Sat-CPS '22: Proceedings of the 2022 ACM Workshop on Secure and Trustworthy Cyber-Physical Systems

SESSION: Keynote Talk

Secure, Trustworthy and Scalable Digital Manufacturing Cyber-Physical System

The digital manufacturing cyber-physical system makes extensive use of computational tools, optimization methods and machine learning models. Development of a scalable, reliable and resilient future manufacturing system requires integrating security as a parameter in the design, manufacturing and qualification phases because numerous attack vectors exist for such connected manufacturing systems [1]. Many industrial parts have been redesigned using optimization and machine learning methods to save weight and improve functionality. Additive manufacturing has enabled manufacturing of such designs. It has been shown that using the same machine learning algorithms and manufacturing machines, designs and tool paths can be reverse engineered and part replicas can be created with high accuracy [2]. These observations require thinking of building security as an integral part of the manufacturing cyber-physical system. The entire digital manufacturing system, from the product design to manufacturing and qualification phases, can be built on the same platform, which can further increase concerns about intellectual property protection. Implementation of security in a digital manufacturing cyber-physical system requires manufacturing and computer security professionals to work collaboratively on creating solutions specifically for digital manufacturing (DM). This talk will discuss the need for cybersecurity in the context of digital manufacturing and present examples of methods that can help in securing the manufacturing field from intellectual property theft and reverse engineering.

SESSION: Session 1: Cyber Physical Systems Security

A Cyber-Physical Experimentation Platform for Resilience Analysis

Recent high profile cyber attacks on critical infrastructures have raised awareness about the severe and widespread impacts that these attacks can have on everyday life. This awareness has spurred research into making industrial control systems and other cyber-physical systems more resilient. A plethora of cyber resilience metrics and frameworks have been proposed for cyber resilience assessments, but these approaches typically assume that data required to populate the metrics is readily available, an assumption that is frequently not valid. This paper describes a new cyber experimentation platform that can be used to generate relevant data and to calculate resilience metrics that quantify how resilient specified industrial control systems are to specified threats. Demonstration of the platform and analysis process are illustrated through a use case involving the control system for a pressurized water reactor.

Generating Cyber-Physical System Risk Overlays for Attack and Fault Trees using Systems Theory

We describe a formalized systems theoretic method for creating cyber-physical system (CPS) risk overlays that augment existing tree-based models used in CPS risk and threat analysis processes. This top-down approach objectively scopes the system's threat surface for some risk scenario consequence by analyzing its underlying control attributes and communication flows between relevant internal hardware and software sub-components. The resulting analysis should assist with the qualitative selection of causal events when utilizing attack and fault tree models, which have traditionally conducted this event selection using subjective and bottom-up methods. Objectively scoping the tree-based model analysis using a proven systems theoretic approach should also improve defensive and safety planning during the system development life cycle. We provide a control system case study using attack-defense trees and show how this approach may also be reduced to attack trees, fault trees, and attack-fault trees.

Optimal Security Hardening over a Probabilistic Attack Graph: A Case Study of an Industrial Control System using CySecTool

CySecTool is a tool that finds a cost-optimal security controls portfolio in a given budget for a probabilistic attack graph. A portfolio is a set of counter-measures, or controls, against vulnerabilities adopted for a computer system, while an attack graph is a type of threat scenario model. In an attack graph, nodes are privilege states of the attacker, edges are vulnerabilities escalating privileges, and controls reduce the probabilities of some vulnerabilities being exploited. The tool builds on an optimisation algorithm published by Khouzani et al., enabling a user to quickly create, edit, and incrementally improve models, analyse results for given portfolios and display the best solutions for all possible budgets in the form of a Pareto frontier. A case study was performed utilising a system graph and suspected attack paths prepared by industrial security engineers based on an industrial source with which they work. The goal of the case study is to model a supervisory control and data acquisition (SCADA) industrial system which, due to having a potential to harm people, necessitates strong protection while not allowing the use of typical penetration tools like vulnerability scanners. Results are analysed to show how a cyber-security analyst would use CySecTool to store cyber-security intelligence and draw further conclusions.

A Data-Centric Approach to Generate Invariants for a Smart Grid Using Machine Learning

Cyber-Physical Systems (CPS) have gained popularity due to the increased requirements on their uninterrupted connectivity and process automation. Due to their connectivity over the network including intranet and internet, dependence on sensitive data, heterogeneous nature, and large-scale deployment, they are highly vulnerable to cyber-attacks. Cyber-attacks are performed by creating anomalies in the normal operation of the systems with a goal either to disrupt the operation or destroy the system completely. The study proposed here focuses on detecting those anomalies which could be the cause of cyber-attacks. This is achieved by deriving the rules that govern the physical behavior of a process within a plant. These rules are called Invariants. We have proposed a Data-Centric approach (DaC) to generate such invariants. The entire study was conducted using the operational data of a functional smart power grid which is also a living lab.

