
    STPA-SafeSec: Safety and Security Analysis for Cyber-Physical Systems

    Cyber-physical systems tightly integrate physical processes and information and communication technologies. As today's critical infrastructures, e.g., the power grid or water distribution networks, are complex cyber-physical systems, ensuring their safety and security becomes of paramount importance. Traditional safety analysis methods, such as HAZOP, are ill-suited to assess these systems. Furthermore, cybersecurity vulnerabilities are often not considered critical, because their effects on the physical processes are not fully understood. In this work, we present STPA-SafeSec, a novel analysis methodology for both safety and security. Its results show the dependencies between cybersecurity vulnerabilities and system safety. Using this information, the most effective mitigation strategies to ensure safety and security of the system can be readily identified. We apply STPA-SafeSec to a use case in the power grid domain, and highlight its benefits.

    Security of Cyber-Physical Systems

    Cyber-physical system (CPS) innovations, in conjunction with their sibling computational and technological advancements, have positively impacted our society, leading to the establishment of new horizons of service excellence in a variety of applicational fields. With the rapid increase in the application of CPSs in safety-critical infrastructures, their safety and security are the top priorities of next-generation designs. The extent of potential consequences of CPS insecurity is large enough to ensure that CPS security is one of the core elements of the CPS research agenda. Faults, failures, and cyber-physical attacks lead to variations in the dynamics of CPSs and cause the instability and malfunction of normal operations. This reprint discusses the existing vulnerabilities and focuses on detection, prevention, and compensation techniques to improve the security of safety-critical systems.

    Conceptual Systems Security Analysis Aerial Refueling Case Study

    In today's highly interconnected and technology-reliant environment, systems security is rapidly growing in importance to complex systems such as automobiles, airplanes, and defense-oriented weapon systems. While systems security analysis approaches are critical to improving the security of these advanced cyber-physical systems-of-systems, such approaches are often poorly understood and applied in ad hoc fashion. To address these gaps, first a study of key architectural analysis concepts and definitions is provided with an assessment of their applicability towards complex cyber-physical systems. From this initial work, a definition of cybersecurity architectural analysis for cyber-physical systems is proposed. Next, the System Theory Theoretic Process Analysis approach for Security (STPA-Sec) is tailored and presented in three phases which support the development of conceptual-level security requirements, applicable design-level criteria, and architectural-level security specifications. This work uniquely presents a detailed case study of a conceptual-level systems security analysis of a notional aerial refueling system based on the tailored STPA-Sec approach. This work is critically important for advancing the science of systems security engineering by providing a standardized approach for understanding security, safety, and resiliency requirements in complex systems with traceability and testability.

    Protecting critical infrastructure systems using cyber, physical, and socio-technical models

    Critical infrastructure systems are vital to all nations, and incapacitating such systems can result in devastating impact on the general public. Therefore, it is essential to protect such systems from malicious threats. Today, the increasing interconnectedness of critical infrastructure systems has greatly improved system efficiency at the cost of a larger attack surface. In recent years, we have seen cyber-attack campaigns in addition to physical attacks on various critical infrastructure systems around the world. Thus it is important to protect such systems from adversarial physical and cyber threats. In this dissertation, we propose to protect critical infrastructure systems by (1) assessing the safety of the system and (2) detecting malicious physical threats on the system by using models that integrate the cyber, physical, and human domains. We support our dissertation statement by applying our contributions to a railway system case study. First, we perform a security analysis to identify malicious threats and suggest potential detection mechanisms to strengthen the system defense. We define a general ontology that represents cyber-physical system components and relationships among them, and cyber and physical actions by a human actor. We model a railway station using concepts from that ontology, and feed the model into the ADVISE tool to automatically generate an attack execution graph. We analyze that attack execution graph and show that the addition of a potential defense system for physical movement is an effective mechanism for improving system security. We then conduct a safety analysis to identify potential cyber attacks on the railway signaling system that would violate system safety. To do so, we use networks of timed automata to model the cyber-physical control feedback loop that drives system service. We develop a set of transformations on state automata that represent combinations of cyber actions of a human actor. Then, we perform model checking to identify the cyber attack scenarios that would compromise system safety. We demonstrate that while certain safety countermeasures can mitigate attacks by outsider adversaries, attacks by insider adversaries would still succeed. Reapplication of our security analysis with the addition of the cyber-attack vectors that we discovered shows that adversaries prefer to use physical and social means to gain access to the railway station and attack the system. Thus, to strengthen the physical security of the system, we develop defense systems that detect suspicious physical movement by human actors in a railway station. We identify abnormal movement behavior by comparing sequences of movement to historic normal movement models. In doing so, we first build models of normal movement behavior by using historic building access control logs. Then, in real-time, we screen physical accesses and check for deviations in users' behavior from the normal movement behavior model. If we find any, we flag those physical accesses as suspicious. We show that our detection approach is able to flag suspicious behavior with increasing likelihood as the malicious movement sequence increases. We then develop approaches to identify tailgating in building access control logs by using physical constraints about human movement and space occupancy. This work was motivated by the observation that adversaries may thwart building access control systems by physical and social means, e.g., by "tailgating," or following closely behind, an authorized person. We use cyber and physical data sources to build models of the physical locations of people. Then, we flag tailgating instances when the physical constraints on human movement and space occupancy are violated. We show that our detection approach is able to identify certain tailgating scenarios and that the addition of other data sources, such as physical data sources, allows us to build a more complete model of physical location. Finally, we reapply our security analysis with the addition of defense systems. The results of our analysis show that the inclusion of the defense systems incentivizes adversaries to expend more effort and time to launch a cyber-attack campaign instead of attempting to gain access to the railway station. Therefore, our defense systems help to strengthen the overall security posture of the system. In conclusion, we identify several cyber and physical attack scenarios that would affect system safety, and we develop physical defense systems that demonstrably increase the system's security posture. Thus, in this dissertation, we present an integration of security analysis, safety analysis, and system defense that uses cyber, physical, and socio-technical models to protect critical infrastructure systems.