【 摘 要 】

Critical infrastructure systems are vital to all nations, and incapacitating such systems can result in devastating impact on the general public. Therefore, it is essential to protect such systems from malicious threats. Today, the increasing interconnectedness of critical infrastructure systems has greatly improved system efficiency at the cost of a larger attack surface. In recent years, we have seen cyber-attack campaigns in addition to physical attacks on various critical infrastructure systems around the world. Thus it is important to protect such systems from adversarial physical and cyber threats.In this dissertation, we propose to protect critical infrastructure systems by (1) assessing the safety of the system and (2) detecting malicious physical threats on the system by using models that integrate the cyber, physical, and human domains. We support our dissertation statement by applying our contributions to a railway system case study.First, we perform a security analysis to identify malicious threats and suggest potential detection mechanisms to strengthen the system defense. We define a general ontology thatrepresents cyber-physical system components and relationships among them, and cyber and physical actions by a human actor. We model a railway station using concepts from that ontology, and feed the model into the ADVISE tool to automatically generate an attack execution graph. We analyze that attack execution graph and show that the addition of a potential defense system for physical movement is an effective mechanism for improving system security.We then conduct a safety analysis to identify potential cyber attacks on the railway signaling system thatwould violate system safety. To do so, we use networks of timed automata to model the cyber-physical control feedback loop that drives system service. We develop a set of transformations on state automata that represent combinations of cyber actions of a human actor. Then, we perform model checking to identify the cyber attack scenarios that would compromise system safety. We demonstrate that while certain safety countermeasures can mitigate attacks by outsider adversaries, attacks by insider adversaries would still succeed. Reapplication of our security analysis with the addition of the cyber-attack vectors that we discovered shows that adversaries prefer to use physical and social means to gain access to the railway station and attack the system.Thus, to strengthen the physical security of the system, we develop defense systems that detect suspicious physical movement by human actors in a railway station. We identify abnormal movement behavior by comparing sequences of movement to historic normal movement models. In doing so, we first build models of normal movement behavior by using historic building access control logs. Then, in real-time, we screen physical accesses and check for deviations in users' behavior from the normal movement behavior model. If we find any, we flag those physical accesses as suspicious. We show that our detection approach is able to flag suspicious behavior with increasing likelihood as the malicious movement sequence increases.We then develop approaches to identify tailgating in building access control logs by using physical constraints about human movement and space occupancy. This work was motivated by the observation that adversaries may thwart building access control systems by physical and social means, e.g., by ``tailgating," or following closely behind, an authorized person. We use cyber and physical data sources to build models of the physical locations of people. Then, we flag tailgating instances when the physical constraints on human movement and space occupancy are violated. We show that our detection approach is able to identify certain tailgating scenarios and that the addition of other data sources, such as physical data sources, allows us to build a more complete model of physical location.Finally, we reapply our security analysis with the addition of defense systems. The results of our analysis show that the inclusion of the defense systems incentivizes adversaries to expend more effort and time to launch a cyber-attack campaign instead of attempting to gain access to the railway station. Therefore, our defense systems help to strengthen the overall security posture of the system.In conclusion, we identify several cyber and physical attack scenarios that would affect system safety, and we develop physical defense systems that demonstrably increase the system's security posture. Thus, in this dissertation, we present an integration of security analysis, safety analysis, and system defense that uses cyber, physical, and socio-technical models to protect critical infrastructure systems.

【 预 览 】

附件列表

Files	Size	Format	View
Protecting critical infrastructure systems using cyber, physical, and socio-technical models	3353KB	PDF	download