Master Thesis Proposal Security robustness test of IT systems in the Industrial Automation and Control Summary: Installation and secure configuration of IT systems in the Industrial Automation and Control System have to comply with the major International standards and organizations’ own IT/Cyber security policies such as ISA/IEC 62443 (aka ISA 99). Such systems contain layered network architecture which is logically separated from the enterprise IT network. Secure system configuration tasks include among others the access and account management, system hardening, deplopyment of patch management and antimalware solution etc. Even after deploying layers of defensive security mechanisms and controls in the system, new vulnerabilities are discovered every day. The objective of this work is to build a robustness test platform, conduct the robustness test on the systems without harming the systems and to prepare a strategy comprising tools and procedures for such tests. Host supervisor: <Name of the supervisor> Industry Supervisors: Mohammad M. R. Chowdhury, PhD ABB Oil, Gas and Chemical, ABB AS, Norway Duration of study: xxxx (approximately) Special Requirements: Under NDA (only if necessary) Interested candidates are requested to send their resume to <supervisor’s epost address>, mmchowdh@ifi.uio.no System Background and Motivation The security threat landscape for Industrial Automation and Control System (IACS) is continuously evolving as today’s IACS is moving from stand-alone isolated network towards connected networks. Instead of proprietary protocols, adoption of open and common standards and protocols in IACS further enhanced the security threats. Addressing these threats is crucial as they can compromise the security of the critical infrastructure. In the critical infrastructure, the security breaches and the resulting service interruptions are costly and may cause catastrophic consequences such as loss of lives, environmental hazards etc. Even after deploying layers of defensive security mechanisms and controls in the system, new vulnerabilities are discovered every day. The robustness testing evaluates system’s ability to protect its networks, applications, endpoints and users in the event of an attack. The tests include among others different flooding tests, fuzzing tests, vulnerability scanning, penetration tests etc. The penetration testing is the practice of attacking an IT/computer system to identify the vulnerabilities without actually harming the systems. It is done with good intent and with system owner’s permission. A vulnerability is a security hole or weakness in a peace of software, hardware or operating system that provides a potential way to compromise the availability, integrity, or confidentiality of the system. An exploit is a highly sophisticated software, piece of data, or a sequence of commands that takes advantage of the system weaknesses to carry out some form of malicious intent. The weakness in the system can be among others design vulnerability, inadequate or wrong configuration of the product, flaws in the implementation etc. Overview of the Work Nowadays in the Industrial Automation and Control System, IT systems are integrated with the Programmable Logic Controllers (PLC), other industrial automation controller variants, sensors and actuators. The major elements in the IT systems of IACS include servers/clients computers, network equipments such as firewall, switches, routers etc. Such systems gather real-time sensor data, process the data, presents this data in the applications, downloads the applications onto the controller and when necessary may send responses back to the actuators. The industrial automation and control systems have to be logically isolated from the enterprise IT networks which requires layered network architecture. Secure system configuration tasks include among others the access and account management, system hardening, deplopyment of patch management and antimalware solution etc. Installation and secure configuration of such IT systems have to comply with the major International standards and organizations’ own IT/Cyber security policies such as ISA/IEC 62443 (aka ISA 99). The scope of this work starts when the Installation and secure configuratopm of the IT systems is completed. The objective of this work is to build a robustness test platform, conduct the security robustness test on the systems without harming the systems and to prepare a strategy comprising tools and procedures for such tests. The objectives of this work are the following: • To study IT & Cyber Security infrastructure used in the industrial automation and control system • To provide suggestions on the feasible tools and test platform • To build a test platform • To identify the vulnerabilities in the system using open source tools • To prepare sufficiently strong but easy-to-use procedure to conduct the testing A tentative plan includes (approximate Months and may change), M00-M01: - Study of Industrial Automation and Control System and its IT & Cyber Security Infrastructure and security controls - Study of keywords: security robustness, vulnerability scanning, penetration tests, fuzzing, flooding etc. M01-M04: - Indentification of robust tests and criteria - Indentification of robustness testing tools M03-M05: - Deployment of the tools - Start preparation of the methodologies for conducting robustness tests M05-M06: Demostration of the tests of system