Abstract
We propose controllability, observability, and operability as the core security objectives of a control system, whilst the much-used triad of confidentiality, integrity, and availability captures the security requirements on IT infrastructures. We discuss how the deployment of IT in industrial control systems has changed the attack surface, how this invalidates assumptions about independent failure modes crucial in safety design, and explain why stronger IT infrastructure security does not necessarily imply better ICS security. We show how process physics can be used to carry attack payloads and thus become an instrument for the attacker, and argue that ICS security standards should expand their scope to the physical processes layer.
Notes
- 1. Inspired by [10].
References
Alcaraz C, Lopez J (2017) A cyber-physical systems-based checkpoint model for structural controllability. IEEE Syst J 12:3543–3554
Alves-Foss J, Oman PW, Taylor C, Harrison WS (2006) The MILS architecture for high-assurance embedded systems. Int J Embed Syst 2(3–4):239–247
Arthur W, Challener D (2015) A practical guide to TPM 2.0: using the Trusted Platform Module in the new age of security. Apress, Berkeley
Barreto C, Cárdenas AA, Quijano N (2013) Controllability of dynamical systems: threat models and reactive security. In: International Conference on Decision and Game Theory for Security. Springer, pp 45–64
Bell DE, LaPadula LJ (1973) Secure computer systems: mathematical foundations. Technical report, MITRE Corp, Bedford, MA
Biba KJ (1977) Integrity considerations for secure computer systems. Technical report, MITRE Corp, Bedford, MA
Bratus S, Locasto M, Patterson M, Sassaman L, Shubina A (2011) Exploit programming: from buffer overflows to weird machines and theory of computation. USENIX ;login:
Byres E (2012) Using ANSI/ISA-99 standards to improve control system security. White paper, Tofino Security
Carvalho M, DeMott J, Ford R, Wheeler DA (2014) Heartbleed 101. IEEE Secur Priv 12(4):63–67
Christey S (2007) Unforgivable vulnerabilities. Black Hat Brief 13:17
Clark DD, Wilson DR (1987) A comparison of commercial and military computer security policies. In: Proceedings of the 1987 IEEE Symposium on Security and Privacy, pp 184–194
Dabrowski A, Ullrich J, Weippl ER (2017) Grid shock: coordinated load-changing attacks on power grids: the non-smart power grid is vulnerable to cyber attacks as well. In: Proceedings of the 33rd Annual Computer Security Applications Conference. ACM, pp 303–314
Duntemann J (2004) The lessons of software monoculture. SD Times, p 28, 1 Nov 2004
Etalle S (2017) From intrusion detection to software design. In: European Symposium on Research in Computer Security. Springer, pp 1–10
Fu K, Xu W (2018) Risks of trusting the physics of sensors. Commun ACM 61(2):20–23
Glaessgen E, Stargel D (2012) The digital twin paradigm for future NASA and US Air Force vehicles. In: 53rd AIAA/ASME/ASCE/AHS/ASC Structures, Structural Dynamics and Materials Conference 20th AIAA/ASME/AHS Adaptive Structures Conference 14th AIAA, p 1818
Gollmann D, Gurikov P, Isakov A, Krotofil M, Larsen J, Winnicki A (2015) Cyber-physical systems security: experimental analysis of a vinyl acetate monomer plant. In: Proceedings of the 1st ACM Workshop on Cyber-Physical System Security. ACM, pp 1–12
Jovanovic P, Neves S (2015) Practical cryptanalysis of the open smart grid protocol. In: International Workshop on Fast Software Encryption. Springer, pp 297–316
Kocher P, Genkin D, Gruss D, Haas W, Hamburg M, Lipp M, Mangard S, Prescher T, Schwarz M, Yarom Y (2018) Spectre attacks: exploiting speculative execution. arXiv preprint arXiv:1801.01203
Krotofil M, Larsen J, Gollmann D (2015) The process matters: ensuring data veracity in cyber-physical systems. In: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security. ACM, pp 133–144
Kursawe K, Peters C (2015) Structural weaknesses in the open smart grid protocol. In: 2015 10th International Conference on Availability, Reliability and Security (ARES). IEEE, pp 1–10
Lampson BW (1973) A note on the confinement problem. Commun ACM 16(10):613–615
Leverett E, Wightman R (2013) Vulnerability inheritance programmable logic controllers. In: Proceedings of the Second International Symposium on Research in Grey-Hat Hacking
Lions J-L, Lübeck L, Fauquembergue J-L, Kahn G, Kubbat W, Levedag S, Mazzini L, Merle D, O’Halloran C (1996) Ariane 5 flight 501 failure report by the inquiry board
Lipp M, Schwarz M, Gruss D, Prescher T, Haas W, Mangard S, Kocher P, Genkin D, Yarom Y, Hamburg M (2018) Meltdown. arXiv preprint arXiv:1801.01207
McQueen M, Giani A (2011) ‘Known secure sensor measurements’ for critical infrastructure systems: detecting falsification of system state. In: International Workshop on Software Engineering for Resilient Systems. Springer, pp 156–163
Sharifzadeh M (2013) Integration of process design and control: a review. Chem Eng Res Des 91(12):2515–2549
Tung L (2018) Meltdown-spectre: more businesses warned off patching over stability issues. https://www.zdnet.com/, 15 Jan 2018
Unified Extensible Firmware Interface specification, Version 2.5, April 2015
U.S. Chemical Safety Board (2011) DuPont corporation toxic chemical releases: investigation report, July 2011
Verizon (2016) Data breach digest. Scenarios from the field
Copyright information
© 2019 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Krotofil, M., Kursawe, K., Gollmann, D. (2019). Securing Industrial Control Systems. In: Alcaraz, C. (eds) Security and Privacy Trends in the Industrial Internet of Things. Advanced Sciences and Technologies for Security Applications. Springer, Cham. https://doi.org/10.1007/978-3-030-12330-7_1
DOI: https://doi.org/10.1007/978-3-030-12330-7_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-12329-1
Online ISBN: 978-3-030-12330-7
eBook Packages: Computer Science, Computer Science (R0)