STRIDE-based Threat Modeling for Cyber-Physical Systems

Rafiullah Khan; Kieran McLaughlin; David Laverty; Sakir Sezer

doi:10.1109/ISGTEurope.2017.8260283

STRIDE-based Threat Modeling for Cyber-Physical Systems

Rafiullah Khan, Kieran McLaughlin, David Laverty, Sakir Sezer

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

51 Citations (Scopus)

6185 Downloads (Pure)

Abstract

Critical infrastructures and industrial control systems are complex Cyber-Physical Systems (CPS). To ensure reliable operations of such systems, comprehensive threat modeling during system design and validation is of paramount significance. Previous works in literature mostly focus on safety, risks and hazards in CPS but lack effective threat modeling necessary to eliminate cyber vulnerabilities. Further, impact of cyber attacks on physical processes is not fully understood. This paper presents a comprehensive threat modeling framework for CPS using STRIDE, a systematic approach for ensuring system security at the component level. This paper first devises a feasible and effective methodology for applying STRIDE and then demonstrates it against a real synchrophasor-based synchronous islanding testbed in the laboratory. It investigates (i) what threat types could emerge in each system component based on the security properties lacking, and (ii) how a vulnerability in a system component risks the entire system security. The paper identifies that STRIDE is a light-weight and effective threat modeling methodology for CPS that simplifies the task for security analysts to identify vulnerabilities and plan appropriate component level security measures at the system design stage.

Original language	English
Title of host publication	2017 IEEE PES: Innovative Smart Grid Technologies Conference Europe (ISGT-Europe): Proceedings
Publisher	Institute of Electrical and Electronics Engineers Inc.
Number of pages	6
ISBN (Electronic)	978-1-5386-1953-7
ISBN (Print)	978-1-5386-1954-4
DOIs	https://doi.org/10.1109/ISGTEurope.2017.8260283
Publication status	Published - 18 Jan 2018
Event	IEEE International Conference on Innovative Smart Grid Technologies - Turin, Italy Duration: 26 Sep 2017 → 29 Sep 2017 http://sites.ieee.org/isgt-europe-2017/

Conference

Conference	IEEE International Conference on Innovative Smart Grid Technologies
Abbreviated title	IEEE ISGT Europe 2017
Country/Territory	Italy
City	Turin
Period	26/09/2017 → 29/09/2017
Internet address	http://sites.ieee.org/isgt-europe-2017/

Keywords

Smart Grid
Synchrophasor
cyber attacks
Cyber defence
STRIDE
Cyber Security
Threat Modeling
Microgrid
power system
Monitoring
PROTECTION

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

Access to Document

10.1109/ISGTEurope.2017.8260283Licence: Unspecified

STRIDE-based threat modeling for cyber-physical systems
© 2018 IEEE. This work is made available online in accordance with the publisher’s policies. Please refer to any applicable terms of use of the publisher.
Accepted author manuscript, 913 KBLicence: Unspecified

R1452ECI: Converged Approach towards Resilient Industrial control systems and Cyber Assurance
Sezer, S., Laverty, D., McLaughlin, K., McLoone, S. & Morrow, D. J.
01/08/2014 → 31/12/2017
Project: Research

Research Institute in Trustworthy Industrial Control Systems (External organisation)
Kieran McLaughlin (Member)
2014 → …
Activity: Membership types › Membership of external research organisation

Cite this

@inproceedings{891a6f4f54a546828816fd7b72413cc0,

title = "STRIDE-based Threat Modeling for Cyber-Physical Systems",

abstract = "Critical infrastructures and industrial control systems are complex Cyber-Physical Systems (CPS). To ensure reliable operations of such systems, comprehensive threat modeling during system design and validation is of paramount significance. Previous works in literature mostly focus on safety, risks and hazards in CPS but lack effective threat modeling necessary to eliminate cyber vulnerabilities. Further, impact of cyber attacks on physical processes is not fully understood. This paper presents a comprehensive threat modeling framework for CPS using STRIDE, a systematic approach for ensuring system security at the component level. This paper first devises a feasible and effective methodology for applying STRIDE and then demonstrates it against a real synchrophasor-based synchronous islanding testbed in the laboratory. It investigates (i) what threat types could emerge in each system component based on the security properties lacking, and (ii) how a vulnerability in a system component risks the entire system security. The paper identifies that STRIDE is a light-weight and effective threat modeling methodology for CPS that simplifies the task for security analysts to identify vulnerabilities and plan appropriate component level security measures at the system design stage.",

keywords = "Smart Grid, Synchrophasor, cyber attacks, Cyber defence, STRIDE, Cyber Security, Threat Modeling, Microgrid, power system, Monitoring, PROTECTION",

