A critical review of cyber-physical security for building automation systems

Modern Building Automation Systems (BASs), as the brain that enables the smartness of a smart building, often require increased connectivity both among system components as well as with outside entities, such as optimized automation via outsourced cloud analytics and increased building-grid integrations. However, increased connectivity and accessibility come with increased cyber security threats. BASs were historically developed as closed environments with limited cyber-security considerations. As a result, BASs in many buildings are vulnerable to cyber-attacks that may cause adverse consequences, such as occupant discomfort, excessive energy usage, and unexpected equipment downtime. Therefore, there is a strong need to advance the state-of-the-art in cyber-physical security for BASs and provide practical solutions for attack mitigation in buildings. However, an inclusive and systematic review of BAS vulnerabilities, potential cyber-attacks with impact assessment, detection & defense approaches, and cyber-secure resilient control strategies is currently lacking in the literature. This review paper fills the gap by providing a comprehensive up-to-date review of cyber-physical security for BASs at three levels in commercial buildings: management level, automation level, and field level. The general BASs vulnerabilities and protocol-specific vulnerabilities for the four dominant BAS protocols are reviewed, followed by a discussion on four attack targets and seven potential attack scenarios. The impact of cyber-attacks on BASs is summarized as signal corruption, signal delaying, and signal blocking. The typical cyber-attack detection and defense approaches are identified at the three levels. Cyber-secure resilient control strategies for BASs under attack are categorized into passive and active resilient control schemes. Open challenges and future opportunities are finally discussed.Comment: 38 pages, 7 figures, 6 tables, submitted to Annual Reviews in Contro

Interplay of Misuse Case and Fault Tree Analysis for Security and Safety Analysis

Ohutus ja turvalisus infosüsteemides muutuvad aasta-aastalt üha olulisemaks. Seda seetõttu, et kaasaegsed infosüsteemid on üha enam levinud veebiteenustes, -võrgustikes ja –pilvedes. Ohutuse seisukohalt olulisi süsteeme, mida ei ole varem Internetis kasutatud, tehakse ümber, et muuta neid kasuatatvaks Internetis. Selle tulemusena on tekkinud vajadus leida uusi meetodeid, mis kindlustaks nii ohutuse kui turvalisuse tarkvarasüsteemides. Kui ohutust ja turvalisust ei käsitleta koos, võivad nad riske suurendada – olukorra ohutuks muutmine võib tekitada riski turvalisuses ning sellest tekib probleem. Näiteks lukustatud uksed ühiselamutes turvalisuse huvides, kaitsmaks sealseid elanikke röövide ning muude võimalike kuritegude eest. Uste avamiseks kasutavad ühiselamu elanikud kaarte, mis uksed avavad. Tulekahju korral aga avanevad uksed ohutuse eesmärgil automaatselt ning kurjategijad, lülitades sisse tuletõrjealarmi, pääsevad ühiselamu elanike vara juurde.Antud uurimistöös antakse ülevaade ohutusest ja turvalisusest kui ühtsest süsteemist, määratledes ohutuse ja turvalisuse mõisted ning otsides võimalikke viise nende integreerimiseks, arendades koosmõju ohutuse ja turvalisuse vahel kasutades misuse case´i ja fault tree analysis´i. Töös selgitatakse fault tree analysis´i sobivust ohutuse domeeni mudelisse ja püütakse leida koosmõju fault tree analysis´i ja misuse case´i tehnikate vahel. Kasutades nii ohutuse kui turvalisuse domeenimudeleid ning tekitades koosmõju tehnikate vahel, on oodatud tulemuseks ohutuse ja turvalisuse probleemi lahendamine tarkvarasüsteemides. Usutavasti aitab antud uurimistöö kaasa ohutuse ja turvalisuse integreerimisvõimaluste leidmisele selgitades fault tree analysis sobivust ohutuse domeenimudelisse, kasutades misuse case´i ja information security risk management´i seost ja kooskõlastades seda misuse case´i tehnikaga Samuti selgitatakse töös uut metoodikat, kuidas kasutada fault tree analysis-d ja misuse case´i selleks, et saavutada nii ohutus kui turvalisus kaasaegsetes infosüsteemides. Lisaks sellele testiti töös selgitatud sobivust usaldusväärse stsenaariumi korral, mis kinnitab sobivuse paikapidavust.Nowadays safety and security are becoming more and more important because of the fact that modern information systems are increasingly distributed over web-services, grids and clouds. Safety critical systems that were not utilizing usage over Internet are being re-engineered in order to be use over Internet. As a consequence of this situation there is need of new methods that cover both security and safety aspects of software systems, since these systems are used in transportation, health and process control systems that arises risk of physical injury or environmental damage. Additionally when safety and security aspects are not considered together they may violate each other while one situation is making a case safe it may violate security and this is a problem. Such as in the sample of lock doors at dormitories for security purpose to protect inhabitants against robbery and some other possible crimes, those inhabitants of dormitories use distance keys to unlock them but in case of a fire situation in the building for safety purposes these lock doors are unlocking themselves and by activating fire alarms attackers can get access to inhabitants properties. In current thesis we introduce integrated domain models of security and safety, extracting definitions from safety and security domains and finding possible pairs to integrate. Developing interplays between security and safety technique that is misuse cases and fault tree analysis. We demonstrate alignment of fault tree analysis to safety domain model and making interplay between techniques from fault tree analysis to misuse cases. By using the domain models of both security and safety and making interplay between techniques we proposed an integrated technique we expect to solve the problem to cover both safety aspects of software system benefiting from complementary strengths of security domain model and techniques. We believe that our study is contributing to the integration attempts of security and safety techniques by illustrating alignment of fault tree analysis with safety domain model benefitting from misuse cases and information security risk management relationship and making interplay with misuse case technique. And also we illustrate a new methodology on how to use fault tree analysis and misuse cases in order to elicit safety concerns in a new information system by having interplay with misuse case. Moreover, we test correctness of our methodology by making results comparison of a safety risk analyze done

