Industry 4.0 is driving manufacturing centers to utilize networked devices, many of which are potentially deployed with security vulnerabilities. Unfortunately, these devices often lack effective host-level protections and may have service lives beyond the vendor's support. At the same time, traditional network security solutions, such as firewalls, often leave coverage gaps and lack the necessary trust to ensure they do not become launchpads for future attacks. Therefore, adopting Industry 4.0 potentially amplifies the manufacturing domain's attack surface, creating new ways for attackers to steal proprietary data, sabotage manufacturing operations by making defective parts, and deny users access to critical machines.
This dissertation aims to design a practical system for defending manufacturing deployments from network attacks. We leverage advances in software-defined networking to provide device-specific network protections that can be "bolted-on'' to existing manufacturing networks in the form of a security gateway. Such a bolt-on approach allows for protecting existing machines without requiring modifications to the machines or their software. For a security gateway to be effective it must (1) be able to identify and mitigate vulnerabilities present in manufacturing devices, and (2) be trusted to enforce these protections even when the gateway itself is under attack.
The key contributions of this thesis are the following. We build a vulnerability assessment tool, C3PO, for analyzing networked 3D printers and their deployments, which we then use to evaluate 13 networked 3D printers and 5 manufacturing center deployments. Our evaluation identified common vulnerabilities such as susceptibility to denial of service attacks, not encrypting sensitive data in transit, and a lack of network isolation. These identified vulnerabilities inform the device-specific network protections the security gateway must provide. Next, we design a low-cost, trusted security gateway system, Jetfire, by building on top of a micro-hypervisor root of trust. We use formal modeling to guide the application of micro-hypervisor provided capabilities to provide an end-to-end guarantee that all packets are processed by the correct network protection (e.g., those identified by C3PO). We then demonstrate how this trusted architecture can be used to secure networked 3D printers by mitigating identified vulnerabilities as well as providing more elaborate protections such as behavior-based anomaly detection.
|Commitee:||Lewis, Grace , Rowe, Anthony , DeVincent Wolf, Sandra|
|School:||Carnegie Mellon University|
|Department:||Electrical and Computer Engineering|
|School Location:||United States -- Pennsylvania|
|Source:||DAI-B 82/7(E), Dissertation Abstracts International|
|Keywords:||3D printing, Network function virtualization, Network security, Software-defined networking|
Copyright in each Dissertation and Thesis is retained by the author. All Rights Reserved
The supplemental file or files you are about to download were provided to ProQuest by the author as part of a
dissertation or thesis. The supplemental files are provided "AS IS" without warranty. ProQuest is not responsible for the
content, format or impact on the supplemental file(s) on our system. in some cases, the file type may be unknown or
may be a .exe file. We recommend caution as you open such files.
Copyright of the original materials contained in the supplemental file is retained by the author and your access to the
supplemental files is subject to the ProQuest Terms and Conditions of use.
Depending on the size of the file(s) you are downloading, the system may take some time to download them. Please be