
Cyber Physical Security for Industrial Control Systems and IoT
Article in IEICE Transactions on Information and Systems, April 2016. DOI: 10.1587/transinf.2015ICI0001
Kazukuni Kobara, National Institute of Advanced Industrial Science and Technology
ResearchGate record: https://www.researchgate.net/publication/299542268 (uploaded by the author on 23 July 2017)


IEICE TRANS. INF. & SYST., VOL.E99–D, NO.4 APRIL 2016
787

INVITED PAPER Special Section on Information and Communication System Security

Cyber Physical Security for Industrial Control Systems and IoT

Kazukuni KOBARA†a), Member

SUMMARY Cyber-attacks and cybersecurity used to be issues only for those who use the Internet and computers. The issues, however, are expanding to people who do not even use them directly. Society is gradually and heavily coming to depend on networks and computers. They are no longer closed within cyberspace; they interact with our real world through sensors and actuators. Such systems are known as CPS (Cyber Physical Systems), IoT/E (Internet of Things/Everything), Industry 4.0, Industrial Internet, M2M, etc. No matter what they are called, exploitation of any of these systems may seriously affect our real life, and appropriate countermeasures must be taken to mitigate the risks. In this paper, cybersecurity in ICS (Industrial Control Systems) is reviewed as a leading example of cyber physical security for critical infrastructures. Then, as a future aspect of it, IoT security for consumers is explained.
key words: security, Cyber Physical System, Industrial Control System, IoT, M2M

1. Introduction

Future society will heavily depend on computers and networks in every aspect. This has already become, or is becoming, true in most social infrastructures based on ICS (Industrial Control Systems), which include critical manufacturing, the chemical industry (dealing with hazardous materials), smart systems for power grids, energy networks, cities, homes, agriculture, healthcare, automotive and so on. In a broad sense, they are also known as CPS (Cyber Physical Systems), IoT/E (Internet of Things/Everything), Industry 4.0, Industrial Internet, M2M and so on, and share the common feature that they consist of sensors and actuators and have interfaces and interactions with our physical world. The consequences of cyberattacks on such systems will not be confined within cyberspace but will flood into our real life.

Taking this situation into account, this paper reviews cybersecurity in ICS as a leading example of such cyber physical security, and then considers its future. In Sect. 2, the situation of ICS is explained. In Sect. 3, their security threats and countermeasures are summarized. Then, cyber physical security in the future, especially of IoT for consumers, is considered in Sect. 4, and the paper is concluded in Sect. 5.

Manuscript received October 22, 2015.
Manuscript revised December 19, 2015.
Manuscript publicized January 13, 2016.
†The author is with the National Institute of Advanced Industrial Science and Technology (AIST), Tsukuba-shi, 305–8568 Japan.
a) E-mail: kobara conf-ml@aist.go.jp
DOI: 10.1587/transinf.2015ICI0001

2. Industrial Control System

In this section, we explain the situation and features of ICS in terms of security by introducing an example of a typical ICS configuration.

2.1 Example of ICS Configuration

Even though ICS configurations are rich in variety in practice, an example is shown in Fig. 1 to give a rough image of an ICS. In this figure, actuators and sensors are connected to field/sensor networks (or data buses), which are usually proprietary and industry specific. The sensors and actuators are controlled and managed by controllers such as PLC (Programmable Logic Controller) and DCS (Distributed Control System). These controllers are also connected to a control system network, which is used to manage the sensors, actuators and their controllers, e.g. to change set points by way of an HMI (Human Machine Interface), to update their logic or programs by way of an EWS (Engineering Work Station), to collect logs in a Historian, and to supervise them by SCADA (Supervisory Control And Data Acquisition) systems and so on.

Control system networks usually consist of Industrial Ethernet, which is compatible with standard Ethernet protocols but whose hardware is designed for real time processing and harsh environments. To manage production or operation, some information is usually exchanged between corporate networks and control system networks, and some maintenance might be performed remotely, which is called remote maintenance.

Fig. 1 An example of ICS configuration

Copyright © 2016 The Institute of Electronics, Information and Communication Engineers

Fig. 2 OS ratio in ICS [1]

Fig. 3 Network connectivity of ICS [1]

2.2 Features of ICS in Terms of Security

One of the most significant features of ICS is that they have interfaces with the real world, and due to this they might cause serious problems in our real life after exploitation by attackers and crackers. Other features include:
1) Availability usually has higher priority than confidentiality and integrity.
2) Their life cycle is longer than that of usual ICT (Information and Communication Technologies).
3) They are loosely isolated from the Internet.
4) Proprietary and/or specific purpose protocols and operating systems are used.

Due to 1) and 2), conventional ICT countermeasures are not necessarily applicable as they are. E.g. rapid and frequent patching of bugs is not suitable for some sensitive ICS, since patching may deteriorate the compatibility with minor device drivers or the performance the system must satisfy, though patching is a must and a fundamental countermeasure in ICT.

Due to 3) and 4), ICS did not use to be a major target of cyberattacks. The situation, however, has been changing. Proprietary and/or specific purpose protocols and operating systems are gradually being replaced with general purpose ones with which adversaries are familiar. Isolated environments are gradually getting connected to other networks. As shown in Fig. 2 and Fig. 3, the major OS in ICS was Windows, followed by Unix, Linux and RTOS (Real Time OS), and more than one third of them were connected to a network as of 2008 [1]. This trend will be inherited by smart manufacturing, Industry 4.0, Industrial Internet and so on, where more ICT technologies are introduced.

On the other hand, the trend of cyberattacks is also changing. Their purposes are shifting from fun and curiosity to moneymaking, terrorism, cyberwar and so on, to impose adversaries' demands. Their methodologies are becoming persistent rather than casual, while changing their targets from the general public to intended organizations such as critical infrastructures and their related organizations. Their system targets now cover even isolated environments, proprietary and industry specific protocols, software and operating systems.

In fact, the number of incidents and vulnerabilities reported to ICS-CERT [2] is increasing as shown in Fig. 4 after the epoch-making incident Stuxnet [3], which targeted industry specific software and a closed network and then ruined centrifuges for nuclear material in Iran in 2010. A similar trend can also be observed in the repository of industrial security incidents [4].

Fig. 4 Number of reported ICS incidents and vulnerabilities for Fiscal Years

3. Cybersecurity Threats and Countermeasures in ICS

In this section, major cybersecurity threats and their countermeasures for ICS are summarized in Sect. 3.2 to 3.4, while a visualization method for their relationship is introduced in Sect. 3.1.

Publicly available major tools are introduced in Sect. 3.2 to 3.4. While these tools might be abused for attacks, and some readers might think that this information should be hidden, that is not a recommended strategy. These tools are fundamental for adversaries, who use more powerful and tailored ones. The protection side should recognize this and confirm that the potential targets can resist at least these fundamental tools.

3.1 Relationship between Security Risks and Countermeasures

One of the most difficult parts of managing potential security risks is to identify an optimal set of effective countermeasures against security threats, taking into account their costs, performance deterioration, interoperability with current and future systems, management styles and so on. Inappropriate or too few countermeasures may cause security problems, and the cost of expensive over-spec countermeasures may exceed the expected damage by the security threats. In order to look for an optimal set of countermeasures, it is important to grasp the relationship between security threats and their countermeasures, and this can be intuitively depicted by visualization.

One approach to express security risks visually is to create an attack tree, which shows a problem as the root and its sources as the leaves. The weaknesses of attack trees, however, are that they express neither which paths are most risky and which are not, nor which countermeasures are effective against which paths. To overcome these weaknesses, we propose to improve the attack tree by adding the following expressions (we call it an extended attack tree):
1) The severity level of each stage (node).
2) The transferability from one stage to another.
3) Countermeasures and their effects.

In the examples Fig. 5 and Fig. 6, the red part represents an attack tree and the above expressions are added as follows. The severity is expressed as the darkness of the color of the stages. The transferability is expressed as the thickness of the line between stages. While the severity and the transferability in Fig. 5 are divided into four and three levels, respectively, their precision should be customized depending on the application. Countermeasures are divided into prior and posterior. In Fig. 5, they are colored in green and purple, respectively, with arrows or lines to the stages they are related to. In the case of monochrome, their texture should be changed instead of the colors. Gray boxes are used for notes, and in Fig. 6 the notes show the related subsections in this paper, with dotted black lines as the separators.

Fig. 5 Example of enrichment for attack tree

Fig. 6 An example of relationship between cybersecurity threats and countermeasures

The risks are expressed as the combination of the severity level and the transferability to reach that severity level. Once risks are identified, one can take the actions 1) Reduce, 2) Accept, 3) Transfer and 4) Avoid on them. Reduction of risks is achieved by application of prior and posterior countermeasures. If the residual risks are small, they may

be acceptable by preparing risk finances for them. If they are not acceptable even after the reduction, they should be transferred to insurance or outsourcing. If even transfer is not possible, one should consider avoiding the services or projects causing the unacceptable residual risks.

Figure 6 is an example to illustrate this concept, and the precise relationship among security threats and their countermeasures should be created in each industry or application area with collaboration among its stakeholders. The created one should then be used in the area or industry as a common reference. Optimal sets of countermeasures, however, vary in each organization or product depending on the management policy and so on. It is not necessarily recommended to apply all the available countermeasures without taking the cost, performance deterioration, compatibility with current and future systems, management styles and so on into account, especially in a constrained environment like ICS.

The check box in the upper left corner of each countermeasure shows which countermeasures are not taken, and which ones are taken instead, in the search for an optimal set of countermeasures. While conventional security check lists assume that all the terms should be satisfied, and it is not clear what will happen and what to do when some of the terms are not satisfied, the check boxes here in the extended attack tree support risk control by looking for alternatives, or by deciding whether the residual risks are acceptable or not, when some countermeasures are hard to satisfy.

In the following subsections, security risks and their countermeasures are explained more concretely.

3.2 Risks and Countermeasures around Remote Access

This subsection corresponds with the upper right area in Fig. 6. Some ICS open communication ports that are accessible from the Internet for remote maintenance, and these will be the targets analyzed here.

In most cases, the first step of cyberattacks is reconnaissance of targets [5], which remotely scouts the targets' profile and configurations, including not only networks and systems but also internal information such as operators and their operational roles. In the case of APT (Advanced Persistent Threats), this phase is performed elaborately and persistently.

While port and vulnerability scanners such as Nmap [6] and Nessus [7]/OpenVAS [8] have been popular for looking for open ports, services and their vulnerabilities from the Internet, another approach utilizing dedicated search engines such as SHODAN [9] and ERIPP† [10] has been becoming serious, since they can easily list up vulnerable targets right after a vulnerability is discovered in a service. They create a database of IP addresses, port numbers and the contents displayed after connection, such as banners, HTML title tags, etc. Then IP addresses and port numbers can be searched from a keyword related to the service. ERIPP currently covers only port 80, and SHODAN covers more ports, including the port numbers used in ICS. To enhance the usability of these search results, some projects map the rough location of identified vulnerable services and devices [11]–[13].

If the targets do not have publicly known vulnerabilities, further vulnerabilities are examined. Some modern ICS devices or services provide Web interfaces, which might be vulnerable to SQL/OS command injections or cross site exploits including cross site scripting, cross site request forgery and so on. They may also be equipped with inappropriate remote access control, such as default IDs and passwords, or bypassing mechanisms for their authentication and access control schemes. ICS and embedded devices tend to be used with their default IDs and passwords, which are publicly available at various sites including [14]. Bypassing mechanisms may be prepared to deal with password loss, and this information may be either written in a manual or discussed on the Internet [15], [16].

Needless to say, a must countermeasure against reconnaissance from the Internet is to place devices and servers behind a firewall or a security gateway. While this is basic, a considerably high number of them are still accessible from the Internet, as shown by SHODAN etc.

To grasp the reconnaissance activities on them, ICS/SCADA honeypots are useful. They mimic the behavior of common industrial control protocols and then monitor the activities on them. Such honeypots can be constructed using CONPOT [17], etc. For telnet-based devices, which are common in certain types of IoT devices, IoTPOT is available [18].

Against Web exploitation, Web applications should ideally be created so as to avoid the above vulnerabilities. If they have already been created, their vulnerabilities should be examined with Web application penetration tools including OWASP ZAP [19], which can work with external tools such as Nikto [20], Burp Suite [21], sqlmap [22], sslscan [23], etc.

For remote access for remote maintenance, user authentication and access control should be reviewed and strengthened. Default IDs and passwords must be changed, and bypassing mechanisms that are available remotely must be disabled, though these are fundamental as well.

For ICS embedded devices and services, there are certification programs called Functional Security Assessment for Embedded Device Component (FSA-E) and for System (FSA-S), respectively. They are parts of ISASecure's Embedded Device Security Assurance (EDSA) [24] and System Security Assurance (SSA) [25] certifications, respectively. They are being, or have been, standardized as IEC 62443 (Industrial communication networks) in Part 4-2 (Technical security requirements for IACS components) and Part 3-3 (System security requirements and security levels), respectively.

3.3 Risks and Countermeasures around Software

This subsection corresponds with the left area in Fig. 6. Discovery of new vulnerabilities by adversaries is a serious issue, since they are used for zero-day attacks. For software,

† As of August 2015, this service is unavailable.
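The extended attack tree of Sect. 3.1 can be worked through in code. The following is an added example written for this page, not code from the paper: it models stages with a severity level (1 to 4), transitions with a transferability level (1 to 3), prior countermeasures that lower transferability, posterior countermeasures that lower severity, and the check box that marks a countermeasure as not taken. The stages, levels, countermeasure effects, the probability assigned to each transferability level and the accept/transfer thresholds are all constructed assumptions.

```python
"""Extended attack tree (Sect. 3.1) as a small risk model.
Added example for this page, not the paper's code; every stage, level,
effect and threshold below is a constructed assumption."""
from dataclasses import dataclass, field

# Assumed probability that an adversary moves along an edge of a given
# transferability level (0 = transition blocked, 3 = thickest line in Fig. 5).
TRANSFER_PROB = {0: 0.0, 1: 0.1, 2: 0.5, 3: 0.9}


@dataclass
class Countermeasure:
    name: str
    effect: int         # levels removed from transferability (prior) or severity (posterior)
    taken: bool = True  # the check box: False = not taken, look for an alternative


@dataclass
class Stage:
    name: str
    severity: int       # 1 (light) .. 4 (dark): the damage if this stage is reached
    posterior: list = field(default_factory=list)  # countermeasures limiting damage here


@dataclass
class Edge:
    src: str
    dst: str
    transferability: int  # 1 .. 3
    prior: list = field(default_factory=list)      # countermeasures blocking this transition


def residual_severity(stage):
    return max(1, stage.severity - sum(c.effect for c in stage.posterior if c.taken))


def residual_transferability(edge):
    return max(0, edge.transferability - sum(c.effect for c in edge.prior if c.taken))


def path_risks(stages, edges, leaves):
    """Risk of each leaf-to-root path: severity reached x probability of
    reaching it, given the countermeasures currently ticked."""
    by_src = {}
    for e in edges:
        by_src.setdefault(e.src, []).append(e)
    risks = {}

    def walk(name, prob, path):
        if name not in by_src:  # no outgoing edge: the root (the problem) is reached
            risks[" -> ".join(path)] = round(residual_severity(stages[name]) * prob, 3)
            return
        for e in by_src[name]:
            walk(e.dst, prob * TRANSFER_PROB[residual_transferability(e)], path + [e.dst])

    for leaf in leaves:
        walk(leaf, 1.0, [leaf])
    return risks


def risk_action(residual, acceptable=0.2, transferable=0.6):
    """Action on a residual risk after reduction: accept (risk finance),
    transfer (insurance/outsourcing) or avoid. Thresholds are assumed."""
    if residual <= acceptable:
        return "Accept"
    if residual <= transferable:
        return "Transfer"
    return "Avoid"


def untaken(countermeasures):
    """The unticked check boxes: countermeasures not taken."""
    return sorted(c.name for c in countermeasures.values() if not c.taken)


def build_example_tree():
    """Constructed tree: two leaves lead to one root, 'set point changed'."""
    cms = {
        "firewall / security gateway": Countermeasure("firewall / security gateway", 1),
        "default credentials changed": Countermeasure("default credentials changed", 1),
        "removable media blocked at device I/O":
            Countermeasure("removable media blocked at device I/O", 2, taken=False),
        "multiple terminal authorization": Countermeasure("multiple terminal authorization", 1),
        "safety instrumented system": Countermeasure("safety instrumented system", 2),
    }
    stages = {
        "internet reconnaissance": Stage("internet reconnaissance", 1),
        "remote access hijacked": Stage("remote access hijacked", 2),
        "infected USB brought in": Stage("infected USB brought in", 1),
        "engineering PC compromised": Stage("engineering PC compromised", 3),
        "set point changed": Stage("set point changed", 4, [cms["safety instrumented system"]]),
    }
    edges = [
        Edge("internet reconnaissance", "remote access hijacked", 3,
             [cms["firewall / security gateway"], cms["default credentials changed"]]),
        Edge("remote access hijacked", "set point changed", 2),
        Edge("infected USB brought in", "engineering PC compromised", 2,
             [cms["removable media blocked at device I/O"]]),
        Edge("engineering PC compromised", "set point changed", 3,
             [cms["multiple terminal authorization"]]),
    ]
    return stages, edges, ["internet reconnaissance", "infected USB brought in"], cms


if __name__ == "__main__":
    stages, edges, leaves, cms = build_example_tree()
    for path, risk in path_risks(stages, edges, leaves).items():
        print(f"{risk:5.2f} {risk_action(risk):8s} {path}")
    print("not taken:", untaken(cms))
```

Ticking the unticked check box (setting `taken=True` on the removable media countermeasure) and recomputing shows the USB path dropping to zero residual risk, which is the kind of alternative-seeking the check boxes are meant to support.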

fuzzing (or fuzz testing) and reverse engineering are used for this purpose. Fuzzing gives data in unusual formats to the target and then checks its behavior. If it gets stuck or acts strangely, it may have some faulty memory handling that leads to a buffer overflow that can be used to hijack the target. A comprehensive list of fuzzing tools (fuzzers) is available at [26], and some of them support ICS specific communication protocols. ICS and embedded systems tend to rely on legacy software, and it has such vulnerabilities with non-negligible probability.

In the case of ICS and embedded systems, the targets of reverse engineering include firmware, whose images may be downloadable from Web sites or extracted from on-chip debug interfaces using hardware tools such as JTAGulator [27]. The obtained firmware is then analyzed; vulnerabilities and hardcoded passwords may be revealed, and then malicious functions might be inserted into it if no countermeasure is taken. Structure analysis of firmware and then extraction of executable files are performed using firmware tools such as binwalk [28]. Once executable files are extracted, they are analyzed further using a usual disassembler, debugger, etc. For this purpose, IDA [29], which is a disassembler and a debugger, supports various processors including those used for ICS. These analyses may eventually identify new vulnerabilities used in zero-day attacks.

Against vulnerabilities caused in software development, there exist ISASecure's certification programs called Software Development Security Assessment (SDSA), Security Development Lifecycle Assurance (SDLA) [31] and Communication Robustness Testing (CRT). The CRT certification program has been available in Japan too since April 2014 [30], and CRT and SDSA are parts of the EDSA certification program. CRT, SDSA and SDLA are also under standardization as IEC 62443 Part 4-1 (Product development requirements) as of July 2015.

Against reverse engineering of firmware and software, obfuscation or encryption should be applied to them. Against modification of them, alteration detection should be added to them. Alteration detection can be realized using either a digital signature such as an RSA signature or ECDSA, or a Message Authentication Code (MAC) such as HMAC or CMAC. These cryptographic approaches, however, require the devices to hold cryptographic keys securely. While public keys (for signature verification and encryption of symmetric keys) and the root certificates to verify them do not need to be protected against disclosure, their processing speed is around 100 to 1000 times slower than that using a symmetric key. Therefore algorithms using a public key might not be suited to low-end embedded devices without crypto accelerators. On the other hand, while algorithms using a symmetric key such as AES (Advanced Encryption Standard) are faster than those using a public key, symmetric keys must be protected against not only modification but also disclosure. Protection of keys is usually provided by a tamper resistant module, whose validation or certification is provided as an EAL (Evaluation Assurance Level) of CC (Common Criteria), which is in accordance with ISO/IEC 15408, or by CMVP (Cryptographic Module Validation Program) or JCMVP (Japan CMVP) [32], which are in accordance with FIPS 140 [33]†.

3.4 Risks and Countermeasures in LAN

This subsection corresponds with the lower and middle right area in Fig. 6. In Fig. 1, corporate networks, control system networks and field/sensor networks correspond with Local Area Networks (LAN). They are usually placed behind a firewall or a security gateway, and their levels of countermeasures tend to be lower than those of systems accessible from the Internet. Therefore, an adversary or malware that succeeds in intrusion there may proceed to the next attack stages relatively easily if no countermeasures are taken. Intrusion into a LAN is attempted by way of various channels, including an attached file, a Web link in an e-mail, a shared folder, a brought-in PC, removable media such as USB memory, or even a malicious insider. In the case of ICS, engineering PCs or removable media may be brought into the LAN to set up or maintain the systems and so on.

Activities after intrusion include communication with C&C (Command and Control) servers, investigation of the LAN while downloading and utilizing tools and/or modules necessary for further activities, escalating privileges, setting up backdoors, deleting logs, migrating to another network and so on. If an adversary or malware reaches a target, they try to collect secrets from it, modify its behavior or destroy it to reduce it to a critical situation or take it out of operation. In factories, secrets to protect include recipes for production. Mal-operations are attempted by way of HMI or by modifying control logic and set points for automatic control.

Basically, countermeasures in a LAN should be taken by assuming that adversaries may exist there. One fundamental countermeasure is to divide both the LAN and the physical space into small zones to restrict or block unnecessary access to critical systems in a zone from other zones. To do this, one has to start by grasping the current network topology and configurations correctly. This may be completed instantly while running the systems with an active scan using Nmap. It would, however, disturb or disrupt sensitive ICS. ANTFARM (Advanced Network Toolkit for Assessments and Remote Mapping) [35] is one of the tools for this purpose; it can parse and analyze multiple sources of network information, including network device configuration files, traffic logs and so on, and then create a visual depiction of the network without disturbing or disrupting sensitive systems in ICS networks.

While zoning may restrict or block unnecessary access to critical systems from other zones, it cannot restrict accesses from privileged or legitimate combinations of a terminal and an account for operation. For example, HMI and EWS in one zone need to have access to controllers in

† FIPS 140-3 is under development [34] as of August 2015, which corresponds with ISO/IEC 19790 (Security requirements for cryptographic modules).
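The alteration detection of Sect. 3.3 in its MAC form can be shown concretely. The following is an added example for this page, not code from the paper or from any vendor: a firmware image is shipped as image || HMAC-SHA256(key, image), the device recomputes the tag and compares it in constant time, and the key is derived per device from a vendor master key so that a key recovered from one device's firmware does not tag images for the whole fleet. The master key, the device identifiers and the firmware bytes are constructed; on a real device the derived key would live in a tamper resistant module as the text describes, and the signature variant (RSA/ECDSA) is not shown because the standard library does not provide it.

```python
"""Alteration detection for a firmware image with HMAC-SHA256 (Sect. 3.3).
Added example for this page, not the paper's or any vendor's code. The
master key, device ids and the firmware bytes are constructed; on a real
device the per-device key would be kept in a tamper resistant module."""
import hashlib
import hmac

TAG_LEN = 32  # bytes of HMAC-SHA256

# Constructed secrets and image (the key would be provisioned by the vendor).
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
FIRMWARE = b"ICS-PLC-FW v1.2\x00" + bytes(range(64))


def device_key(master: bytes, device_id: bytes) -> bytes:
    """Derive a per-device MAC key, so that a key extracted from one device
    (e.g. by reverse engineering its firmware) does not let an adversary
    tag images for all devices. Plain HMAC is used as the derivation here."""
    return hmac.new(master, b"fw-mac-key|" + device_id, hashlib.sha256).digest()


def package(key: bytes, image: bytes) -> bytes:
    """Update blob = image || HMAC(key, image)."""
    return image + hmac.new(key, image, hashlib.sha256).digest()


def unpack_and_verify(key: bytes, blob: bytes):
    """Return the image if its tag verifies, else None. The tag is recomputed
    over the received image and compared in constant time, so neither a
    modified image nor a modified tag is accepted."""
    if len(blob) < TAG_LEN:
        return None
    image, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, image, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return image


def flip_byte(blob: bytes, index: int) -> bytes:
    """Simulate an alteration of one byte of the update blob."""
    out = bytearray(blob)
    out[index] ^= 0x01
    return bytes(out)


if __name__ == "__main__":
    key = device_key(MASTER_KEY, b"plc-0001")
    blob = package(key, FIRMWARE)
    print("genuine update accepted:", unpack_and_verify(key, blob) == FIRMWARE)
    print("altered image accepted:", unpack_and_verify(key, flip_byte(blob, 20)) is not None)
    print("altered tag accepted:", unpack_and_verify(key, flip_byte(blob, len(blob) - 1)) is not None)
    print("accepted by another device:",
          unpack_and_verify(device_key(MASTER_KEY, b"plc-0002"), blob) is not None)
```

The constant-time comparison matters on a device that verifies updates over a network: a byte-by-byte early-exit comparison would let the verification time reveal how much of a forged tag is correct.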

other zones to change their set points and control logic, respectively. Zoning itself cannot restrict or block accesses from such legitimate terminals and accounts when they are hijacked.

There are two directions to deal with this. One is to enhance the detection and prevention ability against terminal hijacking by monitoring the symptoms and anomalies with IDS/IPS (Intrusion Detection/Prevention System) or, more holistically, UTM (Unified Threat Management) or SIEM (Security Information and Event Management). The other is to enhance the authorization mechanism against system modifications by using multiple terminal authorization and safety instrumentation.

As the former approach, to detect and exclude hijacked terminals, we have studied monitoring and prevention in deeper system layers, which are device I/O, hypervisor and kernel, as shown in Fig. 7. The approach in the kernel [36], [37] checks the parent-child relationship of created processes to detect processes maliciously created or inserted by adversaries, in addition to the integrity check of binaries to detect their modification and replacement. It can also control the access to computing resources such as files, directories, devices, IP addresses and port numbers. The approach using a lightweight pass-through type hypervisor [38], [39] provides a monitoring function for system calls invoked in the guest OS, and a function to hide unnecessary peripheral devices from the guest OS to prevent data leakage and/or malware infection via removable media or peripheral devices brought from outside. The approach using a device I/O board [40] monitors the I/O of HDD/SSD, USB and Ethernet, and then blocks unpermitted actions.

These approaches might not be suitable for general purpose computers, which are used in various ways, where it is hard to determine allowed/disallowed actions in advance. They are, however, applicable to computers dedicated to a specific purpose, where most operation rules are fixed in advance. They also have the advantage that they can be applied to pre-installed and pre-configured OSes later on without changing their configurations, whereas the approach using non pass-through type hypervisors requires reinstalling device drivers or even abandoning minor devices they do not support.

Fig. 7 Monitoring in deeper system layers

Depending on the system layer to be used, there exist pros and cons. While a deeper layer is better to prevent intruders from disabling the monitoring and prevention functions, the available data become more raw and primitive and harder to analyze.

Even if the above approaches fail to detect hijacked terminals, mal-operations can still be rejected if multiple terminal authorization is used, which is realized by letting an operator input a command or order from one terminal and then confirm it with the other, independent terminals. The requirements for the independent terminals are given as follows [41]:
1) [Separation:] To avoid simultaneous hijacking of all the multiple terminals, they must be placed in different zones (or built as different systems).
2) [Independent Authentication:] Credentials to authenticate the terminals must be unique to each terminal to prevent impersonation using stolen credentials.

Needless to say, independent authentication cannot be realized with only the same credential, i.e. the same password and the same private key among the terminals for the multiple terminal authorization, since an adversary who has hijacked one terminal may send both requests and their confirmations by using the same credential. While independent authentication can be realized using a unique secret for each terminal, or by distinguishing terminals by the physical ports of the routers or hubs the terminals are connected to, these cannot distinguish and trace the operators who committed malicious operations. In addition, when authentication servers are used, it is important to protect their databases as well, since they hold verification data for all the terminals and users. LR-AKE (Leakage-Resilient Authenticated Key Establishment) [42] not only satisfies independent authentication but also provides operator authentication and resiliency against leakage of stored secrets from any side of servers (or their databases) and terminals, without relying on expensive tamper resistant modules.

If either multiple terminal authorization or zoning is not employed or is compromised, safety instrumented systems will be the last resort to maintain a safe state against mal-operations. Safety instrumented systems, including failsafe, limit, interlock, foolproof and so on, used to be designed mainly against accidental, non-intended errors. They should furthermore take intentional mal-operations by adversaries into account. The study in [43] constructed a miniature process control system with safety mechanisms and zoning, analyzed the consequences of modification of its set points and alarms, and then investigated how they can be detected and prevented.

4. Cyber Physical Security in Future

Needless to say, one of the most significant features of cyber physical systems is that they have interfaces with the real world, and these interfaces might be abused from cyberspace to
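The two checks the kernel-layer approach of Sect. 3.4 performs, the parent-child relationship of created processes and the integrity of their binaries, can be illustrated in user space. The following is an added example for this page, not the authors' kernel implementation ([36], [37]): it audits a snapshot of a process table against an allow-list of permitted parents and a table of known-good hashes, as is feasible on a dedicated terminal whose operation rules are fixed in advance. The process records, the "golden" binary contents and the allowed-parent table are constructed.

```python
"""Process parent-child and binary integrity check in the spirit of the
kernel-layer approach of Sect. 3.4 ([36], [37]), done here in user space.
Added example for this page, not the authors' implementation. The process
records, the 'golden' binary contents and the allowed parent table are
constructed for a dedicated HMI terminal."""
import hashlib
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    image: bytes  # executable contents as read from disk (constructed)


# Constructed golden images of the only binaries this terminal may run.
GOLDEN = {
    "wininit.exe": b"wininit-v1",
    "services.exe": b"services-v1",
    "hmi_runtime.exe": b"hmi-runtime-3.2",
    "explorer.exe": b"explorer-v1",
    "hmi_viewer.exe": b"hmi-viewer-3.2",
}
KNOWN_GOOD = {name: hashlib.sha256(img).hexdigest() for name, img in GOLDEN.items()}

# Which parent is allowed to create each process (fixed in advance, which the
# paper notes is possible on a dedicated terminal). wininit.exe is the root.
ALLOWED_PARENTS = {
    "services.exe": {"wininit.exe"},
    "hmi_runtime.exe": {"services.exe"},
    "explorer.exe": {"wininit.exe"},
    "hmi_viewer.exe": {"explorer.exe"},
}
ROOT = "wininit.exe"


def audit(procs):
    """Return (pid, name, finding) for every process that violates the
    integrity rule or the parent-child rule."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if p.name not in KNOWN_GOOD:
            findings.append((p.pid, p.name, "binary not in allow-list"))
            continue
        if hashlib.sha256(p.image).hexdigest() != KNOWN_GOOD[p.name]:
            findings.append((p.pid, p.name, "binary modified or replaced"))
        if p.name == ROOT and p.ppid == 0:
            continue
        parent = by_pid.get(p.ppid)
        parent_name = parent.name if parent else f"pid {p.ppid}"
        if parent is None or parent.name not in ALLOWED_PARENTS.get(p.name, set()):
            findings.append((p.pid, p.name, f"unexpected parent {parent_name}"))
    return findings


# Constructed snapshot of the process table on the terminal.
SAMPLE = [
    Proc(1, 0, "wininit.exe", GOLDEN["wininit.exe"]),
    Proc(2, 1, "services.exe", GOLDEN["services.exe"]),
    Proc(3, 2, "hmi_runtime.exe", GOLDEN["hmi_runtime.exe"]),
    Proc(4, 1, "explorer.exe", GOLDEN["explorer.exe"]),
    Proc(5, 4, "hmi_viewer.exe", GOLDEN["hmi_viewer.exe"] + b"+patch"),  # replaced binary
    Proc(6, 3, "explorer.exe", GOLDEN["explorer.exe"]),      # genuine binary, wrong parent
    Proc(7, 3, "update_tool.exe", b"dropped-by-adversary"),  # not on the allow-list
]

if __name__ == "__main__":
    for pid, name, finding in audit(SAMPLE):
        print(f"pid {pid:3d} {name:16s} {finding}")
```

The two rules catch different things: pid 6 runs a genuine, unmodified binary and is flagged only because of who created it, while pid 5 has the expected parent and is flagged only by its hash. A real kernel-layer monitor would evaluate the same rules at process creation time rather than on a snapshot, which is what makes it harder for an intruder to disable.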
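The multiple terminal authorization of Sect. 3.4, with the zoning check that precedes it, can be modelled end to end. The following is an added example for this page, not the authors' system and not LR-AKE: a set point change takes effect only if zoning allows the requesting terminal to reach the controller and an independent terminal, in a different zone and holding its own credential, confirms the same request. Each terminal authenticates a message with a per-terminal HMAC key, standing in for an authenticated key establishment protocol; the zones, terminals, keys, controllers and request are constructed. The last scenario repeats the hijacked-terminal forgery against a deployment in which every terminal was provisioned with the same credential, showing the failure the text warns about.

```python
"""Multiple terminal authorization (Sect. 3.4, requirements 1) and 2) of
[41]) with a zoning check in front of it. Added example for this page, not
the authors' system and not LR-AKE: each terminal authenticates a message
with its own HMAC key in place of an authenticated key establishment
protocol. Zones, terminals, keys, controllers and the request are constructed."""
import hashlib
import hmac
import json

# Constructed inventory: terminal -> (zone, credential unique to the terminal)
TERMINALS = {
    "hmi-01": ("zone-operation", b"key-hmi-01"),
    "hmi-02": ("zone-operation", b"key-hmi-02"),
    "ews-01": ("zone-engineering", b"key-ews-01"),
    "office-pc": ("zone-corporate", b"key-office-pc"),
}
CONTROLLERS = {"plc-07": "zone-control"}
# Zoning policy: which zone may reach which (constructed allow-list).
ZONE_POLICY = {("zone-operation", "zone-control"), ("zone-engineering", "zone-control")}


def authenticate(terminals, terminal, message):
    """Tag a message with the terminal's own credential."""
    _zone, key = terminals[terminal]
    payload = json.dumps(message, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify(terminals, terminal, message, tag):
    if terminal not in terminals:
        return False
    return hmac.compare_digest(authenticate(terminals, terminal, message), tag)


def authorize(request, req_terminal, req_tag, conf_terminal, conf_tag, terminals=TERMINALS):
    """Accept a set point change only if zoning allows the requesting terminal
    to reach the controller AND an independent terminal (different zone, its
    own credential) confirms the same request."""
    if req_terminal not in terminals or conf_terminal not in terminals:
        return False, "unknown terminal"
    req_zone, conf_zone = terminals[req_terminal][0], terminals[conf_terminal][0]
    if (req_zone, CONTROLLERS.get(request["target"])) not in ZONE_POLICY:
        return False, "blocked by zoning"
    if not verify(terminals, req_terminal, request, req_tag):
        return False, "request not authenticated"
    if conf_terminal == req_terminal or conf_zone == req_zone:
        return False, "confirmation not independent (same terminal or zone)"
    if not verify(terminals, conf_terminal, request, conf_tag):
        return False, "confirmation not authenticated"
    return True, "accepted"


REQUEST = {"target": "plc-07", "parameter": "set_point_temp_c", "value": 85}


def scenarios():
    """Constructed cases; the last one shows why shared credentials fail."""
    req_tag = authenticate(TERMINALS, "hmi-01", REQUEST)
    out = {}
    out["operator + engineer"] = authorize(
        REQUEST, "hmi-01", req_tag, "ews-01", authenticate(TERMINALS, "ews-01", REQUEST))
    out["same zone"] = authorize(
        REQUEST, "hmi-01", req_tag, "hmi-02", authenticate(TERMINALS, "hmi-02", REQUEST))
    out["corporate pc"] = authorize(
        REQUEST, "office-pc", authenticate(TERMINALS, "office-pc", REQUEST),
        "ews-01", authenticate(TERMINALS, "ews-01", REQUEST))
    # hmi-01 is hijacked: the adversary holds only hmi-01's key and forges a
    # confirmation in ews-01's name with it.
    forged = authenticate(TERMINALS, "hmi-01", REQUEST)
    out["hijacked hmi-01 forges ews-01"] = authorize(REQUEST, "hmi-01", req_tag, "ews-01", forged)
    # Same deployment, but every terminal was provisioned with one shared key.
    shared = {t: (zone, b"shared-key") for t, (zone, _k) in TERMINALS.items()}
    s_req = authenticate(shared, "hmi-01", REQUEST)
    out["shared credential, same forgery"] = authorize(
        REQUEST, "hmi-01", s_req, "ews-01", authenticate(shared, "hmi-01", REQUEST), shared)
    return out


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{'ACCEPT' if ok else 'REJECT':6s} {name}: {reason}")
```

Note what the model does and does not give: zoning alone lets the hijacked hmi-01 through (it is a legitimate terminal in a permitted zone), the independence checks reject the forgery only because the credentials are unique, and, as the text observes, none of this identifies which operator sat at the terminal; that is what operator authentication in LR-AKE adds.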

attack the real world. This threat is not only specific to ICS, or more widely Industry 4.0 and Industrial Internet, but is also becoming common even in consumer areas with IoT (Internet of Things). They have the following additional features:
1) [Physical Access:] While sensors, actuators and controllers in factories and critical infrastructures are placed mainly in physically protected areas, those for IoT, especially for consumers or small enterprises, will be placed or distributed outside of the physically protected areas. Adversaries may have physical access to them, and some of them might be cracked, from which they may then intrude or input malicious data or programs into a network while impersonating the cracked devices.
2) [Privacy:] While sensors for ICS are mainly used for measuring equipment and materials, those for IoT, especially for healthcare, wearables and so on, will be used to collect privacy related or personal data around users.
3) [Intelligence:] Systems will be more intelligent with the help of Cloud, Big Data Analyses, Machine Learning, AI (Artificial Intelligence) and so on. While users will be more dependent on the intelligence, the intelligence might be abused or maliciously controlled by adversaries.

To preserve privacy while collecting necessary data for the intelligence, privacy preserving methods will play more important roles than ever. They include:
1) [ID Anonymization:] Either removing or replacing Personally Identifiable Information (PII) in a data set, or collecting data that does not identify individuals but verifies that they belong to a certain group with certain attributes. The latter can be realized using anonymous authentication [44], [45] or group signatures over an anonymous channel [46], [47].
2) [Data Anonymization:] Modification of data sets by adding noise, rounding, suppressing and generalizing their attributes to satisfy a certain level of privacy metrics such as k-anonymity [48], l-diversity [49], t-closeness [50] and differential privacy [51], or to resist de-anonymization attacks [52], while maintaining their statistical characteristics. To brush up these skills, an anonymization and de-anonymization contest was held in Japan [53].
3) [Encrypted Data Processing:] Processing secrets

protected, e.g. by using a tamper resistant module or LR-AKE Credential Service [60]. An advantage of the latter is that it does not rely on an expensive tamper resistant module. Another way of protection is to generate keys using PUF (Physically Unclonable Functions) [61], [62] instead of storing them in a nonvolatile memory, which can be read and copied easily. The generated keys can be used to encrypt or deliver other keys used in applications. Advantages of using PUF for key generation include: 1) the generated keys are not stored in the module when the power is off, 2) it is difficult to copy a PUF so that the copied PUF can generate the same keys for new challenges, due to the physically unclonable properties of PUF, and 3) revealed keys can be replaced with fresh ones by changing the challenges to them, or by using uncontrollable noise intrinsically caused in PUFs [63] and correcting the noise at the other party (whereas delivering a new key after encrypting it with the revealed old key compromises the freshness of the new key).

Frequent and uncontrollable change of keys can mitigate the risk of keys being extracted from the modules using side-channel information such as power consumption, electro-magnetic leakage, etc. If a PUF is deployed in a device, it can also be used to distinguish the genuine module from its counterfeits to enhance traceability in supply chains when a hardware Trojan is discovered.

5. Conclusion

In this paper, security in ICS is reviewed as a leading example of cyber physical security, especially for infrastructures where identification of optimal sets of countermeasures is significant, taking their restrictions and constraints into account. The necessity of cyber physical security in the future will expand not only to various infrastructures, but also to the consumer area with IoT, where preserving privacy and physical protection of devices will play more important roles, especially when adversaries can have physical access to them.

I hope this paper helps readers who are not necessarily familiar with this area understand the situation of cyber physical security, especially of ICS and IoT for consumers.

Acknowledgments

The author would like to thank the reviewers for their useful comments and suggestions. This research was partly sup-
or encrypted data without revealing or decrypting ported by JST, Infrastructure Development for Promoting
them until the final result is obtained. This can be International S&T Cooperation.
performed using homomorphic encryptions, PPDM
(Privacy-Preserving Data Mining) [54], [55], SMC (Se- References
cure Multiparty Computation) [56]–[59] and so on.
[1] “Actual condition survey project on a threat and a measure caused by
The above cryptographic solutions require devices to
the general-purpose IT technological application which can be put
hold keys, which must be protected against steal of the de- equipment for industry (in Japanese),” Report of the maintenance
vices by adversaries who will then analyze them both inva- project on a computer security early warning system in fiscal year
sively and non-invasively. Keys in a stolen device can be 2008, http://iss.ndl.go.jp/books/R100000002-I025571148-00, 2009.
[2] ICS-CERT, “Year in Review 2014,” https://ics-cert.us-cert.gov/Year-Review-2014, accessed June 30, 2015.
[3] D. Kushner, “The Real Story of Stuxnet,” IEEE Spectrum, http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet/, Feb. 2013.
[4] RISI, “The Repository of Industrial Security Incidents,” http://www.risidata.com/Database/, accessed June 30, 2015.
[5] Lockheed Martin, “Cyber Kill Chain®,” http://www.lockheedmartin.com/us/what-we-do/information-technology/cyber-security/cyber-kill-chain.html, accessed June 30, 2015.
[6] Nmap, https://nmap.org/, accessed June 30, 2015.
[7] Nessus, http://www.tenable.com/products/nessus-vulnerability-scanner, accessed June 30, 2015.
[8] OpenVAS, http://www.openvas.org/, accessed June 30, 2015.
[9] SHODAN, http://www.shodanhq.com/, accessed June 30, 2015.
[10] Every Routable IP Project, http://beta.eripp.com, accessed June 30, 2015.
[11] É. Leverett, “The last gasp of the industrial air gap...,” BlackHat US, 2012.
[12] SCADACS, https://www.scadacs.org/, accessed June 30, 2015.
[13] “Introducing Shodan Maps,” https://shodanio.wordpress.com/2014/02/18/introducing-shodan-maps/, Feb. 2014, accessed June 30, 2015.
[14] “Default Passwords,” https://cirt.net/passwords, accessed June 30, 2015.
[15] D. Tentler, “Drinking from the caffeine firehose we know as shodan,” Defcon 20, 2012.
[16] R.W. McGrew, “SCADA HMI & Microsoft Bob Modern: Vulnerabilities, With a 90’s Flavor,” Defcon 20, 2012.
[17] CONPOT, http://conpot.org/, accessed June 30, 2015.
[18] Y.M.P. Pa, S. Suzuki, K. Yoshioka, and T. Matsumoto, “IoTPOT: Analysing the Rise of IoT Compromises,” 9th USENIX Workshop on Offensive Technologies (WOOT 15), https://www.usenix.org/conference/woot15/workshop-program/presentation/pa, Aug. 2015.
[19] OWASP, “Zed Attack Proxy Project,” https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project, accessed June 30, 2015.
[20] Nikto, https://cirt.net/Nikto2, accessed June 30, 2015.
[21] Burp Suite, https://portswigger.net/burp/, accessed June 30, 2015.
[22] Sqlmap, http://sqlmap.org/, accessed June 30, 2015.
[23] sslscan, https://github.com/rbsec/sslscan, accessed June 30, 2015.
[24] ISASecure, “IEC 62443-4-2 - EDSA Certification,” http://www.isasecure.org/en-US/Certification/IEC-62443-4-2-EDSA-Certification, accessed June 30, 2015.
[25] ISASecure, “IEC 62443-3-3 - SSA Certification,” http://www.isasecure.org/en-US/Certification/IEC-62443-3-3-SSA-Certification, accessed June 30, 2015.
[26] IPA, “Fuzzing Guide (in Japanese),” http://www.ipa.go.jp/security/vuln/documents/fuzzing-guide.pdf, accessed June 30, 2015.
[27] JTAGulator, http://www.grandideastudio.com/portfolio/jtagulator/, accessed June 30, 2015.
[28] Binwalk, http://binwalk.org/, accessed June 30, 2015.
[29] IDA, https://www.hex-rays.com/products/ida/, accessed June 30, 2015.
[30] CSSC Certification Laboratory, “Japan’s First Certification Body for ISASecure® EDSA,” http://www.cssc-cl.org/en/index.html, accessed June 30, 2015.
[31] ISASecure, “IEC 62443-4-1 - SDLA Certification,” http://www.isasecure.org/en-US/Certification/IEC-62443-4-1-SDLA-Certification, accessed June 30, 2015.
[32] IPA/ISEC, “Japan Cryptographic Module Validation Program,” http://www.ipa.go.jp/security/english/jcmvp.html, accessed June 30, 2015.
[33] NIST, “Security requirement for cryptographic modules,” FIPS PUB 140-2, May 2001.
[34] NIST, “FIPS 140-3 DEVELOPMENT,” http://csrc.nist.gov/groups/ST/FIPS140_3/, accessed June 30, 2015.
[35] “ANTFARM: Advanced Network Toolkit for Assessments and Remote Mapping,” http://energy.sandia.gov/wp/wp-content/gallery/uploads/ANTFARM-Fact-Sheet.pdf, accessed June 30, 2015.
[36] K. Suzaki, T. Yagi, K. Kobara, Y. Komoriya, N. Inoue, and T. Kawade, “OS Lockdown on Industrial Control Systems with Process White List and Resource Access Control,” Poster session at 22nd USENIX Security Symposium, Aug. 2013.
[37] K. Suzaki, M. Kiuchi, H. Seki, and Y. Komoriya, “Whitelisting Technology Which Considers Attack Vectors and System Complexity on Industrial Control Systems,” ICSJWG Fall Meeting 2014.
[38] K. Suzaki, T. Yagi, K. Kobara, and T. Ishiyama, “Kernel Memory Protection by an Insertable Hypervisor which has VM Introspection and Stealth Breakpoints,” Proc. IWSEC, LNCS 8639, pp.48–51, 2014.
[39] K. Suzaki, “DeviceDisEnabler: A hypervisor which hides devices to protect cyber espionage,” CODE BLUE, Dec. 2014.
[40] K. Toda, I. Ebihara, K. Segawa, K. Takahashi, and K. Kobara, “Security Barrier Device Protects Critical Data Regardless of OS or Applications by Just Attached,” CODE BLUE, Feb. 2014.
[41] T. Sekino, K. Kobara, and H. Imai, “Anti-malware Order System Using Multiple Independent Terminals and Authentication Schemes,” Proc. WPMC ’09, S43, 2009.
[42] S.H. Shin, K. Kobara, and H. Imai, “A Simple Leakage-Resilient Authenticated Key Establishment Protocol, Its Extensions, and Applications,” IEICE Trans. Fundamentals, vol.E88-A, no.3, pp.736–754, March 2005.
[43] Y. Hashimoto, T. Toyoshima, S. Yogo, M. Koike, T. Hamaguchi, S. Jing, and I. Koshijima, “Safety securing approach against cyber-attacks for process control system,” Computers & Chemical Engineering, vol.57, pp.181–186, Oct. 2013.
[44] S.H. Shin, K. Kobara, and H. Imai, “Anonymous Password-Authenticated Key Exchange: New Construction and Its Extensions,” IEICE Trans. Fundamentals, vol.E93-A, no.1, pp.102–115, Jan. 2010.
[45] ISO/IEC JTC1, “Anonymous entity authentication,” ISO/IEC 20009.
[46] Tor, “The Onion Router,” https://www.torproject.org/, March 2005.
[47] H. Fathi, S.H. Shin, K. Kobara, and H. Imai, “Protocols for purpose-restricted anonymous communications in IP-based wireless networks,” Elsevier Computer Communications Journal, vol.31, Issue 15, pp.3662–3671, Sept. 2008.
[48] L. Sweeney, “k-anonymity: a model for protecting privacy,” International Journal on Uncertainty, Fuzziness and Knowledge-based Systems, vol.10, Issue 5, pp.557–570, Oct. 2002.
[49] A. Machanavajjhala, D. Kifer, J. Gehrke, and M. Venkitasubramaniam, “L-diversity: Privacy beyond k-anonymity,” ACM Trans. on Knowledge Discovery from Data (TKDD), vol.1, Issue 1, no.3, pp.1–12, March 2007.
[50] N. Li, T. Li, and S. Venkatasubramanian, “t-closeness: Privacy beyond k-anonymity and l-diversity,” Proc. IEEE 23rd International Conference on Data Engineering (ICDE), pp.106–115, 2007.
[51] C. Dwork, “Differential Privacy,” Proc. International Colloquium on Automata, Languages and Programming (ICALP), LNCS 4052, pp.1–12, 2006.
[52] A. Narayanan and V. Shmatikov, “Robust de-anonymization of large sparse datasets,” Proc. IEEE Symposium on Security and Privacy, pp.111–125, May 2008.
[53] Privacy Workshop WG, “Anonymization and De-anonymization Contest (in Japanese),” http://www.iwsec.org/pws/2015/pwscup.html, accessed Aug. 30, 2015.
[54] R. Agrawal and R. Srikant, “Privacy-Preserving Data Mining,” Proc. ACM SIGMOD Conference on Management of Data, pp.439–450, 2000.
[55] Y. Lindell and B. Pinkas, “Privacy Preserving Data Mining,” Journal of Cryptology, vol.15, no.3, pp.177–206, 2002.
[56] Sharemind, https://sharemind.cyber.ee/, accessed June 30, 2015.
[57] SecureSMC, http://sesar.di.unimi.it/Sesar/securescm, accessed June 30, 2015.
[58] K. Hamada, “MEVAL: A Practically Efficient System for Secure Multi-party Statistical Analysis,” Workshop on Applied Multi-Party Computation, 2014.
[59] AIST, “A Search Technology for Databases of Compounds Using Secure Computation,” http://www.aist.go.jp/aist_e/list/latest_research/2012/20120220/20120220.html, accessed June 30, 2015.
[60] S.H. Shin, K. Kobara, and H. Imai, “A Secure Authenticated Key Exchange Protocol for Credential Services,” IEICE Trans. Fundamentals, vol.E91-A, no.1, pp.139–149, Jan. 2008.
[61] G.E. Suh and S. Devadas, “Physical Unclonable Functions for Device Authentication and Secret Key Generation,” Proc. 44th Design Automation Conference, pp.9–14, IEEE, 2007.
[62] H. Kang, Y. Hori, T. Katashita, M. Hagiwara, and K. Iwamura, “Cryptographic Key Generation from PUF Data Using Efficient Fuzzy Extractors,” Proc. 16th International Conference on Advanced Communications Technology (ICACT 2014), pp.23–26, Feb. 2014.
[63] Y. Hori, T. Katashita, H. Kang, A. Satoh, S. Kawamura, and K. Kobara, “Evaluation of Physical Unclonable Functions for 28-nm Process Field-Programmable Gate Arrays,” Journal of Information Processing, vol.22, no.2, pp.344–356, April 2014.
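The generalization approach to the Data Anonymization item listed above, satisfying k-anonymity [48] and then checking l-diversity [49] because a k-anonymous group whose sensitive values are all identical still discloses them, is shown in the following added example. It is not code from the paper. The records, the quasi-identifier set {zip, age}, and the two generalization hierarchies (zip digits masked from the right, ages widened to 10-year and then 20-year bands, then suppressed) are constructed here for illustration; the search simply returns the least total generalization that meets both thresholds.

```python
"""Added example: generalization-based k-anonymity with an l-diversity check.
The table, hierarchies and thresholds are constructed for illustration."""
from collections import defaultdict

# Constructed records (not real data): quasi-identifiers zip/age, sensitive diagnosis.
RECORDS = [
    {"zip": "13053", "age": 28, "diagnosis": "heart disease"},
    {"zip": "13068", "age": 29, "diagnosis": "heart disease"},
    {"zip": "13068", "age": 21, "diagnosis": "viral infection"},
    {"zip": "13053", "age": 23, "diagnosis": "viral infection"},
    {"zip": "14853", "age": 50, "diagnosis": "cancer"},
    {"zip": "14853", "age": 55, "diagnosis": "heart disease"},
    {"zip": "14850", "age": 47, "diagnosis": "viral infection"},
    {"zip": "14850", "age": 49, "diagnosis": "viral infection"},
]
QUASI_IDENTIFIERS = ("zip", "age")
SENSITIVE = "diagnosis"


def generalize_age(age, level):
    """Level 0: exact; 1: 10-year band; 2: 20-year band; 3: suppressed."""
    if level == 0:
        return str(age)
    if level == 3:
        return "*"
    width = 10 if level == 1 else 20
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def generalize_zip(zip_code, level):
    """Mask the last `level` digits of the zip code (assumed hierarchy)."""
    return zip_code if level == 0 else zip_code[:-level] + "*" * level


def generalize(records, zip_level, age_level):
    return [{**r, "zip": generalize_zip(r["zip"], zip_level),
             "age": generalize_age(r["age"], age_level)} for r in records]


def equivalence_classes(records):
    """Group records that share the same generalized quasi-identifier tuple."""
    groups = defaultdict(list)
    for r in records:
        groups[tuple(r[q] for q in QUASI_IDENTIFIERS)].append(r)
    return groups


def k_anonymity(records):
    """Size of the smallest equivalence class: every record hides among >= k others."""
    return min(len(g) for g in equivalence_classes(records).values())


def l_diversity(records):
    """Fewest distinct sensitive values in any class (distinct l-diversity)."""
    return min(len({r[SENSITIVE] for r in g})
               for g in equivalence_classes(records).values())


def anonymize(records, k, l=1):
    """Least total generalization (zip_level + age_level) reaching k-anonymity and
    l-diversity; returns (table, zip_level, age_level) or None if unreachable."""
    for total in range(0, 9):          # zip up to 5 masked digits, age up to level 3
        for zip_level in range(0, 6):
            age_level = total - zip_level
            if not 0 <= age_level <= 3:
                continue
            table = generalize(records, zip_level, age_level)
            if k_anonymity(table) >= k and l_diversity(table) >= l:
                return table, zip_level, age_level
    return None


if __name__ == "__main__":
    for k, l in ((2, 1), (2, 2), (4, 2)):
        table, z, a = anonymize(RECORDS, k, l)
        print(f"k={k} l={l}: zip_level={z} age_level={a}",
              f"achieved k={k_anonymity(table)} l={l_diversity(table)}")
```

On this table 2-anonymity alone is reached by merely banding the ages, but one of the resulting classes contains only "viral infection", so requiring 2-diversity forces a coarser generalization; asking for more anonymity than eight records can supply ends in a fully suppressed table, which is the signal that the release is too small to anonymize this way.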
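The PUF key generation discussed above (the paragraph preceding the Conclusion), in which a noisy response is turned into a stable key so that no key sits in nonvolatile memory and a new challenge yields a fresh key, is shown in the following added example. It is not code from the paper. It uses the standard code-offset fuzzy-extractor construction with a repetition code; the noise is removed by whoever holds the public helper data, here the device itself, though the same decoder can run at the other party if the noisy response is sent to it. The PUF is simulated with a keyed hash, and the device fingerprint, challenges, flipped bit positions and code parameters are all illustrative assumptions.

```python
"""Added example: reproducing a stable key from a noisy PUF response with a code-offset
fuzzy extractor over a repetition code. The PUF is simulated; parameters are illustrative."""
import hashlib
import hmac
import secrets

N_KEY_BITS = 128            # key-material bits derived per challenge
REP = 5                     # repetition length: majority vote corrects <= 2 flips per block
RESPONSE_BITS = N_KEY_BITS * REP


def simulated_puf_response(device_secret: bytes, challenge: bytes) -> list:
    """Noise-free response of a simulated PUF. The keyed hash stands in for silicon
    variation; a real PUF stores no secret, which is the point of using one."""
    bits, counter = [], 0
    while len(bits) < RESPONSE_BITS:
        block = hmac.new(device_secret, challenge + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        bits.extend((byte >> i) & 1 for byte in block for i in range(8))
        counter += 1
    return bits[:RESPONSE_BITS]


def flip(bits: list, positions) -> list:
    """Model the intrinsic response noise by flipping the bits at `positions`."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def rep_encode(key_bits: list) -> list:
    return [b for b in key_bits for _ in range(REP)]


def rep_decode(code_bits: list) -> list:
    """Majority vote per block; a block with more than REP // 2 flips decodes wrongly."""
    return [1 if sum(code_bits[i:i + REP]) > REP // 2 else 0
            for i in range(0, len(code_bits), REP)]


def derive_key(key_bits: list) -> bytes:
    """Hash the decoded bits (stand-in for the strong extractor of a fuzzy extractor)."""
    raw = int("".join(map(str, key_bits)), 2).to_bytes(N_KEY_BITS // 8, "big")
    return hashlib.sha256(b"puf-key-v1" + raw).digest()


def enroll(response: list, key_bits: list = None):
    """Trusted one-time step: helper = response XOR codeword(key_bits); helper is public.
    Caveat: a repetition code leaks the XOR of bits within each block through the helper,
    so the response must carry well over N_KEY_BITS of entropy."""
    if key_bits is None:
        key_bits = [secrets.randbits(1) for _ in range(N_KEY_BITS)]
    helper = [r ^ c for r, c in zip(response, rep_encode(key_bits))]
    return derive_key(key_bits), helper


def reproduce(noisy_response: list, helper: list) -> bytes:
    """Field step: remove the helper, vote away the noise, hash. No key is ever stored."""
    return derive_key(rep_decode([r ^ h for r, h in zip(noisy_response, helper)]))


def run_example() -> dict:
    """Deterministic walk-through on a constructed device; returns the outcomes to check."""
    device = bytes(range(32))                       # constructed device "fingerprint"
    reference = simulated_puf_response(device, b"challenge-01")
    key, helper = enroll(reference)

    # Two flips in every 5-bit block are still corrected.
    tolerable = [i * REP + j for i in range(N_KEY_BITS) for j in (0, 1)]
    corrected = reproduce(flip(reference, tolerable), helper) == key

    # Three flips inside one block exceed the code's capability: a different key results.
    too_many = [7 * REP + j for j in (0, 1, 2)]
    uncorrectable_matches = reproduce(flip(reference, too_many), helper) == key

    # Rekeying after a leak: a new challenge, with a new enrollment, gives an unrelated key.
    key2, _ = enroll(simulated_puf_response(device, b"challenge-02"))
    return {"corrected": corrected, "uncorrectable_matches": uncorrectable_matches,
            "fresh_key_differs": key2 != key}


if __name__ == "__main__":
    print(run_example())
```

Only the helper data is kept between power cycles, and it is public by design, so nothing in nonvolatile memory is worth copying. The repetition code is chosen for readability; it has the weakest error-correction-to-leakage trade-off, and deployed designs use stronger codes and measure the actual bit-error rate of the PUF to size them.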
Kazukuni Kobara received his Ph.D. degree in engineering from the University of Tokyo in 2003. He joined the Institute of Industrial Science of the University of Tokyo in 1994, and then moved to the National Institute of Advanced Industrial Science and Technology (AIST) in 2006. His research interests include cryptography, cryptographic protocols, cybersecurity, security risk assessment, etc. He received the SCIS Paper Award and the Vigentennial Award from IEICE in 1996 and 2003, respectively. He also received the Best Paper Award of WISA, the ISITA Paper Award for Young Researchers, the IEICE Best Paper Award and Inose Award, the JSSM Best Paper Award and RISONA Industry-Academia-Government Coordination Award in 2001, 2002, 2003, 2006 and 2013, respectively. He served as a member of ETC (Electronic Toll Collection System) security committees from 1999 to 2015, CRYPTREC (Cryptography Research and Evaluation Committees) from 2000 to 2008, the vice chairperson of MIC WLAN security committee in 2003, the chief investigator of INSTAC identity management committee from 2007 to 2010, ISO/IEC JTC1 SC27 WG2 expert from 2012 to present and IEC ACSEC (Advisory Committee on Information Security and Data Privacy) member and JP NC chair from 2015 to present.