Ad Hoc Networks

Volume 7, Issue 8, November 2009, Pages 1434-1447

Rethinking security properties, threat models, and the design space in sensor networks: A case study in SCADA systems

https://doi.org/10.1016/j.adhoc.2009.04.012

Abstract

In recent years we have witnessed the emergence and establishment of research in sensor network security. The majority of the literature has focused on discovering numerous vulnerabilities and attacks against sensor networks, along with suggestions for corresponding countermeasures. However, there has been little guidance for understanding the holistic nature of sensor network security for practical deployments. In this paper, we discuss these concerns and propose a taxonomy composed of the security properties of the sensor network, the threat model, and the security design space. In particular, we try to understand the application-layer goals of a sensor network, and provide a guide to research challenges that need to be addressed in order to prioritize our defenses against threats to application-layer goals.

Introduction

A quick look at the research literature on sensor networks does not offer a hopeful view of their security. There appear to be innumerable threats to sensor networks, such as the replication (cloning) attack, the Sybil attack, communication replay, wormhole attacks, time synchronization attacks, localization attacks, routing attacks, jamming, rushing of messages, aggregation attacks, false sensor data injection, reputation attacks, and many others.

Contributing to this grim outlook, sensor networks are generally presented as systems with very limited resources. Typical arguments include: (1) the hardware and energy constraints of sensor nodes severely limit their ability to implement traditional security solutions, (2) sensor nodes are left unattended and are therefore easily compromised, (3) there is no trusted infrastructure; therefore, distributed protocols must be resilient to Byzantine attackers, and (4) without an online trusted third party, it is difficult to bootstrap security associations.

As a result, if we implement a security countermeasure for each of the proposed attacks, the security overhead will overwhelm the (already scarce) available resources of the sensor network. In short, attempting to create a secure sensor network appears to be an impossible task.

This is not a problem unique to sensor networks, since obtaining perfect security is impossible in any system. The problem, however, is that deployments of sensor networks have been used chiefly for either (1) scientific purposes, where an adversary has little incentive to attack the sensors, or (2) military deployments, where very little public data is available. As a result, most of the academic research on the security of sensor networks has been done in abstract scenarios, where any assumption is valid, such as the type of threats the sensor network is exposed to, and the architecture and resource constraints of the sensor network.

However, recently sensor networks have found their way into real commercial applications. This offers us the opportunity to use concrete practical scenarios and avoid making assumptions about abstract deployments.

In this paper we begin to address these problems and we identify some key research challenges:

  • Providing the background setting for the security of sensor networks in Supervisory Control and Data Acquisition (SCADA) systems. Identifying (1) the common architecture and resource constraints of the sensor networks, and (2) the incentives and methods an attacker can follow.

  • Providing a holistic view of the security requirements and threat models of sensor networks. We express our holistic view with two considerations: (1) we focus on high-level security goals (we argue that previous research has focused on low-level security goals), and (2) we introduce a class of physical attacks (previous research has focused mostly on cyber-attacks).

  • Providing a ranking of threats and security mechanisms. While our rankings may not be general enough, we believe our taxonomy is an important first step to better understand the threats against a sensor network and to understand our priorities for protecting them.

  • Defining the high-level security goals of a sensor network. While terms like availability and integrity tend to be understood informally, we provide a new interpretation of these properties in sensor networks.

  • Identifying different ways that sensor measurements are reported back to the base station: event-based reporting can compromise the confidentiality of the network even when standard encryption algorithms are used, because the timing of transmissions reveals when events occur.
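The confidentiality leak in the last bullet, as an added illustration (this code is not from the paper): a node that transmits only when a reading crosses a threshold reveals the event times to a passive observer who sees nothing but when frames go on the air and how long they are, even though every payload is encrypted. The readings, the threshold, the key and the link cipher are all constructed for the example; the HMAC-SHA256 counter-mode keystream stands in for whatever cipher a deployment actually uses, and the leak does not depend on which one it is.

```python
"""Traffic-analysis leak from event-triggered reporting.

Added illustration, not code from the paper: an eavesdropper who cannot
read ciphertexts still learns when events happen if a node transmits only
on events. Periodic, fixed-size reporting closes that channel at an energy
cost. The link cipher is a demo keystream built from HMAC-SHA256 in counter
mode; the leak does not depend on the cipher.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

LINK_KEY = os.urandom(16)   # hypothetical per-node link key
FRAME_LEN = 16              # fixed on-air payload size for periodic reporting


def keystream_xor(key: bytes, slot: int, data: bytes) -> bytes:
    """XOR data with a per-slot keystream (encrypt and decrypt are the same op). Demo only."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        block = slot.to_bytes(8, "big") + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


@dataclass(frozen=True)
class Frame:
    slot: int            # time slot in which the frame went on the air
    ciphertext: bytes    # together with slot and length, all the eavesdropper captures


def report_on_event(readings, threshold, key=LINK_KEY):
    """Event-based reporting: a frame is sent only when a reading exceeds the threshold."""
    frames = []
    for slot, value in enumerate(readings):
        if value > threshold:
            msg = f"slot={slot} value={value}".encode()
            frames.append(Frame(slot, keystream_xor(key, slot, msg)))
    return frames


def report_periodically(readings, key=LINK_KEY, frame_len=FRAME_LEN):
    """Periodic reporting: a fixed-size frame every slot, whether or not anything happened."""
    frames = []
    for slot, value in enumerate(readings):
        msg = f"slot={slot} value={value}".encode().ljust(frame_len, b"\0")
        frames.append(Frame(slot, keystream_xor(key, slot, msg)))
    return frames


def eavesdropper_view(frames):
    """What a passive radio observer gets without the key: (slot, length) per frame."""
    return sorted((f.slot, len(f.ciphertext)) for f in frames)


def infer_events(frames, n_slots):
    """Guess event slots from traffic alone: a frame in a slot means 'something happened'.

    With periodic reporting every slot carries a frame, so the guess degenerates
    to all slots and the observer learns nothing about the events."""
    seen = {slot for slot, _ in eavesdropper_view(frames)}
    return sorted(seen & set(range(n_slots)))


def decrypt_frame(frame, key=LINK_KEY):
    """Base-station side: recover the plaintext and strip padding."""
    return keystream_xor(key, frame.slot, frame.ciphertext).rstrip(b"\0")


# Constructed readings: background around 20, three alarms above the threshold.
READINGS = [20, 21, 20, 95, 22, 20, 98, 97, 21, 20]
THRESHOLD = 50
TRUE_EVENTS = [slot for slot, v in enumerate(READINGS) if v > THRESHOLD]  # [3, 6, 7]


if __name__ == "__main__":
    ev = report_on_event(READINGS, THRESHOLD)
    pe = report_periodically(READINGS)
    print("event-based, eavesdropper infers:", infer_events(ev, len(READINGS)))
    print("periodic,    eavesdropper infers:", infer_events(pe, len(READINGS)))
    print("base station reads:", [decrypt_frame(f) for f in ev])
```

Periodic, fixed-size reporting removes the timing channel but spends energy on frames that carry nothing, which is exactly the kind of resource trade-off the paper asks designers to weigh; dummy traffic or randomized transmission delays are intermediate options with their own latency and energy costs.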

The rest of the paper is organized as follows: In Section 2 we discuss the use of sensor networks in SCADA systems and emphasize the importance of securing sensor networks. Section 3 outlines the security properties of the sensor network as seen from the point of view of a network user. Our goal is to analyze global requirements, such as confidentiality, availability, integrity, and privacy of the network, instead of focusing only on the requirements for secure middleware (e.g., secure routing) as previous research has done. Section 4 describes the threat model. The goal is to provide a general framework to analyze the threat models against the global security requirements by determining the conditions necessary for an attack to succeed and its estimated consequences. This framework gives us a way to identify and evaluate the things that can go wrong in the network. In Section 5 we study the security design space to identify best practices for the design and configuration of secure sensor networks. Our aim is to help a system designer decide how to best defend the deployed sensor network. Finally, Section 7 concludes the paper and describes challenges and future work.
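An added worked example of the Section 4 threat-model framework and the Section 5 design-space question as the roadmap above describes them (illustrative code, not from the paper): each threat carries the conditions an attacker must meet for it to succeed and an estimated consequence for a high-level goal, attacker profiles are capability sets with a weight, and a countermeasure is modelled as an extra condition it imposes on the threats it covers. Risk is taken as weighted feasibility times consequence. The attack names come from the paper's own list; the conditions, weights, costs and budget are assumptions made for the example.

```python
"""Threat-model bookkeeping for a sensor network.

Added illustration, not code from the paper: a threat is recorded with the
conditions an attacker must satisfy for it to succeed and its estimated
consequence; attacker profiles are capability sets with a weight; a
countermeasure extends the conditions of the threats it covers. Risk is
weighted feasibility times consequence. All names, weights, costs and the
budget are constructed for the example.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Threat:
    name: str
    goal: str              # high-level goal attacked: availability, integrity, confidentiality
    needs: frozenset       # conditions the attacker must satisfy for the attack to succeed
    consequence: float     # estimated consequence if it succeeds (relative scale)


@dataclass(frozen=True)
class Attacker:
    name: str
    has: frozenset         # capabilities of this attacker profile
    weight: float          # assumed likelihood of facing this profile


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float            # resource cost, as a fraction of the node's security budget
    adds: str              # extra condition an attacker must now satisfy
    covers: frozenset      # names of the threats it applies to


# Constructed catalogue: attack names from the paper's list, numbers assumed.
THREATS = (
    Threat("jamming", "availability", frozenset({"radio_proximity"}), 0.6),
    Threat("false data injection", "integrity", frozenset({"radio_proximity"}), 0.9),
    Threat("message replay", "integrity", frozenset({"radio_proximity"}), 0.5),
    Threat("node replication", "integrity", frozenset({"physical_access"}), 0.8),
    Threat("eavesdropping", "confidentiality", frozenset({"radio_proximity"}), 0.3),
)

ATTACKERS = (
    Attacker("outsider with a radio", frozenset({"radio_proximity"}), 0.6),
    Attacker("insider with site access", frozenset({"radio_proximity", "physical_access"}), 0.3),
    Attacker("funded adversary",
             frozenset({"radio_proximity", "physical_access", "wideband_jammer"}), 0.1),
)

COUNTERMEASURES = (
    Countermeasure("link-layer encryption and MAC", 0.20, "link_key",
                   frozenset({"false data injection", "eavesdropping"})),
    Countermeasure("authenticated replay counters", 0.05, "link_key",
                   frozenset({"message replay"})),
    Countermeasure("tamper-evident enclosure", 0.15, "defeat_tamper_seal",
                   frozenset({"node replication"})),
    Countermeasure("frequency hopping", 0.25, "wideband_jammer",
                   frozenset({"jamming"})),
)


def apply_countermeasures(threats, chosen):
    """Return the catalogue with the chosen countermeasures' conditions added to each threat."""
    out = []
    for t in threats:
        needs = set(t.needs)
        for cm in chosen:
            if t.name in cm.covers:
                needs.add(cm.adds)
        out.append(Threat(t.name, t.goal, frozenset(needs), t.consequence))
    return tuple(out)


def feasible(threat, attacker):
    """An attack succeeds only if the attacker meets every one of its conditions."""
    return threat.needs <= attacker.has


def threat_risk(threat, attackers):
    """Weighted consequence of one threat over the profiles that can mount it."""
    return sum(a.weight * threat.consequence for a in attackers if feasible(threat, a))


def total_risk(threats, attackers):
    return sum(threat_risk(t, attackers) for t in threats)


def rank_threats(threats, attackers):
    """Threats ordered by their risk contribution, highest first."""
    return sorted(threats, key=lambda t: threat_risk(t, attackers), reverse=True)


def best_plan(threats, attackers, countermeasures, budget):
    """Exhaustive search over countermeasure subsets within budget: (names, residual risk)."""
    best = (frozenset(), total_risk(threats, attackers))
    for r in range(1, len(countermeasures) + 1):
        for combo in combinations(countermeasures, r):
            if sum(cm.cost for cm in combo) > budget + 1e-9:
                continue
            residual = total_risk(apply_countermeasures(threats, combo), attackers)
            if residual < best[1] - 1e-9:
                best = (frozenset(cm.name for cm in combo), residual)
    return best


if __name__ == "__main__":
    for t in rank_threats(THREATS, ATTACKERS):
        print(f"{t.name:22s} {t.goal:16s} risk={threat_risk(t, ATTACKERS):.2f}")
    names, residual = best_plan(THREATS, ATTACKERS, COUNTERMEASURES, budget=0.40)
    print("plan:", sorted(names), f"residual risk={residual:.2f}")
```

The exhaustive subset search is fine for a handful of candidate mechanisms; what matters for the paper's argument is that the ranking changes with the attacker profiles and their weights, so the same catalogue yields a different plan for a remote scientific deployment than for a plant where an insider is plausible.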

Section snippets

A motivating example: Supervisory Control and Data Acquisition Systems

One of our main motivations is to understand the practical impact of security as sensor networks start transitioning from idealized concepts to concrete practical applications. In this section we present one example of a commercial application of sensor networks.

Supervisory Control and Data Acquisition (SCADA) systems are large-scale, distributed measurement (and control) networks. They are used to monitor or to control chemical or transport processes, municipal water supply systems,

Security requirements

We classify the goals of a sensor network into two classes: (1) gathering information from a set of sensors in different locations, and (2) preventing the use of the resources of a sensor network by an unauthorized party.

Availability and integrity represent the goals of using a sensor network: availability refers to the ability to collect data and integrity refers to our confidence that the data collected is correct.

Confidentiality and privacy represent the protection against the possible

Threat model

It is impossible to achieve perfect security. Not only will an all-powerful adversary defeat any security mechanism, but defending against, and responding to, every possible attack vector is prohibitively costly. Therefore, defining what we are secure against (the threat model) is just as important as defining what security means (the security requirements).

The goal of defining a threat model is to formalize our perceived risk. Risk is defined as the estimation of two quantities: (1) the

Assumptions and design space

The majority of research in the security of sensor networks has focused on implementing security mechanisms for devices with severe resource constraints and no online trusted third party. While this scenario covers a large class of practical sensor networks, it is important to realize that these are not the only sensor networks available. Sensor networks have been used for a wide variety of applications and systems with vastly varying requirements and characteristics. In a recent study [15],

Understanding the consequences of attacks against SCADA systems

While we believe that our models can be useful to model general sensor network deployments, in this final section we show an example of the role of sensor networks in SCADA systems.

Parallel to this work, we have been studying the consequences of attacks against control systems [31]. A proper threat assessment of control systems, and in particular, the role that sensor networks play in achieving the operational goals of the control system can help us integrate the ideas we introduced in this

Conclusions

In this paper, we presented a taxonomy with the aim to provide a holistic view of the security of sensor networks. We believe this research direction will provide a better understanding of the security issues and will help the network designer decide on the most effective security mechanisms under resource constraints. However, there are many research challenges that need to be addressed first, such as, developing a systematic analysis of the threat model and its relation to the security

Acknowledgements

We would like to thank Zong-Syun Lin, Saurabh Amin, Hsin-Yi Tsai, and Yu-Lun Huang for their work on the chemical reactor plant. We would also like to thank Kristofer Pister for discussions on the practical applications of sensor networks. This work was supported in part by TRUST (Team for Research in Ubiquitous Secure Technology), which receives support from the National Science Foundation (NSF award number CCF-0424422) and the following organizations: AFOSR (#FA9550-06-1-0244) Cisco, British

References (32)

  • V. Gupta et al., Sizzle: a standards-based end-to-end security architecture for the embedded internet, Pervasive and Mobile Computing (2005)
  • HART, WirelessHART, <http://www.hartcomm2.org/frontpage/wirelesshart.html>...
  • ISA, Wireless Systems for Automation, <http://www.isa.org/isasp100> [cited June, 2007]...
  • J. Slay et al., Lessons learned from the Maroochy water breach
  • U.S. Government Accountability Office, Critical infrastructure protection: Multiple efforts to secure control systems are under way, but...
  • J. Eisenhauer, P. Donnelly, M. Ellis, M. O'Brien, Roadmap to secure control systems in the energy sector, Energetics...
  • Network Working Group, Internet security glossary, RFC 2828, <http://rfc.net/rfc2828.html>, May...
  • M. Manzo, T. Roosta, S. Sastry, Time synchronization attacks in sensor networks, in: SASN'05: Proceedings of the Third...
  • T. Roosta, W.-C. Liao, W.-C. Teng, S. Sastry, Testbed implementation of a secure flooding time synchronization...
  • J. Newsome, E. Shi, D. Song, A. Perrig, The Sybil attack in sensor networks: analysis and defenses, in: IPSN'04:...
  • J.R. Douceur, The Sybil attack, in: IPTPS'01: Revised Papers from the First International Workshop on Peer-to-Peer...
  • B. Parno, A. Perrig, V. Gligor, Distributed detection of node replication attacks in sensor networks, in: IEEE...
  • A.A. Cárdenas, S. Radosavac, J.S. Baras, Performance comparison of detection schemes for MAC layer misbehavior, in:...
  • Y.-C. Hu et al., Ariadne: a secure on-demand routing protocol for ad hoc networks, Wireless Networks (2005)
  • H. Chan et al., On the distribution and revocation of cryptographic keys in sensor networks, IEEE Transactions on Dependable and Secure Computing (2005)
  • K. Römer et al., The design space of wireless sensor networks, IEEE Wireless Communications (2004)
Cited by (99)

  • Cyber-physical systems security: A systematic review, Computers and Industrial Engineering (2024)
  • A Control and Attack Detection Scheme for Fuzzy Systems Against Cyber-Attacks, IEEE International Conference on Fuzzy Systems (2023)
  • Analysis of Vulnerability Trends and Attacks in OT Systems, Lecture Notes in Networks and Systems (2023)

Alvaro A. Cardenas received a B.S. with a major in electrical engineering and a minor in mathematics from the Universidad de los Andes, Bogota, Colombia, in 2002, and an M.S. and a Ph.D. in electrical and computer engineering from the University of Maryland, College Park, in 2002 and 2006, respectively. He is currently a postdoctoral scholar at the University of California, Berkeley. His research interests include information security, statistics, and machine learning. He received a two-year graduate school fellowship from the University of Maryland and a two-year distinguished research assistantship from the Institute of Systems Research.

Tanya Roosta received her B.S., M.S. and Ph.D. in electrical and computer sciences from the University of California at Berkeley. She also holds an M.A. from the University of California at Berkeley in statistics. She received the 3-year National Science Foundation fellowship for her graduate studies. Her research interests include sensor network security, fault detection, reputation systems, privacy issues associated with the application of sensors at home and health care, and sensor networks used in critical infrastructures. Her additional research interests include: robust statistics, outlier detection, statistical modeling, and the application of game theory to sensor network design.

Shankar Sastry received a B.Tech. from the Indian Institute of Technology, Bombay, in 1977, and an M.S. in EECS, an M.A. in mathematics, and a Ph.D. in EECS from the University of California at Berkeley, in 1979, 1980, and 1981, respectively. Dr. Sastry is currently the dean of the College of Engineering. He was formerly the director of CITRIS (Center for Information Technology Research in the Interest of Society) and the Banatao Institute. He served as the chair of the EECS Department, as the director of the Information Technology Office at DARPA, and as the director of the Electronics Research Laboratory at Berkeley, an organized research unit on the Berkeley campus conducting research in computer sciences and all aspects of electrical engineering. He is the NEC Distinguished Professor of Electrical Engineering and Computer Sciences and holds faculty appointments in the Departments of Bioengineering, EECS, and Mechanical Engineering.
