This document presents a methodology for analyzing the security of industrial control systems using a knowledge-based system called IDP. The methodology models an industrial control system in IDP's input language and uses logic rules in IDP to analyze the model and extract vulnerabilities. The methodology was tested on a real-world case study of an industrial hatchery. It allows modeling the system, users, security policies, and known vulnerabilities to check if the security policy is respected given the system design and vulnerabilities.
ENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONSIJMIT JOURNAL
This paper discusses the strengths and weaknesses of proper engineering and life cycle management on
higher level cyber security operations. Rushing innovation and increasing profits undermines the
foundations need to operate and create secure stability in IT based companies. This research argues how it
must be considered and how effective engineering processes greatly add to security even post
implementation.
For more course tutorials visit
www.tutorialrank.com
CSEC 610 Project 1 Information Systems and Identity Management
CSEC 610 Project 2 Operating Systems Vulnerabilities (Windows and Linux)
CSEC 610 Project 3 Assessing Information System Vulnerabilities and Risk
For more course tutorials visit
www.newtonhelp.com
CYB 610 Project 1 Information Systems and Identity Management
CYB 610 Project 2 Operating Systems Vulnerabilities (Windows and Linux)
CYB 610 Project 3 Assessing Information System Vulnerabilities and Risk
This Paper is Submitted to Fulfill The English 2 Task Study Program Software Engineering 4th Semester Buddhi Dharma University. Tangerang. Lecturer: Dra. Harisa Mardiana, M.Pd.
ENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONSIJMIT JOURNAL
This paper discusses the strengths and weaknesses of proper engineering and life cycle management on
higher level cyber security operations. Rushing innovation and increasing profits undermines the
foundations need to operate and create secure stability in IT based companies. This research argues how it
must be considered and how effective engineering processes greatly add to security even post
implementation.
For more course tutorials visit
www.tutorialrank.com
CSEC 610 Project 1 Information Systems and Identity Management
CSEC 610 Project 2 Operating Systems Vulnerabilities (Windows and Linux)
CSEC 610 Project 3 Assessing Information System Vulnerabilities and Risk
For more course tutorials visit
www.newtonhelp.com
CYB 610 Project 1 Information Systems and Identity Management
CYB 610 Project 2 Operating Systems Vulnerabilities (Windows and Linux)
CYB 610 Project 3 Assessing Information System Vulnerabilities and Risk
This Paper is Submitted to Fulfill The English 2 Task Study Program Software Engineering 4th Semester Buddhi Dharma University. Tangerang. Lecturer: Dra. Harisa Mardiana, M.Pd.
An Overview of Information Systems Security Measures in Zimbabwean Small and ...researchinventy
This paper reports on the Information Systems (IS) securitymeasures implemented by small and medium size enterprises (SMEs) in Zimbabwe. A survey questionnaire was distributed to 32 randomly selected participants in order to investigate the security measures and practices in their respective organisations. The results indicated that over 50% of the respondents had installed firewalls, while more than 80% carried out regular software updates and none of the respondents had intrusion detection systems. The researchers recommended that SMEs work to enhance their knowledge on the different IS threats in order to enable the implementation of preventive measures.
For more course tutorials visit
www.tutorialrank.com
CYB 610 Project 1 Information Systems and Identity Management
CYB 610 Project 2 Operating Systems Vulnerabilities (Windows and Linux)
CYB 610 Project 3 Assessing Information System Vulnerabilities and Risk
The main aim of this project is to control the cyber crimes. Cyber security incidents will cause significant financial and reputation impacts. In order to detect malicious activities, the SIEM (Security Information and Event Management) system is built. If any pre-defined use case is triggered, SOC analysts will generate OTRS in real time. So that user will be aware of threats
Security Vulnerabilities in Modern Operating SystemsCisco Canada
The Common Exposures and Vulnerabilities database has over 25 years of data on vulnerabilities in it. In this deck we dig through that database and use it to map out trends and general information on vulnerabilities in software in the last quarter century. For more information please visit our website: http://www.cisco.com/web/CA/index.html
Program Robustness is now more important than before, because of the role software programs play in our
life. Many papers defined it, measured it, and put it into context. In this paper, we explore the different
definitions of program robustness and different types of techniques used to achieve or measure it. There
are many papers about robustness. We chose the papers that clearly discuss program or software
robustness. These papers stated that program (or software) robustness indicates the absence of ungraceful
failures. There are different types of techniques used to create or measure a robust program. However,
there is still a wide space for research in this area.
Your network environment is one of the keys to the success of your business. Most business people don’t fully believe this, even after long discussions and mounds of evidence to the contrary.
A BAYESIAN CLASSIFICATION ON ASSET VULNERABILITY FOR REAL TIME REDUCTION OF F...IJNSA Journal
IT assets connected on internetwill encounter alien protocols and few parameters of protocol process are exposed as vulnerabilities. Intrusion Detection Systems (IDS) are installed to alerton suspicious traffic or activity. IDS issuesfalse positives alerts, if any behavior construe for partial attack pattern or the IDS lacks environment knowledge. Continuous monitoring of alerts to evolve whether, an alert is false positive or not is a major concern. In this paper we present design of an external module to IDS,to identify false positive alertsbased on anomaly based adaptive learning model. The novel feature of this design is that the system updates behavior profile of assets and environment with adaptive learning process.A mixture model is used for behavior modeling from reference data. The design of the detection and learning process are based on normal behavior and of environment. The anomaly alert identification algorithm isbuiltonSparse Markov Transducers (SMT) based probability.The total process is presented using real-time data. The Experimental results are validated and presentedwith reference to lab environment.
13421ijmit03Engineering Life Cycle Enables Penetration Testing and Cyber Oper...IJMIT JOURNAL
This paper discusses the strengths and weaknesses of proper engineering and life cycle management on
higher level cyber security operations. Rushing innovation and increasing profits undermines the
foundations need to operate and create secure stability in IT based companies. This research argues how it
must be considered and how effective engineering processes greatly add to security even post
implementation.
We have evolved an IT system that is ubiquitous and pervasive and integrated into most aspects of our lives. Many of us are working on 4th and 5th level refinements in efficiency and functionality. But, we stand on the shoulders of those who came before and this restricts our freedom of action. The prior work has left us with an ecosystem which is the living embodiment
of our state-of-the-art. While we work on integration, refinement, broader application and efficiency, the results must move seamlessly into the ecosystem. Fundamental concepts are
being researched in the lab and may rebuild the world we all live in, until that happens, we must work within the ecosystem.
An Overview of Information Systems Security Measures in Zimbabwean Small and ...researchinventy
This paper reports on the Information Systems (IS) securitymeasures implemented by small and medium size enterprises (SMEs) in Zimbabwe. A survey questionnaire was distributed to 32 randomly selected participants in order to investigate the security measures and practices in their respective organisations. The results indicated that over 50% of the respondents had installed firewalls, while more than 80% carried out regular software updates and none of the respondents had intrusion detection systems. The researchers recommended that SMEs work to enhance their knowledge on the different IS threats in order to enable the implementation of preventive measures.
