nach oben

Erschienen in:

2015 | OriginalPaper | Buchkapitel

Using Logical Error Detection in Software Controlling Remote-Terminal Units to Predict Critical Information Infrastructures Failures

verfasst von : George Stergiopoulos, Marianthi Theocharidou, Dimitris Gritzalis

Erschienen in: Human Aspects of Information Security, Privacy, and Trust

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

A method for predicting software failures to critical information infrastructures is presented in this paper. Software failures in critical infrastructures can stem from logical errors in the source code which manipulates controllers that handle machinery; i.e. Remote Terminal Units and Programmable Logic Controllers in SCADA systems. Since these controllers are often responsible for handling hardware in critical infrastructures, detecting such logical errors in the software controlling their functionality implies detecting possible failures in the machine itself and, consequently, predicting single or cascading infrastructure failures. Our method may also be tweaked to provide estimates of the impact and likelihood of each detected error. An existing source code analysis method is adjusted to analyze code able to send commands to SCADA systems. A practical implementation of the method is presented and discussed. Examples are given using open-source SCADA operating interfaces.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Framework for Cloud Usability

Nächstes Kapitel Applying the ACPO Guidelines to Building Automation Systems

Krutz, R.: Securing SCADA Systems. Wiley, Indianapolis (2005)

Alcaraz, C., Lopez, J., Zhou, J., Roman, R.: Secure SCADA framework for the protection of energy control systems. Concurrency Comput. Pract. Experience 23(12), 1414–1430 (2011)CrossRef

Theoharidou, M., Kotzanikolaou, P., Gritzalis, D.: Risk assessment methodology for interdependent critical infrastructures. Int. J. Risk Assess. Manag. Special Issue on Risk Analysis of Critical Infrastructures 15(2/3), 128–148 (2011)CrossRef

OpenSCADA: Open-source supervisory control and data acquisition system. http://openscada.org/. Accessed 2014

Wimberger, D.: Jamod - Java modbus implementation (jamod.sourceforge .net). http://jamod.sourceforge.net/ (2004). Accessed 2014

Cardenas, A., Amin, S., Sastry, S.: Research challenges for the security of control systems. In: 3rd USENIX Workshop on Hot Topics in Security (HotSec 2008), USA (2008)

Chikuni, E., Dondo, M.: Investigating the security of electrical power systems SCADA. In: AFRICON (2007)

Felmetsger, V., Cavedon, L., Kruegel, C., Vigna, J.: Toward automated detection of logic vulnerabilities in web applications. In: Proceedings of the 19th USENIX Symposium, USA (2010)

Stergiopoulos, G., Tsoumas, B., Gritzalis, D.: Hunting application-level logical errors. In: Barthe, G., Livshits, B., Scandariato, R. (eds.) ESSoS 2012. LNCS, vol. 7159, pp. 135–142. Springer, Heidelberg (2012)CrossRef

10.

Stergiopoulos, G., Tsoumas, B., Gritzalis, D.: On business logic vulnerabilities hunting: the APP_LogGIC framework. In: Lopez, J., Huang, X., Sandhu, R. (eds.) NSS 2013. LNCS, vol. 7873, pp. 236–249. Springer, Heidelberg (2013)CrossRef

11.

Stergiopoulos, G., Katsaros, P., Gritzalis, D.: Automated detection of logical errors in programs. In: Lopez, J., Ray, I., Crispo, B. (eds.) CRiSIS 2014. LNCS, vol. 8924, pp. 35–51. Springer, Heidelberg (2015)

12.

The Java PathFinder tool. NASA Ames Research Center. babelfish.arc.nasa.gov/trac/jpf/

13.

Doupe, A., Boe, B., Vigna, G.: Fear the EAR: discovering and mitigating execution after redirect vulnerabilities. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 251–262, ACM (2011)

14.

Kuan-Yu, T., Chen, D., Kalbarczyk, Z., Iyer, R.: Characterization of the error resiliency of power grid substation devices. In: 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks, pp. 1–8, 25–28 June 2012

15.

