Multilevel Runtime Security and Safety Monitoring for Cyber Physical Systems Using Model-Based Engineering

A multilevel cybersecurity and safety monitor for embedded cyber-physical systems: WIP abstract

2019

Cyber-physical systems (CPS) are composed of various embedded subsystems (often realized on system-on-chip technology) and require specialized software, firmware and hardware to coordinate with the rest of the system. These multiple levels of integration expose attack surfaces which can be susceptible to attack vectors that require novel architectural methods to effectively secure against. We present a multilevel monitor architecture cybersecurity approach applied to a flight control system (FCS). We develop a formal framework for the architecture using Event Calculus to define the interactions among the monitors and the system under observation.

Heterogeneous Runtime Verification of Safety Critical Cyber Physical Systems

ArXiv, 2020

Advanced embedded system technology is one of the key driving forces behind the rapid growth of Cyber-Physical System (CPS) applications. Cyber-Physical Systems are comprised of multiple coordinating and cooperating components, which are often software intensive and interacting with each other to achieve unprecedented tasks. Such complex CPSs have multiple attack surfaces and attack vectors that we have to secure against. Towards this goal, we demonstrate a multilevel runtime safety and security monitor framework where there are monitors across the CPS for detection and isolation of attacks. We implement the runtime monitors on FPGA using a stream-based runtime verification tool called TeSSLa. We demonstrate our monitoring scheme for an Autonomous Emergency Braking (AEB) CPS system.

Synthesis of Runtime Monitors for Safe and Secure Industrial Systems

2022 11th Mediterranean Conference on Embedded Computing (MECO), 2022

Industrial control systems (ICS) are cyber-physical systems that implement industrial processes. Their use has expanded from typical industrial environments to the control and management of a wide range of processes, ranging from avionics and traffic management to power grids, transport systems and water management. Today, ICS are employed for management and control of most critical infrastructures. Critical infrastructures are increasingly targeted by attackers; Stuxnet, the Mirai attack and the prewar attacks on the Ukrainian power grid are a few known examples. Safety in critical infrastructures has become a major concern, because failures can affect economies and services at a large scale, influencing the well-being of large populations and even endangering human life. As security attacks become more prevalent, safety problems become worse. A significant problem in the safety and security of critical infrastructures is the development of runtime monitors that detect safety and security incidents. In this talk, we address the problem of synthesis of runtime security monitors for applications of industrial processes. We present an approach that detects computational and false data injection attacks, employing and combining different detection methods, such as verification techniques for computational attacks and fault diagnosis techniques for dynamic systems to detect false data injection attacks. Finally, we present research directions and challenges towards automatically synthesizing effective and efficient monitors.

A model-based approach to security analysis for cyber-physical systems

2018 Annual IEEE International Systems Conference (SysCon), 2018

Evaluating the security of cyber-physical systems throughout their life cycle is necessary to assure that they can be deployed and operated in safety-critical applications, such as infrastructure, military, and transportation. Most safety and security decisions that can have major effects on mitigation strategy options after deployment are made early in the system's life cycle. To allow for a vulnerability analysis before deployment, a sufficiently well-formed model has to be constructed. To construct such a model we produce a taxonomy of attributes; that is, a generalized schema for system attributes. This schema captures the necessary specificity that characterizes a possible real system and can also map to the attack vector space associated with the model's attributes. In this way, we can match possible attack vectors and provide architectural mitigation at the design phase. We present a model of a flight control system encoded in the Systems Modeling Language, commonly known as SysML, but also show agnosticism with respect to the modeling language or tool used.

Towards a Model-Integrated Runtime Monitoring Infrastructure for Cyber-Physical Systems

2021 IEEE/ACM 43rd International Conference on Software Engineering: New Ideas and Emerging Results (ICSE-NIER)

Runtime monitoring is essential for ensuring the safe operation and enabling self-adaptive behavior of Cyber-Physical Systems (CPS). It requires the creation of system monitors, instrumentation for data collection, and the definition of constraints. All of these aspects need to evolve to accommodate changes in the system. However, most existing approaches lack support for the automated generation and setup of monitors and constraints for diverse technologies and do not provide adequate support for evolving the monitoring infrastructure. Without this support, constraints and monitors can become stale and become less effective in long-running, rapidly changing CPS. In this "new and emerging results" paper we propose a novel framework for model-integrated runtime monitoring. We combine model-driven techniques and runtime monitoring to automatically generate large parts of the monitoring framework and to reduce the maintenance effort necessary when parts of the monitored system change. We build a prototype and evaluate our approach against a system for controlling the flights of unmanned aerial vehicles.

