SAT-CPS '21: Proceedings of the 2021 ACM Workshop on Secure and Trustworthy Cyber-Physical Systems

Cyber-physical systems span a wide spectrum, from long-lived legacy systems to more modern installations. Trust is an issue that arises across the spectrum, albeit with different variants of goals and constraints. On the one end of the spectrum, legacy systems are characterized by function-based designs in which trust is an implicitly in-built concept -- the operation is historically designed, implemented, and optimized in a benign stance with respect to intended use. On the other end of the spectrum, modern systems are characterized by offerings from manufacturers, vendors, and system installers -- the devices and deployments use a variety of security features that offer promises of increased trust. All along this spectrum of cyber-physical systems, extending trust beyond the traditional cyber portions to the arteries that connect the physical portions to the cyber portions is a major challenge. Here, we identify a Trust-but-Verify approach that spans this spectrum in addressing trust.

Autonomy has been touted to be a major asset of Cyber-Physical Systems (CPS) and its components. By intertwining non-physical and physical processes they seamlessly integrate interdependent computational and physical components. In this contribution we take a closer look on structural constellations of CPS and their components that refer to autonomy. We also take into account development aspects and demonstrate encoding autonomy aspects into a behavior-centered representation scheme for digital twins. It features encapsulation on various layers of abstraction in the course of design and choreography for self-contained while networked operation of CPS as System-of-Systems. As digital twin models created in the course of CPS design activities can be executed automatically, the implementation and adaptation of CPS (components) is intertwined with design activities. Consequently, users can act as designers and experience CPS behavior through digital twin execution interactively. Critical elements, such as managing private data in healthcare, can be monitored and adapted to individual needs.

Cyber-Physical Systems are widely used in critical infrastructures such as the power grids, water purification systems, nuclear plants, oil refinery and compressor plants, food manufacturing, etc. Anomalies in these systems can be a result of cybersecurity attacks, failed sensors or communication channels. Undetected anomalies may lead to process failure, cause financial damage and have significant impact on human lives. Thus, it is important to detect anomalies at early stages and to protect data in Cyber-Physical Systems. In this paper, we propose the novel on-the-fly NIST-compliant key generation scheme for a secure data container used to transfer and store sensor data. The data container delivers data from the low-level field sensors to high-level data analysis servers in a protected form. It provides data confidentiality and integrity, as well as data origin integrity, a fine-grained role-based and attribute-based access control. As a result, the anomaly detector runs on trustworthy data sets, protected from unauthorized adversarial modifications. Our solution can be easily integrated with many existing Cyber-Physical Systems and IT infrastructures since our secure data container supports RESTful API and is implemented in two modifications: (1) signed, watermarked and encrypted spreadsheet file; (2) signed and encrypted JSON file. In addition, we implemented several machine learning models based on a Random Forest, a k-Nearest Neighbors, a Support Vector Machine and a Neural Network algorithms for the detection of various anomalies and attacks in a gas pipeline system. We will demonstrate that our anomaly detection models achieve high detection rate with an average accuracy of 97.7% for two industrial data sets collected by the Mississippi State University's Critical Infrastructure Protection Center and Oak Ridge National Laboratories (ORNL)

In Cloud Computing, the cloud serves as a central data hub for the Industrial Internet of Things' (IIoT) data and is deployed in diverse application fields, e.g., Smart Grid or Smart Manufacturing. Therefore, the aggregated and contextualized data is bundled in a central data hub, bringing tremendous cybersecurity advantages. Given the threat landscape in IIoT systems, especially SMEs (small and medium-sized enterprises) need to be prepared regarding their cybersecurity, react quickly, and strengthen their overall cybersecurity. For instance, with the application of machine learning algorithms, security-related data can be analyzed predictively in order to be able to ward off a potential attack at an early stage. Since modern reference architectures for IIoT systems, such as RAMI 4.0 or IIRA, consider cybersecurity approaches on a high level and SMEs lack financial funds and knowledge, this paper conceptualizes a security analytics service used as a security add-on to these reference architectures. Thus, this paper conceptualizes a flexible security analytics service that implements security capabilities with flexible analytical techniques that fit specific SMEs' needs. The security analytics service is also evaluated with a real-world use case.

