Finding dependencies between cyber-physical domains for security testing of industrial control systems
In modern societies, critical services such as transportation, power supply, water treatment and distribution are strongly dependent on Industrial Control Systems (ICS). As technology moves along, new features improve services provided by such ICS. On the other hand, this progress also introduces ne...
- Autores:
- Tipo de recurso:
- Fecha de publicación:
- 2018
- Institución:
- Universidad del Rosario
- Repositorio:
- Repositorio EdocUR - U. Rosario
- Idioma:
- eng
- OAI Identifier:
- oai:repository.urosario.edu.co:10336/22899
- Acceso en línea:
- https://doi.org/10.1145/3274694.3274745
https://repository.urosario.edu.co/handle/10336/22899
- Palabra clave:
- Control systems
Cyber Physical System
Data flow analysis
Data flow graphs
Embedded systems
Graphic methods
Industrial water treatment
Information dissemination
Network security
Programmable logic controllers
Risk analysis
Risk assessment
Critical service
Data and information
Domain-specific knowledge
Industrial control systems
Information ow
Physical components
Security testing
System under test
Intelligent control
Cyber-Physical Systems
ICS Security
Information ow
- Rights
- License
- http://purl.org/coar/access_right/c_abf2
id |
EDOCUR2_f7e6c5e7f51362a56cef86b5f260c62e |
---|---|
oai_identifier_str |
oai:repository.urosario.edu.co:10336/22899 |
network_acronym_str |
EDOCUR2 |
network_name_str |
Repositorio EdocUR - U. Rosario |
repository_id_str |
|
spelling |
Finding dependencies between cyber-physical domains for security testing of industrial control systemsControl systemsCyber Physical SystemData flow analysisData flow graphsEmbedded systemsGraphic methodsIndustrial water treatmentInformation disseminationNetwork securityProgrammable logic controllersRisk analysisRisk assessmentCritical serviceData and informationDomain-specific knowledgeIndustrial control systemsInformation owPhysical componentsSecurity testingSystem under testIntelligent controlCyber-Physical SystemsICS SecurityInformation owIn modern societies, critical services such as transportation, power supply, water treatment and distribution are strongly dependent on Industrial Control Systems (ICS). As technology moves along, new features improve services provided by such ICS. On the other hand, this progress also introduces new risks of cyber attacks due to the multiple direct and indirect dependencies between cyber and physical components of such systems. Performing rigorous security tests and risk analysis in these critical systems is thus a challenging task, because of the non-trivial interactions between digital and physical assets and the domain-specific knowledge necessary to analyse a particular system. In this work, we propose a methodology to model and analyse a System Under Test (SUT) as a data flow graph that highlights interactions among internal entities throughout the SUT. This model is automatically extracted from production code available in Programmable Logic Controllers (PLCs). We also propose a reachability algorithm and an attack diagram that will emphasize the dependencies between cyber and physical domains, thus enabling a human analyst to gauge various attack vectors that arise from subtle dependencies in data and information propagation. We test our methodology in a functional water treatment testbed and demonstrate how an analyst could make use of our designed attack diagrams to reason on possible threats to various targets of the SUT. © 2018 Association for Computing Machinery.Association for Computing Machinery20182020-05-25T23:58:38Zinfo:eu-repo/semantics/conferenceObjecthttp://purl.org/coar/version/c_970fb48d4fbd8a85http://purl.org/coar/resource_type/c_c94fapplication/pdfhttps://doi.org/10.1145/3274694.32747452016https://repository.urosario.edu.co/handle/10336/22899instname:Universidad del Rosarioreponame:Repositorio Institucional EdocURenghttps://www.scopus.com/inward/record.uri?eid=2-s2.0-85060062319&doi=10.1145%2f3274694.3274745&partnerID=40&md5=d33076a591738ac6b1663bace7173639http://purl.org/coar/access_right/c_abf2Castellanos J.H.Ochoa M.Zhou J.oai:repository.urosario.edu.co:10336/228992022-05-02T07:37:14Z |
dc.title.none.fl_str_mv |
Finding dependencies between cyber-physical domains for security testing of industrial control systems |
title |
Finding dependencies between cyber-physical domains for security testing of industrial control systems |
spellingShingle |
Finding dependencies between cyber-physical domains for security testing of industrial control systems Control systems Cyber Physical System Data flow analysis Data flow graphs Embedded systems Graphic methods Industrial water treatment Information dissemination Network security Programmable logic controllers Risk analysis Risk assessment Critical service Data and information Domain-specific knowledge Industrial control systems Information ow Physical components Security testing System under test Intelligent control Cyber-Physical Systems ICS Security Information ow |
