Skip to main content

Challenges in OT Security and Their Impacts on Safety-Related Cyber-Physical Production Systems

Abstract

In Cyber-Physical Production Systems (CPPS), integrity and availability of hardware and software components are necessary to ensure product quality and the safety of employees and customers, while the confidentiality of engineering artifacts and product details must be kept to hide company secrets. At the same time, an increasing number of Internet connected control systems causes the presence of new attack vectors. As a result, unauthorized hardware/software modifications of CPPS components through cyber attacks become more prevalent. This development raises the demand for proper protection measures significantly, not only to ensure product quality and security but also the safety of people working with the machinery. In this chapter, we describe vulnerable assets of Operational Technology (OT) and identify information security requirements for these assets. Based on this assessment, possible attack vectors and threat models are discussed. Furthermore, measures against the mentioned threats and security relevant differences between OT and Information Technology (IT) systems are outlined. To manage a CPPS and its related threats, risk management will be addressed in more detail. Although safety and security should no longer be viewed as isolated, there are several challenges of integrating safety and security, which can lead to struggles and trade-offs. For this reason, the “Safety and Security Lab in Industry” currently investigates different aspects of future integrated solutions covering both safety and security. Challenges of such integrated solutions are outlined at the end of the chapter.

This is a preview of subscription content, log in via an institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   54.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   69.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD   99.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    https://www.enisa.europa.eu/topics/nis-directive

  2. 2.

    https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20010536

References

  1. S. Vitturi, C. Zunino, and T. Sauter, “Industrial communication systems and their future challenges: Next-generation Ethernet, IIoT, and 5G,” Proceedings of the IEEE, vol. 107, no. 6, pp. 944–961, 2019.

    Article  Google Scholar 

  2. I. Reithner, M. Papa, B. Lueger, M. Cato, S. Hollerer, and R. Seemann, “Development and Implementation of a Secure Production Network,” Proceedings of the 31st DAAAM International Symposium, pp. 736–745, 2020.

    Google Scholar 

  3. J. Jasperneite, T. Sauter, and M. Wollschlaeger, “Why we need automation models: Handling complexity in Industry 4.0 and the Internet of Things,” IEEE Industrial Electronics Magazine, vol. 14, no. 1, pp. 29–40, 2020.

    Article  Google Scholar 

  4. E. J. Colbert and A. Kott, Cyber-security of SCADA and other industrial control systems. Springer, 2016, vol. 66.

    Google Scholar 

  5. M. Bajer, “Control systems integration using OPC standard,” AGH Master Thesis, W. Grega-Supervisor, Krakow & Antwerp, 2008.

    Google Scholar 

  6. E. Geisberger and M. Broy, Integrierte Forschungsagenda Cyber-Physical Systems: acatech STUDIE. Deutschland: acatech, 2012.

    Google Scholar 

  7. G. Martins, S. Bhatia, X. Koutsoukos, K. Stouffer, C. Tang, and R. Candell, “Towards a systematic threat modeling approach for cyber-physical systems,” in 2015 Resilience Week (RWS). IEEE, 2015, pp. 1–6.

    Google Scholar 

  8. R. E. Petruse, I. Bondrea, and I. C. Nicolae, “Main requirements of a cyber physical production system demonstrator,” Acta Universitatis Cibiniensis. Technical Series, vol. 71, no. 1, pp. 76–80, 2019.

    Article  Google Scholar 

  9. International Organization for Standardization (ISO), “Robots and robotic devices - Collaborative robots,” Geneva, CH, Feb. 2016.

    Google Scholar 

  10. R. Siegwart, I. R. Nourbakhsh, and D. Scaramuzza, Introduction to Autonomous Mobile Robots, 2nd ed. Cambridge, Massachusetts: The MIT Press, 2004.

    Google Scholar 

  11. O. Khatib, “Mobile manipulators: Expanding the frontiers of robot applications,” in Field and Service Robotics, A. Zelinsky, Ed. Springer, 1998, pp. 6–11.

    Google Scholar 

  12. B. Vogel-Heuser, T. Bauernhansl, and M. ten Hompel, Eds., Handbuch Industrie 4.0 Bd.  2: Automatisierung, 2nd ed., ser. Springer Reference Technik. Berlin: Springer, 2017.

