Information Trust Institute (ITI) Calendar


ITI | CREDC Seminar Series: Dr. Roger Schell, "Dramatic Cyber-Physical Attack Surface Reduction Leveraging Integrity MAC Security Kernel"

Event Type
Seminar/Symposium
Sponsor
Cyber Resilient Energy Delivery Consortium (CREDC)
Location
Virtual: https://ncsaevents.webex.com/ncsaevents/j.php?MTID=m02aaf67f338ecbf457526ca340e39090
Date
Oct 1, 2019, 2:00 pm to 3:00 pm
Speaker
Dr. Roger Schell, President and Founder of Aesec Corporation
Contact
Linda Steinberg
E-Mail
gholson@illinois.edu
Phone
217-300-9585
Originating Calendar
CREDC Events

Poor resilience in energy delivery systems (EDS) is a national
existential threat, arising from vulnerability to cyberattacks
that inflict permanent damage on critical physical components.
A PLC is commonly the device controlling such components, e.g.,
bulk power generators. Our proof-of-concept implementation
dramatically mitigates threats to such cyber-physical systems
(CPS) by specifically leveraging what NIST 800-160 calls out
as “highly assured, kernel-based operating systems [OS] in
Programmable Logic Controllers [PLC]”.

We have decomposed the OpenPLC Project codebase,
constructing the overall CPS demonstration from distinct,
communicating components in hierarchically ordered security
integrity domains. A traditional integrity mandatory access
control (MAC) policy controls cross-domain flows and is
verifiably enforced by a security kernel-based OS. Only a
processing component in the highest integrity domain can
directly send/receive control signals, enforcing “safe region”
operating constraints to prevent physical damage. This very
small attack surface protects the high-integrity components,
making the overall CPS resilient to skilled adversaries’ attacks,
even though the much larger lower-integrity components running
on the same OS, hardware and network infrastructure may be
thoroughly compromised. We make available the
restructured OpenPLC source to encourage PLC
manufacturers to deliver verifiable PLC products to, as NIST
puts it, “achieve a high degree of system integrity and
availability” for EDS.
