DYPOSIT: Dynamic Policies for Shared Cyber-Physical Infrastructures under Attack

Lead Research Organisation: University of Bristol
Department Name: Computer Science

Abstract

The DYPOSIT project tackles the problem of large, shared cyber-physical system (CPS) infrastructures under attack. In particular, the project responds to the critical need for dynamically formulating and adapting security policies, rapidly and on-demand, in the face of unfolding attacks on a shared CPS fabric integrating multiple applications run by a variety of stakeholders. DYPOSIT tackles this fundamental research problem through a novel dynamic policies approach rooted in a socio-technical understanding of the complexity and dynamics of shared CPS fabrics under attack. DYPOSIT's approach is unique and transformative as it takes an inter-disciplinary view of reasoning about the security state of a CPS and formulating responses to CPS coming under attack. This is in sharp contrast to other approaches that remain largely focused on technical measures to provide security or solutions that cater for the resource-constrained nature of the devices employed in a CPS. Furthermore, DYPOSIT's approach to dynamic policies offers a new perspective on the role of policies in large-scale CPS settings - transforming policies from simply a means to enforce pre-defined security properties to policies as living, evolving objects that play a central role in reasoning about the security state of such a CPS and responding to unfolding attacks. Managing the complexity of formulating and adapting policies dynamically in such a setting, while resolving conflicts, is a fundamental advance towards resilient shared CPS fabrics. DYPOSIT's scientific advances are validated in an available realistic testbed, which is used to provide application scenarios depicting CPS under attack across a spectrum: highly-managed CPS such as those found in industrial control systems or future factories through to dynamically aggregated CPS, as in smart cities, large manufacturing plants or intelligent transportation systems.

Planned Impact

Impact on industry and practice:

While DYPOSIT's scientific advances are fundamental and foundational, its approach to evaluating their effectiveness in a real-world testbed environment makes it possible to demonstrate the practical benefits that can be derived from such an approach. By exploiting existing networks of contacts at partner sites (see Section 3.2 in case for support), DYPOSIT has the potential to transform industy and practice approaches towards large shared CPS fabrics of the future. DYPOSIT's approach inherently considers CPS across the spectrum, from highly managed to dynamically aggregated. This enables demonstration of the potential applicability of the approach across a range of CPS, hence stimulating industrial innovation in CPS security and resilience solutions.

Impact on society:

With the projected growth in connected devices (to 50bn by 2020), CPS present the new frontier for security. This growth is being driven by innovations in smart cities, internet of things, body-area networks (in healthcare), smart grids and wearable sensors - all of which will play a role in future societal settings. CPS, therefore, offer both great opportunities and great problems of security for modern society. DYPOSIT tackles key challenges with regards to security and resilience of services that crosscut large-scale, overlapping, CPS topologies, while accounting for the potentially volatile nature of such topologies. The research advances in DYPOSIT are, therefore, fundamental to infrastructure/services that will be central to our future as a society.

Publications

10 25 50

Related Projects

Project Reference Relationship Related To Start End Award Value
EP/N021657/1 01/12/2015 31/12/2017 £362,646
EP/N021657/2 Transfer EP/N021657/1 01/01/2018 30/06/2020 £194,277
 
Description 1. How and why security vulnerabilities are introduced into cyber-physical systems such as industrial control systems.

A small ethnographic study of an existing SCADA system was carried out in order to gain insights into some of the security challenges faced in managing security of Cyber Physical Systems. Shodan was used to locate what appeared to be a vulnerable ICS connected to the Internet; the apparent operators of the system were contacted, the vulnerability highlighted and remediation suggested. No further contact was made and Shodan was used to track subsequent changes over a period of 12 months. At face value, securing this ICS infrastructure connection should be trivial in terms of network security objectives. However, in practice we saw that there are many objectives to be understood and met by the system operators, some of which are contradictory, others are out of the operator's control, and mistakes were repeatedly made. By focussing initially on just the firewall aspects of the system, we can show how the thinking about security is best reasoned about in terms of security policy refinement and this view is informing the ongoing design of our security model. Rather than attempting to define security objectives declaratively or operationally, the position is that one should consider the security of a system by comparing it against other configurations that we consider to be acceptable.

