Challenges in Secure Engineering of Critical Infrastructure Systems

Modern critical infrastructure (CI), such as water supply, smart power grids, and transportation networks, faces major security challenges that arise from complex interactions between software and physical components as well as human operators. Such systems are an attractive target for attackers who intend to disrupt the safe, normal operation of CI by exploiting vulnerabilities in software components such as the supervisory control and data acquisition (SCADA) workstations and programmable logic controllers (PLCs). In this reference paper, we elaborate on problems and challenges learned from our own experience in automating security analysis, assessment, and defense mechanisms for CI. These challenges are presented in the context of two real-world CI systems, namely a water treatment plant and a water distribution system.