Utilities around the world are reported to invest a total of around \$30 billion over the next few years for installation of more than 300 million smart meters, replacing traditional analog meters \citeinfo. By mid-decade, with full country wide deployment, there will be almost 1.3 billion smart meters in place \citeinfo. Collection of fine-grained energy usage data by these smart meters provides numerous advantages such as energy savings for customers with use of demand optimization, a billing system of higher accuracy with dynamic pricing programs, bidirectional information exchange ability between end-users for better consumer-operator interaction, and so on. However, all these perks associated with fine-grained energy usage data collection threaten the privacy of users. With this technology, customers' personal data such as sleeping cycle, number of occupants, and even type and number of appliances stream into the hands of the utility companies and can be subject to misuse. This research paper addresses privacy violation of consumers' energy usage data collected from smart meters and provides a novel solution for the privacy protection while allowing benefits of energy data analytics. First, we demonstrate the successful application of occupancy detection attacks using a deep neural network method that yields high accuracy results. We then introduce Adversarial Machine Learning Occupancy Detection Avoidance with Blockchain (AMLODA-B) framework as a counter-attack by deploying an algorithm based on the Long Short Term Memory (LSTM) model into the standardized smart metering infrastructure to prevent leakage of consumer's personal information. Our privacy-aware approach protects consumers' privacy without compromising the correctness of billing and preserves operational efficiency without use of authoritative intermediaries.

In the near future IoT will be part of every home turning our houses into smart houses, in which we have multiple users with complex social relationships between them using the same smart devices. This requires sophisticated access control specification and enforcement models. Recently, several access control models have been developed or adapted for IoT in general, with a few specifically designed for the smart home IoT domain. The majority of these models are built on role-based access control (RBAC) or attribute-based access control (ABAC) models which have had considerable traction in traditional non-IoT domains. In this paper, we introduce the smart home IoT attribute-based access control model (HABAC). HABAC is a dynamic and fine-grained model that is developed specifically to meet smart home IoT challenges. Currently it is not precisely clear what are the pros and cons of ABAC over RBAC in general, and in smart home IoT in particular. To this end we provide an analysis of HABAC relative to the previously published EGRBAC (extended generalized role based access control) model for smart home IoT. We compare the theoretical expressive power of these models by providing algorithms for converting an HABAC specification to EGRBAC and vice versa, and discuss the insights for practical deployment of these models resulting from these constructions. We conclude that a hybrid model combining ABAC and RBAC features may be the most suitable for smart home IoT, and likely more generally.

Using role-based access control (RBAC) to manage RBAC is among RBAC's attractive benefits, contributing to its long-standing dominance in practice. Administrative models facilitate management of (mostly configuration) changes in the underlying operational models. Overall system security is crucially dependent on both the administrative and operational models. In this paper, we develop an RBAC administrative model to manage authorization assignments in the EGRBAC (enhanced generalized role-based access control) operational model for smart home IoT. We design the administrative model based on pairwise disjoint Administrative Units, each of which contains a uniquely assigned administrative role and a set of administrative tasks. Administrative tasks determine the administrative permissions available to manage the operational model assignments. We begin with a model containing a single administrative unit and then extend it to include additional units. Multiple administrative units enable decentralized administration which could be adapted to provide scalability in inherently distributed and large-scale environments beyond smart home, such as smart buildings or smart campuses. We provide formalism of our proposed model and illustrate it by specifying operational and administrative use cases. Although, the model is proposed based on a specific smart home operational model, our approach could be applied to environments with similar dynamics.

Increasing number of internet connected devices has paved a path for smarter ecosystems in various sectors such as agriculture, aquaculture, manufacturing, healthcare, etc. Especially, integrating technologies like big data, artificial intelligence (AI), blockchain, etc. with internet connected devices has increased efficiency and productivity. Therefore, fishery farmers have started adopting smart fisheries technologies to better manage their fish farms. Despite their technological advancements smart fisheries are exposed and vulnerable to cyber-attacks that would cause a negative impact on the ecosystem both physically and economically.

Therefore in this paper, we present a smart fisheries ecosystem where the architecture describes various interactions that happen between internet connected devices. We develop a smart fisheries ontology based on the architecture and implement Attribute Based Access Control System (ABAC) where access to resources of smart fisheries is granted by evaluating the requests. We also discuss how access control decisions are made in multiple use case scenarios of a smart fisheries ecosystem. Furthermore, we elaborate on some AI applications that would enhance the smart fisheries ecosystem.

