Abstract
This chapter describes the formal modeling and machine-checking of a bump-in-the-wire device that secures field device communications in industrial control networks. Field devices serve as the connection points between computer-based control systems and the physical processes being controlled. Industrial control network traffic is routinely checked for transmission errors, but limited mechanisms are available for combating attacks that exploit industrial control protocols to target critical infrastructure assets.
This chapter focuses on a bump-in-the-wire solution that can be retrofitted to field devices to provide security functionality. The TLA+ formal specification language, in combination with the isolation guarantees provided by the seL4 microkernel, is used to demonstrate that the bump-in-the-wire solution provides important security and liveness properties. The resulting machine-checked system correctly applies hash-based message authentication to verify the authenticity of incoming messages while being resistant to attacks.
© 2019 IFIP International Federation for Information Processing
Cite this paper
Sabraoui, M., Hieb, J., Lauf, A., Graham, J. (2019). Modeling and Machine-Checking Bump-in-the-Wire Security for Industrial Control Systems. In: Staggs, J., Shenoi, S. (eds) Critical Infrastructure Protection XIII. ICCIP 2019. IFIP Advances in Information and Communication Technology, vol 570. Springer, Cham. https://doi.org/10.1007/978-3-030-34647-8_14
DOI: https://doi.org/10.1007/978-3-030-34647-8_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-34646-1
Online ISBN: 978-3-030-34647-8