Threat mitigation in industrial internet: Case variable-frequency drive
Kankaanranta, Antti (2018)
Information Technology
Faculty of Computing and Electrical Engineering
This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Date of approval
2018-04-04
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:tty-201802271321
Abstract
Industrial internet devices have faced new threats from attackers with substantial resources. Thus, the cybersecurity of such devices has to improve. Variable-frequency drives (VFDs) were selected as the target devices for studying the cybersecurity of industrial internet devices and for giving recommendations on how to improve it.
The thesis studied the current status of VFD cybersecurity by interviewing product development engineers of a VFD manufacturer. The VFD's assets were also identified in the interviews. Security weaknesses were found during the interviews, and potential attacks against those weaknesses were identified.
The attacks were categorized, and values were assigned to each attack's effectiveness and complexity. The attack descriptions also included some hints about how the attacks could be performed and why an attacker might want to perform them. Finally, an attack tree was constructed based on the attacks.
The thesis also presented mitigation strategies found in the literature and how well those strategies suit the VFD context. It also studied which mitigation strategies VFDs currently apply. A prioritisation workshop was organized to prioritise the unapplied mitigation strategies. The prioritisation was necessary because the most important strategies need to be implemented first. The attendees of the workshop were product managers, a software architect and the cybersecurity chief of the VFD manufacturer. The prioritisation method used was Weighted Shortest Job First. The method takes into account business value, time criticality, risk reduction and how much effort the job might take to complete.
The most important mitigation strategy was Access Control. The second most important was Logging and Event Management, and the third was User Authentication and Authorization. A possible explanation for the prioritisation might be that there were customer requirements for these strategies. However, the discussion in the prioritisation workshop clarified the general view of mitigation strategies. Thus, those strategies received the highest points in business value, time criticality and risk reduction.