2. SENAMI: Selective Non-Invasive Active Monitoring for ICS Intrusion Detection
Current intrusion detection systems (IDS) for industrial control systems (ICS) mostly involve the retrofitting of conventional network IDSs, such as SNORT. Such an approach is prone to missing highly targeted and specific attacks against ICS. Where ICS-specific approaches exist, they often rely on passive network monitoring techniques, offering a low cost solution, and avoiding any computational overhead arising from actively polling ICS devices. However, the use of passive approaches alone could fail in the detection of attacks that alter the behaviour of ICS devices (as was the case in Stuxnet). Where active solutions exist, they can be resource-intensive, posing the risk of overloading legacy devices which are commonplace in ICSs. We have demonstrated that these challenges can be overcome through the combination of a passive network monitoring approach, and selective active monitoring based on attack vectors specific to an ICS context. We have implemented this approach in a prototype IDS, SENAMI, for use with Siemens S7 devices and evaluated its effectiveness in our testbed. Our results demonstrate validity of the proposed approach through the detection of purely passive attacks at a rate of 99%, and active value tampering attacks at a rate of 81-93%. Crucially, we reached recall values greater than 0.96, indicating few attack scenarios generating false negatives.

3. A Specialised Vulnerability Scanner for Industrial Control Systems
Analyses of the attack surface of an industrial control system requires effective vulnerability scanners. Currently there is a lack of vulnerability scanners specialised to ICS settings. Systems such as PLCScan and ModScan output pertinent information from a Programmable Logic Controller (PLC). However, they do not offer any information as to how vulnerable a PLC is to an attack. We take the view that the peculiarities of ICS environment require specialised vulnerability scanners. We have designed and implemented SimaticScan, a vulnerability scanner specialised to Siemens SIMATIC PLCs. Through experimentation in our testbed, we demonstrated SimaticScan's effectiveness in determining a range of vulnerabilities across three distinct PLCs, including a previously unknown vulnerability in one of the PLCs. Our experiments also showed that SimaticScan outperforms the widely used Nessus vulnerability scanner (with relevant ICS-specific plugins deployed).

4. CerberOS: a CPS Operating System for IETF Class-1 devices
CerberOS supports secure loading of third-party application micro-services, strong application isolation, confidentiality of application data and contractually limited access to device resources. CerberOS achieves this through a secure Java Virtual Machine (JVM) that precisely monitors and controls the resource usage of each CPS micro-service. CerberOS is thus the first CPS OS to guarantee "resource security", i.e. that host applications cannot degrade overall system functionality by consuming more resources than intended. This allows even the most embedded CPS devices to be re-imagined as micro-scale cloud servers that are capable of securely supporting applications for multiple parties. Evaluation shows that CerberOS can support the secure coexistence of up to seven concurrent applications on an IETF Class-1 device with a memory usage of 40KB ROM (40%) and 5KB RAM (50%) while preserving multi-year battery lifetimes.

5. MicroPnP, an integrated hardware, software, and networking solution
We have showcased MicroPnP, an integrated hardware, software, and networking solution that delivers true Plug-and-Play integration of sensing and actuation peripherals for wireless embedded IoT devices at extremely low cost. MicroPnP's hardware element relies on passive electrical characteristics as efficient mechanism to detect and identify peripherals at run time. This enables the creation of robust dynamic environments - that subsequently need strong security protection because of these dynamics. Subsequent to the delivery of this result, our partner KU Leuven has selected MicroPnP to be used as a carrier grade platform for DYPOSIT applications and further experiments with dynamic policies.

6. Model for dynamic change in an ICS security configuration.
We have developed a model for dynamic change in an ICS security configuration in terms of a refinement relation over firewall policies; such policies provide demarkation points between the different regions of the ICS network fabric. In forming a lattice, the firewall algebra provides greatest lower-, and lowest upper bound, operators that provide sound methods of policy composition that can be used to define policy change algebraically, in addition to a refinement relation for comparing policies. The algebra has been used to provide a refinement semantics for the Linux iptables firewall.

