Dynamic Policies for Shared Cyber-Physical Infrastructures under Attack
A project
A small ethnographic study of an existing SCADA system was carried out in order to gain insights into some of the security challenges faced in managing the security of Cyber-Physical Systems. Shodan was used to locate what appeared to be a vulnerable ICS connected to the Internet; the apparent operators of the system were contacted, the vulnerability highlighted and remediation suggested. No further contact was made and Shodan was used to track subsequent changes over a period of 12 months. At face value, securing this ICS infrastructure connection should be trivial in terms of network security objectives. However, in practice we saw that there are many objectives to be understood and met by the system operators, some of which are contradictory, others are out of the operator's control, and mistakes were repeatedly made. By focussing initially on just the firewall aspects of the system, we can show how thinking about security is best reasoned about in terms of security policy refinement, and this view is informing the ongoing design of our security model. Rather than attempting to define security objectives declaratively or operationally, the position is that one should consider the security of a system by comparing it against other configurations that we consider to be acceptable. This is reported in the article “Getting security objectives wrong: a cautionary tale of an Industrial Control System” by S.N. Foley, to appear in the post-proceedings of the 25th International Security Protocols Workshop, 2017.
Current intrusion detection systems (IDS) for industrial control systems (ICS) mostly involve the retrofitting of conventional network IDSs, such as SNORT. Such an approach is prone to missing highly targeted and specific attacks against ICS. Where ICS-specific approaches exist, they often rely on passive network monitoring techniques, offering a low-cost solution and avoiding any computational overhead arising from actively polling ICS devices. However, the use of passive approaches alone could fail to detect attacks that alter the behaviour of ICS devices (as was the case in Stuxnet). Where active solutions exist, they can be resource-intensive, posing the risk of overloading the legacy devices which are commonplace in ICSs. We have demonstrated that these challenges can be overcome through the combination of a passive network monitoring approach and selective active monitoring based on attack vectors specific to an ICS context. We have implemented this approach in a prototype IDS, SENAMI, for use with Siemens S7 devices and evaluated its effectiveness in our testbed. Our results demonstrate the validity of the proposed approach through the detection of purely passive attacks at a rate of 99%, and active value tampering attacks at a rate of 81-93%. Crucially, we reached recall values greater than 0.96, indicating few attack scenarios generating false negatives. The details are reported in [Jardine2016].
Analysis of the attack surface of an industrial control system requires effective vulnerability scanners. Currently there is a lack of vulnerability scanners specialised to ICS settings. Systems such as PLCScan and ModScan output pertinent information from a Programmable Logic Controller (PLC). However, they do not offer any information as to how vulnerable a PLC is to an attack. We take the view that the peculiarities of the ICS environment require specialised vulnerability scanners. We have designed and implemented SimaticScan, a vulnerability scanner specialised to Siemens SIMATIC PLCs. Through experimentation in our testbed, we demonstrated SimaticScan’s effectiveness in determining a range of vulnerabilities across three distinct PLCs, including a previously unknown vulnerability in one of the PLCs. Our experiments also showed that SimaticScan outperforms the widely used Nessus vulnerability scanner (with relevant ICS-specific plugins deployed). The results are reported in [Antrobus2016].
CerberOS supports secure loading of third-party application micro-services, strong application isolation, confidentiality of application data and contractually limited access to device resources. CerberOS achieves this through a secure Java Virtual Machine (JVM) that precisely monitors and controls the resource usage of each CPS micro-service. CerberOS is thus the first CPS OS to guarantee “resource security”, i.e. that host applications cannot degrade overall system functionality by consuming more resources than intended. This allows even the most embedded CPS devices to be re-imagined as micro-scale cloud servers that are capable of securely supporting applications for multiple parties. Evaluation shows that CerberOS can support the secure coexistence of up to seven concurrent applications on an IETF Class-1 device with a memory usage of 40KB ROM (40%) and 5KB RAM (50%) while preserving multi-year battery lifetimes. This is reported in the article “CerberOS: A Resource-Secure OS for Sharing IoT Devices” by S. Akkermans, W. Daniels, G. Sankar R., B. Crispo, W. Joosen and Danny Hughes, to appear in the proceedings of the International Conference on Embedded Wireless Systems and Networks (EWSN), 2017.
We have showcased MicroPnP, an integrated hardware, software, and networking solution that delivers true Plug-and-Play integration of sensing and actuation peripherals for wireless embedded IoT devices at extremely low cost. MicroPnP’s hardware element relies on passive electrical characteristics as an efficient mechanism to detect and identify peripherals at run time. This enables the creation of robust dynamic environments – which subsequently need strong security protection because of these dynamics. Subsequent to the delivery of this result [Mat16], KU Leuven has selected MicroPnP to be used as a carrier-grade platform for DYPOSIT applications and further experiments with dynamic policies.
We have developed a model for dynamic change in an ICS security configuration in terms of a refinement relation over firewall policies; such policies provide demarcation points between the different regions of the ICS network fabric. In forming a lattice, the firewall algebra provides greatest lower bound and least upper bound operators that give sound methods of policy composition, which can be used to define policy change algebraically, in addition to a refinement relation for comparing policies. The algebra has been used to provide a refinement semantics for the Linux iptables firewall [DBSec2016].
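The lattice structure described above, as an added example that is not the project's own algebra from [DBSec2016] (which this page does not reproduce): by assumption a policy is modelled as the finite set of flows it permits, so refinement is set inclusion, the greatest lower bound is intersection and the least upper bound is union. The zones and flows are constructed, and the "acceptable configurations" check implements the secure-by-comparison position from the ethnographic study above.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# A permitted flow: (protocol, source zone, destination zone, destination port).
Flow = Tuple[str, str, str, int]


@dataclass(frozen=True)
class Policy:
    """Assumption: a firewall policy is the finite set of flows it permits."""
    allowed: FrozenSet[Flow]

    def refines(self, other: "Policy") -> bool:
        # P refines Q when P permits nothing that Q forbids (P is no more open).
        return self.allowed <= other.allowed

    def meet(self, other: "Policy") -> "Policy":
        # Greatest lower bound: the most permissive policy that refines both.
        return Policy(self.allowed & other.allowed)

    def join(self, other: "Policy") -> "Policy":
        # Least upper bound: the most restrictive policy refined by both.
        return Policy(self.allowed | other.allowed)


def permit(*flows: Flow) -> Policy:
    return Policy(frozenset(flows))


def is_acceptable(config: Policy, acceptable: List[Policy]) -> bool:
    """Secure by comparison: a configuration is acceptable when it refines
    at least one configuration that has already been judged acceptable."""
    return any(config.refines(ok) for ok in acceptable)


def remediate(config: Policy, target: Policy) -> Policy:
    # Policy change expressed algebraically: the meet keeps exactly those
    # deployed flows that the target policy also permits, nothing more.
    return config.meet(target)


# Constructed sample zones and flows; illustrative, not taken from the project.
ENGINEER_S7 = ("tcp", "engineering", "plc", 102)
HMI_S7 = ("tcp", "hmi", "plc", 102)
INTERNET_S7 = ("tcp", "internet", "plc", 102)   # PLC protocol reachable from the Internet
INTERNET_VPN = ("udp", "internet", "dmz", 1194)

# Two configurations the operators consider acceptable.
ACCEPTABLE = [permit(ENGINEER_S7, HMI_S7), permit(HMI_S7, INTERNET_VPN)]


def deployed() -> Policy:
    """The observed configuration: HMI access plus an Internet-facing PLC port."""
    return permit(HMI_S7, INTERNET_S7)
```

Note that the join of two acceptable policies is refined by both but need not refine either, so it is not automatically acceptable; only refinement towards an accepted configuration is.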
The DYPOSIT project team organised a one-day International Workshop on Security and Resilience in Cyber-Physical Infrastructures (SERECIN) in conjunction with the International Symposium on Engineering Secure Software and Systems (ESSoS), London, UK, 2016.
A. Rashid (Keynote): The Internet of (Somewhat Secure) Things: To Boldly Go ...?, International Conference on Industrial Networks and Intelligent Systems, Leicester, UK, 2016.
A. Rashid (Invited seminar): Understanding Cyber Risk as Business Risk in Industrial Control Environments, Singapore University of Technology and Design, Singapore, 2015.
A. Rashid (Invited seminar): Understanding Cyber Risk as Business Risk in Industrial Control Environments, Cardiff University, UK, 2016.
S. Foley (Speaker): CPS Attack Scenarios, International Workshop on Security and Resilience in Cyber-Physical Infrastructures, at ESSoS 2016, London, UK, 2016.
S. Foley (Invited seminar): Secure by Comparison, Telecom Bretagne, Rennes, France, June 2016.