Final Report Summary - MODESEC (Model-based Design of Secure Cyber-Physical Systems)
The objective of the MODESEC project (http://modesec-project.eu) is to research the interaction between modelling and security. The basic hypothesis is that models are capable to increase the security of a computer system. The work performed in the MODESEC project is dedicated to find exemplary applications of models in the context of Cyber-Physical Systems (CPS), an area of computer science that traditionally makes heavy use of models throughout a CPS’ life cycle. The project gained some interesting new insights with respect to the emerging area of automotive security. Particularly, after the DieselGate event occurred in fall 2015, the validity of this research has been widely acknowledged.
The research looked at systems and models for two particular stages in a system are the life cycle: design and operation. When designing a system, the engineer should – in the best case – design for security right from the start. Therefore, it is necessary for the engineer to make assumptions about the threat model and potential countermeasures and trade-off these against other system requirements like performance, usability, and cost. Security concerns do not stop, after a system is deployed. Runtime monitoring techniques are geared towards observing the security of system states. Deviations of the system states from the nominal behaviour might indicate activating threats and intrusions.
In the first stage, the project produced a Secure Development Method (SDM) for secure CPS. Following steps were taken to implement the method in the current model-based design flow to design CPS:
1. Develop a model-based method to specify threats to the security of a CPS
2. Integrate the method in a model-based design tool for CPS
3. Evaluate the Secure Design Methodology in a case study
Designing and implementing appropriate control laws is one of the major tasks when building a CPS. A CPS encompasses sensors and actuators that interface with the physical environment. The control law formulates the way inputs from the sensors are transformed to outputs for the actuators. Securing a CPS ultimately has to deal with protecting the interaction of the computer system with the physical environment on its sensor and actuator interfaces. Inputs and outputs have to be reliable, correct, timely, and trustworthy.
Simulation is a common tool for CPS engineers to anticipate current future behaviour of a CPS, given a set of inputs and initial system state. In simulation, a model of a system is stimulated with different inputs and the model’s output as well is its internal state can is observable. Simulation has a dual role: first to enable learning about a system, thus, facilitating an understanding of how the components of the system work together. Second, to derive parameters values that can be exhaustively tested in the simulation and then transferred to the real system, where similar tests would be prohibitive for cost reasons. Regarding security, an approach that includes security properties of the simulation’s system states would be desirable. MODESEC proposes to co-simulate a system model and an attack model, effectively enabling a proactive security analysis during system design.
The second stage employs models to check the plausibility of the operation of a system. A reference model of a system covering a worthwhile aspect of the system is executed in parallel to the system.
Both, the reference model and the real system receive same inputs, thus, their outputs should match with respect to the targeted aspect. This, of course, assumes a certain degree of determinacy between model and system. Deviations between both indicate that reality and how it should be are in disagreement. The innovation is that the reference model describes a part of physical reality. That way, a CPS gets capabilities to reflect about intrusions in the physical domain. This novel intrusion detection technique has been implemented as an automotive security mechanism that detects chip-tuning attacks. An important question is how the reference model is generated. Machine learning is particular interesting approach that automates model creation and adaption.
Both methods have been implemented in prototypes. The SDM has been integrated in Ptolemy II, a software package for model-based design of CPS. The Automotive Intrusion Detection System (AIDS) has been implemented on a microcontroller and connected to a real car, mimicking a system deployment as an Electronic Control Unit (ECU). Both methods have also been extensively described in publications and were presented to academic and industrial audiences.
The MODESEC project strives to support CPS engineers that were not trained in cyber security to reason about the security of a system under consideration. This objective has been achieved by integrating the secure design of a CPS in the model-based design approach to design a CPS. Model-based design tools are familiar to engineers working in many different domains. Attack models could be developed by them or provides in form of a model library. Enabling engineers to explore the security of a system helps them to understand the implication of certain design choices they are making. Thus, our approach enables these engineers to build more secure products by lowering the entry barriers to implement cyber security mechanisms. Additionally, deploying a self-learning reference model that constantly checking the plausibility of a system is a security mechanisms that has a low maintenance, but big impact.
