Integrating the manufacturer usage description standard in the modelling of cyber–physical systems

Abstract

The continuous growth of cyber–physical systems (CPS) attacks, especially due to the conflict in Ukraine, has highlighted the need for cybersecurity management mechanisms, due to the catastrophic consequences that a failure or attack on critical infrastructures such as power plants. Indeed, Gartner predicts that by 2025, 30% of critical infrastructures will suffer a cyberattack. In this context, defining the expected behaviour of the system is key to detecting and mitigating possible vulnerabilities both in the design and runtime phases. Modelling emerges as a tool that facilitates the analysis of the security offered by the system even before the system is implemented, allowing an early risk analysis. However, creating such a model is usually challenging due to its intrinsic complexity, or the reconfiguration needed after a security assessment due to a new vulnerability. The situation gets even worse when the system is a complex CPS-of-Systems, where different Constituent Systems (CS) are interconnected since cascade effects and dependencies are stronger and we might not have all the information from the third-party CS. Also, the results of the evaluation are typically used only during the design phase, thus missing out on potential security policies and mitigations that could be used during the system operation. In this sense, the Manufacturer Usage Description (MUD) allows the manufacturer to define access control policies that reduce the attack surface of a device. However, the limited expressiveness of this standard reduces the possibilities of its application in systems with more complex policies beyond the network level. We propose the usage of the MUD standard as a source of information for CPS modelling, providing information on interactions about third-party components of the system. In addition, we define an extended MUD model that deals with the expressiveness problems of the MUD and allows to automatically generate a behavioural profile that integrates the recommendations obtained from the assessment and modelling processes. The extended MUD could be used during runtime to reduce the attack surface of the system, enforce security configuration or even discern if a component is secure enough to be part of the ecosystem. Our approach has been validated in a real use case in the context of smart grid, to show its applicability.