Elsevier

Computers & Security

Volume 85, August 2019, Pages 156-180

Securing the testing process for industrial automation software

https://doi.org/10.1016/j.cose.2019.04.016

Abstract

The testing of automation applications has become a crucial pillar of every production systems engineering (PSE) project with the proliferation of cyber-physical systems (CPSs). In light of new attack vectors against CPSs, caused, inter alia, by increased connectivity, security aspects must be considered throughout the PSE process. In this context, software testing represents a critical activity, as a lack of adequate security mechanisms puts a variety of valuable assets (e.g., system configurations and production details) at risk of information theft and sabotage. Thus, organizations must analyze the security of their software testing process on a regular basis in order to counter these threats. Yet, due to the required security knowledge or budget constraints for security-related expenses, these undertakings may be destined to fail. In this work, we present a framework that supports the semi-automated security analysis of an organization’s software testing process for industrial automation software. This framework is based on the VDI/VDE 2182 guideline and integrates an ontological approach to model the necessary background knowledge, including, e.g., data flows, assets, entities, threats, and countermeasures. The framework comprises a default model of the testing process, which users can adapt so that the target of inspection accurately reflects their software testing environment. In particular, the testing process considered for creating the default model is based on best practices observed at a major system integrator, aligned with the ISO/IEC/IEEE 29119 series of software testing standards. Moreover, we developed a tool that enables the automatic generation of attack–defense trees from such formal models of the organization’s software testing process. We demonstrate how the proposed framework can be applied to a generic software testing process to answer essential questions in conducting a security risk analysis. The results of the exemplary security analysis provide guidance, should raise awareness in the industrial domain, and support effective, yet cost- and time-efficient security analyses. Finally, we evaluate the presented framework by performing a comprehensive comparison of suitable security analysis tools.

Introduction

In the past decades, the adoption of software in the industrial automation domain has increased significantly. According to a report presented by the Mechanical Engineering Industry Association (VDMA), the costs of software development activities in engineering projects for automation systems increased from approx. 20% in 2000 to more than 40% in 2010, and this share is expected to rise further (Gausemeier, 2010, Vyatkin, 2013). These findings indicate that software engineering has already started to dominate PSE projects, leaving other engineering disciplines (i.e., mechanics and electronics) behind in terms of spending. Strategic initiatives, such as Industry 4.0 (Kagermann et al., 2013), underpin this trend, as CPSs are considered a stepping stone toward the realization of the “smart factory”. CPSs tightly couple “cyber” (e.g., software) and physical components (e.g., sensors, actuators) and operate on both dimensions (i.e., communicating with other cyber systems and acting in the physical environment) (Baheti and Gill, 2011). Because the behavior of these systems is governed by the software that they execute, software testing is a vital activity to ensure that CPSs perform as intended. Since CPSs interact with the real world, e.g., by controlling manufacturing processes in the case of industrial control systems (ICSs), the functional safety as well as the security of these systems must be guaranteed.

As a matter of fact, security and safety are interdependent properties (Knowles et al., 2015), meaning that successful cyber attacks against CPSs may damage plant equipment, put human health at risk or harm the environment. For example, past CPS or, more specifically, ICS security incidents caused sewage to flow into waterways in Maroochy Shire (Slay and Miller, 2008), the destruction of centrifuges at Iran’s Natanz nuclear facility (Falliere, Murchu, Chien, Langner) and severe physical damage to a German steel mill’s blast furnaces (Lee et al., 2014). To counter cyber threats to CPSs, security must be integrated into each phase of the PSE process, following the principle of “security by design”. PSE processes are embedded in a multi-disciplinary environment, where engineers of different domains work together using various specialized tools that produce heterogeneous planning artifacts (Biffl et al., 2017). Unprotected PSE data (i.e., engineering artifacts) pose a severe security threat in general, as adversaries may be able to steal know-how or even introduce vulnerabilities into artifacts (e.g., blueprints or code of the CPS) for exploitation later in the system’s lifecycle (Kieseberg, Weippl, 2018, Weippl, Kieseberg, 2017).

Software testing of automation applications, in particular, represents a critical phase in every engineering project, as a compromised testing process may allow adversaries to steal or manipulate engineering artifacts. Besides software piracy or the theft of intellectual property (IP), test artifacts may be leveraged to launch highly effective and covert attacks against CPSs during plant operation. For instance, if these artifacts enhance the attacker’s knowledge of the physical process under control, he or she may be able to introduce subtle changes in a way that covertly degrades the operation of the plant (de Sá et al., 2017). Stuxnet is one of the most prominent examples of such a covert attack, which required in-depth knowledge of the target systems and the controlled industrial processes (Falliere, Murchu, Chien, Langner).

On the other hand, the manipulation of test results may allow adversaries to conceal malicious code that has been injected during the testing process or previous PSE phases. The placed malware could then become active during test execution or lie dormant until triggered during plant operation. The criticality of the involved assets and the unique characteristics of the testing process for industrial automation software motivate the need for a thorough threat and risk assessment of software testing activities. Furthermore, as the software testing approaches typically differ between organizations, it is crucial to assess the individual situation of each organization.

In this article, we present a comprehensive framework that facilitates the analysis of the security aspects of the software testing process for industrial automation software. The overall objective of this article is to support organizations in securing their software testing approach and to increase the awareness of cyber threats that target the PSE process.

First, we develop a generic process model for software testing that considers the special characteristics of the industrial domain to define our assessment scope. To define this model, we conducted interviews with a major Austrian systems integrator, reviewed it together with a software quality consulting company, and finally, aligned it with internationally recognized standards for software testing.

Second, we introduce the developed security analysis framework, which is based on the procedural model for risk analysis specified in the VDI/VDE 2182-1 (2011) guideline to ensure conformance with the recommended state of the art. This framework also integrates a STRIDE-based threat modeling approach (Shostack, 2014) for identifying relevant threats to the assets involved. To ensure that the threat models are applicable to variants of the herein described testing process, we developed a tool that enables users to automatically generate attack–defense trees (ADTrees) (Kordy et al., 2011), specifically tailored to their environment. For the quantitative assessment of risks, we take advantage of the open-source software ADTool (Kordy et al., 2013a). In this way, users are able to answer questions, such as, “Which roles are authorized to access which assets?” or “Which threats may exist for the software testing process and how can they be mitigated?”.
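The following is an added illustration, not the paper's ADTGenerator or its ontology: it miniaturizes the pipeline described above by deriving an attack-defense tree from a small model of the testing process using a STRIDE-per-element rule, evaluating which attacks remain satisfiable once countermeasures are deployed, and answering the "which roles may access which assets?" question from the same model. The model classes, the element-type-to-STRIDE mapping, the satisfiability attribute domain and the sample elements are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# STRIDE-per-element mapping (Shostack) assumed as the threat-elicitation rule;
# the model classes below are this example's simplification, not the paper's ontology.
STRIDE_PER_ELEMENT = {"external_entity": "SR", "process": "STRIDE",
                      "data_flow": "TID", "data_store": "TRID"}
THREAT_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information disclosure", "D": "Denial of service",
                "E": "Elevation of privilege"}

@dataclass
class Element:
    """One element of the testing-process data-flow model (constructed)."""
    name: str
    kind: str                                   # key of STRIDE_PER_ELEMENT
    assets: List[str] = field(default_factory=list)
    readers: List[str] = field(default_factory=list)        # authorized roles
    countermeasures: Dict[str, str] = field(default_factory=dict)  # STRIDE letter -> defense

@dataclass
class Node:
    """ADTree node: attacker nodes refine via OR/AND; `counter` names an attached defense."""
    label: str
    op: str = "OR"
    children: List["Node"] = field(default_factory=list)
    counter: Optional[str] = None               # label of the attached defense node

def generate_adtree(goal: str, elements: List[Element]) -> Node:
    """Root OR over elements; each element OR over its applicable STRIDE threats;
    each threat leaf carries the modelled countermeasure as its defense node."""
    root = Node(goal)
    for el in elements:
        el_node = Node(f"Compromise {el.name}")
        for letter in STRIDE_PER_ELEMENT[el.kind]:
            leaf = Node(f"{THREAT_NAMES[letter]} on {el.name}",
                        counter=el.countermeasures.get(letter))
            el_node.children.append(leaf)
        root.children.append(el_node)
    return root

def satisfiable(node: Node, deployed: set) -> bool:
    """Satisfiability domain: OR -> any, AND -> all, leaf -> True;
    an attack node whose countermeasure is deployed is defeated (x and not y)."""
    if node.children:
        vals = [satisfiable(c, deployed) for c in node.children]
        value = any(vals) if node.op == "OR" else all(vals)
    else:
        value = True
    return value and not (node.counter in deployed)

def open_attacks(node: Node, deployed: set) -> List[str]:
    """Leaf attacks that remain feasible given the deployed countermeasures."""
    if not node.children:
        return [node.label] if satisfiable(node, deployed) else []
    return [a for c in node.children for a in open_attacks(c, deployed)]

def role_access(elements: List[Element]) -> Dict[str, set]:
    """Answer 'which roles are authorized to access which assets?' from the model."""
    access: Dict[str, set] = {}
    for el in elements:
        for role in el.readers:
            access.setdefault(role, set()).update(el.assets)
    return access

# Constructed sample model: two elements of a testing process (not from the paper).
MODEL = [
    Element("Test repository", "data_store", ["test cases", "test results"],
            ["tester", "test manager"],
            {"T": "Signed commits", "I": "Repository access control"}),
    Element("SuT simulation", "process", ["PLC program"], ["tester"],
            {"S": "Mutual authentication"}),
]
```

Calling `generate_adtree("Manipulate test outcome", MODEL)` yields ten threat leaves; deploying the three modelled countermeasures leaves seven of them open, which is the list a risk analyst would then prioritize.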

Finally, we conduct a comprehensive evaluation of our framework by comparing it to other security analysis tools.

The contributions of this paper can be summarized as follows:

  • We investigate the state of practice in testing industrial automation software by (i) analyzing the testing approach of a major systems integrator, and (ii) aligning it with international standards for software testing (viz., the ISO/IEC/IEEE 29119 series). The outcome is a generic, well-founded version of the software testing process that is readily applicable to industrial automation software.

  • We present a novel framework for conducting semi-automated security analyses of software testing processes in PSE projects, based on the VDI/VDE 2182-1 (2011) guideline. Furthermore, we demonstrate how this framework can be applied to understand threats and answer security-relevant questions pertaining to the software testing process.

  • Finally, we introduce a publicly available prototype implementation of the framework, and data models of the underlying security and process knowledge. It includes ADTGenerator, a tool that allows users to automatically generate ADTrees (Kordy et al., 2011) for specific testing setups, in order to facilitate threat modeling and a quantitative risk assessment.

The remainder of this paper is structured as follows: Section 2 discusses the methodology of our work and briefly reviews existing security concepts that have been leveraged in our research. In Section 3, we introduce a generic software testing process for automation applications, which also defines the assessment scope for the proposed framework. Section 4 details the security analysis framework and how it can be applied in the context of software testing. In particular, this section first describes the ontologies that are used to model relevant knowledge and then demonstrates how the proposed framework can support each step of the security analysis. After presenting the main contribution of this work, in Section 5, we evaluate the developed framework by comparing it to other tools, some of which support (semi-)automated security analyses. Next, in Section 6, we discuss related work in the areas of threat modeling for CPSs, automated threat modeling, and information security ontologies. Finally, Section 7 concludes the article and provides suggestions for future research directions.

Section snippets

Methodology

This work is based on the Design Science approach by Hevner et al. (2004). The Design Science process, outlined in Fig. 1, is on the one hand influenced by the Environment, and on the other hand, by a Knowledge Base that provides foundations and methodologies. The research process is divided into three tasks, viz., Analysis, Solution Design, and Evaluation, which build on but also contribute to each other. In the Analysis phase, the research problem is investigated by means of the state of the

Generic software testing process for automation applications

In general, the process of testing industrial automation software is quite similar to that of testing traditional IT software. One of the main differences lies in the fact that industrial automation software runs on CPSs that integrate physical components in order to interact with the real-world (Baheti and Gill, 2011) (e.g., a robot arm as part of an assembly line). As a consequence, the system under test (SuT) consists of software that may run within a simulation or a testbed of the

Security analysis framework

This section discusses a framework for the semi-automatic security analysis of software testing processes. First, an overview of the framework is given by describing its structure and how it can support an organization’s efforts to secure its software testing process. Second, we outline in Section 4.1 how we represent knowledge about (i) the software testing process, and (ii) potential threats including their respective countermeasures by using ontologies. Third, Section 4.2 demonstrates the

Evaluation

In this section, we evaluate the proposed framework in the context of selected security analysis tools. To this end, we first identify a set of security analysis tools (step 1) by following a generic approach for tool selection according to Poston and Sexton (1992), and then evaluate the selected tools in the context of the proposed approach based on identified requirements (step 2). Fig. 7 illustrates the basic steps of the evaluation process, its inputs, and outputs.

The Security Analysis Tool

Related work

Existing work that is related to the article at hand can be categorized into (i) threat modeling for cyber-physical systems (CPSs), (ii) automated threat modeling, and (iii) information security ontologies. The following subsections discuss selected representatives of these categories and explain how this work is connected to them.

Conclusions

In this paper, we have presented a novel framework for semi-automatically conducting a security analysis of the testing process for industrial automation software. This framework is based on the procedural method described in the VDI/VDE 2182-1 (2011) guideline and uses an ontological modeling approach to represent knowledge relevant to the security analysis. In particular, we argue that analyzing the security of a software testing process can be semi-automated. Furthermore, we introduce a

Acknowledgements

The financial support by the Christian Doppler Research Association, the Austrian Federal Ministry for Digital and Economic Affairs and the National Foundation for Research, Technology and Development, and COMET K1, FFG - Austrian Research Promotion Agency is gratefully acknowledged.


References (77)

  • R. Bojanc et al. An economic modelling approach to information security risk management. Int J Inf Manag (2008)
  • W. Knowles et al. A survey of cyber security management in industrial control systems. Int J Crit Infrastruct Protect (2015)
  • B. Kordy et al. DAG-based attack and defense modeling: Don’t miss the forest for the attack trees. Comput Sci Rev (2014)
  • M. Ahmed et al. Towards an ontology-based risk assessment in collaborative environment using the SemanticLIFE. Proceedings of the second international conference on availability, reliability and security (2007)
  • R. Baheti et al. Cyber-physical systems. Impact Control Technol (2011)
  • B.J. Berger et al. Automatically extracting threats from extended data flow diagrams
  • Biffl S., Gerhard D., Lüder A.. Introduction to the Multi-Disciplinary Engineering for Cyber-Physical Production...
  • E.J. Byres et al. The use of attack trees in assessing vulnerabilities in SCADA systems. IEEE conference international infrastructure survivability workshop (IISW ’04) (2004)
  • W. Depamelaere et al. CPS security assessment using automatically generated attack trees. Proceedings of the 5th international symposium for ICS & SCADA cyber security research 2018 (2018)
  • A. Dubey. Evaluating software engineering methods in the context of automation applications. 2011 9th IEEE international conference on industrial informatics (2011)
  • A. Ekelhart et al. Security ontologies: improving quantitative risk analysis. 40th annual Hawaii international conference on system sciences (HICSS 2007) (2007)
  • A. Ekelhart et al. AURUM: A framework for information security risk management. Proceedings of the 42nd Hawaii international conference on system sciences (HICSS 2009) (2009)
  • A. Ekelhart et al. Formal threat descriptions for enhancing governmental risk assessment. 1st international conference on theory and practice of electronic governance (2007)
  • A. Ekelhart et al. Integrating attacker behavior in IT security analysis: a discrete-event simulation approach. Inf Technol Manag (2015)
  • A. Ekelhart et al. Automated risk and utility management. 6th international conference on information technology: new generations (ITNG 2009) (2009)
  • Falliere N., Murchu L.O., Chien E.. W32.Stuxnet dossier. White paper, Security Response, Symantec Corp., 2011;...
  • S. Fenz. An ontology- and Bayesian-based approach for determining threat probabilities. Proceedings of the 6th ACM symposium on information, computer and communications security (2011)
  • S. Fenz et al. Formalizing information security knowledge. Proceedings of the 4th international symposium on information, computer, and communications security (2009)
  • J.B. Gao et al. Ontology-based model of network and computer attacks for security assessment. J Shanghai Jiaotong Univ (Sci) (2013)
  • J. Gausemeier. Zuverlässigere Mechatronik - Forschungsergebnisse kompakt: Transfer von Forschungsergebnissen aus 11 Verbundprojekten zur Steigerung der Zuverlässigkeit mechatronischer Systeme. Technical Report (2010)
  • D. Graham et al. Foundations of software testing: ISTQB certification (2008)
  • P. Gruenbacher. Collaborative requirements negotiation with EasyWinWin. Proceedings 11th international workshop on database and expert systems applications (2000)
  • A. Herzog et al. An Ontology of Information Security. Int J Inf Secur Privacy (IJISP) (2007)
  • A.R. Hevner et al. Design science in information systems research. MIS Q (2004)
  • H. Holm et al. CySeMoL: A tool for cyber security analysis of enterprises. 22nd international conference and exhibition on electricity distribution (CIRED 2013) (2013)
  • ISO/IEC/IEEE 29119-2. Software and systems engineering – software testing – part 2: Test processes....
  • ISO/IEC/IEEE 29119-3. Software and systems engineering – software testing – part 3: Test documentation....
  • M.G. Ivanova et al. Attack tree generation by policy invalidation
  • R. Jhawar et al. Attack trees with sequential conjunction
  • H. Kagermann et al. Recommendations for Implementing the Strategic Initiative INDUSTRIE 4.0 – Securing the Future of German Manufacturing Industry. Final Report of the Industrie 4.0 Working Group (2013)
  • P. Kamongi et al. NEMESIS: automated architecture for threat modeling and risk assessment for cloud computing. Proceedings of the 6th ASE international conference on privacy, security, risk and trust (PASSAT) (2014)
  • P. Kamongi et al. VULCAN: Vulnerability assessment framework for cloud computing. 2013 IEEE 7th international conference on software security and reliability (2013)
  • R. Khan et al. STRIDE-based threat modeling for cyber-physical systems. 2017 IEEE PES innovative smart grid technologies conference Europe (ISGT-Europe) (2017)
  • P. Kieseberg et al. Security challenges in cyber-physical production systems
  • E. Kiesling et al. Evolving secure information systems through attack simulation. 47th Hawaii international conference on system sciences (HICSS 2014) (2014)
  • B. Kordy et al. ADTool: Security analysis with attack–defense trees
  • B. Kordy et al. Foundations of attack–defense trees
  • B. Kordy et al. Quantitative questions on attack–defense trees
Cited by (13)

  • Industrial espionage – A systematic literature review (SLR). Computers and Security, 2020
    Citation excerpt: They further state that future research should be dedicated to how to best manage the risks of OSNs without restraining the positive side of OSNs usage. A tremendous amount of technical approaches to protect intellectual property and confidential data are available, although they are probably not introduced originally to combat IE (e.g., Ahmad et al., 2019; Eckhart et al., 2019). Thus, the two key challenges to consider are:
  • A systematic literature review on semantic web enabled software testing. Journal of Systems and Software, 2020
    Citation excerpt: Studies addressing this research question are classified into two sub-categories. The first sub-category includes studies that propose to support test process with semantic web technologies and define a roadmap, framework or reference architecture to develop concrete approaches for realizing semantic web enabled software testing (Bueno et al., 2018; Nakagawa et al., 2011; Nasser et al., 2010; Paydar and Kahani, 2010; Çiflikli and Coşkunçay, 2018; Eckhart et al., 2019). These studies don’t propose a test ontology or ontology-based testing approach themselves.
  • Maturity model for secure software testing. Journal of Software: Evolution and Process, 2023

Matthias Eckhart received a bachelor’s degree in Internet Technology, a master’s degree in IT & Mobile Security, and a master’s degree in IT Law & Management from the University of Applied Sciences FH JOANNEUM. In 2018, he joined the Christian Doppler Laboratory for Security and Quality Improvement in the Production System Lifecycle (CDL-SQI) as junior researcher. His research interests include the security of Cyber-Physical Systems (CPSs), Industrial Control Systems (ICSs) and the Industrial Internet of Things (IIoT). He is currently working towards a PhD degree.

Kristof Meixner received a master’s degree in Business Informatics from the Vienna University of Technology, Austria in 2018. Since 2018 he has been working as researcher in the Christian Doppler Laboratory for Security and Quality Improvement in the Production System Lifecycle (CDL-SQI). His research areas include Software Quality Assurance, Software Testing, and Variability Modeling and Management. He is currently working towards a PhD degree.

Dietmar Winkler received a PhD from the Vienna University of Technology, Austria in 2015. Currently he is working as senior researcher at the Vienna University of Technology as member of the research group for Quality Software Engineering at the Institute for Information Systems Engineering, Information and Software Engineering Group. Since 2018 he has been working as key researcher in the Christian Doppler Laboratory for Security and Quality Improvement in the Production System Lifecycle (CDL-SQI). His research areas include Software and Systems Process Improvement, Software and Systems Quality Assurance, Software Testing, Inspection, and Empirical Software Engineering.

Andreas Ekelhart received a master’s degree in Business Informatics and a master’s degree in Software Engineering & Internet Computing from the TU Wien. He completed his Ph.D. in Computer Science at the Institute of Software Technology and Interactive Systems at the TU Wien. After graduating, Andreas worked as project assistant at the TU Wien and project manager for software development with Security Research. He is a member of the International Information Systems Security Certification Consortium (ISC2) and holds various industrial certifications including CISSP, CSSLP, MCPD, and MCSD.
