Industrial Control Systems (ICS) are used for managing industrial processes. These systems are responsible for controlling and regulating a large number of processes such as the distribution of gas and electricity, following up nuclear reactors, or managing tra c lights. In the last decades, ICS have seen many changes. In the past they were isolated, proprietary systems. Now they mostly use commercial o -the-shelf components, integrated with back-end systems that are often connected to corporate networks and the internet.

This evolution has made ICS easier to use. At the same time it has weakened the security and exposed the systems to remote attacks. To make things worse, ICS are rather static and use components and technologies that are quickly outdated with regards to security. Several attacks on ICS systems have made the news in recent years. The most known example is Stuxnet [ 1,2 ], a worm that infected a nuclear plant in Iran, and severely slowed down the nuclear program of the country [ 3 ]. Other notable ICS incidents include the Slammer worm disabling the David-Besse nuclear power plant in Ohio [ 4 ], the Maroochy Shire sewage spill in Australia [ 5 ], and discovery of worms and Trojan backdoors like Duqu [ 6 ] and Night Dragon [ 7 ] that gather information about control systems to make future attacks like Stuxnet possible.

Attacks on these systems can be very damaging for society. A lot of attention has been given to ICS security, and governments are aware that new security measures must be taken. This can be done from various angles: public awareness, laws, technology, etc. Organisations such as ISA, NIST, and ISO are de ning standards regarding security in industrial control systems [ 8 ]. 2

The objective of this research is to create a tool for the analysis of security in ICS. We develop a new approach to automatically draw conclusions regarding system security. It is also possible to generate suggestions that provide decision support. Important considerations during this research are: e ciency and exibility of the architecture, quality of the achieved results, and practical usability.

We aim to develop a model that takes into account the speci c requirements of ICS. Existing models for IT systems cannot be used since ICS have di erent architecture and security properties (Con dentiality, Integrity, Availability in IT versus Safety, Reliability, Availability in ICS). Attackers of ICS can range from disgruntled employees to governments, our attacker model should be able to capture them all. 3

Tools for modelling control systems or assessing their security have been developed. Homeland Security has created CSET, the Cyber Security Evaluation Tool [ 9 ]. CSET checks compliance of a system with a chosen security standard through a question and answer method. It does not provide an architectural analysis, and it also does not allow the user to reason about compromised components and their e ects on system security, which our tool does.

The KTH in Stockholm has developed CySeMoL, the Cyber Security Modelling Language [ 10,11 ]. This tool estimates the probability that attacks succeed against an enterprise system. It does not suggest system improvements to reduce this probability, or point out the weaknesses that make the attacks possible. It allows users to change their system architecture and view the resulting changes on the attack probabilities, but only the attacks de ned by the tool designers are considered. CySeMoL has to be updated when new attacks are discovered. In our tool, when new vulnerabilities are discovered, it su ces to change the security properties of the a ected components in the system model. This can be done by the user and does not require the program to be updated. For computing the attack probabilities, CySeMoL assumes that the attacker is a penetration tester who only has access to public tools, and only tries to attack the system for one week. Previous ICS incidents like Stuxnet have shown that attackers are much more powerful. Our attacker model will re ect this.

ValueSec has redesigned Lancelot [ 12 ], a tool previously used for security evaluation of ICT systems in the nancial sector. It is now a risk management platform that enables users to analyse security risks and their business implications for the energy smart grid and SCADA (Supervisory Control And Data Acquisition) environment. SCADA systems are a subset of ICS [ 8 ]. Lancelot asks a user to de ne the system's assets and to associate risk pro les to them. It then does a security analysis to detect risks and compliance issues, and prepares mitigation plans to deal with the risks that are found. Risk in Lancelot is de ned as \the potential damage that can be caused when something goes wrong with an asset or when someone/something takes advantage of an asset's vulnerabilities". It is assumed that the user of the program already has knowledge of the vulnerabilities in his system. Lancelot does not help with identifying vulnerabilities.

There are several other tools to conduct risk assessment, but they also assume that the vulnerabilities are already known [ 13 ]. Risk assessment methods usually start with a meeting between the risk assessment team and the system engineers [ 14 ]. During this meeting they brainstorm about possible vulnerabilities that the system could have. Our tool provides an automation of this phase and the results could hence be used as input for a risk assessment method. When using our tool, a system engineer only has to enter the system architecture, assign the relevant security properties to components, and the vulnerabilities are extracted automatically. 4

The rst months of the project were dedicated to a literature study about the current situation in Industrial Control Systems. Research was done on current modelling techniques, standards and guidelines related to ICS security, ICS architectures, etc.

The next step was to create a rst model and test it on a simpli ed ICS. The systems are modelled using the Inductive De nition Programming framework (IDP) [ 15,16 ]. A control system is entered as a network of components to which security properties are assigned. A logic-based theory using induction rules then allows the tool to automatically infer vulnerabilities and corresponding attacks that could occur in this system. Changing the security properties allows users to reason about scenarios in which attackers have breached or compromised certain components. It is also possible to model the consequences of system changes, newly discovered bugs, applied patches, etc.

This initial model was tested on a wind turbine case study. The results have been submitted to a conference as a rst paper.

The model will be reworked to include an attacker model and distinguish between vulnerabilities and attacks. New functionalities to improve ICS security will be added to the tool, for instance decision support allowing the user to give a desired security property and presenting him with the optimal component con guration to achieve this. Input and output handling for the tool will be improved upon. Ways to automatically add ICS-CERT vulnerabilities posted on the website into the tool's logic theory will be explored. The result of the vulnerability extraction will be compatible with risk management tools such as CORAS.

Lastly, the model will be tested on multiple case studies.

Our research involves analysing the security in Industrial Control Systems. An important aspect of engineering secure systems is the veri cation of such systems. This is where our tool can help. When a new component for ICS is developed with certain security properties, our tool can model a complete system to assess the impact of this component on system security.