A Malware-Tolerant, Self-Healing Industrial Control System Framework

  • Michael Denzel
  • Mark Ryan
  • Eike Ritter
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 502)


Industrial Control Systems (ICSs) are computers managing many critical infrastructures such as power plants, aeroplanes, and production lines. While ICSs were formerly specialised hardware circuits without an internet connection, they are nowadays commodity computers with a network connection, a TCP/IP stack, and a full operating system, which makes them vulnerable to common attacks. Defensive mechanisms, however, still lag behind, because the strong availability requirement of ICSs prohibits deploying typical countermeasures such as anti-virus software. New techniques are needed to defend these systems under their distinct prerequisites.

We introduce the concept of a malware-tolerant ICS network architecture that can still operate securely even when some components are entirely compromised by an attacker. This is achieved by replacing every single point of failure with multiple components that verify each other. We provide ProVerif proofs of the correctness of the network protocol, assuming in turn that each device is compromised.

Furthermore, we added an invariant-based self-healing mechanism to the architecture at both the network and the system level, which resets failed or compromised systems. To demonstrate system-level self-healing, we implemented it on top of FreeRTOS and ARM TrustZone. Network-level self-healing was incorporated into the ProVerif proofs by formally verifying the absence of type 1 errors (falsely identified attacks) and type 2 errors (missed attacks).
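The abstract describes two ideas together: replicas that verify each other so that no single device is trusted alone, and invariants whose violation triggers a reset of the offending device. The simulation below is an added illustration of that combination; it is not the paper's protocol, its ProVerif model, or the authors' FreeRTOS/TrustZone implementation. The three-replica topology, the tank-level invariants (physical range, maximum rate of change, agreement tolerance between replicas) and the attacker behaviour are all constructed assumptions. Each replica accuses a peer whose report breaks an invariant or disagrees with its own reading; a replica is reset only when a strict majority accuses it, which is what keeps one compromised device from either escaping detection (a missed attack) or forcing a reset of an honest peer (a false alarm).

```python
"""Mutual verification with invariant-based self-healing: a constructed simulation.

Three replicas of one sensor/controller report the same process quantity each
tick. Every replica checks its peers against physical invariants and against
its own reading; a replica is reset only when a strict majority accuses it.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed invariants for a hypothetical tank-level loop (not from the paper):
LEVEL_MIN, LEVEL_MAX = 0.0, 100.0   # physically possible sensor range
MAX_RATE = 5.0                      # largest plausible change per control tick
AGREEMENT_TOL = 2.0                 # honest replicas agree within this tolerance


@dataclass
class Device:
    """One replica; `compromised` models full attacker control of the device."""
    name: str
    compromised: bool = False
    attack_value: float = 999.0         # what a compromised replica reports
    resets: int = 0
    last_good: Optional[float] = None   # last report the quorum accepted

    def report(self, true_level: float) -> float:
        return self.attack_value if self.compromised else true_level


def violated_invariant(value: float, last_good: Optional[float],
                       reference: float) -> Optional[str]:
    """Name of the first invariant `value` breaks, or None if it is plausible.
    `reference` is the verifying replica's own reading of the same quantity."""
    if not LEVEL_MIN <= value <= LEVEL_MAX:
        return "range"
    if last_good is not None and abs(value - last_good) > MAX_RATE:
        return "rate"
    if abs(value - reference) > AGREEMENT_TOL:
        return "agreement"
    return None


class Network:
    def __init__(self, devices: List[Device]):
        self.devices = {d.name: d for d in devices}
        self.quorum = len(devices) // 2 + 1   # strict majority of all replicas

    def tick(self, true_level: float) -> Dict[str, object]:
        reports = {n: d.report(true_level) for n, d in self.devices.items()}
        accusations: Dict[str, List[str]] = {n: [] for n in reports}
        for vname, verifier in self.devices.items():
            for tname, tdev in self.devices.items():
                if tname == vname:
                    continue
                if verifier.compromised:
                    accusations[tname].append(vname)   # worst case: accuses every peer
                elif violated_invariant(reports[tname], tdev.last_good, reports[vname]):
                    accusations[tname].append(vname)
        # Self-healing: a reset needs a quorum of accusers, so one lying verifier
        # cannot force a false reset, and one lying reporter cannot escape the
        # honest majority. A reset restores the replica to its known-good state.
        reset: List[str] = []
        for name, accusers in accusations.items():
            dev = self.devices[name]
            if len(accusers) >= self.quorum:
                dev.compromised = False
                dev.last_good = None
                dev.resets += 1
                reset.append(name)
            else:
                dev.last_good = reports[name]
        return {"reports": reports, "accusations": accusations, "reset": reset}


def simulate(attackers: List[str], attack_value: float = 999.0, ticks: int = 3):
    """Run `ticks` control ticks; the attacker takes over `attackers` at tick 1."""
    net = Network([Device("A"), Device("B"), Device("C")])
    log = []
    for t in range(ticks):
        if t == 1:
            for name in attackers:
                net.devices[name].compromised = True
                net.devices[name].attack_value = attack_value
        log.append(net.tick(50.0 + t))   # constructed process: level drifts 1.0 per tick
    return net, log


if __name__ == "__main__":
    net, log = simulate(["C"])
    for t, entry in enumerate(log):
        print(f"tick {t}: reports={entry['reports']} reset={entry['reset']}")
```

Two boundaries of the scheme are worth keeping in mind. An attacker who stays inside the agreement tolerance (for example reporting 51.5 when the true level is 51) is not detected at all; the tolerance bounds the damage rather than eliminating it, so it must be chosen from the process physics, not from convenience. And the quorum rule only holds while honest replicas form a strict majority: with two of three replicas compromised, the honest one is outvoted and reset as well, which is the same honest-majority assumption the replication literature makes explicit.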


Keywords: Malware tolerance, Self-healing, Industrial Control System (ICS), Security

Copyright information

© IFIP International Federation for Information Processing 2017

Authors and Affiliations

  1. School of Computer Science, University of Birmingham, Birmingham, UK