ARMET: Behavior-Based Secure and Resilient Industrial Control Systems

In this paper, we introduce a design methodology to develop reliable and secure industrial control systems (ICSs) based on the behavior of their computational resources (i.e., process/application) and underlying physical resources (e.g., the controlled plant). The methodology has three independent, but complementary, components that employ novel approaches and techniques in the design of reliable and secure ICSs. First, we introduce reliable-and-secure-by-design development of industrial control applications through stepwise sound refinement of an executable specification, employing deductive synthesis to enforce functional and nonfunctional (e.g., security and safety) properties of ICS applications. Second, we present a runtime security monitor at the middleware level of ICSs that protects ICS operation in the field by comparing, in real time, the execution of the application with the execution of the application specification; the runtime security monitor can be synthesized from the executable specification. Finally, based on the specification, we perform a vulnerability analysis for false data injection (FDI) attacks, which leads to ICS application designs that are resilient to this type of attack. We demonstrate the methodology through its application to a basic and typical ICS example application, describing all the tools used and ARMET, the middleware monitor that constitutes the core component of the methodology.
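The runtime monitor described above runs the executable specification alongside the deployed application and flags divergence in both the computational resource (the controller's commands) and the physical resource (sensor readings that the plant model cannot explain). The following Python sketch is an added illustration of that comparison, not code from the ARMET paper or its tools; the tank plant, its constants, the tolerance and the trace are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed example plant: a tank with a level sensor and a fill valve.
SETPOINT = 50.0        # target level (constructed units)
FILL_RATE = 2.0        # level gained per period while the valve is open
DRAIN_RATE = 1.0       # level lost per period through the outlet
PLANT_TOLERANCE = 0.5  # allowed gap between predicted and reported level

def spec_controller(level: float) -> bool:
    """Executable specification of the application: open the valve iff below setpoint."""
    return level < SETPOINT

def spec_plant(level: float, valve_open: bool) -> float:
    """Executable specification of the physical resource for one control period."""
    inflow = FILL_RATE if valve_open else 0.0
    return max(0.0, level + inflow - DRAIN_RATE)

@dataclass(frozen=True)
class Alert:
    step: int
    kind: str        # "app-divergence" or "plant-divergence"
    expected: float
    observed: float

def monitor(trace: List[Tuple[float, bool]]) -> List[Alert]:
    """Run the specification alongside the recorded execution and report divergence.

    trace holds one (sensor reading fed to the app, valve command issued) pair per period.
    app-divergence: the command differs from what the spec controller issues on the same input.
    plant-divergence: the next reading is inconsistent with the plant spec's prediction
    from the previous reading and command (e.g. injected sensor data).
    """
    alerts: List[Alert] = []
    for step, (reading, command) in enumerate(trace):
        expected_cmd = spec_controller(reading)
        if command != expected_cmd:
            alerts.append(Alert(step, "app-divergence", float(expected_cmd), float(command)))
        if step + 1 < len(trace):
            predicted = spec_plant(reading, command)
            next_reading = trace[step + 1][0]
            if abs(next_reading - predicted) > PLANT_TOLERANCE:
                alerts.append(Alert(step + 1, "plant-divergence", predicted, next_reading))
    return alerts

# Constructed trace: normal operation, a wrong command at step 2, and at step 4 a
# reading that no plant step from the step-3 state could have produced.
SAMPLE_TRACE = [(40.0, True), (41.0, True), (42.0, False),
                (41.0, True), (60.0, False), (59.0, False)]
```

Running `monitor(SAMPLE_TRACE)` yields one app-divergence alert at step 2 and one plant-divergence alert at step 4; a real monitor would take the plant model and tolerance from the refined specification rather than from constants.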
