Top

Published in:

2023 | OriginalPaper | Chapter

Challenges in OT Security and Their Impacts on Safety-Related Cyber-Physical Production Systems

Authors : Siegfried Hollerer, Bernhard Brenner, Pushparaj Rajaram Bhosale, Clara Fischer, Ali Mohammad Hosseini, Sofia Maragkou, Maximilian Papa, Sebastian Schlund, Thilo Sauter, Wolfgang Kastner

Published in: Digital Transformation

Publisher: Springer Berlin Heidelberg

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

In Cyber-Physical Production Systems (CPPS), integrity and availability of hardware and software components are necessary to ensure product quality and the safety of employees and customers, while the confidentiality of engineering artifacts and product details must be kept to hide company secrets. At the same time, an increasing number of Internet connected control systems causes the presence of new attack vectors. As a result, unauthorized hardware/software modifications of CPPS components through cyber attacks become more prevalent. This development raises the demand for proper protection measures significantly, not only to ensure product quality and security but also the safety of people working with the machinery. In this chapter, we describe vulnerable assets of Operational Technology (OT) and identify information security requirements for these assets. Based on this assessment, possible attack vectors and threat models are discussed. Furthermore, measures against the mentioned threats and security relevant differences between OT and Information Technology (IT) systems are outlined. To manage a CPPS and its related threats, risk management will be addressed in more detail. Although safety and security should no longer be viewed as isolated, there are several challenges of integrating safety and security, which can lead to struggles and trade-offs. For this reason, the “Safety and Security Lab in Industry” currently investigates different aspects of future integrated solutions covering both safety and security. Challenges of such integrated solutions are outlined at the end of the chapter.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Dynamic Access Control in Industry 4.0 Systems

next chapter Runtime Monitoring for Systems of System

https://www.enisa.europa.eu/topics/nis-directive

https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20010536

S. Vitturi, C. Zunino, and T. Sauter, “Industrial communication systems and their future challenges: Next-generation Ethernet, IIoT, and 5G,” Proceedings of the IEEE, vol. 107, no. 6, pp. 944–961, 2019.CrossRef

I. Reithner, M. Papa, B. Lueger, M. Cato, S. Hollerer, and R. Seemann, “Development and Implementation of a Secure Production Network,” Proceedings of the 31st DAAAM International Symposium, pp. 736–745, 2020.

J. Jasperneite, T. Sauter, and M. Wollschlaeger, “Why we need automation models: Handling complexity in Industry 4.0 and the Internet of Things,” IEEE Industrial Electronics Magazine, vol. 14, no. 1, pp. 29–40, 2020.CrossRef

E. J. Colbert and A. Kott, Cyber-security of SCADA and other industrial control systems. Springer, 2016, vol. 66.

M. Bajer, “Control systems integration using OPC standard,” AGH Master Thesis, W. Grega-Supervisor, Krakow & Antwerp, 2008.

E. Geisberger and M. Broy, Integrierte Forschungsagenda Cyber-Physical Systems: acatech STUDIE. Deutschland: acatech, 2012.

G. Martins, S. Bhatia, X. Koutsoukos, K. Stouffer, C. Tang, and R. Candell, “Towards a systematic threat modeling approach for cyber-physical systems,” in 2015 Resilience Week (RWS). IEEE, 2015, pp. 1–6.

R. E. Petruse, I. Bondrea, and I. C. Nicolae, “Main requirements of a cyber physical production system demonstrator,” Acta Universitatis Cibiniensis. Technical Series, vol. 71, no. 1, pp. 76–80, 2019.CrossRef

International Organization for Standardization (ISO), “Robots and robotic devices - Collaborative robots,” Geneva, CH, Feb. 2016.

10.

R. Siegwart, I. R. Nourbakhsh, and D. Scaramuzza, Introduction to Autonomous Mobile Robots, 2nd ed. Cambridge, Massachusetts: The MIT Press, 2004.

11.

O. Khatib, “Mobile manipulators: Expanding the frontiers of robot applications,” in Field and Service Robotics, A. Zelinsky, Ed. Springer, 1998, pp. 6–11.

12.

