Annual Computer Security Applications Conference (ACSAC) 2013

CPS: Stateful Policy Enforcement for Control System Device Usage

Networked control systems used in energy, manufacturing, and
transportation combine large, vulnerable attack surfaces with far
overprovisioned privileges. Often, compromising a single computer or
user account is sufficient to give an attacker free rein over
physical machinery. Significant reduction of attack surface size is
an ongoing problem, so we shift our focus to reducing the privileges
granted to system operators and embedded controllers. To this end,
we introduce C2, an enforcement mechanism for policies governing
the usage of electromechanical devices. In presenting C2, we
address two basic problems: (i) How should a policy for physical
device usage be expressed and enforced? This is a challenging
question as the safe usage of physical devices is dependent on
mechanical limitations and the behavior of nearby devices. (ii)
What actions should be taken if a physical machine is issued an
operation that violates the policy? C2 takes measures to ensure
unsafe behaviors are not caused when denying slightly erroneous yet
legitimate operations. We evaluate C2 against six representative
control systems, and show that it can efficiently perform policy
checks with less than 3.5% overhead, while not introducing new
unsafe behavior into a control system.


Stephen McLaughlin    
Pennsylvania State University
United States


