Are You Threatening My Hazards?

  • Marina Krotofil
  • Jason Larsen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8639)


This paper presents a framework for discussing security in cyber-physical systems, built on a simple mental model of the relationship between security and safety that has protection flows at its core. We explain their separation of concerns and outline security issues which can yield a violation of the protection flow, supporting the discussion with real world examples. We conclude the paper with a discussion on matters which are beyond our control, subjected to contradictory requirements, or do not have easy solutions. We also identify novel research challenges in the emerging field of cyber-physical security.


Safety System Critical Infrastructure Hazard Investigation Security Incident Industrial Control System 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Configure access points with Google Location Service,
  2. 2.
  3. 3.
    Safety securing approach against cyber-attacks for process control system. Computers & Chemical Engineering 57, 181–186 (2013)Google Scholar
  4. 4.
    Anderson, G., Bell, M.L.: Lights Out: Impact of the Power Outage on Mortality in New York August 2003. Epidemiology 23(2), 189–193 (2012)CrossRefGoogle Scholar
  5. 5.
    Avizienis, A., Laprie, J.C., Randell, B., Landwehr, C.: Basic concepts and taxonomy of dependable and secure computing. IEEE Transactions on Dependable and Secure Computing 1, 11–33 (2004)CrossRefGoogle Scholar
  6. 6.
    Bobrek, M., Bouldin, D., Holcomb, D., Killough, S., Smith, S., Ward, C., Wood, R.: Review Guidelines for Field-Programmable Gate Arrays in Nuclear Power Plant Safety Systems. U.S.RNC (2010)Google Scholar
  7. 7.
    Bratus, S., Locasto, M., Patterson, M.L., Sassaman, L., Shubina, A.: Exploit Programming: From Buffer Overflows to ‘Weird Machines’ and Theory of Computation. USENIX; Login 36(6), 13–21 (2011)Google Scholar
  8. 8.
    connectBlue: Bluetooth Technology in Oslo Pump Stations (2011),
  9. 9.
    Cusimano, J., Byres, E.: Safety and Security: Two Sides of the Same Coin. ControlGlobal (2010)Google Scholar
  10. 10.
    Davis, M.: SmartGrid Device Security: Adventures in a new medium. Black Hat USA (2011)Google Scholar
  11. 11.
    Gollmann, D.: Veracity, plausibility, and reputation. In: Askoxylakis, I., Pöhls, H.C., Posegga, J. (eds.) WISTP 2012. LNCS, vol. 7322, pp. 20–28. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  12. 12.
    Kesler, B.: The vulnerability of nuclear facilities to cyber attack. Strategic Insights 10(1), 15–25 (2011)Google Scholar
  13. 13.
    Langner, R.: To kill a centrifuge. Tech. rep., Langner Communications (2013)Google Scholar
  14. 14.
    Larsen, J.: Going Small When Attacking a Process,
  15. 15.
    Larsen, J.: Breakage. Black Hat USA (2008)Google Scholar
  16. 16.
    Leverett, É.P.: Quantitatively Assessing and Visualising Industrial System Attack Surfaces. Master’s thesis, University of Cambridge, UK (2011)Google Scholar
  17. 17.
    Leverett, É.P., Wightman, R.: Vulnerability Inheritance Programmable Logic Controllers. In: The 2nd International Symposium on Research in Grey-Hat Hacking, GreHack (2013)Google Scholar
  18. 18.
    Leveson, N.G.: Engineering a Safer World: Systems Thinking Applied to Safety. The MIT Press (2012)Google Scholar
  19. 19.
    Linda, O., Manic, M., McQueen, M.: Improving control system cyber-state awareness using known secure sensor measurements. In: Hämmerli, B.M., Kalstad Svendsen, N., Lopez, J. (eds.) CRITIS 2012. LNCS, vol. 7722, pp. 46–58. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  20. 20.
    Matherly, J.C.: SHODAN (2009),
  21. 21.
    McIntyre, C.: Using Smart Instrumentation. Plant Engineering: online magazine (2011), (retrieved: December 2013)
  22. 22.
    NERC: Critical Infrastructure Protection Standards,
  23. 23.
    NIST: Guide for Assessing the Security Controls in Federal Information Systems and Organizations (2010)Google Scholar
  24. 24.
    Novak, T., Gerstinger, A.: Safety- and Security-Critical Services in Building Automation and Control Systems. IEEE Transactions on Industrial Electronics 57(11), 3614–3621 (2010)CrossRefGoogle Scholar
  25. 25.
    Rinaldi, S., Peerenboom, J., Kelly, T.: Identifying, understanding, and analyzing critical infrastructure interdependencies. IEEE Control Systems 21(6), 11–25 (2001)CrossRefGoogle Scholar
  26. 26.
    U.S. Chemical Safety and Hazard Investigation Board: DuPont Corporation Toxic Chemical Releases: Investigation Report. Tech. rep., U.S. Chemical Safety Board (CSB) (20011)Google Scholar
  27. 27.
    U.S. Chemical Safety and Hazard Investigation Board: Bp America Refinery Explosion: Final Investigation Report. Tech. rep., U.S. Chemical Safety Board (CSB) (2007)Google Scholar
  28. 28.
    U.S. Chemical Safety and Hazard Investigation Board: LPG Fire ar Valero–McKee Refinery: Final Investigation Report. Tech. rep., U.S. Chemical Safety Board (CSB) (2007)Google Scholar
  29. 29.
    Zeller, M.: Myth or reality - does the Aurora vulnerability pose a risk to my generator? In: 2011 64th Annual Conference for Protective Relay Engineers, pp. 130–136 (2011)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Marina Krotofil
    • 1
  • Jason Larsen
    • 2
  1. 1.Hamburg University of TechnologyHamburgGermany
  2. 2.IOActive, Inc.SeattleUSA

Personalised recommendations