B. Vogel-Heuser, T. Bauernhansl, and M. ten Hompel, Eds., Handbuch Industrie 4.0 Bd. 2: Automatisierung, 2nd ed., ser. Springer Reference Technik. Berlin: Springer, 2017.

13.

Y. Ro, A. Brem, and P. Rauschnabel, Augmented Reality Smart Glasses: Definition, Concepts and Impact on Firm Value Creation. Gewerbestrasse 11, 6330 Cham, Switzerland: Springer International Publishing AG, 2017, ch. 12, pp. 169–181.

14.

A. Grau, M. Indri, L. L. Bello, and T. Sauter, “Industrial robotics in factory automation: From the early stage to the Internet of Things,” in IECON 2017 - 43rd Annual Conference of the IEEE Industrial Electronics Society, 2017, pp. 6159–6164.

15.

Statista, “Wie hoch schätzen Sie das Risiko für Ihr Unternehmen ein, Opfer von Cyberangriffen/Datenklau zu werden?,” 2019, accessed: 2020-10-16. [Online]. Available: https://de.statista.com/statistik/daten/studie/760006/umfrage/wahrgenommenes-risiko-von-cyberangriffen-unter-unternehmen-in-deutschland/.

16.

C. Fife, “What’s Required To Secure The IoT?” 2015, accessed: 2020-10-23. [Online]. Available: https://www.citrix.com/blogs/2015/04/09/whats-required-to-secure-the-iot/.

17.

Barrgroup-Dictionary, “Embedded System,” 2020, accessed: 2020-10-14. [Online]. Available: https://barrgroup.com/embedded-systems/glossary-embedded_system.

18.

TÜV Austria, Fraunhofer Austria Research GmbH, “Safety & security in der Mensch-Roboter-Kollaboration,” 2016. [Online]. Available: https://www.tuv.at/fileadmin/user_upload/docs/group/innovation/tuv-austria-white-paper-deutsch/003_tuv_austria_white_paper_III_einfluss_it_security_sicherheit_in_der_mensch_roboter_kollaboration_fraunhofer_DE_WEB.pdf.

19.

M. Kumar, J. Meena, R. Singh, and M. Vardhan, “Data outsourcing: A threat to confidentiality, integrity, and availability,” in 2015 International Conference on Green Computing and Internet of Things (ICGCIoT). IEEE, 2015, pp. 1496–1501.

20.

F. Accerboni and M. Sartor, “ISO/IEC 27001’,” Quality Management: Tools, Methods, and Standards. Emerald Publishing Limited, pp. 245–264, 2019.

21.

Y. Lu and M. Zhu, “A control-theoretic perspective on cyber-physical privacy: Where data privacy meets dynamic systems,” Annual Reviews in Control, vol. 47, pp. 423–440, 2019.CrossRef

22.

P. Van Aubel, E. Poll, and J. Rijneveld, “Non-repudiation and end-to-end security for electric-vehicle charging,” in 2019 IEEE PES Innovative Smart Grid Technologies Europe (ISGT-Europe). IEEE, 2019, pp. 1–5.

23.

A. Shostack, Threat modeling: Designing for security. John Wiley & Sons, 2014.

24.

R. Vigo, “The cyber-physical attacker,” in International Conference on Computer Safety, Reliability, and Security. Springer, 2012, pp. 347–356.

25.

M. T. Swarup Bhunia, Hardware Security: A Hands-on Learning Approach. Morgan Kaufmann, 2019.

26.

D. Dolev and A. Yao, “On the security of public key protocols,” IEEE Transactions on information theory, vol. 29, no. 2, pp. 198–208, 1983.CrossRefMATH

27.

M. Rocchetto and N. O. Tippenhauer, “On attacker models and profiles for cyber-physical systems,” in European Symposium on Research in Computer Security. Springer, 2016, pp. 427–449.

28.

N. Hoque, M. H. Bhuyan, R. C. Baishya, D. K. Bhattacharyya, and J. K. Kalita, “Network attacks: Taxonomy, tools and systems,” Journal of Network and Computer Applications, vol. 40, pp. 307–324, 2014.CrossRef

29.