For more course tutorials visit
www.tutorialrank.com
CYB 610 Project 1 Information Systems and Identity Management
CYB 610 Project 2 Operating Systems Vulnerabilities (Windows and Linux)
CYB 610 Project 3 Assessing Information System Vulnerabilities and Risk
The main aim of this project is to control the cyber crimes. Cyber security incidents will cause significant financial and reputation impacts. In order to detect malicious activities, the SIEM (Security Information and Event Management) system is built. If any pre-defined use case is triggered, SOC analysts will generate OTRS in real time. So that user will be aware of threats
Security Vulnerabilities in Modern Operating SystemsCisco Canada
The Common Exposures and Vulnerabilities database has over 25 years of data on vulnerabilities in it. In this deck we dig through that database and use it to map out trends and general information on vulnerabilities in software in the last quarter century. For more information please visit our website: http://www.cisco.com/web/CA/index.html
Program Robustness is now more important than before, because of the role software programs play in our
life. Many papers defined it, measured it, and put it into context. In this paper, we explore the different
definitions of program robustness and different types of techniques used to achieve or measure it. There
are many papers about robustness. We chose the papers that clearly discuss program or software
robustness. These papers stated that program (or software) robustness indicates the absence of ungraceful
failures. There are different types of techniques used to create or measure a robust program. However,
there is still a wide space for research in this area.
Your network environment is one of the keys to the success of your business. Most business people don’t fully believe this, even after long discussions and mounds of evidence to the contrary.
A BAYESIAN CLASSIFICATION ON ASSET VULNERABILITY FOR REAL TIME REDUCTION OF F...IJNSA Journal
IT assets connected on internetwill encounter alien protocols and few parameters of protocol process are exposed as vulnerabilities. Intrusion Detection Systems (IDS) are installed to alerton suspicious traffic or activity. IDS issuesfalse positives alerts, if any behavior construe for partial attack pattern or the IDS lacks environment knowledge. Continuous monitoring of alerts to evolve whether, an alert is false positive or not is a major concern. In this paper we present design of an external module to IDS,to identify false positive alertsbased on anomaly based adaptive learning model. The novel feature of this design is that the system updates behavior profile of assets and environment with adaptive learning process.A mixture model is used for behavior modeling from reference data. The design of the detection and learning process are based on normal behavior and of environment. The anomaly alert identification algorithm isbuiltonSparse Markov Transducers (SMT) based probability.The total process is presented using real-time data. The Experimental results are validated and presentedwith reference to lab environment.
13421ijmit03Engineering Life Cycle Enables Penetration Testing and Cyber Oper...IJMIT JOURNAL
This paper discusses the strengths and weaknesses of proper engineering and life cycle management on
higher level cyber security operations. Rushing innovation and increasing profits undermines the
foundations need to operate and create secure stability in IT based companies. This research argues how it
must be considered and how effective engineering processes greatly add to security even post
implementation.
We have evolved an IT system that is ubiquitous and pervasive and integrated into most aspects of our lives. Many of us are working on 4th and 5th level refinements in efficiency and functionality. But, we stand on the shoulders of those who came before and this restricts our freedom of action. The prior work has left us with an ecosystem which is the living embodiment
of our state-of-the-art. While we work on integration, refinement, broader application and efficiency, the results must move seamlessly into the ecosystem. Fundamental concepts are
being researched in the lab and may rebuild the world we all live in, until that happens, we must work within the ecosystem.
How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy...Schneider Electric
Federal agencies are moving their industrial control systems (ICS) from operational business networks to separate, dedicated networks in order to enhance security. However, without a system to test the new equipment and software coming into these separate networks, security risks will persist. This paper explores the impact on security of instituting a sanctioned ICS test lab and recommends best practices for setting up and operating these labs.
IJERA (International journal of Engineering Research and Applications) is International online, ... peer reviewed journal. For more detail or submit your article, please visit www.ijera.com
Running head UNPATCHED CLIENT SOFTWAREUNPATCHED CLIENT SOFTWARE.docxtodd521
Running head: UNPATCHED CLIENT SOFTWARE
UNPATCHED CLIENT SOFTWARE
Unpatched Client Software
Abstract
The best laid plans never make it through actual contact with the enemy; the same goes for defending networks. This paper examines how unpatched client software can significantly affect organizations. How many times have people ignored the update notification on their systems? How would an everyday user know that the update they are ignoring is critical to the security of their system? There are factors that come with patching a system that for some reason organizations are not understanding. As a result, their systems are being exploited by out of date exploits that should not be an issue. In addition, the paper also offers solutions to reduce vulnerabilities. The intent is to reduce attack vectors for adversaries and to deter them by making entering the network so agonizing that they decide to find a new target.
Information Technology (IT) managers are faced with an ever changing battleground; a battleground that is both logical and physical. This field is inundated by threats and vulnerabilities that must be mitigated or prevented by IT managers; there is also a fundamental difference between threats and vulnerabilities, which will be discussed later. Though several threats and vulnerabilities will be discussed, the single most important cybersecurity vulnerability facing IT managers today is unpatched client software. Methods for prevention of exploitation of vulnerabilities, and potential financial losses will be examined as well.
First, defining a threat: threats to systems involve deliberate malicious intent, sabotage, or human error (Vacca, 2013, p.380). In other words, a threat is an outside source propagating itself to vulnerable systems. Threats give rise to security risks by exploiting weaknesses. For example, a famous cyber attack conducted by Russia on Georgia in 2008. Russian zombie computers conducted distributed denial of service attacks (DDOS) on Georgia’s servers (Dinicu, 2014, p.111). The threat in this case is Russia having deliberate malicious intent to degrade or deny Georgia’s networks. In addition, the DDOS attack exploited the vulnerable server’s in Georgia that could not mitigate the unprecedented amount of fake requests being sent.
Another instance of a well-known cyber threat is Stuxnet, which was a worm that was used in 2010. This malware was believed to be backed by a nation state because of its sophistication. The worm targeted Iran’s industrial facilities that were connected to its nuclear program (Fildes, 2015). The worm targeted the specific programmable logic control software that controlled uranium enrichment centrifuges.
The image above explains how Stuxnet operates (Kushner, 2013).
Stuxnet was one of the largest threats to systems, and there are still variants of it out on the internet. The takeaway here is that Stuxnet was a threat because of it’s deliberate .
A UML Profile for Security and Code Generation IJECEIAES
Recently, many research studies have suggested the integration of safety engineering at an early stage of modeling and system development using Model-Driven Architecture (MDA). This concept consists in deploying the UML (Unified Modeling Language) standard as aprincipal metamodel for the abstractions of different systems. To our knowledge, most of this work has focused on integrating security requirements after the implementation phase without taking them into account when designing systems. In this work, we focused our efforts on non-functional aspects such as the business logic layer, data flow monitoring, and high-quality service delivery. Practically, we have proposed a new UML profile for security integration and code generation for the Java platform. Therefore, the security properties will be described by a UML profile and the OCL language to verify the requirements of confidentiality, authorization, availability, data integrity, and data encryption. Finally, the source code such as the application security configuration, the method signatures and their bodies, the persistent entities and the security controllers generated from sequence diagram of system’s internal behavior after its extension with this profile and applying a set of transformations.
International Journal of Engineering and Science Invention (IJESI) is an international journal intended for professionals and researchers in all fields of computer science and electronics. IJESI publishes research articles and reviews within the whole field Engineering Science and Technology, new teaching methods, assessment, validation and the impact of new technologies and it will continue to provide information on the latest trends and developments in this ever-expanding subject. The publications of papers are selected through double peer reviewed to ensure originality, relevance, and readability. The articles published in our journal can be accessed online.
