Conference: 43rd Annual Conference of the IEEE
Industrial Electronics Society (IECON2017)
29 October – 1 November, 2017
China National Convention Center, Beijing, China
Title of the paper: Principles and risk assessment of
managing distributed ontologies hosted by
embedded devices for controlling industrial systems
Authors: Borja Ramis Ferrer, Samuel Olaiya
Afolaranmi, Jose Luis Martinez Lastra
Principles and risk assessment of managing distributed ontologies hosted by embedded devices for controlling industrial systems
1. Principles and risk assessment of managing
distributed ontologies hosted by embedded devices for
controlling industrial systems
Date: October 2017
Contact Information
Tampere University of Technology
FAST Laboratory
P.O. Box 600,
FIN-33101 Tampere
Finland
Email: fast@tut.fi
www.tut.fi/fast
If you would like to receive a reprint of the
original paper, please contact us.
24.10.2017
Principles and risk assessment of managing distributed
ontologies hosted by embedded devices for controlling
industrial systems
1
2. Principles and risk assessment of
managing distributed ontologies hosted
by embedded devices for controlling
industrial systems
Authors: Borja Ramis Ferrer, Samuel Olaiya Afolaranmi, Jose Luis
Martinez Lastra
{borja.ramisferrer, samuel.afolaranmi, jose.lastra}@tut.fi
Tampere University of Technology, FAST-Lab.
43rd Annual Conference of the IEEE Industrial Electronics Society
(IECON2017)
31st October 2017, China National Convention Center, Beijing, China
3. Outline
• Introduction
• Motivation and main objective
• Background
• Techniques for enhancing security
• The Use Case
• Use Case TM & RA
• Discussion
• Conclusions
• Further work
4. Introduction (1/3)
• The connectivity of industrial automation domain systems
has been enhanced by the employment of information
and communication technologies
https://en.wikipedia.org/wiki/Industry_4.0
5. Introduction (2/3)
• Industry is continuously moving towards the employment
and exploitation of semantic technologies due to diverse
enterprise needs, such as:
–cross-domain interoperability,
–system modeling,
–categorization of information,
–model validation and
–data reasoning
Source: Borja Ramis Ferrer and J. L. Martinez Lastra, “Private local automation clouds built by CPS:
Potential and challenges for distributed reasoning,” Adv. Eng. Inform., vol. 32, pp. 113–125, Apr. 2017.
6. Introduction (3/3)
• New semantic-based approaches for implementing
industrial systems that are:
–flexible,
–self-descriptive,
–dynamic and
–interoperable with other systems that are already
deployed in the field
7. Motivation and main objective
• CPS and efficient M2M and M2H interactions have already
been implemented through semantics with great success
• However, presented solutions are not always validated in
terms of security
• This article suggests threat modeling and risk
assessment for protecting solutions from attacks and
malicious access.
8. Background
• Distributed systems and semantics in the industry
• Ontologies and the Semantic Web for industrial systems
• Security of distributed automation systems
9. Techniques for enhancing security (1/3)
• It becomes imperative to perform security assessment
and analysis of DAS from the design phase
• This involves the security evaluation of all the DAS
components in order to:
1. Identify security issues (risk or threat),
2. specify security requirements,
3. specify (or identify) security controls and
countermeasures
10. Techniques for enhancing security (2/3)
• This research suggests Threat Modelling (TM) and
Risk Assessment (RA)
• It is a process that enables effective security analysis of
an application
–the recognition, rating and mitigation of threats
–systematic addressing of security issues
• The result of the process is a threat model, which
presents the security information of the application or
system
11. Techniques for enhancing security (3/3)
• Process steps:
1. System component identification
2. Component threat identification and ranking
3. Security requirements specification
4. Selection of Security Controls
• The result of this process is a threat model document,
which provides information about the identified threats
per component together with the risks associated with
each of the threats
12. The Use Case (1/3)
• A knowledge-based solution as a test bed for TM & RA
13. The Use Case (2/3)
• Ontology model hosted by each device
14. The Use Case (3/3)
• Distributing reasoning process in the knowledge-based
use case
15. Use Case TM & RA (1/5)
• System component identification
– Components: User-Interface, Admin-Interface, devices with KBs,
equipment (e.g., robots, conveyors and sensors) and PLCs
– Entry points: HTTP, MODBUS TCP, RS232, IP
– Trust Levels: Operator, Administrator, DAS components
| Components | Description | Trust Level | Entry Points |
|---|---|---|---|
| Operator Interface | WebUI for Operator interaction with DAS | Operator | HTTP Port, IP |
| Admin Interface | WebUI for Administrator interaction with DAS | Administrator | HTTP Port, IP |
| Devices | Stores, processes and encapsulates KBs | Administrator, Operator, DAS components | HTTP Port, IP |
| Controllers (PLCs) | Processes logic for performing operations | Operator, Devices | MODBUS, IP TCP, RS232 |
| Equipment | Performs operations | Operator, Devices | RS232 |
16. Use Case TM & RA (2/5)
• Component threat identification and ranking
17. Use Case TM & RA (3/5)
• Security requirements specification
– ISA-99 (Security for Industrial Automation and Control
Systems) standards were used to identify these requirements
– ISA-62443-1-1 specifies the foundational requirements for
IACS, which are Identification & Authorization control, Use
control, System Integrity, Data Confidentiality, Restricted Data
Flow, Timely response to events and Resource availability
– ISA-62443-4-2 further provides component requirements and
guidelines needed to fulfill the foundational requirements in
IACS components
18. Use Case TM & RA (4/5)
• Selection of Security Controls
–Selected security controls (1/2):
| Threats | Security Control |
|---|---|
| Spoofing | Strong Authentication, Secret data protection |
| Tampering | Integrity, Strong Authorization, Use of digital signatures, Use of Tamper-resistant protocols |
| Repudiation | Use of digital signatures, Audit and Logging |
| Information disclosure | Confidentiality, Authorization, Use of privacy-enhanced protocols, Strong Encryption, Non-storage of passwords in plain texts |
| Denial of Service | Availability, Authorization, Authentication, Validate and filter input |
| Elevation of Privilege | Authorization (Use of Access Control Lists), Use of least privilege service to run processes and access resources |
19. Use Case TM & RA (5/5)
• Selection of Security Controls
–Selected security controls (2/2):
| Security Requirements | Security Control |
|---|---|
| Identification and authentication control | Multifactor authentication (for Humans and devices), Use of Strong passwords, PKI certificates and tokens, System use notification |
| User Control | Authorization enforcement, Session control, Session lock, Audit records, digital signatures and timestamps |
| System Integrity | Cryptographic integrity protection, communication link protection, input validation, session integrity |
| Data Confidentiality | Information confidentiality, use of cryptography |
| Restricted Data Flow | Network segmentation, Boundary protection |
| Timely Response to events | Audit log accessibility and continuous monitoring |
| Resource Availability | Denial of Service protection, System Backup |
20. Discussion (1/3)
• Tampering with data (1/2)
21. Discussion (2/3)
• Tampering with data (2/2)
22. Discussion (3/3)
• Denial of Service (DoS) attacks pose a high risk to the
devices and may occur if the network is congested by a
high number of requests (or queries) sent to the devices
• The actual impact of this attack depends on the number
of devices: it grows as the number of devices in the
network gets smaller
• An effective way to guard against this attack is through
authentication and authorization
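An added example, not code from the paper or its authors: a device-side gate that applies authentication and authorization, together with the timestamp and audit-record controls from the tables above, before a request reaches the KB. The client ids, secrets, action names, 30-second validity window and the HMAC-signed request format are all assumptions made for this example.

```python
import hashlib
import hmac
import time

# Constructed sample data: client id -> (shared secret, trust level from the use case).
CLIENTS = {
    "operator-ui": (b"constructed-operator-secret", "Operator"),
    "admin-ui": (b"constructed-admin-secret", "Administrator"),
}
ALLOWED = {"Operator": {"query"}, "Administrator": {"query", "update"}}  # assumed policy
MAX_SKEW = 30  # seconds a signed request stays valid (assumed value)


def sign(secret, client, action, body, ts):
    """HMAC-SHA256 over length-prefixed fields, so field boundaries cannot shift."""
    fields = [f.encode() for f in (client, action, body, str(ts))]
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class DeviceGate:
    """Runs in front of the KB so rejected requests never reach the reasoner."""
    def __init__(self, now=time.time):
        self.now = now
        self.seen = {}   # accepted signature -> timestamp, for replay detection
        self.audit = []  # (client, action, decision) audit records

    def check(self, client, action, body, ts, signature):
        decision = self._decide(client, action, body, ts, signature)
        self.audit.append((client, action, decision))
        return decision

    def _decide(self, client, action, body, ts, signature):
        now = self.now()
        if client not in CLIENTS:
            return "deny:unknown-client"
        secret, level = CLIENTS[client]
        if abs(now - ts) > MAX_SKEW:
            return "deny:stale"
        expected = sign(secret, client, action, body, ts)
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return "deny:bad-signature"
        if action not in ALLOWED[level]:
            return "deny:not-authorized"
        # Forget signatures older than the validity window, then refuse repeats.
        self.seen = {s: t for s, t in self.seen.items() if abs(now - t) <= MAX_SKEW}
        if signature in self.seen:
            return "deny:replay"
        self.seen[signature] = ts
        return "allow"
```

Every decision, including denials, lands in `audit`, which is the record a monitoring process would read for the "Timely Response to events" requirement.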
23. Conclusions
• A knowledge-based solution is used to argue that security
for developments that manage semantic descriptions
should be considered at design phase
• This article claims that different types of attacks on assets
that are common in semantic-based solutions can be
analyzed with TM and RA techniques
• In order to achieve an optimal result, an expert on
security should assess the probability of different attacks
and the designer of the solution should value the impact
24. Further work
• A ”futuristic” challenge… how such techniques could be
included in ontologies so that designers would use
ontological models to assess automatically the
probability, impact and possible threats to the system
• This would reduce the time and effort needed to perform TM and
RA assessment
25. Acknowledgement
• The project leading to this paper has received funding
from the European Union’s Horizon 2020 research and
innovation programme under grant agreement n° 644429,
corresponding to the project with the short title MUSA,
Multi-cloud Secure Applications