
    Review of Security Issues in Industrial Networks

    Although awareness is constantly rising, that industrial computer networks (in a very broad sense) can be exposed to serious cyber-threats, many people still think that the same countermeasures, developed to protect general-purpose computer networks, can be effectively adopted also in those situations where a physical system is managed/controlled through some distributed Information and Communication Technology (ICT) infrastructure. Unfortunately, this is not the case as several examples of successful attacks carried out in the last decade, and more frequently in the very recent past, have dramatically shown. Experts in this area know very well that often the peculiarities of industrial networks prevent the adoption of classical approaches to their security, and in particular of those popular solutions that are mainly based on a detect and patch philosophy. This paper is a contribution, from the security point of view, to the assessment of the current situation of a wide class of industrial distributed computing systems. In particular, the analysis presented in this paper takes into account the process of ensuring a satisfactory degree of security for a distributed industrial system, with respect to some key elements such as the system characteristics, the current state of the art of standardization and the adoption of suitable controls (countermeasures) that can help in lowering the security risks below a pre-defined, acceptable threshold

    A comprehensive approach to the automatic refinement and verification of access control policies

    Abstract: Access control is one of the building blocks of network security and is often managed by network administrators through the definition of sets of high-level policies meant to regulate network behavior (policy-based management). In this scenario, policy refinement and verification are important processes that have to be dealt with carefully, possibly relying on computer-aided automated software tools. This paper presents a comprehensive approach for access control policy refinement, verification and, in case errors are detected in the policy implementation, their fixing. The proposed methodology is based on a twofold model able to describe both policies and system configurations and allows, by suitably processing the model, to either propose a system configuration that correctly enforces the policies, or determine whether a specific implementation matches the policy specification also providing hints on how possible anomalies can be fixed. Results on the average complexity of the solution confirm its feasibility in terms of computation time, even for complex networked systems consisting of several hundred nodes

    Toward attribute-based access control policy in industrial networked systems

    The definition of a correct Access Control Policy is a fundamental step in the design of a secure information system. However, the complexity of modern systems makes critical the choice upon which model to use for such definition. This is becoming particularly true for Industrial Networked Systems, where a correct access control policy must cover all the different and ever evolving interactions between all of its heterogeneous sub-systems at different levels of the production process. In this paper, with the support of an example of a typical industrial system, we highlight the limitations of the well known and widely used Role Based Access Control policy model and we propose an alternative model, built on the ideas of the Attribute Based Access Control model, showing how it can be leveraged to easily define complex access control policies in Industrial Networked Systems. We provide also a preliminary analysis on the kind of conflicts or anomalies that such expressive model can introduce

    Automated Fixing of Access Policy Implementation in Industrial Networked Systems

    Access control (AC) is the core of every architectural solution for information security. Indeed, no effective protection scheme can abstract from the careful design of access control policies, and infrastructures underlying modern Industrial Networked Systems (INSs) are not exceptions from this point of view. This paper presents a comprehensive framework for INS access control. The proposed approach enables the description of both positive and negative AC policies, by applying the Role Based Access Control (RBAC) paradigm to typical INS implementations, while taking into account different levels of abstraction. Suitable techniques are adopted to check whether or not policies are correctly implemented in the system (verification). When conflicts are detected, possible (re)assignments of credentials to the system users are automatically computed, that can be adopted to correct anomalies (conflict resolution)

    Detecting Chains of Vulnerabilities in Industrial Networks

    In modern factories, personal computers are starting to replace traditional programmable logic controllers, due to cost and flexibility reasons, and also because their operating systems now support programming environments even suitable for demanding real-time applications. These characteristics, as well as the ready availability of many software packages covering any kind of needs, have made the introduction of PC-based devices at the factory field level especially attractive. However, this approach has a profound influence on the extent of threats that a factory computing infrastructure shall be prepared to deal with. In fact, industrial personal computers share the same kinds of vulnerabilities with their office automation counterparts. Then, their introduction increases the risk of cyber-attacks. As the complexity of the network grows, the problem rapidly becomes hard to tackle by hand, due to the subtle and unforeseen interactions that may occur among apparently unrelated vulnerabilities, thus bearing the focus on the full automation of the analysis. Going into this direction, this paper presents a software tool that, given an accurate and machine-readable description of vulnerabilities, detects whether or not they are of concern and evaluates consequences in the context of a factory networ

    Experimental Comparison of Automatic Tools for the Formal Analysis of Cryptographic Protocols

    The tools for cryptographic protocols analysis based on state exploration are designed to be completely automatic and should carry out their job with a limited amount of computing and storage resources, even when run by users having a limited amount of expertise in the field. This paper compares four tools of this kind to highlight their features and ability to detect bugs under the same experimental conditions. To this purpose, the ability of each tool to detect known flaws in a uniform set of well-known cryptographic protocols has been checked

    On the use of automatic tools for the formal analysis of IEEE 802.11 key-exchange protocols

    It is well known that the design and development of complex distributed systems, such as those used in modern factory automation and process control environments, can obtain significant benefits from the adoption of formal methods during the specification and verification phases. The importance of using formal techniques for verifying the design correctness is even more evident when aspects such as security and safety are considered and a class of protocols, known as “cryptographic” protocols, is taken into account. Cryptographic protocols, in fact, are becoming more and more used in industrial networks to support security-related services such as cryptographic keys exchange/distribution and authentication, due to the ever-increasing use of internet/intranet-based connections and the introduction of wireless communications. This paper reports on some experimental investigations on the formal verification of two cryptographic protocols, that are commonly used in industrial wireless 802.11 networks. Investigations are carried out by means of fully automatic and publicly available tools that are based on state-exploration techniques. The aim of our work is twofold: first we intend to offer a contribution in understanding whether or not the current prototype tools can be considered mature enough for helping the designer with the analysis of real protocols, and second we wish to develop some (preliminary) considerations on their characteristics and performanc

    Evaluating the Combined Effect of Vulnerabilities and Faults on Large Distributed Systems

    On large and complex distributed systems hardware and software faults, as well as vulnerabilities, exhibit significant dependencies and interrelationships. Being able to assess their actual impact on the overall system dependability is especially important. The goal of this paper is to propose a unifying way of describing a complex hardware and software system, in order to assess the impact of both vulnerabilities and faults by means of the same underlying reasoning mechanism, built on a standard Prolog inference engine. Some preliminary experimental results show that a prototype tool based on these techniques is both feasible and able to achieve encouraging performance levels on several synthetic test cases

    Leveraging SDN To Improve Security in Industrial Networks

    In recent years, several important initiatives have appeared worldwide, aimed at bringing significant innovation in next generations of industrial networked systems (INSs). For example, the Industry 4.0 and Factory of the Future frameworks are paving the way to modern intelligent factories, where issues such as the communication complexity between smart devices or the system on-the-fly reconfiguration are dealt with in efficient and cost-effective ways. However, global connectivity also implies constant increase of cyber menaces targeting industrial systems, so that security must be considered since the very beginning when new appealing solutions are conceived. In this paper, we exploit the innovative Software Defined Networking (SDN) paradigm to introduce improvements in managing the network infrastructure of INSs, as this can help in reducing the management costs and complexity. In particular, enhanced SDN functionalities are adopted, which are able to provide security support in addition to their native switching/routing functionalities. The paper also shows how this approach can overcome some limitations of many current INS security architectures. The feasibility of the proposed solution is confirmed by the development of a simple laboratory prototype based on commodity hardware, and used to obtain some preliminary evaluation of the achievable functionality and performance benefits