7. A lightweight attack surface reduction approach for legacy industrial control systems. We designed an approach to improve the security of legacy industrial control systems. The lightweight approach that can be implemented on legacy PLCs to reduce their attack surface, making it harder for an attacker to learn system behaviour and craft useful attacks - without compromising the real-time properties of the physical process. Our approach involves applying obfuscation to PLC data whenever it is stored or accessed which leads to a continuous change of the target surface. Obfuscation keys can be refreshed depending on the threat situation, striking a balance between system performance and protection level. Using real-world and simulated ICS data sets, we demonstrate that the technique (called LASARUS) is able to prevent a set of well-known attacks like random or replay injection, by reducing their passing rate significantly - up to a 100 times.

8. Lessons learnt from building an industrial control systems testbed for real-world experimentation. We documented our experience of developing and refining our industrial control systems testbed as a blueprint for other researchers embarking on a similar effort. Hands-on experimental research is essential to better understand and explore security challenges in industrial control systems (ICSs). However, real-world production systems are often off-limits due to the potential impact such research could have on operational processes and, in turn, safety. On the other hand, software-based simulations cannot always reflect all the potential device/system states due to over-simplified assumptions when modelling the hardware in question. As a result, laboratory-based ICS testbeds have become a key tool for research on ICS security. Development of such a testbed is a costly, labour- and time- intensive activity that must balance a range of design considerations, e.g., diversity of hardware and software platforms against scalability and complexity. Yet there was little coverage in existing literature on such design considerations, their implications and how to avoid typical pitfalls. Each group of researchers embarks on this journey from scratch, learning through a painful process of trial and error. We reflected on over 3 years of experience of building our extensive ICS testbed with a range of devices and documented ten lessons as a blueprint for other researchers and practitioners - including how to address issues of diversity, scalability and complexity and design choices to manage trade-offs amongst these properties.

9. Threat-driven Dynamic Security Policies for Cyber-Physical Systems. Large-scale CPSs, such as smart grids and water treatment plants, present a unique set of challenges when attempting to secure them from active attack. Resource limited controllers and their connections to nationally critical infrastructure mean we can neither check every input nor shutdown the entire system at the first sign of attack-the large number of users and scale of disruption makes this infeasible unless safety is clearly at stake. Our framework seeks to address this by dynamically re-configuring the security and monitoring policies of distributed CPSs on the basis of identified threats and risks. We illustrate the use of our framework by describing how it could work with a water- treatment plant by re-configuring PLCs, taking action, and by responding to threats as they present, by dynamically adapting policies based on unfolding threats, and go on to show how the policy language could have helped to mitigate against three real-world CPS attacks.
Exploitation Route A number of security models and approaches for cyber-physical system (CPS) environments have been proposed. However, these have largely focused on securing CPS against potential attacks or intrusion detection to identify potential breaches. Notwithstanding the importance of these "preventive" measures, resilience of CPS in the face of unfolding attacks or when part of the CPS is compromised as a result of an attack, has received little attention to date. In particular, security and resilience issues resulting from the multi-application, multi-stakeholder nature of shared CPS fabrics remain unaddressed. Furthermore, there is little understanding of how operators, end-users and other stakeholders of the shared CPS fabric or applications/services within that fabric identify an attack and react to it. Little is also known about whether the existing socio-technical means to respond to such scenarios are effective and what information from the underlying CPS and applications/services is pertinent to good decision-making regarding the security state of the CPS, its continued operation and the consequences (social, economic, business or other) of continuing operation or operating various partial configurations.

