Manuel Cheminod

Review of Security Issues in Industrial Networks

Although awareness is constantly rising, that industrial computer networks (in a very broad sense) can be exposed to serious cyber threats, many people still think that the same countermeasures, developed to protect general-purpose computer networks, can be effectively adopted also in those situations where a physical system is managed/controlled through some distributed Information and Communication Technology (ICT) infrastructure. Unfortunately, this is not the case, as several examples of successful attacks carried out in the last decade, and more frequently in the very recent past, have dramatically shown. Experts in this area know very well that often the peculiarities of industrial networks prevent the adoption of classical approaches to their security and, in particular, of those popular solutions that are mainly based on a detect and patch philosophy. This paper is a contribution, from the security point of view, to the assessment of the current situation of a wide class of industrial distributed computing systems. In particular, the analysis presented in this paper takes into account the process of ensuring a satisfactory degree of security for a distributed industrial system, with respect to some key elements such as the system characteristics, the current state of the art of standardization and the adoption of suitable controls (countermeasures) that can help in lowering the security risks below a predefined, acceptable threshold.

Formal Vulnerability Analysis of a Security System for Remote Fieldbus Access

As fieldbus networks are becoming accessible from the Internet, security mechanisms to grant access only to authorized users and to protect data are becoming essential. This paper proposes a formally based approach to the analysis of such systems, both at the security protocols level and at the system architecture level. This multilevel analysis allows the evaluation of the effects of an attack on the overall system, due to security problems that affect the underlying security protocols. A case study on a typical fieldbus security system validates the approach.

Detecting Chains of Vulnerabilities in Industrial Networks

In modern factories, personal computers are starting to replace traditional programmable logic controllers, due to cost and flexibility reasons, and also because their operating systems now support programming environments even suitable for demanding real-time applications. These characteristics, as well as the ready availability of many software packages covering any kind of needs, have made the introduction of PC-based devices at the factory field level especially attractive. However, this approach has a profound influence on the extent of threats that a factory computing infrastructure shall be prepared to deal with. In fact, industrial personal computers share the same kinds of vulnerabilities with their office automation counterparts. Then, their introduction increases the risk of cyber-attacks. As the complexity of the network grows, the problem rapidly becomes hard to tackle by hand, due to the subtle and unforeseen interactions that may occur among apparently unrelated vulnerabilities, thus bearing the focus on the full automation of the analysis. Going into this direction, this paper presents a software tool that, given an accurate and machine-readable description of vulnerabilities, detects whether or not they are of concern and evaluates consequences in the context of a factory network.

On the description of access control policies in networked industrial systems

The specification and verification of access control policies are fundamental steps in the process of securing industrial control systems and critical infrastructures. The focus of this paper is on bridging the semantic gap between high-level access control policies specified in the Role-Based Access Control (RBAC) framework and the low-level security mechanisms actually implemented in the physical system. Our approach is based on a novel kind of model, which includes two distinct views of the system, namely an RBAC-based specification and a low-level system description. The descriptive capabilities of the model are presented through an example derived from a real prototype plant for printed circuit boards re-manufacturing/de-manufacturing.

Automatic analysis of security policies in industrial networks

The protection of ICT systems is a topic whose importance has been dramatically growing in the last years. In fact, their increased interconnection, both internal and through the Internet, besides having provided higher and inexpensive flexibility (e.g. remote access, management and configuration), has also made them more subject to a wide range of (remotely exploitable) attacks and damages. This paper shows how security policies for industrial systems can be defined in the framework of standard recommendations, and especially checked with the help of an automatic analysis tool, thus leading to a set of security policies whose design and implementation match the expected security requirements. In particular, a suitable example highlights how the tool can profitably help through the steps from the design to the implementation of security policies in an industrial network.

Tools for cryptographic protocols analysis: A technical and experimental comparison

The tools for cryptographic protocols analysis based on state exploration are designed to be completely automatic and should carry out their job with a reasonable amount of computing and storage resources, even when run by users having a limited amount of expertise in the field. This paper compares four tools of this kind to highlight their features and ability to detect bugs under the same experimental conditions. To this purpose, the ability of each tool to detect known flaws in a uniform set of well-known cryptographic protocols has been checked. Results are also given on the relative performance of the tools when analysing several known-good protocols with an increasing number of parallel sessions.

System configuration check against security policies in industrial networks

Awareness that networked embedded systems are vulnerable to cyber-threats has been constantly raising since some years ago. In the industrial arena recent severe attacks, such as the popular case of the Stuxnet worm, have completely debunked the myth of security of embedded devices based on their isolation. Indeed, the ever increasing dependence of many industrial systems on digital communication networks is causing the cyber-security requirements to become a priority in their planning, design, deployment and management. This paper deals with our experience in checking the conformance of a distributed industrial automation system, which includes several types of embedded devices, with respect to a set of security policies defined at the global system level. In particular, the focus of the paper is on the use of modeling techniques and semi-automated s/w tools to verify the configuration of devices and services with attention to the correct use of their security capabilities to support the desired set of policies.

Analysis of access control policies in networked embedded systems: A case study

The increasing adoption of networked embedded devices in the industrial scenario demands for new techniques and computer-aided tools that could help in designing, deploying and maintaining large and complex systems. This is true, in particular, when access control is considered, since the hardware and software characteristics of many industrial embedded devices prevent the introduction of policies enforcement mechanisms at a global system level. This paper deals with our experience in analyzing the correct implementation of access policies in a medium-sized real-world system. Our approach is based on an innovative type of model and software analyzer, which is able to compare two different views of the target system, described at different abstraction levels.

Semiautomated Verification of Access Control Implementation in Industrial Networked Systems

Access control is a necessary building block in the security of any kind of cyber system and, in this sense, industrial networked systems (INSs) make no exception. Typically, access control policies are specified at a high implementation-independent level of abstraction and then mapped onto the real system by leveraging available policy enforcement mechanisms. Unfortunately, different from general-purpose ICT systems, enforcement mechanisms are generally very basic in INS. As a consequence, verifying the correctness of policy implementation becomes a crucial task, especially cumbersome when it needs to be carried out entirely by hand. This paper presents a new methodology, which also serves as the basis of a purposely developed software tool conceived to cope with the lack of policy enforcement mechanisms in INS and to allow semiautomatic verification of policy implementation. Our approach is based on a twofold system model that enables both the abstract specification of access control policies and the detailed description of the target physical system. These two separate views are then combined to automatically determine whether the current system implementation matches the policy specification.

On the analysis of vulnerability chains in industrial networks

The ever-increasing adoption at the factory field level of COTS (commercial off-the-shelf) hardware and software to host both real-time control tasks and a general-purpose operating system on the same machine is profoundly influencing the extent of threats that a factory network and computing infrastructure shall be prepared to deal with. In fact, these machines share with their office automation counterparts the same kinds of vulnerabilities and, being often interconnected to computers providing services to the public, are prone to cyber-attacks. In this paper, the architecture and use of a software tool able to analyse a factory network for vulnerabilities are described. Automating the analysis is of outmost importance because, as the complexity of the network grows, the problem rapidly becomes hard to tackle by hand due to the subtle interactions that may occur among apparently unrelated vulnerabilities.