SESSION: Session 2: Access Control and Trust

Securing Smart Home IoT Systems with Attribute-Based Access Control

Over the last few years, there has been an increased proliferation of IoT systems for smart homes, enabling owners to remotely manage a variety of devices and gadgets installed on their properties. This growth was made possible due to several innovative contributions from the industry in device and sensor technology, efficient networking protocols, as well as extensive deployment of cloud infrastructure, and the development of user-friendly smartphone applications. However, the security of such systems, especially controlled access to the devices and their functionality, is still lagging. There were some recent attempts to develop access control methods for smart home IoTs. While the solutions appear to be interesting, they either ignore the practical issues faced during real-world deployment in IoT systems or do not support fine-grained access control as required by such applications. In this paper, we show how the security of smart home IoT systems can be strengthened through the use of attribute-based access control, which has been considered due to its several distinct advantages including the ability to specify fine-grained security policies and consideration of environmental conditions for making access decisions. A prototype implementation of the proposed framework has been done in the SmartThings IoT platform. An extensive set of experiments shows that the approach is quite promising.

Attribute Based Access Control Model for Protecting Programmable Logic Controllers

Industrial Control Systems (ICS) were traditionally designed as stand-alone systems and isolated from Internet Technology (IT) networks. With the advancement in communication technology, the attack surface has increased; vulnerabilities in ICS components such as Programmable Logic Controllers (PLC) and Human Machine Interfaces (HMI) can now be accessed and exploited. Authentication and access control form the first level of defense for protecting ICS from attacks. Unfortunately, vulnerabilities stemming from improper authentication and access control are very common. We focus our attention on investigating these vulnerabilities, specifically those centered around PLCs, and demonstrate how the use of Attribute-Based Access Control (ABAC) helps protect against them and makes ICS more resilient to attacks. We design an ABAC model for PLC, show how it can be enforced, analyze the resulting system and demonstrate its resilience against some sample vulnerabilities.

Blockchain-Based Administration of Access in Smart Home IoT

There is rising concern that authorization in IoT environments be appropriately designed and applied, due to the surge of smart things becoming part of people's daily lives on the one hand, and the amount of personal/private information they utilize on the other. Different access control systems have been proposed for different IoT environments, but many remain only at a conceptual level. In this paper, we propose a decentralized, ledger-based, publish-subscribe-based architecture for the administration of access in a smart home IoT environment to preside over the assignments of underlying operational authorizations. The proposed architecture is endorsed by a proof-of-concept implementation, which utilizes smart contracts to ensure the integrity of administration, supplemented by the intrinsic benefits of blockchain being distributed and transparent. Despite the rising hype around blockchain technology that stokes its utilization in different domains, utilizing it for access control purposes is not yet promising. Our implementation results assure that using blockchain for administrative access control is propitious, while it is not yet appropriate for operational access control, which has been the main focus of previously proposed blockchain-based access control works.

Quantifying Trustworthiness in Decentralized Trusted Applications

Decentralized systems play an important role in many modern data processing applications. Due to the distributed nature of these applications, participating system components are often operated by different stakeholders with potentially conflicting interests. To prevent malicious participants from manipulating critical system components, trusted computing technologies such as Trusted Platform Modules (TPMs) or Intel's Software Guard Extensions (SGX) can be employed. These technologies provide hardware-based access control to sensitive data and allow users to remotely verify the integrity of critical software stacks. However, not all trusted computing technologies are equally suitable for all use cases. As different technologies offer different benefits and drawbacks, it becomes quite challenging to determine if the decentralized system can be fully trusted in its current state. In this work we present a methodology for estimating the trustworthiness of decentralized systems that are being protected by trusted computing hardware. Our approach is based on a formal model describing the operational dependencies between distributed system components, as well as the required protection goals for a secure component operation. Based on this model we then show how stakeholders can calculate the trustworthiness of a specific system operation as a subjective probability (degree-of-belief). We then generalize this approach to obtain trust estimations for the entire decentralized system. Finally we demonstrate the application of our proposal using the real-world scenario of distributed usage control as an example.

