Abstract
Real-time availability with integrity is a crucial security requirement for critical infrastructure assets – delays in reporting device states or computations may result in equipment damage, perhaps even catastrophic failure. However, it is also necessary to address malicious software-based threats. Trusted computing (TC) is a security paradigm that enables application platforms to enforce the integrity of execution targets. A TC architecture can be combined with a real-time access control system to help protect against real-time availability and malware threats. However, TC architectures offer only static (load-time) protection, so it is still necessary to address the possibility of run-time (execution) attacks. This paper focuses on the protection afforded by TC platforms to critical infrastructure assets. The paper defines a threat model, analyzes vulnerabilities, proposes services and tools that guarantee real-time availability with integrity, and demonstrates how they can be used to protect communications of an IEC 61850-90-5-compliant substation automation system in an electricity grid. Also, it discusses the impact of run-time attacks on TC-compliant critical infrastructure assets.
Copyright information
© 2013 IFIP International Federation for Information Processing
About this paper
Cite this paper
Jenkins, J., Burmester, M. (2013). Protecting Infrastructure Assets from Real-Time and Run-Time Threats. In: Butts, J., Shenoi, S. (eds) Critical Infrastructure Protection VII. ICCIP 2013. IFIP Advances in Information and Communication Technology, vol 417. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-45330-4_7
DOI: https://doi.org/10.1007/978-3-642-45330-4_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-45329-8
Online ISBN: 978-3-642-45330-4
eBook Packages: Computer Science (R0)