-
STPA-driven Multilevel Runtime Monitoring for In-time Hazard Detection
Authors:
Smitha Gautham,
Georgios Bakirtzis,
Alexander Will,
Athira V. Jayakumar,
Carl R. Elks
Abstract:
Runtime verification or runtime monitoring equips safety-critical cyber-physical systems to augment design assurance measures and ensure operational safety and security. Cyber-physical systems have interaction failures, attack surfaces, and attack vectors resulting in unanticipated hazards and loss scenarios. These interaction failures pose challenges to runtime verification regarding monitoring specifications and monitoring placements for in-time detection of hazards. We develop a well-formed workflow model that connects system theoretic process analysis, commonly referred to as STPA, hazard causation information to lower-level runtime monitoring to detect hazards at the operational phase. Specifically, our model follows the DepDevOps paradigm to provide evidence and insights to runtime monitoring on what to monitor, where to monitor, and the monitoring context. We demonstrate and evaluate the value of multilevel monitors by injecting hazards on an autonomous emergency braking system model.
Submitted 22 June, 2022; v1 submitted 19 April, 2022;
originally announced April 2022.
-
Fundamental Challenges of Cyber-Physical Systems Security Modeling
Authors:
Georgios Bakirtzis,
Garrett L. Ward,
Christopher J. Deloglos,
Carl R. Elks,
Barry M. Horowitz,
Cody H. Fleming
Abstract:
Systems modeling practice lacks security analysis tools that can interface with modeling languages to facilitate security by design. Security by design is a necessity in the age of safety critical cyber-physical systems, where security violations can cause hazards. Currently, the overlap between security and safety is narrow. But deploying cyber-physical systems means that today's adversaries can intentionally trigger accidents. By implementing security assessment tools for modeling languages we are better able to address threats earlier in the system's lifecycle and, therefore, assure their safe and secure behavior in their eventual deployment. We posit that cyber-physical systems security modeling is practiced insufficiently because it is still addressed similarly to information technology systems.
Submitted 30 April, 2020;
originally announced May 2020.
-
Data Driven Vulnerability Exploration for Design Phase System Analysis
Authors:
Georgios Bakirtzis,
Brandon J. Simon,
Aidan G. Collins,
Cody H. Fleming,
Carl R. Elks
Abstract:
Applying security as a lifecycle practice is becoming increasingly important to combat targeted attacks in safety-critical systems. Among others, there are two significant challenges in this area: (1) the need for models that can characterize a realistic system in the absence of an implementation and (2) an automated way to associate attack vector information, that is, historical data, with such system models. We propose the cybersecurity body of knowledge (CYBOK), which takes in sufficiently characteristic models of systems and acts as a search engine for potential attack vectors. CYBOK is fundamentally an algorithmic approach to vulnerability exploration, which is a significant extension to the body of knowledge it builds upon. By using CYBOK, security analysts and system designers can work together to assess the overall security posture of systems early in their lifecycle, during major design decisions and before final product designs. Consequently, it assists in applying security earlier and throughout the system's lifecycle.
Submitted 6 September, 2019;
originally announced September 2019.
-
A Multilevel Cybersecurity and Safety Monitor for Embedded Cyber-Physical Systems
Authors:
Smitha Gautham,
Georgios Bakirtzis,
Matthew T. Leccadito,
Robert H. Klenke,
Carl R. Elks
Abstract:
Cyber-physical systems (CPS) are composed of various embedded subsystems and require specialized software, firmware, and hardware to coordinate with the rest of the system. These multiple levels of integration expose attack surfaces which can be susceptible to attack vectors that require novel architectural methods to effectively secure against. We present a multilevel hierarchical monitor architecture cybersecurity approach applied to a flight control system. However, the principles presented in this paper apply to any CPS. Additionally, the real-time nature of these monitors allows for adaptable security, meaning that they mitigate against possible classes of attacks online. This results in an appealing bolt-on solution that is independent of different system designs. Consequently, employing such monitors leads to strengthened system resiliency and dependability of safety-critical CPS.
Submitted 8 December, 2018;
originally announced December 2018.
-
Looking for a Black Cat in a Dark Room: Security Visualization for Cyber-Physical System Design and Analysis
Authors:
Georgios Bakirtzis,
Brandon J. Simon,
Cody H. Fleming,
Carl R. Elks
Abstract:
Today, there is a plethora of software security tools employing visualizations that enable the creation of useful and effective interactive security analyst dashboards. Such dashboards can assist the analyst to understand the data at hand and, consequently, to conceive more targeted preemption and mitigation security strategies. Despite the recent advances, model-based security analysis is lacking tools that employ effective dashboards---to manage potential attack vectors, system components, and requirements. This problem is further exacerbated because model-based security analysis produces significantly larger result spaces than security analysis applied to realized systems---where platform specific information, software versions, and system element dependencies are known. Therefore, there is a need to manage the analysis complexity in model-based security through better visualization techniques. Towards that goal, we propose an interactive security analysis dashboard that provides different views largely centered around the system, its requirements, and its associated attack vector space. This tool makes it possible to start analysis earlier in the system lifecycle. We apply this tool in a significant area of engineering design---the design of cyber-physical systems---where security violations can lead to safety hazards.
Submitted 23 October, 2018; v1 submitted 24 August, 2018;
originally announced August 2018.
-
MISSION AWARE: Evidence-Based, Mission-Centric Cybersecurity Analysis
Authors:
Georgios Bakirtzis,
Bryan T. Carter,
Cody H. Fleming,
Carl R. Elks
Abstract:
Currently, perimeter-based approaches are the mainstay of cybersecurity. While this paradigm is necessary, there is mounting evidence of its insufficiency with respect to sophisticated and coordinated attacks. In contrast to perimeter-based security, mission-centric cybersecurity provides awareness of how attacks can influence mission success and therefore focuses resources on mitigating vulnerabilities and protecting critical assets. This is strategic as opposed to tactical perimeter-based cybersecurity. We propose MISSION AWARE, which assists in the identification of parts of a system that destabilize the overall mission of the system if compromised. MISSION AWARE starts with a structured elicitation process that leads to hazard analysis. It employs hierarchical modeling methods to capture mission requirements, admissible functional behaviors, and system architectures. It then generates evidence---attacks applicable to elements that directly correlate with mission success. Finally, MISSION AWARE traces evidence back to mission requirements to determine the evidence with the highest impact relative to mission objectives.
Submitted 4 December, 2017;
originally announced December 2017.
-
A Model-Based Approach to Security Analysis for Cyber-Physical Systems
Authors:
Georgios Bakirtzis,
Bryan T. Carter,
Carl R. Elks,
Cody H. Fleming
Abstract:
Evaluating the security of cyber-physical systems throughout their life cycle is necessary to assure that they can be deployed and operated in safety-critical applications, such as infrastructure, military, and transportation. Most safety and security decisions that can have major effects on mitigation strategy options after deployment are made early in the system's life cycle. To allow for a vulnerability analysis before deployment, a sufficiently well-formed model has to be constructed. To construct such a model we produce a taxonomy of attributes; that is, a generalized schema for system attributes. This schema captures the necessary specificity that characterizes a possible real system and can also map to the attack vector space associated with the model's attributes. In this way, we can match possible attack vectors and provide architectural mitigation at the design phase. We present a model of a flight control system encoded in the Systems Modeling Language, commonly known as SysML, but also show agnosticism with respect to the modeling language or tool used.
Submitted 10 June, 2018; v1 submitted 31 October, 2017;
originally announced October 2017.