    Google Scholar 

  13. Y. Ro, A. Brem, and P. Rauschnabel, Augmented Reality Smart Glasses: Definition, Concepts and Impact on Firm Value Creation. Gewerbestrasse 11, 6330 Cham, Switzerland: Springer International Publishing AG, 2017, ch. 12, pp. 169–181.

    Google Scholar 

  14. A. Grau, M. Indri, L. L. Bello, and T. Sauter, “Industrial robotics in factory automation: From the early stage to the Internet of Things,” in IECON 2017 - 43rd Annual Conference of the IEEE Industrial Electronics Society, 2017, pp. 6159–6164.

    Google Scholar 

  15. Statista, “Wie hoch schätzen Sie das Risiko für Ihr Unternehmen ein, Opfer von Cyberangriffen/Datenklau zu werden?,” 2019, accessed: 2020-10-16. [Online]. Available: https://de.statista.com/statistik/daten/studie/760006/umfrage/wahrgenommenes-risiko-von-cyberangriffen-unter-unternehmen-in-deutschland/.

  16. C. Fife, “What’s Required To Secure The IoT?” 2015, accessed: 2020-10-23. [Online]. Available: https://www.citrix.com/blogs/2015/04/09/whats-required-to-secure-the-iot/.

  17. Barrgroup-Dictionary, “Embedded System,” 2020, accessed: 2020-10-14. [Online]. Available: https://barrgroup.com/embedded-systems/glossary-embedded_system.

  18. TÜV Austria, Fraunhofer Austria Research GmbH, “Safety & security in der Mensch-Roboter-Kollaboration,” 2016. [Online]. Available: https://www.tuv.at/fileadmin/user_upload/docs/group/innovation/tuv-austria-white-paper-deutsch/003_tuv_austria_white_paper_III_einfluss_it_security_sicherheit_in_der_mensch_roboter_kollaboration_fraunhofer_DE_WEB.pdf.

  19. M. Kumar, J. Meena, R. Singh, and M. Vardhan, “Data outsourcing: A threat to confidentiality, integrity, and availability,” in 2015 International Conference on Green Computing and Internet of Things (ICGCIoT). IEEE, 2015, pp. 1496–1501.

    Google Scholar 

  20. F. Accerboni and M. Sartor, “ISO/IEC 27001’,” Quality Management: Tools, Methods, and Standards. Emerald Publishing Limited, pp. 245–264, 2019.

    Google Scholar 

  21. Y. Lu and M. Zhu, “A control-theoretic perspective on cyber-physical privacy: Where data privacy meets dynamic systems,” Annual Reviews in Control, vol. 47, pp. 423–440, 2019.

    Article  Google Scholar 

  22. P. Van Aubel, E. Poll, and J. Rijneveld, “Non-repudiation and end-to-end security for electric-vehicle charging,” in 2019 IEEE PES Innovative Smart Grid Technologies Europe (ISGT-Europe). IEEE, 2019, pp. 1–5.

    Google Scholar 

  23. A. Shostack, Threat modeling: Designing for security. John Wiley & Sons, 2014.

    Google Scholar 

  24. R. Vigo, “The cyber-physical attacker,” in International Conference on Computer Safety, Reliability, and Security. Springer, 2012, pp. 347–356.

    Google Scholar 

  25. M. T. Swarup Bhunia, Hardware Security: A Hands-on Learning Approach. Morgan Kaufmann, 2019.

    Google Scholar 

  26. D. Dolev and A. Yao, “On the security of public key protocols,” IEEE Transactions on information theory, vol. 29, no. 2, pp. 198–208, 1983.

    Article  MATH  Google Scholar 

  27. M. Rocchetto and N. O. Tippenhauer, “On attacker models and profiles for cyber-physical systems,” in European Symposium on Research in Computer Security. Springer, 2016, pp. 427–449.

    Google Scholar 

  28. N. Hoque, M. H. Bhuyan, R. C. Baishya, D. K. Bhattacharyya, and J. K. Kalita, “Network attacks: Taxonomy, tools and systems,” Journal of Network and Computer Applications, vol. 40, pp. 307–324, 2014.

    Article  Google Scholar 

  29. A. Humayed, J. Lin, F. Li, and B. Luo, “Cyber-physical systems security-a survey,” IEEE Internet of Things Journal, vol. 4, no. 6, pp. 1802–1831, 2017.

