Security Analysis and Improvement of Data Logistics in AutomationML-Based Engineering Networks
The Automation Markup Language (AutomationML) is a concept developed in 2008 to provide a versatile data format for the seamless exchange of engineering data, with the goal of simplifying the design and creation of cyber-physical production systems. Different software, such as CAD programs, is meant to support this format. Especially in collaborative work and data exchange, security can become an important issue, as current approaches do not fulfill the essential security objectives: authenticity, integrity, and confidentiality of the stored files are not ensured from the start of product design to the end product. This raises questions not only about the confidentiality of company information but also about the safety of production lines and end products. Leakage of confidential information (e.g., construction plans), leading to an unintended spread of know-how, can be an expensive consequence. Unauthorized and undetected (malicious) modifications may even lead to faults in end products, availability issues, or serious accidents within the production line. This chapter focuses on demonstrating open issues within AutomationML-based engineering project environments. We demonstrate why some kind of security layer (i.e., a layer ensuring access control and privileges, as well as data integrity) is crucial when using AutomationML. To this end, we provide assumptions about potential attacks and their potential consequences. We introduce an approach to identify and analyze assets, potential threats and vulnerabilities, resulting risks, and countermeasures that are relevant for ensuring the abovementioned properties: confidentiality of know-how, availability of the assets, and integrity of relevant data.
Keywords: AutomationML security; AutomationML-based data exchange; Access control for AutomationML
This material is based on work partially supported by (1) the Christian-Doppler-Laboratory for Security and Quality Improvement in the Production System Lifecycle; the financial support by the Austrian Federal Ministry for Digital and Economic Affairs and the National Foundation for Research, Technology and Development is gratefully acknowledged; (2) SBA Research; the competence center SBA Research (SBA-K1) is funded within the framework of COMET - Competence Centers for Excellent Technologies by BMVIT, BMDW, and the federal state of Vienna, managed by the FFG.