A. Humayed, J. Lin, F. Li, and B. Luo, “Cyber-physical systems security-a survey,” IEEE Internet of Things Journal, vol. 4, no. 6, pp. 1802–1831, 2017.CrossRef

30.

C. Bodungen, B. Singer, A. Shbeeb, K. Wilhoit, and S. Hilt, Hacking Exposed Industrial Control Systems: ICS and SCADA Security Secrets & Solutions, 1st ed. New York: McGraw-Hill Education, 2016. [Online]. Available: https://mhebooklibrary.com/doi/book/10.1036/9781259589720.

31.

S. J. Templeton, “Security aspects of cyber-physical device safety in assistive environments,” in Proceedings of the 4th International Conference on PErvasive Technologies Related to Assistive Environments, ser. PETRA ’11. New York, NY, USA: Association for Computing Machinery, 2011. [Online]. Available: https://doi.org/10.1145/2141622.2141685.

32.

A. Treytl, T. Sauter, and C. Schwaiger, “Security measures in automation systems-a practice-oriented approach,” in 2005 IEEE Conference on Emerging Technologies and Factory Automation, vol. 2, 2005, pp. 847–855.

33.

A. Valenzano, “Industrial cybersecurity: Improving security through access control policy models,” IEEE Industrial Electronics Magazine, vol. 8, no. 2, pp. 6–17, 2014.CrossRef

34.

K. A. Stouffer, V. Pilitteri, M. Abrams, and A. Hahn, “NIST Special Publication 800-82 Revision 2. Guide to Industrial Control Systems (ICS) Security: Supervisory Control and Data Acquisition (SCADA) Systems, Distributed Control Systems (DCS), and Other Control System Configurations Such as Programmable Logic Controllers (PLC),” Gaithersburg, MD, USA, 2015.

35.

“IEC 62443-3-3:2013 Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels,” 2013.

36.

D. R. Preiss, Risk analysis techniques in engineering. TÜV Austria Akademie GmbH, 2020.

37.

International Organization for Standardization (ISO), “ISO/IEC guide 73:2009 - risk management - vocabulary,” 2009.

38.

D. W. Hubbard, The Failure of Risk Management: Why It’s Broken and How to Fix It. Wiley, 2009.

39.

P. Gregory, CISA Certified Information Systems Auditor All-in-One Exam Guide, Fourth Edition. McGraw-Hill, 2019.

40.

S.-H. Y. Xiaorong Lyu, Yulong Ding, “Safety and security risk assessment in cyber-physical system,” IET Cyber-Physical Systems: Theory & Applications, vol. 4–3, pp. 221–232, 2019.

41.

E. Ruijters and M. Stoelinga, “Fault tree analysis: A survey of the state-of-the-art in modeling, analysis and tools,” Computer Science Review, vol. 15–16, pp. 29–62, 2015. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S1574013715000027.

42.

L. Grunske, R. Colvin, and K. Winter, “Probabilistic model-checking support for FMEA,” pp. 119–128, 10 2007.

43.

M. Rausand and S. Haugen, Hazard Identification. John Wiley & Sons, Ltd, 2020, ch. 10, pp. 259–337. [Online]. Available: https://onlinelibrary.wiley.com/doi/abs/10.1002/9781119377351.ch10.

44.

M. Modarres and S. W. Cheon, “Function-centered modeling of engineering systems using the goal tree-success tree technique and functional primitives,” Reliability Engineering & System Safety, vol. 64, no. 2, pp. 181–200, 1999. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S0951832098000623.

45.

D. Lee, J. Lee, S.-W. Cheon, and J. Yoo, “Application of System-Theoretic Process Analysis to Engineered Safety Features-Component Control System,” 2013.

46.

I. Friedberg, K. McLaughlin, P. Smith, D. Laverty, and S. Sezer, “STPA-safesec: Safety and security analysis for cyber-physical systems,” Journal of Information Security and Applications, vol. 34, pp. 183–196, 2017. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S2214212616300850.

47.

S. Kriaa, M. Bouissou, L. Piètre-Cambacedes, and Y. Halgand, “A Survey of Approaches Combining Safety and Security for Industrial Control Systems,” Reliability Engineering and System Safety, vol. 139, pp. 156–178, 02 2015.

