Bridging Dolev-Yao Adversaries and Control Systems with Time-Sensitive Channels

  • Bogdan Groza
  • Marius Minea
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8328)


Defining security objectives for industrial control scenarios is a challenging task due to the subtle interactions between system components and because security goals are often far from obvious. Moreover, there is a persistent gap between formal models for channels and adversaries (usually, transition systems) and models for control systems (differential or recurrent equations). To bind these two realms, we translate control systems into transition systems by means of an abstraction with variable time granularity and compose them with a channel model that is controlled by Dolev-Yao adversaries. This opens the road for automatic reasoning about the formal model of a control system using model checkers in a context where the communication channel is tampered with. We address a security objective that has so far largely eluded formal models, namely freshness, which is highly relevant for control systems. Beyond the traditional resilience to replay attacks, we point out several flavours of freshness which are often overlooked, e.g., ordering and bounded lifespan. We formalize these notions and show that their absence can lead to attacks that subvert the control system. Finally, we build a proof-of-concept implementation that we use to determine attacks on a simple model, which clearly shows that real-world scenarios are within reach.
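The freshness flavours the abstract names (replay resistance, ordering, bounded lifespan) can be checked at the receiving end of a sampled control loop. The following is an added example, not code from the paper: it assumes a toy integrator plant with a proportional controller, a constructed channel that replays or delays sensor messages, and a receiver-side filter that enforces sequence ordering and a maximum message age, with the controller holding its output when a reading is rejected.

```python
"""Receiver-side freshness checks for a sampled control loop (assumed toy
model, not from the paper): integrator plant x[k+1] = x[k] + dt*u[k],
controller u[k] = gain*(setpoint - y[k]), where reading y[k] crosses a
channel the adversary may replay or delay."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Msg:
    seq: int      # sensor-side sequence counter (ordering / anti-replay)
    ts: float     # sensor-side timestamp (bounded lifespan)
    value: float  # measured plant output

class FreshnessFilter:
    """Accept a message only if it is strictly newer than the last accepted
    one (ordering, which also rejects replays) and at most max_age old on
    the receiver clock (bounded lifespan)."""
    def __init__(self, max_age):
        self.max_age = max_age
        self.last_seq = -1

    def check(self, msg, now):
        if msg.seq <= self.last_seq:
            return False, "out-of-order-or-replayed"
        if now - msg.ts > self.max_age:
            return False, "expired"
        self.last_seq = msg.seq
        return True, "fresh"

def simulate(attack, enforce, steps=40, dt=0.1, gain=2.0, setpoint=1.0,
             max_age=0.25):
    """Constructed channel attack from step 10 on: 'replay' re-delivers the
    message captured at step 0, 'delay' delivers each message 8 steps late
    (in order but stale), 'none' is honest.  A rejected reading makes the
    controller hold u = 0.  Returns (final state, peak overshoot)."""
    filt, x, peak, sent = FreshnessFilter(max_age), 0.0, 0.0, []
    for k in range(steps):
        now = k * dt
        sent.append(Msg(seq=k, ts=now, value=x))
        if k < 10 or attack == "none":
            delivered = sent[k]
        elif attack == "replay":
            delivered = sent[0]
        else:
            delivered = sent[k - 8]
        ok, _ = filt.check(delivered, now) if enforce else (True, "unchecked")
        u = gain * (setpoint - delivered.value) if ok else 0.0
        x += dt * u
        peak = max(peak, x - setpoint)
    return x, peak
```

Without the filter the replayed reading drives the integrator far past the setpoint and the delayed (stale but correctly ordered) readings cause a growing oscillation; with it, both are rejected and the plant simply holds its last state.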


Keywords: control system, formal modelling, freshness





Copyright information

© Springer International Publishing Switzerland 2013

Authors and Affiliations

  • Bogdan Groza (1)
  • Marius Minea (1)
  1. Politehnica University of Timişoara and Institute e-Austria Timişoara, Romania
