Rethinking security properties, threat models, and the design space in sensor networks: A case study in SCADA systems
Introduction
A quick look at the research literature on sensor networks does not offer a hopeful view of their security. There appear to be innumerable threats to sensor networks, such as replication (cloning) attacks, Sybil attacks, communication replay, wormhole attacks, time synchronization attacks, localization attacks, routing attacks, jamming, rushing of messages, aggregation attacks, false sensor data injection, reputation attacks, and many others.
Contributing to this grim outlook, sensor networks are generally presented as systems with very limited resources. Typical arguments include: (1) the hardware and energy constraints of sensor nodes severely limit their ability to implement traditional security solutions, (2) sensor nodes are left unattended and are therefore easily compromised, (3) there is no trusted infrastructure; therefore, distributed protocols must be resilient to Byzantine attackers, and (4) without an online trusted third party, it is difficult to bootstrap security associations.
As a result, if we implement a security countermeasure for each of the proposed attacks, the security overhead will overwhelm the (already scarce) available resources of the sensor network. In short, attempting to create a secure sensor network appears to be an impossible task.
This is not a problem unique to sensor networks, since obtaining perfect security is impossible. The problem, however, is that deployments of sensor networks have been used chiefly for either (1) scientific purposes, where an adversary has little incentive to attack the sensors, or (2) military deployments, where very little public data is available. As a result, most of the academic research on the security of sensor networks has been done in abstract scenarios, where any assumption can be made about, for example, the types of threats the sensor network is exposed to and the architecture and resource constraints of the sensor network.
However, recently sensor networks have found their way into real commercial applications. This offers us the opportunity to use concrete practical scenarios and avoid making assumptions about abstract deployments.
In this paper we begin to address these problems and we identify some key research challenges:
- Providing the background setting for the security of sensor networks in Supervisory Control and Data Acquisition (SCADA) systems. Identifying (1) the common architecture and resource constraints of the sensor networks, and (2) the incentives and methods an attacker can follow.
- Providing a holistic view of the security requirements and threat models of the sensor networks. We express our holistic view with two considerations: (1) we focus on high-level security goals (we argue that previous research has focused on low-level security goals), and (2) we introduce a class of physical attacks (previous research has focused mostly on cyber-attacks).
- Providing a ranking of threats and security mechanisms. While our rankings may not be general enough, we believe our taxonomy is an important first step to better understand the threats against a sensor network and to understand our priorities for protecting them.
- Defining the high-level security goals of a sensor network. While terms like availability and integrity tend to be understood informally, we provide a new interpretation of these properties in sensor networks.
- Identifying different ways that sensor measurements are reported back to the base station: event-based sensor measurements can compromise the confidentiality of the network even when standard encryption algorithms are used, because the presence and timing of an encrypted report reveals that an event occurred.
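The last point is easy to underestimate, so here is a constructed simulation (added for this page; it is not code from the paper or its authors). A node samples a process variable each tick and reports to the base station. Payloads are encrypted with a keyed PRF used as a stream cipher (HMAC-SHA256 in counter mode, a stand-in for whatever cipher a real node uses), so a passive eavesdropper without the key sees only the tick at which a packet appears and its length. The readings, the alarm threshold, the key and the packet format are all assumptions chosen for the demonstration. Three reporting modes are compared: periodic, event-based, and event-based with fixed-rate cover traffic.

```python
"""Traffic-analysis leak from event-based sensor reporting (constructed example)."""
import hashlib
import hmac

DEMO_KEY = bytes(range(32))   # constructed demo key; a real node would provision its own
THRESHOLD = 70                # assumed alarm level for the monitored variable
PAYLOAD_LEN = 3               # 1-byte message type + 2-byte reading, fixed length on the wire

# Constructed readings for 16 ticks; ticks 4, 5 and 11 exceed the alarm threshold.
READINGS = [40, 42, 41, 45, 80, 85, 50, 44, 43, 41, 42, 90, 47, 44, 42, 41]

TYPE_PERIODIC, TYPE_EVENT, TYPE_DUMMY = 0, 1, 2


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF; nonce must never repeat under one key."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, nonce, plaintext):
    """XOR with the keystream; the same call decrypts."""
    ks = keystream(key, nonce, len(plaintext))
    return bytes(a ^ b for a, b in zip(plaintext, ks))


def encode(kind, value):
    return bytes([kind]) + value.to_bytes(2, "big")


def true_events(readings):
    return {t for t, r in enumerate(readings) if r > THRESHOLD}


def periodic_trace(readings):
    """One packet every tick, regardless of the reading."""
    return [(t, encrypt(DEMO_KEY, t, encode(TYPE_PERIODIC, r))) for t, r in enumerate(readings)]


def event_based_trace(readings):
    """A packet only when the reading crosses the threshold (saves energy)."""
    return [(t, encrypt(DEMO_KEY, t, encode(TYPE_EVENT, r)))
            for t, r in enumerate(readings) if r > THRESHOLD]


def covered_event_trace(readings):
    """Event-based reporting hidden behind fixed-rate, fixed-length cover traffic."""
    out = []
    for t, r in enumerate(readings):
        pt = encode(TYPE_EVENT, r) if r > THRESHOLD else encode(TYPE_DUMMY, 0)
        out.append((t, encrypt(DEMO_KEY, t, pt)))
    return out


def eavesdropper_view(trace):
    """What a passive attacker without the key observes: times and sizes only."""
    return [(t, len(c)) for t, c in trace]


def infer_events(view):
    """Attacker's rule: every observed packet marks an event."""
    return {t for t, _ in view}


def leak_score(readings, trace):
    """Precision and recall of the attacker's event guess against the truth."""
    inferred = infer_events(eavesdropper_view(trace))
    truth = true_events(readings)
    hits = inferred & truth
    precision = len(hits) / len(inferred) if inferred else 0.0
    recall = len(hits) / len(truth) if truth else 0.0
    return precision, recall


def base_station_events(trace):
    """The key holder decrypts and keeps only real event reports."""
    events = []
    for t, c in trace:
        pt = encrypt(DEMO_KEY, t, c)
        if pt[0] == TYPE_EVENT:
            events.append((t, int.from_bytes(pt[1:], "big")))
    return events


if __name__ == "__main__":
    for name, trace in (("periodic", periodic_trace(READINGS)),
                        ("event-based", event_based_trace(READINGS)),
                        ("event-based + cover", covered_event_trace(READINGS))):
        print(f"{name:22s} precision/recall of eavesdropper = {leak_score(READINGS, trace)}")
```

Under event-based reporting the eavesdropper recovers the event ticks exactly (precision 1.0) without touching the ciphertext; under periodic reporting or cover traffic every tick looks the same, so the guess degrades to "events happen all the time" (precision 3/16). The cost of the fix is the paper's resource argument in miniature: cover traffic spends the radio energy that event-based reporting was meant to save. Real deployments also leak through packet length, radio on-time and multihop forwarding patterns, so the wire format here is padded to a fixed length on purpose.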
The rest of the paper is organized as follows: In Section 2 we discuss the use of sensor networks in SCADA systems and emphasize the importance of securing sensor networks. Section 3 outlines the security properties of the sensor network as seen from the point of view of a network user. Our goal is to analyze global requirements, such as confidentiality, availability, integrity, and privacy of the network, instead of focusing only on the requirements for secure middleware (e.g., secure routing), as previous research has done. Section 4 describes the threat model. The goal is to provide a general framework to analyze threat models against the global security requirements by determining the conditions necessary for an attack to succeed and its estimated consequences. This framework gives us a way to identify and evaluate the things that can go wrong in the network. In Section 5 we study the security design space to identify best practices for the design and configuration of secure sensor networks. Our aim is to help a system designer decide how to best defend the deployed sensor network. Finally, Section 7 concludes the paper and describes challenges and future work.
Section snippets
A motivating example: Supervisory Control and Data Acquisition Systems
One of our main motivations is to understand the practical impact of security as sensor networks start transitioning from idealized concepts to concrete practical applications. In this section we present one example of a commercial application of sensor networks.
Supervisory Control and Data Acquisition (SCADA) systems are large-scale, distributed measurement (and control) networks. They are used to monitor or to control chemical or transport processes, municipal water supply systems,
Security requirements
We classify the goals of a sensor network into two classes: (1) gathering information from a set of sensors in different locations, and (2) preventing the use of the resources of a sensor network by an unauthorized party.
Availability and integrity represent the goals of using a sensor network: availability refers to the ability to collect data and integrity refers to our confidence that the data collected is correct.
Confidentiality and privacy represent the protection against the possible
Threat model
It is impossible to achieve perfect security. Not only will an all-powerful adversary defeat any security mechanism, but defending against, and responding to, every possible attack vector is prohibitively costly. Therefore, equally important to defining security (defining the security requirements) is defining what we are secure against (defining the threat model).
The goal of defining a threat model is to formalize our perceived risk. Risk is defined as the estimation of two quantities: (1) the
Assumptions and design space
The majority of research in the security of sensor networks has focused on implementing security mechanisms for devices with severe resource constraints and no online trusted third party. While this scenario covers a large class of practical sensor networks, it is important to realize that these are not the only sensor networks available. Sensor networks have been used for a wide variety of applications and systems with vastly varying requirements and characteristics. In a recent study [15],
Understanding the consequences of attacks against SCADA systems
While we believe that our models can be useful for modeling general sensor network deployments, in this final section we show an example of the role of sensor networks in SCADA systems.
Parallel to this work, we have been studying the consequences of attacks against control systems [31]. A proper threat assessment of control systems, and in particular, the role that sensor networks play in achieving the operational goals of the control system can help us integrate the ideas we introduced in this
Conclusions
In this paper, we presented a taxonomy with the aim to provide a holistic view of the security of sensor networks. We believe this research direction will provide a better understanding of the security issues and will help the network designer decide on the most effective security mechanisms under resource constraints. However, there are many research challenges that need to be addressed first, such as, developing a systematic analysis of the threat model and its relation to the security
Acknowledgements
We would like to thank Zong-Syun Lin, Saurabh Amin, Hsin-Yi Tsai, and Yu-Lun Huang for their work on the chemical reactor plant. We would also like to thank Kristofer Pister for discussions on the practical applications of sensor networks. This work was supported in part by TRUST (Team for Research in Ubiquitous Secure Technology), which receives support from the National Science Foundation (NSF award number CCF-0424422) and the following organizations: AFOSR (#FA9550-06-1-0244) Cisco, British
References (32)
- et al., Sizzle: a standards-based end-to-end security architecture for the embedded internet, Pervasive and Mobile Computing (2005).
- Hart, WirelessHart, <http://www.hartcomm2.org/frontpage/wirelesshart.html>...
- ISA, Wireless Systems for Automation, <http://www.isa.org/isasp100> [cited June, 2007]....
- et al., Lessons learned from the Maroochy water breach.
- U.S.G.A. Office, Critical infrastructure protection, Multiple efforts to secure control systems are under way, but...
- J. Eisenhauer, P. Donnelly, M. Ellis, M. O'Brien, Roadmap to secure control systems in the energy sector, energetics...
- N.W. Group, Internet security glossary, <http://rfc.net/rfc2828.html>, May...
- M. Manzo, T. Roosta, S. Sastry, Time synchronization attacks in sensor networks, in: SASN'05: Proceedings of the Third...
- T. Roosta, W.-C. Liao, W.-C. Teng, S. Sastry, Testbed implementation of a secure flooding time synchronization...
- J. Newsome, E. Shi, D. Song, A. Perrig, The Sybil attack in sensor networks: analysis and defenses, in: IPSN'04:...
- Ariadne: a secure on-demand routing protocol for ad hoc networks, Wireless Networks.
- On the distribution and revocation of cryptographic keys in sensor networks, IEEE Transactions on Dependable and Secure Computing.
- The design space of wireless sensor networks, IEEE Wireless Communications.
Cited by (99)
- Cyber-physical systems security: A systematic review, 2024, Computers and Industrial Engineering
- Threat modeling – A systematic literature review, 2019, Computers and Security
- A Control and Attack Detection Scheme for Fuzzy Systems Against Cyber-Attacks, 2023, IEEE International Conference on Fuzzy Systems
- Cyberattacker Profiles, Cyberattack Models and Scenarios, and Cybersecurity Ontology, 2023, Advances in Information Security
- Analysis of Vulnerability Trends and Attacks in OT Systems, 2023, Lecture Notes in Networks and Systems
Alvaro A. Cardenas received a B.S. with a major in electrical engineering and a minor in mathematics from the Universidad de los Andes, Bogota, Colombia, in 2002, and an M.S. and a Ph.D. in electrical and computer engineering from the University of Maryland, College Park, in 2002 and 2006, respectively. He is currently a postdoctoral scholar at the University of California, Berkeley. His research interests include information security, statistics, and machine learning. He received a two-year graduate school fellowship from the University of Maryland and a two-year distinguished research assistantship from the Institute of Systems Research.
Tanya Roosta received her B.S., M.S. and Ph.D. in electrical and computer sciences from the University of California at Berkeley. She also holds an M.A. from the University of California at Berkeley in statistics. She received the 3-year National Science Foundation fellowship for her graduate studies. Her research interests include sensor network security, fault detection, reputation systems, privacy issues associated with the application of sensors at home and health care, and sensor networks used in critical infrastructures. Her additional research interests include: robust statistics, outlier detection, statistical modeling, and the application of game theory to sensor network design.
Shankar Sastry received a B.Tech. from the Indian Institute of Technology, Bombay, in 1977, and an M.S. in EECS, an M.A. in mathematics, and a Ph.D. in EECS from the University of California at Berkeley, in 1979, 1980, and 1981, respectively. Dr. Sastry is currently the dean of the College of Engineering. He was formerly the director of CITRIS (Center for Information Technology Research in the Interest of Society) and the Banatao Institute. He served as the chair of the EECS Department, as the director of the Information Technology Office at DARPA, and as the director of the Electronics Research Laboratory at Berkeley, an organized research unit on the Berkeley campus conducting research in computer sciences and all aspects of electrical engineering. He is the NEC Distinguished Professor of Electrical Engineering and Computer Sciences and holds faculty appointments in the Departments of Bioengineering, EECS, and Mechanical Engineering.