FTC 2016 - Future Technologies Conference 2016 6-7 December 2016 | San Francisco, United States

Message Security for Automation and Control Applications based on IEC61131-3

Aydin Homay
SYSTEC - Research Center for Systems, Faculty of Engineering, University of Porto, Porto, 4200-465, Portugal, [email protected]

António Pina Martins
SYSTEC - Research Center for Systems, Faculty of Engineering, University of Porto, Porto, 4200-465, Portugal, [email protected]

Mario de Sousa
INESC TEC - INESC Technology and Science and Faculty of Engineering, University of Porto, Porto, 4200-465, Portugal, [email protected]

Fred Kashefi
Computer Science and Engineering, University of Texas at Arlington, Arlington, TX, 76019-0015, USA, [email protected]

Abstract—Cyber-Physical Systems are integrations of computer-based equipment used in industrial automation, embedded systems, control systems, etc. Computer-based equipment needs to be protected against unauthorized access and control. The widely accepted approach to computer security is based on security in depth, meaning that the computer system is viewed as a layered structure and security is introduced at each of the layers. In this paper, we propose a method of adding security at what is commonly viewed as the lowest level of control, the PLC. The approach is based on hashing the process variables, also called signals. With this approach an attacking virus is not able to interpret the variables being addressed by the control logic, which inhibits targeted attacks by a virus wishing to subtly change the controlled system's operation without actually destroying the controlled plant. The approach is focused on DCS whose operation is based on maintaining all variables in an RTDB that exists in the RTOS and is used by IEC61131-3 based applications.

Keywords—Message; Virus; Cybersecurity; Authentication; Industrial Control Systems

I. INTRODUCTION

The nation's critical infrastructures (CI), such as those found in Supervisory Control and Data Acquisition (SCADA), Distributed Control Systems (DCS) and industrial control systems (ICS) in general, are essential for the day-to-day operation of the economy, security and government. They are exposed by insecure connectivity to traditional networks. Electric power production and distribution, water treatment and supply, gas and oil production and distribution, nuclear plants, transportation systems, and telecommunication systems are excellent examples of CI. Protecting and assuring the availability of CI is vital to the world's economies. CI assets are often privately held and can cross international borders via industrial and non-industrial networks; for example, the August 2003 northeast blackout, which also affected Canada, shows how CI crosses international boundaries [1]. In June 1999, a 16-inch-diameter steel pipeline owned by The Olympic Pipe Line Company ruptured and released about 237,000 gallons of gasoline into a creek that flowed through Whatcom Falls Park in Bellingham, Washington [2]. On October 31, 2001, Vitek Boden was convicted of 26 counts of willfully using a restricted computer to cause damage and 1 count of causing serious environmental harm [3]. In August 2003, a computer virus was blamed for bringing down train signaling systems throughout the eastern U.S. The signaling outage briefly affected the entire CSX system, which covers 23 states east of the Mississippi River [4]. In May 2004, coastguard stations around the UK were severely disrupted after a computer worm brought down IT systems. The Sasser worm hit all 19 coastguard stations and the service's main headquarters, leaving staff reliant on paper maps and pens [5]. In mid-2010, the Stuxnet ICS attack targeted Siemens automation products; after this attack ICS security was thrust into the spotlight and all automation product suppliers started to re-examine their business approach to cyber security, eliminate gaps previously viewed as low risk and improve practice in general [6]. As can be seen from the previous examples, industrial control equipment is susceptible to computer-based attacks. It may therefore be concluded that computer-based equipment used in industrial automation needs to be protected against relevant attacks. The widely accepted approach to computer security is based on security in depth, meaning that the computer system is viewed as a layered structure and security is introduced at each of the layers. With this approach, even if an attacker manages to penetrate the defenses of the outer layer, that attacker does not have automatic access to all devices inside the network, as each device will itself include an additional layer of security protections. In this paper, we propose a simple but strong security control solution, which we will call logic application level security, particularly for SCADA and DCS.

This proposed method is based on message integrity and should not be viewed as the main, nor the only, level of protection that an industrial automation system is expected to have, but it can be a low level security procedure that avoids intelligent attacks such as Stuxnet.

978-1-5090-4171-8/16/$31.00 ©2016 IEEE

II. INDUSTRIAL CONTROL SYSTEMS

The basic operation of an ICS is shown in Figure 1. ICS is a general term for several types of control systems, including SCADA, DCS and other control system configurations such as Programmable Logic Controllers (PLC).

[Figure 1: block diagram with the labels Human-Machine Interface (HMI); Remote Diagnostic and Maintenance; Set points, Control algorithms, Process Data; Controller; Control processor; Manipulated Value; Actuators; Process Inputs; Process Outputs; Disturbance; Controlled Value; Sensors]

Fig. 1. The ICS operation in a general view

The PLC was originally designed for small-scale factory automation, which employed one or more machines with a fair amount of material transferred along the product line. In such an environment the operator visually monitored the product as it moved through the manufacturing line. Such a manufacturing process has been very logic-control oriented, with mostly high-speed requirements. The DCS, in contrast, is designed for large-scale factory automation with one or more pipelined process units. In this type of environment the operator is unable to monitor the whole production line: the material is kept within a vessel which is hidden from the operator's view. Control of such a process requires a large amount of simple or complex analog control (i.e., PID or loop control), although the response time is not that fast (100 ms or greater) [7]. The SCADA system is designed for a large geographical area, which may be composed of one or more factories, networks and industrial systems.

III. DISTRIBUTED CONTROL SYSTEMS

A DCS is a particular type of ICS which is used to control processes in oil, gas and petrochemical factories, nuclear power plants, the smart grid, etc. A DCS contains control loops, an HMI designer, diagnostic tools, data servers, I/O cards, expansions, redundancy, a network and so on. The control loop is the most important part of a DCS; it usually uses one or more advanced PLCs with memory, a processor, a network interface and a Real-Time Operating System (RTOS) or Embedded Operating System (EOS).

[Figure 2: DCS topology with the labels Application Station; Plant LAN; Workstation; Controller 1 ... Controller n]

Fig. 2. Current DCS topology integrating multiple I/O buses such as Fieldbus, DeviceNet, AS-Interface, HART, and conventional I/O into a single system

The advances made in the microprocessor have allowed the technologies to merge. Due to this advancement, the functional differences between the two systems have narrowed down to just a few parameters. In both systems, the control algorithms and logic, known as the logic application, are typically written by an engineer using a development workstation that is distinct from the PLC, and once compiled are downloaded to the PLC where they will run. Control programs are commonly written using one or more of the programming languages defined in the IEC 61131-3 international standard. Recently the IEC 61499 standard has come into the spotlight, but the majority of industrial designs are still based on IEC 61131-3. To obtain security, both the engineering workstation and the PLC itself must be made secure.

IV. STUXNET VIRUS

The term computer virus was coined by Fred Cohen in 1985 [8]. But the new generation of viruses, particularly those designed to attack industrial zones, behaves very differently from the classical definitions. Viruses like Stuxnet, Duqu, and Flame were designed to steal information from industry. They have a clear strategy: they want to stay hidden. Therefore, they need to avoid any physically destructive behavior, at least until the end of their mission. The following scenario is only speculation driven by the technical features of Stuxnet, but it illustrates the above point about the new generation of viruses.

Once Stuxnet had infected a computer within the organization it began to look for the Engineering Workstation (EWS), typically a Windows-based computer used to program PLCs, design new HMIs, and set the configuration of control system devices, networks, I/O channels, etc. Since most of these computers are not networked, Stuxnet would first try to spread to other computers on the LAN through zero-day vulnerabilities, two-year-old vulnerabilities, etc. to get inside the organization. Then the virus tries to reach the targeted computer, such as the EWS, through removable drives. For this, the virus usually reads predefined application signatures, like the STEP 7 projects of the Siemens solution, or can also use the information defined by particular standards like TC6 [26]. When Stuxnet finally found a suitable computer, one that ran STEP 7, it would then modify the code on the PLC by using the network configuration and the other information and metadata related to the control (logic) application. Victims attempting to verify the issue would not see any rogue PLC code, as Stuxnet hides its modifications [9]. To avoid this kind of unauthorized modification the authors propose a solution in Section VIII.

V. RELEVANT SECURITY STANDARDS

Every secured computer system must require all users to be authenticated at login time. After all, if the operating system cannot be sure who the user is, it cannot know which files and other resources the user can access. While authentication may sound like a trivial topic, it is a bit more complicated than you might expect [9].


In the case of PLC-based systems there is no IT security at the logic application (control loop) level of the kind that exists in a regular PC, so the downloaded logic application always runs without any privilege, authentication or security validation process. This means that the execution of each instruction may raise security deficiencies. Even weak unauthorized access, for example retouching the operands of a queued instruction that is waiting for a processing resource, can cause an unpredictable catastrophic event in the control system and industrial plant. There are several standards [10–14] that provide sets of rules and procedures to make control systems more secure, but none of them touches on security at the logic application level. In the 1970s the distributed control system (DCS) was introduced to solve the inflexibility of direct digital control (DDC) systems. The DCS offered many advantages over its predecessors. For starters, the DCS distributed major control functions, such as controllers, easily expandable I/O channels and cards, operator stations, historians, and engineering stations onto different boxes. The key system functions were designed to be redundant. As such, the DCS tended to support redundancy for all single points of failure like data highways, controllers, I/O and networks and, in some cases, redundant fault-tolerant workstations. In such configurations, if any part of the DCS fails, the plant can continue to operate [15]. If a PLC is infected by a virus, the control system moves to a critical single point of failure, which can be recognized by observing an anomaly in the physical elements of the controlled plant or, as we explained in the previous section, can be hidden between signals and control data at the communication or logic application level.

Much of this change has been driven by the ever-increasing performance/price ratio of the associated hardware. The evolution of communication technology and of the supporting components has dramatically altered the fundamental structure of the control system. Communication technology such as Ethernet and TCP/UDP/IP combined with standards such as OPC has allowed third-party applications to be integrated into the control system. Also, the general acceptance of object-oriented design, software component design, and supporting tools for implementation has facilitated the development of better user interfaces and the implementation of reusable software. Major DCS suppliers introduced a new generation of process control systems based on these developments. Security standards generally specify what has to be done or achieved but not how to go about doing it. In this section, a very brief overview of the most important industrial control security standards is provided. One aspect common to all of these standards is that they assume PLCs are low-level components [10-14], so they either put PLCs outside the scope of the security standard or, if they do have a procedure, it is only at the operating system level and not at the application (control logic) level, which leaves PLCs more exposed. ISO/IEC 27001:2005 and ISO/IEC 27002:2005 address all industries. IEC 62351:2007 addresses data and communications security and uses information security for power system control operations.

IEC 62210:2003 addresses power system control and associated communications, data and communication security for electrical distribution. This standard applies to computerized supervision, control, metering, and protection systems in electrical utilities. It deals with security aspects related to communication protocols used within and between such systems and to access to and use of the systems. IEC TC 65 WG 10, IEC/PAS 62443-3-1:2008, addresses electrical distribution/transportation (ISA99). Note: there is an agreement between ISA and IEC by which ANSI/ISA99 standards will form the base documents for the IEC 62443 series. The U.S. Information Technology Laboratory published "Guide to Industrial Control Systems (ICS) Security: Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC)" in 2011 [16]. But even inside this document there is no procedure for PLC code (logic application) level security.

VI. THE IEC61131 STANDARD

The IEC 61131 standard standardizes the behavior of PLC systems. It is built out of several parts, which cover both the PLC hardware and the programming system. More specifically, part 3 of this standard (more commonly known as IEC61131-3) defines the common concepts used in PLC programming as well as additional new programming methods. IEC 61131-3 sees itself as a guideline for PLC programming, not as a rigid set of rules. The IEC 61131-3 standard focuses on the PLC programming languages, and on how these programs should be interpreted and executed. It introduced 5 languages, which can be categorized into 2 groups: text-based languages (IL - Instruction List, and ST - Structured Text) and graphical languages (LD - Ladder Diagram, FBD - Function Block Diagram, and SFC - Sequential Function Chart). Moreover, it is possible to use the C language as a hosted function block inside ST or FBD, which we call a C function or C code; as we will see in the solution part of this paper, we use it to implement an authentication protocol inside the IEC 61131-3 languages [17]. An important note is that more than 90% of the control logic developed around the world is based on this family of languages, which is why it is brought into the spotlight.

VII. MESSAGE AUTHENTICATION

Maintaining and assuring the accuracy and consistency of a message or data over its entire life-cycle is called message/data integrity [18]. The focus of this paper is logical integrity, not physical integrity. More precisely, the main focus is on data security: if unintended changes are the result of unauthorized access, that is also a failure of data security. A message authentication code (MAC) is a way to detect unintended changes to a message. The MAC is based on hashing. The sender of a message runs it through a MAC algorithm to produce a MAC data tag, which is basically a hashed value of the message generated using a hash algorithm and a key. The message and the MAC tag are then sent to the receiver. The receiver, in turn, runs the message portion of the transmission through the same MAC algorithm using the same key, producing a second MAC data tag. The receiver then compares the first MAC tag, which it received in the transmission, to the second, generated MAC tag. If they are equal, the receiver can safely assume that the message has not been changed during transmission [19].

Fig. 3. The message authentication code operation

VIII. LOGIC APPLICATION LEVEL SECURITY

This paper proposes the use of a mechanism the authors named the Instruction Authenticator (IA), a control application (control logic) level security solution based on cryptographic and hashing algorithms. The IA can authorize each instruction's input/output based on a MAC and simple hashing algorithms. The choice of hash algorithm to use in the IA depends heavily on the control system's timing requirements (hard or soft real-time). A good hash function needs a well-implemented algorithm to achieve good performance. Ideally, the hash function should have a worst-case access cost of order O(n) and an average cost of order O(1) [20] (except from the point of view of space). See Figure 4 and Figure 5. The basic requirement of a hash algorithm is that the function should provide a uniform distribution of hash values. A non-uniform distribution increases the number of collisions and the cost of resolving them, which could be dangerous for complex control systems with a very large number of variables in the RTDB [21]. Uniformity is sometimes difficult to ensure by design, but may be evaluated empirically using statistical tests [22, 23], which are not our target in this paper. The implementation of the IA requires some technical support and changes in the modeled industrial plant. These changes include the control system's database, HMIs (like the faceplates and process displays), logic applications based on IEC61131-3, the network and I/O channel configuration, and the redundancies. Subsequently, on the PLC application side, the Real-Time Database (RTDB) connection string, third-party data provider settings, threads, and sockets also need to respect some new policies and procedures that we discuss later. The signal sets are represented as an RTDB scheme inside the PLC's operating system, as presented in Table I.

As shown in this table, all values should be signed by the 'RTDB Thread', because this is the only module which has authorized access to the RTDB (see Figure 5). The Confidential column is introduced to limit the IA solution's overhead by enforcing message security only on the necessary signals; finally, the first and the last columns are respectively the identifier of a signal and the hashed value of that identifier, which relates the two. The downloaded RTDB must be protected by allocating it an isolated location in physical memory. Note that in the IA solution each thread in the RTOS/EOS can be Alice (message sender) or Bob (message receiver). Thus, all communications between Alice and Bob are encrypted by a shared key. See Figure 5.

TABLE I. RTDB SCHEME
List of all signals in the RTDB

Ri   | Signed Value (x) | Confidential | Hashed (Ri)
1245 | MAC(k,x1)        | False        | E873 3457893…
1246 | MAC(k,x2)        | True         | DF873 E87894…
1247 | MAC(k,x3)        | True         | VE3E8987392…
1248 | MAC(k,x4)        | True         | E83EE387391…
1249 | MAC(k,x5)        | True         | DF87 E873997…

A. Plant Model Implementation

The EWS is usually not connected to the internet and has IT security. Such a system always has a logic editor environment like the STEP7 module from the Siemens solution. This is used by a process engineer to design a control logic application, mostly using the ST and FBD languages (like the small application presented in Figure 3) or SFC. Figure 4 shows a small logic application that uses the FBD language at design time and the ST language at build time, to perform a readiness check of the control loop before starting the pump that we are going to use in our real example as the water outlet. A logic application can be a User Defined Function (UDF), a Program Organization Unit (POU) or any other type introduced in IEC61131-3. Figure 4 also shows that the threads use a shared key. This key is generated by a key generator. The key generator generates a key only at startup time, and after each cold or warm restart the key has to be regenerated. This key is used in the MAC as a signature for the hashed values which are transferred via a socket or pipeline.

Fig. 4. Unprotected logic is actually in the Engineering Workstation, before compile and download time. As shown in the lower part, the used variables get hashed after build time and before download.

$$\forall s_i \in S,\ S = \{s_1, s_2, \dots, s_n\}\ \wedge\ \exists!\, r_i \in R : r_i \leftrightarrow s_i \qquad (1)$$

Fig. 5. The picture shows the operating system of an advanced PLC used in a DCS, which has a Real-Time Database, an I/O thread pooler, a key generator and distributor module, and an RTDB database provider implemented in the RTDB thread in an isolated memory section. It also shows the logic interpreter, implemented in a multithreaded way.

There is no plain text inside the isolated memory area of the RTOS/EOS that refers to the signals, except the identifying attribute 'r', which is always a unique and constant value and remains the same even when the name of the signal is changed. We assume that between the logic interpreter module and the RTDB there is a secure connection string, provided by a third party, for which several relatively secure solutions exist. The only thread which knows how to obtain a connection string to the RTDB is the 'RTDB Thread'; other threads, including the logic interpreter threads, need to send a read/write request to this thread carrying the signal's hashed value and signed by the sender. This idea is derived from Service Oriented Architecture (SOA), in which application components provide services to other components via a communications protocol, typically over a network [25].

B. Mathematical Implementation

In the equations introduced by [24], the complexity and overhead of a solution based on hashing and cryptography were not addressed very well. In this paper, we address this lack of modeling by introducing some constraints on the complexity of the IA overhead. Equation (1) (relational algebra) describes a database of variables (or signals) with an identifying attribute that we call 'r', which introduces a relationship between a signal and a logic application variable, particularly those variables that are used to store data from the I/O cards. Equation (2) is the hashing algorithm; to make the presentation easy to understand, we use MD5. The value h_i is the hashed version of r_i and is also used as the index for signal s_i; in this way we can access the signal sets with O(1) complexity. Equation (3) shows a read request for the signal s_i, related to r_i, with hashed value h_i, and the same scenario for a write request is shown in Equation (4). Equation (5) is a mathematical model explaining the functionality of the key generator and distributor thread. Equation (6) shows how threads should sign the messages in the isolated memory section, and Equation (7) presents the logic interpreter.



$$R = \{r_1, r_2, \dots, r_n\}\ \wedge\ \forall r_i \in R:\ h_i = \mathrm{MD5}(r_i),\ h_i \in H \subseteq \{0,1\}^{128} \qquad (2)$$

$$\mathrm{R}\big(H(r_i), r_i\big) \rightarrow x \qquad (3)$$

$$\mathrm{W}\big(h_i, H(x), x\big) \qquad (4)$$

$$\forall i \in \{1, \dots, n\}:\ \mathrm{KG}(Id_{thread_i}) \rightarrow key_{thread_i} \qquad (5)$$

$$\forall thread \in \{0, \dots, n-1\}:\ \mathrm{MAC}\big(k, H(r_i)\big) \qquad (6)$$

$$\forall i \in \{0, \dots, instructions-1\}:\ T_{RTDB}\big(\mathrm{MAC}(k, ip_i)\big) \rightarrow x_{h_i}(ip_i) \qquad (7)$$

Applying hashing over all signals and variables would certainly affect the execution time, while most control systems are hard or soft real-time; thus, to avoid this overhead, we apply the hash function only to signals whose Confidential flag is true.

IX. A SIMPLE REAL EXAMPLE

For an example of the use of the IA approach, we assume a logic application developed using the FBD language to control the level of a tank, shown in Figure 5, and we define a signals list in Table I to use in our control system.

TABLE II. SIGNALS TABLE
List of all signals in the example

Si | Ri   | Caption/Label (a) | Confidential | Hashed Value (Hi)
S1 | 1245 | INLT_2020_VV      | False        | E873 3457893…
S2 | 1246 | PMP_2020_OFF      | True         | DF873 E87894…
S3 | 1247 | PMP_2020_OV       | True         | VE3E8987392…
S4 | 1248 | PMP_2020_RD       | True         | E83EE387391…
S5 | 1249 | TK_2020_LEVEL     | True         | DF87 E873997…

(a) A caption or label is the name of a signal, which is meaningful only to the process engineer.

To control the incoming and outgoing flow we define s1 – s4 as Boolean types and s5 as an integer type to store the current level of the tank. There is a butterfly valve for the water inlet and a pump for the water outlet. The pump has three signals (s2-s4) which are used respectively to check its current status, maintenance status and ready-to-work status. The signals are labeled in such a way as to present their functionality. We then used a Program Organization Unit (POU) to implement the control scenario, that is, keeping the level of the tank always under 5 m. Thus, the controller should send the close command to the water inlet's valve and subsequently turn on the pump to remove the overflow water until the signal s5 is back under the set-point, which is 5 meters. We also assumed that a virus like Stuxnet has passed all the IT security and related procedures described in the ICS security standards above, has access to the engineering workstation and can read the plant process model. By having an isolated memory space for the engineering software on the engineering workstation's operating system and implementing a built-in version of our presented solution, we can provide all critical data like the RTDB, the signals database, etc. in a protected way using encryption or hashing. Thus, even with unauthorized access to those data, the attacker will not be able to obtain a clear understanding and also needs to overcome the effort imposed by the IA processes.

Fig. 6. Water tank with a water inlet valve and a water outlet pump, using a simple PLC to control the level below the maximum (set-point)

Since there is no connection from the ICS's network to the internet or intranet, we assume the PLCs can only be infected by a virus via a physical connection like the engineering workstation, which is connected to the DCS's network and is the main logic application downloader. But what do we want to protect? To answer this question, we need to understand what the action or mission of our targeted virus is. Stuxnet tried to obtain R/W permission on the control signals, which we call in this paper unauthorized access. We know each signal is a variable at the PLC level and an I/O at the hardware level, connected to an actuator or sensor in the plant via I/O cards and wiring. We also assume that there is an FPGA on the board of each I/O card that allows the same hashing function to run in the physical card's firmware. With the above assumptions we are trying to prevent unauthorized access to the control system by hiding all communication data between related modules such as PLCs and I/O cards; we also need to hide the related communications inside the RTOS between different threads (Figure 3). But we know that by protecting all communications we would put an extremely large overhead on the control system; thus, to avoid this problem, we only hide those signals which are so important, and also at the communication level we protect only the identifying attribute ri. However, selecting the hashing algorithm depends on several parameters related to the control system. By hiding each signal, a virus like Stuxnet cannot identify the signal tags or labels, so the command it sends will be a fuzzy value: it will not be able to make a purposeful change to the values and will not be able to gain a good understanding of our control logic or control plant. The virus can still change values randomly, but this kind of attack certainly has physical effects which are easily recognized by people, and there is no guarantee that such a change can raise any catastrophic problem, so investing a lot of money and resources to lead such a cyber-attack is not sensible or economic.
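The IA scheme of Sections VII, VIII and IX, as an added illustration that is not the authors' implementation: the Table II signals are indexed in the RTDB only by MD5(r_i) as in Equation (2), each thread receives its own key from the key generator at start-up as in Equation (5), read and write requests carry a MAC that only the RTDB thread verifies as in Equations (3) and (4), and the tank-level POU drives the inlet valve and pump through those requests. HMAC-SHA256 as the MAC, the request framing, the thread names, the initial signal values and placing the key generator inside the RTDB thread are assumptions; the last function also shows that a write under a key other than the one issued to that thread is refused, while a signal whose Confidential flag is False is written without any check, the trade-off the paper accepts for overhead.

```python
"""Instruction Authenticator (IA) illustration: RTDB indexed by MD5(r_i), per-thread keys,
MAC-signed read/write requests verified only by the RTDB thread, and the Section IX tank POU.
Not the authors' code; HMAC-SHA256, request framing, thread names and KG placement are assumed."""
import hashlib
import hmac
import os

# Table II signals, constructed from the paper's example: (r_i, label, confidential)
SIGNALS = [
    (1245, "INLT_2020_VV", False),  # inlet valve command (True = open)
    (1246, "PMP_2020_OFF", True),   # pump status (True = off)
    (1247, "PMP_2020_OV", True),    # pump under maintenance
    (1248, "PMP_2020_RD", True),    # pump ready to work
    (1249, "TK_2020_LEVEL", True),  # tank level in metres
]
LEVEL_SETPOINT_M = 5  # Section IX: keep the tank level under 5 m

def hash_identifier(r: int) -> str:
    """Equation (2): h_i = MD5(r_i); only this hash indexes the RTDB, never the label."""
    return hashlib.md5(str(r).encode()).hexdigest()

def mac_tag(key: bytes, *parts) -> str:
    """MAC(k, message) over the request fields; the '|' framing is an assumed layout."""
    return hmac.new(key, "|".join(map(str, parts)).encode(), hashlib.sha256).hexdigest()

class RTDBThread:
    """The only module with access to the RTDB; hosts the key generator and checks every MAC."""
    def __init__(self) -> None:
        self._keys = {}  # Equation (5): KG(Id_thread_i) -> key_thread_i, fresh at each start-up
        self._values = {hash_identifier(r): False for r, _, _ in SIGNALS}
        self._confidential = {hash_identifier(r): c for r, _, c in SIGNALS}

    def issue_key(self, thread_id: str) -> bytes:
        return self._keys.setdefault(thread_id, os.urandom(32))

    def _verify(self, thread_id: str, tag: str, *parts) -> None:
        if not hmac.compare_digest(tag, mac_tag(self._keys.get(thread_id, b""), *parts)):
            raise PermissionError("request MAC mismatch")

    def read(self, thread_id: str, h: str, tag: str):
        """Equation (3): signed read request, answered with the signal value x."""
        if self._confidential[h]:
            self._verify(thread_id, tag, "R", h)
        return self._values[h]

    def write(self, thread_id: str, h: str, tag: str, x) -> None:
        """Equation (4): W(h_i, MAC(k, x), x); checked only when the signal is confidential."""
        if self._confidential[h]:
            self._verify(thread_id, tag, "W", h, x)
        self._values[h] = x

class SignalClient:
    """A logic-interpreter or I/O thread: owns one key, addresses signals by hash only."""
    def __init__(self, thread_id: str, rtdb: RTDBThread) -> None:
        self.id, self.rtdb = thread_id, rtdb
        self.key = rtdb.issue_key(thread_id)  # distributed once at start-up
        self.h = {label: hash_identifier(r) for r, label, _ in SIGNALS}  # hashed at build time

    def get(self, label: str):
        h = self.h[label]
        return self.rtdb.read(self.id, h, mac_tag(self.key, "R", h))

    def put(self, label: str, x) -> None:
        h = self.h[label]
        self.rtdb.write(self.id, h, mac_tag(self.key, "W", h, x), x)

def level_control_scan(plc: SignalClient) -> tuple:
    """One POU scan: above the set-point close the inlet valve and run the pump."""
    overflow = plc.get("TK_2020_LEVEL") >= LEVEL_SETPOINT_M
    pump_can_run = plc.get("PMP_2020_RD") and not plc.get("PMP_2020_OV")
    inlet_open, pump_off = not overflow, not (overflow and pump_can_run)
    plc.put("INLT_2020_VV", inlet_open)
    plc.put("PMP_2020_OFF", pump_off)
    return inlet_open, pump_off

def simulate(levels: list) -> list:
    """Run the POU once per tank level written by the I/O thread; list of (inlet_open, pump_off)."""
    rtdb = RTDBThread()
    io_thread = SignalClient("io-thread-pooler", rtdb)
    plc = SignalClient("logic-interpreter-0", rtdb)
    io_thread.put("PMP_2020_RD", True)
    io_thread.put("PMP_2020_OV", False)
    states = []
    for level in levels:
        io_thread.put("TK_2020_LEVEL", level)
        states.append(level_control_scan(plc))
    return states

def tamper_checks() -> tuple:
    """(rejected, unchecked): a write under a key other than the thread's own is refused and the
    value stays; a signal with Confidential=False is written with no check (the paper's trade-off)."""
    rtdb = RTDBThread()
    plc = SignalClient("logic-interpreter-0", rtdb)
    plc.put("TK_2020_LEVEL", 2)
    h_level, h_inlet = hash_identifier(1249), hash_identifier(1245)
    try:
        rtdb.write(plc.id, h_level, mac_tag(os.urandom(32), "W", h_level, 9), 9)
        rejected = False
    except PermissionError:
        rejected = plc.get("TK_2020_LEVEL") == 2
    rtdb.write("anyone", h_inlet, "", True)  # no key, no valid MAC, still accepted
    return rejected, rtdb.read("anyone", h_inlet, "") is True
```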

X. CONCLUSION

For industrial manufacturers with a complex process industries, selecting the best automation technology is not as easy as it once was. Might be a diced ago was fairly easy to determine whether a PLC or a DCS was right for your application, because their strengths and weaknesses were well understood. But in recent years the advancement of the microprocessor, which has allowed the technologies to merge made this decision more difficult. Nowadays, manufacturers typically require a process control system that can deliver both PLC and DCS capabilities. Computer-based equipment used in industrial automation needs to be protected against unauthorized access and control. The widely accepted approach to computer security is based on security in depth, meaning that the computer system is viewed as a layered structure and security is introduced at each of the layers. In this paper, we proposed a method of adding security at what is commonly viewed as the lowest level of control – the Programmable Logic Controller (PLC). The approach is called IA and it works based on encrypting the process variable identifiers so an attacking virus is not able to interpret the variables being addressed by the control logic, and therefore inhibiting targeted attacks by a virus wishing to subtly change the controlled system operation without actually destroying the controlled plant. Then we used a really simple example to show how IA works and to use this method what we need to implement. We also introduced a mathematical model of IA that makes our method easy understandable. ACKNOWLEDGMENT This work is financed by the ERDF – European Regional Development Fund through the Operational Programme for Competitiveness and Internationalization – COMPETE 2020 Programme within project POCI-01-0145-FEDER-006961, and by National Funds through the FCT- Fundação para a Ciência e a Tecnologia (Portuguese Foundation for Science and Technology) as part of project UID/EEA/50014/2013 and PD/BD/114097/2015. [1]

6|Page 978-1-5090-4171-8/16/$31.00 ©2016 IEEE

