Ian Ferguson ([email protected]) College of Engineering and Computing: ABET Visit, Oct. 2014 Slide [1]
© Bruce McMillin May 2020
Cyber-Physical Security
Through Information Flow
Bruce McMillin
Professor and Interim Chair, Department of Computer Science
2018-2020 Distinguished Visitor
Missouri University of Science and Technology
325 Computer Science, 500 W. 15th St., Rolla, MO 65409
o/ (573) 341-6435 e/ [email protected]
Where is Missouri S&T
9 Departments, 7500 Students in Engineering
CPS
● Cyber-Physical Systems (CPS) are physical systems that are controlled and monitored through computer-based systems.
● Critical infrastructures of a nation are CPS
○ Water treatment plant
○ Smart grid
○ Manufacturing plant
○ Autonomous Vehicle
○ Airspace Management
A modern Cyber-Physical System
• Community
• Local Management
• Locally Sourced
Modern Security Domains
• Community
• Local Management
• Secure
• Locally Sourced
• Privacy Preserving
Non-Intrusive Load Monitoring
Management and Governance
• Utility?
– NISTIR 7628
• Cloud?
– NERC CIP
– Timing
• Fog?
– IoT
– Locally Managed
– Locally Protected
Cloud
Fog
Mist
Dew
Image sources:
https://electronicsofthings.com/expert-opinion/fog-computing-relevance-iot/
https://www.etsy.com/listing/559016362/there-is-no-cloud-its-just-someone-else
https://www.wired.com/story/its-time-to-think-beyond-cloud-computing/
https://www.pubnub.com/blog/moving-the-cloud-to-the-edge-computing/
http://thewallpaper.co/dew-drops-high-definition-wallpaper-download-dew-drops-images-free-wallpaper-of-windows-desktop-images-high-resolution-1920x1080/
Transactive Energy Management
More Critical need
Lesser need
Who needs Power?
Transfer Power
• Peer-to-peer transactive energy
Threats
• Physical
• Cyber
• Cyber-enabled Physical
• Physically-enabled Cyber
Stealing Plant Secrets
Firewalls
Figure Source, Manufacturers Automation, Inc.
Seems Simple, What could go wrong?
• Physical
• Cyber
• Cyber-enabled Physical
• Physically-enabled Cyber
SCADA System - from National Academies
• Centralized Supervisory Control And Data Acquisition (SCADA)
• Electric Utility Control
Figure: Business Network (label A); EMS (Energy Management System), with "Data to market and other systems" leaving it; SCADA (Supervisory Control and Data Acquisition); System Control Center; Messages to three RTUs (Remote Terminal Units), each attached to Sensors, Actuators, etc.
Source: Computer Security: Art and Science, Matt Bishop, ©2002-2004, slide #6-22 (June 1, 2004)
Biba Model - 1975
• Integrity Levels:
• The higher the level, the more confidence
– That a program will execute correctly
– That data is accurate and/or reliable
• Note relationship between integrity and trustworthiness
• Important point: integrity levels are not security levels
Source: Computer Security: Art and Science, Matt Bishop, ©2002-2004, slide #6-23 (June 1, 2004)
Problems
• Subjects’ integrity levels decrease as system runs
– Soon no subject will be able to access objects at high integrity levels
• Alternative: change object levels rather than subject levels
– Soon all objects will be at the lowest integrity level
• Crux of problem is model prevents indirect modification
– Because subject levels lowered when subject reads from low-integrity object
BIBA
Figure: the SCADA hierarchy of the previous diagram (Business Network, "Data to market and other systems", EMS (Energy Management System), SCADA (Supervisory Control and Data Acquisition), System Control Center, Messages, three RTUs (Remote Terminal Units) with Sensors, Actuators, etc.) annotated under Biba, with labels A and B on the flows.
Security? Bell-La Padula
• Military Multi-Level Security Model
– No Read Up
– No Write Down
• Military Commander
– Write to troops?
– Downgrade
Figure: levels Top Secret, Secret, Confidential, Unclassified, with arrows labelled "No Read Up" and "No Write Down".
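The Biba and Bell-La Padula rules from the two slides above, run against the SCADA levels of the diagrams, as an added Python example that is not part of the original slides. The level ordering (field devices below RTU, SCADA, EMS and the business network), the object names and the two scenarios are assumptions made for illustration; the code reproduces the low-water-mark drift described on the "Problems" slide and the write-down refusal behind the "Write to troops?" question.

```python
"""Biba and Bell-LaPadula access checks on the slides' SCADA hierarchy.
Added example, not code from the slides.  The level ordering and the
scenarios are constructed assumptions."""
from dataclasses import dataclass

# One ordering reused for both models: a higher number means higher
# integrity under Biba and higher sensitivity under BLP (assumed).
LEVELS = {"field": 0, "rtu": 1, "scada": 2, "ems": 3, "business": 4}


@dataclass
class Subject:
    name: str
    level: int


@dataclass(frozen=True)
class Obj:
    name: str
    level: int


# --- Biba strict integrity -------------------------------------------------
def biba_read(s: Subject, o: Obj) -> bool:
    """No read down: a subject may read only objects of at least its integrity."""
    return o.level >= s.level


def biba_write(s: Subject, o: Obj) -> bool:
    """No write up: a subject may write only objects of at most its integrity."""
    return o.level <= s.level


# --- Biba low-water-mark: the read succeeds but drags the subject down ----
def biba_lwm_read(s: Subject, o: Obj) -> None:
    s.level = min(s.level, o.level)


# --- Bell-LaPadula ---------------------------------------------------------
def blp_read(s: Subject, o: Obj) -> bool:
    """Simple security property: no read up."""
    return o.level <= s.level


def blp_write(s: Subject, o: Obj) -> bool:
    """*-property: no write down."""
    return o.level >= s.level


def biba_scenario() -> dict:
    """SCADA must consume an RTU sensor reading.  Strict Biba refuses the
    read; low-water-mark allows it, but SCADA's integrity drops and it can
    no longer write even its own database (the 'Problems' slide)."""
    scada = Subject("scada", LEVELS["scada"])
    reading = Obj("rtu_reading", LEVELS["rtu"])
    scada_db = Obj("scada_db", LEVELS["scada"])
    ems_data = Obj("ems_data", LEVELS["ems"])
    result = {
        "strict_read_rtu_reading": biba_read(scada, reading),          # False: read down
        "strict_write_ems_data": biba_write(scada, ems_data),          # False: write up
        "write_scada_db_before_lwm_read": biba_write(scada, scada_db),  # True
    }
    biba_lwm_read(scada, reading)  # SCADA integrity falls from 2 to 1
    result["scada_level_after_lwm_read"] = scada.level                     # 1
    result["write_scada_db_after_lwm_read"] = biba_write(scada, scada_db)  # False
    return result


def blp_scenario() -> dict:
    """BLP protects confidentiality only: an untrusted field device may write
    into the SCADA database (write up is allowed), while SCADA's actuation
    command to an RTU is a write down and is refused (the commander's problem)."""
    scada = Subject("scada", LEVELS["scada"])
    sensor = Subject("field_sensor", LEVELS["field"])
    scada_db = Obj("scada_db", LEVELS["scada"])
    rtu_cmd = Obj("rtu_command", LEVELS["rtu"])
    return {
        "sensor_writes_scada_db": blp_write(sensor, scada_db),  # True: low data pollutes high object
        "sensor_reads_scada_db": blp_read(sensor, scada_db),    # False: read up
        "scada_actuates_rtu": blp_write(scada, rtu_cmd),        # False: write down blocks control
        "scada_reads_rtu_command": blp_read(scada, rtu_cmd),    # True
    }


if __name__ == "__main__":
    print(biba_scenario())
    print(blp_scenario())
```

Neither model fits the control loop on its own: Biba blocks or degrades the sensor path upward, BLP blocks the actuation path downward, and the labels A and B on the diagrams mark exactly those two flows.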
BLP
Figure: the SCADA hierarchy (Business Network, EMS (Energy Management System), SCADA (Supervisory Control and Data Acquisition), System Control Center, Messages, three RTUs (Remote Terminal Units) with Sensors, Actuators, etc., and "Data to market and other systems") annotated under BLP, with message flows numbered 1 to 5 labelled Actuation, Sensor Readings, Physical Readings, Control, and Data to market and other systems.
BLP
Figure: the same SCADA hierarchy (Business Network, "Data to market and other systems", EMS (Energy Management System), SCADA (Supervisory Control and Data Acquisition), System Control Center, Messages, three RTUs (Remote Terminal Units) with Sensors, Actuators, etc.) annotated under BLP, with labels A and B on the flows.
Fog Energy Management
Transfer Power
The overlapping security domains in an IoT smart grid environment.
Figure labels: Deducible, Non-Deducible, Non-Deducible
Information Present in the Physical Entity
Information Flow Models
• A CPS performs physical actions that are observable
• Should keep these secret – loss of confidentiality/privacy
• Should not keep these secret – loss of integrity
• Some models
– Non-interference – Goguen and Meseguer 1982
• High-level events do not interfere with the low level outputs
– Non-inference – O’Halloran 1990
• Removing high-level events leaves a valid system trace
– Non-deducibility – Sutherland 1986
• Low-level observation is compatible with any of the high-level inputs.
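The three properties listed above, checked over the traces of two small plants, as an added Python example that is not code from the slides. The event encoding, the two plants (a valve whose flow reading the low level sees directly, and the same valve masked by an unobserved high-level return line) and the three-step trace horizon are constructed assumptions. Non-interference is checked in its Goguen and Meseguer form on the deterministic machine obtained by fixing the environment; non-inference and non-deducibility are checked in their possibilistic trace forms.

```python
"""Non-interference, non-inference and non-deducibility checked over the
traces of two small plants.  Added example for this page, not code from
the slides; the plants, the event encoding and the 3-step trace horizon
are constructed assumptions."""
import itertools

# An event is (level, kind, value).  "H" events are the high-level control
# commands; "L" events are what an outside (low-level) observer sees.
H_OPEN, H_CLOSE, L_READ = ("H", "in", "open"), ("H", "in", "close"), ("L", "in", "read")
ALPHABET = (H_OPEN, H_CLOSE, L_READ)


def plant_transparent(valve, inp, env):
    """Constructed plant 1: the low-level flow reading reports the valve state exactly."""
    if inp == H_OPEN:
        return 1, ()
    if inp == H_CLOSE:
        return 0, ()
    return valve, (("L", "out", valve),)


def plant_masked(valve, inp, env):
    """Constructed plant 2: a magnitude-only sensor on a line also fed by an
    unobserved high-level return line (env in {0, 1}); the reading is
    |valve - env|, so no single reading rules out either valve state."""
    if inp in (H_OPEN, H_CLOSE):
        return (1 if inp == H_OPEN else 0), ()
    return valve, (("L", "out", abs(valve - env)),)


def run(step, inputs, envs):
    """Deterministic run from a closed valve with one environment choice per step."""
    state, trace = 0, []
    for inp, env in zip(inputs, envs):
        state, outs = step(state, inp, env)
        trace.append(inp)
        trace.extend(outs)
    return tuple(trace)


def traces(step, env_alphabet, n):
    """Every trace over input sequences of length <= n and every environment
    resolution (a finite-horizon approximation of the trace set)."""
    result = set()
    for k in range(n + 1):
        for inputs in itertools.product(ALPHABET, repeat=k):
            for envs in itertools.product(env_alphabet, repeat=k):
                result.add(run(step, inputs, envs))
    return result


def low_view(t):
    return tuple(e for e in t if e[0] == "L")


def high_inputs(t):
    return tuple(e for e in t if e[0] == "H" and e[1] == "in")


def non_interference(step, env, n):
    """Goguen-Meseguer: on the deterministic machine obtained by fixing env,
    purging the high-level inputs must leave the low-level outputs unchanged."""
    for k in range(n + 1):
        for inputs in itertools.product(ALPHABET, repeat=k):
            purged = tuple(i for i in inputs if i[0] == "L")
            full = low_view(run(step, inputs, [env] * k))
            if full != low_view(run(step, purged, [env] * len(purged))):
                return False
    return True


def non_inference(T):
    """O'Halloran: removing every high-level event from a trace leaves a trace."""
    return all(low_view(t) in T for t in T)


def non_deducibility(T, n):
    """Sutherland: every low-level view is compatible with every high-level
    input sequence (only pairs that fit in the n-step horizon are required)."""
    pairs = {(low_view(t), high_inputs(t)) for t in T}
    lows = {lv for lv, _ in pairs}
    highs = {h for _, h in pairs}
    for lv in lows:
        reads = sum(1 for e in lv if e[1] == "in")
        for h in highs:
            if reads + len(h) <= n and (lv, h) not in pairs:
                return False
    return True


def evaluate(step, env_alphabet, n=3):
    """Run all three checks on one plant."""
    T = traces(step, env_alphabet, n)
    return {
        "non_interference": all(non_interference(step, env, n) for env in env_alphabet),
        "non_inference": non_inference(T),
        "non_deducibility": non_deducibility(T, n),
    }


if __name__ == "__main__":
    print("transparent:", evaluate(plant_transparent, (0,)))
    print("masked:     ", evaluate(plant_masked, (0, 1)))
```

The transparent plant fails all three properties: the valve command is physically visible, and the only way to satisfy non-interference is to stop the command from having an effect. The masked plant still fails non-interference for every fixed environment, because the command does change the reading, yet satisfies non-inference and non-deducibility, because no low observation rules any command sequence out. The same masking that protects a legitimate command also protects an attacker's, which is the bidirectional point the deck makes later.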
Information Present in the Physical Entity (Non-interference view)
Figure labels: Command; Actions Blocked
Not a good model for CPS
Information Present in the Physical Entity (Non-inference view)
Figure label: Command
Potentially a good model for CPS
Information Present in the Physical Entity (Non-deducibility view)
Figure label: Command
A good model for CPS
The overlapping security domains in a CPS environment.
Figure labels: Deducible, Non-Deducible, Non-Deducible
Non-deducibility
• Non-deducibility
– Good?
– Bad?
Figure labels: Secure Domain, Open Domain, Open Domain, Inside Domain
Non-deducibility is a bidirectional model.
The Challenge
• Prevent the bad guys from seeing
confidential/private information.
• Make sure the good guys can deduce that
an attack is happening from the bad guys
• In a CPS
• With the same model
Multiple Domain Nondeducibility
On any given world, the valuation function $V_i^x(w)$ will return the value of the corresponding state variable $x$ as seen by an entity in a partition $i$.
Multiple Domains of Stuxnet
Stuxnet Attack
$I_{1,0},\ B_1 I_{1,0},\ T_{1,0}$
$I_{2,1},\ B_2 I_{2,1},\ T_{2,1}$
Stuxnet Attack
$I_{1,0},\ B_1 I_{1,0},\ T_{1,0}$
$I_{2,1},\ B_2 I_{2,1},\ T_{2,1}$
$I_{4,3},\ \neg B_4 I_{4,3},\ \neg T_{4,3}$
$I_{4,0},\ B_4 I_{4,0},\ T_{4,0}$
Alert: Mismatch
Secure Water Treatment Testbed (SWaT)
Figure labels: Tank, Monitoring Station, Filtration Units
Process 1: Raw Water
Purpose is to supply water to other processes of SWaT
Working of MSDND
Figure: Process 1 of SWaT. Raw water tank, valve MV101 with flow sensor FIT101, pump P101 with a second flow sensor, level sensor LIT101 and PLC 1; security domains SD0 to SD5 are drawn around the components.
LIT – Level Indication Transmitter, FIT – Flow Indication Transmitter, MV101 – Motorized Valve, P – Pump
Working of MSDND (Cont.)
Figure: Tank T101, LIT101, PLC1, Operator, pump, FIT102, MV101, FIT101 and a VIRUS; security domains SD0 to SD6.
$I_{6,2}\,\neg l,\ B_6 I_{6,2}\,\neg l,\ T_{6,2}\,\neg l$
$I_{5,6}\, l,\ B_5 I_{5,6}\, l,\ T_{5,6}\, l$
Working of MSDND (Cont.)
> Since $B_5 I_{5,6}\, l \wedge T_{5,6}\, l \rightarrow B_5\, l$, the PLC believes the lie told in all cases. Therefore, unknown to entities in SD2, $V_2^{l}(w)$ and $V_2^{\neg l}(w)$ cannot be evaluated. Therefore $l$ is MSDND secure from SD2.
> $\mathrm{MSDND}(ES) = \exists w \in W \rightarrow [(S_l \oplus S_{\neg l})] \wedge [w \models (\nexists V_{SD_5}^{\neg l}(w) \wedge \nexists V_{SD_5}^{l}(w))]$
> This is BAD for the plant as the threat goes undetected
Working of MSDND (Cont.)
Figure: Tank T101, LIT101, PLC1, Operator, pump, FIT102, MV101, FIT101 and a VIRUS; security domains SD0 to SD6 and SD8.
$I_{6,2}\,\neg l,\ B_3 I_{6,2}\,\neg l,\ T_{6,2}\,\neg l$
$I_{5,6}\, l,\ B_5 I_{5,6}\, l,\ T_{5,6}\, l$
$I_{7,8}\, l,\ B_5 I_{7,8}\, l,\ T_{7,8}\, l$
Total Water = (Water Inflow – Water Outflow) * Const
Working of MSDND (Cont.)
• Now when we take the ‘and’ of both the normal working and the invariant, we can conclude whether the system is working normally
• $S_{invariant} \wedge S_l = S^{*}$; the system is working normally if and only if this is true
• $\mathrm{MSDND}(ES) = \exists w \in W \rightarrow [(S^{*} \oplus S_{\neg l})] \wedge [w \models (\nexists V_{SD_5}^{\neg l}(w) \wedge \exists V_{SD_5}^{l}(w))]$
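The invariant step above, as an added Python example that is not code from the slides or from the SWaT testbed. The tank constant, the noise tolerance, the six-sample telemetry and the level-freezing virus are constructed; FIT101 and FIT102 are assumed to reach PLC1 over channels the virus does not touch, which is what lets the flow-based invariant give SD5 a valuation for $l$ and so break the MSDND-secure path on the LIT101 channel.

```python
"""Breaking MSDND on SWaT process 1 with a flow/level invariant.  Added
example; not code from the slides or the SWaT testbed.  PLC1 receives
LIT101 over a channel a virus can rewrite; FIT101 and FIT102 are assumed
to arrive unmodified.  Constants, telemetry and attack are constructed."""
from dataclasses import dataclass
from typing import List, Optional

TANK_CONST = 0.5   # assumed: level units gained per unit of net flow per sample interval
TOLERANCE = 0.1    # assumed: level noise the invariant tolerates


@dataclass(frozen=True)
class Sample:
    fit101: float  # inflow through MV101 during the interval before this sample
    fit102: float  # outflow through P101 during the same interval
    lit101: float  # tank level as received by PLC1 (the value the virus may replace)


def constructed_telemetry(attack_from: int = 3) -> List[Sample]:
    """Six samples: the pump matches inflow at step 1, then the tank fills.
    From `attack_from` the virus freezes the reported level at its last
    honest value while the true level keeps rising."""
    flows = [(0.0, 0.0), (2.0, 2.0), (2.0, 0.0), (2.0, 0.0), (2.0, 0.0), (2.0, 0.0)]
    level, samples = 0.5, []
    for i, (fin, fout) in enumerate(flows):
        if i > 0:
            level += (fin - fout) * TANK_CONST  # physics of T101
        reported = level if i < attack_from else samples[attack_from - 1].lit101
        samples.append(Sample(fin, fout, reported))
    return samples


def valuation(prev: Sample, cur: Sample, use_invariant: bool) -> Optional[bool]:
    """The slides' V^l_{SD5}(w): can PLC1 decide whether the reported level
    is consistent with the world?  None means no valuation exists: the PLC
    has only the LIT101 channel and, trusting it, believes whatever it says."""
    if not use_invariant:
        return None
    expected_delta = (cur.fit101 - cur.fit102) * TANK_CONST
    return abs((cur.lit101 - prev.lit101) - expected_delta) <= TOLERANCE


def analyse(samples: List[Sample], use_invariant: bool) -> dict:
    """Alerts raised by PLC1 and whether the lie remains MSDND secure."""
    verdicts = [valuation(p, c, use_invariant) for p, c in zip(samples, samples[1:])]
    return {
        "alerts": [i + 1 for i, v in enumerate(verdicts) if v is False],
        # MSDND(ES) holds if some world exists where SD5 can value neither l nor ~l
        "msdnd_secure": any(v is None for v in verdicts),
    }


if __name__ == "__main__":
    telemetry = constructed_telemetry()
    print("without invariant:", analyse(telemetry, use_invariant=False))
    print("with invariant:   ", analyse(telemetry, use_invariant=True))
```

Without the invariant the frozen level is believed at every step and no alert is raised; with it, the mismatch between the reported level change and the integrated flows is flagged from the first attacked sample onward. The sample where the pump matches the inflow is not flagged, since the invariant accounts for outflow rather than expecting the level to rise whenever MV101 is open.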
Working of MSDND (Cont.)
• When an invariant fails, the tile with that invariant turns red
Conclusion (Cont.)
Process | Components | Summary | Suggestions
Process 1 | 4 | Invariants Developed: 4; Invariants Matching: 4; Vulnerabilities remaining: 0 | Invariants for FIT and LIT should be modified to better capture multipoint attacks
Process 2 | 11 | Invariants Developed: 7; Invariants Matching: 0; Vulnerabilities remaining: 6 | Chemical processes should be further analyzed to obtain more reliable invariants. Chemical dosing pumps and level indication should be modified.
Process 3 | 9 | Invariants Developed: 4; Invariants Matching: 3; Vulnerabilities remaining: 2 | Several attacks can be performed on motorized valves to damage pumps and drain water. Install a PIT near the UF unit to generate an invariant for the DPIT.
Process 4 | 7 | Invariants Developed: 3; Invariants Matching: 3; Vulnerabilities remaining: 1 | The dechlorination unit and NaHSO3 dosing affect the chemical properties of the water; better invariants should be built from this, as it affects the RO unit.
Process 5 | 16 | Invariants Developed: 7; Invariants Matching: 0; Vulnerabilities remaining: 9 | Many MSDND-secure paths are identified; invariants should be developed to break the MSDND security.
Process 6 | 7 | Invariants Developed: 2; Invariants Matching: 0; Vulnerabilities remaining: 5 | Level switches should be replaced with level indicators, and more FITs should be installed to obtain invariants.
Another Typical Result
Power System Testbed in Singapore
• Solar
• Batteries
• Generators
• Loads
What to do with this information?
• Measure System Security Resilience
– Using the uniform information flow model
• Improve Design
– Mitigate MSDND paths
• Mitigate Attacks through Engineered Knowledge to Break MSDND
– Active defense against
• Cyber Enabled Physical
• Physically Enabled Cyber
This is Hard to Do
Goals
• Automated Security Domain Construction
• Semantic Bridges and Oracle Owls
• Design-Centric
• Port Hamiltonian Systems
• State Estimation
• Algebraic, Spatio-temporal & Real-Time Dynamic State Estimation
• Data Science
• Learn behavior with ground truth
• Experimentation on real infrastructures
• Power, Water, Manufacturing, Transportation
How to provide a functioning CPS without relying on assumptions of trust, but instead developing trust among components?
Findings
Figure labels: Data Centric; Design Centric; Diverge; Association Rule Mining, Generalized Linear Modeling; ?; Subtle Theft, Slow Drift
Traditional View – Castle/Maginot Line/BLP
– High level vs low level
– Firewalls, Defense in Depth
– Does not address cyber-physical nor insider attacks
Modern Environment
– Multiple security domains
– High/low, Insider vs Outsider has changed
▪ We are INSIDE the system
– How do we secure the cyber-physical?
Ethics in these systems
Trolley Problem
Will people use this?
• Privacy
– Norway vs. USA
• Resilience
– Cyber threats
• Fog?
– Ethical Issues
Your Thoughts?
A Professional Society
• Local Seminars
• Get-together
• Quality
– Accreditation
– Peer Review
– Standards