EMPLOYEE TRUST BASED INDUSTRIAL DEVICE DEPLOYMENT AND INITIAL KEY ESTABLISHMENTIJNSA Journal
An efficient key management system is required to support cryptography. Most key management systems use either pre-installed shared keys or install initial security parameters using out-of-band channels. These methods create an additional burden for engineers who manage the devices in industrial plants. Hence, device deployment in industrial plants becomes a challenging task in order to achieve security. In this work, we present a device deployment framework that can support key management using the existing trust towards employees in a plant. This approach reduces the access to initial security parameters by employees; rather it helps to bind the trust of the employee with device commissioning. Thus, this approach presents a unique solution to the device deployment problem. Further, through a proof-of-concept implementation and security analysis using the AVISPA tool, we present that our framework is feasible to implement and satisfies our security objectives.
EMPLOYEE TRUST BASED INDUSTRIAL DEVICE DEPLOYMENT AND INITIAL KEY ESTABLISHMENTIJNSA Journal
An efficient key management system is required to support cryptography. Most key management systems use either pre-installed shared keys or install initial security parameters using out-of-band channels. These methods create an additional burden for engineers who manage the devices in industrial plants. Hence, device deployment in industrial plants becomes a challenging task in order to achieve security. In this work, we present a device deployment framework that can support key management using the existing trust towards employees in a plant. This approach reduces the access to initial security parameters by employees; rather it helps to bind the trust of the employee with device commissioning. Thus, this approach
presents a unique solution to the device deployment problem. Further, through a proof-of-concept implementation and security analysis using the AVISPA tool, we present that our framework is feasible to implement and satisfies our security objectives.
An efficient key management system is required to support cryptography. Most key management systems use either pre-installed shared keys or install initial security parameters using out-of-band channels. These methods create an additional burden for engineers who manage the devices in industrial plants. Hence, device deployment in industrial plants becomes a challenging task in order to achieve security. In this work, we present a device deployment framework that can support key management using the existing trust towards employees in a plant. This approach reduces the access to initial security parameters by employees; rather it helps to bind the trust of the employee with device commissioning. Thus, this approach presents a unique solution to the device deployment problem. Further, through a proof-of-concept implementation and security analysis using the AVISPA tool, we present that our framework is feasible to implement and satisfies our security objectives.
Include at least 250 words in your posting and at least 250 words inmaribethy2y
Include at least 250 words in your posting and at least 250 words in your reply. Indicate at least one source or reference in your original post. Please see syllabus for details on submission requirements.
Module 1 Discussion Question
Search "scholar.google.com" for a company, school, or person that has been the target of a network
or system intrusion? What information was targeted? Was the attack successful? If so, what changes
were made to ensure that this vulnerability was controlled? If not, what mechanisms were in-place to protect against the intrusion.
Reply-1(Shravan)
Introduction:
Interruption location frameworks (IDSs) are programming or equipment frameworks that robotize the way toward observing the occasions happening in a PC framework or system, examining them for indications of security issues. As system assaults have expanded in number and seriousness in the course of recent years, interruption recognition frameworks have turned into an essential expansion to the security foundation of generally associations. This direction archive is planned as a preliminary in interruption recognition, created for the individuals who need to comprehend what security objectives interruption location components serve, how to choose and design interruption discovery frameworks for their particular framework and system situations, how to deal with the yield of interruption identification frameworks, and how to incorporate interruption recognition capacities with whatever remains of the authoritative security foundation. References to other data sources are likewise accommodated the peruse who requires particular or more point by point guidance on particular interruption identification issues.
In the most recent years there has been an expanding enthusiasm for the security of process control and SCADA frameworks. Moreover, ongoing PC assaults, for example, the Stunt worm, host appeared there are gatherings with the inspiration and assets to viably assault control frameworks.
While past work has proposed new security components for control frameworks, few of them have investigated new and in a general sense distinctive research issues for anchoring control frameworks when contrasted with anchoring conventional data innovation (IT) frameworks. Specifically, the complexity of new malware assaulting control frameworks - malware including zero-days assaults, rootkits made for control frameworks, and programming marked by confided in declaration specialists - has demonstrated that it is exceptionally hard to avert and identify these assaults dependent on IT framework data.
In this paper we demonstrate how, by joining information of the physical framework under control, we can distinguish PC assaults that change the conduct of the focused on control framework. By utilizing information of the physical framework we can center around the last goal of the assault, and not on the specific instruments of how vulnerabilities are misused, and how ...
3.0 Project 2_ Developing My Brand Identity Kit.pptxtanyjahb
A personal brand exploration presentation summarizes an individual's unique qualities and goals, covering strengths, values, passions, and target audience. It helps individuals understand what makes them stand out, their desired image, and how they aim to achieve it.
Buy Verified PayPal Account | Buy Google 5 Star Reviewsusawebmarket
Buy Verified PayPal Account
Looking to buy verified PayPal accounts? Discover 7 expert tips for safely purchasing a verified PayPal account in 2024. Ensure security and reliability for your transactions.
PayPal Services Features-
🟢 Email Access
🟢 Bank Added
🟢 Card Verified
🟢 Full SSN Provided
🟢 Phone Number Access
🟢 Driving License Copy
🟢 Fasted Delivery
Client Satisfaction is Our First priority. Our services is very appropriate to buy. We assume that the first-rate way to purchase our offerings is to order on the website. If you have any worry in our cooperation usually You can order us on Skype or Telegram.
24/7 Hours Reply/Please Contact
usawebmarketEmail: support@usawebmarket.com
Skype: usawebmarket
Telegram: @usawebmarket
WhatsApp: +1(218) 203-5951
USA WEB MARKET is the Best Verified PayPal, Payoneer, Cash App, Skrill, Neteller, Stripe Account and SEO, SMM Service provider.100%Satisfection granted.100% replacement Granted.
What are the main advantages of using HR recruiter services.pdfHumanResourceDimensi1
HR recruiter services offer top talents to companies according to their specific needs. They handle all recruitment tasks from job posting to onboarding and help companies concentrate on their business growth. With their expertise and years of experience, they streamline the hiring process and save time and resources for the company.
VAT Registration Outlined In UAE: Benefits and Requirementsuae taxgpt
Vat Registration is a legal obligation for businesses meeting the threshold requirement, helping companies avoid fines and ramifications. Contact now!
https://viralsocialtrends.com/vat-registration-outlined-in-uae/
Digital Transformation and IT Strategy Toolkit and TemplatesAurelien Domont, MBA
This Digital Transformation and IT Strategy Toolkit was created by ex-McKinsey, Deloitte and BCG Management Consultants, after more than 5,000 hours of work. It is considered the world's best & most comprehensive Digital Transformation and IT Strategy Toolkit. It includes all the Frameworks, Best Practices & Templates required to successfully undertake the Digital Transformation of your organization and define a robust IT Strategy.
Editable Toolkit to help you reuse our content: 700 Powerpoint slides | 35 Excel sheets | 84 minutes of Video training
This PowerPoint presentation is only a small preview of our Toolkits. For more details, visit www.domontconsulting.com
Skye Residences | Extended Stay Residences Near Toronto Airportmarketingjdass
Experience unparalleled EXTENDED STAY and comfort at Skye Residences located just minutes from Toronto Airport. Discover sophisticated accommodations tailored for discerning travelers.
