2,800 research outputs found

    MiniCPS: A toolkit for security research on CPS Networks

    In recent years, tremendous effort has been spent on modernizing communication infrastructure in Cyber-Physical Systems (CPS) such as Industrial Control Systems (ICS) and related Supervisory Control and Data Acquisition (SCADA) systems. While a great amount of research has been conducted on network security of office and home networks, recently the security of CPS and related systems has gained a lot of attention. Unfortunately, real-world CPS are often not open to security researchers, and as a result very few reference systems and topologies are available. In this work, we present MiniCPS, a CPS simulation toolbox intended to alleviate this problem. The goal of MiniCPS is to create an extensible, reproducible research environment targeted to communications and physical-layer interactions in CPS. MiniCPS builds on Mininet to provide lightweight real-time network emulation, and extends Mininet with tools to simulate typical CPS components such as programmable logic controllers, which use industrial protocols (Ethernet/IP, Modbus/TCP). In addition, MiniCPS defines a simple API to enable physical-layer interaction simulation. In this work, we demonstrate applications of MiniCPS in two example scenarios, and show how MiniCPS can be used to develop attacks and defenses that are directly applicable to real systems. Comment: 8 pages, 6 figures, 1 code listin

    Domain-oriented architecture design for production control software

    In this paper, we present domain-oriented architectural design heuristics for production control software. Our approach is based upon the following premisses. First, software design, like all other forms of design, consists of the reduction of uncertainty about a final product by making design decisions. These decisions should as much as possible be based upon information that is certain, either because they represent laws of nature or because they represent previously made design decisions. An important class of information concerns the domain of the software. The domain of control software is the part of the world monitored and controlled by the software; it is the larger system into which the software is embedded. The software engineer should exploit system-level domain knowledge in order to make software design decisions. Second, in the case of production control software, using system-level knowledge is not only justified, it is also imposed on the software engineer by the necessity to cooperate with hardware engineers. These represent their designs by means of Process and Instrumentation Diagrams (PIDs) and Input-Output (IO) lists. They do not want to spend time, nor do they see the need, to duplicate the information represented by these diagrams by means of diagrams from software engineering methods. Such a duplication would be an occasion to introduce errors of omission (information lost during the translation process) or commission (misinterpretation, misguided but invisible design decisions made during the translation) anyway. We think it is up to the software engineer to adapt his or her notations to those of the system engineers he or she must work with. Third, work in patterns and software architectures started from the programming-language level and is now moving..

    An Overview of Industrial Robots Control and Programming Approaches

    Nowadays, manufacturing plants are required to be flexible to respond quickly to customer demands, adapting production and processes without affecting their efficiency. In this context, Industrial Robots (IRs) are a primary resource for modern factories due to their versatility which allows the execution of flexible, reconfigurable, and zero-defect manufacturing tasks. Even so, the control and programming of the commercially available IRs are limiting factors for their effective implementation, especially for dynamic production environments or when complex applications are required. These issues have stimulated the development of new technologies that support more efficient methods for robot control and programming. The goal of this research is to identify and evaluate the main approaches proposed in scientific papers and by the robotics industry in the last decades. After a critical review of the standard IR control schematic, the paper discusses the available control alternatives and summarizes their characteristics, range of applications, and remaining limitations

    A model-based approach for supporting flexible automation production systems and an agent-based implementation

    158 p. This doctoral thesis proposes a generic and customizable management architecture capable of ensuring that the quality of service (QoS) requirements of an industrial control system are met. This architecture allows the mechanisms for detecting and recovering QoS requirements to be modified according to their various types. As a proof of concept, the management architecture has been implemented through a middleware based on multi-agent systems. This middleware provides a set of distributed agents that are responsible for monitoring QoS and recovering it in case of loss. The incorporation of reconfiguration mechanisms increases the complexity of control systems. To facilitate the design of these systems, a model-based framework has been presented that guides and facilitates the design of reconfigurable control systems. This framework provides a set of model-based tools that enable the automatic generation of the system's control code, as well as of the monitoring and reconfiguration mechanisms of the middleware agents. The implementation of the architecture has been validated through a series of scenarios based on a real assembly cell

    Model-Driven Design and Development of Flexible Automated Production Control Configurations for Industry 4.0