SESSION: Session 3: Miscellaneous Topics

A Framework for Automatic Labeling of Log Datasets from Model-driven Testbeds for HIDS Evaluation

Intrusion detection systems are essential for network security. To verify their detection capabilities and facilitate comparison, benchmark log datasets are used to measure evaluation metrics such as accuracy and false alarm rates. Thereby, it is necessary that these datasets come with a correct ground truth that differentiates normal and attacker behavior. While it is relatively straightforward to generate labels for network-based datasets by selecting events according to IP addresses of attacker hosts, system logs do not necessarily involve such identifiers and are possibly only recognizable as malicious by their combined occurrences. Even more problems emerge when log data is collected in model-driven testbeds, i.e., automatically generated networks that simulate differently parameterized attack scenarios in diverse infrastructures. In these testbeds, parameters such as IP addresses are subject to change and thus cannot simply be used for matching. We thus propose a framework that integrates template-based labeling rules for model-driven testbeds. In this paper we describe the syntax for rule templates with different query types specifically designed to match sequential or interrelated system log events. An evaluation of our open-source implementation shows that only 27 rules are necessary to assign 15 labels to 8 system log files containing attack manifestations.

GyroidOS: Packaging Linux with a Minimal Surface

Separation of privilege domains is crucial when building secure system architectures for cyber-physical systems (CPS). The bar for a successful attack can be raised significantly and the consequences of an attack can be contained. As cyber-physical systems often comprise devices with limited resources, container virtualization provides an ideal base technology to construct secure architectures for CPS. However, the provided isolation guarantees entirely depend on one shared kernel. Therefore, it is crucial to protect this kernel against attacks. Recent research proposed solutions to this issue. However, these approaches incurred performance penalties hindering their practical applicability. Therefore, we created GyroidOS, an architecture to shrink the kernel attack surface available to an attacker inside a container. To achieve this, we exploit redundancy in the Linux syscall interface to restrict access to syscalls without reducing the functionality available to user space binaries. Thereby, we aim to achieve maximum compatibility and applicability in real world scenarios. At the same time, GyroidOS aims to minimize the imposed performance penalty to avoid the performance-related issues in applicability from which previous approaches suffered.

Employing Digital Twins for Security-by-Design System Testing

Ever since cyber attacks focused on industrial and critical infrastructure settings, the awareness of the security issues of these systems has increased. These industrial control systems (ICS) mainly focus on operation and availability -- instead of providing general security features. Moreover, the current Industry 4.0 movement aggravates this security gap by connecting the ICS to the enterprise network, which facilitates targeting these systems. Proper system testing can reveal the system's vulnerabilities and provide remedies. However, security measures are usually neglected or addressed after an emerging incident only, which results in high costs. To maximize the benefit of system testing, we argue that it should be carried out as early as possible, especially to render systems secure-by-design. In this work, we propose an approach for introducing security-by-design system testing by the application of a digital twin. A digital twin is able to represent a system virtually along its lifecycle. To enable security-by-design, the simulation capability of the digital twin is harnessed to create a prospective environment of a planned system. This allows detecting vulnerabilities before they can emerge in the real world and providing an adequate risk strategy. Our work shows how security-by-design system testing is anchored in the security applications along a system's lifecycle. Next to proposing a security-by-design system testing approach with digital twins, we implement a digital twin representing a pressure vessel, and demonstrate how to carry out each step of our proposed approach. During this proof-of-concept, we identify vulnerabilities and show how an attacker can compromise the system by manipulating values of the pressure vessel with the potential to cause over-pressure, which, in turn, can result in an explosion of the vessel.

SecureWeaver: Intent-Driven Secure System Designer

Design and management of networked systems, such as Information Technology/Network (IT/NW) or IoT systems, are inherently complex. Moreover, the need to adhere to security requirements adds even more complexity, as the manual audit and security mitigation of system design are time, skill, and labour intensive. In this paper, we present SecureWeaver, a secure system designer that generates a system design which meets functional, quantitative and security service requirements. SecureWeaver is based on the intent-based designer for IT/NW services named Weaver, and security support was implemented by improving the Weaver design stage via a threat mitigation knowledge base, specific refinement rules, and a security verification mechanism. A case study on video surveillance service requirements is used to illustrate the security threats and their mitigation during the automatic design process. Our results show that SecureWeaver is able to mitigate and verify the solutions from a security perspective without incurring a significant overhead: in our experiments, average overhead is 0.04% for systems with more than 100 elements. We also present a feature comparison with three other related systems that emphasizes the practical advantages of SecureWeaver.