author = "Rafiullah Khan and Kieran McLaughlin and David Laverty and Sakir Sezer",

year = "2018",

month = jan,

day = "18",

doi = "10.1109/ISGTEurope.2017.8260283",

language = "English",

isbn = "978-1-5386-1954-4",

booktitle = "2017 IEEE PES: Innovative Smart Grid Technologies Conference Europe (ISGT-Europe): Proceedings",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

note = "IEEE International Conference on Innovative Smart Grid Technologies, IEEE ISGT Europe 2017 ; Conference date: 26-09-2017 Through 29-09-2017",

url = "http://sites.ieee.org/isgt-europe-2017/",

}

Khan, R, McLaughlin, K , Laverty, D & Sezer, S 2018, STRIDE-based Threat Modeling for Cyber-Physical Systems. in 2017 IEEE PES: Innovative Smart Grid Technologies Conference Europe (ISGT-Europe): Proceedings. Institute of Electrical and Electronics Engineers Inc., IEEE International Conference on Innovative Smart Grid Technologies, Turin, Italy, 26/09/2017. https://doi.org/10.1109/ISGTEurope.2017.8260283

STRIDE-based Threat Modeling for Cyber-Physical Systems. / Khan, Rafiullah; McLaughlin, Kieran ; Laverty, David ; Sezer, Sakir.

2017 IEEE PES: Innovative Smart Grid Technologies Conference Europe (ISGT-Europe): Proceedings. Institute of Electrical and Electronics Engineers Inc., 2018.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - STRIDE-based Threat Modeling for Cyber-Physical Systems

AU - Khan, Rafiullah

AU - McLaughlin, Kieran

AU - Laverty, David

AU - Sezer, Sakir

PY - 2018/1/18

Y1 - 2018/1/18

N2 - Critical infrastructures and industrial control systems are complex Cyber-Physical Systems (CPS). To ensure reliable operations of such systems, comprehensive threat modeling during system design and validation is of paramount significance. Previous works in literature mostly focus on safety, risks and hazards in CPS but lack effective threat modeling necessary to eliminate cyber vulnerabilities. Further, impact of cyber attacks on physical processes is not fully understood. This paper presents a comprehensive threat modeling framework for CPS using STRIDE, a systematic approach for ensuring system security at the component level. This paper first devises a feasible and effective methodology for applying STRIDE and then demonstrates it against a real synchrophasor-based synchronous islanding testbed in the laboratory. It investigates (i) what threat types could emerge in each system component based on the security properties lacking, and (ii) how a vulnerability in a system component risks the entire system security. The paper identifies that STRIDE is a light-weight and effective threat modeling methodology for CPS that simplifies the task for security analysts to identify vulnerabilities and plan appropriate component level security measures at the system design stage.

AB - Critical infrastructures and industrial control systems are complex Cyber-Physical Systems (CPS). To ensure reliable operations of such systems, comprehensive threat modeling during system design and validation is of paramount significance. Previous works in literature mostly focus on safety, risks and hazards in CPS but lack effective threat modeling necessary to eliminate cyber vulnerabilities. Further, impact of cyber attacks on physical processes is not fully understood. This paper presents a comprehensive threat modeling framework for CPS using STRIDE, a systematic approach for ensuring system security at the component level. This paper first devises a feasible and effective methodology for applying STRIDE and then demonstrates it against a real synchrophasor-based synchronous islanding testbed in the laboratory. It investigates (i) what threat types could emerge in each system component based on the security properties lacking, and (ii) how a vulnerability in a system component risks the entire system security. The paper identifies that STRIDE is a light-weight and effective threat modeling methodology for CPS that simplifies the task for security analysts to identify vulnerabilities and plan appropriate component level security measures at the system design stage.

KW - Smart Grid

KW - Synchrophasor

KW - cyber attacks

KW - Cyber defence

KW - STRIDE

KW - Cyber Security

KW - Threat Modeling

KW - Microgrid

KW - power system

KW - Monitoring

KW - PROTECTION

U2 - 10.1109/ISGTEurope.2017.8260283

DO - 10.1109/ISGTEurope.2017.8260283

M3 - Conference contribution

SN - 978-1-5386-1954-4

BT - 2017 IEEE PES: Innovative Smart Grid Technologies Conference Europe (ISGT-Europe): Proceedings

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - IEEE International Conference on Innovative Smart Grid Technologies

Y2 - 26 September 2017 through 29 September 2017

ER -

STRIDE-based Threat Modeling for Cyber-Physical Systems

Abstract

Conference

Keywords

UN SDGs

Access to Document

Fingerprint

Projects

R1452ECI: Converged Approach towards Resilient Industrial control systems and Cyber Assurance

Activities

Research Institute in Trustworthy Industrial Control Systems (External organisation)

Cite this