24 research outputs found

    Information flow properties for cyber-physical systems

    In cyber-physical systems, which are the integrations of computational and physical processes, security properties are difficult to enforce. Fundamentally, physically observable behavior leads to violations of confidentiality. This work analyzes certain noninterference based security properties to ensure that interactions between the cyber and physical processes preserve confidentiality. A considerable barrier to this analysis is the representation of physical system interactions at the cyber-level. This thesis presents encoding of these physical system properties into a discrete event system and represents the cyber-physical system using Security Process Algebra (SPA). The model checker, Checker of Persistent Security (CoPS) shows Bisimulation based NonDeducibility on Compositions (BNDC) properties, which are a variant of noninterference properties, to check the system's security against all potential high-level interactions. This work considers a model problem of invariant pipeline flow to examine the BNDC properties and their applicability for cyber-physical systems --Abstract, page iii

    Multiple security domain nondeducibility in cyber-physical systems

    Cyber-physical Systems (CPS) present special problems for security. This dissertation examines the cyber security problem, the physical security problem, the security problems presented when cyber systems and physical systems are intertwined, and problems presented by the fact that CPS leak information simply by being observed. The issues presented by applying traditional cyber security to CPS are explored and some of the shortcomings of these models are noted. Specific models of a "drive-by-wire" automobile connected to a road side assistance network, a "Stuxnet type" attack, the smart grid, and others are presented in detail. The lack of good tools for CPS security is addressed in part by the introduction of a new model, Multiple Security Domains Nondeducibility over an Event System, or MSDND(ES). The drive-by-wire automobile is studied to show how MSDND(ES) is applied to a system that traditional security models do not describe well. The issue of human trust in inherently vulnerable CPS with embedded cyber monitors is also explored. A Stuxnet type attack on a CPS is examined using both MSDND(ES) and Belief, Information acquisition, and Trust (BIT) logic to provide a clear and precise method to discuss issues of trust and belief in monitors and electronic reports. To show these techniques, the electrical smart grid as envisioned by the Future Renewable Electric Energy Delivery and Management Systems Center (FREEDM) project is also modeled. Areas that may lead to the development of additional tools are presented as possible future work to address the fact: CPS are different and require different models and tools to understand. --Abstract, page iii

    Cyber physical security of avionic systems

    “Cyber-physical security is a significant concern for critical infrastructures. The exponential growth of cyber-physical systems (CPSs) and the strong inter-dependency between the cyber and physical components introduces integrity issues such as vulnerability to injecting malicious data and projecting fake sensor measurements. Traditional security models partition the CPS from a security perspective into just two domains: high and low. However, this absolute partition is not adequate to address the challenges in the current CPSs as they are composed of multiple overlapping partitions. Information flow properties are one of the significant classes of cyber-physical security methods that model how inputs of a system affect its outputs across the security partition. Information flow supports traceability that helps in detecting vulnerabilities and anomalous sources, as well as helps in rendering mitigation measures. To address the challenges associated with securing CPSs, two novel approaches are introduced by representing a CPS in terms of a graph structure. The first approach is an automated graph-based information flow model introduced to identify information flow paths in the avionics system and partition them into security domains. This approach is applied to selected aspects of the avionic systems to identify the vulnerabilities in case of a system failure or an attack and provide possible mitigation measures. The second approach is based on graph neural networks (GNN) to classify the graphs into different security domains. Using these two approaches, successful partitioning of the CPS into different security domains is possible in addition to identifying their optimal coverage. These approaches enable designers and engineers to ensure the integrity of the CPS. The engineers and operators can use this process during design-time and in real-time to identify failures or attacks on the system”--Abstract, page iii

    Environmental Obfuscation of a Cyber Physical System - Vehicle Example

    Cyber-Physical Systems (CPSs) are deeply embedded infrastructures that have significant cyber and physical components that interact with each other in complex ways. These interactions can violate a system's security policy, leading to unintended information flow. The physical portion of such systems is inherently observable, and, as such, many methods of preserving confidentiality are not applicable. This fundamental property of CPSs presents new security challenges. To illustrate this, a vehicle composed of an embedded computer system, its operator, and its environment shows how information is disclosed to an observer that is watching from the outside. The example is made up of a vehicle with an automated engine management system (smart cruise control) traveling across some terrain with an observer watching the vehicle. The information that is to be protected is the controller of the vehicle. This model is analyzed using formal models of information flow, namely nondeducibility and noninference. The vehicle's operation, in context with the terrain of the road, discloses information to the observer. Context is important; the same information that was disclosed with one terrain type is hidden with a different terrain. This problem, its methodology, and results uncover problems, and solutions, based on the theory of information flow, to quantify security in these new types of systems

    Enforcing Information Flow Security Properties in Cyber-Physical Systems: A Generalized Framework Based on Compensation

    This paper presents a general theory of event compensation as an information flow security enforcement mechanism for Cyber-Physical Systems (CPSs). The fundamental research problem being investigated is that externally observable events in modern CPSs have the propensity to divulge sensitive settings to adversaries, resulting in a confidentiality violation. This is a less studied yet emerging concern in modern system security. A viable method to mitigate such violations is to use information flow security based enforcement mechanisms since access control based security models cannot impose restrictions on information propagation. Further, the disjoint nature of security analysis is not appropriate for systems with highly integrated physical and cyber infrastructures. The proposed compensation based security framework is foundational work that unifies cyber and physical aspects of security through the shared semantics of information flow. A DC circuit example is presented to demonstrate this concept

