2018년 May 29일

CPSS Proceeding

CPSS ’18- Proceedings of the 4th ACM Workshop on Cyber-Physical System Security

CPSS ’18- Proceedings of the 4th ACM Workshop on Cyber-Physical System Security

Full Citation in the ACM Digital Library

SESSION: Keynote 1

  • Dieter Gollmann

On The Limits of Detecting Process Anomalies in Critical Infrastructure

  • Aditya Mathur

Critical infrastructure are Cyber-Physical Systems that provide essential services to the society. Such infrastructure includes plants for power generation and distribution and for water treatment and distribution. Several such plants operate under a high availability constraint. In the presence of ever increasing cyber attacks, as demonstrated by several events in the past, it becomes imperative and challenging for a plant to meet the availability requirement. Such attacks raise the importance of adding to a plant mechanisms for attack prevention, detection, and secure control. Preventive measures aim to control the incoming and outgoing network traffic and prevent unauthorised access to the plant. Detection mechanisms aim at detecting whether the plant is behaving as expected and raise alarms otherwise. Mechanisms for secure control aim at ensuring that the plant remains in a stable state despite an attack. When a preventive mechanism fails, the detection mechanism ought to detect whether the process under control is moving into an undesirable state and, if so, raise an appropriate alarm. While an alarm will likely alert an operator, it may be too late and damage may have occurred. To prevent such damage, a secure control mechanism ensures that despite the plant entering an abnormal state, the plant components, e.g., pumps and generators, do not get damaged and the process continues to function albeit in degraded mode. The ongoing process in the plant is said to be anomalous when its state is not in accordance with the plant design. A number of proposed detection mechanisms rely on the physics of the process to detect anomalous behavior. Several such mechanisms have been implemented in testbeds. In this talk we analyze two methods for the detection of process anomalies, namely the CUSUM method[2], and a relatively newer method based on the notion of state entanglement [1]. Both methods are based on models of the underlying process in the plant. CUSUM is a statistical technique for detecting change points in a time series that corresponds to a process variable. The method uses two parameters, namely bias and threshold. The bias is determined from the mean of the process variable of concern. The bias so obtained is used in conjunction with the predicted and observed state of the plant. The process is said to have changed its behavior when the CUSUM statistic exceeds a pre-specified threshold. The occurrence of a change implies process anomaly. State entanglement uses the joint state space of one or more components of the plant to construct a state space that consists of prohibited states during plant operation. The prohibited state space of the components leads to one or more invariants. The invariants so derived are coded as monitors and placed in the plant network and in the controllers. A monitor raises an alarm when the process enters a prohibited state. While both methods mentioned above have been evaluated experimentally, we wish to identify the conditions under which the methods either fail to detect an anomaly or cause false alarms. Using our analysis we reveal the inherent limitations of these methods that may lead to an unacceptable rate of false alarms, and their inability to detect coordinated cyber attacks. Our analysis is based on an increasingly complex series of attacker profiles, and affect graphs that capture state relationship among plant components, to reveal the strengths and limitations of both methods.

SESSION: Session 1: Risk Analysis and Security Testing for CPS

  • Dieter Gollmann

SARA: Security Automotive Risk Analysis Method

  • Jean-Philippe Monteuuis
  • Aymen Boudguiga
  • Jun Zhang
  • Houda Labiod
  • Alain Servel
  • Pascal Urien

Connected and automated vehicles aim to improve the comfort and the safety of the driver and passengers. To this end, car manufacturers continually improve actual standardized methods to ensure their customers safety, privacy, and vehicles security. However, these methods do not support fully autonomous vehicles, linkability and confusion threats. To address such gaps, we propose a systematic threat analysis and risk assessment framework, SARA, which comprises an improved threat model, a new attack method/asset map, the involvement of the attacker in the attack tree, and a new driving system observation metric. Finally, we demonstrate its feasibility in assessing risk with two use cases: Vehicle Tracking and Comfortable Emergency Brake Failure.

On Practical Threat Scenario Testing in an Electric Power ICS Testbed

  • Ahnaf Siddiqi
  • Nils Ole Tippenhauer
  • Daisuke Mashima
  • Binbin Chen

Industrial control system networks in real world usually require a complex composition of many different devices, protocols, and services. Unfortunately, such practical setups are rarely documented publicly in sufficient technical detail to allow third parties to use the system as reference for their research. As a result, security researchers often have to work with abstract and simplified system assumptions, which might not translate well to practice. In this work, we provide a comprehensive overview of the network services provided by industrial devices found in the EPIC (Electric Power and Intelligent Control) system at SUTD. We provide a detailed network topology of the different network segments, enumerate hosts, models, protocols, and services provided. We argue that such a detailed system description can serve as an enabler for more practical security research. In particular, we discuss how the reported information can be used for emulating a diverse set of important threat scenarios in the smart grid domain. In addition, the provided details allow other researchers to build more detailed models or simulations.