Website Link :
https://skyeresidences.com/
https://skyeresidences.com/about-us/
https://skyeresidences.com/gallery/
https://skyeresidences.com/rooms/
https://skyeresidences.com/near-by-attractions/
https://skyeresidences.com/commute/
https://skyeresidences.com/contact/
https://skyeresidences.com/queen-suite-with-sofa-bed/
https://skyeresidences.com/queen-suite-with-sofa-bed-and-balcony/
https://skyeresidences.com/queen-suite-with-sofa-bed-accessible/
https://skyeresidences.com/2-bedroom-deluxe-queen-suite-with-sofa-bed/
https://skyeresidences.com/2-bedroom-deluxe-king-queen-suite-with-sofa-bed/
https://skyeresidences.com/2-bedroom-deluxe-queen-suite-with-sofa-bed-accessible/
#Skye Residences Etobicoke, #Skye Residences Near Toronto Airport, #Skye Residences Toronto, #Skye Hotel Toronto, #Skye Hotel Near Toronto Airport, #Hotel Near Toronto Airport, #Near Toronto Airport Accommodation, #Suites Near Toronto Airport, #Etobicoke Suites Near Airport, #Hotel Near Toronto Pearson International Airport, #Toronto Airport Suite Rentals, #Pearson Airport Hotel Suites
Affordable Stationery Printing Services in Jaipur | Navpack n PrintNavpack & Print
Looking for professional printing services in Jaipur? Navpack n Print offers high-quality and affordable stationery printing for all your business needs. Stand out with custom stationery designs and fast turnaround times. Contact us today for a quote!
Kseniya Leshchenko: Shared development support service model as the way to ma...Lviv Startup Club
Kseniya Leshchenko: Shared development support service model as the way to make small projects with small budgets profitable for the company (UA)
Kyiv PMDay 2024 Summer
Website – www.pmday.org
Youtube – https://www.youtube.com/startuplviv
FB – https://www.facebook.com/pmdayconference
Tata Group Dials Taiwan for Its Chipmaking Ambition in Gujarat’s DholeraAvirahi City Dholera
The Tata Group, a titan of Indian industry, is making waves with its advanced talks with Taiwanese chipmakers Powerchip Semiconductor Manufacturing Corporation (PSMC) and UMC Group. The goal? Establishing a cutting-edge semiconductor fabrication unit (fab) in Dholera, Gujarat. This isn’t just any project; it’s a potential game changer for India’s chipmaking aspirations and a boon for investors seeking promising residential projects in dholera sir.
Visit : https://www.avirahi.com/blog/tata-group-dials-taiwan-for-its-chipmaking-ambition-in-gujarats-dholera/
Putting the SPARK into Virtual Training.pptxCynthia Clay
This 60-minute webinar, sponsored by Adobe, was delivered for the Training Mag Network. It explored the five elements of SPARK: Storytelling, Purpose, Action, Relationships, and Kudos. Knowing how to tell a well-structured story is key to building long-term memory. Stating a clear purpose that doesn't take away from the discovery learning process is critical. Ensuring that people move from theory to practical application is imperative. Creating strong social learning is the key to commitment and engagement. Validating and affirming participants' comments is the way to create a positive learning environment.
1. Extracting Vulnerabilities in Industrial Control
Systems using a Knowledge-Based System
Laurens Lemaire
KU Leuven, MSEC, iMinds-DistriNet
Department of Computer Science
Gebroeders Desmetstraat 1, 9000 Ghent, Belgium
laurens.lemaire@cs.kuleuven.be
Jan Vossaert
KU Leuven, MSEC, iMinds-DistriNet
Department of Computer Science
Gebroeders Desmetstraat 1, 9000 Ghent, Belgium
jan.vossaert@cs.kuleuven.be
Joachim Jansen
KU Leuven
Department of Computer Science
Celestijnenlaan 200A, 3001 Heverlee, Belgium
joachim.jansen@cs.kuleuven.be
Vincent Naessens
KU Leuven, MSEC, iMinds-DistriNet
Department of Computer Science
Gebroeders Desmetstraat 1, 9000 Ghent, Belgium
vincent.naessens@cs.kuleuven.be
Industrial Control Systems (ICS) are used for monitoring and controlling critical infrastructures such as
power stations, waste water treatment facilities, traffic lights, and many more. Lately, these systems have
become a popular target for cyber attacks. Both during their design and while operational, security is often
an afterthought, leaving them vulnerable to all sorts of attacks.
This paper presents a formal approach for analysing the security of Industrial Control Systems. A
knowledge-based system, namely IDP, is used to analyse a model of the control system and extract system
vulnerabilities. In this paper we present the input model of the methodology and the inferences and queries
that allow the system to extract vulnerabilities. This methodology has been added to an existing framework
where the user can model his system in the modeling language SysML. This SysML model then gets parsed
into suitable IDP input. A fully working prototype has been developed and the approach has been validated
on a real case study.
Industrial Control Systems Security, Critical Infrastructure Protection, Formal Modeling, IDP
1. INTRODUCTION
Industrial control systems used to be isolated,
proprietary systems. The only security concern was
physical access to the system. With the evolution
of IT in these last decades, this is no longer
true. ICS now often consist of Commercial Off-The-
Shelf (COTS) components, and are connected to a
company network and the internet. These changes
have made them easier to use, but also more
vulnerable to attacks ENISA (2011).
Typical IT solutions are not always applicable
to these systems. Their critical nature introduces
additional requirements such as high determinism
and response times. Reliability of the network is
more important than in most IT applications. For
these reasons, applying patches to fix vulnerabilities
is not always possible, especially if they require
a reboot of the system Tom et al. (2008). Patch
management is often an important aspect of
maintaining ICS.
Due to their critical nature, attacks on these systems
could have disastrous consequences. Previous
attacks on ICS illustrate this. Famous examples
are the Maroochy Shire sewage spill in Australia
Abrams and Weiss (2008), and the Stuxnet worm
in Iran Matrosov et al. (2011); Falliere et al. (2011).
The former caused 800.000 litres of raw sewage to
spill into local parks and rivers, the latter was used to
sabotage the fuel enrichment plant of Natanz in Iran.
Langner (2013).
The Stuxnet worm was discovered in 2010. Industrial
control system security has been a popular research
topic since. Organisations such as NIST/ISA/ISO
have produced security standards and guidelines for
adequately protecting these systems Stouffer et al.
(2015); ANSI/ISA (2013); ISO/IEC (2008). This work
presents a tool that performs a security analysis
of an ICS model based on these standards and
guidelines. The modeling is done in SysML, while
the analysis is done using the Imperative Declarative
Programming (IDP) framework.
c
The Authors. Published by BISL. 1
Proceedings of the 3rd
International Symposium for ICS & SCADA Cyber Security Research 2015
2. TBD
Lemaire • Vossaert • Jansen • Naessens
Contribution. This paper presents a model-based ap-
proach for the security analysis of industrial control
systems. The control systems are represented as
IDP instances. A logic theory inside the IDP frame-
work then extracts vulnerabilities from the system.
Vulnerability databases are included in the input
model to extract vulnerabilities at the component
level. Rules in the logic theory assess what the
impact of these component vulnerabilities is at the
system level. The methodology gives feedback about
the implications related to security in various set-
tings, for instance attackers of different skill levels
can be modeled. The security aspects we currently
focus on are authorization and authentication. Our
system checks if a provided policy specification is
respected by the control system. For instance if the
policy specifies that a certain user should not be able
to modify a parameter in the system, it is checked
whether this is actually the case. A prototype of the
tool has been created and has been validated on a
real case study.
This logic has been added to a framework which
allows the user to model the system with SysML,
the Systems Modelling Language. The resulting XML
file gets parsed to input that is accepted by the IDP
framework. Then the security evaluation takes place
Lemaire et al. (2014).
