Improving Usable Security and System Safety

Abstract

Usability in information technology systems plays of vital role in conducting operations safely and securely. The methods for judging usability vary greatly, which makes assessing any aspect of usability difficult. In cases of either safety or security, the inability to iden- tify usability shortcomings can be costly. This has been shown to be especially true for the Supervisory Control and Data Acquisition (SCADA) systems responsible for controlling national infrastructure. The literature reveals a gap in analysis methods for the identification of unsafe system states. The manner of entering these states is typically referred to as a misconfiguration, and may be accidental or intentional. Code analysis methods are used to create abstract representations of source code and binaries. The generated representations are used to indicate a level of correctness in regards to coding practices. However, there is no method currently being used for ladder logic written for SCADA systems which indicates correctness beyond identifying code which will fail to run correctly. In addressing this shortcoming, a static code analysis method was developed for the generation of abstract representations of possible system states, namely Fault Trees. Inputs into ladder logic are treated as initiating events, and the pathways through a system are mapped with the possible end states emphasized for further analysis. In this way inputs to a system can be looked at in regards to the possible states which the operator can place the system in. If the undesirable states are identified, engineering methods can be applied to mitigate or remove the undesired state. This may improve both security and usability in a system. To test the effectiveness of the static code analysis method created, a usability exper- iment was conducted. A model SCADA pipeline was created based on case studies and pipeline accident reports from the National Transportation and Safety Board. Twenty five test subjects operated the model pipeline in mock critical operating conditions. The model was first programmed using a simple ladder logic program for control. This program un- derwent the code analysis method studied, and was reconfigured to correct for the possibly unsafe system states discovered. Users were asked to reconfigure pipeline flow using both control programs to drive the model. Test subjects were then asked to ‘attack’ the model with both the simple program and the program that had undergone code analysis. This was done to more deliberately test the strength of the method, and to explore the relationship between usability and security. From this study it was shown that usability improvements, in relation to the model tested, could be made by identifying unsafe system states by using the code analysis method proposed. The number of accidental user misconfigurations resulting in an alarm condition and intentional user misconfigurations resulting in an alarm condition was significantly re- duced. It is believed that the method described shows promise as a means for conducting code analysis for the improvement of both usability and security in SCADA systems.