Professional Documents
Culture Documents
Stride-Based Threat Modeling For Cyber-Physical Systems: Rafiullah Khan, Kieran Mclaughlin, David Laverty and Sakir Sezer
Stride-Based Threat Modeling For Cyber-Physical Systems: Rafiullah Khan, Kieran Mclaughlin, David Laverty and Sakir Sezer
Systems
Rafiullah Khan, Kieran McLaughlin, David Laverty and Sakir Sezer
Queen’s University Belfast, Belfast, United Kingdom
Email: {rafiullah.khan, kieran.mclaughlin, david.laverty, s.sezer}@qub.ac.uk
978-1-5386-1953-7/17/$31.00
2017
c IEEE
Authorized licensed use limited to: Uskudar Universitesi. Downloaded on September 30,2021 at 12:58:04 UTC from IEEE Xplore. Restrictions apply.
Table I
S USCEPTIBILITY OF DFD ELEMENTS TO STRIDE THREATS .
Plan
Mitigation
Identify Strategies DFD Element S T R I D E
Vulnerabilities
Analyze
Threats in the Entity
Plot DFD for DFD Data Flow
System Data Store
Decompose Components
System into Process
Components
Authorized licensed use limited to: Uskudar Universitesi. Downloaded on September 30,2021 at 12:58:04 UTC from IEEE Xplore. Restrictions apply.
Controller
Table II
P OSSIBLE T HREAT C ONSEQUENCES (TC)
BASED ON THE EXPERT
WAN
KNOWLEDGE OF SYNCHRONOUS ISLANDING TESTBED .
Figure 2. Synchronous islanding use case. in Fig. 3 consists of two processes: PID controller (which pro-
cesses received synchrophasor measurements from main grid
and microgrid) and digital-to-analog converter (that provides
torque on the drive shaft to the alternator, consequently the feedback to generator set to adjust the output of the alternator).
electrical power output increases/decreases. PMUs measure
electrical quantities in real-time from both main grid (i.e., C. Analyze Threats in the DFD
utility supply) and microgrid/generator set, and communicate
To perform threat analysis (step 3 in Fig. 1), it is necessary
synchrophasor data to the controller. The controller adjusts the
to first identify possible attacker intentions (or threat conse-
phase angle of the microgrid to synchronize it with the main
quences) based on the expert knowledge of the system. For use
grid. Once synchronized, the circuit breaker can be closed
case in Fig. 2, Table II identifies possible threat consequences
safely to connect the microgrid to the main grid. A detailed
and assigns a code to each for referencing purpose. Fig.
description of use case/testbed is available in our previous
4 graphically represents STRIDE-per-element approach for
work in [7]. The rest of the section performs STRIDE-based
threat analysis. Its results are summarized in Table III and
threat modeling for the use case. Note, due to the space
briefly explained in the following.
available, the scope of this paper is limited to only the first
1) Spoofing: Precise timing information in the use case
four steps as in Fig. 1.
is critical for the controller to synchronize the microgrid to
A. Decompose System into Components the main grid. If the time source (EE-1 or EE-2 in Fig. 3)
Step 1 (see Fig. 1) is to decompose system into its com- is spoofed by an attacker, the phase angle estimation (by P-
ponents. Based on Fig. 2, the system consists of five compo- 3 or P-7) will be incorrect. This could result in destructive
nents: PMU for main grid, PMU for microgrid, generator set, failure if controller detects synchronization and closes the
controller and circuit breaker. Note, threat analysis does not circuit breaker (TC-1). Due to incorrect timing information,
consider physical components which are not susceptible to the controller may fail to achieve synchronization (TC-4). If
cyber attacks e.g., load, electrical wire connections between disconnected microgrid cannot meet its local power demand,
circuit breaker and alternator or utility supply. it could also result in blackout (TC-5). The attackers might
spoof P-1 or P-5 to prevent system from acquiring timing
B. Plot DFD for System Components information. This could result in TC-4 and TC-5. Spoofing
As in Fig. 1, step 2 in threat modeling is to plot a DFD of phasor estimation process (P-3 or P-7) and telecom process
for each system component. Due to paper length restriction, a (P-4 or P-8) are critical as they can trick controller to assume
single DFD is plotted for the complete system (as in Fig. 3) synchronization and close the circuit-breaker (TC-1). Spoofing
instead of plotting a separate DFD for each system component. of processes P-9 to P-12 could enable attacker to cause severe
Note, the PMUs in Fig. 2 are OpenPMUs [23] which consist of damage to equipment or fail the entire synchronous islanding
four functional blocks: time source receiver, data acquisition, mechanism. E.g., safe limit for prime mover is analog signal
signal processing and telecom. The time source receiver and between 0V and 5V which could be violated by spoofing of
data acquisition functionalities are provided on a BeagleBone P-10.
board whereas, signal processing and telecom functionalities 2) Tampering: Tampering in the use case is very risky as
are provided on Raspberry Pi. Data acquisition component they could easily trick controller performing unsafe actions.
communicates with signal processing component using the In Fig. 3, tampering attacks could easily take place on DF
UDP protocol. The telecom block restructures synchrophasor elements due to unencrypted communication. Particularly,
data into IEEE C37.118 protocol format and sends to the tampering on DF-3 and DF-6 could trick controller to close
controller. Since PMUs time-stamp real-time measurements circuit breaker in non-synchronized state (TC-1). DF-2 and
using a common precise time-source, the time source element DF-5 are safe from tampering as they are not exposed to the
is also depicted in the DFD (GPS in this case). The controller network and connected using secondary NICs on Raspberry
Authorized licensed use limited to: Uskudar Universitesi. Downloaded on September 30,2021 at 12:58:04 UTC from IEEE Xplore. Restrictions apply.
