_ConnID, and the connection ID is passed on to the subsequent security data transmission through the place ConnID.
The substitution transition Net describes the network structure and its functions in the master–slave interaction. As shown in Figure 6, the transition Transmit ConnReq simulates the channel over which master M sends connection messages to slave S during connection establishment; Transmit SafetyReq simulates the channel over which M sends safety data messages to S during safety data transmission; Transmit ConnID simulates the channel over which S sends its reply to M during connection establishment; Transmit WKC simulates the channel over which S sends the reply count message to M during secure data transmission; and Transmit LBW simulates the channel over which S sends the reply LBW word to M during secure data transmission. The words In and Out on the port places mark them as input and output ports, respectively.
The substitution transition Connection’ describes in detail the slave sending a connection confirmation message to the master, as shown in Figure 7. The slave takes the message received in the place Rec_ConnReq, processes it through the transition RR_conn and stores the received message in the place RE, after which the connection ID and the confirmation information are integrated and sent to the master through the place Send_ConnID. If the connection fails, the slave performs a reset.
The substitution transition Secure transmission describes in detail the master sending security data to the slave. As shown in Figure 8, the master computes a CRC checksum over the security data Safedata through the transition CRCdata and appends the CRC to the security data. Through the transition combination, the master integrates the confirmed connection ID, the CMD operation command and the counter WKC with the security data and checksum to form the security data message. The message is sent through the place Send_SafetyReq; the updated counter WKC is received through the place Rec_WKC, and the LBW word is received through Rec_LBW and verified against lbw’. If verification fails, the master resets; if it succeeds, the communication is successful.
The substitution transition Secure transmission’ describes in detail the slave processing the security data and sending the count message to the master. As shown in Figure 9, the slave takes the security data received in the place Rec_SafetyReq, splits the message through the transition Fine_Message, computes the CRC of the security data locally and compares the result with the received CRC value. If they match, the command carried by the security data is executed, the counter is incremented by 1, and the place Send_WKC sends the count information to the master. If the CRC check fails, the slave performs a reset.

4.3. INTERBUS Protocol Model Conformance Verification

When assessing the consistency of the protocol model, our approach commences with establishing specific expectations concerning the anticipated behavior of the protocol model. Subsequently, we conduct a meticulous analysis of the variations’ activities within the state space nodes and generate comprehensive state space reports corresponding to the protocol model. Finally, the validation process entails a thorough comparison between the anticipated model expectations and the results derived from the state space analysis. It is important to note that the model subjected to validation pertains to the original operational model of the protocol, characterized by the absence of any introduced attackers. This focused approach allows for a comprehensive and accurate assessment of the protocol model’s consistency and behavior, facilitating a robust validation process.

4.3.1. Analysis of Expected Results

To ascertain the accuracy of the established colored Petri net (CPN) model, we first analyze its state dynamics, paying particular attention to the activity of the state nodes and the associated transitions. Following the communication flow in Figure 2, once authentication between the two communicating parties has completed, the subsequent communication proceeds securely. No dead transitions are expected, since each transition in the communication process is fired by the receiving party on arrival of the preceding message. Furthermore, the model is expected to remain active from the start to the end of the transmission between the two parties, with no point at which operation stalls. Consequently, exactly one dead marking, i.e., a node with no enabled transitions, is expected at the end of the exchange.

4.3.2. State Space Results Analysis

During the analysis of the model, the state space analysis tool, an integral feature within CPN Tools, serves as a crucial aid in expediting the assessment process. Leveraging this tool facilitates a more efficient and comprehensive evaluation of the model. Specifically, the generation of the state space report, an essential component of the analysis process, provides a detailed overview of the model’s dynamics and characteristics. The comprehensive state space report, presented in Table 2, contributes to a deeper understanding of the model’s intricate workings, enabling researchers to glean valuable insights efficiently and effectively.
The data in Table 2 show several important properties of the model. Every transition node remains reachable throughout the message interaction. All request signals are executable, and each participating entity has a distinct interaction endpoint, which indicates the integrity of the model’s design. The equal counts of state space nodes and strongly connected nodes, and of directed arcs and strongly connected arcs, show that the model contains no iterative behavior or infinite state loops. The presence of exactly one dead node confirms that every request is completed and that the endpoint of the message exchange is uniquely identified. Since no transition is unreachable and none can fire forever, both the dead transition count and the live transition count are zero. Collectively, this analysis confirms that the protocol model is accurate and reliable.
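To make the reasoning behind the state space report concrete, the following added example (not the paper's CPN model or code) computes the same report fields for a small place/transition net that stands in for the master–slave exchange. The place and transition names are assumptions chosen to mirror the paper's Send_*/Rec_* places; a second variant adds a reset loop, so that the "nodes equal to strongly connected nodes means no loop" argument can be seen to fail when a loop exists.

```python
"""Reachability-graph statistics for a small place/transition net.

Added example, not the paper's model: a 1-safe Petri net approximating the
connection and secure-transmission exchange, with the report fields CPN Tools
produces (nodes, arcs, SCC count, dead markings, dead transitions) computed
by hand.
"""
from collections import deque

# Transition name -> (input places, output places). The names are assumptions
# loosely following the paper's Send_*/Rec_* places, not its actual model.
BASE_NET = {
    "Send_ConnReq":   ({"M_idle"},       {"Ch_ConnReq"}),
    "Rec_ConnReq":    ({"Ch_ConnReq"},   {"S_got_req"}),
    "Send_ConnID":    ({"S_got_req"},    {"Ch_ConnID"}),
    "Rec_ConnID":     ({"Ch_ConnID"},    {"M_connected"}),
    "Send_SafetyReq": ({"M_connected"},  {"Ch_SafetyReq"}),
    "Rec_SafetyReq":  ({"Ch_SafetyReq"}, {"S_checking"}),
    "Send_WKC":       ({"S_checking"},   {"Ch_WKC"}),
    "Rec_WKC":        ({"Ch_WKC"},       {"M_done"}),
}
INITIAL = frozenset({"M_idle"})

def with_reset(net):
    """Variant in which a failed check on the slave resets to the start."""
    out = dict(net)
    out["Reset"] = ({"S_checking"}, {"M_idle"})
    return out

def enabled(net, marking):
    return [t for t, (ins, _) in net.items() if ins <= marking]

def fire(net, marking, t):
    ins, outs = net[t]
    return frozenset((marking - ins) | outs)

def state_space(net, initial=INITIAL):
    """Breadth-first exploration; returns (nodes, arcs) of the reachability graph."""
    nodes, arcs, queue = {initial}, [], deque([initial])
    while queue:
        m = queue.popleft()
        for t in enabled(net, m):
            n = fire(net, m, t)
            arcs.append((m, t, n))
            if n not in nodes:
                nodes.add(n)
                queue.append(n)
    return nodes, arcs

def scc_count(nodes, arcs):
    """Number of strongly connected components (Kosaraju, iterative DFS)."""
    succ = {n: [] for n in nodes}
    pred = {n: [] for n in nodes}
    for a, _, b in arcs:
        succ[a].append(b)
        pred[b].append(a)
    seen, order = set(), []

    def dfs(start, adj, on_finish):
        stack = [(start, False)]
        while stack:
            v, finished = stack.pop()
            if finished:
                on_finish(v)
            elif v not in seen:
                seen.add(v)
                stack.append((v, True))
                stack.extend((w, False) for w in adj[v] if w not in seen)

    for n in nodes:
        dfs(n, succ, order.append)        # first pass: finishing order
    seen.clear()
    count = 0
    for n in reversed(order):             # second pass on the transposed graph
        if n not in seen:
            dfs(n, pred, lambda _: None)
            count += 1
    return count

def report(net):
    """Report fields analogous to the CPN Tools state space summary."""
    nodes, arcs = state_space(net)
    sccs = scc_count(nodes, arcs)
    fired = {t for _, t, _ in arcs}
    return {
        "nodes": len(nodes),
        "arcs": len(arcs),
        "scc_nodes": sccs,
        "dead_markings": sum(1 for m in nodes if not enabled(net, m)),
        "dead_transitions": len(set(net) - fired),
        "loop_free": sccs == len(nodes),   # every marking is its own SCC
    }

if __name__ == "__main__":
    print(report(BASE_NET))
    print(report(with_reset(BASE_NET)))
```

For the loop-free net the report shows 9 nodes, 8 arcs, 9 strongly connected components, one dead marking (the final state) and no dead transitions, which is the pattern Table 2 relies on. With the reset transition added, the node count stays at 9 but the SCC count drops to 3, because the seven markings on the reset cycle collapse into one component; this is the signature of iterative behavior that the equal counts in the paper's report rule out.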

5. Add Attack Model Evaluation and Validation

5.1. Modeling Based on the Dolev–Yao Attacker Model

Presently, the Dolev–Yao model serves as a primary method for capturing diverse attack scenarios, particularly those executed by an adversary operating in the man-in-the-middle position [37]. In line with this, the current section consolidates the capabilities of the Dolev–Yao attacker model, encompassing spoofing, replaying, and tampering, to comprehensively evaluate and validate the inherent security of the protocol. Furthermore, in accordance with the description provided in Section 4, the model serves as an essential tool for decrypting, encrypting, as well as dividing and reassembling the information exchanged during the protocol transmission phase [38].
A significant portion of the contemporary attacker models is rooted in the Dolev–Yao attacker model. Nonetheless, the original Dolev–Yao attacker model is susceptible to generating a substantial number of message repetitions, primarily due to its unrestricted processing of messages. This characteristic contributes to an excessively large state space, consequently influencing the evaluation outcomes of the protocol. In light of these challenges, this section introduces an enhancement strategy for the attacker model. Firstly, the attacker’s operations are constrained and segmented into two distinct components, namely message decomposition and message synthesis, aimed at mitigating the issue of state explosion. The transformation rules associated with this strategy are delineated in Table 3. Additionally, the parameterized attack method is employed to curtail the state space, further reinforcing the robustness of the model.
It is important to note that the model developed in this study primarily focuses on the security attributes inherent to the analyzed protocols themselves and does not directly consider the security aspects of cryptographic algorithms. Specifically, real-time protocols such as the INTERBUS standard are included in this scope. The encryption, decryption, and authentication procedures for each data exchange are carried out autonomously by the communicating devices. Considering the brief transmission time between the devices and the proximity of the receiver to a potential attacker, the study primarily addresses the security concerns within this context.
At the network transmission level of the initial model, as shown in Figure 10, we add the man-in-the-middle attacks replay, spoofing and tampering. Replay attacks are modeled by the places and transitions in the green areas of the figure. The information transmitted the first time the protocol runs may be intercepted by the transition TA. The attacker splits it: the message to be split is stored in the place BG and its atomic parts in the places LBW, A2 and A3. The atomic messages produced by the decomposition in the transition TC are stored in the place A3, following the attacker’s decomposition rules. The atomic messages synthesized by the transition TD are stored in A5, following the attacker’s synthesis rules. The transition TH handles messages that the attacker cannot decrypt. The concurrency control place HH restricts the transition TD, so that synthesis is limited to messages decomposed from the initial state. The transition TF builds the attack data that the attacker finally transmits to the channel port place. The pink-marked arcs at the transitions represent tampering attempts, introduced through the arc expression of the transition ATTACK, i.e., a parameterized attack. The blue part of the figure simulates a spoofing attack and covers all the transitions of the original network transmission, i.e., Transmit ConnReq, Transmit ConnID, Transmit SafetyReq, Transmit WKC and Transmit LBW.

5.2. Security Assessment of the INTERBUS Protocol

In this section, we expand upon the initial model discussed in Section 4.2 by incorporating the attacker model depicted in Figure 10. Our focus revolves around the comprehensive assessment and validation of the security aspects concerning the protocol’s message transmission process. To achieve this, we leverage the CPN state space tool to extract state data, enabling us to gain valuable insights into the existing security concerns.

5.2.1. Attacker Model Consistency Analysis

In order to ascertain whether the model’s consistency aligns with the specified requirements, this section conducts a comprehensive verification of the model’s functional consistency and safety. Analyzing the state data becomes crucial in determining the acceptability of the consistency and the appropriateness of our model. With the incorporation of the attacker model, we present a state space summary in Figure 10 and Table 4. The REY-ATK column illustrates the state space report generated using the replay attack model, the TAR-ATK column represents the state space report generated using the tamper attack model, and the SPF-ATK column represents the state space report generated using the spoofing attack model.
The table shows equal numbers of state space nodes, state space directed arcs and strongly connected nodes, demonstrating that all state nodes of the attacker model are reachable without any infinite loops or iterative state behavior. Furthermore, the graphs indicate that no state space explosion occurs, which aligns with the anticipated outcome. Introducing the adversary model does significantly increase the number of state space nodes and directed arcs; despite this expansion, the attacker model reduces the number of messages required from both parties. Together these features make the attack model both effective and efficient.

5.2.2. Security Validation

Upon comparing the REY-ATK replay attack model with the initial model, Table 3 exhibits a notable surge in the number of directed arcs and state space nodes. The attacker significantly amplifies the state space by generating duplicate messages through its attack methodology. Additionally, three dead nodes were identified, stemming from the discarding of crucial messages by the receiving nodes. The number of dead nodes increased relative to the original model due to the improper modification of authentication data by the TAR-ATK tampering attack. As for the SPF-ATK spoofing attack model, Table 3 indicates the presence of three dead nodes, showing that the attack drives the protocol into unexpected behavior. The newly introduced adversary model effectively targets the original model’s request and response message transmission process, exposing three vulnerabilities in the original protocol: tampering, spoofing, and replay.

5.2.3. Protocol Vulnerability Analysis

Upon concluding the security assessment, following an attack on the original protocol model utilizing the enhanced attacker model, our analysis of the derived security assessment results highlights the protocol’s susceptibility to three distinct man-in-the-middle attacks: tampering, replay, and spoofing. These vulnerabilities are observed during the master–slave interaction process, where legitimate connection requests and transmission of secure data can be intercepted and manipulated during the protocol’s operation, thereby compromising the transmission of legitimate messages. These three types of man-in-the-middle attacks could potentially result in:
Type I protocol vulnerability: Manipulation of the connection ID value during a protocol session can lead to an unpredictable disruption of the session, resulting in a protocol reset. If an attacker continuously monitors the session connection, they may notice that each time the connection fails, a new connection ID is generated. Exploiting this vulnerability, the attacker can alter the connection ID and transmit it to the master, posing as the slave. Consequently, the master may send an erroneous message authentication code, leading to the disruption of the session connection and triggering a protocol reset.
Type II protocol vulnerability: Through extensive observation of protocol transmission messages, an attacker can identify instances where the same message connection ID is used for secure data transmission. Leveraging this knowledge, the attacker can reintroduce previously intercepted transmissions into the ongoing message interactions, prompting the slave to execute false commands.
Type III protocol vulnerability: By closely monitoring a significant volume of protocol transmission messages, the attacker can relay the intercepted connection ID to the security data transmission process when the same message session connection is detected. This action misleads the slave into assuming that the master is responsible for sending the connection ID during the subsequent security data transmission operation. Consequently, the slave executes an unauthorized command issued by the master, thus facilitating an attack on the slave.

6. Protocol Improvement and Validation

6.1. Protocol Enhancement Schemes

In this paper, we present a corresponding enhancement strategy for addressing the security vulnerability inherent in the protocol. The proposed solution involves the introduction of a key distribution center during the connection process, where Ks represents the public key of both the master and the slave, Ka denotes the private key of the master, and Kb signifies the private key of the slave. Additionally, a hash value is incorporated during the secure data transmission. The message flow diagram of the improved protocol is illustrated in Figure 11.
  • The master sends the master address and slave address information and the connection ID information and LBW word to the secret key distribution center Key.
  • The secret key distribution center adds the public key Ks to the message sent by the master, then encrypts the address information and the public key Ks with the private key Kb of the slave and sends all these messages to the master after encrypting them with the private key Ka of the master.
  • The master decrypts the received information with its private key, Ka, and forwards the part intended for the slave to the slave.
  • The slave decrypts the received information with its private key Kb, generates a new connection ID, encrypts it with the received public key Ks, and sends the encrypted information to the master.
  • The master decrypts the received information with the public key Ks, performs a function on the connection ID, then encrypts the result with the public key and sends it to the slave for authentication.
  • The slave decrypts the received information with the public key and authenticates the connection ID.
  • The master locally hashes the security data to be sent and then sends the hash value, security data, connection ID, command, and counter information to the slave.
  • The slave hashes the security data in the received message again and compares the resulting hash value with the hash value sent by the master; if they are the same, the command operation carried by the security data is performed, and the LBW word and the counter, incremented by 1, are returned to the master.
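The eight steps above, run end to end as an added simulation (this is not the paper's code or model). Several things the paper leaves unspecified are filled in as labelled assumptions: Ka and Kb are treated as symmetric keys that the master and slave each share with the key distribution center (the paper calls them private keys); the cipher is replaced by a keystream cipher built from HMAC-SHA256 in counter mode; the function the master applies to the connection ID in step 5 is SHA-256; and the "hash value" of step 7 is an HMAC keyed with Ks rather than a plain hash, because a plain hash can be recomputed by anyone who rewrites the data, whereas a keyed hash is bound to the session key the paper's conclusion relies on. The names KDC, Master, Slave, data_tag and f_auth are hypothetical.

```python
"""Message flow of the enhanced scheme (Section 6.1), as an added simulation.

Not the paper's code. Assumptions: Ka/Kb are symmetric keys shared with the key
distribution center; the cipher is an HMAC-SHA256 keystream stand-in; the
connection-ID function is SHA-256; the hash over security data is an HMAC
keyed with the session key Ks.
"""
import hashlib, hmac, json, secrets

def _keystream(key, nonce, length):
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]

def encrypt(key, obj):
    """Serialise obj as JSON and XOR it with a fresh keystream; returns nonce||ciphertext."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))

def decrypt(key, blob):
    """Inverse of encrypt; a wrong key yields garbage that fails to parse, giving None."""
    nonce, ct = blob[:16], blob[16:]
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    try:
        return json.loads(pt.decode())
    except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
        return None

def f_auth(conn_id):
    """Assumed function applied to the connection ID in step 5."""
    return hashlib.sha256(conn_id.encode()).hexdigest()

def data_tag(ks, conn_id, cmd, wkc, data):
    """Keyed hash binding the security data to session ID, command and counter."""
    return hmac.new(ks, f"{conn_id}|{cmd}|{wkc}|{data}".encode(), hashlib.sha256).hexdigest()

class KDC:
    def __init__(self, ka, kb):
        self.ka, self.kb = ka, kb
    def reply(self, req):
        # Step 2: add Ks, wrap the slave's copy under Kb, wrap everything under Ka.
        ks = secrets.token_bytes(32)
        for_slave = encrypt(self.kb, {"m_mac": req["m_mac"], "s_mac": req["s_mac"], "ks": ks.hex()})
        return encrypt(self.ka, {**req, "ks": ks.hex(), "for_slave": for_slave.hex()})

class Slave:
    def __init__(self, kb):
        self.kb, self.ks, self.conn_id, self.wkc, self.authenticated = kb, None, None, 0, False
    def on_key_msg(self, blob):
        # Step 4: recover Ks, reply with a fresh connection ID encrypted under Ks.
        m = decrypt(self.kb, blob)
        if m is None:
            return None
        self.ks, self.conn_id = bytes.fromhex(m["ks"]), secrets.token_hex(8)
        return encrypt(self.ks, {"conn_id": self.conn_id})
    def on_auth(self, blob):
        # Step 6: authenticate the master's transformed connection ID.
        m = decrypt(self.ks, blob)
        self.authenticated = bool(m) and hmac.compare_digest(m.get("auth", ""), f_auth(self.conn_id))
        return self.authenticated
    def on_safety(self, msg):
        # Step 8: require an authenticated session, the current ID and counter, and a valid tag.
        expected = data_tag(self.ks, msg["conn_id"], msg["cmd"], msg["wkc"], msg["data"])
        if not (self.authenticated and msg["conn_id"] == self.conn_id and msg["wkc"] == self.wkc
                and hmac.compare_digest(msg["tag"], expected)):
            return None  # reset: the message is discarded
        self.wkc += 1
        return {"wkc": self.wkc, "lbw": msg["lbw"]}

class Master:
    def __init__(self, ka):
        self.ka, self.ks, self.conn_id, self.wkc = ka, None, None, 0
    def request(self, m_mac, s_mac, lbw):
        # Step 1: addresses, initial connection ID and LBW word go to the key center.
        return {"m_mac": m_mac, "s_mac": s_mac, "conn_id": secrets.token_hex(8), "lbw": lbw}
    def on_kdc_reply(self, blob):
        # Step 3: keep Ks, forward the Kb-wrapped part to the slave.
        m = decrypt(self.ka, blob)
        if m is None:
            return None
        self.ks = bytes.fromhex(m["ks"])
        return bytes.fromhex(m["for_slave"])
    def on_conn_id(self, blob):
        # Step 5: transform the slave's connection ID and return it under Ks.
        m = decrypt(self.ks, blob)
        if m is None:
            return None
        self.conn_id = m["conn_id"]
        return encrypt(self.ks, {"auth": f_auth(self.conn_id)})
    def safety_msg(self, cmd, data, lbw):
        # Step 7: security data with keyed hash, connection ID, command and counter.
        tag = data_tag(self.ks, self.conn_id, cmd, self.wkc, data)
        return {"conn_id": self.conn_id, "cmd": cmd, "wkc": self.wkc, "data": data, "lbw": lbw, "tag": tag}

def run_session():
    """Handshake, one legitimate transfer, then a replayed and a tampered copy (constructed)."""
    ka, kb = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed long-term keys
    kdc, master, slave = KDC(ka, kb), Master(ka), Slave(kb)
    for_slave = master.on_kdc_reply(kdc.reply(master.request("00:11", "00:22", "lbw")))
    authenticated = slave.on_auth(master.on_conn_id(slave.on_key_msg(for_slave)))
    msg = master.safety_msg("WRITE", "valve=open", "lbw")
    first = slave.on_safety(msg)                      # accepted: WKC goes 0 -> 1
    master.wkc = first["wkc"]
    replay = slave.on_safety(msg)                     # stale counter: rejected
    tampered = dict(msg, wkc=1, data="valve=closed")  # right counter, stale tag: rejected
    return {"authenticated": authenticated, "first_wkc": first["wkc"],
            "replay_rejected": replay is None, "tamper_rejected": slave.on_safety(tampered) is None}
```

The replayed copy is rejected by the WKC counter check alone, which mirrors the paper's observation that the counter and fresh connection ID defeat replay; the tampered copy carries the correct counter and is rejected only because its tag no longer matches, which is where the keyed hash does the work. The session keys are constructed at random for each run, so the return values are deterministic while the transmitted bytes are not.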

6.2. New Solution Model for Protocols

The improved CPN model is shown in Figure 12, which adds a third-party secret key distribution platform to the middle-layer model of the original model. The improved middle-layer model consists of 6 substitution transitions and 16 places, which completely simulate the connection process of secret key distribution and authentication and the transmission process of security data. The substitution transition Key simulates the secret key distribution process, the substitution transitions Connection and Connection’ simulate connection establishment and authentication, and the substitution transitions Secure transmission and Secure transmission’ simulate secure data transmission.
The substitution transition Connection describes in detail the master sending a request to the secret key distribution center and sending authentication information to the slave. As shown in Figure 13, the transition combination integrates the MAC addresses of the master and slave, the connection ID and the LBW word and sends them to the secret key distribution center through the place Send_MAC. The information returned by the key center, received through the place Rec_Ks, is decrypted with the master’s own secret key Ka; after confirming that it was returned by the key center, the part carrying the public key Ks is sent to the slave through the place Send_Kb. The reply from the slave, received through the place Rec_Sid’, is decrypted with the public key Ks, the received session ID is processed by the function in the transition Go, and the resulting connection ID is encrypted with the public key Ks by the transition PublicKey and sent to the slave through the place Send_Sid.
The substitution transition Key describes the processing of messages by the secret key distribution center. As shown in Figure 14, the center processes the request message received from the master: it integrates the master’s request with the public key Ks through the transition ksMsg1, integrates the received address information with the public key Ks through the transition M_KS, packages the message to be returned to the master through the transition Com_M, encrypts the return message with Ka through the transition com_M, and finally sends the encrypted information to the master through the place Rec_Ks.
The substitution transition Connection’ describes in detail the processing and authentication of connection information by the slave. As shown in Figure 15, the transition COM decrypts the information received by the slave with the secret key Kb, then encrypts the newly generated connection ID with the public key Ks through the transition kid and sends it to the master through the place Rec_Sid. The transition FID decrypts the authentication information sent by the master with the public key Ks and authenticates the connection using the decrypted connection ID.
The substitution transition Safety describes in detail the master sending security data to the slave. As shown in Figure 16, unlike the original model, the security data to be sent to the slave is hashed through the transition Hash and the hash result is sent together with the security data. The substitution transition Safety’ describes in detail the processing of the safety data by the slave, as shown in Figure 17. Different from the original model, the security data sent by the master is hashed locally by the slave through the transition HASH, and the generated hash value hdata is compared with the hash value hdata sent by the master through the transition COMPAR. If they are the same, the data has not been tampered with and the relevant command is executed; the counter is incremented by 1 and returned to the master. If they differ, the slave resets.

6.3. Improving the Security Assessment Model of the Protocol

In this section, we employ the same Dolev–Yao adversary model to assess the robustness of the enhanced communication model resulting from the new scheme. As illustrated in Figure 18, the segments highlighted in red simulate a replay attack, the portions marked in purple mimic a tampering attack, and the elements shaded in blue emulate a spoofing attack.

6.4. Safety Assessment and Analysis of the Improved Solution Model

In the previous section, we incorporated three attack models. This section describes the changes in the state space reports after these attack types are included, and then analyzes the security efficacy of the enhanced protocol.

6.4.1. Security Assessment in Three Attack Environments

Table 5 displays the state space data before and after the enhancement for the three attack models. TAR-ATK represents the tampering attack model, SPF-ATK denotes the spoofing attack model, and REY-ATK signifies the replay attack model. The data in the table align with the anticipated performance changes. Post-enhancement, the number of state nodes has notably decreased compared to the number of directed arcs before the enhancements. Upon comparison, the change in the state data for the REY-ATK replay attack shows a reduction in dead nodes from 4 to 2, signifying that the replay attack does not undermine our improved defense measures. Similarly, the number of dead nodes for the TAR-ATK tampering attack has been reduced to one after the enhancement, implying that the attacker’s attempt to manipulate communication data is ineffective without access to the session keys of both parties. The reduced number of dead nodes (from 3 to 1) for the SPF-ATK spoofing attack in the improved model shows that the attack no longer causes unexpected protocol behavior once full authentication is integrated.

6.4.2. Safety Analysis of the Improvement Scheme

Comparing the state space results of the original protocol security assessment model before the enhancement with those of the improved protocol security assessment model after it, as presented in Table 5, shows that the introduction of the secret key distribution center for authentication and the incorporation of hash values into the data have led to a significant increase in the number of nodes and arcs in the state space of the improved protocol security assessment model. During the security validation phase, three types of man-in-the-middle attacks are employed to test the improved scheme’s resilience against such attacks. A comparative analysis shows a reduction in dead nodes in the improved scheme compared to the initial state, indicating that the improved protocol remains unharmed by the attack attempts. The changes in the dead nodes in the analysis table post-enhancement are primarily at the network level. This is because the attack model cannot access the secret session key of the protocol connection, preventing it from deciphering and decomposing the acquired information and launching replay attacks. Similarly, at the data transmission level, the protocol’s transmission messages are hash-transformed, and since the hash value is irreversible, attempts at tampering are thwarted. With the addition of authentication to the protocol, the improved scheme effectively safeguards against spoofing attacks.
In conclusion, the analysis demonstrates that the attacker is incapable of initiating an attack due to its failure to access the secret session key of the message and the secret authentication key, as well as its inability to manipulate the data’s hash. This finding serves as evidence that the enhanced scheme effectively thwarts the three previously identified man-in-the-middle attacks and meets the property requirements of the protocol security mechanism.

6.5. Analysis of Improvement Program QOS

The concept of quality of service (QoS) (CISCO, San Jose, CA, USA, 2002) within a network pertains to its capability to furnish enhanced service to selected network traffic by employing a diverse array of technologies. These technologies encompass frame relay, asynchronous transfer mode, Ethernet and 802.1 networks, SONET, and IP-routed networks, which can be leveraged individually or in conjunction with each other [39]. A range of service policies further complements these technologies. Within the context of the INTERBUS protocol, the custom queueing (CQ) policy is adopted [40]. CQ is structured to accommodate up to 16 groups, each with a specified configuration determining the allocation of packets to designated queues, the queue length, the number of consecutive bytes a queue may transmit per polling round, and other pertinent parameters.
Under the CQ framework, packets are systematically classified and sorted into distinct categories, with a maximum of 17 queues facilitating the segregation of messages based on their specific categories. The messages are then allocated to their respective queues in alignment with the assigned categories. In a bid to bolster the data security framework of the protocol, the proposed scheme introduces enhancements to the data encryption strategy. This involves the integration of a key distribution center and a robust hash function, bolstering the security infrastructure without necessitating alterations to other existing strategies. Importantly, these enhancements are designed to fortify data security while maintaining the integrity of the protocol’s QoS provisions.
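To show what the three CQ parameters named above (queue assignment, queue length, byte count per polling round) actually do to a mixed stream of INTERBUS frames, here is an added simulation of the scheduler; it is neither the paper's code nor a vendor implementation. The 17 queues follow the text, with queue 0 kept for system traffic and queues 1 to 16 for configurable groups; the classification policy, frame sizes and byte counts are constructed for the example.

```python
"""Custom queueing (CQ) scheduler simulation, added as an example.

Not the paper's code or a vendor implementation. Models the three CQ parameters
the text names: queue assignment, queue length (packets), and the byte count
each queue may send per polling round. Queue 0 is reserved for system traffic;
queues 1-16 are the configurable groups.
"""
from collections import deque

NUM_QUEUES = 17  # queue 0 plus 16 configurable groups

class CustomQueueing:
    def __init__(self, byte_counts, limits, classify):
        self.queues = {q: deque() for q in range(NUM_QUEUES)}
        self.byte_counts = {q: byte_counts.get(q, 1500) for q in range(NUM_QUEUES)}
        self.limits = {q: limits.get(q, 20) for q in range(NUM_QUEUES)}
        self.classify = classify
        self.dropped = []

    def enqueue(self, pkt):
        """Place a packet in its queue; tail-drop once the queue length is reached."""
        q = self.classify(pkt)
        if len(self.queues[q]) >= self.limits[q]:
            self.dropped.append(pkt)
            return False
        self.queues[q].append(pkt)
        return True

    def drain(self):
        """Round-robin service: each non-empty queue sends packets until its byte
        count is reached; the packet that crosses the byte count is still sent."""
        order = []
        while any(self.queues.values()):
            for q in range(NUM_QUEUES):
                sent = 0
                while self.queues[q] and sent < self.byte_counts[q]:
                    pkt = self.queues[q].popleft()
                    sent += pkt["size"]
                    order.append(pkt["id"])
        return order

def classify_interbus(pkt):
    """Constructed policy: safety frames -> queue 1, connection traffic -> 2, other -> 3."""
    return {"safety": 1, "conn": 2}.get(pkt["kind"], 3)

def demo():
    """Constructed frame mix; returns (transmission order, dropped frame ids)."""
    cq = CustomQueueing(byte_counts={1: 150, 2: 100, 3: 1400}, limits={3: 2},
                        classify=classify_interbus)
    frames = [
        {"id": "s1", "kind": "safety", "size": 64},
        {"id": "b1", "kind": "bulk",   "size": 1400},
        {"id": "s2", "kind": "safety", "size": 64},
        {"id": "c1", "kind": "conn",   "size": 80},
        {"id": "b2", "kind": "bulk",   "size": 1400},
        {"id": "b3", "kind": "bulk",   "size": 1400},  # exceeds queue 3 length: dropped
        {"id": "s3", "kind": "safety", "size": 64},
        {"id": "s4", "kind": "safety", "size": 64},
    ]
    for f in frames:
        cq.enqueue(f)
    return cq.drain(), [f["id"] for f in cq.dropped]

if __name__ == "__main__":
    print(demo())
```

In the first polling round the safety queue sends s1, s2 and s3 (the third frame crosses its 150-byte count and is still sent), the connection queue sends c1, and the bulk queue sends one 1400-byte frame before reaching its count; s4 and b2 go out in the second round, and b3 was tail-dropped because the bulk queue length was set to 2. This is why the paper can add a key distribution step and a hash to the payload without touching the QoS policy: CQ only looks at the classification, queue length and byte counts, not at the content being protected.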

7. Summary

This paper delves into a comprehensive exploration of the security intricacies encompassing the INTERBUS protocol, a pivotal field bus protocol extensively employed within industrial internet applications. With the relentless advancement of intelligent industrial control systems and related technologies, the widespread adoption of field bus communications, including the prominent use of INTERBUS, has become an integral component of contemporary industrial automation systems. However, the increasing interconnectivity among control systems, often resulting in the formation of complex distributed networks, has accentuated the urgency of addressing critical security concerns, thereby elevating it to a focal point of contemporary research endeavors. In this study, a hybrid approach integrating colored Petri net (CPN) modeling and detection techniques alongside formal analysis methods has been adopted to comprehensively assess the security landscape of the INTERBUS protocol. This multifaceted analysis encompasses a comprehensive evaluation of the protocol’s security framework, meticulous identification of potential vulnerabilities, strategic proposal of enhancement methodologies, and rigorous validation of their efficacy. The insights derived from this study serve as a valuable repository of knowledge and references for fortifying the security infrastructure of industrial control systems, thereby contributing significantly to the ongoing discourse surrounding industrial cybersecurity.
During the comprehensive security assessment of the INTERBUS, CPN Tools assumes a pivotal role in modeling the protocol and meticulously scrutinizing the intricacies of the message flow method underpinning the communication protocol interaction process. Employing an adversary model, the constructed INTERBUS model undergoes rigorous testing to ascertain and evaluate its security posture. Subsequently, the state space is meticulously examined and analyzed utilizing the state space tool of CPN Tools. The security evaluation reveals that the protocol is susceptible to three primary forms of attack, namely replay attacks, spoofing attacks, and tampering. In response to the identified vulnerabilities, this paper introduces a comprehensive approach aimed at bolstering protocol authentication to ensure secure data transmission. This proposed strategy incorporates the integration of key distribution hubs and robust hashing mechanisms to establish a framework for reliable and secure data transmission. To validate the efficacy of the proposed security enhancement strategy, the protocol is remodeled using CPN, incorporating the same adversary model. A detailed comparative analysis of the state space results before and after the implementation of the proposed enhancements indicates that the newly devised hardening scheme effectively thwarts the three identified attacks, thus underscoring its robustness and efficacy in fortifying the security infrastructure of the INTERBUS protocol.
This study concentrated on three attack types and gave less attention to other attack strategies. Future work will extend the analysis to a broader set of attacks in order to uncover any remaining vulnerabilities in the protocol and to strengthen it further.

Author Contributions

T.F. participated in the feasibility discussion, analysis of the paper scheme, and the proofreading of the paper; C.L. was responsible for the overall design, performance analysis, and paper writing; X.G. and Y.L. supervised the formulation of the scheme and reviewed and revised the paper. All authors have read and agreed to the published version of the manuscript.

Funding

This work is supported by the National Natural Science Foundation of China (Grant No. 62162039, 61762060).

Data Availability Statement

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Knowles, W.; Prince, D.; Hutchison, D.; Disso, J.F.P.; Jones, K. A survey of cyber security management in industrial control systems. Int. J. Crit. Infrastruct. Prot. 2015, 9, 52–80. [Google Scholar] [CrossRef]
  2. Wieczorek, F.; Krauß, C.; Schiller, F.; Eckert, C. Towards secure fieldbus communication. In International Conference on Computer Safety, Reliability, and Security; Springer: Berlin/Heidelberg, Germany, 2012. [Google Scholar]
  3. dePriest, M.S. Network security considerations in TCP/IP-based manufacturing automation. ISA Trans. 1997, 36, 37–48. [Google Scholar] [CrossRef]
  4. Chen, Y. Industrial information integration-A literature review 2006–2015. J. Ind. Inf. Integr. 2016, 2, 30–64. [Google Scholar] [CrossRef]
  5. Igure, V.M.; Slaughter, A.; Williams, R.D. Security issues in SCADA networks. Comput. Secur. 2006, 25, 498–506. [Google Scholar] [CrossRef]
  6. Brändle, M.; Naedele, M. Security for process control systems: An overview. IEEE Secur. Priv. 2008, 6, 24–29. [Google Scholar] [CrossRef]
  7. Miller, A. Trends in process control systems security. IEEE Secur. Priv. 2005, 3, 57–60. [Google Scholar] [CrossRef]
  8. Ralston, P.A.; Graham, J.H.; Hieb, J.L. Cyber security risk assessment for SCADA and DCS networks. ISA Trans. 2007, 46, 583–594. [Google Scholar] [CrossRef] [PubMed]
  9. Piètre-Cambacédès, L.; Sitbon, P. Cryptographic key management for SCADA systems-issues and perspectives. In Proceedings of the 2008 International Conference on Information Security and Assurance (ISA 2008), Busan, Republic of Korea, 24–26 April 2008. [Google Scholar]
  10. Fovino, I.N.; Carcano, A.; Masera, M.; Trombetta, A. Design and implementation of a secure Modbus protocol. In Proceedings of the International Conference on Critical Infrastructure Protection, Hanover, NH, USA, 23–25 March 2009; Springer: Berlin/Heidelberg, Germany, 2009. [Google Scholar]
  11. Davidson, C.C.; Andel, T.R.; Yampolskiy, M.; McDonald, J.T.; Glisson, W.B.; Thomas, T. On SCADA PLC and fieldbus cyber-security. In Proceedings of the 13th International Conference on Cyber Warfare and Security, Washington, DC, USA, 8–9 March 2018. [Google Scholar]
  12. Galloway, B.; Hancke, G.P. Introduction to industrial control networks. IEEE Commun. Surv. Tutor. 2012, 15, 860–880. [Google Scholar] [CrossRef]
  13. Thomesse, J.P. A review of the fieldbuses. Annu. Rev. Control. 1998, 22, 35–45. [Google Scholar] [CrossRef]
  14. Treytl, A.; Sauter, T.; Schwaiger, C. Security measures for industrial fieldbus systems—State of the art and solutions for IP-based approaches. In Proceedings of the IEEE International Workshop on Factory Communication Systems, Vienna, Austria, 22–24 September 2004; pp. 201–209. [Google Scholar] [CrossRef]
  15. Peserico, G.; Morato, A.; Tramarin, F.; Vitturi, S. Functional Safety Networks and Protocols in the Industrial Internet of Things Era. Sensors 2021, 21, 6073. [Google Scholar] [CrossRef] [PubMed]
  16. Luo, X.; Li, Y. Research and implementation of Modbus TCP security enhancement protocol. J. Phys. Conf. Ser. 2019, 1213, 052058. [Google Scholar]
  17. Wang, Q.; Sawhney, S. VeCure: A practical security framework to protect the CAN bus of vehicles. In Proceedings of the 2014 International Conference on the Internet of Things (IOT), Barcelona, Spain, 27–29 August 2014. [Google Scholar]
  18. Zhou, Y.; Chai, D.; Liu, M.; Lin, F.; Shang, W.; Wang, L. Research on the security mechanism for interconnection between PROFIBUS and the Internet. In Proceedings of the 11th World Congress on Intelligent Control and Automation, Shenyang, China, 29 June–4 July 2014. [Google Scholar]
  19. Doebbert, T.R.; Fischer, F.; Merli, D.; Scholl, G. On the Security of IO-Link Wireless Communication in the Safety Domain. arXiv 2022, arXiv:2207.12938. [Google Scholar]
  20. INTERBUS Club. The INTERBUS. In Fieldbus Technology; Springer: Berlin/Heidelberg, Germany, 2003; pp. 467–486. [Google Scholar]
  21. Meyer-Gräfe, K. Interbus in safety critical applications. In Proceedings of the 1999 European Control Conference (ECC), Karlsruhe, Germany, 31 August–3 September 1999. [Google Scholar]
  22. Cremers, C.J. The Scyther Tool: Verification, Falsification, and Analysis of Security Protocols: Tool Paper. In Computer Aided Verification: 20th International Conference, CAV 2008, Princeton, NJ, USA, 7–14 July 2008; Springer: Berlin/Heidelberg, Germany, 2008. [Google Scholar]
  23. Cohn-Gordon, K.; Cremers, C.; Dowling, B.; Garratt, L.; Stebila, D. A formal security analysis of the signal messaging protocol. J. Cryptol. 2020, 33, 1914–1983. [Google Scholar] [CrossRef]
  24. Meier, S.; Schmidt, B.; Cremers, C.; Basin, D. The TAMARIN prover for the symbolic analysis of security protocols. In Computer Aided Verification: 25th International Conference, CAV 2013, Saint Petersburg, Russia, 13–19 July 2013; Springer: Berlin/Heidelberg, Germany, 2013. [Google Scholar]
  25. Boyukov, T.; Andonov, V.; Atanassov, K. Generalized net model of the connections between different types of transport in Bulgaria. In Proceedings of the 2022 IEEE 11th International Conference on Intelligent Systems (IS), Warsaw, Poland, 12–14 October 2022; pp. 1–4. [Google Scholar] [CrossRef]
  26. Zhu, Q.; Zhou, M.; Qiao, Y.; Wu, N. Petri net modelling and scheduling of a close-down process for time-constrained single-arm cluster tools. IEEE Trans. Syst. Man Cybern. Syst. 2016, 48, 389–400. [Google Scholar] [CrossRef]
  27. Jensen, K. An introduction to the practical use of coloured Petri nets. In Advanced Course on Petri Nets; Springer: Berlin/Heidelberg, Germany, 1996. [Google Scholar]
  28. Zhu, Q.; Qin, Y.; Zhao, Y.; Zhou, C. A hierarchical coloured Petri net-based cyberattacks response strategy making approach for critical infrastructures. Int. J. Distrib. Sens. Netw. 2020, 16, 1550147719889808. [Google Scholar] [CrossRef]
  29. Ratzer, A.V.; Wells, L.; Lassen, H.M.; Laursen, M.; Qvortrup, J.F.; Stissing, M.S.; Westergaard, M.; Christensen, S.; Jensen, K. CPN Tools for Editing, Simulating, and Analysing Coloured Petri Nets. In Applications and Theory of Petri Nets 2003; ICATPN 2003. Lecture Notes in Computer Science; Van der Aalst, W.M.P., Best, E., Eds.; Springer: Berlin/Heidelberg, Germany, 2003; Volume 2679. [Google Scholar] [CrossRef]
  30. Bokova, O.I.; Kanavin, S.V.; Meshcheryakov, V.A.; Khokhlov, N.S. Information security system model in the automated system developed in the simulation software environment CPN Tools. J. Phys. Conf. Ser. 2020, 1479, 012021. [Google Scholar]
  31. Jensen, K.; Kristensen, L.M.; Wells, L. Coloured Petri Nets and CPN Tools for modelling and validation of concurrent systems. Int. J. Softw. Tools Technol. Transf. 2007, 9, 213–254. [Google Scholar] [CrossRef]
  32. Amadio, R.M.; Charatonik, W. On name generation and set-based analysis in the Dolev-Yao model. In Proceedings of the International Conference on Concurrency Theory, Brno, Czech Republic, 20–23 August 2002; Springer: Berlin/Heidelberg, Germany, 2002. [Google Scholar]
  33. Baskar, A.; Ramanujam, R.; Suresh, S. Dolev-yao theory with associative blind pair operators. In Proceedings of the International Conference on Implementation and Application of Automata, Kosice, Slovakia, 22–25 July 2019; Springer: Berlin/Heidelberg, Germany, 2019. [Google Scholar]
  34. Rocchetto, M.; Tippenhauer, N.O. CPDY: Extending the Dolev-Yao attacker with physical-layer interactions. In Proceedings of the International Conference on Formal Engineering Methods, Tokyo, Japan, 14–18 November 2016; Springer: Berlin/Heidelberg, Germany, 2016. [Google Scholar]
  35. Joux, A. A one round protocol for tripartite Diffie-Hellman. J. Cryptol. 2004, 17, 263–276. [Google Scholar] [CrossRef]
  36. Wu, D.; Liu, J.; Wang, H.; Tang, T. A cpn-based approach for studying impacts of communication delays on safety and availability of safety-critical distributed. IEEE Trans. Ind. Inform. 2021, 18, 3033–3042. [Google Scholar] [CrossRef]
  37. Nyangaresi, V.O. ECC-based authentication scheme for smart homes. In Proceedings of the 2021 International Symposium ELMAR, Zadar, Croatia, 13–15 September 2021. [Google Scholar]
  38. Bhurke, A.U.; Kazi, F. Methods of Formal Analysis for ICS Protocols and HART-IP CPN modelling. In Proceedings of the 2021 Asian Conference on Innovation in Technology (ASIANCON), PUNE, India, 27–29 August 2021. [Google Scholar]
  39. Thomesse, J.P. Fieldbuses and quality of service. In Proceedings of the 5th Portuguese Conference on Automatic Control, Aveiro, Portugal, 5–7 September 2002; pp. 10–14. [Google Scholar]
  40. Jasperneite, J. Interbus. In Industrial Communication Technology Handbook; CRC Press: Boca Raton, FL, USA, 2017; pp. 15-1–15-15. [Google Scholar]
Figure 1. Transformation diagram of the Dolev–Yao attacker model.
Figure 2. INTERBUS message timing diagram.
Figure 3. Top-level CPN model of the INTERBUS protocol.
Figure 4. Layer 2 CPN model of the INTERBUS protocol.
Figure 5. Sub-page of the CPN model for the substitution transition Connection.
Figure 6. Sub-page of the CPN model for the substitution transition Net.
Figure 7. Sub-page of the CPN model for the substitution transition Connection’.
Figure 8. Sub-page of the CPN model for the substitution transition Secure transmission.
Figure 9. Sub-page of the CPN model for the substitution transition Secure transmission’.
Figure 10. CPN model for attacker-based security assessment of the INTERBUS protocol.
Figure 11. Improved INTERBUS protocol message timing diagram.
Figure 12. Improved Layer 2 CPN model of the INTERBUS protocol.
Figure 13. Sub-page of the substitution transition Connection in the improved INTERBUS protocol model.
Figure 14. Sub-page of the substitution transition Key in the improved INTERBUS protocol model.
Figure 15. Sub-page of the substitution transition Connection’ in the improved INTERBUS protocol model.
Figure 16. Sub-page of the substitution transition Safety in the improved INTERBUS protocol model.
Figure 17. Sub-page of the substitution transition Safety’ in the improved INTERBUS protocol model.
Figure 18. Attacker-based security assessment CPN model of the improved INTERBUS protocol.
Table 1. INTERBUS protocol symbol descriptions.
Symbol   Description
LBW      Loopback word
MACm     Master address information
MACs     Slave address information
ID       Device identity information
Data     Data information
CRC      Cyclic redundancy check
WKC      Counter
Ks       Master and slave public keys
Ka       Master private key
Kb       Slave private key
Table 2. State space report of the original INTERBUS protocol model.
Type                        Quantity
State space nodes           544
State space arcs            2178
SCC graph nodes             544
SCC graph arcs              2178
Live transition instances   0
Dead markings               1
Dead transition instances   0
Table 3. Conversion rules.
Type            Rule
Split           $\mathrm{channel}(A, m, B) \rightarrow \mathrm{DB}(m),\ \mathrm{DB}(A),\ \mathrm{DB}(B)$
                $\mathrm{DB}(m_1 \cdot m_2) \rightarrow \mathrm{DB}(m_1),\ \mathrm{DB}(m_2)$
                $\mathrm{DB}(\{m\}_k),\ \mathrm{AB}(k) \rightarrow \mathrm{DB}(m),\ \mathrm{AB}(k)$
Combined        $\mathrm{CB}(m),\ \mathrm{AB}(A),\ \mathrm{AB}(B) \rightarrow \mathrm{channel}(m, A, B)$
                $\mathrm{CB}(m),\ \mathrm{AB}(A),\ \mathrm{AB}(B) \rightarrow \mathrm{channel}(m, A)$
                $\mathrm{CB}(m_1),\ \mathrm{CB}(m_2) \rightarrow \mathrm{CB}(m_1 \cdot m_2)$
                $\mathrm{CB}(m),\ \mathrm{AB}(k) \rightarrow \mathrm{CB}(\{m\}_k),\ \mathrm{AB}(k)$
Isomerization   $\mathrm{DB}(a) \rightarrow \mathrm{AB}(a)$
                $\mathrm{AB}(a) \rightarrow \mathrm{CB}(a)$
                $\mathrm{DB}(\{m\}_k),\ \mathrm{AB}(k) \rightarrow \mathrm{CB}(\{m\}_k)$
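To show how the rules in Table 3 are applied, the following Python model is an added example, not code from the paper: it keeps the three bases DB, AB and CB, saturates them with the Split and Isomerization rules after each intercepted channel(A, m, B), and applies the Combined rules goal-directed to decide whether the attacker can put a given term on the bus. The frame contents, the atom Data_evil held by the attacker, and the shape of the protected frame (a digest {WKC·Data}Ks under a session key Ks the attacker lacks) are constructed assumptions; the example also lets the attacker forward an intercepted message verbatim, the replay case, which Table 3 does not list as a separate rule.

```python
from typing import Tuple, Union

Term = Union[str, Tuple]   # atoms are plain strings; compound terms are tagged tuples


def pair(*parts: Term) -> Term:
    """Concatenation m1·m2·...·mn, right-nested so the single Split rule for pairs suffices."""
    return parts[0] if len(parts) == 1 else ('pair', parts[0], pair(*parts[1:]))


def enc(m: Term, k: str) -> Term:
    """{m}k: m protected under key k (encryption or a keyed hash; both need k to rebuild)."""
    return ('enc', m, k)


def channel(sender: str, m: Term, receiver: str) -> Term:
    """channel(A, m, B): m sent from A to B over a bus the attacker fully controls."""
    return ('channel', sender, m, receiver)


class DolevYaoAttacker:
    """Attacker knowledge kept as the three bases of Table 3."""

    def __init__(self, known_atoms=()):
        self.DB = set()               # decomposition base: intercepted terms not yet taken apart
        self.AB = set(known_atoms)    # atomic base: atoms the attacker holds
        self.CB = set()               # composition base: terms the attacker can put on the bus

    def intercept(self, msg: Term) -> None:
        """Split: channel(A, m, B) -> DB(m), DB(A), DB(B), then saturate the bases."""
        _, a, m, b = msg
        self.DB.update({a, m, b})
        self.CB.add(m)   # assumption: an intercepted message can be re-sent verbatim (replay)
        self._saturate()

    def _saturate(self) -> None:
        """Apply Split and Isomerization rules until no base grows (all rules are monotone)."""
        changed = True
        while changed:
            changed = False
            for t in list(self.DB):
                before = (len(self.DB), len(self.AB), len(self.CB))
                if isinstance(t, str):                        # DB(a) -> AB(a); AB(a) -> CB(a)
                    self.AB.add(t)
                    self.CB.add(t)
                elif t[0] == 'pair':                          # DB(m1·m2) -> DB(m1), DB(m2)
                    self.DB.update({t[1], t[2]})
                elif t[0] == 'enc' and t[2] in self.AB:       # DB({m}k), AB(k) -> DB(m), AB(k)
                    self.DB.add(t[1])
                    self.CB.add(t)                            # DB({m}k), AB(k) -> CB({m}k)
                changed |= before != (len(self.DB), len(self.AB), len(self.CB))

    def can_compose(self, t: Term) -> bool:
        """Combined rules, run goal-directed: can the attacker build t from AB and CB?"""
        if t in self.CB:
            return True
        if isinstance(t, str):
            return t in self.AB
        if t[0] == 'pair':                                    # CB(m1), CB(m2) -> CB(m1·m2)
            return self.can_compose(t[1]) and self.can_compose(t[2])
        if t[0] == 'enc':                                     # CB(m), AB(k) -> CB({m}k)
            return t[2] in self.AB and self.can_compose(t[1])
        if t[0] == 'channel':                                 # CB(m), AB(A), AB(B) -> channel
            return t[1] in self.AB and t[3] in self.AB and self.can_compose(t[2])
        return False


def assess(protected: bool) -> dict:
    """One master->slave frame (constructed) intercepted by an attacker holding its own Data_evil.

    protected=False: plaintext frame LBW·ID·Data·CRC as in the original protocol.
    protected=True : the frame additionally carries {WKC·Data}Ks, a keyed digest under a
                     session key Ks the attacker does not hold (assumed shape of the hardening).
    """
    atk = DolevYaoAttacker(known_atoms={'Data_evil'})
    body = pair('LBW', 'ID', 'Data', 'CRC')
    evil = pair('LBW', 'ID', 'Data_evil', 'CRC')
    if protected:
        body = pair(body, enc(pair('WKC', 'Data'), 'Ks'))
        evil = pair(evil, enc(pair('WKC', 'Data_evil'), 'Ks'))
    frame = channel('MACm', body, 'MACs')
    atk.intercept(frame)
    return {
        'learns_data': 'Data' in atk.AB,                      # payload is readable on the bus
        'learns_key': 'Ks' in atk.AB,
        'can_replay': atk.can_compose(frame),                 # verbatim re-send of the frame
        'can_tamper_or_spoof': atk.can_compose(channel('MACm', evil, 'MACs')),
    }
```

assess(False) reports that a plaintext frame lets the attacker both learn Data and compose a frame with altered Data under the master's address (tampering and spoofing); assess(True) reports that the altered frame is no longer composable because {WKC·Data_evil}Ks requires Ks. Replay stays composable in both cases, since a symbolic closure cannot see message freshness: rejecting a replayed frame requires a receiver-side check on a counter such as WKC, which a CPN model can express but this rule set alone does not.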
Table 4. Comparison of the state space of the model under different attacks.
Type                        Original model   REY-ATK   TAR-ATK   SPF-ATK
State space nodes           544              32,192    1844      2611
State space arcs            2178             182,536   8678      10,454
SCC graph nodes             544              32,192    1844      2611
SCC graph arcs              2178             182,536   8678      10,454
Dead markings               1                4         2         3
Dead transition instances   0                0         0         0
Live transition instances   0                0         0         0
REY-ATK, TAR-ATK and SPF-ATK denote the model with the replay, tampering and spoofing attacker, respectively.
Table 5. Comparison of the state space of the security assessment models before and after the improvement.
Type                        Before improvement                After improvement
                            REY-ATK   TAR-ATK   SPF-ATK       REY-ATK   TAR-ATK   SPF-ATK
State space nodes           32,192    1844      2611          48,132    8624      8404
State space arcs            182,536   8678      10,454        283,158   39,532    38,526
SCC graph nodes             32,192    1844      2611          48,132    8624      8404
SCC graph arcs              182,536   8678      10,454        283,158   39,532    38,526
Dead markings               4         2         3             2         1         1
Dead transition instances   0         0         0             0         0         0
Live transition instances   0         0         0             0         0         0
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Feng, T.; Liu, C.; Gong, X.; Lu, Y. Security Analysis and Enhancement of INTERBUS Protocol in ICS Based on Colored Petri Net. Information 2023, 14, 589. https://doi.org/10.3390/info14110589

AMA Style

Feng T, Liu C, Gong X, Lu Y. Security Analysis and Enhancement of INTERBUS Protocol in ICS Based on Colored Petri Net. Information. 2023; 14(11):589. https://doi.org/10.3390/info14110589

Chicago/Turabian Style

Feng, Tao, Chengfan Liu, Xiang Gong, and Ye Lu. 2023. "Security Analysis and Enhancement of INTERBUS Protocol in ICS Based on Colored Petri Net" Information 14, no. 11: 589. https://doi.org/10.3390/info14110589

