Browse > Article
http://dx.doi.org/10.13089/JKIISC.2017.27.6.1467

Derivation of Security Requirements of Smart Factory Based on STRIDE Threat Modeling  

Park, Eun-ju (Center for Information Security Technologies(CIST), Korea University)
Kim, Seung-joo (Center for Information Security Technologies(CIST), Korea University)
Publication Information
Journal of the Korea Institute of Information Security & Cryptology / v.27, no.6, 2017 , pp. 1467-1482 More about this Journal
Abstract
Recently, Interests on The Fourth Industrial Revolution has been increased. In the manufacturing sector, the introduction of Smart Factory, which automates and intelligent all stages of manufacturing based on Cyber Physical System (CPS) technology, is spreading. The complexity and uncertainty of smart factories are likely to cause unexpected problems, which can lead to manufacturing process interruptions, malfunctions, and leakage of important information to the enterprise. It is emphasized that there is a need to perform systematic management by analyzing the threats to the Smart Factory. Therefore, this paper systematically identifies the threats using the STRIDE threat modeling technique using the data flow diagram of the overall production process procedure of Smart Factory. Then, using the Attack Tree, we analyze the risks and ultimately derive a checklist. The checklist provides quantitative data that can be used for future safety verification and security guideline production of Smart Factory.
Keywords
Cyber Physical Systems; Smart Factory; The Fourth Industrial Revolution; Threat Modeling; Security Requirements;
Citations & Related Records
연도 인용수 순위
  • Reference
1 Emerson, "Emerson Wireless Security - Automation Solutions", Emerson Process Management, Feb. 2016.
2 MSB, "Guide to Increased Security in Industrial Control Systems", Swedish Civil Contingencies Agency, Nov. 2014.
3 SANS Institute, "Securing Industrial Control Systems-2017", Jun. 2017.
4 Kaspersky, "Industrial Control Systems Vulnerabilities Statistics", 2016.
5 MITRE, https://cve.mitre.org/
6 Microsoft, https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx
7 Microsoft, Microsoft Threat Modeling Tool, https://www.microsoft.com/en-us/download/details.aspx?id=49168
8 Injae Lee, "Domestic and Overseas Introduction Trends of Smart Factory", Institute for Information and Communications Technology Promotion, Sep. 2016.
9 Edward A. Lee, "Cyber Physical Systems: Design Challenges", 11th IEEE International Symposium on Object Oriented Real-Time Distributed Computing (ISORC), pp. 363-369, May. 2008.
10 Alvaro A. Cardenas, Saurabh Amin, Shankar Sastry, "Secure Control: Towards Survivable Cyber-Physical Systems", The 28th International Conference on Distributed Computing Systems Workshops, pp. 495-500, Jun. 2008.
11 Cyber Physical Systems Public Working Group, "Framework for Cyber-Physical Systems Release 1.0", May. 2016.
12 NIST, "Framework for Cyber-Physical Systems: Volume 1, Overview ", Jun. 2017.
13 NIST, "Framework for Cyber-Physical Systems: Volume 2, Working Group Reports", Jun. 2017.
14 Brian Meixell, "Out of Control: Demonstrating SCADA Exploitation", Black Hat USA 2013.
15 NIST, "Guide to Industrial Control Systems (ICS) Security ", 2015.
16 Karnouskos, Stamatis. "Stuxnet worm impact on industrial cyber-physical system security." IECON 2011-37th Annual Conference on IEEE Industrial Electronics Society. IEEE, pp. 4490-4494, Jan. 2011.
17 Ciancamerla, Ester, Michele Minichino, and S. Palmieri. "Modeling cyber attacks on a critical infrastructure scenario." Information, intelligence, systems and applications (IISA), 2013 fourth international conference on. IEEE, pp. 1-6, Jul. 2013.
18 Spenneberg, Ralf, Maik Bruggemann, and Hendrik Schwartke. "Plc-blaster: A worm living solely in the plc." Black Hat Asia, Marina Bay Sands, Singapore, 2016.
19 DEF CON 25 Hacking Conference, https://www.defcon.org/html/defcon-25/dc-25-index.html
20 Wollschlaeger, Martin, Thilo Sauter, and Juergen Jasperneite. "The future of industrial communication: Automation networks in the era of the internet of things and industry 4.0." IEEE Industrial Electronics Magazine, vol.11, no.1, pp. 17-27, Mar. 2017.   DOI
21 Black Hat USA 2016, http://www.blackhat.com/us-16/
22 Lucas Apa, "Compromising Industrial Facilities from 40 Miles Away", Black Hat USA 2013.
23 Kim, HyungJun. "Security and vulnerability of SCADA systems over IP-based wireless sensor networks." International Journal of Distributed Sensor Networks, vol.8, no.11, Jan. 2012.
24 Thilo Sauter, "The continuing evolution of integration in manufacturing automation", IEEE Industrial Electronics Magazine, vol.1, no.1, pp.10-19, May. 2007.   DOI
25 Sivakorn, Suphannee, Jason Polakis, and Angelos D. Keromytis. "HTTP Cookie Hijacking in the Wild: Security and Privacy Implications.", Black Hat USA 2016.
26 NIST, "Framework for Cyber-Physical Systems: Volume 3, Timing Annex ", Jun. 2017.
27 D. Bauer, D. Stock, T. Bauernhansl, "Movement Towards Service-orientation and App-orientation in Manufacturing IT", Procedia CIRP, vol.62, pp.199-204, May. 2017.   DOI
28 Korea Embedded Software and System Industry Association, "Smart Factory Status and Implications", KESSIA ISSUE REPORT, Nov. 2015.
29 James Kettle, "Server-Side Template Injection: RCE for the modern webapp", Black Hat USA 2015.
30 Vanhoef, Mathy, and Tom Van Goethem. "HEIST: HTTP Encrypted Information can be Stolen through TCP-windows.", Black Hat USA 2016.
31 OWASP AppSec Europe '16, https://2016.appsec.eu/
32 Kyle Wilhoit, "The Little Pump Gauge That Could: Attacks Against Gas Pump Monitoring Systems", Black Hat USA 2015.
33 Jason Larsen, "Remote Physical Damage 101 - Bread And Butter Attacks", Black Hat USA 2015.
34 ShmooCon Speakers 2016, http://shmoocon.org/2015/12/08/shmoocon-speakers-2016/
35 Sergey Temnikov, "Pwning the Industrial IoT: RCEs and backdoors are around!", DEF CON 25, 2017
36 Black Hat Asia 2017, https://www.blackhat.com/asia-17/