Outline. The structure of this paper is as follows.
Section 2 gives an overview of related work. Our
case study, which will be used throughout the
remainder of this paper, is presented in Section 3.
Section 4 details the approach and introduces the
IDP system. In Section 5 we discuss the input model
that will formally represent the industrial control
systems in IDP. Section 6 contains the inferences
and queries that are used to extract vulnerabilities.
The validation on our case study is presented in
Section 7. Finally, Section 8 concludes the paper and
contains future work.
2. RELATED WORK
In Pai and Bechta Dugan (2002), the authors use
UML system models to automatically create dynamic
fault trees (DFTs). These DFTs are then analysed to
compute the reliability of a system. Our methodology
applies a similar approach. We use the Systems
Modeling Language (SysML) instead of UML. SysML
extends UML with several new or modified diagrams
and is more suited for modeling systems or systems-
of-systems. Further, our approach does not aim to
draw conclusions regarding reliability, but focuses
on security instead. Currently there is a lack of
attention for system security in model-based system
engineering, as discussed in Oates et al. (2013). Our
tool fills this gap.
Other tools exist that perform a security analysis
on industrial control systems. CySeMoL estimates
the probability that attacks succeed against an
enterprise system Sommestad et al. (2013, 2010).
Similar to our method, CySeMoL allows users to
change their system architecture and view the
resulting changes on the attack probabilities. For
their attack probabilities, CySeMoL assumes that the
attacker is a penetration tester who only has access
to public tools. More powerful attackers must be
considered. Our tool also incorporates vulnerability
databases to extract vulnerabilities at the software
and hardware level.
The ADVISE security modeling formalism
LeMay et al. (2011) establishes which way an
attacker is most likely to go about attacking
a system. To this end, both the system and
the attacker are modeled. ADVISE has been
implemented in the Möbius framework Ford et al.
(2013) to make use of its modeling formalisms
and solution techniques. ADVISE does not draw
from vulnerability databases, it assumes the
vulnerabilities in the system are already known. Our
tool attempts to find such vulnerabilities and could
hence be used in combination with ADVISE.
The result of our system analysis is also different
from the one in the above tools. ADVISE and
CySeMoL calculate the probability that certain
attacker goals can be reached. Our approach will
check whether a provided policy specification holds
true in the industrial control system. The modeler
will submit a policy matrix detailing which users can
do certain operations on the process parameters.
Our logic component will then check whether this
specification holds true in the control system. If this
is not the case, traces will be returned to detail which
vulnerabilities or component properties cause the
specification to not hold true.
Tools exist that take vulnerability databases into
account, but these focus mainly on network security
and are not tailored to ICS. For instance MulVAL
Ou et al. (2005) is a tool that models networks in
Datalog to perform a network vulnerability analysis.
The tool uses an OVAL scanner to find reported
software vulnerabilities in a network and returns their
impact on the system.
A similar tool is Cauldron Jajodia et al. (2011).
Cauldron contains several vulnerability databases,
such as NIST’s National Vulnerability Database
(NVD), the Bugtraq security database, Symantec
Deepsight, etc. It integrates with vulnerability
scanners such as Nessus, Retina, and Foundscan,
to populate its network model. Cauldron draws
on these sources to find the vulnerabilities in
2
3. TBD
Lemaire • Vossaert • Jansen • Naessens
a network and automatically generates mitigation
recommendations.
Both MulVAL and Cauldron focus on network secu-
rity. Our tool is aimed at industrial control systems,
the vulnerability databases we draw from reflect
this. Currently our logic theory only contains the
ICS-CERT vulnerability database, which contains
vulnerabilities in ICS components (PLCs, industrial
operating systems, HMIs, historians, . . . ). More vul-
nerability databases will be incorporated later.
3. AN INDUSTRIAL HATCHERY
The approach presented in this paper has been
tested on a real case study. The case study is a
hatchery. The incubators used in this hatchery are
manufactured by one of our industry partners.
The hatchery consists of sixteen incubators, twelve
setters and four hatchers. Each incubator can hold
up to 115200 eggs. Eggs are initially put in one of
the setter incubators, where they are turned hourly.
Then they get transferred to the hatcher incubators
to hatch. Each incubator consists of various sensors
and actuators that are connected to a PLC. At
the front of the incubator a touchscreen is used
for monitoring and controlling the parameters. Each
incubator room has a switch that all PLCs in that
room are connected to. This switch is connected to
a wireless router which can be used for accessing
the incubators with a mobile device, using an app
that can take control of the touchscreens. The
room switches are all connected to a switch in a
centralized location. In this location we also find a
server that is used by the manufacturer to connect to
the hatchery remotely. There is also an industrial PC
that logs all the data and can be used to control all
incubators.
The touchscreens and industrial PC utilise role
based access control. There are currently four
different types of users in the hatchery. The least
privileged users can look at the different parameters,
but not change them. Additionally, they can reset
the incubator alarms or turn off the sound. This is
meant for cleaning personnel and technicians. The
second lowest level is used by the operators of the
hatchery. This usergroup can change all parameters
of the incubators, including the temperature settings,
humidity, CO2 levels, etc. The local managers make
up the third level. They are able to do all the above,
as well as change operator passwords, export data
regarding login lists and alarms to USB, and so on.
The highest level is reserved for the manufacturer
of the incubators. When they log on remotely using
their password, they also get access to additional
information regarding errors and failures, so they can
assist when problems occur.
4. APPROACH
In this section the approach is presented. Figure 1
gives an overview of the major components of the
modeling approach.
The System Independent Modeling part consists
of the Vocabulary (V) and the Theory (T ). These
remain the same for all systems. The Vocabulary
consists of three parts, an input vocabulary to specify
the types, predicates and functions that are used in
the input model, a reasoning vocabulary that defines
the same constructs used in the theory, and finally
an output vocabulary to represent conclusions. The
theory contains the logic that will be applied to the
model to extract the vulnerabilities. There are two
sets of rules. One set is run on the input model
to expand it. A second set with queries then gets
applied to the expanded model to draw conclusions.
The Input Model (MI) consists of an ICS Model,
a User Model (MU ), a Policy Specification (MP ),
and a Vulnerability Model (MV). The ICS Model
represents the industrial control system. This is
done in three layers. At the top layer we model
the process specification, which consists of the
process parameters and operations. For instance,
each incubator has a temperature parameter which
can be modified, and an alarm that can be turned
on or off. Then we model the architecture of the
control system. This includes all the components
and the modules they consist of. An example of
a component is a supervision PC which consists
of several software modules that allow users
to control or monitor system parameters. Finally,
security mechanisms of the control system are
modeled. This currently focuses on authorization
and authentication of users and components. In the
future, this framework can easily be expanded to
include additional security properties.
In the User Model, different user groups can be
defined by the modeler. Each group gets the
appropriate credentials associated with them, and
other properties that determine how powerful they
are. For instance, which components or networks in
the system they can access. Attackers are modeled
in the same way. They can be given the same
credentials and properties as one of the user groups
to reason about internal adversaries.
The Policy Specification is a list of user permissions.
The modeler will indicate which users should be
able to do operations on system parameters. This
specification will then be checked by the logic rules.
