Master Thesis Proposal

Security robustness test of IT systems in the Industrial Automation and Control System
Summary: Installation and secure configuration of IT systems in the Industrial Automation and
Control System have to comply with the major international standards, such as ISA/IEC 62443
(aka ISA 99), and with organizations’ own IT/cyber security policies. Such systems have a layered
network architecture which is logically separated from the enterprise IT network. Secure system
configuration tasks include, among others, access and account management, system hardening,
and deployment of patch management and antimalware solutions. Even after layers of
defensive security mechanisms and controls are deployed in the system, new vulnerabilities are
discovered every day. The objective of this work is to build a robustness test platform, conduct the
robustness test on the systems without harming them, and prepare a strategy comprising tools and
procedures for such tests.
Host supervisor: <Name of the supervisor>
Industry Supervisors:
Mohammad M. R. Chowdhury, PhD
ABB Oil, Gas and Chemical, ABB AS, Norway
Duration of study: xxxx (approximately)
Special Requirements: Under NDA (only if necessary)
Interested candidates are requested to send their resume to <supervisor’s e-mail address>,
mmchowdh@ifi.uio.no
Background and Motivation
The security threat landscape for the Industrial Automation and Control System (IACS) is continuously
evolving as today’s IACS moves from stand-alone, isolated networks towards connected networks.
The adoption of open and common standards and protocols in IACS, instead of proprietary protocols,
has further increased the security threats. Addressing these threats is crucial as they can compromise
the security of the critical infrastructure.
In critical infrastructure, security breaches and the resulting service interruptions are costly and
may cause catastrophic consequences such as loss of lives and environmental hazards. Even after
layers of defensive security mechanisms and controls are deployed in the system, new vulnerabilities are
discovered every day. Robustness testing evaluates a system’s ability to protect its networks,
applications, endpoints and users in the event of an attack. The tests include, among others, different
flooding tests, fuzzing tests, vulnerability scanning and penetration tests. Penetration testing is the
practice of attacking an IT/computer system to identify its vulnerabilities without actually harming the
system. It is done with good intent and with the system owner’s permission.
A vulnerability is a security hole or weakness in a piece of software, hardware or operating system that
provides a potential way to compromise the availability, integrity, or confidentiality of the system. An
exploit is a highly sophisticated piece of software, a piece of data, or a sequence of commands that takes
advantage of the system’s weaknesses to carry out some form of malicious intent. The weakness in the
system can be, among others, a design vulnerability, an inadequate or wrong configuration of the product,
or a flaw in the implementation.
Overview of the Work
Nowadays in the Industrial Automation and Control System, IT systems are integrated with the
Programmable Logic Controllers (PLC), other industrial automation controller variants, sensors and
actuators. The major elements in the IT systems of IACS include server and client computers and network
equipment such as firewalls, switches and routers. Such systems gather real-time sensor data, process
the data, present it in the applications, download the applications onto the controller and,
when necessary, may send responses back to the actuators. The industrial automation and control
systems have to be logically isolated from the enterprise IT networks, which requires a layered network
architecture. Secure system configuration tasks include, among others, access and account
management, system hardening, and deployment of patch management and antimalware solutions.
Installation and secure configuration of such IT systems have to comply with the major international
standards, such as ISA/IEC 62443 (aka ISA 99), and with organizations’ own IT/cyber security policies.
The scope of this work starts when the installation and secure configuration of the IT systems is
completed. The objective of this work is to build a robustness test platform, conduct the security
robustness test on the systems without harming them, and prepare a strategy comprising tools
and procedures for such tests.
The objectives of this work are the following:
• To study IT & Cyber Security infrastructure used in the industrial automation and control system
• To provide suggestions on the feasible tools and test platform
• To build a test platform
• To identify the vulnerabilities in the system using open source tools
• To prepare a sufficiently strong but easy-to-use procedure to conduct the testing
A tentative plan (months are approximate and may change):
M00-M01:
- Study of Industrial Automation and Control System and its IT & Cyber Security Infrastructure and
security controls
- Study of keywords: security robustness, vulnerability scanning, penetration tests, fuzzing, flooding etc.
M01-M04:
- Identification of robust tests and criteria
- Identification of robustness testing tools
M03-M05:
- Deployment of the tools
- Start preparation of the methodologies for conducting robustness tests
M05-M06: Demonstration of the tests of the system