Johnson, C. W. , Saleem, M. H., Evangelopoulou, M. , Cook, M. , Harkness, R. and Barker, T. (2017) Defending Against Firmware Cyber Attacks on Safety-Critical Systems. Proceedings 35th International System Safety Conference, Albuquerque, NM, USA, 21-25 Aug 2017.
|
Text
150355.pdf - Accepted Version 203kB |
Abstract
In the past, it was not possible to update the underlying software in many industrial control devices. Engineering teams had to ‘rip and replace’ obsolete components. However, the ability to make firmware updates has provided significant benefits to the companies who use Programmable Logic Controllers (PLCs), switches, gateways and bridges as well as an array of smart sensor/actuators. These updates include security patches when vulnerabilities are identified in existing devices; they can be distributed by physical media but are increasingly downloaded over Internet connections. These mechanisms pose a growing threat to the cyber security of safety-critical applications, which are illustrated by recent attacks on safety-related infrastructures across the Ukraine. Subsequent sections explain how malware can be distributed within firmware updates. Even when attackers cannot reverse engineer the code necessary to disguise their attack, they can undermine a device by forcing it into a constant upload cycle where the firmware installation never terminates. In this paper, we present means of mitigating the risks of firmware attack on safety-critical systems as part of wider initiatives to secure national critical infrastructures. Technical solutions, including firmware hashing, must be augmented by organizational measures to secure the supply chain within individual plants, across companies and throughout safety-related industries.
Item Type: | Conference or Workshop Item |
---|---|
Status: | Published |
Refereed: | Yes |
Glasgow Author(s) Enlighten ID: | Cook, Mr Marco and Evangelopoulou, Miss Maria and Johnson, Professor Chris and Harkness, Mr Robert |
Authors: | Johnson, C. W., Saleem, M. H., Evangelopoulou, M., Cook, M., Harkness, R., and Barker, T. |
College/School: | College of Science and Engineering > School of Computing Science |
Copyright Holders: | Copyright © 2017 The Authors |
Publisher Policy: | Reproduced with the permission of the Authors |
University Staff: Request a correction | Enlighten Editors: Update this record