DYPOSIT's results provide specialised tools and technologies developed to support continued operation of a cyber-physical infrastructure while under attack. These can be utilised by organisations operating critical infrastructures to make their systems more resilient in the face of cyber attacks.
Sectors Aerospace, Defence and Marine,Digital/Communication/Information Technologies (including Software),Energy,Financial Services, and Management Consultancy,Manufacturing, including Industrial Biotechology,Transport,Other

URL https://dyposit.eu
 
Description A specialised vulnerability scanner, SimaticScan, has been built which has led to a more effective analysis of vulnerabilities in programmable logic controllers. The intrusion detection system, SENAMI, developed in this project is currently the subject of discussion for collaboration with an industry organisation. Detailed guidelines were developed on building an industrial control systems testbed and ten lessons published for those embarking on similar activity. A framework for a threat-centered policy language has been developed along with a Python implementation of an algebra for composing, refining and reasoning about iptables firewall rules.
First Year Of Impact 2018
Sector Digital/Communication/Information Technologies (including Software),Other
 
Description Fourth ACM Workshop on Cyber-Physical Systems Security and PrivaCy (CPS-SPC) in conjunction with the ACM Conference on Computer and Communications Security (CCS) in Toronto, Canada. 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Other audiences
Results and Impact Professor Rashid chaired the workshop that brought together international researchers to discuss key challenges and new approaches for security and privacy in cyber-physical systems, including industrial control systems.
Year(s) Of Engagement Activity 2018
URL https://cps-spc.org
 
Description Google Talk 2017 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Industry/Business
Results and Impact Invited Talk: Everything is Awesome! or is it? Cyber Security Risk in Critical Infrastructure, Google Zurich, 2017. This talk discussed insights from three years of research studying cyber security in such settings. The talk highlighted the complexity of managing security in a landscape shaped by the often competing demands of a variety of stakeholders, e.g., managers, control engineers, enterprise IT personnel and field site operators. It also covered how the security decision-making patterns of the various stakeholders contrast, with some surprising (or perhaps not so surprising) insights into the decision patterns of security experts and so-called non-experts. The talk concluded by discussing risks arising from the prevalence of social media information especially how these may be utilised to infer employees of a critical infrastructure organisation - leading to the potential for highly targeted spear-phishing campaigns.
Year(s) Of Engagement Activity 2017
 
Description Lunchtime Talk at Pervasive Media Studio: "Everything is Awesome!!!" or is it? Cyber Security Risks in Critical Infrastructure 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach Regional
Primary Audience Public/other audiences
Results and Impact Industrial Control Systems play an important role in the monitoring, control, and automation of critical infrastructure such as water, gas, oil, and electricity. Recent years have seen a number of high profile cyber attacks on such infrastructure exemplified by Stuxnet and the Ukrainian Power Grid attacks. This naturally begs the question: how should we manage cyber security risks in such infrastructure on which the day-to-day functioning of our society relies?

In this talk Awais Rashid will discuss insights from three years of research studying cyber security in such settings. The talk will highlight the complexity of managing security in a landscape shaped by the often competing demands of a variety of stakeholders, e.g., managers, control engineers, enterprise IT personnel and field site operators. He will also discuss how the security decision-making patterns of the various stakeholders contrast, with some surprising (or perhaps not so surprising) insights into the decision patterns of security experts and so-called non-experts.
Year(s) Of Engagement Activity 2018
URL https://www.watershed.co.uk/studio/events/2018/10/05/"everything-awesome"-or-it-cyber-security-risks...
 
Description Participation in CHIST-ERA Seminars 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Other audiences
Results and Impact The project research was presented at the seminars organised by the CHIST-ERA programme and synergies with other CHIST-ERA projects explored.
Year(s) Of Engagement Activity 2016,2017
URL http://www.chistera.eu/
 
Description Third ACM Workshop on Cyber-Physical Systems Security and PrivaCy (CPS-SPC) in conjunction with the ACM Conference on Computer and Communications Security (CCS) in Dallas, Texas, USA. 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Other audiences
Results and Impact Professor Rashid co-chaired the workshop that brought together international researchers to discuss key challenges and new approaches for security and privacy in cyber-physical systems, including industrial control systems.
Year(s) Of Engagement Activity 2017
URL https://cps-spc.org/