Ernst, M., Perkins, J., Guo, P., McCamant, S., Pacheco, C., Tschantz, M., Xiao, C.: The Daikon system for dynamic detection of likely invariants. Sci. Comput. Program. 69, 35–45 (2007)MathSciNetCrossRef

16.

The Daikon invariant detector manual. http://groups.csail.mit.edu/pag/daikon/

17.

MODBUS4J. http://sourceforge.net/projects/modbus4j/. Accessed January 2014

18.

Bolton, W.: Programmable Logic Controllers. Elsevier, Amsterdam (2009)CrossRef

19.

IEEE Standard C37 1994. Definition, Specification and analysis of systems used for supervisory control, data acquisition and automatic control

20.

Stouffer, K., Falco, J., Kent, K.: Guide to supervisory control and data acquisition and industrial control systems security. NIST (2008)

21.

EAR/Pilar-risk analysis environment. http://www.ar-tools.com/en/index.html

22.

Kotzanikolaou, P., Theoharidou, M., Gritzalis, D.: Interdependencies between critical infrastructures: analyzing the risk of cascading effects. In: Bologna, S., Hämmerli, B., Gritzalis, D., Wolthusen, S. (eds.) CRITIS 2011. LNCS, vol. 6983, pp. 104–115. Springer, Heidelberg (2013)CrossRef

23.

Kotzanikolaou, P., Theoharidou, M., Gritzalis, D.: Assessing n-order dependencies between critical infrastructures. Int. J. Crit. Infrastruct. 9(1/2), 93–110 (2013)CrossRef

24.

Kjølle, G., Utne, I., Gjerde, O.: Risk analysis of critical infrastructures emphasizing electricity supply and interdependencies. Reliab. Eng. Syst. Saf. 105, 80–89 (2012)CrossRef

25.

Oracle Java SE documentation. http://docs.oracle.com/. Accessed 2014

26.

FlowServe L75 series electric actuator. FCD LMAIM7502-00 – 07/05

27.

PLCSimulator. http://www.plcsimulator.org/. Accessed 2014

28.

Kotzanikolaou, P., Theoharidou, M., Gritzalis, D.: Cascading effects of common-cause failures on critical infrastructures. In: Butts, J., Shenoi, S. (eds.) Critical Infrastructure Protection VII. IFIP AICT, vol. 417, pp. 171–182. Springer, New York (2013)CrossRef

29.

Boland, T., Black, P.: Juliet 1.1 C/C++ and JAVA test suite. Computer 45(10), 88–90 (2012)CrossRef

30.

The common weakness enumeration initiative. MITRE Corporation. cwe.mitre.org/

31.

Fan, C., Yih, S., Tseng, W., Chen, W.: Empirical analysis of software-induced failure events in the nuclear industry. Saf. Sci. 57, 118–128 (2013)CrossRef

32.

Soupionis, Y., Benoist, T.: Demo abstract: demonstrating cyber-attacks impact on cyber-physical simulated environment. In: ACM/IEEE International Conference on Cyber-Physical Systems, p. 222, 14–17 April 2014

33.

Stergiopoulos, G., Katsaros, P., Gritzalis, D.: Source code profiling and classification for automated detection of logical errors. In: Proceedings of the 3rd International Seminar on Program Verification, Automated Debugging and Symbolic Computation, Germany (2014)

Titel: Using Logical Error Detection in Software Controlling Remote-Terminal Units to Predict Critical Information Infrastructures Failures
verfasst von: George Stergiopoulos
Marianthi Theocharidou
Dimitris Gritzalis
Verlag: Springer International Publishing
Buch: Human Aspects of Information Security, Privacy, and Trust
Print ISBN: 978-3-319-20375-1

Electronic ISBN: 978-3-319-20376-8

Copyright-Jahr: 2015
DOI: https://doi.org/10.1007/978-3-319-20376-8_60

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"