Introduction Industry 4.0 will lead to many more critical industrial systems being Internet-connected and interdependent. Measuring the security of these distributed systems of industrial devices is vital to understand the risk of compromise this poses and to assess potential defences. This project will develop techniques to measure the security of Industry 4.0 systems. Measuring the comparative security of different products and systems enables decision makers to choose more secure products and systems, enables manufacturers to compare their security with competitors, and provides a market incentive to invest in security. By measuring security over time we can evaluate whether interventions were effective and so develop more effective interventions. Measuring security is difficult as it requires understanding the whole system in its context including the behaviour of people who use and abuse the system. Care is required to ensure that better scores can only be achieved through better security. Collecting data about the security of systems in use rather than solely in theory can be challenging as it can require cooperation from the companies whose systems are being evaluated.
Background Previously Daniel Thomas has collected data on the security of Android devices and used it to produce robust comparative metrics for different manufacturers and network operators (\Security metrics for the Android ecosystem" SPSM 2015). These measures gained international attention and were used by Google internally and in their discussions with manufacturers as well as by the USA's FTC, UK's Home Oce, and GSMA's Device Security Group. We are currently working with industry to extend these metrics to new systems. Prior work has measured aspects of the security of individual devices with respect to individual vulnerabilities, but with Industry 4.0 we need to measure the emergent security of the whole distributed system. Vulnerabilities in one device can aect the security or operation of other devices and so we need to understand the security dependencies within the system. Hence, we need to model the composition of vulnerabilities both within and between devices. Strathclyde has the facilities to perform these measurements through various test beds for industrial systems such as manufacturing (CMAC/AFRC), power networks (PNDC), and nuclear (ANRC). It also has the industrial contacts required to trial techniques developed in this project on real Industry 4.0 systems. The skills required for this work are principally data analysis to develop metrics and measure systems, and programming skills to produce honeypots and simulate industrial systems.
Aims & objectives The aim of this project would be to measure the security of whole Industry 4.0 systems. This will be accomplished through two objectives: First, realistically modeling the composition of multiple vulnerabilities within a system. Attackers often exploit multiple vulnerabilities to break all the way into a system from their initial entry point. Understanding the impact of multiple vulnerabilities in a system is presently difficult and so modelling this and the impact of their being discovered and patched over time would provide a better understanding of overall security. Second, applying these models to the measurement of the security of multi-site Industry 4.0 systems. These measurements would help evaluate how risky current deployments are and guide companies towards more secure deployments. Many industrial control systems are already connected to the Internet and can be discovered by automatic scanning. These provide some indication of the security of industrial systems and prior work has shown that they do not receive security updates and can be easily abused by remote attackers. Analysing industrial networks to determine the systems in use and the software versions they run, and inferred network topology and policy would enable comparative measures of security between different industrial facilities.
Group and training This project ts within the growing Strathclyde Security Research Group, which spans Computer & Information Science and Electronic & Electrical Engineering. This project will be supported by ongoing industrial collaborations. The student will undertake the training oered by the University as part of the PgCert Researcher Development Programme. The student will attend and present at Strathclyde Security Research Group. The student will attend various summer schools (e.g. the SecHuman summer school and ACE-CSR). To provide industrial experience for the student, we will arrange an internship at a relevant company.
Duration of studentship: 36 months with fees and stipend covered by the University of Strathclyde. for UK/EU students