research-article

Towards Formal Security Analysis of Industrial Control Systems

Authors:
Marco Rocchetto

University of Luxembourg, Luxembourg, Luxembourg

University of Luxembourg, Luxembourg, Luxembourg
View Profile

,
Nils Ole Tippenhauer

Singapore University of Technology and Design, Singapore, Singapore

Singapore University of Technology and Design, Singapore, Singapore
View Profile

ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications SecurityApril 2017Pages 114–126https://doi.org/10.1145/3052973.3053024

Published:02 April 2017Publication History

ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security

Pages 114–126

ABSTRACT

We discuss the use of formal modeling to discover potential attacks on Cyber-Physical systems, in particular Industrial Control Systems. We propose a general approach to achieve that goal considering physical-layer interactions, time and state discretization of the physical process and logic, and the use of suitable attacker profiles. We then apply the approach to model a real-world water treatment testbed using ASLan++ and analyze the resulting transition system using CL-AtSe, identifying four attack classes. To show that the attacks identified by our formal assessment represent valid attacks, we compare them against practical attacks on the same system found independently by six teams from industry and academia. We find that 7 out of the 8 practical attacks were also identified by our formal assessment. We discuss limitations resulting from our chosen level of abstraction, and a number of modeling shortcuts to reduce the runtime of the analysis.