    Cyber-physical security of a chemical plant

    The increasing number of cyber attacks on industries demands immediate attention for providing more secure mechanisms to safeguard industries and minimize risks. A supervisory control and data acquisition (SCADA) system employing the distributed networks of sensors and actuators that interact with the physical environment is vulnerable to attacks that target the interface between the cyber and physical subsystems. These cyber attacks are typically malicious actions that cause undesired results in the cyber physical world, for example, the Stuxnet attack that targeted Iran's nuclear centrifuges. An attack that hijacks the sensors in an attempt to provide false readings to the controller can be used to feign normal system operation for the control system, while the attacker can hijack the actuators to send the system beyond its safety range. Cyber physical systems (CPS) being used in industries such as oil and gas, chemical process plants and the like are termed Industrial Control Systems (ICS). Control system security is aimed at preventing intentional or unintentional interference with the proper operation of ICS. This thesis proposes a process-aware approach with the use of invariant equations based on the physical and chemical properties of the process and a Multiple Security Domain Nondeducibility (MSDND) framework to detect when a sensor signal is being maliciously manipulated. We have taken a benzene production plant as a case study to illustrate our approach and its effectiveness in determining the state of the system. A system without any MSDND secure information flows between the CPS and cyber monitors has fewer weaknesses that can be exploited --Abstract, page iii

    An approach for formal analysis of the security of a water treatment testbed

    This thesis focuses on securing critical infrastructures such as chemical plants, manufacturing units, and power generating plants against attacks that disrupt the information flow from one component to another. Such systems are controlled by an Industrial Control System (ICS) that includes controllers communicating with each other, and with physical sensors and actuators, using a communications network. Traditional security models partition the security universe into two worlds, secure and insecure, but in the real world the partitions often overlap and information is leaked even through physical observation, which makes it much harder to analyze a Cyber physical system (CPS). To overcome these, this thesis focuses on the Multiple Security Domain Nondeducibility (MSDND) model to identify the vulnerable points of attack on the system that hide critical information as in the STUXNET virus rather than theft of information. It is shown how MSDND analysis, conducted on a realistic multi-stage water treatment testbed, is useful in enhancing the security of a water treatment plant. Based on the MSDND analysis, this thesis offers a thorough documentation on the vulnerable points of attack, invariants used for removing the vulnerabilities, and suggested design decisions that help in developing invariants --Abstract, page iii

    CEEME: compensating events based execution monitoring enforcement for Cyber-Physical Systems

    Fundamentally, inherently observable events in Cyber-Physical Systems with tight coupling between cyber and physical components can result in a confidentiality violation. By observing how the physical elements react to cyber commands, adversaries can identify critical links in the system and force the cyber control algorithm to make erroneous decisions. Thus, there is a propensity for a breach in confidentiality leading to further attacks on availability or integrity. Due to the highly integrated nature of Cyber-Physical Systems, it is also extremely difficult to map the system semantics into a security framework under existing security models. The far-reaching objective of this research is to develop a science of self-obfuscating systems based on the composition of simple building blocks. A model of Nondeducibility composes the building blocks under Information Flow Security Properties. To this end, this work presents fundamental theories on external observability for basic regular networks and the novel concept of event compensation that can enforce Information Flow Security Properties at runtime --Abstract, page iii

    Multiple security domain nondeducibility air traffic surveillance systems

    Traditional security models partition the security universe into two distinct and completely separate worlds: high and low level. However, this partition is absolute and complete. The partition of security domains into high and low is too simplistic for more complex cyber-physical systems (CPS). Absolute divisions are conceptually clean, but they do not reflect the real world. Security partitions often overlap, frequently provide for the high level to have complete access to the low level, and are more complex than an impervious wall. The traditional models that handle situations where the security domains are complex or the threat space is ill-defined are limited to mutually exclusive worlds. These models are limited to accepting commands from a single source in a system, but the CPS accepts commands from multiple sources. This paper utilizes Multiple Security Domain Nondeducibility (MSDND) as a model to determine information flow among multiple partitions, such as those that occur in a CPS. MSDND is applied to selected aspects of Traffic Collision and Avoidance System (TCAS) and Automatic Dependent Surveillance-Broadcast (ADS-B) air traffic surveillance systems under various physical and cyber security vulnerabilities to determine when the actual operational state can, and cannot, be deduced. It is also used to determine what additional information inputs and flight physics are needed to determine the actual operational state. Several failure scenarios violating the integrity of the system are considered with mitigation using invariants --Abstract, page iii

    Security Property Violation in CPS Through Timing

    Security in a cyber-physical system (CPS) is not well understood. Interactions between components in the cyber and physical domains lead to unintended information flow. This paper makes use of formal information flow models to describe leakage in a model CPS, the Cooperating FACTS Power System. Results show that while a casual observer cannot ascertain confidential internal information, when application semantics, including timing, are considered, this confidentiality is lost. Model checking is used to verify the result. The significance of the paper is in showing an example of the complex interactions that occur between the Cyber and Physical domains and their impact on security