Conference Paper

Interplay of Attacker Behaviors and Dependability Attributes in Industrial Control System Impact Analysis

Conference Paper
Attacker models are a fundamental part of research on the security of any system. For different application scenarios, suitable attacker models have to be chosen to allow comprehensive coverage of possible attacks. We consider Cyber-Physical Systems (CPS), which typically consist of networked embedded systems used to sense, actuate, and control physical processes. The physical-layer aspects of such systems add novel attack vectors and opportunities for defenses that require extended models of attackers' capabilities. We develop a taxonomy to classify and compare attacker models in related work. We show that, so far, there are no commonly used attacker models for such CPS. In addition, concepts of what information belongs in an attacker model differ widely across the community. To address that problem, we develop a framework to classify attacker models and use it to review related work on CPS security. Using our framework, we propose a set of attacker profiles and show that those profiles capture most types of attackers described in the related work. Our framework provides a more formal and standardized definition of attacker models for CPS, enabling the use of well-defined and uniform attacker models in the future.
Article
This tutorial paper surveys the main features of Uppaal SMC, a model checking approach in the Uppaal family that allows us to reason about networks of complex real-time systems with a stochastic semantics. We demonstrate the modeling features of the tool, new verification algorithms, and ways of applying them to potentially complex case studies.
Article
Process control and SCADA systems, with their reliance on proprietary networks and hardware, have long been considered immune to the network attacks that have wreaked so much havoc on corporate information systems. Unfortunately, new research indicates this complacency is misplaced - the move to open standards such as Ethernet, TCP/IP and web technologies is letting hackers take advantage of the control industry's ignorance. This paper summarizes the incident information collected in the BCIT Industrial Security Incident Database (ISID), describes a number of events that directly impacted process control systems and identifies the lessons that can be learned from these security events.
Article
This paper gives the main definitions relating to dependability, a generic concept including a special case of such attributes as reliability, availability, safety, integrity, maintainability, etc. Security brings in concerns for confidentiality, in addition to availability and integrity. Basic definitions are given first. They are then commented upon, and supplemented by additional definitions, which address the threats to dependability and security (faults, errors, failures), their attributes, and the means for their achievement (fault prevention, fault tolerance, fault removal, fault forecasting). The aim is to explicate a set of general concepts, of relevance across a wide range of situations and, therefore, helping communication and cooperation among a number of scientific and technical communities, including ones that are concentrating on particular types of system, of system failures, or of causes of system failures.
Chapter
Industrial control systems (ICS) have become a focal point for cyberattacks due to the shift from trusted proprietary environments. The now exposed attack surface mandates that ICS be equipped with defenses to prevent or mitigate the impact of potential attacks. Consequently, along with exploring the impact on system mission objectives, impact analysis studies need to consider implementable defenses that may reduce such impact. In this work, we equip a manufacturing ICS with three system defenses, modeled using timed automata in UPPAAL, that can perform data recovery against data corruption attacks. Additionally, we compare and contrast how capable each model is in mitigating the impact caused by data corruption attacks. The analysis provides insight into different defensive behaviors and their effectiveness, how they can be affected by attacker behaviors, and suggests some recommendations for developing future ICS defensive strategies.
Keywords: Impact Analysis, Industrial Control Systems, Data Recovery, Data Corruption, Timed Automata, Statistical Model Checking
Conference Paper
The Mirai botnet revolutionized the idea of IoT botnets by infecting numerous vulnerable IoT devices in 2016, leading to the rise of many Mirai variants and imitators that plague the current IoT ecosystem. Studying the botnet infection process can greatly aid us in understanding IoT botnet capabilities and the efficacy of currently available countermeasures. However, analyzing IoT botnets is difficult due to their massive scale and the numerous existing heterogeneous IoT devices that can be targeted for infection. In this paper, we model and simulate the dynamic behavior of the Mirai botnet infrastructure and various IoT device categories as a network of timed automata in UPPAAL-SMC. To determine the feasibility of rebooting as a countermeasure against botnets, we examine the effectiveness of rebooting on various IoT device networks. The resulting analysis provides a solid understanding of the impact and feasibility of rebooting on active and dormant botnet propagation processes.
Conference Paper
Cyber threats directly affect the critical reliability and availability of modern Industrial Control Systems (ICS) in respect of operations and processes. Where there are a variety of vulnerabilities and cyber threats, it is necessary to effectively evaluate cyber security risks and control the uncertainties of cyber environments, and quantitative evaluation can be helpful. To effectively and promptly control the spread and impact produced by attacks on ICS networks, a probabilistic Multi-Attribute Vulnerability Criticality Analysis (MAVCA) model for impact estimation and prioritised remediation is presented. This offers a new approach for combining three major attributes: vulnerability severities influenced by environmental factors, the attack probabilities relative to the vulnerabilities, and functional dependencies attributed to vulnerability host components. A miniature ICS testbed evaluation illustrates the usability of the model for determining the weakest link and setting security priorities in the ICS. This work can help create a speedy and proactive security response. The metrics derived in this work can serve as sub-metric inputs to a larger quantitative security metrics taxonomy, and can be integrated into the security risk assessment scheme of a larger distributed system.