title_short |
Finding dependencies between cyber-physical domains for security testing of industrial control systems |
title_full |
Finding dependencies between cyber-physical domains for security testing of industrial control systems |
title_fullStr |
Finding dependencies between cyber-physical domains for security testing of industrial control systems |
title_full_unstemmed |
Finding dependencies between cyber-physical domains for security testing of industrial control systems |
title_sort |
Finding dependencies between cyber-physical domains for security testing of industrial control systems |
dc.subject.none.fl_str_mv |
Control systems Cyber Physical System Data flow analysis Data flow graphs Embedded systems Graphic methods Industrial water treatment Information dissemination Network security Programmable logic controllers Risk analysis Risk assessment Critical service Data and information Domain-specific knowledge Industrial control systems Information ow Physical components Security testing System under test Intelligent control Cyber-Physical Systems ICS Security Information ow |
topic |
Control systems Cyber Physical System Data flow analysis Data flow graphs Embedded systems Graphic methods Industrial water treatment Information dissemination Network security Programmable logic controllers Risk analysis Risk assessment Critical service Data and information Domain-specific knowledge Industrial control systems Information ow Physical components Security testing System under test Intelligent control Cyber-Physical Systems ICS Security Information ow |
description |
In modern societies, critical services such as transportation, power supply, water treatment and distribution are strongly dependent on Industrial Control Systems (ICS). As technology moves along, new features improve services provided by such ICS. On the other hand, this progress also introduces new risks of cyber attacks due to the multiple direct and indirect dependencies between cyber and physical components of such systems. Performing rigorous security tests and risk analysis in these critical systems is thus a challenging task, because of the non-trivial interactions between digital and physical assets and the domain-specific knowledge necessary to analyse a particular system. In this work, we propose a methodology to model and analyse a System Under Test (SUT) as a data flow graph that highlights interactions among internal entities throughout the SUT. This model is automatically extracted from production code available in Programmable Logic Controllers (PLCs). We also propose a reachability algorithm and an attack diagram that will emphasize the dependencies between cyber and physical domains, thus enabling a human analyst to gauge various attack vectors that arise from subtle dependencies in data and information propagation. We test our methodology in a functional water treatment testbed and demonstrate how an analyst could make use of our designed attack diagrams to reason on possible threats to various targets of the SUT. © 2018 Association for Computing Machinery. |
publishDate |
2018 |
dc.date.none.fl_str_mv |
2018 2020-05-25T23:58:38Z |
dc.type.none.fl_str_mv |
info:eu-repo/semantics/conferenceObject |
dc.type.coarversion.fl_str_mv |
http://purl.org/coar/version/c_970fb48d4fbd8a85 |
dc.type.coar.fl_str_mv |
http://purl.org/coar/resource_type/c_c94f |
dc.identifier.none.fl_str_mv |
https://doi.org/10.1145/3274694.3274745 2016 https://repository.urosario.edu.co/handle/10336/22899 |
url |
https://doi.org/10.1145/3274694.3274745 https://repository.urosario.edu.co/handle/10336/22899 |
identifier_str_mv |
2016 |
dc.language.none.fl_str_mv |
eng |
language |
eng |
dc.relation.none.fl_str_mv |
https://www.scopus.com/inward/record.uri?eid=2-s2.0-85060062319&doi=10.1145%2f3274694.3274745&partnerID=40&md5=d33076a591738ac6b1663bace7173639 |
dc.rights.coar.fl_str_mv |
http://purl.org/coar/access_right/c_abf2 |
rights_invalid_str_mv |
http://purl.org/coar/access_right/c_abf2 |
dc.format.none.fl_str_mv |
application/pdf |
dc.publisher.none.fl_str_mv |
Association for Computing Machinery |
publisher.none.fl_str_mv |
Association for Computing Machinery |
dc.source.none.fl_str_mv |
instname:Universidad del Rosario reponame:Repositorio Institucional EdocUR |
instname_str |
Universidad del Rosario |
institution |
Universidad del Rosario |
reponame_str |
Repositorio Institucional EdocUR |
collection |
Repositorio Institucional EdocUR |
repository.name.fl_str_mv |
|
repository.mail.fl_str_mv |
|
_version_ |
1803710463504023552 |