Time Source Controller
Time Source
Receiver
(GPS Satellites) DF-1 (GPS)
DF-2 PID Controller
EE-1 P-1 DF-6
Signal Processing DF-3 P-9
ADC Data
Main Grid (Phasor Telecom
Acquisition Synchrophasor
Estimation)
P-2 P-3 P-4 Digital2Analog
Converter
DS-1 Configurations DS-2 Configurations P-10
Synchrophasor
PMU main-grid DF-8
P-12 DF-7
Circuit Breaker
Circuit Breaker
Controller EE-2
Time Source DF-4 Time Source
Receiver
(GPS Satellites)
Load (GPS)
Prime Mover DF-5
P-5
Controller
Signal Processing
P-11 ADC Data
DC Power Acquisition
(Phasor Telecom
Estimation)
Coupled Prime- P-6 P-7 P-8
Mover &
Alternator
DS-3 Configurations Configurations
DS-4
Generator Set
PMU micro-grid
DFD Elements:
External Entity (EE) Process (P) Data Flow (DF) Data Store (DS) Trust Boundary
Figure 3. Data flow diagram for synchronous islanding testbed. Grey tags are used for referencing purpose and are not part of the DFD. Solid lines with no
arrow sign on both sides are electrical wired connections which are safe from cyber attacks.
Authorized licensed use limited to: Uskudar Universitesi. Downloaded on September 30,2021 at 12:58:04 UTC from IEEE Xplore. Restrictions apply.
Table III Table IV
T HREAT MODELING USING STRIDE- PER - ELEMENT METHODOLOGY. T HREAT MODELING USING STRIDE- PER - INTERACTION METHODOLOGY.
Authorized licensed use limited to: Uskudar Universitesi. Downloaded on September 30,2021 at 12:58:04 UTC from IEEE Xplore. Restrictions apply.
perform STRIDE-based threat modeling. It was observed that develop appropriate security solutions. The output of STRIDE
certain STRIDE threats impact a group of DFD elements. can feed into risk analysis processes to establish the most
Spoofing and tampering are especially critical and they impact critical threats and furthermore the development of the most
the operations of other elements (particularly in the physical appropriate mitigation measures that should be applied.
domain) resulting in more severe consequences for the system.
ACKNOWLEDGMENT
Further, STRIDE helped to identify that the attacker can
achieve a specific malicious objective in various ways. E.g., This work was funded by the EPSRC CAPRICA project
attacker can achieve TC-1 through spoofing of P-4, P-8, EE- (EP/M002837/1).
1, EE-2 etc or through tampering on DF-3, DF-6, etc (see R EFERENCES
Table III). This helps analysts to developed more appropriate
[1] R. M. Lee, M. J. Assante, and T. Conway, “Analysis of the Cyber Attack
security solutions. on the Ukrainian Power Grid - Defense Use Case,” in Technical Report,
STRIDE-per-element analysis in Section III-C highlighted SANS ICS, March 2016.
the significance of securing the system at the component level. [2] R. M. Lee, M. J. Assante, and T. Conway, “ICS CP/PE (Cyber-to-
Physical or Process Effects) case study paper - German Steel Mill Cyber
It was observed that entire system security can only be ensured Attack,” in Technical Report, SANS ICS, 2014.
if all of its components are secure. However, it was identified [3] J. Slay and M. Miller, “Lessons Learned from the Maroochy Water
that STRIDE-per-element approach may not be sufficient to Breach,” in Critical Infrastructure Protection, 2008.
[4] R. Khan, K. McLaughlin, D. Laverty, and S. Sezer, “Threat Analysis of
identify certain threats due to inadequate technical knowledge BlackEnergy Malware for Synchrophasor based Real-time Control and
of system components or if threats appear only in interactions Monitoring in Smart Grid,” in ICS-CSR conference, 2016.
(e.g., P-4 and P-9 in Table IV). Thus, STRIDE-per-interaction [5] J. P. Farwell and R. Rohozinski, “Stuxnet and the Future of Cyber War,”
in Survival, vol. 53, no. 1, pp. 2340, 2011.
should also be considered to complement threat analysis and [6] I. M. Dragomir and S. S. Iliescu, “Synchrophasors Applications in Power
plan more effective security measures. System Monitoring, Protection and Control,” in CSCS conference, 2015.
