An Assessment of Security Analysis Tools for Cyber-Physical Systems
Cyber-Physical Systems are heavily used in today’s world. However, their security leaves much to be desired. Attacks such as the Stuxnet worm and the Ukrainian Grid Hack have shown that compromising these systems can have disastrous consequences.
It follows that additional methods for assessing the security of these systems must be explored. To this end, several tools have been developed. In this paper, five existing tools that examine the security of cyber-physical systems are presented. The input models and feedback of these tools are then compared with each other. A real life case study has been modelled in all five tools to achieve this. Two versions of this case study are implemented, one with a DMZ in the network and one without. The five tools are evaluated and their strengths and weaknesses for assessing the security of cyber-physical systems are analysed.
Finally, additional methods for the security assessment are touched upon, and we discuss how they can be used together with the tools.
KeywordsCyber-physical systems Security assessment CSET ADVISE CyberSAGE CySeMoL FAST-CPS
Research funded by a PhD grant of the Agency for Innovation by Science and Technology in Flanders (IWT).
The CyberSAGE software, used by the authors, was developed by the “Integrative Security Assessment of Smart Grid Cyber Infrastructure” project, and is jointly owned by the Illinois Pte ADSC and The Agency for Science Technology and Research in Singapore.
- 1.Hardcoded passwords list (2016). https://github.com/scadastrangelove/SCADAPASS/blob/master/scadapass.csv
- 2.Abrams, M., Weiss, J.: Malicious control system cyber security attack case study-maroochy water services, Australia (2008)Google Scholar
- 3.Assante, M.: Confirmation of a coordinated attack on the Ukrainian power grid (2016). https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid
- 4.Bogaerts, B., De Cat, B., De Pooter, S., Denecker, M.: The IDP framework reference manual (2012)Google Scholar
- 5.Evans, S., Wallner, J.: Risk-based security engineering through the eyes of the adversary. In: Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop, IAW 2005, pp. 158–165. IEEE (2005)Google Scholar
- 6.Falliere, N., Murchu, L., Chien, E.: W32.Stuxnet Dossier (2011). http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
- 7.Ford, M.D., Keefe, K., LeMay, E., Sanders, W.H., Muehrcke, C.: Implementing the advise security modeling formalism in möbius. In: 2013 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 1–8. IEEE (2013)Google Scholar
- 8.Homeland Security, H.C.C.: Cset: Cyber security evaluation tool (2014)Google Scholar
- 9.Langner, R.: To kill a centrifuge: a technical analysis of what stuxnet’s creators tried to achieve (2013)Google Scholar
- 10.Lee, E.A.: Cyber physical systems: design challenges. In: 2008 11th IEEE International Symposium on Object Oriented Real-Time Distributed Computing (ISORC), pp. 363–369. IEEE (2008)Google Scholar
- 11.Lemaire, L., Lapon, J., De Decker, B., Naessens, V.: A SysML extension for security analysis of industrial control systems. In: Proceedings of the 2nd International Symposium for ICS & SCADA Cyber Security Research, p. 1 (2014)Google Scholar
- 12.Lemaire, L., Vossaert, J., Jansen, J., Naessens, V.: Extracting vulnerabilities in industrial control systems using a knowledge-based system. In: Proceedings of the 3rd International Symposium for ICS & SCADA Cyber Security Research, p. 1 (2015)Google Scholar
- 13.LeMay, E., Ford, M.D., Keefe, K., Sanders, W.H., Muehrcke, C.: Model-based security metrics using adversary view security evaluation (advise). In: 2011 Eighth International Conference on Quantitative Evaluation of Systems (QEST), pp. 191–200. IEEE (2011)Google Scholar
- 14.Lippmann, R., Ingols, K., Scott, C., Piwowarski, K., Kratkiewicz, K., Artz, M., Cunningham, R.: Validating and restoring defense in depth using attack graphs. In: IEEE Military Communications Conference, MILCOM 2006, pp. 1–10. IEEE (2006)Google Scholar
- 15.Lippmann, R., Scott, C., Kratkiewicz, K., Artz, M., Ingols, K.W.: Network security planning architecture. US Patent 7,194,769, 20 March 2007Google Scholar
- 16.Matrosov, A., Researcher, S.V., Rodionov, E., Analyst, R., Harley, D.: Stuxnet Under the Microscope (2011)Google Scholar
- 17.Noel, S., Elder, M., Jajodia, S., Kalapa, P., O’Hare, S., Prole, K.: Advances in topological vulnerability analysis. In: Cybersecurity Applications & Technology Conference For Homeland Security, CATCH 2009, pp. 124–129. IEEE (2009)Google Scholar
- 18.Ou, X., Govindavajhala, S., Appel, A.W.: Mulval: A logic-based network security analyzer. In: USENIX security (2005)Google Scholar
- 19.Schlegel, R., Obermeier, S., Schneider, J.: Assessing the security of IEC 62351. In: Proceedings of the 3rd International Symposium for ICS & SCADA Cyber Security Research, pp. 11–19. British Computer Society (2015)Google Scholar
- 21.Sommestad, T., Ekstedt, M., Nordström, L.: A case study applying the cyber security modeling language (2010)Google Scholar
- 22.Stouffer, K., Lightman, S., Pillitteri, V., Abrams, M., Hahn, A.: Guide to industrial control systems (ICS) security (2015)Google Scholar
- 24.Wang, E.K., Ye, Y., Xu, X., Yiu, S., Hui, L., Chow, K.: Security issues and challenges for cyber physical system. In: Proceedings of the 2010 IEEE/ACM International Conference on Green Computing and Communications & International Conference on Cyber, Physical and Social Computing, pp. 733–738. IEEE Computer Society (2010)Google Scholar
- 25.Whiteman, B.: Network risk assessment tool (NRAT). IA Newsl. 11(1), 4–8 (2008)Google Scholar
- 26.Wittocx, J., Mariën, M., Denecker, M.: The IDP system: a model expansion system for an extension of classical logic. In: Proceedings of the 2nd Workshop on Logic and Search, pp. 153–165 (2008)Google Scholar
- 27.Zetter, K.: Inside the cunning, unprecedented hack of Ukraine’s power grid (2016). http://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/