A Modal Model of Stuxnet Attacks on Cyber-Physical Systems: A Matter of Trust
Gerry Howser and Bruce McMillin

The 8th International Conference on Software Security and Reliability
To appear, 2014

Multiple Security Domains Nondeducibility, MSDND(ES), yields results even when the attack hides important information from electronic monitors and human operators. Because MSDND(ES) is based upon modal frames, it is able to analyze the event system as it progresses rather than relying on traces of the system. Not only does it provide results as the system evolves, MSDND(ES) can point out attacks designed to be missed in other security models. This work examines information flow disruption attacks such as Stuxnet and formally explains the role that implicit trust in the cyber security of a cyber physical system (CPS) plays in the success of the attack. The fact that the attack hides behind MSDND(ES) can be used to help secure the system by modifications to break MSDND(ES) and leave the attack nowhere to hide. Modal operators are defined to allow the manipulation of belief and trust states within the model. We show how the attack hides and uses the operator's trust to remain undetected. In fact, trust in the CPS is key to the success of the attack.

Keywords: cyber-physical systems, information flow security, doxastic logic, security models, nondeducibility, Stuxnet

For more information contact: Gerry Howser or Bruce McMillin.