References

S. Adepu and A. Mathur. An investigation into the response of a water treatment system into cyber attacks. In IEEE Symposium on High Assurance Systems Engineering (HASE), 2015. Google ScholarDigital Library
D. Antonioli, H. R. Ghaeini, S. Adepu, M. Ochoa, and N. O. Tippenhauer. Gamifying education and research on ics security: Design, implementation and results of s3. 2017. Cornell University, ArXiv e-Prints, http://arxiv.org/abs/1702.03067v1.Google Scholar
A. Armando, W. Arsac, T. Avanesov, M. Barletta, A. Calvi, A. Cappai, R. Carbone, Y. Chevalier, L. Compagna, J. Cuéllar, G. Erzse, S. Frau, M. Minea, S. Mödersheim, D. von Oheimb, G. Pellegrino, S. E. Ponta, M. Rocchetto, M. Rusinowitch, M. T. Dashti, M. Turuani, and L. Viganò. The AVANTSSAR platform for the automated validation of trust and security of service-oriented architectures. In Tools and Algorithms for the Construction and Analysis of Systems (TACAS), pages 267--282, 2012. Google ScholarDigital Library
A. Armando, D. A. Basin, Y. Boichut, Y. Chevalier, L. Compagna, J. Cuéllar, P. H. Drielsma, P. Héam, O. Kouchnarenko, J. Mantovani, S. Mödersheim, D. von Oheimb, M. Rusinowitch, J. Santiago, M. Turuani, L. Viganò, and L. Vigneron. The AVISPA tool for the automated validation of internet security protocols and applications. In Proceedings of Computer Aided Verification, (CAV), pages 281--285, 2005. Google ScholarDigital Library
A. Armando and L. Compagna. SATMC: a SAT-based model checker for security protocols. In JELIA, LNAI 3229. Springer, 2004.Google Scholar
AVANTSSAR. Deliverable 5.3: AVANTSSAR Library of validated problem cases. www.avantssar.eu, 2010.Google Scholar
AVANTSSAR. Deliverable 2.3 (update): ASLan++ specification and tutorial, 2011. Available at http://www.avantssar.eu.Google Scholar
D. Basin, S. Capkun, P. Schaller, and B. Schmidt. Let's get physical: Models and methods for real-world security protocols. In Proceedings of Theorem Proving in Higher Order Logics, 2009. Google ScholarDigital Library
D. Basin, S. Capkun, P. Schaller, and B. Schmidt. Formal reasoning about physical properties of security protocols. Transactions on Information and System Security (TISSEC), 14(2):16, 2011. Google ScholarDigital Library
D. Basin, S. Mödersheim, and L. Viganò. OFMC: A symbolic model checker for security protocols. Journal of Information Security, 4(3):181--208, 2005. Google ScholarDigital Library
M. Bugliesi, S. Calzavara, S. Mödersheim, and P. Modesti. Security protocol specification and verification with AnBx. behaviour, 15:16, 2015.Google Scholar
A. A. Cárdenas, S. M. Amin, B. Sinopoli, A. Giani, A. Perrig, and S. S. Sastry. Challenges for securing cyber physical systems. In Workshop on Future Directions in Cyber-physical Systems Security. DHS, July 2009.Google Scholar
A. A. Cárdenas, T. Roosta, and S. Sastry. Rethinking security properties, threat models, and the design space in sensor networks: A case study in SCADA systems. Ad Hoc Networks, 7(8):1434--1447, 2009. Google ScholarDigital Library
D. E. Denning. Activism, hacktivism, and cyberterrorism: The internet as a tool for influencing foreign policy. In Networks and Netwars: The Future of Terror, Crime, and Militancy. RAND Corporation, 2001. Google ScholarDigital Library
P. Derler, E. A. Lee, and A. S. Vincentelli. Modeling cyber-physical systems. Proceedings of the IEEE, 100(1):13--28, Jan 2012.Google ScholarCross Ref
D. Dolev and A. C. Yao. On the security of public key protocols. IEEE Transactions on Information Theory, 29(2):198--207, 1983. Google ScholarDigital Library
A. Doupé, M. Cova, and G. Vigna. Why Johnny Can't Pentest: An Analysis of Black-Box Web Vulnerability Scanners, pages 111--131. Springer Berlin Heidelberg, 2010.Google Scholar
B. Feddersen, K. Keefe, W. H. Sanders, C. Muehrcke, D. Parks, A. Crapo, A. Gabaldon, and R. Palla. An ontological model for constructing mobius advise security models. In Proceedings of Conference on Dependable Systems and Networks (DSN), 2015.Google Scholar
M. D. Ford, K. Keefe, E. LeMay, W. H. Sanders, and C. Muehrcke. Implementing the ADVISE security modeling formalism in möbius. In IEEE/IFIP Conference on Dependable Systems and Networks (DSN), 2013. Google ScholarDigital Library
B. Galloway and G. Hancke. Introduction to industrial control networks. Communications Surveys Tutorials, IEEE, 15(2):860--880, 2013.Google ScholarCross Ref
D. Jackson. Software Abstractions: Logic, Language, and Analysis. The MIT Press, 2006. Google ScholarDigital Library
K. H. John and M. Tiegelkamp. IEC 61131--3: Programming Industrial Automation Systems Concepts and Programming Languages, Requirements for Programming Systems, Decision-Making Aids. Springer, 2nd edition, 2010. Google ScholarDigital Library
E. Kang, S. Adepu, D. Jackson, and A. P. Mathur. Model-based security analysis of a water treatment system. In Proceedings of the Workshop on Software Engineering for Smart Cyber-Physical Systems, pages 22--28. ACM, 2016. Google ScholarDigital Library
E. LeMay, M. D. Ford, K. Keefe, W. H. Sanders, and C. Muehrcke. Model-based security metrics using adversary view security evaluation (ADVISE). In Proceedings of Conference on Quantitative Evaluation of Systems, QEST, 2011. Google ScholarDigital Library
A. Mathur and N. O. Tippenhauer. A water treatment testbed for research and training on ics security. In Proceedings of Workshop on Cyber-Physical Systems for Smart Water Networks (CySWater), Apr. 2016.Google ScholarCross Ref
A. Ornaghi and M. Valleri. Ettercap. https://ettercap.github.io/ettercap/, last visited August 3 2016.Google Scholar
M. Rocchetto, M. Ochoa, and M. Torabi Dashti. Model-based detection of CSRF. In ICT Systems Security and Privacy Protection, volume 428 of IFIP Advances in Information and Communication Technology. Springer Berlin Heidelberg, 2014.Google ScholarCross Ref
M. Rocchetto and N. O. Tippenhauer. APE (Attacker Profile Examiner), 2016. Available at http://research.scy-phy.net/ape/.Google Scholar
M. Rocchetto and N. O. Tippenhauer. ASLan++ formal model of SWaT, 2016. Available at https://research.scy-phy.net/swatmodel.Google Scholar
M. Rocchetto and N. O. Tippenhauer. CPDY: Extending the dolev-yao attacker with physical-layer interactions. In Proceedings of the International Conference on Formal Engineering Methods (ICFEM), 2016.Google ScholarCross Ref
M. Rocchetto and N. O. Tippenhauer. On attacker models and profiles for cyber-physical systems. In Proceedings of the European Simposium on Research in Computer Security (ESORICS), 2016.Google ScholarCross Ref
P. Schaller, B. Schmidt, D. A. Basin, and S. Capkun. Modeling and verifying physical properties of security protocols for wireless networks. In Computer Security Foundations Symposium (CSF), pages 109--123, 2009. Google ScholarDigital Library
V. Schiffer, D. Vangompel, and R. Voss. The common industrial protocol (CIP) and the family of CIP networks. ODVA, 2006.Google Scholar
M. Schmidt and H. Lipson. Distilling free-form natural laws from experimental data. science, 324(5923):81--85, 2009.Google Scholar
R. Software. Studio 5000®. http://www.rockwellautomation.com/rockwellsoftware/products/studio-5000.page, last visited August 3 2016.Google Scholar
D. Steinmetzer, M. Schulz, and M. Hollick. Lockpicking physical layer key exchange: Weak adversary models invite the thief. In Proc. ACM Conference Wireless Security (WiSeC), 2015. Google ScholarDigital Library
M. Turuani. The CL-Atse Protocol Analyser. In RTA, LNCS 4098, 2006. Google ScholarDigital Library
D. Urbina, J. Giraldo, N. O. Tippenhauer, and A. Cardenas. Attacking fieldbus communications in ICS: Applications to the SWaT testbed. In Proceedings of Singapore Cyber Security R&D Conference (SG-CRC), Jan. 2016.Google Scholar
R. Vigo. The cyber-physical attacker. In Proceedings of Workshop of Conference on Computer Safety, Reliability, and Security (SAFECOMP), 2012. Google ScholarDigital Library
D. von Oheimb and S. Mödersheim. ASLan++ -- a formal security specification language for distributed systems. In FMCO, LNCS 6957. Springer, 2010. Google ScholarDigital Library
A. H. Vu, N. O. Tippenhauer, B. Chen, D. M. Nicol, and Z. Kalbarczyk. CyberSAGE: A tool for automatic security assessment of cyber-physical systems. In Proceeding of Quantitative Evaluation of Systems (QEST), pages 384--387, 2014.Google ScholarCross Ref
S. Weinberger. Computer security: Is this the start of cyberwarfare? Nature, 174:142--145, June 2011.Google ScholarCross Ref

