Industrial control systems increasingly rely on middlebox functionality such as intrusion detection or in-network processing. However, traditional end-to-end security protocols interfere with the necessary access to in-flight data. While recent work on middlebox-aware end-to-end security protocols for the traditional Internet promises to address the dilemma between end-to-end security guarantees and middleboxes, the current state-of-the-art lacks critical features for industrial communication. Most importantly, industrial settings require fine-grained access control for middleboxes to truly operate in a least-privilege mode. Likewise, advanced applications even require that middleboxes can inject specific messages (e.g., emergency shutdowns). Meanwhile, industrial scenarios often expose tight latency and bandwidth constraints not found in the traditional Internet. As the current state-of-the-art misses critical features, we propose Middlebox-aware DTLS (Madtls), a middlebox-aware end-to-end security protocol specifically tailored to the needs of industrial networks. Madtls provides bit-level read and write access control of middleboxes to communicated data with minimal bandwidth and processing overhead, even on constrained hardware.
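The bit-level read/write access control the abstract describes, as an added illustration in Python (not Madtls's own mechanism or code): the frame layout, the masks and the key are constructed assumptions. The sender's end-to-end MAC covers only the bits outside the middlebox's write mask, so a permitted write (raising an emergency-stop flag) still verifies at the receiver, while any change outside the mask is rejected.

```python
import hashlib
import hmac

# Constructed sample: a 4-byte frame where byte 0 holds status flags (bit 0 = emergency
# stop), byte 1 a mode field, and bytes 2-3 a sensor reading the middlebox must not see.
PAYLOAD = bytes.fromhex("00345678")
READ_MASK = bytes.fromhex("ffff0000")   # middlebox may read bytes 0-1 only
WRITE_MASK = bytes.fromhex("01000000")  # middlebox may change only bit 0 of byte 0
KEY = b"constructed-demo-key-not-for-real-use"  # a real deployment derives this in the handshake


def _and(a: bytes, b: bytes) -> bytes:
    return bytes(x & y for x, y in zip(a, b))


def _not(a: bytes) -> bytes:
    return bytes(~x & 0xFF for x in a)


def endpoint_tag(payload: bytes, write_mask: bytes, key: bytes) -> bytes:
    """End-to-end MAC over the bits the middlebox may NOT change (and over the mask itself)."""
    immutable = _and(payload, _not(write_mask))
    return hmac.new(key, write_mask + immutable, hashlib.sha256).digest()


def middlebox_view(payload: bytes, read_mask: bytes) -> bytes:
    """What a middlebox holding read_mask sees; hidden bits are zeroed here (encrypted in practice)."""
    return _and(payload, read_mask)


def middlebox_write(payload: bytes, new_bits: bytes, write_mask: bytes) -> bytes:
    """Take the bits inside write_mask from new_bits and keep every other bit of payload."""
    return bytes((p & ~w & 0xFF) | (n & w) for p, n, w in zip(payload, new_bits, write_mask))


def receiver_verify(payload: bytes, tag: bytes, write_mask: bytes, key: bytes) -> bool:
    """True iff no bit outside write_mask was altered in flight."""
    return hmac.compare_digest(endpoint_tag(payload, write_mask, key), tag)


def demo() -> dict:
    tag = endpoint_tag(PAYLOAD, WRITE_MASK, KEY)
    # Permitted: the middlebox raises the emergency-stop flag (bit 0 of byte 0).
    stopped = middlebox_write(PAYLOAD, bytes.fromhex("01000000"), WRITE_MASK)
    # Rogue: a middlebox flips a bit in the mode field it may read but not write.
    tampered = bytes([PAYLOAD[0], PAYLOAD[1] ^ 0x80, PAYLOAD[2], PAYLOAD[3]])
    return {
        "view": middlebox_view(PAYLOAD, READ_MASK).hex(),
        "stopped": stopped.hex(),
        "stop_accepted": receiver_verify(stopped, tag, WRITE_MASK, KEY),
        "tamper_accepted": receiver_verify(tampered, tag, WRITE_MASK, KEY),
    }
```

Confidentiality of the unreadable bits is only simulated by zeroing here; the point shown is that integrity protection scoped by the write mask lets the receiver distinguish a permitted injection from tampering.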