It was revealed in Section III-D that each STRIDE threat [7] I. Friedberg, D. Laverty, K. McLaughlin, and P. Smith, “A cyber-physical
security analysis of synchronous-islanded microgrid operation,” in ICS-
in the use case is due to lack of certain security properties. CSR conference, 2015.
For analysts to plan mitigation strategies, the six essential se- [8] R. Khan, K. McLaughlin, D. Laverty, and S. Sezer, “IEEE C37.118-
curity properties (authorization, authentication, confidentiality, 2 Synchrophasor Communication Framework - Overview, Cyber Vul-
nerabilities Analysis and Performance Evaluation,” in 2nd International
integrity, availability and non-repudiation) should be ensured Conference on Information Systems Security and Privacy, 2016.
for each system component. [9] Y. Wang, T. T. Gamage, and C. H. Hauser, “Security implications of
transport layer protocols in power grid synchrophasor data communica-
V. C ONCLUSIONS tion,” IEEE Transactions on Smart Grid, 2016.
[10] R. Khan, K. McLaughlin, D. Laverty, and S. Sezer, “Analysis of
Security of cyber physical systems is of paramount signifi- IEEE C37.118 and IEC 61850-90-5 Synchrophasor Communication
cance as they are ubiquitous in critical infrastructures. Previous Frameworks,” in IEEE Power and Energy Society - General Meeting
(IEEE PES-GM 2016), July 2016.
works in literature mostly focused on safety, risk and hazard [11] L. Coppolino, S. DAntonio, and L. Romano, “Exposing Vulnerabilities
aspects in cyber physical systems [16], [17], [18], [21]. Few in Electric Power Grids: An Experimental Approach,” in International
researchers have analyzed threats for cyber physical systems Journal of Critical Infrastructure Protection vol:7(1), pp:51-60, 2014.
[12] S. Pal, B. Sikdar, and J. Chow, “Real-time detection of packet drop
[24] but lack a comprehensive mechanism for ensuring system attacks on synchrophasor data,” in Smart Grid Communications (Smart-
security at the component level. GridComm), 2014 IEEE International Conference on, 2014.
This paper presented a comprehensive STRIDE-based threat [13] T. Morris et al., “Cybersecurity Testing of Substation Phasor Measure-
ment Units and Phasor Data Concentrators,” in ACM CSIIRW, 2011.
modeling for cyber physical systems. The primary contribution [14] S. Paudel, P. Smith, and T. Zseby, “Data Integrity Attacks in Smart Grid
of the paper is to formalize a systematic methodology that Wide Area Monitoring,” in ICS-CSR conference, 2016.
can be used for effective characterization of system-specific [15] D. Shepard, T. Humphreys, and A. Fansler, “Evaluation of the Vul-
nerability of Phasor Measurement Units to GPS Spoofing Attacks,” in
threat using the STRIDE approach. This is demonstrated by International Journal of Critical Infrastructure Protection, 2012.
performing threat modeling against a real laboratory based [16] W. Young and N. G. Leveson, “An Integrated Approach to Safety and
synchronous islanding testbed. The paper presented necessary Security Based on Systems Theory,” in Commun. ACM, 2014.
[17] T. A. Kletz, “HAZOP and HAZAN: identifying and assessing process
mapping of STRIDE threats to the system components using industry hazards,” in IChemE, 1999.
the DFD. Due to inter-dependencies between system com- [18] G. Macher, H. Sporer, R. Berlach, E. Armengaud, and C. Kreiner,
ponents, the entire system security can only be ensured by “SAHARA: A security-aware hazard and risk analysis method,” in
Design, Automation Test in Europe Conference Exhibition (DATE), 2015.
addressing vulnerabilities of each system component. Thus, [19] M. Abomhara, M. Gerdes, and G. M. Koien, “A STRIDE-Based Threat
this paper identified STRIDE as an effective approach towards Model for Telehealth Systems,” in NISK, 2015.
ensuring system security at the component level. [20] M. Howard and S. Lipner, The Security Development Lifecycle. Red-
mond, WA, USA: Microsoft Press, 2006.
The paper demonstrated that an attacker can achieve a [21] I. Friedberg, K. McLaughlin, P. Smith, D. Laverty, and S. Sezer, “STPA-
specific malicious objective by exploiting threats at different SafeSec: Safety and Security Analysis for Cyber-Physical Systems,” in
locations in the system. By identifying component level vul- Journal of Information Security and Applications, 2016.
[22] A. Shostack, “Threat Modeling - Designing for Security,” in Wiley, 2014.
nerabilities and their potential physical consequences, STRIDE [23] D. M. Laverty et al., “The OpenPMU Project: Challenges and Perspec-
can also effectively cope with such challenges. The results of tives,” in IEEE PES-GM, 2013.
STRIDE approach are more meaningful, easily understandable [24] E. B. Fernandez, “Threat Modeling in Cyber-Physical Systems,” in
Dependable, Autonomic and Secure Computing conference, 2016.
and comprehensive enough for system designers in order to
Authorized licensed use limited to: Uskudar Universitesi. Downloaded on September 30,2021 at 12:58:04 UTC from IEEE Xplore. Restrictions apply.