Published by the joint 11th ASQF/FOKUS WS on Testing and Validation @ 10.10.2017, FhG-FOKUS
Trustworthiness Testing with Models of Complex Hybrid Systems
Jan de Meer
smartspacelab.eu GmbH Berlin; DIN NIA 043 member; ETSI-ISO/IEC JTC1 Security Liaison Officer
Abstract. Complex Hybrid Systems are considered to be a joint system model comprising a physical system architecture and behavior and an ICT-based data computation and communication system. Whereas the physical system model specifies dependencies among domains, devices, components etc. that are compiled into a specific Reference Architecture Model, the computation and communication model represents, so to say, the state changes of dynamically changing system configurations. In the joint model of Complex Hybrid Systems a certain system configuration is semantically represented by a graph that can be manipulated according to the inherited formal semantics of graphs. Executable semantic models allow forecast simulations of expected or unexpected system behavior, especially in the fields of system security and safety analysis. By reasoning about system behavior on the graph manipulation level, system complexity is translated into formal graph theory. With respect to testing, the graph-theoretical model is the decision-taking instance for analyzing test results and for deriving follow-up test cases in a cyclic and real-time manner. Formally speaking there are two levels of semantics: the first comprises the anticipated executable graph-theoretical semantics, based upon publicly available sophisticated tools; the second is of a technical nature, i.e. the specification in a technical language like UML with its GUI, AutomationML for I4.0 applications, XML for data representations etc., for which editors and repository tools are widely used. The aim of this contribution is to demonstrate the correspondence between the two levels of semantics, i.e. one for reasoning and the other for specification purposes. The latter is also called the technical level of semantics because it is based on technical tools for editing and repository management as mentioned above. Reasoning and specification correspond to each other by a homomorphism. It is argued that the rules of translation between the two levels of semantics shall be a matter of appropriate standards.
Keywords: Model-based Testing, Complex Hybrid Systems, Abstract Event Data Types, Graph Theory, Reference Architecture Model Testing, Critical Infrastructures, Internet-of-Things, Smart City, Smart Grid, Industry4.0, Standards, Semantics, Tools.
1 Introduction into Complex Hybrid Systems
Cyber Physical Systems (CPS) is a widely used and nice notion that expresses much the same as what we want to describe as a Complex Hybrid System (CHS). We prefer the latter notion because it is the combination of hybrid technologies, sometimes more than two (e.g. ICT, electricity, plants and buildings), that makes the difference and thus makes a system complex in structure, behavior and understanding. On the other hand, there is no clear definition in the realm of standards of what a 'cyber system' is. The meaning of a physical system is obviously clearer: we can imagine it as the 'physical' infrastructures of our living environments such as cities, homes, factories, working places, governments, plants, enterprises, traffic, energy, water, devices etc. However, in order to transfer those real things into the cyber world they do not become virtual (i.e. cyber?) but are possibly embedded into an ICT infrastructure, which definitely makes sense. So with respect to testing a CPS, respectively a CHS, we need to handle the complexity and heterogeneity of the various divergent technologies incorporated. The CHS is modeled by a multi-model, usually comprising a Reference Architecture Model (RAM) and a technical specification based on editing and repository tools (e.g. UML). There is more than a single RAM, i.e. for each infrastructure there is a RAM: so far we have one for Smart Grid, Smart City, Internet of Things and I4.0 systems, and more will come. In this paper, however, we want to add a semantic model and tools in order to reduce complexity. Notice that complexity is inherent to the RAM and the technical specification. Consequently we need an additional semantic level on which we can reason about behavior or test results. This approach is called a two-level semantics model. Because of its inherent complexity, a CHS cannot be exhaustively evaluated by testing. So more or less 'unknown' systems will be deployed, will permanently evolve and will be used by Cyber (sic) Citizens.
Since testing remains incomplete, we need to evaluate a new correctness notion that we call trustworthiness and that shall give Cyber Citizens a kind of trust in technology. It is achieved by continuously evaluating the evolving system in the short term, by subscribing to various sensor abstract data types, or by compiling so-called Information Security Indicators (ISI) [4, 5, 6]. The latter is, so to say, the medium-term evaluation that may show deviations from 'normal' behavior over time. This combined testing and evaluating activity is executed at the semantic level of the joint multi-model and is explained in the following sections, comprising:
1. testing complexity of CHS
2. testing trustworthiness of PoT
3. testing architectural models of RAM
4. testing communication model of SIEM
In the concluding section a prospect is given of the joint model of 2 levels of semantics. Whereas the first level of semantics is implemented by graph and set theory, the second level of semantics is implemented by the UML2 specification language. The glue between both levels of semantics must be achieved by a standard that prescribes the translation of semantic elements from the first level to the descriptive elements on the second level of semantics. A possible standard for the mapping prescription has been started by the ETSI Industrial Specification Group on Information Security Indicators and can be expected in spring 2018.
2 Testing Complex Hybrid Systems
The combination of technologies of computation, information and data capturing with technologies of physical infrastructures of a city, plant, factory, home, hospital, data center etc. is what we call a Complex Hybrid System (CHS); that is, the pervasion of any physical infrastructure by digital information, communication and data acquisition technologies. In the realm of digitalization this kind of digital pervasion can be observed, for example, in energy generation and distribution systems, i.e. so-called Smart Grids, but especially in Industrial Automation and Control Systems (IACS) [2, 3], which are being digitally redesigned and deployed to industrial factories and plants, as well as in Smart Cities, Smart Devices (Things) and Smart Services in the fields of cloud computing, health care, logistics of containers, vessels, vehicles, airplanes etc. Analysis and testing of CHS is confronted with complex system management and hybrid architecture and behavior, which raise the complexity of system analysis to a new magnitude. Consequently CHS are more vulnerable to failures but also to attacks from inside and outside of the system or infrastructure. From a system management point of view, how can we handle the daily and ubiquitous increase of complexity of CHS, not only with respect to functionality from the provider's point of view but also from the point of view of a user who believes in technology? Trustworthiness (as defined in fig. 1) demands answers to the question of how I can live trustfully as a Cyber Citizen in my Smart City or Smart Home, using Smart Grids or Smart Services interfacing with ambient intelligence technologies, or working in Smart Factories by means of critical infrastructures like the Internet of Things etc.
3 Testing Trustworthiness
Fig. 1. The Pentagon of Trustworthiness Model [1].
The Pentagon of Trust (PoT) in figure 1 [1] shows 5 features that a trusted CHS shall obey. The above-mentioned formal graph-theoretical model [5, 6] defines its semantics by vertices and edges (for completeness it shall be said that there must also be a graph constructor, which is not applied here). When the PoT constraints are translated into graphs, one vertex comprises use cases selected from the 5 sets of Trustworthiness Indicators: 1) trustworthiness in organizations, applicability of systems, products and services; 2) safety and reliability of system functions; 3) information confidentiality; 4) usability of the final product, service or system; 5) sustainability with respect to regulation, laws and standards. An edge of the PoT graph represents 'security-by-design' engineering relations like 'includes', 'extends', 'refines', 'depends' etc., which results in a static architectural graph. As we have learned from these considerations, a test suite can also be represented by a graph, with edges denoting the tested behavior. Provided the tested IAC System and the semantic model run in parallel and are both connected to the 'ADT Lake', they may subscribe to critical testing data types and feed them into the semantic graph model running in parallel to the IACS in the graph manipulation tool. Hence the combination of the ADT Lake with the graph manipulation tool allows for real-time visualization and simulation.
4 Testing RAMs
We now want to demonstrate two different types of basic reference models: a) the Industrial Reference Architecture Model (RAM I4.0) of the physical system; b) the Security & Safety Information Event Management Model (SIEM) of the ICT-based computation and communication system. Both are integrated into a Complex Hybrid System (CHS); the system is called hybrid because of its physical and computational nature in parallel, and it is called complex because it is infeasible to keep control of, or to test, each single state of the CHS. The latter problem of uncertainty is solved by introducing the notion of resiliency of the semantic model based on graphs. A vertex of a graph is an abstraction of system states that can be handled in a similar way. An edge of a graph symbolizes a set of system indicators that change the system state into another one, which is a formal graph manipulation. In the program of work of the standardization bodies there currently exist three so-called Reference Architecture Models (RAMs): RAMI4.0 for Industry4.0, SCIAM for Smart City, SGAM for Smart Grid. The RAMs usually obey three system dimensions (syntactically the 3 dimensions are written as a of an Abstract Data Type (ADT), i.e. : 1. RAMI4.0: ; 2. SCIAM: ; 3. SGAM: ;
Although there are strong similarities between the dimensions of the various RAMs, they are not the same. In general the first dimension can be said to be the interoperability (system layers) dimension; the second dimension deals with the addressed application domain (except for RAMI4.0, where it is the production life cycle dimension), which in a wider sense is the application of production systems; and the third dimension handles the system's organizational structure, i.e. zones. How can structural RAM information be used for testing or validation? Tests must demonstrate the required capabilities of the modeled RAM dimensions:
1. By the concept of interoperability (CoI), tests on all defined layers of RAMI4.0, SCIAM, SGAM etc. are to be executed, which is well understood and the normal case of testing. Security testing of layers may basically deal with the so-called C-I-A criteria, i.e. interoperability testing obeying communication confidentiality, data integrity and peer-to-peer user authenticity.
2. The second domain is less obvious, since it addresses various organizational concepts to be tested, such as the process of an 'Industrial Production Life Cycle', but also physical concepts specifying smart cities or smart grids. Hence deep knowledge is required about the concept of organizational and physical structures (CoS) dealing with the configuration and functioning of industrial production plants (i.e. I4.0), of various city infrastructures (i.e. supply/water/waste, transportation, health care, civil security, energy, buildings, industries), or of energy grid infrastructures (i.e. energy generation, transmission, distribution, distributed energy resources, customer premises). Thus RAM testing obeys mainly physical criteria or measurable safety and security criteria about the tested physical components and systems, e.g. indicators (sensors) placed at Distributed Energy Resources (DER) to measure the state of energy transmission, e.g. a smart meter.
3. The third RAM domain comes along with the concept of zones (CoZ). Zones are necessary to keep control of security and, of course, of safety. Industrial production plant zones structure the 'connected world' of a global zone into many local (plant) zones such as enterprises, work centers, stations, control devices, field devices and products; the zones of smart cities and smart grids are identical, i.e. both structure their global market zone into zones of enterprise and people, operation control, stations, fields and processes.
The forthcoming digital era of CHS, i.e. Industry4.0, Smart Cities, Smart Grids, Internet of Things, poses very sophisticated challenges to the operation, evaluation and testing of safety and security, which is a combination of physical operation constraints and rules with those of the information computational system. Thus in the realm of testing, real-time constraints on the behavior of physical devices in system domains and zones must be combined with e.g. big data computational constraints. Information computations consume computational resources such as time delays, transmission bandwidth, computation memories and CPU capacity etc. Furthermore, computational devices and networks are interfaces for breaching. All of which will impact the major asset of a CHS, i.e. the Real Time Control (RTC) of the physical devices and networks. In order to become capable of testing, we need a series of new appropriate standards! For I4.0 system evaluation there is already a standard on Security for Industrial Automation and Control Systems (IACS), i.e. IEC 62443 part 3-3 [2] and part 4-2 [3]; all other areas, e.g. Smart Grid, Smart City, IoT etc., suffer from the absence of appropriate standards and guidelines for their design, evaluation and testing.
5 Testing SIEM
Whereas the RAMs show us the more static CHS structure, comprising architectural elements like layers, components and zones and organizational elements like production hierarchies or life cycles (see section 3), the SIEM Model introduces the more dynamic industrial production real-time control life cycle as given in figure 2. The SIEM Model comprises the CHS's underlying interaction and communication model operating on as the basic Abstract Data Type (ADT). All communicating components of a RAM are interconnected by the publish-subscribe communication paradigm/platform (PSCP). The PSCP is also called 'Data Lake' because it comprises a large amount of raw and categorized data. Raw data is issued by sensors or metering devices, and categorized data is compiled from raw data with additional categorization metadata. Categorized data is represented by so-called 'Information Security Indicators (ISI)' and is also added as a compiled to the data lake. For example, data sources such as sensors and meters (link 'H' in figure 2) publish their measurements as an to the PSCP by creating a typed event containing fresh data, which is managed in real time by SIEM; all other components ('I', 'II', 'III' in figure 2) that require information from any source, like the decision-making one or an observer performing testing tasks on some physical component or process, simply subscribe to the respective event type of the PSCP. If a concrete measurement value exists that fits the subscribed type, SIEM will immediately notify the subscriber.
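As an added example, which is not code from the paper or from the ETSI work it cites, the following Python sketch models the PSCP just described: a constructed smart meter publishes typed raw events into the lake, an ISI compiler subscribes to them and publishes categorized indicator events, and the SOC is notified immediately when an indicator of its subscribed type arrives. The event field layout, the event-type strings, the normal voltage range and the readings are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


@dataclass(frozen=True)
class Event:
    """One typed event in the ADT Lake (hypothetical field layout)."""
    event_type: str   # e.g. "raw.voltage" (sensor data) or "isi.voltage_deviation" (ISI)
    source: str       # publishing component, e.g. a meter on feedback link 'H'
    value: Any        # fresh measurement, or a dict of categorized ISI values
    t: int            # logical timestamp / sequence number


class PSCP:
    """Publish-subscribe platform: every published event is kept in the data
    lake, and the subscribers of its event type are notified immediately."""

    def __init__(self) -> None:
        self.lake: List[Event] = []
        self._subs: Dict[str, List[Callable[[Event], None]]] = defaultdict(list)

    def subscribe(self, event_type: str, callback: Callable[[Event], None]) -> None:
        self._subs[event_type].append(callback)

    def publish(self, event: Event) -> None:
        self.lake.append(event)
        # iterate over a copy so a callback may publish (e.g. an ISI event) meanwhile
        for callback in list(self._subs.get(event.event_type, [])):
            callback(event)


class ISICompiler:
    """Compiles categorized ISI events from raw readings: after every `window`
    raw events it publishes the share of readings outside the normal range [lo, hi]."""

    def __init__(self, pscp: PSCP, raw_type: str, isi_type: str,
                 lo: float, hi: float, window: int) -> None:
        self.pscp, self.isi_type = pscp, isi_type
        self.lo, self.hi, self.window = lo, hi, window
        self._buf: List[float] = []
        pscp.subscribe(raw_type, self.on_raw)   # the compiler is itself a subscriber

    def on_raw(self, event: Event) -> None:
        self._buf.append(float(event.value))
        if len(self._buf) < self.window:
            return
        out_of_range = sum(1 for v in self._buf if not self.lo <= v <= self.hi)
        self._buf.clear()
        indicator = {"deviation_ratio": out_of_range / self.window, "window_end": event.t}
        self.pscp.publish(Event(self.isi_type, "isi-compiler", indicator, event.t))


def run_scenario(threshold: float = 0.25):
    """Constructed scenario: a smart meter publishes voltage readings, the ISI
    compiler categorizes them, and the SOC (component II) is notified only of
    ISI events whose deviation ratio exceeds `threshold`."""
    pscp = PSCP()
    soc_alerts: List[Event] = []

    def soc_on_isi(event: Event) -> None:
        if event.value["deviation_ratio"] > threshold:
            soc_alerts.append(event)

    pscp.subscribe("isi.voltage_deviation", soc_on_isi)
    ISICompiler(pscp, "raw.voltage", "isi.voltage_deviation", lo=225.0, hi=235.0, window=4)
    readings = [230.1, 229.8, 236.2, 238.0, 230.0, 231.1, 229.5, 230.3]  # constructed values
    for t, volts in enumerate(readings):
        pscp.publish(Event("raw.voltage", "meter-DER-01", volts, t))
    return pscp, soc_alerts
```

With the constructed readings, the first window of four contains two out-of-range values and produces an ISI event that reaches the SOC, while the second window is entirely normal and is kept in the lake without an alert.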
Fig. 2. Basic IACS Model.
The basic IACS model of figure 2, which also uses the publish-subscribe communication paradigm of the ADT Lake, i.e. SIEM, shows the three canonical components of an Industrial Automation and Control System (IACS): the Automated and Controlled Plant (III), a Security Operation Control (SOC) Station (II) and a Human or Machine Actor (I). Communication to and from a CHS also changes its state. Hence, in the model of the 1st level of semantics, a state change is modeled as a relation between vertices and edges of a graph. A new edge is added if a state change has occurred, thus transforming the system into a new configuration. In figure 2 this kind of dynamics is represented by the technical feedback loop 'H' that maps the measurements taken at the IACS plant (III) and feeds them back to the SOC (II). The state change in the technical system of figure 2 occurs by the advice taken at the SOC and executed by the actor (II) that controls the energy/asset flow into the IACS plant. The graph semantics models dynamics, i.e. state changes, by manipulating the graph according to manipulation rules. Similarly, state changes of an IACS depend on measured input variables and the current state. Thus many options exist to take decisions in the current state. With the Graph Manipulation Tool the anticipated state changes can be simulated and visualized in the GUI. Graph simulations allow removing or adding edges of the graph depending on the constraining rules annotated to the edges.
6 Conclusions
By executing security testing and evaluation of the new digital automation and control systems resp. infrastructures, such as the 'Internet of Things', I4.0 plants, Smart Cities or Smart Grids etc., one has to consider the kinds of physical system safety and security with respect to layers, domains and zones as defined by the various RAMs and standards [2, 3]. This is due to the fact that ICT is the means, not the asset. The CHS asset, or the parts of it to be protected, are the devices of IoT, the services of the Smart City, the energy distribution infrastructure of the Smart Grid, the automation and control systems of I4.0 etc. ICT is just the means to acquire the information necessary to protect the assets against malfunctioning or attackers etc. Nevertheless, by the process of digitization, systems and infrastructures at first get more vulnerable, because all physical networks are opened to digital control, which is nowadays not yet mature enough to protect our real assets. In order to develop security and safety strategies for the protection of our smart world to come, ETSI (among others) has recently started a new standardization project [4, 5, 6] using a model-based approach, aiming at a common language and semantics to model properties of Complex Hybrid Systems (CHS) whose architecture is specified by a RAM. The anticipated language allows expressing security and safety constraints in terms of set-theoretical ADTs that can easily be translated into a graph representation. Graph manipulation theory is the anticipated semantics of the publish-subscribe communication paradigm underlying the Complex Hybrid System model. The tooling is achieved by available graph manipulation tools from the public domain, such as the experimental 'GraGra' from TUB or the more powerful one from KIT [7, 8]. Other approaches use the Mathworks tool Matlab® for data representation and analysis. In any case the anticipated language must be capable of handling translations to and from the chosen semantic tool.
In the case of graph manipulation tooling applied to I4.0 IACS, a graph model represents a 'state of production' which changes into another 'state of production' under the influence of the environment, i.e. input/output data, persons, product maturity, security conditions, privacy data violations etc. The implemented guarding rules test these conditions, and when they hold the guards enable the computation of the next system state, modeled as a graph. Vice versa, one may also simulate possible next system states by exploring the available guards of a RAM model in a certain state. This is a good evaluation method when a system in a critical state must be transformed into a system in a safer state. There exists a homomorphism of models that can be transformed from one state to another state of the same modeling type (horizontal mappings) by using either graphs supported by tools or, alternatively, the common language based on abstract event data types (ADT). Models of different types can be translated from one model representation to the other, i.e. graphs to data types and vice versa (vertical mappings).
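As an added example that is not code from the paper or from the graph tools it cites, the following Python sketch models the guarded graph manipulation described above and in the SIEM section: a production state is a set of labeled edges, each rule carries a guard over the current graph and the environment indicators, and a breadth-first exploration of the enabled guards finds the rule sequence that moves a constructed critical IACS configuration into a safer one. The vertices, relation names, indicator names and thresholds are assumptions.

```python
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Edge = Tuple[str, str, str]   # (vertex, relation label, vertex), e.g. ("Net", "exposes", "Plant")
Graph = FrozenSet[Edge]       # one system configuration; immutable so visited states can be hashed
Env = Dict[str, float]        # environment indicators (measurements, ISI values) read by the guards

@dataclass(frozen=True)
class Rule:
    """A guarded graph manipulation: if `guard` holds for configuration g under
    environment env, the next configuration is (g - remove) | add."""
    name: str
    guard: Callable[[Graph, Env], bool]
    add: FrozenSet[Edge]
    remove: FrozenSet[Edge]

def apply_rule(rule: Rule, g: Graph) -> Graph:
    return (g - rule.remove) | rule.add

def enabled_rules(rules: List[Rule], g: Graph, env: Env) -> List[Rule]:
    """The guards that hold in the current state, i.e. the decision options available there."""
    return [r for r in rules if r.guard(g, env)]

def search_safer_state(start: Graph, rules: List[Rule], env: Env,
                       is_safe: Callable[[Graph, Env], bool],
                       max_depth: int = 6) -> Optional[List[str]]:
    """Breadth-first exploration of the configurations reachable through enabled
    guards; returns the shortest rule sequence to a configuration satisfying
    `is_safe`, or None if none is reachable within max_depth steps."""
    seen = {start}
    queue = deque([(start, [])])
    while queue:
        g, path = queue.popleft()
        if is_safe(g, env):
            return path
        if len(path) >= max_depth:
            continue
        for rule in enabled_rules(rules, g, env):
            nxt = apply_rule(rule, g)
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [rule.name]))
    return None

# Constructed IACS configuration (hypothetical vertices and relations): plant (III),
# SOC (II), actor (I); feedback link H is the edge ("Plant", "reports", "SOC").
EXPOSED: Edge = ("Net", "exposes", "Plant")
FEEDS: Edge = ("Valve", "feeds", "Plant")
ADVISES: Edge = ("SOC", "advises", "Actor")
OPERATES: Edge = ("Actor", "operates", "Valve")
REPORTS: Edge = ("Plant", "reports", "SOC")

RULES: List[Rule] = [
    Rule("stop_flow",              # the actor closes the valve when pressure is too high
         lambda g, e: e["pressure"] > 9.0 and FEEDS in g and OPERATES in g,
         add=frozenset(), remove=frozenset({FEEDS})),
    Rule("establish_advisory",     # the SOC can advise the actor once plant reports arrive
         lambda g, e: ADVISES not in g and REPORTS in g,
         add=frozenset({ADVISES}), remove=frozenset()),
    Rule("isolate_plant",          # on a high intrusion indicator the advised actor cuts exposure
         lambda g, e: e["intrusion_isi"] > 0.5 and EXPOSED in g and ADVISES in g,
         add=frozenset(), remove=frozenset({EXPOSED})),
]

CRITICAL_STATE: Graph = frozenset({REPORTS, OPERATES, FEEDS, EXPOSED})

def is_safe(g: Graph, env: Env) -> bool:
    """Safe: the plant is not reachable from the network, and no asset flows while over-pressure."""
    return EXPOSED not in g and (env["pressure"] <= 9.0 or FEEDS not in g)
```

Changing the environment indicators changes which guards are enabled, so the same critical configuration may have a short path to safety, a longer one, or none at all.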
Abbreviations
ADT: Abstract Data Type (part of set-theoretical Model)
CHS: Complex Hybrid Systems
DER: Distributed Energy Resources (of SGAM)
GMT: Graph Manipulation Tool/Theory
IACS: Industrial Automation and Control Systems
IOT: Internet Of Things (DIN/ISO/IEC JTC1 WG10)
ISI: Information Security Indicators (cp. ETSI ISG ISI standards)
KIT: Karlsruhe Institute of Technology (offering GMT)
PoT: Pentagon of Trust (acc. to JTC1 SC27 Standardization Projects)
PSCP: Publish-Subscribe Communication Paradigm/Platform
RAM: Reference Architecture Model
RTC: Real Time Control Capability
SOC: Security Operation Center (decision-making component II of figure 2)
SIEM: Security Information Event Management Model
References
1. Jan deMeer: The BeST Model of Trustworthiness - The 4 Pillars of Trust for Cyber Defense, Poster of smartspacelab.eu GmbH (www.school-of-technology.de 2016).
2. IEC 62443-3-3:2013 Security for Industrial Automation and Control Systems part 3-3: System Security Requirements and Security Levels (ANSI/ISA 62443-3-3 (99.03.03)).
3. IEC 62443-4-2 Ed.1 Security for Industrial Automation and Control Systems (IACS) part 4-2: Technical Requirements for IACS Components (IEC/TC57/WG15, SCA45A/WGA9, ISO/IEC JTC1/SC27/WG3 N1178 (2015-07 --- IT ST - Security Evaluation, Testing and Specification), https://webstore.iec.ch/preview/info_iec62443-2-4%7Bed1.0%7Db.pdf).
4. ETSI GS ISI 001-1/2 Information Security Indicators (ISI) – Indicators (INC) Part 1 Revision 1 FDA v0.0.3 (Gerard Gaudin Rapporteur) "A full set of Operational Indicators for Organizations to use to benchmark their security posture"; ISI INC Part 2 "Guide to select Operational Indicators based on the full set given in INC part 1".
5. ETSI GS ISI 002 Information Security Indicators (ISI) – Security Event Model (SEM) "A Security Event Classification Model and Taxonomy".
6. ETSI GS ISI 006 (WD v0.0.6, Jan deMeer Rapporteur) Information Security Indicators (ISI) - An ISI-compliant Measurement and Event Management Architecture for Cyber Security & Safety - CSlang A Cyber Security Specification Language.
7. The Attributed Graph Grammar tool, Version 2.1 (2017), TU Berlin: http://www.user.tu-berlin.de/o.runge/agg/
8. Karlsruhe Institute of Technology, IPD Inst. f. Programmierparadigmen: GrGen.NET graph transformation tool, https://svn.ipd.kit.edu/trac/mx/wiki/Tools/GrGen.NET