Dramatic Cyber- Physical Attack Surface Reduction Leveraging Integrity MAC Security Kernel
Poor resilience in energy delivery systems (EDS) is a national
existential threat from vulnerability to cyberattacks inflicting
permanent damage on critical physical components. A PLC is
commonly the device controlling such components, e.g., bulk
power generators. Our proof-of-concept implementation
dramatically mitigate threats to such cyber-physical systems
(CPS) by specifically leveraging what NIST 800-160 calls out
as “highly assured, kernel-based operating systems [OS] in
Programmable Logic Controllers [PLC]”.
We have decomposed the OpenPLC Project codebase,
constructing the overall CPS demonstration from distinct,
communicating components in hierarchically ordered security
integrity domains. Traditional integrity mandatory access
control (MAC) policy controls cross-domain flows, verifiably
enforced by a security kernel-based OS. Only a processing
component in the highest integrity domain can directly send/
receive control signals, enforcing “safe region” operating
constraints to prevent physical damage. This very small attack
surface protects the high-integrity components, making the
overall CPS resilient to skilled adversaries’ attacks, even
though the much larger lower integrity components running
on the same OS, hardware and network infrastructure may be
thoroughly compromised. We make available the
restructured OpenPLC source to encourage PLC
manufacturers to deliver verifiable PLC products to, as NIST
puts it, “achieve a high degree of system integrity and
availability” for EDS.
Dr. Roger R. Schell is internationally recognized for originating several key modern
security design and evaluation techniques, and was awarded patents in
cryptography, authentication and trusted workstation. His experience includes 20
years in US federal program management (computers), 30 years as a computer
industry security product vendor, and 5 years as a graduate cybersecurity
engineering faculty member.
He is President and a founder of Aesec Corporation, a start-up providing a
commercial verifiably secure operating system. Previously Dr. Schell was cofounder
and vice president for Gemini Computers, Inc., now an Aesec subsidiary.
At Gemini he directed development of their highly secure (what NSA called “Class
A1”) commercial product, the Gemini Multiprocessing Secure Operating System
(GEMSOS). He was also the founding Deputy Director of NSA’s National
Computer Security Center. He has been referred to as the "father" of the Trusted
Computer System Evaluation Criteria (the "Orange Book"). Dr. Schell is a retired
USAF Colonel. He received a Ph.D. in Computer Science from the MIT, an M.S.E.E.
from Washington State, and a B.S.E.E. from Montana State. The NIST and NSA
have recognized Dr. Schell with the National Computer System Security Award. In
2012 he was inducted into the inaugural class of the National Cyber Security Hall of
This seminar series is presented by the Cyber Resilient Energy Delivery Consortium (CREDC), a multi-university research effort. CREDC, a successor to the earlier TCIPG Project, was founded in 2016 with support from the U.S. Department of Energy and the U.S. Department of Homeland Security. It is housed in the Information Trust Institute, University of Illinois at Urbana-Champaign.