Index Terms

Towards Formal Security Analysis of Industrial Control Systems
1. Computer systems organization
  1. Embedded and cyber-physical systems
    1. Sensors and actuators
2. Security and privacy
  1. Formal methods and theory of security
  2. Network security

Recommendations

Using high-level synthesis and formal analysis to predict and preempt attacks on industrial control systems
FPGA '14: Proceedings of the 2014 ACM/SIGDA international symposium on Field-programmable gate arrays

Industrial control systems (ICSes) have the conflicting requirements of security and network access. In the event of large-scale hostilities, factories and infrastructure would more likely be targeted by computer viruses than the bomber squadrons used ...
Read More
A Formal Framework for ASTRAL Intralevel Proof Obligations

ASTRAL is a formal specification language for real-time systems. It is intended to support formal software development, and therefore has been formally defined. This paper focuses on how to formally prove the mathematical correctness of ASTRAL ...
Read More
Hacking Exposed Industrial Control Systems: ICS and SCADA Security Secrets & Solutions
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security
April 2017
952 pages
ISBN:9781450349444
DOI:10.1145/3052973
General Chairs:
Ramesh Karri
New York University, New York, USA
,
Ozgur Sinanoglu
New York University Abu Dhabi, UAE
,
Program Chairs:
Ahmad-Reza Sadeghi
Technische Universität Darmstadt, Germany
,
Xun Yi
RMIT University, Australia
Copyright © 2017 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 2 April 2017
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
cyber-physical system
formal analysis
formal methods
formal models
practical security assessment
security
Qualifiers
- research-article
Conference

Acceptance Rates
ASIA CCS '17 Paper Acceptance Rate67of359submissions,19%Overall Acceptance Rate418of2,322submissions,18%
More
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 27
  Total Citations
  View Citations
- 560
  Total Downloads
- Downloads (Last 12 months)25
- Downloads (Last 6 weeks)2
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Towards Formal Security Analysis of Industrial Control Systems

ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security

ABSTRACT

References

Cited By

Index Terms

Recommendations

Using high-level synthesis and formal analysis to predict and preempt attacks on industrial control systems

A Formal Framework for ASTRAL Intralevel Proof Obligations

Hacking Exposed Industrial Control Systems: ICS and SCADA Security Secrets & Solutions