Abstract
This work presents a probabilistic symbolic formal method, based on queuing networks, forchecking the robustness of security protocols. The method has been developed to verify thesecurity promises of availability and synchronisation of state between devices, instead of thosethat are traditional analysed such as confidentiality/secrecy, integrity, authentication, (CIA)and non-repudiation. This research uses a network of M/M/c/K queues to model packetstravelling through the state machine of a device, or between networked devices. This method-ology allows for the modelling of distributed systems, which are been computationally hard forother methods in this domain. The method relaxes the level of proof required for a symbolicformal method to calculating the likelihood that a promise is violated. The reduction in proofand complexity translates to modelling either the most likely state of the system. However,unlike other formal methods, the granularity of queuing network doesn’t encapsulate messagecontent.This method builds upon on the work of Osorio & Bierlaire by presenting an implementa-tion with additional state space configurations and probability distributions, along with proofsof completeness and correctness for the implementation. The additional state space configu-rations provide a view of the total number of packets in each queue; the ordering of differenttypes of packets in a queue; and the number of packets in each stage of the queue.The second part of this thesis present a series of security vulnerabilities discovered withinthe IEC61850 substation automation standard (SAS), and its supplementary security standardIEC62351, using the queuing network methodology. These smart grid (SG) standards were cho-sen as a testbed for finding robustness attacks within a protocol because their primary concernis with the safe and efficient operation of the SG, which means that the focus is on quality ofservice (QoS) promises, that enforce hard real time limits on the data communication acrossthe network, over security. However, some of the decisions made to ensure the QoS are metsuch as the omission of acknowledgement messages and requests for retransmission, may alsoundermine the robustness promises. The SG sector has historically been dependent on therelative obscurity of the standards to limit the attack surface of these communication networks,but the introduction of TCP/IP technologies and the increase in complexity of the standards,to allow for two-way communication between devices, has greatly undermined this approach.This increase in attack surface has been demonstrated in recent years with the stuxnet andcrash overide attacks.Using the queuing network method against these standards allowed the author to developdomain specific attacks, instead of searching for attacks usually deployed against traditionalinternet technologies. The philosophical approach used in this research was to develop modelsof how the devices reach undesirable states, before describing what level of access and abilitiesthe adversary required to implement the attack. This approach is agnostic to the adversary’smethods of entry and techniques used execute the abilities.During the course of this research project the queuing network was used to show that a re-stricted adversary can cause a desynchronisation of state between devices during the issuanceof IEC61850 control commands and the desynchronisation of a device from a timing source withthe correct accuracy. The method was also used to show probability of success of a maliciouslyinjected Generic Object Oriented Substation Events (GOOSE) message to cause a denial ofservice attack. A context-free grammar was used to demonstrate how a race condition in theIEC61850’s association model can be used in a credential intercept attack. These attacks werepublished across five papers.
Original language | English |
---|---|
Qualification | Ph.D. |
Awarding Institution |
|
Supervisors/Advisors |
|
Award date | 1 Nov 2020 |
Publication status | Published - 2020 |