SESSION: Keynote 2

  • Aditya Mathur

Leaky CPS: Inferring Cyber Information from Physical Properties (and the other way around)

  • Mauro Conti

The nature of Cyber-physical systems (CPS) is to integrate physical environments with computing capabilities, building a “channel” between the physical and the cyber world, with a continuous exchange of data and commands. From this inherent behaviour, observing data/behaviour on one side might lead to leakage of information about the status of the other side. This could be leveraged for both benign and malicious purposes. In this talk, we focus on this issue, discussing some of the core approaches and representative scenarios.

SESSION: Keynote 3

  • Jianying Zhou

Control Theory for Practical Cyber-Physical Security: Extended Abstract

  • Henrik Sandberg

In this talk, we discuss how control theory can contribute to the analysis and design of secure cyber-physical systems. We start by reviewing conditions for undetectable false-data injection attacks on feedback control systems. In particular, we highlight how a physical understanding of the controlled process can guide us in the allocation of protective measures. We show that protecting only a few carefully selected actuators or sensors can give indirect protection to many more components. We then illustrate how such analysis is exploited in the design of a resilient control scheme for a microgrid energy management system.

SESSION: Session 2: Access Control for CPS

  • Jianying Zhou

Too Long, did not Enforce: A Qualitative Hierarchical Risk-Aware Data Usage Control Model for Complex Policies in Distributed Environments

  • Fabio Martinelli
  • Christina Michailidou
  • Paolo Mori
  • Andrea Saracino

Distributed environments such as Internet of Things, have an increasing need of introducing access and usage control mechanisms, to manage the rights to perform specific operations and regulate the access to the plethora of information daily generated by these devices. Defining policies which are specific to these distributed environments could be a challenging and tedious task, mainly due to the large set of attributes that should be considered, hence the upcoming of unforeseen conflicts or unconsidered conditions. In this paper we propose a qualitative risk-based usage control model, aimed at enabling a framework where is possible to define and enforce policies at different levels of granularity. In particular, the proposed framework exploits the Analytic Hierarchy Process (AHP) to coalesce the risk value assigned to different attributes in relation to a specific operation, in a single risk value, to be used as unique attribute of usage control policies. Two sets of experiments that show the benefits both in policy definition and in performance, validate the proposed model, demonstrating the equivalence of enforcement among standard policies and the derived single-attributed policies.

An Ecosystem and IoT Device Architecture for Building Trust in the Industrial Data Space

  • Gerd S. Brost
  • Manuel Huber
  • Michael Weiß
  • Mykolai Protsenko
  • Julian Schütte
  • Sascha Wessel

The most recent and prominent advances in industrial computing include the growing interconnectivity of cyber-physical devices, as well as the increasing variety of complex applications exchanging data across company domains. In this context, the data becomes a valuable business asset and a trade good. The Industrial Data Space is a platform designed for the industry, allowing organizations the efficient data exchange and trade. The possibilities such platforms enable inevitably come along with new security risks regarding the establishment of trust, communication security, data usage control, or the integrity of participating systems. We define the key security requirements for the operation of such platforms in untrusted environments and present an overall security architecture for the whole ecosystem including the secure design and implementation of an architecture for the participating cyber-physical devices. On these devices, we allow for the controlled and isolated execution of services for application-specific gathering, processing and exchanging of data between organizations.

SESSION: Session 3: SCADA Security and Digital Twins

  • Nils Ole Tippenhauer

Understanding IEC-60870-5-104 Traffic Patterns in SCADA Networks

  • Chih-Yuan Lin
  • Simin Nadjm-Tehrani

The IEC-60870-5-104 (IEC-104) protocol is commonly used in Supervisory Control and Data Acquisition (SCADA) networks to operate critical infrastructures, such as power stations. As the importance of SCADA security is growing, characterization and modeling of SCADA traffic for developing defense mechanisms based on the regularity of the polling mechanism used in SCADA systems has been studied, whereas the characterization of traffic caused by non-polling mechanisms, such as spontaneous events, has not yet been studied. This paper provides a first look at how the traffic flowing between SCADA components changes over time. It proposes a method built upon Probabilistic Suffix Tree (PST) to discover the underlying timing patterns of spontaneous events. In 11 out of 14 tested data sequences, we see evidence of existence of underlying patterns. Next, the prediction capability of the approach, useful for devising anomaly detection mechanisms, was studied. While some data patterns enable an 80% prediction possibility, more work is needed to tune the method for higher accuracy.

Towards Security-Aware Virtual Environments for Digital Twins

  • Matthias Eckhart
  • Andreas Ekelhart

Digital twins open up new possibilities in terms of monitoring, simulating, optimizing and predicting the state of cyber-physical systems (CPSs). Furthermore, we argue that a fully functional, virtual replica of a CPS can also play an important role in securing the system. In this work, we present a framework that allows users to create and execute digital twins, closely matching their physical counterparts. We focus on a novel approach to automatically generate the virtual environment from specification, taking advantage of engineering data exchange formats. From a security perspective, an identical (in terms of the system’s specification), simulated environment can be freely explored and tested by security professionals, without risking negative impacts on live systems. Going a step further, security modules on top of the framework support security analysts in monitoring the current state of CPSs. We demonstrate the viability of the framework in a proof of concept, including the automated generation of digital twins and the monitoring of security and safety rules.