3
4. TBD
Lemaire • Vossaert • Jansen • Naessens
Vocabulary (V)
Theory (T )
System Independent Modelling
Logic
Component
Conclusions
Structure (S)
User Model (MU )
ICS Model (MS)
Input
Model
(M
I
)
Process Specification
Parameters Operations
Individuals Credentials
Properties
Security Properties
Authorization Authentication
Architecture
Components Modules
Queries
Expansion Rules
Policy Specification (MP)
Permissions
Vulnerabilities (MV)
ICS-CERT Simulations
Figure 1: Framework for extracting vulnerabilities from industrial control systems.
The Vulnerability Model contains vulnerability
databases that will identify component vulnerabilities
in the system. Currently only the ICS-CSR database
is included, but the framework allows for other
databases to be added in the future. It is also
possible for the modeler to introduce vulnerabilities
in components to check their impact on the system
security as a whole. For example, a user can mark
a certain HMI as being vulnerable to a Denial of
Service attack, and then check if the control system
can still have its desired functionality, e.g. whether
the appropriate user groups can still read and modify
parameters they are authorized to.
The Logic Component is a logic tool that automates
the reasoning on formal models. For our work
we have chosen to use the IDP system. IDP is
a state-of-the-art declarative programming system
developed at KU Leuven. IDP supports reasoning
on expressions in a high-level formal language that
extends first-order logic, called “The IDP language”.
This language adds aggregates, partial functions,
inductive definitions, etc. to first order logic to make
it easier for users to specify their problem. IDP is
used to solve search problems using, amongst other
methods, model expansion Wittocx et al. (2008);
Bogaerts et al. (2012).
Once a control system is modeled in the IDP
framework, the logic theory can be used to expand
this model, finding a value for previously unknown
data that complies with the theory. If at least one
such expansion exists, the set of resulting models
is returned. If there is no expansion possible from
the structure that does not violate the components
in the theory, it is possible to identify which theory
components were violated by the model.
The major strength of the IDP framework is an
intuitive input language, which allows us to model
problems fluently. The use of inductive definitions,
for example, is very helpful for modeling transitive
closures and other recursive predicates.
Once the logic component has finished analysing
the model, the conclusions are returned. These are
the predicates and functions defined in the output
vocabulary.
5. SPECIFYING THE INPUT MODEL
In this section we show which information the
modeler has to input in order to analyse a particular
system. We use the hatchery from Section 3 as an
example. Not all predicates and functions are shown
here due to space limitations.
5.1. The ICS Model
The ICS Model specifies the control system. This is
split up in three parts. In the Process Specification,
the modeler lists out the Parameters and Operations.
Parameters are the variables of the environment
that the control system interacts with. For instance,
the temperature or humidity inside an incubator, the
status of incubator lights/alarms, etc. The modeler
is free to use his own naming conventions for these
parameters. Here we will refer to the temperature
of the first setter incubator as parameter T empS1,
and so on. Operations are the actions that users of
4
5. TBD
Lemaire • Vossaert • Jansen • Naessens
the system can perform on these parameters. We
consider two operations: Read and Modify.
type Parameter
Parameter = {T empS1, AlarmS1 , T empS2 , . . .}
type Operation
Operation = {Read, Modify}
In the Architecture, the physical parts of the
control system are modeled. A type SystemPart is
created which will contain all the building blocks
of the system. Type Component is a subtype of
SystemPart. Components are the basic elements of
the systems, for instance a PLC, a touchscreen, a
supervision PC, . . . .
type SystemPart
type Component isa SystemPart
Component = {PLCS1 , SwitchHatchery, . . .}
Components can consist of several software
processes, which are called modules in our model.
Consider the industrial PC that is used for monitoring
and controlling the incubators at the hatchery. In this
PC we will distinguish two modules, one to represent
the operating system (OS), and one to represent the
software process that can influence the parameters
of the control system.
type Module isa SystemPart
Module = {ControlIndP C, OSIndP C, . . .}
Modules are associated with components using a
SoftwareModule predicate:
SoftwareModule(Module, Component)
Components have their product and version informa-
tion associated with them using a predicate. This will
be used to find component vulnerabilities, which is
explained in the next section.
type Product
type V ersion
Switch(SystemPart, Product, V ersion)
Using predicates Measure and Control, components
and modules are connected to the parameters they
measure or control.
Measure(Component, Parameter)
Measure = {(AlarmSensorS1 , AlarmS1 ), . . .}
Control(Module, Parameter)
Control = {(ControlIndP C, T empS1 ), . . .}
The modeler also indicates which Networks are con-
sidered in the control system and what components
are placed in them. In this context a Network is any
collection of components that are connected to each
other and can exchange information.
Network = {NetworkHatchery, . . .}
NetworkLocation = {(PLCS1 ,
NetworkHatchery), . . .}
Finally, the relevant Security Properties are asso-
ciated with the components and modules by using
predicates. Currently the focus lies on Authentica-
tion, Authorization, and Vulnerabilities introduced by
the modeler, but the framework allows for adding
more categories of properties.
Authentication is achieved by using tokens (pass-
words, keys, . . . ). Modules get tokens associated
with them. If users possess the correct tokens, they
can authenticate themselves to these modules and
make use of their functionality.
type T oken
T oken = {PasswordIndP C , . . .}
Authentication(SystemPart, T oken)
Authorization specifies which tokens are required on
a certain module to control process parameters. For
instance, a certain password PwT echnician might give
the user access to the alarm parameters, but not the
temperature, whereas password PwManager gives
access to all.
Authorization(PwManager, ControlIndP C , T empS1 )
If a manager now successfully authenticates to the
module using PwManager, he will be able to control
the parameter. Which operations the manager can
do on this parameter is modeled in the policy
specification explained below.
5.2. The User Model
The User Model lists the users in the system and
assigns properties to them. Various Attackers of
different strength can be included in the model. They
are modelled in the same way as other users and
only differ in name.
type User
User = {T echnician, Operator, Manager,
InternalAttacker, . . .}
Credentials and properties can then be associated
with the different user groups or attackers by using
the predicates provided in the vocabulary. For
instance if we want to specify that the manager has
the password required to access the industrial PC,
the following lines are added to the model:
HasT oken(User, T oken)
HasT oken = {(Manager, PasswordIndP C ), . . .}
5
6. TBD
Lemaire • Vossaert • Jansen • Naessens
T empS1 AlarmS1 HumidityS2
T echnician R R M R
Operator R M R M R M
Manager R M R M R M
Attacker
Table 1: Part of the Policy Specification.
Similarly, other predicates allow the modeler to
specify which networks a user has access to, or
what components he can physically access. All these
predicates can also be assigned to the attackers.
5.3. The Policy Specification
The Policy Specification details the permissions of
the users. By this we mean which operations the
users should be able to do on the control system
parameters. The modeler provides this list when
modeling the system and then the logic theory will
check whether the control system complies to this
specification.
Permission(User, Parameter, Operation)
Table 1 shows a list of permissions from the hatchery
case study. This is not the full policy specification,
the full example contains too many parameters to list
here.
An attacker should not be able to read or modify
any parameters in the system. Technicians are able
to turn the incubator alarms on or off, but they are
not authorized to make any other modifications. The
operators and managers have full control over all
parameters.
5.4. The Vulnerability Model
The Vulnerability Model consists of two parts.
One part contains Vulnerability Databases that will
find Component Vulnerabilities. The other part are
vulnerabilities introduced by the modeler, allowing
the modeler to simulate attacks on the system.
Component vulnerabilities are associated with the
software or the hardware of a certain component.
For example, a certain version of a PLC might have
an error in it that causes a denial of service attack.
If this PLC is present in the control system that is
being modeled, the user should be made aware of
this vulnerability.
