
Abstract

We propose controllability, observability, and operability as the core security objectives of a control system, whilst the much-used triad of confidentiality, integrity, and availability captures the security requirements on IT infrastructures. We discuss how the deployment of IT in industrial control systems has changed the attack surface, how this invalidates assumptions about independent failure modes crucial in safety design, and explain why stronger IT infrastructure security does not necessarily imply better ICS security. We show how process physics can be used to carry attack payloads and thus become an instrument for the attacker, and argue that ICS security standards should expand their scope to the physical processes layer.


Notes

  1. Inspired by [10].

  2. https://www.cyberark.com/blog/four-ssh-vulnerabilities-you-should-not-ignore/

  3. https://en.wikipedia.org/wiki/NIST_hash_function_competition#Entrants_with_substantial_weaknesses

  4. https://www.isa.org/isa99/

  5. https://www.blackhat.com/docs/us-17/wednesday/us-17-Krotofil-Evil-Bubbles-Or-How-To-Deliver-Attack-Payload-Via-The-Physics-Of-The-Process.pdf

  6. https://www.flowcontrolnetwork.com/how-iiot-monitoring-improves-pump-maintenance/

References

  1. Alcaraz C, Lopez J (2017) A cyber-physical systems-based checkpoint model for structural controllability. IEEE Syst J 12:3543–3554

  2. Alves-Foss J, Oman PW, Taylor C, Harrison WS (2006) The MILS architecture for high-assurance embedded systems. Int J Embed Syst 2(3–4):239–247

  3. Arthur W, Challener D (2015) A practical guide to TPM 2.0: using the Trusted Platform Module in the new age of security. Apress, Berkeley

  4. Barreto C, Cárdenas AA, Quijano N (2013) Controllability of dynamical systems: threat models and reactive security. In: International Conference on Decision and Game Theory for Security. Springer, pp 45–64

  5. Bell DE, LaPadula LJ (1973) Secure computer systems: mathematical foundations. Technical report, MITRE CORP BEDFORD MA

  6. Biba KJ (1977) Integrity considerations for secure computer systems. Technical report, MITRE CORP BEDFORD MA

  7. Bratus S, Locasto M, Patterson M, Sassaman L, Shubina A (2011) Exploit programming: from buffer overflows to weird machines and theory of computation. USENIX ;login:

  8. Byres E (2012) Using ANSI/ISA-99 standards to improve control system security. White paper, Tofino Security

  9. Carvalho M, DeMott J, Ford R, Wheeler DA (2014) Heartbleed 101. IEEE Secur Priv 12(4):63–67

  10. Christey S (2007) Unforgivable vulnerabilities. Black Hat Brief 13:17

  11. Clark DD, Wilson DR (1987) A comparison of commercial and military computer security policies. In: Proceedings of the 1987 IEEE Symposium on Security and Privacy, pp 184–194

  12. Dabrowski A, Ullrich J, Weippl ER (2017) Grid shock: coordinated load-changing attacks on power grids: the non-smart power grid is vulnerable to cyber attacks as well. In: Proceedings of the 33rd Annual Computer Security Applications Conference. ACM, pp 303–314

  13. Duntemann J (2004) The lessons of software monoculture. SD Times, p 28, 1 Nov 2004

  14. Etalle S (2017) From intrusion detection to software design. In: European Symposium on Research in Computer Security. Springer, pp 1–10

  15. Fu K, Xu W (2018) Risks of trusting the physics of sensors. Commun ACM 61(2):20–23

  16. Glaessgen E, Stargel D (2012) The digital twin paradigm for future NASA and US Air Force vehicles. In: 53rd AIAA/ASME/ASCE/AHS/ASC Structures, Structural Dynamics and Materials Conference 20th AIAA/ASME/AHS Adaptive Structures Conference 14th AIAA, p 1818

  17. Gollmann D, Gurikov P, Isakov A, Krotofil M, Larsen J, Winnicki A (2015) Cyber-physical systems security: experimental analysis of a vinyl acetate monomer plant. In: Proceedings of the 1st ACM Workshop on Cyber-Physical System Security. ACM, pp 1–12

  18. Jovanovic P, Neves S (2015) Practical cryptanalysis of the open smart grid protocol. In: International Workshop on Fast Software Encryption. Springer, pp 297–316

  19. Kocher P, Genkin D, Gruss D, Haas W, Hamburg M, Lipp M, Mangard S, Prescher T, Schwarz M, Yarom Y (2018) Spectre attacks: exploiting speculative execution. arXiv preprint arXiv:1801.01203

  20. Krotofil M, Larsen J, Gollmann D (2015) The process matters: ensuring data veracity in cyber-physical systems. In: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security. ACM, pp 133–144

  21. Kursawe K, Peters C (2015) Structural weaknesses in the open smart grid protocol. In: 2015 10th International Conference on Availability, Reliability and Security (ARES). IEEE, pp 1–10

  22. Lampson BW (1973) A note on the confinement problem. Commun ACM 16(10):613–615

  23. Leverett E, Wightman R (2013) Vulnerability inheritance programmable logic controllers. In: Proceedings of the Second International Symposium on Research in Grey-Hat Hacking

  24. Lions J-L, Lübeck L, Fauquembergue J-L, Kahn G, Kubbat W, Levedag S, Mazzini L, Merle D, O’Halloran C (1996) Ariane 5 flight 501 failure report by the inquiry board

  25. Lipp M, Schwarz M, Gruss D, Prescher T, Haas W, Mangard S, Kocher P, Genkin D, Yarom Y, Hamburg M (2018) Meltdown. arXiv preprint arXiv:1801.01207

  26. McQueen M, Giani A (2011) ‘Known secure sensor measurements’ for critical infrastructure systems: detecting falsification of system state. In: International Workshop on Software Engineering for Resilient Systems. Springer, pp 156–163

  27. Sharifzadeh M (2013) Integration of process design and control: a review. Chem Eng Res Des 91(12):2515–2549

  28. Tung L (2018) Meltdown-spectre: more businesses warned off patching over stability issues. https://www.zdnet.com/, 15 Jan 2018

  29. Unified Extensible Firmware Interface specification, Version 2.5, April 2015

  30. U.S. Chemical Safety Board (2011) Dupont corporation toxic chemical releases: investigation report, July 2011

  31. Verizon (2016) Data breach digest. Scenarios from the field


Author information


Correspondence to Marina Krotofil.


Copyright information

© 2019 Springer Nature Switzerland AG

About this chapter


Cite this chapter

Krotofil, M., Kursawe, K., Gollmann, D. (2019). Securing Industrial Control Systems. In: Alcaraz, C. (eds) Security and Privacy Trends in the Industrial Internet of Things. Advanced Sciences and Technologies for Security Applications. Springer, Cham. https://doi.org/10.1007/978-3-030-12330-7_1


  • DOI: https://doi.org/10.1007/978-3-030-12330-7_1


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-12329-1

  • Online ISBN: 978-3-030-12330-7

  • eBook Packages: Computer Science, Computer Science (R0)