Software reliability and dependability: a roadmap

Shifting the focus from software reliability to user-centred measures of dependability in complete software-based systems. Influencing design practice to facilitate dependability assessment. Propagating awareness of dependability issues and the use of existing, useful methods. Injecting some rigour in the use of process-related evidence for dependability assessment. Better understanding issues of diversity and variation as drivers of dependability. Bev Littlewood is founder-Director of the Centre for Software Reliability, and Professor of Software Engineering at City University, London. Prof Littlewood has worked for many years on problems associated with the modelling and evaluation of the dependability of software-based systems; he has published many papers in international journals and conference proceedings and has edited several books. Much of this work has been carried out in collaborative projects, including the successful EC-funded projects SHIP, PDCS, PDCS2, DeVa. He has been employed as a consultant t

Multilevel Runtime Verification for Safety and Security Critical Cyber Physical Systems from a Model Based Engineering Perspective

Advanced embedded system technology is one of the key driving forces behind the rapid growth of Cyber-Physical System (CPS) applications. CPS consists of multiple coordinating and cooperating components, which are often software-intensive and interact with each other to achieve unprecedented tasks. Such highly integrated CPSs have complex interaction failures, attack surfaces, and attack vectors that we have to protect and secure against. This dissertation advances the state-of-the-art by developing a multilevel runtime monitoring approach for safety and security critical CPSs where there are monitors at each level of processing and integration. Given that computation and data processing vulnerabilities may exist at multiple levels in an embedded CPS, it follows that solutions present at the levels where the faults or vulnerabilities originate are beneficial in timely detection of anomalies. Further, increasing functional and architectural complexity of critical CPSs have significant safety and security operational implications. These challenges are leading to a need for new methods where there is a continuum between design time assurance and runtime or operational assurance. Towards this end, this dissertation explores Model Based Engineering methods by which design assurance can be carried forward to the runtime domain, creating a shared responsibility for reducing the overall risk associated with the system at operation. Therefore, a synergistic combination of Verification & Validation at design time and runtime monitoring at multiple levels is beneficial in assuring safety and security of critical CPS. Furthermore, we realize our multilevel runtime monitor framework on hardware using a stream-based runtime verification language

User experience and robustness in social virtual reality applications

Cloud-based applications that rely on emerging technologies such as social virtual reality are increasingly being deployed at high-scale in e.g., remote-learning, public safety, and healthcare. These applications increasingly need mechanisms to maintain robustness and immersive user experience as a joint consideration to minimize disruption in service availability due to cyber attacks/faults. Specifically, effective modeling and real-time adaptation approaches need to be investigated to ensure that the application functionality is resilient and does not induce undesired cybersickness levels. In this thesis, we investigate a novel ‘DevSecOps' paradigm to jointly tune both the robustness and immersive performance factors in social virtual reality application design/operations. We characterize robustness factors considering Security, Privacy and Safety (SPS), and immersive performance factors considering Quality of Application, Quality of Service, and Quality of Experience (3Q). We achieve “harmonized security and performance by design” via modeling the SPS and 3Q factors in cloud-hosted applications using attack-fault trees (AFT) and an accurate quantitative analysis via formal verification techniques i.e., statistical model checking (SMC). We develop a real-time adaptive control capability to manage SPS/3Q issues affecting a critical anomaly event that induces undesired cybersickness. This control capability features a novel dynamic rule-based approach for closed-loop decision making augmented by a knowledge base for the SPS/3Q issues of individual and/or combination events. Correspondingly, we collect threat intelligence on application and network based cyber-attacks that disrupt immersiveness, and develop a multi-label K-NN classifier as well as statistical analysis techniques for critical anomaly event detection. We validate the effectiveness of our solution approach in a real-time cloud testbed featuring vSocial, a social virtual reality based learning environment that supports delivery of Social Competence Intervention (SCI) curriculum for youth. Based on our experiment findings, we show that our solution approach enables: (i) identification of the most vulnerable components that impact user immersive experience to formally conduct risk assessment, (ii) dynamic decision making for controlling SPS/3Q issues inducing undesirable cybersickness levels via quantitative metrics of user feedback and effective anomaly detection, and (iii) rule-based policies following the NIST SP 800-160 principles and cloud-hosting recommendations for a more secure, privacy-preserving, and robust cloud-based application configuration with satisfactory immersive user experience.Includes bibliographical references (pages 133-146)

COST Action IC 1402 ArVI: Runtime Verification Beyond Monitoring -- Activity Report of Working Group 1

This report presents the activities of the first working group of the COST Action ArVI, Runtime Verification beyond Monitoring. The report aims to provide an overview of some of the major core aspects involved in Runtime Verification. Runtime Verification is the field of research dedicated to the analysis of system executions. It is often seen as a discipline that studies how a system run satisfies or violates correctness properties. The report exposes a taxonomy of Runtime Verification (RV) presenting the terminology involved with the main concepts of the field. The report also develops the concept of instrumentation, the various ways to instrument systems, and the fundamental role of instrumentation in designing an RV framework. We also discuss how RV interplays with other verification techniques such as model-checking, deductive verification, model learning, testing, and runtime assertion checking. Finally, we propose challenges in monitoring quantitative and statistical data beyond detecting property violation