"Yeah, it does have a...Windows '98 Vibe": Usability Study of Security Features in Programmable Logic Controllers
- URL: http://arxiv.org/abs/2208.02500v1
- Date: Thu, 4 Aug 2022 07:20:00 GMT
- Title: "Yeah, it does have a...Windows '98 Vibe": Usability Study of Security Features in Programmable Logic Controllers
- Authors: Karen Li, Kopo M. Ramokapane, Awais Rashid
- Abstract summary: Programmable Logic Controllers (PLCs) are often left exposed to the Internet, one of the main reasons being misconfigurations of security settings.
We explore the usability of PLC connection configurations and two key security mechanisms.
We find that the use of unfamiliar labels, layouts and misleading terminology exacerbates an already complex process.
- Score: 19.08543677650948
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Programmable Logic Controllers (PLCs) drive industrial processes critical to
society, e.g., water treatment and distribution, electricity and fuel networks.
Search engines (e.g., Shodan) have highlighted that Programmable Logic
Controllers (PLCs) are often left exposed to the Internet, one of the main
reasons being the misconfigurations of security settings. This leads to the
question -- why do these misconfigurations occur and, specifically, whether
usability of security controls plays a part? To date, the usability of
configuring PLC security mechanisms has not been studied. We present the first
investigation through a task-based study and subsequent semi-structured
interviews (N=19). We explore the usability of PLC connection configurations
and two key security mechanisms (i.e., access levels and user administration).
We find that the use of unfamiliar labels, layouts and misleading terminology
exacerbates an already complex process of configuring security mechanisms. Our
results uncover various (mis-) perceptions about the security controls and how
design constraints, e.g., safety and lack of regular updates (due to long term
nature of such systems), provide significant challenges to realization of
modern HCI and usability principles. Based on these findings, we provide design
recommendations to bring usable security in industrial settings at par with its
IT counterpart.
Related papers
- Securing the Open RAN Infrastructure: Exploring Vulnerabilities in Kubernetes Deployments [60.51751612363882]
We investigate the security implications of and software-based Open Radio Access Network (RAN) systems.
We highlight the presence of potential vulnerabilities and misconfigurations in the infrastructure supporting the Near Real-Time RAN Controller (RIC) cluster.
arXiv Detail & Related papers (2024-05-03T07:18:45Z)
- SoK: Security of Programmable Logic Controllers [2.4833449443424245]
We conduct the first comprehensive systematization of knowledge that explores the security of PLCs.
We introduce a novel threat taxonomy for PLCs and Industrial Control Systems.
We identify and point out research gaps that, if left ignored, could lead to new catastrophic attacks against critical infrastructures.
arXiv Detail & Related papers (2024-03-01T04:53:41Z)
- A Survey and Comparative Analysis of Security Properties of CAN Authentication Protocols [92.81385447582882]
The Controller Area Network (CAN) bus leaves in-vehicle communications inherently non-secure.
This paper reviews and compares the 15 most prominent authentication protocols for the CAN bus.
We evaluate protocols based on essential operational criteria that contribute to ease of implementation.
arXiv Detail & Related papers (2024-01-19T14:52:04Z)
- DASICS: Enhancing Memory Protection with Dynamic Compartmentalization [7.802648283305372]
We present the DASICS (Dynamic in-Address-Space Isolation by Code Segments) secure processor design.
It offers dynamic and flexible security protection across multiple privilege levels, addressing data flow protection, control flow protection, and secure system calls.
We have implemented hardware FPGA prototypes and software QEMU simulator prototypes based on DASICS, along with necessary modifications to system software for adaptability.
arXiv Detail & Related papers (2023-10-10T09:05:29Z)
- Leveraging Traceability to Integrate Safety Analysis Artifacts into the Software Development Process [51.42800587382228]
Safety assurance cases (SACs) can be challenging to maintain during system evolution.
We propose a solution that leverages software traceability to connect relevant system artifacts to safety analysis models.
We elicit design rationales for system changes to help safety stakeholders analyze the impact of system changes on safety.
arXiv Detail & Related papers (2023-07-14T16:03:27Z)
- A Novel Approach to Identify Security Controls in Source Code [4.598579706242066]
This paper enumerates a comprehensive list of commonly used security controls and creates a dataset for each one of them.
It uses the state-of-the-art NLP technique Bidirectional Representations from Transformers (BERT) and the Tactic Detector from our prior work to show that security controls could be identified with high confidence.
arXiv Detail & Related papers (2023-07-10T21:14:39Z)
- Recursively Feasible Probabilistic Safe Online Learning with Control Barrier Functions [60.26921219698514]
We introduce a model-uncertainty-aware reformulation of CBF-based safety-critical controllers.
We then present the pointwise feasibility conditions of the resulting safety controller.
We use these conditions to devise an event-triggered online data collection strategy.
arXiv Detail & Related papers (2022-08-23T05:02:09Z)
- Safe RAN control: A Symbolic Reinforcement Learning Approach [62.997667081978825]
We present a Symbolic Reinforcement Learning (SRL) based architecture for safety control of Radio Access Network (RAN) applications.
We provide a purely automated procedure in which a user can specify high-level logical safety specifications for a given cellular network topology.
We introduce a user interface (UI) developed to help a user set intent specifications to the system, and inspect the difference in agent proposed actions.
arXiv Detail & Related papers (2021-06-03T16:45:40Z)
- Runtime Safety Assurance Using Reinforcement Learning [37.61747231296097]
This paper aims to design a meta-controller capable of identifying unsafe situations with high accuracy.
We frame the design of RTSA with the Markov decision process (MDP) and use reinforcement learning (RL) to solve it.
arXiv Detail & Related papers (2020-10-20T20:54:46Z)
- Dos and Don'ts of Machine Learning in Computer Security [74.1816306998445]
Despite great potential, machine learning in security is prone to subtle pitfalls that undermine its performance.
We identify common pitfalls in the design, implementation, and evaluation of learning-based security systems.
We propose actionable recommendations to support researchers in avoiding or mitigating the pitfalls where possible.
arXiv Detail & Related papers (2020-10-19T13:09:31Z)
This list is automatically generated from the titles and abstracts of the papers on this site.