An Ontology-Driven Framework for Security and Resiliency in Cyber Physical Systems

Rohith Yanambaka Venkata, Patrick Kamongi and Krishna Kavi
University of North Texas
Denton, Texas-76203
Email: [ry0080, pk0158, krishna.kavi]@unt.edu

Abstract—Cyber-Physical Systems (CPS) can be described as an integration of computation and physical processes, where embedded systems monitor and control physical processes. Advances in technologies, such as networking and processors, have enabled the adoption of CPS in safety-critical systems like smart grids and autonomous vehicles. Cyber-attacks, as the name suggests, target components in the cyber space with the intention of disrupting the functionality of the physical components. In this paper, we present an Ontology-driven framework that captures the relationship between cyber and physical systems to semantically reason about the impact of cyber-attacks on the physical systems. We demonstrate the idea using a reference Red-Light Violation Warning (RLVW) Vehicle to Infrastructure (V2I) network. Our proposed Ontology provides the ability to identify vulnerabilities in cyber systems that may impact a given physical system, enumerate potential mitigation steps and help design resilient physical systems that can meet their design specifications despite the occurrence of a cyber-attack.

Keywords–Cyber Physical Systems; CPS; Security; Resiliency; Ontology.

I. INTRODUCTION

Cyber-Physical Systems (CPS) are systems that involve coordination between two components: cyber (or computational) and physical systems. Ashibani et al. [1] describe CPS as a combination of tightly integrated physical processes (such as actuation), networking and computation. The physical processes are monitored and controlled by cyber subsystems through network interconnects.

The proliferation of CPS has gained increased traction with the advances in networking and embedded system technologies like system-on-chip (SoC) and wireless transmitters.
With the increased capability and complexity in CPS, they have found application in domains such as smart cities, transportation, and power grids. However, this growth has come at the cost of potential cyber-attacks [2]. Often, security and resiliency are either not paid the attention they deserve or are disregarded altogether. As a result, cyber-attacks on CPS are becoming increasingly prevalent, as evidenced by recent attacks targeting critical infrastructure:

- A cyber-attack in 2016 crippled a power grid in Ukraine, affecting at least 100,000 people. The attackers used software-based attacks to shut down the Remote Terminal Units (RTUs) that control circuit breakers, causing a power outage for about an hour [3].
- A German steel mill was the target of a cyber-physical attack in 2014, when malicious actors took control of the mill's production software and caused material damage to the mill [4].
- On 21 October 2016, an attack on DNS service provider Dyn caused issues for a list of well-known services such as Twitter, GitHub, Reddit, Spotify, Netflix, and PayPal. A Mirai botnet compromised tens of millions of IP addresses. All in all, about 100,000 devices were involved. This was the then largest attack ever recorded, with network traffic volume reaching 1.2 Tbps.
- Perhaps the most recognizable of all the attacks was the STUXNET worm that infected Iranian nuclear power plants [5]. The worm caused the centrifuges to spin too quickly and for too long, damaging or destroying the delicate equipment in the process. This is an excellent example of how cyber-attacks affect physical systems.

It is evident from these examples that an attack targeting the cyber domain (a cyber-attack) can adversely impact the normal operation of the physical systems that the cyber components control.
The impact is especially acute in safety-critical systems.

One way to understand the impact of cyber-attacks on physical systems is by modeling CPS using Ontologies. An Ontology is a formal description of knowledge as a set of concepts within a domain and the relationships that hold between them [6]. To enable such a description, we need to formally specify components such as individuals (instances of objects), classes, attributes, and relations, as well as restrictions, rules, and axioms. Ontologies not only introduce a shareable and reusable knowledge representation but can also add new knowledge about a domain [6]. Ontologies provide numerous advantages:

- Ontologies enable automated reasoning about data [6].
- They provide the ability to represent data formats, including unstructured, semi-structured or structured data, enabling smooth data integration, easy concept and text mining, and data-driven analytics [6].
- Adding additional relationships, integrating multiple Ontologies and cross-domain concept matching are also possible.

CPS enable technological advances in diverse critical domains such as healthcare, traffic flow management, and smart manufacturing. Design needs vary across the domains of operation. So, Ontologies may be able to capture complex dependencies and relationships between the cyber and physical components and potentially identify common design principles across multiple domains. Cyber-attacks may or may not affect the physical system of a CPS. To understand the impact of attacks on the functioning of physical components, the relationships captured by the Ontology can be used to semantically reason about security and resiliency of the physical components.

Figure 1. The Red Light Violation Warning system [8].

In this paper, we present our Ontology-driven framework that captures some of the physical and cyber components of a Vehicle-to-Infrastructure (V2I) reference architecture [7], including design goals and requirements specification from their design artifacts. This includes information such as functional, security and resiliency requirements. The objective is to understand the relationship between the cyber and physical components of the V2I CPS to be able to reason about security and resiliency of the physical system. The Ontology will help understand the impact of cyber-attacks on the physical components. This information can then be used to identify mitigation techniques (in physical or cyber domains) and design changes that can help improve the security and resiliency of the physical system.

The paper is split into six sections. In Section II, we briefly describe the reference architecture that is used to validate the Ontology. Section III outlines some of our previously developed tools that perform vulnerability management. The CPS Ontology and the reasoning process are briefly described in Section IV.
A case study using the Red-Light Violation Warning (RLVW) and the CPS Ontology is presented in Section V, followed by the conclusion in Section VI.

II. REFERENCE ARCHITECTURE - RED LIGHT VIOLATION WARNING (RLVW)

The RLVW safety application involves providing a cooperative vehicle and infrastructure system that assists drivers in avoiding crashes at signalized intersections by first advising the driver of a signalized intersection, followed by a warning to the vehicle's driver if, based on their speed and distance to the intersection, they may violate an upcoming red light. As a vehicle equipped with a Driver Vehicle Interface (DVI), a screen on the dash that displays alerts from the infrastructure, approaches an intersection equipped with a Road Side Equipment (RSE)-controlled traffic light, it receives messages about the signal phase and timing (SPaT), intersection geometry, and position correction information [7]. SPaT, traffic signal control information that conveys the current movement state of each active phase in the system, can aid in safety, mobility and monitoring the environment [9]. The driver is alerted or warned if the RLVW application determines that, given current operating conditions, the driver is predicted to violate the red light.

The RLVW system is one of six safety applications developed by the United States Department of Transportation [7]. The goal of the RLVW application is to improve roadway safety by reducing red-light running and collisions at signalized intersections [7]. The infrastructure and vehicle components include both cyber and physical components. Figure 1 shows various components of the RLVW application. We will evaluate our Ontology with this architecture as a baseline. This application contains:

1) Infrastructure component: The infrastructure component is responsible for warning drivers of an approaching intersection well in advance.
In addition, drivers also need to be warned if their approach is likely to result in a red light violation.

2) Vehicle component: The vehicle component is responsible for sensing the world, conveying intent (to other vehicles and the infrastructure) and situational awareness. All of this information needs to be sent to the infrastructure.

- Sensing the world includes measuring speed, getting current Global Positioning System (GPS) coordinates and determining the lane currently being driven on.
- Conveying intent is vital in a connected vehicle environment (especially in a Vehicle to Vehicle network). The information exchanged may influence the behavior of other entities in the network.
- Situational awareness involves attributing context to the data collected by a physical component. For example, if a sensor measures the speed of the vehicle to be 60 miles per hour, the relevant cyber component needs to determine if this is a safe speed given the current context. This speed may be acceptable on a highway but not within city limits.

3) Design goals: In this section, we look at some of the design goals and specifications of the RLVW application before we present a preliminary outline of our Ontology design in the subsequent sections.

Figure 2 outlines some of the important design goals of the communication model being considered. The three primary objectives of V2I are to prevent/minimize fatalities, injuries and property damage. One of the ways this can be achieved is by using the RLVW application, which attempts to satisfy the design goals by reducing red light running and traffic collisions. The various design specifications and their relationships are reflected in Figure 2.

Figure 2. Design goals for RLVW.

The National Institute of Standards and Technology (NIST) has published a framework that provides guidance in designing, building, verifying, and analyzing complex CPS [10]. The CPS Framework captures the generic functionalities that CPS provide, and the activities and artifacts needed to support conceptualization, realization, and assurance of CPS [10]. The framework describes the following series of steps within a reference architecture:

- The domain of the CPS needs to be identified.
- Facets, or views on CPS encompassing identified responsibilities in the system engineering process [10], need to be identified. These include conceptualization, realization, and assurance. They contain well-defined activities and artifacts (outputs) for addressing design goals (or concerns) [10].
- Aspects need to be consolidated. Aspects are high-level groupings of cross-cutting concerns. Concerns are interests in a system relevant to one or more stakeholders. These may include Functional, Business, Timing, Data, Trustworthiness, etc. [10].

Our objective is to reason about security and resiliency, so we focus only on the trustworthiness concern. Trustworthiness is the demonstrable likelihood that the system performs according to designed behavior under any set of conditions, as evidenced by characteristics including, but not limited to, safety, security, privacy, reliability and resilience [10]. In the next section, we briefly describe vulnerability assessment for cyber systems using some of our previous work.

III. VULNERABILITY-BASED THREATS ASSESSMENT

Given a deployed Cyber-Physical System that leverages one or more IT (or cyber) components for normal operations, security evaluation of the IT system is a priority.

In our previous work, we have designed solutions (VULCAN [11] and NEMESIS [12]) to automate essential security management tasks to assist in identifying, assessing and mitigating the threats that may affect any given IT system (this applies to the cyber components that power a Cyber-Physical System).

Let us consider an example of an IT component (that is part of a Cyber-Physical System) such as the "Qualcomm SD 820 Firmware". Our VULCAN Framework [11] enables us to model and represent such an IT component using the Common Platform Enumeration (CPE) standard [13].

An Ontology Knowledge Base (OKB), which is a populated Ontology, plays a central role within the VULCAN framework by capturing various critical public data feeds of IT product (e.g., Application/Software, Operating System, and Hardware) vulnerability, attack, and mitigation information using an evolving and semantically rich Ontology model.

The vulnerability index generated by VULCAN captures information about publicly known vulnerabilities (including their insightful information) that affect our assessed IT component. Figure 3 shows a simplified view of the generated vulnerability index to highlight a few vulnerabilities (including their vulnerability description, severity score and Common Weakness Enumeration (CWE) [14] identifier) that affect our assessed IT product (viz., Qualcomm SD 820 Firmware).
This System-on-Chip (SoC) is commonly used in level 3 and level 4 autonomous vehicles.

With the amount of semantically rich information captured within the generated vulnerability index of the assessed IT component, we can reason and infer various insights in regards to the current vulnerability status of the "Qualcomm SD 820 Firmware" and how many of its vulnerabilities have a damaging impact (if exploited by a malicious actor) on the core of the Cyber-Physical System in operation.

Using this vulnerability index, our NEMESIS architecture can assist in performing various threat modeling and risk assessment tasks for the IT product. This information may be useful towards designing CPS that are inherently resilient to the modeled threats.

Table I illustrates a sample view of how NEMESIS classifies vulnerabilities (that affect the assessed IT component "Qualcomm SD 820 Firmware") into possible threat types (using the STRIDE threat model [15]) that could arise from their exploitation. For instance, the "CVE-2018-3594" [16] vulnerability was identified by VULCAN as affecting our assessed IT component; NEMESIS then determines that this vulnerability could lead to the "Tampering, Information Disclosure, Repudiation, and Elevation of Privilege" STRIDE threat types (as shown in Table I).

TABLE I. QUALCOMM SD 820 FIRMWARE: THREAT CLASSIFICATION
(one column per assessed vulnerability; 1 = the vulnerability can lead to the threat type)

Threat type   v1  v2  v3  v4  v5
R              1   1   0   0   1
I              1   0   0   1   0
D              0   0   0   0   1
E              1   0   0   1   1

In Table II we illustrate how NEMESIS ranks all the classified threat types by the average severity of all the found vulnerabilities that can lead to each of the STRIDE threat types. For instance, the "Information Disclosure" threat type is the most severe threat that the assessed IT component "Qualcomm SD 820 Firmware" is exposed to.

TABLE II. QUALCOMM SD 820 FIRMWARE: THREAT TYPES RANKING

Threat Type               Severity [0-10]
Tampering                 8.19
Denial of Service         5.0
Spoofing                  7.5
Information Disclosure    9.0
Repudiation               8.57
Elevation of Privilege    8.78

Security practitioners can use the information from assessing IT products (or cyber components of CPS) to strategize cyber mitigations and resiliency measures to counter any of the perceived threat types that could impact the critical missions of the operational Cyber-Physical System.

IV. CPS ONTOLOGY DESIGN AND REASONING PROCESS

Cyber systems usually include processors, memory modules, network interfaces and software products. We briefly discussed vulnerability assessment and management for cyber systems by introducing some of our previous work in Section III. We have also previously demonstrated the ability to enforce differentiated levels of security for Internet of Things (IoT) devices [17].
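Returning to the classification and ranking of Section III: the following Python example, added here and not NEMESIS or VULCAN code, shows the bookkeeping behind Tables I and II. It derives STRIDE threat types for each vulnerability from the CWE identifiers carried in a vulnerability index, builds the 0/1 classification matrix of Table I, and ranks threat types by the mean severity of the vulnerabilities that can lead to each, as Table II does. The CWE-to-STRIDE rules and the five vulnerability records are constructed sample data with placeholder identifiers, not the paper's real index for the SD 820 firmware.

```python
"""STRIDE classification and threat-type ranking over a vulnerability index.

Added illustration of the bookkeeping behind Tables I and II; this is not
NEMESIS or VULCAN code. The CWE-to-STRIDE rules and the five vulnerability
records below are constructed sample data, not the paper's real index.
"""
from dataclasses import dataclass

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege")

# Constructed rule base: which STRIDE threat types a weakness class can lead to.
# Assumption: a NEMESIS-like classifier derives threat types from the CWE
# identifiers in the vulnerability index; these particular rules are illustrative.
CWE_TO_STRIDE = {
    "CWE-20":  {"Tampering"},                                              # improper input validation
    "CWE-119": {"Tampering", "Denial of Service", "Elevation of Privilege"},  # memory-safety defect
    "CWE-200": {"Information Disclosure"},                                 # information exposure
    "CWE-287": {"Spoofing", "Elevation of Privilege"},                     # improper authentication
    "CWE-400": {"Denial of Service"},                                      # resource exhaustion
    "CWE-778": {"Repudiation"},                                            # insufficient logging
}


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str      # placeholder id; a real index would carry the CVE number
    severity: float   # CVSS-style base score on the 0-10 scale used in Table II
    cwes: tuple       # CWE identifiers reported for the vulnerability


# Constructed sample index for one assessed IT component (five vulnerabilities,
# matching the five columns of Table I).
SAMPLE_INDEX = (
    Vulnerability("VULN-A", 9.0, ("CWE-200",)),
    Vulnerability("VULN-B", 7.5, ("CWE-287",)),
    Vulnerability("VULN-C", 8.4, ("CWE-119",)),
    Vulnerability("VULN-D", 5.0, ("CWE-400",)),
    Vulnerability("VULN-E", 8.6, ("CWE-778", "CWE-200")),
)


def threat_types(vuln):
    """Union of the STRIDE threat types reachable from the vulnerability's CWEs."""
    found = set()
    for cwe in vuln.cwes:
        found |= CWE_TO_STRIDE.get(cwe, set())
    return found


def classification_matrix(index):
    """Table I layout: threat type -> one 0/1 flag per vulnerability, in index order."""
    return {t: [1 if t in threat_types(v) else 0 for v in index] for t in STRIDE}


def rank_threat_types(index):
    """Table II layout: (threat type, mean severity of the vulnerabilities that can
    lead to it), most severe first. Threat types no vulnerability reaches are omitted."""
    ranking = []
    for t in STRIDE:
        scores = [v.severity for v in index if t in threat_types(v)]
        if scores:
            ranking.append((t, round(sum(scores) / len(scores), 2)))
    return sorted(ranking, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for t, flags in classification_matrix(SAMPLE_INDEX).items():
        print(f"{t[0]}  {' '.join(map(str, flags))}")
    print()
    for t, score in rank_threat_types(SAMPLE_INDEX):
        print(f"{t:<24} {score:.2f}")
```

Note that the ranking deliberately averages rather than sums: a threat type reached by many low-severity vulnerabilities should not outrank one reached by a single critical vulnerability, which is the reading of Table II that the text gives ("Information Disclosure" is most severe at 9.0 although "Tampering" has more contributing vulnerabilities in Table I).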
Now, our goal is to understand how these cyber (or IT) vulnerabilities affect physical systems. The challenge is to capture the relationship between cyber and physical components to semantically reason about security and resiliency. The Ontology will be able to provide an insight into potential mitigation techniques, which may involve changes in the design or patching and updating software packages in the cyber domain. The reasoning process involves the following steps:

- Design goals and components of a CPS domain need to be identified in consultation with domain experts.
- The relationships between various components in the domain need to be identified within the context of the design goals identified in the previous step.
- Given all components and their relationships, threat modeling needs to be performed so that only threats relevant to the given CPS are considered.
- The CPS needs to be redesigned if required.
- The redesigned system needs to be validated to ensure it still complies with the design specifications.

We have constructed an Ontology for the trustworthiness concern based on NIST's CPS framework. Figure 4 depicts a preliminary design for the CPS Ontology that is capable of reasoning against a limited set of vulnerabilities that we will discuss in Section V. The Ontology was implemented using the OWL web semantic language [18] in the Protégé Ontology editor [19].

The design specifications from Figure 2 were translated into an Ontology. The RLVW concept contains five different knowledge points: physical components and cyber components, which are self-explanatory, Abstract, Vehicle and Infrastructure. The infrastructure and vehicle components are mapped to the cyber and physical concepts. A knowledge point called Abstract captures all the design goals of a CPS domain (the RLVW safety application in this scenario). The two components of interest in this Ontology are the traffic light and the RSE.
The traffic light interacts with the RSE to display traffic lights and transition between them.

Design goals may be security requirements (from Security Service Level Agreements, or SSLAs), resiliency goals and functional requirements. Lee et al. [20] describe an Ontology to capture SSLAs, which can be used to understand the security agreements of a service provider or to audit compliance to design specifications [20].

Figure 3. Qualcomm SD 820 Firmware – Vulnerability Index Sample

Figure 4. An example of the CPS ontology.

V. CASE STUDY

Let us evaluate this Ontology using a few simple examples. We use the STRIDE threat modeling discussed in Section III and the design specifications from Section II. The configuration of system components is as follows:

- A Qualcomm 820a SoC powers a vehicle.
- The DVI is controlled by the Android Auto operating system [21].
- The RSE is a facility server running Ubuntu 16.04 LTS.
- No identification scheme exists to authenticate entities in the network.
- The data exchanged is not validated (neither by the RSE nor the vehicle).
- The traffic light is not designed with any [...] collected/stored.

A. An attack on the RSE

Let us consider the RLVW application discussed before. We were able to determine, using the CPE identifier for the Snapdragon 820a, that five significant vulnerabilities could affect the SoC, as discussed in Section III. One of the most important steps in threat modelling for CPS is to assign a context to a threat/vulnerability, i.e., to try to understand how a vulnerability affects a physical system. In the first example, let us consider a scenario where an adversary attacks the RSE (as depicted in Figure 5). The RSE is no longer trustworthy. Potential attacks are:

- Spoofing: The adversary may masquerade as the RSE, sending false data to vehicles or the traffic light. The lights may flash randomly or be turned off. The vehicle may not receive a warning from the RSE even if a potential red light violation is detected. For example, CVE-2018-1111 [22] may be used to create malicious DHCP packets to compromise the server.
- Tampering: Data is maliciously modified before being sent to vehicles or the traffic light. The potential impact is similar to that of the Spoofing attack. For example, an adversary may us
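The reasoning process of Section IV and the RSE scenario of this case study can be exercised on a small knowledge graph. The Python example below is added here and is not the paper's OWL/Protégé ontology: it uses plain (subject, predicate, object) triples and hand-written inference rules in place of an OWL reasoner. The individuals mirror the case-study configuration (RSE, traffic light, DVI, SoC, vehicle); the relation names (controls, sendsWarningsTo, powers, partOf, supports, contributesTo, hasControl), the design-goal labels and the control-to-threat mapping are assumptions chosen for this illustration. Given a compromised cyber component and the STRIDE threat types from the classification step, it infers which physical components and design goals are affected and which threat types have no countering control in the deployment, which for the case-study configuration (no entity authentication, no data validation) is both Spoofing and Tampering. The hardened variant shows the same query after the missing controls are added to the knowledge base.

```python
"""Reasoning over a small CPS knowledge graph: which physical components and
design goals a compromised cyber component can affect, and which STRIDE
threat types remain without a mitigating control.

Added example, not the paper's OWL/Protégé ontology. Relation names, goal
labels and the control-to-threat mapping are assumptions for illustration.
"""
from collections import deque

# Constructed knowledge base for the RLVW case study, as (subject, predicate, object).
KB = {
    ("RSE", "isA", "CyberComponent"),
    ("Snapdragon820a", "isA", "CyberComponent"),
    ("AndroidAuto", "isA", "CyberComponent"),
    ("TrafficLight", "isA", "PhysicalComponent"),
    ("DVI", "isA", "PhysicalComponent"),
    ("Vehicle", "isA", "PhysicalComponent"),
    # cyber -> physical dependencies from the case-study configuration
    ("RSE", "controls", "TrafficLight"),
    ("RSE", "sendsWarningsTo", "DVI"),
    ("AndroidAuto", "controls", "DVI"),
    ("Snapdragon820a", "powers", "Vehicle"),
    ("DVI", "partOf", "Vehicle"),
    # physical components -> design goals (the "Abstract" knowledge point)
    ("TrafficLight", "supports", "ReduceRedLightRunning"),
    ("DVI", "supports", "ReduceRedLightRunning"),
    ("ReduceRedLightRunning", "contributesTo", "ReduceCollisions"),
    ("ReduceCollisions", "contributesTo", "PreventFatalities"),
    # no hasControl triples: the case study has no authentication or validation
}

# Same deployment after redesign: controls added for the two unmitigated threats.
KB_HARDENED = KB | {
    ("RSE", "hasControl", "entityAuthentication"),
    ("DVI", "hasControl", "messageIntegrityCheck"),
    ("TrafficLight", "hasControl", "messageIntegrityCheck"),
}

# Predicates along which a compromise of the subject propagates to the object.
DEPENDENCY = ("controls", "sendsWarningsTo", "powers", "partOf")

# Which control property counters which STRIDE threat type (assumption).
CONTROL_FOR = {
    "Spoofing": "entityAuthentication",
    "Tampering": "messageIntegrityCheck",
    "Repudiation": "auditLogging",
}


def objects(kb, subject, predicate):
    """All objects o with (subject, predicate, o) in the knowledge base."""
    return {o for s, p, o in kb if s == subject and p == predicate}


def affected_physical(kb, compromised):
    """Physical components reachable from the compromised component over
    dependency edges (a compromised part also affects the whole it is partOf)."""
    physical = {s for s, p, o in kb if p == "isA" and o == "PhysicalComponent"}
    seen, queue = set(), deque([compromised])
    while queue:
        node = queue.popleft()
        for pred in DEPENDENCY:
            for nxt in objects(kb, node, pred):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return seen & physical


def impacted_goals(kb, components):
    """Design goals supported by the components, closed over contributesTo."""
    goals, queue = set(), deque()
    for c in components:
        queue.extend(objects(kb, c, "supports"))
    while queue:
        g = queue.popleft()
        if g not in goals:
            goals.add(g)
            queue.extend(objects(kb, g, "contributesTo"))
    return goals


def unmitigated(kb, compromised, threat_types):
    """Threat types for which neither the compromised component nor the physical
    components depending on it carry a countering control."""
    scope = {compromised} | affected_physical(kb, compromised)
    controls = set()
    for c in scope:
        controls |= objects(kb, c, "hasControl")
    return {t for t in threat_types if CONTROL_FOR.get(t) not in controls}


def assess(kb, compromised, threat_types):
    """Full reasoning step: affected physical components, impacted design goals
    and the threat types the current design leaves unmitigated."""
    physical = affected_physical(kb, compromised)
    return {"physical": physical,
            "goals": impacted_goals(kb, physical),
            "unmitigated": unmitigated(kb, compromised, threat_types)}


if __name__ == "__main__":
    print("case study:", assess(KB, "RSE", {"Spoofing", "Tampering"}))
    print("hardened:  ", assess(KB_HARDENED, "RSE", {"Spoofing", "Tampering"}))
```

The same query with the SoC as the compromised component reaches only the vehicle, which is the kind of context assignment the case study asks for: the Section III vulnerability index says which cyber component is exposed, and the graph says which physical components and design goals that exposure can reach.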
