Abstract
Cyber-Physical Systems are heavily used in today’s world. However, their security leaves much to be desired. Attacks such as the Stuxnet worm and the Ukrainian Grid Hack have shown that compromising these systems can have disastrous consequences.
It follows that additional methods for assessing the security of these systems must be explored. To this end, several tools have been developed. In this paper, five existing tools that examine the security of cyber-physical systems are presented. The input models and feedback of these tools are then compared with each other. A real life case study has been modelled in all five tools to achieve this. Two versions of this case study are implemented, one with a DMZ in the network and one without. The five tools are evaluated and their strengths and weaknesses for assessing the security of cyber-physical systems are analysed.
Finally, additional methods for the security assessment are touched upon, and we discuss how they can be used together with the tools.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Hardcoded passwords list (2016). https://github.com/scadastrangelove/SCADAPASS/blob/master/scadapass.csv
Abrams, M., Weiss, J.: Malicious control system cyber security attack case study-maroochy water services, Australia (2008)
Assante, M.: Confirmation of a coordinated attack on the Ukrainian power grid (2016). https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid
Bogaerts, B., De Cat, B., De Pooter, S., Denecker, M.: The IDP framework reference manual (2012)
Evans, S., Wallner, J.: Risk-based security engineering through the eyes of the adversary. In: Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop, IAW 2005, pp. 158–165. IEEE (2005)
Falliere, N., Murchu, L., Chien, E.: W32.Stuxnet Dossier (2011). http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
Ford, M.D., Keefe, K., LeMay, E., Sanders, W.H., Muehrcke, C.: Implementing the advise security modeling formalism in möbius. In: 2013 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 1–8. IEEE (2013)
Homeland Security, H.C.C.: Cset: Cyber security evaluation tool (2014)
Langner, R.: To kill a centrifuge: a technical analysis of what stuxnet’s creators tried to achieve (2013)
Lee, E.A.: Cyber physical systems: design challenges. In: 2008 11th IEEE International Symposium on Object Oriented Real-Time Distributed Computing (ISORC), pp. 363–369. IEEE (2008)
Lemaire, L., Lapon, J., De Decker, B., Naessens, V.: A SysML extension for security analysis of industrial control systems. In: Proceedings of the 2nd International Symposium for ICS & SCADA Cyber Security Research, p. 1 (2014)
Lemaire, L., Vossaert, J., Jansen, J., Naessens, V.: Extracting vulnerabilities in industrial control systems using a knowledge-based system. In: Proceedings of the 3rd International Symposium for ICS & SCADA Cyber Security Research, p. 1 (2015)
LeMay, E., Ford, M.D., Keefe, K., Sanders, W.H., Muehrcke, C.: Model-based security metrics using adversary view security evaluation (advise). In: 2011 Eighth International Conference on Quantitative Evaluation of Systems (QEST), pp. 191–200. IEEE (2011)
Lippmann, R., Ingols, K., Scott, C., Piwowarski, K., Kratkiewicz, K., Artz, M., Cunningham, R.: Validating and restoring defense in depth using attack graphs. In: IEEE Military Communications Conference, MILCOM 2006, pp. 1–10. IEEE (2006)
Lippmann, R., Scott, C., Kratkiewicz, K., Artz, M., Ingols, K.W.: Network security planning architecture. US Patent 7,194,769, 20 March 2007
Matrosov, A., Researcher, S.V., Rodionov, E., Analyst, R., Harley, D.: Stuxnet Under the Microscope (2011)
Noel, S., Elder, M., Jajodia, S., Kalapa, P., O’Hare, S., Prole, K.: Advances in topological vulnerability analysis. In: Cybersecurity Applications & Technology Conference For Homeland Security, CATCH 2009, pp. 124–129. IEEE (2009)
Ou, X., Govindavajhala, S., Appel, A.W.: Mulval: A logic-based network security analyzer. In: USENIX security (2005)
Schlegel, R., Obermeier, S., Schneider, J.: Assessing the security of IEC 62351. In: Proceedings of the 3rd International Symposium for ICS & SCADA Cyber Security Research, pp. 11–19. British Computer Society (2015)
Sommestad, T., Ekstedt, M., Holm, H.: The cyber security modeling language: a tool for assessing the vulnerability of enterprise system architectures. IEEE Syst. J. 7(3), 363–373 (2013)
Sommestad, T., Ekstedt, M., Nordström, L.: A case study applying the cyber security modeling language (2010)
Stouffer, K., Lightman, S., Pillitteri, V., Abrams, M., Hahn, A.: Guide to industrial control systems (ICS) security (2015)
Vu, A.H., Tippenhauer, N.O., Chen, B., Nicol, D.M., Kalbarczyk, Z.: CyberSAGE: a tool for automatic security assessment of cyber-physical systems. In: Norman, G., Sanders, W. (eds.) QEST 2014. LNCS, vol. 8657, pp. 384–387. Springer, Cham (2014). doi:10.1007/978-3-319-10696-0_29
Wang, E.K., Ye, Y., Xu, X., Yiu, S., Hui, L., Chow, K.: Security issues and challenges for cyber physical system. In: Proceedings of the 2010 IEEE/ACM International Conference on Green Computing and Communications & International Conference on Cyber, Physical and Social Computing, pp. 733–738. IEEE Computer Society (2010)
Whiteman, B.: Network risk assessment tool (NRAT). IA Newsl. 11(1), 4–8 (2008)
Wittocx, J., Mariën, M., Denecker, M.: The IDP system: a model expansion system for an extension of classical logic. In: Proceedings of the 2nd Workshop on Logic and Search, pp. 153–165 (2008)
Zetter, K.: Inside the cunning, unprecedented hack of Ukraine’s power grid (2016). http://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/
Acknowledgements
Research funded by a PhD grant of the Agency for Innovation by Science and Technology in Flanders (IWT).
The CyberSAGE software, used by the authors, was developed by the “Integrative Security Assessment of Smart Grid Cyber Infrastructure” project, and is jointly owned by the Illinois Pte ADSC and The Agency for Science Technology and Research in Singapore.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Lemaire, L., Vossaert, J., De Decker, B., Naessens, V. (2017). An Assessment of Security Analysis Tools for Cyber-Physical Systems. In: Großmann, J., Felderer, M., Seehusen, F. (eds) Risk Assessment and Risk-Driven Quality Assurance. RISK 2016. Lecture Notes in Computer Science(), vol 10224. Springer, Cham. https://doi.org/10.1007/978-3-319-57858-3_6
Download citation
DOI: https://doi.org/10.1007/978-3-319-57858-3_6
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-57857-6
Online ISBN: 978-3-319-57858-3
eBook Packages: Computer ScienceComputer Science (R0)