Elena Lisova

Towards secure wireless TTEthernet for industrial process automation applications

TTEthernet is a communication platform which builds on Ethernet, but extends it to include fault-tolerance and real-time mechanisms. The existing TTEthernet technology is developed for wired networks. A natural step for improving and extending the current application field is the introduction of a mixed wired and wireless network. However, this step requires research both about possible adaptation of existing systems as well as implementation of new technologies. A central research question is the security aspects of real-time sensor networks using wired and wireless technologies based on TTEthernet. In this paper, we identify and classify the most important aspects to consider in order to provide secure communications in such safety-critical industrial applications and propose a potential solution to address identified issues.

Next generation real-time networks based on IT technologies

Ethernet-based networks have found their way into industrial communication more than a decade ago. However, while industry and academia developed Ethernet variants to also meet real-time and fault-tolerant requirements, recent standardization efforts within the IEEE 802 will broadly bring standard IT switched Ethernet in future industrial communication networks. As first standards of IEEE 802.1 time-sensitive networking (TSN) are becoming published at the time of this writing, we review these standards and formulate further research challenges that still go beyond current standard developments. Furthermore, we report on recent research results from the RetNet project that target these research challenges.

Protecting Clock Synchronization

Nowadays, industrial networks are often used for safety-critical applications with real-time requirements. Such applications usually have a time-triggered nature with message scheduling as a core property. Scheduling requires nodes to share the same notion of time, that is, to be synchronized. Therefore, clock synchronization is a fundamental asset in real-time networks. However, since typical standards for clock synchronization, for example, IEEE 1588, do not provide the required level of security, it raises the question of clock synchronization protection. In this paper, we identify a way to break synchronization based on the IEEE 1588 standard, by conducting a man-in-the-middle MIM attack followed by a delay attack. A MIM attack can be accomplished through, for example, Address Resolution Protocol ARP poisoning. Using the AVISPA tool, we evaluate the potential to perform a delay attack using ARP poisoning and analyze its consequences showing both that the attack can, indeed, break clock synchronization and that some design choices, such as a relaxed synchronization condition mode, delay bounding, and using knowledge of environmental conditions, can make the network more robust/resilient against these kinds of attacks. Lastly, a Configuration Agent is proposed to monitor and detect anomalies introduced by an adversary performing attacks targeting clock synchronization.

Risk evaluation of an ARP poisoning attack on clock synchronization for industrial applications

Nowadays, mixed wireless and wired networks are used everywhere in everyday life, including in industry where they often support time-critical applications. Industrial applications with high precision requirements are subject to real-time constraints, and thus one of the main assets, regardless of application area, is clock synchronization. Considering such networks, synchronization is the first thing to secure against a possible malicious adversary. In this paper, we consider ARP poisoning as a possible technique to disrupt clock synchronization and evaluate the effects of such an attack on the IEEE 1588 standard. We describe possible ways of performing ARP poisoning to disrupt synchronization and survey several mitigation techniques and their applicability within the industrial application area.

Game theory applied to secure clock synchronization with IEEE 1588

Industrial applications usually have real-time requirements or high precision timing demands. For such applications, clock synchronization is one of the main assets that needs to be protected against malicious attacks. To provide sufficient accuracy for distributed time-critical applications, appropriate techniques for preventing or mitigating delay attacks that breach clock synchronization are needed. In this paper, we apply game theory to investigate possible strategies of an adversary, performing attacks targeting clock synchronization on the one hand and a network monitor, aiming to detect anomalies introduced by the adversary on the other. We investigate the interconnection of payoffs for both sides and propose the quarantine mode as a mitigation technique. Delay attacks with constant, linearly increasing, and randomly introduced delays are considered, and we show how the adversary strategy can be estimated by evaluating the detection coefficient, giving the network monitor the possibility to deploy appropriate protection techniques.

Delay attack versus clock synchronization — A time chase

Clock synchronization is one of the most essential assets for distributed real-time systems, as sensing, control and actuation require synchronized communication to meet real-time deadlines. We propose a distributed monitoring method to detect if an adversary is interfering with the clock synchronization protocol. The monitor uses certain network indicators and a set of rules to decide about switching between Normal, Quarantine or Attack Detected states. Further, we propose a way to define thresholds for decision-making based on theoretical analysis of the indicator values influenced by an attack. In addition, we formulate the problem of adversary influence detection in the network as a detection theory problem and use it to derive an additional indicator for the network monitor. Finally, we analyze the time chase between the monitor and an adversary to investigate which factors influence the final outcome.

Incorporating Attacks Modeling into Safety Process.

Systems of systems (SoS) are built as a collection of systems capable of fulfilling their own function, as well as contributing to other functionalities. They are expected to increase production efficiency and possibly decrease human involvement in harmful environments, and in many cases such systems are safety-critical. For SoS it is a paramount to provide both safety and security assurance. It is not sufficient to analyze and provide assurance of these properties independently due to their mutual connection. Hence, a joint effort addressing safety and security that provides joint guarantees on both properties, is required. In this paper we provide a safety and security assurance argument by incorporating an adversary point of view, and identify potential failures coming from the security domain that might lead to an already identified set of hazards. In this way system assets, vulnerabilities and ways to exploit them can be assessed. As an outcome mitigation strategies coming from security considerations can be captured by the safety requirements. The approach is illustrated on an autonomous quarry.

Agent-Centred Approach for Assuring Ethics in Dependable Service Systems

As the world enters the information era, more and more dependable services controlling and even making our decisions are moved to the ubiquitous smart devices. While various standards are in place to impose the societal ethical norms on decision-making of those devices, the rights of the individuals to satisfy their own moral norms are not addressed with the same scrutiny. Hence, the right of the individuals to reason on their own and evaluate morality of certain decisions is at stake. In this work we propose an agent-centred approach for assuring ethics in dependable technological service systems. We build upon assurance of safety and security and propose the notion of ethics assurance case as a way to assure that individual users have been made aware of all the ethically challenging decisions that might be performed or enabled by the service provider. We propose a framework for identifying and categorising ethically challenging decisions, and documenting the ethics assurance case. We apply the framework on an illustrative example.