Article
We propose timed (finite) automata to model the behavior of real-time systems over time. Our definition provides a simple, and yet powerful, way to annotate state-transition graphs with timing constraints using finitely many real-valued clocks. A timed automaton accepts timed words: infinite sequences in which a real-valued time of occurrence is associated with each symbol. We study timed automata from the perspective of formal language theory: we consider closure properties, decision problems, and subclasses. We consider both nondeterministic and deterministic transition structures, and both Büchi and Muller acceptance conditions. We show that nondeterministic timed automata are closed under union and intersection, but not under complementation, whereas deterministic timed Muller automata are closed under all Boolean operations. The main construction of the paper is a (PSPACE) algorithm for checking the emptiness of the language of a (nondeterministic) timed automaton. We also prove that the universality problem and the language inclusion problem are solvable only for the deterministic automata: both problems are undecidable ($\Pi^1_1$-hard) in the nondeterministic case and PSPACE-complete in the deterministic case. Finally, we discuss the application of this theory to automatic verification of real-time requirements of finite-state systems.
Article
We apply formal methods to lay and streamline theoretical foundations to reason about Cyber-Physical Systems (CPSs) and physics-based attacks, i.e., attacks targeting physical devices. We focus on a formal treatment of both integrity and denial of service attacks to sensors and actuators of CPSs, and on the timing aspects of these attacks. Our contributions are fourfold. (1) We define a hybrid process calculus to model both CPSs and physics-based attacks. (2) We formalise a threat model that specifies MITM attacks that can manipulate sensor readings or control commands in order to drive a CPS into an undesired state; we group these attacks into classes, and provide the means to assess attack tolerance/vulnerability with respect to a given class of attacks, based on a proper notion of most powerful physics-based attack. (3) We formalise how to estimate the impact of a successful attack on a CPS and investigate possible quantifications of the success chances of an attack. (4) We illustrate our definitions and results by formalising a non-trivial running example in Uppaal SMC, the statistical extension of the Uppaal model checker; we use Uppaal SMC as an automatic tool for carrying out a static security analysis of our running example in isolation and when exposed to three different physics-based attacks with different impacts.
Chapter
Attack patterns have been used to specify security test cases for traditional information technology systems in order to mitigate cyber attacks. However, the attack patterns for traditional information technology systems are not directly applicable to industrial control systems. This chapter considers the differences between traditional information technology systems and industrial control systems, discusses why attack patterns for traditional information technology systems are inadequate for industrial control systems, and specifies attack patterns for industrial control systems. The attack patterns are useful for creating security test cases for assessing the security levels of industrial control systems. An elevator system case study is used to demonstrate the utility of industrial control system attack patterns in specifying security test cases.
Conference Paper
Recent trends in manufacturing and industry accelerate the interconnection of industrial control systems between each other and over public networks. This brings an increase of cyber attack impact with it as the number of potential targets rises and the consequences of the attacks gain in severity. In order to build secure manufacturing systems, it is paramount to measure the possible impact of cyber attacks. This is required to evaluate security controls towards their effectiveness in attack scenarios. In this work, a proposal for an impact assessment framework in manufacturing is given. A suitable attacker model for execution of the attacks is provided. An evaluation metric for quantifying attack impact on manufacturing systems is developed. A light-weight modeling technique is presented and used to study the impact of cyber attacks on a cellular assembly setup. Different attack scenarios are implemented and simulated within the framework. The simulations provide detailed insight and illustrate attack impact.
Conference Paper
Petroleum Cyber-Physical Systems (CPS) mark the beginning of a new chapter of the oil and gas industry. Combining vast computational power with intelligent Computer Aided Design (CAD) algorithms, a petroleum CPS is capable of precisely modeling the flow of fluids over the entire petroleum reservoir and leveraging the massive field data remotely collected at the production wells. It provides field operators with valuable insights into the geological structure and remaining reserves of the reservoir for optimizing their operational strategies. Despite such benefits, a petroleum CPS is vulnerable to various cyberattacks that jeopardize the integrity of the field data collected at production wells. Given manipulated field data, CAD software would generate an inaccurate reservoir model which misleads the field operators. This work is the first to analyze potential cybersecurity attacks in a petroleum CPS. In this paper, an intelligent cyberattack strategy optimization framework is proposed to optimize the malicious manipulation of field data such that the history matching solver generates the most inaccurate reservoir model. Our method is based on the advanced Model Reference Adaptive Search (MRAS) technique, and it can be used to evaluate the worst-case impact of field data manipulation attacks. Experimental results on a standard petroleum CPS test case demonstrate that the proposed method can reduce the production quality, measured by the weighted mismatch sum of the bottom hole pressure (BHP), the gas oil ratio (GOR), and the water cut (WCT), by up to 99.1% compared to a random attack.
Article
A cyber-physical attack on Supervisory Control and Data Acquisition (SCADA) systems can cause the disruption of physical processes, and may result in economic loss, equipment damage, or even casualties. Due to the increase of security risk in SCADA systems, a major research challenge is to identify the potential threats and analyze their possible influence and consequences. This paper presents a new class of cyber-physical attacks named the false sequential logic attack, and proposes an approach for modeling the attack. In addition, simulations are performed in MATLAB/SIMULINK, and the physical effects of the attacks are analyzed in detail, which is useful for understanding how the false sequential logic attack can affect the physical system.
Conference Paper
This paper presents a framework for cyber attack impact analysis of a smart grid. We focus on the model synthesis stage in which both cyber and physical grid entity relationships are modeled as directed graphs. Each node of the graph has associated state information that is governed by dynamical system equations that model the physics of the interaction (for electrical grid components) or functionality (for cyber grid elements). We illustrate how cause-effect relationships can be conveniently expressed for both analysis and extension to large-scale smart grid systems.
Book
A. Shostack, Threat Modeling: Designing for Security. John Wiley & Sons, 2014. ISBN: 978-1118809990.