Cross-Level Detection Framework for Attacks on Cyber-Physical Systems

Journal of Hardware and Systems Security

Anomaly detection is critical in thwarting malicious attacks on Cyber-Physical Systems. This work presents a novel inference engine that integrates two heterogeneous anomaly detectors, working at different levels of the system architecture, in order to produce a cross-level detector more effective than either one separately. The macro- or process-level detector uses a bank of observers of the physical plant that estimate the state of the process suspected to be under attack, specifically for its sensor to be compromised, from data gathered by available networked sensors. The estimates are then combined using a

Hazard Driven Threat Modelling for Cyber Physical Systems

Proceedings of the 2020 Joint Workshop on CPS&IoT Security and Privacy, 2020

Adversarial actors have shown their ability to infiltrate enterprise networks deployed around Cyber Physical Systems (CPSs) through social engineering, credential stealing and file-less infections. Once inside, they can gain enough privileges to maliciously call legitimate APIs and apply unsafe control actions to degrade the system performance and undermine its safety. Our work lies at the intersection of security and safety, and aims to understand dependencies among security, reliability and safety in CPS/IoT. We present a methodology to perform hazard driven threat modelling and impact assessment in the context of CPSs. The process starts from the analysis of behavioural, functional and architectural models of the CPS. We then apply System Theoretic Process Analysis (STPA) on the functional model to highlight high-level abuse cases. We leverage a mapping between the architectural and the system theoretic (ST) models to enumerate those components whose impairment provides the attacker with enough privileges to tamper with or disrupt the data-flows. This enables us to find a causal connection between the attack surface (in the architectural model) and system level losses. We then link the behavioural and system theoretic representations of the CPS to quantify the impact of the attack. Using our methodology it is possible to compute a comprehensive attack graph of the known attack paths and to perform both a qualitative and quantitative impact assessment of the exploitation of vulnerabilities affecting target nodes. The framework and methodology are illustrated using a small scale example featuring a Communication Based Train Control (CBTC) system. Aspects regarding the scalability of our methodology and its application in real world scenarios are also considered. Finally, we discuss the possibility of using the results obtained to engineer both design time and real time defensive mechanisms.

CCS Concepts: Security and privacy → Distributed systems security; Information flow control.

Model-Based Risk Assessment for Cyber Physical Systems Security

Computers & Security, 2020

Traditional techniques for Cyber-Physical Systems (CPS) security design either treat the cyber and physical systems independently, or do not address the specific vulnerabilities of real-time embedded controllers and networks used to monitor and control physical processes. In this work, we develop and test an integrated model-based approach for CPS security risk assessment utilizing a CPS testbed with real-world industrial controllers and communication protocols. The testbed monitors and controls an exothermic Continuous Stirred Tank Reactor (CSTR) simulated in real time. The CSTR is a fundamental process unit in many industries, including oil and gas, petrochemicals, water treatment, and the nuclear industry. In addition, the process is rich in terms of hazardous scenarios that could be triggered by cyber attacks due to the lack of possible mechanical protection. The paper presents an integrated approach to analyze and design the cyber security system for a given CPS where the physical threats are identified first to guide the risk assessment process. A mathematical model is derived for the physical system using a hybrid automaton to enumerate potential hazardous states of the system. The cyber system is then analyzed using network and data flow models to develop the attack scenarios that may lead to the identified hazards. Finally, the attack scenarios are performed on the testbed and observations are obtained on the possible ways to prevent and mitigate the attacks. The insights gained from the experiments result in several key findings, including the expressive power of the hybrid automaton in security risk assessment, the hazard development time and its impact on cyber security design, and the tight coupling between the physical and the cyber systems for CPS that requires an integrated design approach to achieve cost-effective and secure designs.

Work-In-Progress: a DSL for the safe deployment of Runtime Monitors in Cyber-Physical Systems

2020 IEEE Real-Time Systems Symposium (RTSS)

Guaranteeing that safety-critical Cyber-Physical Systems (CPS) do not fail upon deployment is becoming an even more complicated task with the increased use of complex software solutions. To aid in this matter, formal methods (rigorous mathematical and logical techniques) can be used to obtain proofs about the correctness of CPS. In such a context, Runtime Verification has emerged as a promising solution that combines the formal specification of properties to be validated and monitors that perform these validations during runtime. Although helpful, runtime verification solutions introduce an inevitable overhead in the system, which can disrupt its correct functioning if not safely employed. We propose the creation of a Domain Specific Language (DSL) that, given a generic CPS, 1) verifies if its real-time scheduling is guaranteed, even in the presence of coupled monitors, and 2) implements several verification conditions for the correct-by-construction generation of monitoring architectures. To achieve this, we plan to perform static verifications, derived from the available literature on schedulability analysis, and powered by a set of semi-automatic formal verification tools.

Monitoring and Defense of Industrial Cyber-Physical Systems Under Typical Attacks: From a Systems and Control Perspective

IEEE Transactions on Industrial Cyber-Physical Systems

In the new industrial environment, the safe and reliable operation of Industrial Cyber-Physical Systems (ICPSs) is being threatened by new types of attacks: attackers carefully tamper with the measurement and control data transmitted over the network, causing the controlled systems to behave abnormally. The essence of such threats is operational safety issues induced by information security issues, which need to be studied at the bottom monitoring and control layer of the system. Studying safety and security monitoring, as well as defense strategies against these attacks, is of paramount importance. The primary objective of this article is to offer readers a timely survey that sheds light on the current status of safety and security issues in ICPSs. A comprehensive comparison is conducted with existing approaches and relevant literature, focusing on a systems and control perspective. Specifically, we emphasize the concept of cyber-physical attacks by contrasting them with conventional cyberattacks. A summary of real-world instances of typical cyber-physical attacks is provided to illustrate their significance. In terms of methodology, we conduct a thorough review of attack principles, attack detection, and evaluation approaches, as well as defense schemes. During this process, we carefully compare the pros and cons of different detection methods. It is further elaborated that the information asymmetry between the offensive and defensive parties is the booster of the integrated design of industrial safety and security. Looking