To make this possible, the vulnerabilities in the
ICS-CERT database have been converted into IDP
rules. The database contains alerts and advisories.
Alerts inform the user about newly discovered
vulnerabilities in ICS equipment, whereas advisories
contain fixes and mitigations. Both have been
included in IDP Lemaire et al. (2014). Additional
vulnerability databases will be included in the logic
theory in the future.
Component vulnerabilities are represented with the
following predicate:
HasV ulnerability(SystemPart, V ulnerability)
Simulation. We want the user to have the
possibility to flag components with a certain type
of vulnerability. For instance, if a user wants to find
out what would happen if a supervision PC was
vulnerable to a denial of service attack, he should
be able to flag this PC as vulnerable. This is done by
adding a simple predicate:
SimulateDoS(SystemPart)
There are several categories of component vulnera-
bilities, and they each have their Simulate predicate.
This is explained further in the next section.
6. FINDING VULNERABILITIES IN THE ICS
In this section we will focus on the rules in the Theory
that extract vulnerabilities. We show the interaction
between component and system vulnerabilities.
Component Vulnerabilities. The component vul-
nerabilities are grouped in categories which will be
used later. For instance, BufferOverflow, HeapOver-
flow, MemoryCorruption, . . . are all vulnerabilities
that can potentially cause a Denial of Service. Hence
we can group them together as follows:
∀x[SystemPart] : HasDoSV uln(x) ←
HasV ulnerability(x, BufferOverflow) ∨
HasV ulnerability(x, HeapOverflow) ∨ . . .
All component vulnerabilities are assigned to
one or more categories. Other categories include
Escalation of Privilege, Data Leakage, Bypass of
Authentication, . . . The categories are based on
the threats we currently consider in the system
vulnerability rules.
Remember the user is also able to directly
flag components as vulnerable. Both ways of
finding vulnerabilities are combined with one final
disjunction:
∀x[SystemPart] : DoS(x) ← HasDoSV uln(x) ∨
SimulateDoS(x)
Now these various categories can be used in system
vulnerabilities.
System Vulnerabilities. The vulnerabilities in the
previous section are at the component level.
6
7. TBD
Lemaire • Vossaert • Jansen • Naessens
User U
Parameter P
Network N
Module M
Component C
Access
Auth and Authorization
Location
Requirement
Control
Figure 2: A conceptual representation of parameter
accessibility.
Having an overview of which components contain
vulnerabilities is useful, but system security as a
whole is even more important. A set of rules is
present in the theory which evaluates this, we refer
to these as system rules.
Currently the system rules focus on authentication
and authorization. To give the reader a feel for these
rules, the rest of this section will give an example
of a set of system rules related to authorization
that deal with parameter accessibility. By this we
mean the ability for users to read or modify process
parameters, for example reading the temperature of
an incubator, or turning of an incubator alarm. The
desirable situation is that users are able to control the
parameters that they are authorized to control, which
is specified by the modeler in the policy specification.
Figure 2 shows the parts of the system that are
considered in this parameter accessibility example.
If a certain software module is able to control a
parameter, a credential needs to be authorized to
use the software to change said parameter, the user
must also be able to authenticate to the module, and
the user must have access to the component that
contains the module. The component containing the
module must also be able to reach the network of the
actuator that controls the parameter in order to send
commands to it.
Some of this information is taken directly from the
model and represented as predicates. These are
listed below:
- Control(Module, Parameter). This predicate
associates software modules with the param-
eters they can control. For instance, the control
module inside the Industrial PC in the hatchery
is able to change all incubator parameters, this
is represented in the structure as Control =
{(ControlIndP C, T empS1 ), . . .}.
- LocationRequirement(Parameter, Network).
A predicate that indicates what network
components have to reach in order to control
a given parameter.
- NetworkLocation(SystemPart, Network).
Associates system parts with the network they
are in.
- Authorization(Token, Module, Parameter).
This predicate lists tokens that are re-
quired to control parameters on a mod-
ule. Authorization(PwManager, ControlIndP C,
S1T ) indicates that when logging in using the
manager password on the industrial PC, it is
possible to control the temperature of setter 1.
- Authentication(SystemPart, Token). These
pairs indicate the authentication details of the
components.
The other predicates are initially empty, and get
filled up based on the information in the model.
Definitions are provided in the logic theory for filling
up these predicates. The end result is a predicate
ModifyParameter(User, SystemPart, Parameter)
which includes all triples of users that can control
parameters through a certain system part. The
definition of this predicate is provided in IDP Listing
1. The different parts are explained below.
The first three predicates on the right side of
the definition, Control(x,z), Authorization(t,x,z), and
HasToken(u,t) are simple checks on the model to
see if a user is authorized to use a certain software
module that is able to control the parameter.
Next is authentication, the definition says that
either the user can prove all credentials of
the Module (AllCredsProven(x,u)), or there
are no credentials required (NoCreds(x)).
AllCredsProven(Module,User) is defined as follows:
∀x[Module] u[User] : AllCredsProven(x, u) ←
(∀ o[T oken] : (Authentication(x, o) =⇒
HasT oken(u, o))).
In order to authenticate to a module, the system
checks which tokens are required, and then confirms
the user possesses all these tokens.
Reachable(User,Module) indicates whether a user
has access to a module. This can be either physical
access to the module or logical access from a remote
component.
(SoftwareModule(x, y) ∧
LocationRequirement(z, n)) =⇒
NetworkLocation(y, n) says that if module x is
on component y, and the parameter can only be
controlled from network n, then component y must
be in network n to modify the parameter using
module x.
7
8. TBD
Lemaire • Vossaert • Jansen • Naessens
∀x[Module], y[Component], z[Parameter], u[User], n[Network]t[T oken] : ModifyParameter(u, x, z) ←
Control(x, z) ∧ Authorization(t, x, z) ∧ HasT oken(u, t) ∧ (AllCredsProven(x, u) ∨ (NoCreds(x)∧
Reachable(u, x))) ∧ ((SoftwareModule(x, y) ∧ LocationRequirement(z, n)) ⇒ NetworkLocation(y, n))
∧¬(DoS(x)).
IDP Listing 1: The definition for parameter accessibility.
Finally, if there are component vulnerabilities that
allow an attacker to take down a module by
performing a Denial of Service (DoS) attack, it is
possible that the module can not be used, and hence
the user can not reach the parameter through the
module. This is represented by DoS(x).
Queries. Once the definitions have completed all
the predicates and the model is fully expanded, it
is possible to check whether certain properties hold.
A second theory contains logic rules that do exactly
this. These rules are referred to as queries.
For the above example, we could check whether the
triples in ModifyParameter are consistent with the
policy specification submitted by the modeler. This
would indicate that no unauthorized users are able
to change parameters, and the authorized users can.
Such a query is constructed as follows:
∀u[User] s[SystemPart] p[Parameter]
: ModifyParameter(u, s, p) ⇒
Permission(u, p, ”Modify”).
Other queries check various other security proper-
ties of the model, e.g. whether users have access to
networks they should not have access to, or physical
access to protected components; whether users can
change device configurations they are not authorized
to, etc.
When IDP evaluates and there are no models that
satisfy the queries, it can be asked to print a minimal
subset of the given theory that is unsatisfiable given
the structure. It is shown step by step how a rule in
the theory fails. This allows an operator to identify
which vulnerabilities are critical when it comes to
system security. The printing is achieved by adding
the printcore(theory,structure) command in the main
call.
