Formally and practically verifying flow properties in industrial systems

Abstract

Industrial systems are nowadays regularly the target of cyberattacks, the most famous being Stuxnet. At the same time such systems are increasingly interconnected with other systems and insecure media such as Internet. In contrast to other IT systems, industrial systems often do not only require classical properties like data confidentiality or authentication of the communication, but have special needs due to their interaction with physical world. For example, the reordering or deletion of some commands sent to a machine can cause the system to enter an unsafe state with potentially catastrophic effects. To prevent such attacks, the integrity of the message flow is necessary. We provide a formal definition of Flow Integrity. We apply our definitions to two well-known industrial protocols: OPC-UA and MODBUS. Using Tamarin, a cryptographic protocol verification tool, we confirm that most of the secure modes of these protocols ensure Flow Integrity given a resilient network. However, we also identify weaknesses in a supposedly secure version of MODBUS, as well as subtleties in the handling of sequence numbers in OPC-UA. We also practically examine an OPC-UA stack named python-opcua, where some of the subtleties are not handled correctly.