Compliance verification of a cyber security standard for Cloud-connected SCADA

Advances in IoT and cloud computing are revolutionizing the architecture of industrial control systems by changing them from isolated architectures to decentralized ones. This leads to increased complexity that exposes these systems to cyber threats from both the cloud and the control environment. Different cyber security standards have been proposed for securing these systems based on a set of security requirements. However, these requirements are often specified in natural language, which makes formal verification of security properties against the standards challenging. In this paper, we propose a framework for modeling cloud-connected SCADA systems and formally verifying their compliance with the IEC-62443-3-3 standard. We model the system and the security requirements from the standard in the formal modeling language TLA+, and then use the TLC model checker to formally verify compliance with the standard. The applicability of our technique is demonstrated using an industrial case study.
