Abstract
In this paper, we propose a new method for threat modelling of industrial control systems (ICS). The method is designed to be flexible and easy to use. Model elements inspired by IEC 62443 and Data Flow Diagrams (DFD) are used to create a model of the ICS under consideration. Starting from this model, threats are identified by investigating how the confidentiality, integrity and availability of different functions in the ICS can be attacked. Finally, threats are prioritised and mitigations are proposed for those threats that are not accepted by the ICS owner. We briefly illustrate the use of the method on a simplified and fictitious power grid secondary substation case.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Alexander, O., Belisle, M., Steele, J.: Mitre att &ckŸ for Industrial Control Systems: Design and Philosophy, p. 29 . The MITRE Corporation, Bedford, MA, USA (2020)
FlĂ„, L.H., Borgaonkar, R., TĂžndel, I.A., Jaatun, M.G.: Tool-assisted threat modeling for smart grid cyber security. In: 2021 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), pp. 1â8. IEEE (2021)
French, S.: Cyhazopâbringing cyber to the hazop. https://risktec.tuv.com/risktec-knowledge-bank/business-continuity-management/cyhazop-bringing-cyber-to-the-hazop/. Accessed 7 April 2023
Holik, F., FlÄ, L.H., Jaatun, M.G., Yayilgan, S.Y., Foros, J.: Threat modeling of a smart grid secondary substation. Electronics 11(6), 850 (2022)
IEC: Industrial Communication NetworksâNetwork and System SecurityâPart 2-1: Establishing an Industrial Automation and Control System Security Program. Geneva. International Electrotechnical Commission (2010)
IEC: Security for Industrial Automation and Control Systems. Part 4-2: Technical Security Requirements for IACS Components. International Electrotechnical Commission, Geneva (2019)
IEC: Security for Industrial Automation and Control Systems. Part 3-2: Security Risk Assessment for System Design. International Electrotechnical Commission, Geneva (2020)
IEC: Industrial Communication NetworksâNetwork and System SecurityâPart 3-3: System Security Requirements and Security Levels. International Electrotechnical Commission, Geneva (2021)
Jamil, A.M., Ben Othmane, L., Valani, A.: Threat modeling of cyber-physical systems in practice. In: Risks and Security of Internet and Systems: 16th International Conference, CRiSIS 2021, Virtual Event, Ames, USA, November 12â13, 2021, Revised Selected Papers, pp. 3â19. Springer (2022)
Jbair, M., Ahmad, B., Maple, C., Harrison, R.: Threat modelling for industrial cyber physical systems in the era of smart manufacturing. Comput. Ind. 137, 103611 (2022)
Khalil, S.M., Bahsi, H., OchiengâDola, H., KorĂ”tko, T., McLaughlin, K., Kotkas, V.: Threat modeling of cyber-physical systems-a case study of a microgrid system. Comput. Secur. 124, 102950 (2023)
Khan, R., McLaughlin, K., Laverty, D., Sezer, S.: Stride-based threat modeling for cyber-physical systems. In: 2017 IEEE PES Innovative Smart Grid Technologies Conference Europe (ISGT-Europe), pp. 1â6 (2017). https://doi.org/10.1109/ISGTEurope.2017.8260283
Kim, K.H., Kim, K., Kim, H.K.: Stride-based threat modeling and dread evaluation for the distributed control system in the oil refinery. ETRI J. (2022)
Kohnfelder, L., Garg, P.: The threats to our products. https://shostack.org/files/microsoft/The-Threats-To-Our-Products.docx. Accessed 3 June 2023
Sion, L., Yskout, K., Van Landuyt, D., van Den Berghe, A., Joosen, W.: Security threat modeling: are data flow diagrams enough? In: Proceedings of the IEEE/ACM 42nd International Conference on Software Engineering Workshops, pp. 254â257 (2020)
Swiderski, F., Snyder, W.: Threat Modeling. Microsoft Press, Redmond, WA (2004)
Young, W., Leveson, N.: Systems thinking for safety and security. In: Proceedings of the 29th Annual Computer Security Applications Conference, pp. 1â8 (2013)
Acknowledgements
This work has been supported by WP2 of CINELDIâCentre for intelligent electricity distribution, an 8-year Research Centre under the FME-scheme (Centre for Environment-friendly Energy Research, 257626/E20). The authors gratefully acknowledge the financial support from the Research Council of Norway and the CINELDI WP2 partners.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
FlÄ, L.H., Jaatun, M.G. (2024). A Method for Threat Modelling of Industrial Control Systems. In: Onwubiko, C., et al. Proceedings of the International Conference on Cybersecurity, Situational Awareness and Social Media. CYBER SCIENCE 2023. Springer Proceedings in Complexity. Springer, Singapore. https://doi.org/10.1007/978-981-99-6974-6_13
Download citation
DOI: https://doi.org/10.1007/978-981-99-6974-6_13
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-6973-9
Online ISBN: 978-981-99-6974-6
eBook Packages: Physics and AstronomyPhysics and Astronomy (R0)