Luca Durante

Review of Security Issues in Industrial Networks

Although awareness is constantly rising, that industrial computer networks (in a very broad sense) can be exposed to serious cyber threats, many people still think that the same countermeasures, developed to protect general-purpose computer networks, can be effectively adopted also in those situations where a physical system is managed/controlled through some distributed Information and Communication Technology (ICT) infrastructure. Unfortunately, this is not the case, as several examples of successful attacks carried out in the last decade, and more frequently in the very recent past, have dramatically shown. Experts in this area know very well that often the peculiarities of industrial networks prevent the adoption of classical approaches to their security and, in particular, of those popular solutions that are mainly based on a detect and patch philosophy. This paper is a contribution, from the security point of view, to the assessment of the current situation of a wide class of industrial distributed computing systems. In particular, the analysis presented in this paper takes into account the process of ensuring a satisfactory degree of security for a distributed industrial system, with respect to some key elements such as the system characteristics, the current state of the art of standardization and the adoption of suitable controls (countermeasures) that can help in lowering the security risks below a predefined, acceptable threshold.

Automatic testing equivalence verification of spi calculus specifications

Testing equivalence is a powerful means for expressing the security properties of cryptographic protocols, but its formal verification is a difficult task because of the quantification over contexts on which it is based. Previous articles have provided insights into using theorem-proving for the verification of testing equivalence of spi calculus specifications. This article addresses the same verification problem, but uses a state exploration approach. The verification technique is based on the definition of an environment-sensitive, labeled transition system representing a spi calculus specification. Trace equivalence defined on such a transition system coincides with testing equivalence. Symbolic techniques are used to keep the set of traces finite. If a difference in the traces of two spi descriptions (typically a specification and the corresponding implementation of a protocol) is found, it can be used to automatically build the spi calculus description of an intruder process that can exploit the difference.

Spi2Java: automatic cryptographic protocol Java code generation from spi calculus

The aim of this work is to describe a tool (Spi2Java) that automatically generates Java code implementing cryptographic protocols described in the formal specification language spi calculus. Spi2Java is part of a set of tools for spi calculus, also including a preprocessor, a parser, and a security analyzer. The latter can formally analyze protocols and detect protocol flaws. When a protocol has been analyzed and an adequate confidence about its correctness has been reached, Spi2Java can generate a corresponding correct Java implementation of the protocol, thus dramatically reducing the risk of introducing security flaws in the coding phase.

Standard field bus networks for industrial applications

Abstract This paper deals with three emerging proposals for standardizing industrial field bus networks. Even though significant work is being done by some international organizations to develop suitable field bus standards, a wide consensus is still to be reached on which features this kind of subnetworks must exhibit and on the protocol mechanisms which are necessary to support them. The aim of this paper is to present the solutions introduced in FIP, PROFIBUS, and SERCOS network architectures which have already been adopted as national standards by some European countries. These field buses are compared briefly and some formulas are introduced in order to offer the reader a preliminary evaluation of the performance which can be expected from this kind of systems.

A new CAN-like field network based on a star topology

Abstract Because of the particular medium access technique they adopt, Controller Area Networks (CAN) suffer from an intrinsic drawback which severely limits the maximum bus length allowed at high bit rates. In this paper, a new proposal is presented, which is based on a star topology and enables to enlarge the CAN network extension more than 10 times or, equivalently, to increase the bit rate of the same factor. In the proposed scheme, a star coupler takes part actively in the arbitration phase by disabling on-the-fly all the nodes which lose the contention, so that the increased propagation delays can be dealt with properly. The new mechanism shows a behaviour that is very similar to CAN, thus a reasonable degree of compatibility with the original protocol and the technology of the existing devices can be preserved.

A State-Exploration Technique for Spi-Calculus Testing Equivalence Verification

Several verification techniques based on theorem proving have been developed for the verification of security properties of cryptographic protocols specified by means of the spi calculus. However, to be used successfully, such powerful techniques require skilled users. Here we introduce a different technique which can overcome this drawback by allowing users to carry out the verification task in a completely automatic way. It is based on the definition of an extended labeled transition system, where transitions are labeled by means of the new knowledge acquired by the external environment as the result of the related events. By means of bounding the replication of parallel processes to a finite number, and by using an abstract representation of all explicitly allowed values in interactions between the spi process and the environment, the number of states and transitions remains finite and tractable, thus enabling the use of state-space exploration techniques for performing verification automatically.

Comparing Lexical Analysis Tools for Buffer Overflow Detection in Network Software

Many of the bugs in distributed software modules are security vulnerabilities, the most common and also the most exploited of which are buffer overflows and they typically arise in programs written in the C language. This paper, focusing on static analysis tools for detecting buffer overflows in C programs, presents a methodology for experimentally evaluating and comparing the main objective features of such tools. The proposed method is based on testing all the tools on a common set of publicly available, open source software packages, and makes use of specific metrics defined to evaluate the main tool features. In particular, the evaluation aims at quantifying how close the tool is to a complete and sound tool. Our approach has been applied for an initial evaluation of the class of static analysis tools that are based on lexical analysis, using as test cases three well known network software packages. The results obtained, illustrated and commented on in this paper, offer some interesting indications

A twofold model for the analysis of access control policies in industrial networked systems

Requirements concerning the specification and correct implementation of access control policies have become more and more popular in industrial networked systems during the last years. Unfortunately, the peculiar characteristics of industrial systems often prevent the designer from taking full advantage of technologies and techniques already developed and profitably employed in other application areas. In particular, the unavailability and/or impossibility of adopting hardware (h/w) and software (s/w) mechanisms able to automatically enforce the policies defined at a high level of abstraction, often results in checking the correctness of policy implementation in the real system manually. The first step towards carrying out this cumbersome task in an automated way is the development of a model able to capture both the high level policy specification as well as the details and low-level mechanisms characterizing the actual system implementation. This paper introduces a twofold model for the description of access control policies in industrial environments aimed at coping with this requirement and which can be profitably adopted in several kinds of automated analysis. A model to describe access control policies in industrial networked systems.The model allows the high level description of access control policies in RBAC.The model allows the detailed description of the real system low level mechanisms.The model allows automated analysis of the correctness of policy implementation.

Automatic analysis of security policies in industrial networks

The protection of ICT systems is a topic whose importance has been dramatically growing in the last years. In fact, their increased interconnection, both internal and through the Internet, besides having provided higher and inexpensive flexibility (e.g. remote access, management and configuration), has also made them more subject to a wide range of (remotely exploitable) attacks and damages. This paper shows how security policies for industrial systems can be defined in the framework of standard recommendations, and especially checked with the help of an automatic analysis tool, thus leading to a set of security policies whose design and implementation match the expected security requirements. In particular, a suitable example highlights how the tool can profitably help through the steps from the design to the implementation of security policies in an industrial network.

Tools for cryptographic protocols analysis: A technical and experimental comparison

The tools for cryptographic protocols analysis based on state exploration are designed to be completely automatic and should carry out their job with a reasonable amount of computing and storage resources, even when run by users having a limited amount of expertise in the field. This paper compares four tools of this kind to highlight their features and ability to detect bugs under the same experimental conditions. To this purpose, the ability of each tool to detect known flaws in a uniform set of well-known cryptographic protocols has been checked. Results are also given on the relative performance of the tools when analysing several known-good protocols with an increasing number of parallel sessions.