Finding Dependencies between Cyber-Physical Domains for Security Testing of Industrial Control Systems
In modern societies, critical services such as transportation, power supply, water treatment and distribution depend strongly on Industrial Control Systems (ICS). As technology advances, new features improve the services these ICS provide. On the other hand, this progress also introduces new risks of cyber attacks because of the tight coupling between the cyber and physical domains. Performing rigorous security tests and risk analysis in these critical systems is a challenging task, owing to the non-trivial interactions between digital and physical assets and the domain-specific knowledge needed to analyze a particular system. In this work we propose a methodology to model and analyze a System Under Test (SUT) as a data flow graph that shows the interactions among internal entities throughout the SUT. This model is extracted automatically from the production code running on Programmable Logic Controllers (PLCs). We also propose a reachability algorithm and an attack diagram that highlight the dependencies between the cyber and physical domains, enabling a human analyst to gauge the attack vectors in a system that arise from subtle dependencies in data and information propagation. We evaluate our methodology on a functional water treatment testbed and demonstrate how an analyst could use the resulting attack diagrams to reason about possible threats to various targets of the SUT.
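To make the idea of a data flow graph extracted from PLC code, plus a reachability query over it, concrete, the following is an added illustration written for this page; it is not the paper's tool or algorithm. It parses a small, constructed fragment of IEC 61131-3 Structured Text (all tag names such as `LIT101_Value`, `P101_Run` and `MODBUS_IN.Reg0` are hypothetical), builds a variable-level data flow graph in which an edge u -> v means the assignment to v reads u, and then answers the defender's question the abstract motivates: which externally written values (here, registers filled from a network protocol) can influence which actuator commands, and along which paths.

```python
"""Toy data-flow graph and reachability over simplified PLC Structured Text.

Added example for illustration only; not the paper's extraction tool.
"""
import re
from collections import defaultdict, deque

# Constructed sample program. Tag names are hypothetical; the only structure
# assumed is `target := expression;` with (* ... *) comments.
SAMPLE_ST = """
(* level and flow readings arrive in registers written over the network *)
LIT101_Value := MODBUS_IN.Reg0;
LIT101_High := LIT101_Value > 800;
LIT101_Low := LIT101_Value < 250;
FIT101_Flow := MODBUS_IN.Reg1;
P101_Run := LIT101_Low AND NOT E_STOP;
MV101_Open := P101_Run OR MANUAL_OVERRIDE;
ALARM := LIT101_High OR (FIT101_Flow > 3.0);
"""

ASSIGN_RE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*:=\s*(.+?);\s*$")
IDENT_RE = re.compile(r"[A-Za-z_][\w.]*")
# Operators and literals that look like identifiers but carry no data.
KEYWORDS = {"AND", "OR", "NOT", "XOR", "TRUE", "FALSE"}


def strip_comments(src):
    """Remove (* ... *) block comments before tokenising."""
    return re.sub(r"\(\*.*?\*\)", "", src, flags=re.S)


def build_dataflow_graph(src):
    """Return {source_var: {sink_var, ...}}: u -> v when v's assignment reads u."""
    graph = defaultdict(set)
    for line in strip_comments(src).splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        target, expr = m.group(1), m.group(2)
        for ident in IDENT_RE.findall(expr):
            if ident.upper() in KEYWORDS:
                continue
            graph[ident].add(target)
    return graph


def reachable_from(graph, start):
    """Forward reachability (BFS): every variable whose value `start` can influence."""
    seen, queue = set(), deque([start])
    while queue:
        u = queue.popleft()
        for v in graph.get(u, ()):
            if v not in seen:
                seen.add(v)
                queue.append(v)
    return seen


def influence_paths(graph, start, target, max_paths=10):
    """Enumerate simple paths start -> target; these are the edges an analyst
    would draw between a cyber entry point and a physical effect."""
    paths = []

    def dfs(node, path):
        if len(paths) >= max_paths:
            return
        if node == target:
            paths.append(list(path))
            return
        for nxt in sorted(graph.get(node, ())):
            if nxt not in path:
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(start, [start])
    return paths


def dependency_table(graph, cyber_sources, physical_sinks):
    """For each physical sink, list the cyber sources that can reach it."""
    table = {}
    for sink in physical_sinks:
        table[sink] = sorted(s for s in cyber_sources if sink in reachable_from(graph, s))
    return table


if __name__ == "__main__":
    g = build_dataflow_graph(SAMPLE_ST)
    sources = ["MODBUS_IN.Reg0", "MODBUS_IN.Reg1", "MANUAL_OVERRIDE"]
    sinks = ["P101_Run", "MV101_Open", "ALARM"]
    for sink, srcs in dependency_table(g, sources, sinks).items():
        print(f"{sink:<12} depends on: {', '.join(srcs) or '(none)'}")
    for p in influence_paths(g, "MODBUS_IN.Reg0", "MV101_Open"):
        print(" -> ".join(p))
```

The dependency table is the part a reviewer would act on: a register that reaches a pump or valve command through several comparisons deserves input validation and monitoring that a register which only feeds an alarm does not. A real extractor must also handle function blocks, timers, indirect addressing and cross-PLC traffic, which this toy parser ignores.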