    Article  Google Scholar 

  30. C. Bodungen, B. Singer, A. Shbeeb, K. Wilhoit, and S. Hilt, Hacking Exposed Industrial Control Systems: ICS and SCADA Security Secrets & Solutions, 1st ed. New York: McGraw-Hill Education, 2016. [Online]. Available: https://mhebooklibrary.com/doi/book/10.1036/9781259589720.

  31. S. J. Templeton, “Security aspects of cyber-physical device safety in assistive environments,” in Proceedings of the 4th International Conference on PErvasive Technologies Related to Assistive Environments, ser. PETRA ’11. New York, NY, USA: Association for Computing Machinery, 2011. [Online]. Available: https://doi.org/10.1145/2141622.2141685.

  32. A. Treytl, T. Sauter, and C. Schwaiger, “Security measures in automation systems-a practice-oriented approach,” in 2005 IEEE Conference on Emerging Technologies and Factory Automation, vol. 2, 2005, pp. 847–855.

    Google Scholar 

  33. A. Valenzano, “Industrial cybersecurity: Improving security through access control policy models,” IEEE Industrial Electronics Magazine, vol. 8, no. 2, pp. 6–17, 2014.

    Article  Google Scholar 

  34. K. A. Stouffer, V. Pilitteri, M. Abrams, and A. Hahn, “NIST Special Publication 800-82 Revision 2. Guide to Industrial Control Systems (ICS) Security: Supervisory Control and Data Acquisition (SCADA) Systems, Distributed Control Systems (DCS), and Other Control System Configurations Such as Programmable Logic Controllers (PLC),” Gaithersburg, MD, USA, 2015.

    Google Scholar 

  35. “IEC 62443-3-3:2013 Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels,” 2013.

    Google Scholar 

  36. D. R. Preiss, Risk analysis techniques in engineering. TÜV Austria Akademie GmbH, 2020.

    Google Scholar 

  37. International Organization for Standardization (ISO), “ISO/IEC guide 73:2009 - risk management - vocabulary,” 2009.

    Google Scholar 

  38. D. W. Hubbard, The Failure of Risk Management: Why It’s Broken and How to Fix It. Wiley, 2009.

    Google Scholar 

  39. P. Gregory, CISA Certified Information Systems Auditor All-in-One Exam Guide, Fourth Edition. McGraw-Hill, 2019.

    Google Scholar 

  40. S.-H. Y. Xiaorong Lyu, Yulong Ding, “Safety and security risk assessment in cyber-physical system,” IET Cyber-Physical Systems: Theory & Applications, vol. 4–3, pp. 221–232, 2019.

    Google Scholar 

  41. E. Ruijters and M. Stoelinga, “Fault tree analysis: A survey of the state-of-the-art in modeling, analysis and tools,” Computer Science Review, vol. 15–16, pp. 29–62, 2015. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S1574013715000027.

  42. L. Grunske, R. Colvin, and K. Winter, “Probabilistic model-checking support for FMEA,” pp. 119–128, 10 2007.

    Google Scholar 

  43. M. Rausand and S. Haugen, Hazard Identification. John Wiley & Sons, Ltd, 2020, ch. 10, pp. 259–337. [Online]. Available: https://onlinelibrary.wiley.com/doi/abs/10.1002/9781119377351.ch10.

  44. M. Modarres and S. W. Cheon, “Function-centered modeling of engineering systems using the goal tree-success tree technique and functional primitives,” Reliability Engineering & System Safety, vol. 64, no. 2, pp. 181–200, 1999. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S0951832098000623.

  45. D. Lee, J. Lee, S.-W. Cheon, and J. Yoo, “Application of System-Theoretic Process Analysis to Engineered Safety Features-Component Control System,” 2013.

    Google Scholar 

  46. I. Friedberg, K. McLaughlin, P. Smith, D. Laverty, and S. Sezer, “STPA-safesec: Safety and security analysis for cyber-physical systems,” Journal of Information Security and Applications, vol. 34, pp. 183–196, 2017. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S2214212616300850.

  47. S. Kriaa, M. Bouissou, L. Piètre-Cambacedes, and Y. Halgand, “A Survey of Approaches Combining Safety and Security for Industrial Control Systems,” Reliability Engineering and System Safety, vol. 139, pp. 156–178, 02 2015.

    Google Scholar 

  48. L. Chung and J. C. S. do Prado Leite, On Non-Functional Requirements in Software Engineering. Berlin, Heidelberg: Springer Berlin Heidelberg, 2009, pp. 63–379.