48.

L. Chung and J. C. S. do Prado Leite, On Non-Functional Requirements in Software Engineering. Berlin, Heidelberg: Springer Berlin Heidelberg, 2009, pp. 63–379.

49.

A. Kornecki, N. Subramanian, and J. Zalewski, “Studying interrelationships of safety and security for software assurance in cyber-physical systems: Approach based on Bayesian belief networks,” pp. 1393–1399, 01 2013.

50.

International Organization for Standardization (ISO), “ISO 12100:2010-general principle for design-risk assessment and risk reduction.” 2010.

51.

Federal Ministry for Climate Action, Environment, Energy, Mobility, Innovation and Technology (BMK) Austria, “Sicherheit für die digitale Transformation der Produktion,” 2020, accessed: 2020-10-22. [Online]. Available: https://www.bmk.gv.at/themen/innovation/publikationen/produktion/sigi.html.

52.

J.-P. A. Yaacoub, O. Salman, H. N. Noura, N. Kaaniche, A. Chehab, and M. Malli, “Cyber-physical systems security: Limitations, issues and future trends,” Microprocessors and Microsystems, vol. 77, p. 103201, 2020. [Online]. Available: http://www.sciencedirect.com/science/article/pii/S0141933120303689.

53.

S. F. D’amato and D. W. Mallik, “Plastic molding of articles including a hologram or other microstructure,” Dec. 10 1991, US Patent 5,071,597.

54.

C. A. Cole and J. T. Weber, “Package integrity indicating closure,” Apr. 2 2013, US Patent 8,408,792.

55.

V. Immler, J. Obermaier, K. K. Ng, F. X. Ke, J. Lee, Y. P. Lim, W. K. Oh, K. H. Wee, and G. Sigl, “Secure physical enclosures from covers with tamper-resistance,” IACR Transactions on Cryptographic Hardware and Embedded Systems, vol. 2019, no. 1, p. 51-96, Nov. 2018. [Online]. Available: https://tches.iacr.org/index.php/TCHES/article/view/7334.

56.

Y. Liu, K. Huang, and Y. Makris, “Hardware trojan detection through golden chip-free statistical side-channel fingerprinting,” in Proceedings of the 51st Annual Design Automation Conference, 2014, pp. 1–6.

57.

M. M. T. Bhunia Swarup, The Hardware Trojan War. Springer-Verlag GmbH, 2017. [Online]. Available: https://www.springer.com/de/book/9783319685106.

58.

B. Bailey, “Optimization challenges for safety and security,” 2019, accessed: 2020-09-25. [Online]. Available: https://semiengineering.com/optimization-challenges-for-safety-and-security/.

59.

W. A. Arbaugh, W. L. Fithen, and J. McHugh, “Windows of vulnerability: A case study analysis,” Computer, vol. 33, no. 12, pp. 52–59, 2000.CrossRef

60.

A. A. Cárdenas, S. Amin, and S. Sastry, “Research challenges for the security of control systems.” in HotSec, 2008.

61.

B. Brenner, E. Weippl, and A. Ekelhart, “Security related technical debt in the cyber-physical production systems engineering process,” in IECON 2019-45th Annual Conference of the IEEE Industrial Electronics Society, vol. 1. IEEE, 2019, pp. 3012–3017.

62.

G. Sabaliauskaite and A. P. Mathur, “Aligning cyber-physical system safety and security,” in Complex Systems Design & Management Asia. Springer, 2015, pp. 41–53.

Title: Challenges in OT Security and Their Impacts on Safety-Related Cyber-Physical Production Systems
Authors: Siegfried Hollerer
Bernhard Brenner
Pushparaj Rajaram Bhosale
Clara Fischer
Ali Mohammad Hosseini
Sofia Maragkou
Maximilian Papa
Sebastian Schlund
Thilo Sauter
Wolfgang Kastner
Publisher: Springer Berlin Heidelberg
Book: Digital Transformation
Print ISBN: 978-3-662-65003-5

Electronic ISBN: 978-3-662-65004-2

Copyright Year: 2023
DOI: https://doi.org/10.1007/978-3-662-65004-2_7

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner