Formal Security Analysis of Cloud-Connected Industrial Control Systems

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11359)

Abstract

Industrial control systems are changing from isolated to remotely accessible cloud-connected architectures. Despite their advantages, these architectures introduce extra complexity, which makes it more difficult to ensure the security of these systems prior to deployment. One way to address this is by using formal methods to reason about the security properties of these systems during the early stages of development, specifically by analyzing security attacks and verifying that the corresponding mitigation strategies work as intended. In this paper, we present a formal framework for security analysis of cloud-connected industrial control systems. We consider several well-known attack scenarios and formally verify mitigation strategies for each of them. Our framework is mechanized using TLA+ in order to enable formal verification of security properties. Finally, we demonstrate the applicability of our work using an industrial case study.

This work is supported by Manufacturing Academy of Denmark (MADE). For more information see http://www.made.dk/.

Notes

  1. The industrial partner wishes to remain anonymous.

Author information

Corresponding author

Correspondence to Tomas Kulik.

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Kulik, T., Tran-Jørgensen, P.W.V., Boudjadar, J. (2019). Formal Security Analysis of Cloud-Connected Industrial Control Systems. In: Lanet, JL., Toma, C. (eds) Innovative Security Solutions for Information Technology and Communications. SECITC 2018. Lecture Notes in Computer Science, vol 11359. Springer, Cham. https://doi.org/10.1007/978-3-030-12942-2_7

  • DOI: https://doi.org/10.1007/978-3-030-12942-2_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-12941-5

  • Online ISBN: 978-3-030-12942-2

  • eBook Packages: Computer Science, Computer Science (R0)
