Trust But Verify: A Framework for the Trustworthiness of Distributed Systems

Many real-time process-control and industrial control systems, such as Supervisory Control and Data Acquisition (SCADA), use a distributed software architecture and rely on trusted message exchanges among software components. This article presents the Trust but Verify (TBV) middleware that promotes the idea that software components should not blindly trust each other. The TBV intercepts messages between a sender and a receiver to verify the consistency of the messages against rules associated with message types; this verification considers the system state. Based on the verification, a message is either delivered to the recipient or blocked. Even when components are mutually authenticated, it is possible that their counterparts are faulty or acting maliciously, persuading the receiver to take harmful actions. The contributions of this article are: (1) The design of the TBV middleware. (2) A proof-of-concept implementation of the TBV on a cyberphysical system-a water treatment facility. (3) An experimental validation of the TBV through several attack scenarios that allow compromised or faulty components to randomly send erroneous messages. These experiments measure the TBV's detection rate as well as its overhead. (4) An evaluation of the TBV overhead and performance degradation.