Roman Schlegel

Structured system threat modeling and mitigation analysis for industrial automation systems

Industrial control systems are an important part of critical infrastructures and their uninterrupted operation is important for many aspects of society. In recent years these systems have come under more scrutiny, as reports about attacks on them have become more frequent. There is therefore a need to better secure them, and the first step to achieve this is to identify the threat landscape for such systems. This is typically done by creating a threat model of a system, enumerating the potential threats, and then devising mitigation options based on the discovered threats. However, many of the available threat modeling methods and tools target very specific systems (e.g., software components), and do not lend themselves well to evaluating diverse systems or abstract reference architectures of systems. In this paper we present a methodology for system threat modeling that addresses this gap, by enabling the modeling of a diverse range of systems and reference architectures of systems. Furthermore, the methodology provides additional functionality, such as guiding the user in the completion of a threat model and automatically detecting unmitigated threats in a system. In addition, our methodology also takes mitigation into account by modeling the security components in a system. We have implemented the methodology in a web-based tool, and also evaluated the tool on a reference architecture of a complex automation system, validating both the approach and the tool.

Security assessment methodology for industrial control system products

Industrial control systems (ICS) are at the heart of critical infrastructures and security is therefore important for such systems. In order to determine the security level of existing and planned systems, ICS products should be efficiently and comprehensively assessed. In this paper we present a methodology for assessing the security of a product or a system that can be used by security experts and non-experts alike. The methodology contains specific and concrete security recommendations (what), a rationale for each recommendation (why) as well as concrete implementation guidance (how). The methodology aims to help product teams to quickly and efficiently assess the security level of their products, prioritize resources on future development efforts, and generate security requirements for future products. We validate the approach by applying a concrete instantiation of the methodology to a fictitious ICS product.

Automatic attack surface reduction in next-generation industrial control systems

Industrial control systems are often large and complex distributed systems and therefore expose a large potential attack surface. Effectively minimizing this attack surface requires security experts and significant manpower during engineering and maintenance of the system. This task, which is already difficult for todays control systems, will become significantly more complex for tomorrows systems, which can reconfigure themselves dynamically, e.g., if hardware failures occur. In this article, we present a dynamic security system which can automatically minimize the attack surface of a control systems communication network. This security system is specifically designed for next-generation industrial control systems, but can also be applied in current generation systems. The presented security system adapts the necessary parameters of network and security controls according to the underlying changes in the control system environment. This ensures a better cyber security resilience against system compromise and reduces the attack surface because security controls will only allow data transfer that is required by the control application. Our evaluations for a next generation industrial control system and a current generation substation automation system show that the attack surface can be reduced by up to 90%, depending on the size and actual configuration of the control system.

A security evaluation of IEC 62351

Abstract IEC 62351 is an industry standard aimed at improving security in automation systems in the power system domain. It contains provisions to ensure the integrity, authenticity and confidentiality for different protocols used in power systems. In this article we look at the different parts of IEC 62351 and assess to what extent the standard manages to improve security in automation systems. We also point out some incongruities in the algorithms or parameters chosen in parts of the standard. Overall, we conclude that the standard can significantly improve security in power systems if applied comprehensively, but we also note that the need to preserve (partial) backwards-compatibility has led to some design choices that provide less security than could have been achieved with a more ambitious approach.

Secure design of engineering software tools in Industrial Automation and Control Systems

Industrial Automation and Control Systems (IACS) used in critical infrastructure typically perform their tasks using embedded devices. While the security of the embedded devices during the operation of the system is naturally the focus of security considerations, the security of the engineering framework is often overlooked. In this paper, we model the trust boundaries of a typical engineering tool used in an IACS, identify security risks in this context, suggest mitigation techniques for end users, and finally propose an architecture that allows to implement secure engineering frameworks.

A framework for incident response in industrial control systems

Industrial control systems are used to control and supervise plants and critical infrastructures. They are crucial for operation of many industries and even society at large. However, despite efforts to secure such systems, there are frequent reports of incidents that lead to problems because of human error (e.g., installing unauthorized software on a mission-critical machine) or even cyber attacks. While such incidents should be prevented in the first place, it is not feasible to achieve 100% security; therefore, operators should be prepared to deal with incidents promptly and efficiently if they occur. In this paper, we present a general methodology and framework for investigating incidents in industrial control systems. The methodology is supported by a tool to automate an investigation, especially to efficiently determine the state of files on a device after an incident. This enables faster recovery from incidents by being able to identify suspicious files and focus on the files that have been modified compared to the initially installed files, or a previously taken baseline. An evaluation confirms the applicability of the methodology for an embedded industrial controller and for an industrial control system.