    Google Scholar 

  49. A. Kornecki, N. Subramanian, and J. Zalewski, “Studying interrelationships of safety and security for software assurance in cyber-physical systems: Approach based on Bayesian belief networks,” pp. 1393–1399, 01 2013.

    Google Scholar 

  50. International Organization for Standardization (ISO), “ISO 12100:2010-general principle for design-risk assessment and risk reduction.” 2010.

    Google Scholar 

  51. Federal Ministry for Climate Action, Environment, Energy, Mobility, Innovation and Technology (BMK) Austria, “Sicherheit für die digitale Transformation der Produktion,” 2020, accessed: 2020-10-22. [Online]. Available: https://www.bmk.gv.at/themen/innovation/publikationen/produktion/sigi.html.

  52. J.-P. A. Yaacoub, O. Salman, H. N. Noura, N. Kaaniche, A. Chehab, and M. Malli, “Cyber-physical systems security: Limitations, issues and future trends,” Microprocessors and Microsystems, vol. 77, p. 103201, 2020. [Online]. Available: http://www.sciencedirect.com/science/article/pii/S0141933120303689.

  53. S. F. D’amato and D. W. Mallik, “Plastic molding of articles including a hologram or other microstructure,” Dec. 10 1991, US Patent 5,071,597.

    Google Scholar 

  54. C. A. Cole and J. T. Weber, “Package integrity indicating closure,” Apr. 2 2013, US Patent 8,408,792.

    Google Scholar 

  55. V. Immler, J. Obermaier, K. K. Ng, F. X. Ke, J. Lee, Y. P. Lim, W. K. Oh, K. H. Wee, and G. Sigl, “Secure physical enclosures from covers with tamper-resistance,” IACR Transactions on Cryptographic Hardware and Embedded Systems, vol. 2019, no. 1, p. 51-96, Nov. 2018. [Online]. Available: https://tches.iacr.org/index.php/TCHES/article/view/7334.

  56. Y. Liu, K. Huang, and Y. Makris, “Hardware trojan detection through golden chip-free statistical side-channel fingerprinting,” in Proceedings of the 51st Annual Design Automation Conference, 2014, pp. 1–6.

    Google Scholar 

  57. M. M. T. Bhunia Swarup, The Hardware Trojan War. Springer-Verlag GmbH, 2017. [Online]. Available: https://www.springer.com/de/book/9783319685106.

  58. B. Bailey, “Optimization challenges for safety and security,” 2019, accessed: 2020-09-25. [Online]. Available: https://semiengineering.com/optimization-challenges-for-safety-and-security/.

  59. W. A. Arbaugh, W. L. Fithen, and J. McHugh, “Windows of vulnerability: A case study analysis,” Computer, vol. 33, no. 12, pp. 52–59, 2000.

    Article  Google Scholar 

  60. A. A. Cárdenas, S. Amin, and S. Sastry, “Research challenges for the security of control systems.” in HotSec, 2008.

    Google Scholar 

  61. B. Brenner, E. Weippl, and A. Ekelhart, “Security related technical debt in the cyber-physical production systems engineering process,” in IECON 2019-45th Annual Conference of the IEEE Industrial Electronics Society, vol. 1. IEEE, 2019, pp. 3012–3017.

    Google Scholar 

  62. G. Sabaliauskaite and A. P. Mathur, “Aligning cyber-physical system safety and security,” in Complex Systems Design & Management Asia. Springer, 2015, pp. 41–53.

    Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Wolfgang Kastner .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2023 The Author(s), under exclusive license to Springer-Verlag GmbH, DE, part of Springer Nature

About this chapter

Check for updates. Verify currency and authenticity via CrossMark

Cite this chapter

Hollerer, S. et al. (2023). Challenges in OT Security and Their Impacts on Safety-Related Cyber-Physical Production Systems. In: Vogel-Heuser, B., Wimmer, M. (eds) Digital Transformation. Springer Vieweg, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-65004-2_7

Download citation

  • DOI: https://doi.org/10.1007/978-3-662-65004-2_7

  • Published:

  • Publisher Name: Springer Vieweg, Berlin, Heidelberg

  • Print ISBN: 978-3-662-65003-5

  • Online ISBN: 978-3-662-65004-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics