
An Assessment of Security Analysis Tools for Cyber-Physical Systems

  • Conference paper
Risk Assessment and Risk-Driven Quality Assurance (RISK 2016)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 10224)

Abstract

Cyber-Physical Systems are heavily used in today’s world. However, their security leaves much to be desired. Attacks such as the Stuxnet worm and the Ukrainian Grid Hack have shown that compromising these systems can have disastrous consequences.

It follows that additional methods for assessing the security of these systems must be explored. To this end, several tools have been developed. In this paper, five existing tools that examine the security of cyber-physical systems are presented. The input models and feedback of these tools are then compared with each other. A real-life case study has been modelled in all five tools to achieve this. Two versions of this case study are implemented, one with a DMZ in the network and one without. The five tools are evaluated and their strengths and weaknesses for assessing the security of cyber-physical systems are analysed.

Finally, additional methods for the security assessment are touched upon, and we discuss how they can be used together with the tools.



Acknowledgements

Research funded by a PhD grant of the Agency for Innovation by Science and Technology in Flanders (IWT).

The CyberSAGE software, used by the authors, was developed by the “Integrative Security Assessment of Smart Grid Cyber Infrastructure” project, and is jointly owned by the Illinois Pte ADSC and The Agency for Science Technology and Research in Singapore.

Author information

Corresponding author

Correspondence to Laurens Lemaire.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Lemaire, L., Vossaert, J., De Decker, B., Naessens, V. (2017). An Assessment of Security Analysis Tools for Cyber-Physical Systems. In: Großmann, J., Felderer, M., Seehusen, F. (eds) Risk Assessment and Risk-Driven Quality Assurance. RISK 2016. Lecture Notes in Computer Science, vol 10224. Springer, Cham. https://doi.org/10.1007/978-3-319-57858-3_6

  • DOI: https://doi.org/10.1007/978-3-319-57858-3_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-57857-6

  • Online ISBN: 978-3-319-57858-3

  • eBook Packages: Computer Science, Computer Science (R0)