7. EVALUATION
The case study from Section 3 has been modeled
and analysed in IDP. Several vulnerabilities were
found.
Our modeling approach works in two iterations.
During the first iteration, we use our logic rules
to complete all the predicates in the model. This
includes the HasVulnerability predicate, hence we
already identify component vulnerabilities during this
iteration. Then, during a second iteration, the queries
are run on this completed model, to find security
vulnerabilities at the system level.
No component vulnerabilities were found. None of
the components used in this hatchery are present in
the vulnerability databases that are checked.
At the system level, an authorization vulnerability
was found. The HMI touchscreens on the incuba-
tors have role-based access control implemented.
However, the PLCs they are connected to do not.
If an attacker finds a way to overwrite flags in the
PLC directly, he can change the parameters of the
incubators without being authorized to do so. The
PLC programming software provides such a way.
The PLC manufacturer provides a free trial download
of the programming software on their website. Some
basic registration is required, but anyone can access
the software. It is then sufficient to get access to
the network the target PLC is part of, and know the
PLC IP address. Various network scanners can be
used to find out the IP address. Once known, the
programming software can be used to change this
PLC directly.
The way our tool inferred this vulnerability is
illustrated in the following listings. The query that is
violated is shown in IDP Listing 2, which states that
users should only be able to change a configuration
of a module, if they have the authorization to use that
module for modifying parameters. When the query
fails, the trace in IDP Listing is returned, allowing the
user to infer why the query has failed. In this case, we
see that the configuration of setter 1 can be changed
by technicians, allowing them to change parameters
of this setter, which they are not authorized to do.
The system has inferred the fact that technicians can
change this configuration by noting that they have
network access to the hatchery network, and access
to the PLC programming software.
The full evaluation process takes 2.24 seconds.
The runtime scales well with more rules or bigger
systems, always finishing in less than 3 seconds.
8
9. TBD
Lemaire • Vossaert • Jansen • Naessens
n
∀u, p, c : (ChangeConfig(u, c) ∧ ConfigAffects(c, p)) ⇒ Permission(u, p, ”Modify”).
o
IDP Listing 2: The IDP query that was not satisfied
>>> Generating an unsatisfiable subset of the given theory.
>>> Unsatisfiable subset found, trying to reduce its size (might take some time,
can be interrupted with ctrl-c.
The following is an unsatisfiable subset, given that functions can map to at most
one element (and exactly one if not partial) and the interpretation of types and
symbols in the structure:
(~(ChangeConfig("Technician","ConfigurationS1") &
ConfigAffects("ConfigurationS1","TempS1")) | (
Permission("Technician","TempS1","Modify"))) instantiated from line 360
with c="ConfigurationS1", p="TempS1", u="Technician".
Elapsed time to find models : 2.24 sec
IDP Listing 3: The final lines of the output, showing the trace of the failed model
This approach has been added to the framework
described in Lemaire et al. (2014). The framework
allows the user to model the control system in SysML
rather than straight in IDP, which can be useful for
complex systems. A parser has been written that
is able to convert a SysML model XML file into the
correct input for the IDP system.
8. CONCLUSIONS
This paper presents a tool that automates the
security analysis of industrial control systems. The
approach uses modeling and formal reasoning
to accomplish its goal. A logic theory in a
knowledge-based system extracts vulnerabilities on
a component and system level. The rules in the
logic theory are taken from vulnerability databases
and ICS security standards and guidelines. Once
the vulnerabilities are extracted, the user can
change the model accordingly to reason about the
effects of component changes or newly introduced
vulnerabilities on system security.
A first version of the tool is ready and has been
tested on a real case study.
Currently the results are being displayed in a text
file as standard IDP output. Future work will include
representing the vulnerabilities in a SysML diagram
that is part of the model. There are also additional
sets of system rules that still need to be included in
the logic theory.
REFERENCES
Abrams, M. and J. Weiss (2008). Malicious
control system cyber security attack case study–
maroochy water services, australia.
ANSI/ISA (2013). Ansi/isa-62443-3-3 (99.03.03)-
2013 security for industrial automation and control
systems part 3-3: System security requirements
and security levels.
Bogaerts, B., B. De Cat, S. De Pooter, and
M. Denecker (2012). The idp framework reference
manual.
ENISA (2011). Protecting industrial control systems:
Recommendations for europe and member states.
Falliere, N., L. Murchu, and E. Chien (2011).
W32.Stuxnet Dossier.
Ford, M. D., K. Keefe, E. LeMay, W. H. Sanders,
and C. Muehrcke (2013). Implementing the
advise security modeling formalism in möbius. In
Dependable Systems and Networks (DSN), 2013
43rd Annual IEEE/IFIP International Conference
on, pp. 1–8. IEEE.
ISO/IEC (2008). Iso/iec 21827 information technol-
ogy – security techniques – systems security en-
gineering – capability maturity model (sse-cmm).
Jajodia, S., S. Noel, P. Kalapa, M. Albanese, and
J. Williams (2011). Cauldron mission-centric
cyber situational awareness with defense in depth.
In Military Communciations Conference, 2011-
MILCOM 2011, pp. 1339–1344. IEEE.
Langner, R. (2013). To kill a centrifuge: A technical
analysis of what stuxnets creators tried to achieve.
Lemaire, L., J. Lapon, B. De Decker, and
V. Naessens (2014). A sysml extension for
security analysis of industrial control systems. In
Proceedings of the 2nd International Symposium
for ICS & SCADA Cyber Security Research, pp.
1.
9
10. TBD
Lemaire • Vossaert • Jansen • Naessens
LeMay, E., M. D. Ford, K. Keefe, W. H. Sanders,
and C. Muehrcke (2011). Model-based security
metrics using adversary view security evaluation
(advise). In Quantitative Evaluation of Systems
(QEST), 2011 Eighth International Conference on,
pp. 191–200. IEEE.
Matrosov, A., S. V. Researcher, E. Rodionov,
R. Analyst, and D. Harley (2011). Stuxnet Under
the Microscope.
NIST (2012). Guide for conducting risk assess-
ments. NIST special publication 800-30 Revision
1.
Oates, R., F. Thom, and G. Herries (2013). Security-
aware, model-based systems engineering with
sysml. In Proceedings of the 1st International
Symposium for ICS & SCADA Cyber Security
Research, pp. 78.
Ou, X., S. Govindavajhala, and A. W. Appel (2005).
Mulval: A logic-based network security analyzer.
In USENIX security.
Pai, G. J. and J. Bechta Dugan (2002). Automatic
synthesis of dynamic fault trees from uml system
models. In Software Reliability Engineering, 2002.
ISSRE 2003. Proceedings. 13th International
Symposium on, pp. 243–254. IEEE.
Sommestad, T., M. Ekstedt, and H. Holm (2013).
The cyber security modeling language: A tool for
assessing the vulnerability of enterprise system
architectures. Systems Journal, IEEE 7(3), 363–
373.
Sommestad, T., M. Ekstedt, and L. Nordström
(2010). A case study applying the cyber security
modeling language.
Stouffer, K., S. Lightman, V. Pillitteri, M. Abrams,
and A. Hahn (2015). Guide to industrial control
systems (ics) security.
Tom, S., D. Christiansen, and D. Berrett (2008).
Recommended practice for patch management of
control systems.
Wittocx, J., M. Mariën, and M. Denecker (2008).
The idp system: a model expansion system for an
extension of classical logic. In Proceedings of the
2nd Workshop on Logic and Search, pp. 153–165.
10