As autonomous vehicles fill the roads and more manufacturers join the trend, the need for a unified communication protocol grows. Current paradigms in vehicle-to-vehicle communication are too slow to provide accurate and meaningful traffic data in a timely fashion, and it is difficult to trust that incoming data is correct without an authoritative server verifying the sender's identity. This paper introduces a protocol for peer-to-peer exchanges of positional data that determines the trust level of a particular message by comparing matching object data hashes. Similar in concept to non-interactive zero-knowledge proofs, the design retains the privacy and anonymity of senders and is relatively fast compared to certificate-based solutions under a reasonable traffic load. Our preliminary experiment shows promising results, with much faster runtimes compared to similar cryptographic solutions. Although the current implementation is still rough around the edges, the basic design can provide the groundwork for future paradigms in inter-vehicular communication without depending on expensive cryptographic operations performed on special or more powerful hardware. This opens doors for protocols that can be run on current vehicles without requiring the collective processing power of all vehicles to increase.

This tutorial provides a review of the state-of-the-art research and the applications of Artificial Intelligence and Machine Learning for malware analysis. We will provide an overview, background and results with respect to the three main malware analysis approaches: static malware analysis, dynamic malware analysis and online malware analysis. Further, we will provide a simplified hands-on tutorial of applying ML algorithm for dynamic malware analysis in cloud IaaS.

The ongoing digitization of industrial manufacturing leads to a decisive change in industrial communication paradigms. Moving from traditional one-to-one to many-to-many communication, publish/subscribe systems promise a more dynamic and efficient exchange of data. However, the resulting significantly more complex communication relationships render traditional end-to-end security futile for sufficiently protecting the sensitive and safety-critical data transmitted in industrial systems. Most notably, the central message brokers inherent in publish/subscribe systems introduce a designated weak spot for security as they can access all communication messages. To address this issue, we propose ENTRUST, a novel solution for key server-based end-to-end security in publish/subscribe systems. ENTRUST transparently realizes confidentiality, integrity, and authentication for publish/subscribe systems without any modification of the underlying protocol. We exemplarily implement ENTRUST on top of MQTT, the de-facto standard for machine-to-machine communication, showing that ENTRUST can integrate seamlessly into existing publish/subscribe systems.

Passwords continue to dominate the authentication landscape, while One Time Passwords (OTPs) provided by apps are increasingly used as second factor. Even though several alternatives are developed, very few regard usability. Even fewer alternatives consider special conditions of authentication, like disabilities and other input restrictions, typical for healthcare workers. In this paper, we show shortcomings by the example of different stages within the care cycle. Generalized requirements are used to evaluate existing authentication mechanisms. These findings result in the design of a matrix showing different authentication methods and requirements. The matrix can be used to identify the best fitting authentication mechanisms based on the needs of the scenario. Not only the first factor can be identified, but the matrix also helps to select additional well-fitting authentication mechanism for a specific scenario. The designed matrix is practically underlined by applying it to the care cycle with different cyber-physical systems (CPS).

Due to our dependency on electricity, it is vital to keep our power systems secure from cyber attacks. However, because power systems are being digitalized and the infrastructure is growing increasingly complicated, it is difficult to gain an overview and secure the entire system. An overview of the potential security vulnerabilities can be achieved with threat modeling. The Meta Attack Language (MAL) is a formalism that enables the development of threat modeling languages that can be used to automatically generate attack graphs and conduct simulations over them. In this article we present the MAL-based language SCL-Lang which has been created based on the System description Configuration Language (SCL) as defined in the IEC 61850 standard. With SCL-Lang one can create threat models of substations based on their SCL files and automatically find information regarding potential cyber attack paths in the substation automation system configuration. This enables structured cyber security analysis for evaluating various design scenarios before implementation.

Modern computer memories have been shown to have reliability issues. The main memory is the target of a security attack called Rowhammer, which causes bit flips in adjacent victim cells of aggressor rows. Multiple mitigation techniques have been proposed to counter this issue, but they all come at a non-negligible cost of performance and/or silicon surface. Some techniques rely on a detection mechanism using row access counters to trigger automatic defenses.

In this paper, we propose a tool to build a system-specific detection mechanism using gem5 to simulate the system and Machine Learning to detect the attack by analyzing hardware event traces. The detection mechanism built with our tool shows high accuracy (over 99.5%) and low latency (maximum 474µs to classify when running offline in software) to detect an attack before completion.