Dynamic Policies for Shared Cyber-Physical Infrastructures under Attack

A project


The world is experiencing a massive growth in cyber-physical systems (CPS). The number of connected devices is expected to grow to 50 billion by the year 2020, and the volume of data is set to exceed 35 zettabytes over the same period. Very large CPS are envisioned which will integrate multiple applications run by a variety of stakeholders within a shared CPS fabric. Examples include future industrial environments, infrastructure monitoring technologies and intelligent transportation systems. In such contexts, thousands of nodes will be deployed and used by a large number of stakeholders to provide a multitude of services. Such shared CPS fabrics will remain in operation for a long time (potentially decades), and the physical composition, the services provided and the stakeholders involved will change with time. This scale of future CPS, and their dynamics in terms of stakeholders, services and physical properties over long time periods, poses a unique security challenge. In such shared CPS fabrics, it is often impossible or, at least, undesirable to take the whole CPS offline when it is under attack or partially compromised. This is because the configurations of nodes utilised by applications often overlap and can also have direct and indirect dependencies resulting from service composition or layering of services within the shared CPS fabric.

A number of security models and approaches for CPS environments have been proposed. However, these have largely focused on securing CPS against potential attacks or on intrusion detection to identify potential breaches. Notwithstanding the importance of these “preventive” measures, the resilience of CPS in the face of unfolding attacks, or when part of the CPS is compromised as a result of an attack, has received little attention to date. In particular, security and resilience issues resulting from the multi-application, multi-stakeholder nature of shared CPS fabrics remain unaddressed. Furthermore, there is little understanding of how operators, end-users and other stakeholders of the shared CPS fabric, or of applications/services within that fabric, identify an attack and react to it. Little is also known about whether the existing socio-technical means to respond to such scenarios are effective, and about what information from the underlying CPS and applications/services is pertinent to good decision-making regarding the security state of the CPS, its continued operation, and the consequences (social, economic, business or other) of continuing operation or of operating various partial configurations.

The DYPOSIT project tackles the problem of large, shared cyber-physical infrastructures under attack. In particular, the project responds to the critical need for dynamically formulating and adapting security policies, rapidly and on-demand, in the face of unfolding attacks on a shared CPS fabric integrating multiple applications run by a variety of stakeholders. DYPOSIT tackles this fundamental research problem through a novel dynamic policies approach rooted in a socio-technical understanding of the complexity and dynamics of shared CPS fabrics under attack. DYPOSIT’s approach is unique and transformative as it takes an inter-disciplinary view of reasoning about the security state of a CPS and formulating responses to CPS coming under attack. Furthermore, DYPOSIT’s approach to dynamic policies offers a new perspective on the role of policies in large-scale CPS settings – transforming policies from simply a means to enforce pre-defined security properties to policies as living, evolving objects that play a central role in reasoning about the security state of such a CPS and responding to unfolding attacks. DYPOSIT’s scientific advances are validated in two realistic testbeds – one representing an industrial infrastructure and the other representing a smart building environment.

To date DYPOSIT has achieved a number of key results:

  • Investigations into how and why security vulnerabilities are introduced into cyber-physical systems such as industrial control systems.
  • A comprehensive analysis of the attack surface of a realistic cyber-physical infrastructure – a water treatment plant – and a range of attack scenarios and their implementation for studying the behaviour of the system and operators under attack.
  • A systematic study of current knowledge about human responses to cyber attacks – both in enterprise systems and cyber-physical environments.
  • A novel intrusion detection system (SENAMI) based on selective, non-invasive, active monitoring of devices in CPS so as to detect sophisticated attacks without compromising real-time properties of the devices.
  • A novel vulnerability scanner (SimaticScan) specific to industrial control systems that provides substantial improvements over off-the-shelf vulnerability scanners.
  • A CPS Operating System for IETF Class-1 devices (CerberOS) that supports secure loading of third-party application micro-services, strong application isolation, confidentiality of application data and contractually limited access to device resources.

The project is led by Lancaster University, UK, with partners KU Leuven, Belgium, and University College Cork, Ireland.