Automatic attack surface reduction in next-generation industrial control systems

Industrial control systems are often large and complex distributed systems and therefore expose a large potential attack surface. Effectively minimizing this attack surface requires security experts and significant manpower during engineering and maintenance of the system. This task, which is already difficult for today's control systems, will become significantly more complex for tomorrow's systems, which can reconfigure themselves dynamically, e.g., if hardware failures occur. In this article, we present a dynamic security system which can automatically minimize the attack surface of a control system's communication network. This security system is specifically designed for next-generation industrial control systems, but can also be applied in current-generation systems. The presented security system adapts the necessary parameters of network and security controls according to the underlying changes in the control system environment. This ensures better cyber-security resilience against system compromise and reduces the attack surface, because security controls will only allow the data transfer that is required by the control application. Our evaluations for a next-generation industrial control system and a current-generation substation automation system show that the attack surface can be reduced by up to 90%, depending on the size and actual configuration of the control system.
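As an added illustration (not code from the paper or its authors), the following Python sketch derives a default-deny allow list from the control application's declared task-to-task flows, regenerates it when a task is re-placed after a host failure, and compares the services reachable under that policy with a flat, unrestricted network; the hosts, tasks, ports and flows are constructed sample data.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Flow:
    src_task: str   # task that initiates the connection
    dst_task: str   # task that listens
    proto: str      # "tcp" or "udp"
    port: int

HOSTS = ["ctrl-a", "ctrl-b", "ctrl-spare", "io-1", "hmi"]   # constructed
FLOWS = [  # constructed: communication the control application requires
    Flow("pid_loop", "io_driver", "udp", 2222),
    Flow("hmi_client", "pid_loop", "tcp", 4840),
    Flow("hmi_client", "logger", "tcp", 4840),
    Flow("pid_loop", "logger", "tcp", 5140),
]
PLACEMENT = {"pid_loop": "ctrl-a", "logger": "ctrl-b",     # task -> host
             "io_driver": "io-1", "hmi_client": "hmi"}

def listeners(placement, flows):
    """host -> set of (proto, port) on which a task placed there listens."""
    svc = {}
    for f in flows:
        h = placement.get(f.dst_task)
        if h is not None:
            svc.setdefault(h, set()).add((f.proto, f.port))
    return svc

def allow_rules(placement, flows):
    """Default-deny policy: permit only the host-level flows the app needs."""
    rules = set()
    for f in flows:
        src, dst = placement.get(f.src_task), placement.get(f.dst_task)
        if src is not None and dst is not None and src != dst:
            rules.add((src, dst, f.proto, f.port))   # intra-host traffic skipped
    return rules

def attack_surface(hosts, placement, flows):
    """(allowed, unrestricted): reachable (src, dst, proto, port) tuples under
    the derived policy versus a flat network where any host reaches any listener."""
    svc = listeners(placement, flows)
    flat = {(s, d, p, port) for s, d in product(hosts, repeat=2) if s != d
            for (p, port) in svc.get(d, set())}
    return len(flat & allow_rules(placement, flows)), len(flat)

def migrate(placement, failed_host, spare_host):
    """Reconfiguration after a hardware failure: tasks move to the spare node."""
    return {t: (spare_host if h == failed_host else h) for t, h in placement.items()}
```

Re-running `allow_rules` after `migrate` drops the rules that pointed at the failed host and adds the equivalent rules for the spare, so the policy follows the control application rather than staying open for both nodes.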