    The continuous changes of the market and customer demands have forced modern automation systems to provide stricter Quality of service (QoS) requirements. This work is centered in automation production system flexibility, understood as the ability to shift from one controller configuration to a different one, in the most quick and cost-effective way, without disrupting its normal operation. In the manufacturing field, this allows to deal with non-functional requirements such as assuring control system availability or workload balancing, even in the case of failure of a machine, components, network or controllers. Concretely, this work focuses on flexible applications at production level, using Programmable Logic Controllers (PLCs) as primary controllers. The reconfiguration of the control system is not always possible as it depends on the process state. Thus, an analysis of the system state is necessary to make a decision. In this sense, architectures based on industrial Multi Agent Systems (MAS) have been used to provide this support at runtime. Additionally, the introduction of these mechanisms makes the design and the implementation of the control system more complex. This work aims at supporting the design and development of such flexible automation production systems, through the proposed model-based framework. The framework consists of a set of tools that, based on models, automate the generation of control code extensions that add flexibility to the automation production system, according to industry 4.0 paradigm. This work was financed by MCIU/AEI/FEDER, UE (grant number RTI2018-096116-B-I00) and by GV/EJ (grant number IT1324-19)

    Ladder Metamodeling & PLC Program Validation through Time Petri Nets

    Ladder Diagram (LD) is the most used programming language for Programmable Logical Controllers (PLCs). A PLC is a special purpose industrial computer used to automate industrial processes. Bugs in LD programs are very costly and sometimes are even a threat to human safety. We propose a model driven approach for formal verification of LD programs through model-checking. We provide a metamodel for a subset of the LD language. We define a time Petri net (TPN) semantics for LD programs through an ATL model transformation. Finally, we automatically generate behavioral properties over the LD models as LTL formulae which are then checked over the generated TPN using the model-checkers available in the Tina toolkit. We focus on race condition detection. This work is supported by the topcased project, part of the French cluster Aerospace Valley (granted by the French DGE), cf. http://www.topcased.or

    Engineering Method and Tool for the Complete Virtual Commissioning of Robotic Cells

    Intelligent robotic manufacturing cells must adapt to ever-varying operating conditions, developing autonomously optimal manufacturing strategies to achieve the best quality and overall productivity. Intelligent and cognitive behaviors are realized by using distributed controllers, in which complex control logics must interact and process a wide variety of input/output signals. In particular, programmable logic controllers (PLCs) and robot controllers must be coordinated and integrated. Then, there is the need to simulate the robotic cells’ behavior for performance verification and optimization by evaluating the effects of both PLC and robot control codes. In this context, this work proposes a method, and its implementation into an integrated tool, to exploit the potential of ABB RobotStudio software as a virtual prototyping platform for robotic cells, in which real robots control codes are executed on a virtual controller and integrated with Beckhoff PLC environment. For this purpose, a PLC Smart Component was conceived as an extension of RobotStudio functionalities to exchange signals with a TwinCAT instance. The new module allows the virtual commissioning of a complete robotic cell to be performed, assessing the control logics effects on the overall productivity. The solution is demonstrated on a robotic assembly cell, showing its feasibility and effectiveness in optimizing the final performance

    A Flashback on Control Logic Injection Attacks against Programmable Logic Controllers

    Programmable logic controllers (PLCs) make up a substantial part of critical infrastructures (CIs) and industrial control systems (ICSs). They are programmed with a control logic that defines how to drive and operate critical processes such as nuclear power plants, petrochemical factories, water treatment systems, and other facilities. Unfortunately, these devices are not fully secure and are prone to malicious threats, especially those exploiting vulnerabilities in the control logic of PLCs. Such threats are known as control logic injection attacks. They mainly aim at sabotaging physical processes controlled by exposed PLCs, causing catastrophic damage to target systems as shown by Stuxnet. Looking back over the last decade, many research endeavors exploring and discussing these threats have been published. In this article, we present a flashback on the recent works related to control logic injection attacks against PLCs. To this end, we provide the security research community with a new systematization based on the attacker techniques under three main attack scenarios. For each study presented in this work, we overview the attack strategies, tools, security goals, infected devices, and underlying vulnerabilities. Based on our analysis, we highlight the current security challenges in protecting PLCs from such severe attacks and suggest security recommendations for future research directions