Cyber security of CPS is of utmost importance to society. CPS are often part of critical infrastructures such as public and private transportation, energy distribution systems, medical devices, water and sewage systems, etc. Preventing attackers from manipulating these systems is of utmost importance to guarantee a reliable and secure service to individuals and society at large. Future products embodying CPS (e.g. cars) will need to implement security to be economically feasible. Consumers might just not buy products lacking appropriate security mechanisms. The MODESEC project addresses these requirements in an innovative way. Models are a powerful ally to parry threats to CPS security.
The research looked at systems and models for two particular stages in a system are the life cycle: design and operation. When designing a system, the engineer should – in the best case – design for security right from the start. Therefore, it is necessary for the engineer to make assumptions about the threat model and potential countermeasures and trade-off these against other system requirements like performance, usability, and cost. Security concerns do not stop, after a system is deployed. Runtime monitoring techniques are geared towards observing the security of system states. Deviations of the system states from the nominal behaviour might indicate activating threats and intrusions.
In the first stage, the project produced a Secure Development Method (SDM) for secure CPS. Following steps were taken to implement the method in the current model-based design flow to design CPS:
1. Develop a model-based method to specify threats to the security of a CPS
2. Integrate the method in a model-based design tool for CPS
3. Evaluate the Secure Design Methodology in a case study
Designing and implementing appropriate control laws is one of the major tasks when building a CPS. A CPS encompasses sensors and actuators that interface with the physical environment. The control law formulates the way inputs from the sensors are transformed to outputs for the actuators. Securing a CPS ultimately has to deal with protecting the interaction of the computer system with the physical environment on its sensor and actuator interfaces. Inputs and outputs have to be reliable, correct, timely, and trustworthy.
Simulation is a common tool for CPS engineers to anticipate current future behaviour of a CPS, given a set of inputs and initial system state. In simulation, a model of a system is stimulated with different inputs and the model’s output as well is its internal state can is observable. Simulation has a dual role: first to enable learning about a system, thus, facilitating an understanding of how the components of the system work together. Second, to derive parameters values that can be exhaustively tested in the simulation and then transferred to the real system, where similar tests would be prohibitive for cost reasons. Regarding security, an approach that includes security properties of the simulation’s system states would be desirable. MODESEC proposes to co-simulate a system model and an attack model, effectively enabling a proactive security analysis during system design.
The second stage employs models to check the plausibility of the operation of a system. A reference model of a system covering a worthwhile aspect of the system is executed in parallel to the system.
Both, the reference model and the real system receive same inputs, thus, their outputs should match with respect to the targeted aspect. This, of course, assumes a certain degree of determinacy between model and system. Deviations between both indicate that reality and how it should be are in disagreement. The innovation is that the reference model describes a part of physical reality. That way, a CPS gets capabilities to reflect about intrusions in the physical domain. This novel intrusion detection technique has been implemented as an automotive security mechanism that detects chip-tuning attacks. An important question is how the reference model is generated. Machine learning is particular interesting approach that automates model creation and adaption.
Both methods have been implemented in prototypes. The SDM has been integrated in Ptolemy II, a software package for model-based design of CPS. The Automotive Intrusion Detection System (AIDS) has been implemented on a microcontroller and connected to a real car, mimicking a system deployment as an Electronic Control Unit (ECU). Both methods have also been extensively described in publications and were presented to academic and industrial audiences.
The MODESEC project strives to support CPS engineers that were not trained in cyber security to reason about the security of a system under consideration. This objective has been achieved by integrating the secure design of a CPS in the model-based design approach to design a CPS. Model-based design tools are familiar to engineers working in many different domains. Attack models could be developed by them or provides in form of a model library. Enabling engineers to explore the security of a system helps them to understand the implication of certain design choices they are making. Thus, our approach enables these engineers to build more secure products by lowering the entry barriers to implement cyber security mechanisms. Additionally, deploying a self-learning reference model that constantly checking the plausibility of a system is a security mechanisms that has a low maintenance, but big impact.
Cyber security of CPS is of utmost importance to society. CPS are often part of critical infrastructures such as public and private transportation, energy distribution systems, medical devices, water and sewage systems, etc. Preventing attackers from manipulating these systems is of utmost importance to guarantee a reliable and secure service to individuals and society at large. Future products embodying CPS (e.g. cars) will need to implement security to be economically feasible. Consumers might just not buy products lacking appropriate security mechanisms. The MODESEC project addresses these requirements in an innovative way. Models are a powerful ally to parry threats to CPS security.