Industrial Control Systems Security via Runtime Enforcement

IF 3 4区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

ACM Transactions on Privacy and Security Pub Date : 2022-11-09 DOI:https://dl.acm.org/doi/10.1145/3546579

Ruggero Lanotte, Massimo Merro, Andrei Munteanu

{"title":"Industrial Control Systems Security via Runtime Enforcement","authors":"Ruggero Lanotte, Massimo Merro, Andrei Munteanu","doi":"https://dl.acm.org/doi/10.1145/3546579","DOIUrl":null,"url":null,"abstract":"With the advent of Industry 4.0, industrial facilities and critical infrastructures are transforming into an ecosystem of heterogeneous physical and cyber components, such as programmable logic controllers, increasingly interconnected and therefore exposed to cyber-physical attacks, i.e., security breaches in cyberspace that may adversely affect the physical processes underlying industrial control systems.In this article, we propose a formal approach based on runtime enforcement to ensure specification compliance in networks of controllers, possibly compromised by colluding malware that may locally tamper with actuator commands, sensor readings, and inter-controller communications. Our approach relies on an ad-hoc sub-class of Ligatti et al.’s edit automata to enforce controllers represented in Hennessy and Regan’s Timed Process Language. We define a synthesis algorithm that, given an alphabet 𝒫 of observable actions and a timed correctness property e, returns a monitor that enforces the property e during the execution of any (potentially corrupted) controller with alphabet 𝒫, and complying with the property e. Our monitors do mitigation by correcting and suppressing incorrect actions of corrupted controllers and by generating actions in full autonomy when the controller under scrutiny is not able to do so in a correct manner. Besides classical requirements, such as transparency and soundness, the proposed enforcement enjoys deadlock- and diverge-freedom of monitored controllers, together with scalability when dealing with networks of controllers. Finally, we test the proposed enforcement mechanism on a non-trivial case study, taken from the context of industrial water treatment systems, in which the controllers are injected with different malware with different malicious goals.","PeriodicalId":56050,"journal":{"name":"ACM Transactions on Privacy and Security","volume":"23 1","pages":""},"PeriodicalIF":3.0000,"publicationDate":"2022-11-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Transactions on Privacy and Security","FirstCategoryId":"94","ListUrlMain":"https://doi.org/https://dl.acm.org/doi/10.1145/3546579","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

With the advent of Industry 4.0, industrial facilities and critical infrastructures are transforming into an ecosystem of heterogeneous physical and cyber components, such as programmable logic controllers, increasingly interconnected and therefore exposed to cyber-physical attacks, i.e., security breaches in cyberspace that may adversely affect the physical processes underlying industrial control systems.

In this article, we propose a formal approach based on runtime enforcement to ensure specification compliance in networks of controllers, possibly compromised by colluding malware that may locally tamper with actuator commands, sensor readings, and inter-controller communications. Our approach relies on an ad-hoc sub-class of Ligatti et al.’s edit automata to enforce controllers represented in Hennessy and Regan’s Timed Process Language. We define a synthesis algorithm that, given an alphabet 𝒫 of observable actions and a timed correctness property e, returns a monitor that enforces the property e during the execution of any (potentially corrupted) controller with alphabet 𝒫, and complying with the property e. Our monitors do mitigation by correcting and suppressing incorrect actions of corrupted controllers and by generating actions in full autonomy when the controller under scrutiny is not able to do so in a correct manner. Besides classical requirements, such as transparency and soundness, the proposed enforcement enjoys deadlock- and diverge-freedom of monitored controllers, together with scalability when dealing with networks of controllers. Finally, we test the proposed enforcement mechanism on a non-trivial case study, taken from the context of industrial water treatment systems, in which the controllers are injected with different malware with different malicious goals.

查看原文本刊更多论文

通过运行时强制实现工业控制系统的安全性

随着工业4.0的到来，工业设施和关键基础设施正在转变为一个由异构物理和网络组件组成的生态系统，如可编程逻辑控制器，它们之间的互联程度越来越高，因此容易受到网络物理攻击，即网络空间中的安全漏洞，可能会对工业控制系统底层的物理过程产生不利影响。在本文中，我们提出了一种基于运行时强制的正式方法，以确保控制器网络中的规范遵从性，可能会受到串通恶意软件的损害，这些恶意软件可能会在本地篡改执行器命令、传感器读数和控制器间通信。我们的方法依赖于Ligatti等人的编辑自动机的一个特别子类来强制使用Hennessy和Regan的定时过程语言表示的控制器。我们定义了一个综合算法，给定可观察动作的字母集合集合和时间正确性属性e，返回一个监视器，该监视器在执行任何具有字母集合集合集合集合的(可能损坏的)控制器期间强制执行属性e，并遵守属性e。我们的监视器通过纠正和抑制损坏控制器的不正确动作以及在被检查的控制器无法以正确的方式生成完全自主的动作来进行缓解。除了透明和健全等经典要求外，所提出的强制执行还具有被监视控制器的死锁和发散自由，以及处理控制器网络时的可扩展性。最后，我们在一个重要的案例研究中测试了所提出的执行机制，该案例研究取自工业水处理系统的背景，其中控制器被注入了具有不同恶意目标的不同恶意软件。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

ACM Transactions on Privacy and Security Computer Science-General Computer Science

CiteScore

5.20

自引率

0.00%

发文量

期刊介绍： ACM Transactions on Privacy and Security (TOPS) (formerly known as TISSEC) publishes high-quality research results in the fields of information and system security and privacy. Studies addressing all aspects of these fields are welcomed, ranging from technologies, to systems and applications, to the crafting of policies.