Friday, September 11, 2015

Cyber-physical attacks on critical infrastructure (Part II: Attack and defense)


Although the range of cyber attacks on control systems that could affect the physical environment is very broad, we will only consider those that have been studied by the various stakeholders in industrial cyber security.

In particular, recent studies define the following categories according to the purpose of the cyber-physical attack:
  • Damage to equipment
  • Damage to production
  • Deterioration of compliance
Let's look at each of them in detail:


Damage to equipment


Such cyber attacks are intended to produce permanent failures and breakdowns of the industrial equipment that interacts with the physical environment. In particular, attacks have been studied on the following elements:

  • Pipes and pipelines: Rapid, and sometimes coordinated, opening and closing of valves can cause a physical phenomenon called "water hammer": a pressure surge inside the pipe that can exceed its structural strength, causing it to rupture and discharge the fluid (liquid or gas) it carries.
  • Tanks: Tanks are often designed to withstand very high internal pressures, but they collapse at very low internal pressure (vacuum). Sudden changes in the temperature inside a tank can lead to abrupt changes in internal pressure, which could eventually collapse it.
  • Generators: As demonstrated in the Aurora experiment, opening and closing the breakers of a generator connected to an electrical substation out of phase with the grid produces mechanical stresses that physically break it.
  • Motors: In its last phase, the Stuxnet cyber attack tended to over-speed the motors of the uranium enrichment centrifuges for long periods of time, causing material fatigue and subsequent failure.
  • Chemical reactors: Many common chemical reactions take place at high temperatures, so a change in the conditions under which the reaction is controlled may be associated with a significant temperature increase that causes thermal damage to the reactor structure, up to its total destruction.


It is also possible to combine two or more of these attacks, so that, for example, a loss of power is combined with a loss of control over some element, or with driving it into an unstable operating condition.
Although we have been considering these as attacks, there are historical examples of major industrial accidents caused by malfunctions in control systems.
The following sections will also show how the detection technologies discussed can help detect some of the operational failures that could lead to serious industrial accidents.

Damage to production


The purpose of this type of cyber attack on the process is to alter the financial results of the organization that operates it. Among those studied are the following:

  • Decrease in the amount of final product: By changing certain process control variables at specific points, the amount of product obtained can be altered. A clear example of this was built on the production of vinyl acetate monomer and presented at Black Hat in Las Vegas in August 2015 [7].
  • Decrease in product purity: If the alterations to the process control variables change the purity of the final product, a significant devaluation of that product can result. A concrete example is paracetamol, whose purity can change its price by several orders of magnitude.
  • Increase in operating and maintenance costs: Cyber attacks can intentionally trigger process alarms to force recalibration of field devices as often as the attackers wish, thereby increasing the costs of the targeted organization. Moreover, repeatedly attacking processes with different values is one of the most common ways of hiding such attacks, because the suspicions of the maintenance teams are then directed elsewhere within the organization.

Deterioration of compliance


The legal and regulatory frameworks that organizations must comply with mean that certain commitments they have made can carry very significant penalties if breached. Among this kind of commitment we can find the following:
  • Safety regulations: Altering a safety parameter of the industrial plant may constitute a violation of safety rules, which in turn can result in a large fine in the event of an inspection.
  • Environmental impact: Discharges into rivers, or the production of waste containing certain compounds above the permitted thresholds, are punished with significant financial penalties.
  • Contractual breaches: Altering the purity or quantity of the product can cause certain contract clauses not to be met, preventing the agreed billing and causing significant economic losses to the organization.
All the cyber attacks studied in the past year share a number of common characteristics:

  • Semantic attacks: They require in-depth knowledge of the environment, the process and the variables to be altered in order to produce the desired effects.
  • Targeted at the control network: They use "legitimate" users and systems, unauthenticated control protocols and "valid" commands, and are executed with appropriate permissions. Nothing in the protocol exchange itself is malformed; what is wrong is the effect of the command on the process.
  • Conducted by multidisciplinary teams: composed of an IT team (network and systems), an OT team (SCADA) and process engineers from the attacked sector.

Given the cyber-physical nature of these process attacks, and the technical characteristics of control networks described above, critical infrastructure protection presents a number of problems that can only be addressed with the solutions described in the next section.

It might seem that this type of attack is too complicated or exceptional to take into account in our risk analysis, but do not forget that:

  1. They are targeted attacks intended to cause physical damage, and could be executed or sponsored by state organizations.
  2. They have already materialized, and were not mere theoretical laboratory studies.
  3. In both cases the cyber attack came from outside the attacked facilities, even though these were assumed to be isolated from the Internet. (The average number of external connections found in control network assessments is 11.)
  4. The success of these attacks could endanger human lives.
  5. Law 8/2011 on Critical Infrastructure Protection (the PIC Act) explicitly mentions the need to consider very high-impact events, such as these attacks, in the risk assessment of this type of infrastructure.

Another common line of thinking when leaving these cyber-physical attacks out of the risk analysis is to consider them already covered by safety plans. As the Mogford report on the Texas City refinery accident showed, there was a lack of preventive maintenance on safety-critical systems. So, once again, we cannot rely on initial conditions to establish the actual security state of the infrastructure; we need to assess it periodically.


Critical Infrastructure Protection


Cyber security rests on three pillars: people, procedures and technologies. This case is no different, so the following sections set out a series of recommendations to protect such infrastructure from the cyber-physical attacks described above.

People


As we saw earlier in this note, such cyber attacks can only materialize through the joint action of experts in different fields (IT technology, OT technology and the industrial process to be attacked). Critical infrastructure operators therefore need multidisciplinary teams in their cyber security organizations, working in a coordinated way to protect them.
This is one of the most common problems encountered in implementing the CIP law, because of the existing inertia in many organizations: the control and security worlds have always sat in different functional areas, with different managers and budgets.
Awareness at the senior management level of the infrastructure operator is required to make the critical changes needed in the functional organization, so that a single multidisciplinary team is responsible for this cyber security.

Procedures


It is a priority to change the procurement procedures of critical infrastructure operators to require the inclusion of cyber security requirements for automation and control solutions, just as such requirements already exist for plant safety. Deploying controls and countermeasures in control networks without this security-by-design approach will be much more difficult and expensive.
Given the semantic nature of these attacks, it is necessary to expand the risk analysis to contemplate attacks on the process. As seen above, this is only possible with the participation of process control engineers in this activity, where cyber security and safety converge (hazard / risk analysis).

Technologies


For all the above reasons, the security measures adopted in such environments must take into account the importance of availability in control networks. Any measure implemented should be as safe as possible in terms of its impact on the process being protected. According to ICS-CERT (US Department of Homeland Security), the impact of the various protection technologies to consider when deploying them in such networks is as follows:

[Table: impact of protection technologies on industrial control networks; not reproduced here]

As can be seen, intrusion detection systems are the technology with the least impact on industrial control networks.


Within this technology, and considering the significant limitations on installing third-party software on the control systems (SCADA servers, engineering workstations and operator stations or HMIs), NIDS technology (network intrusion detection system) is the indicated choice, since it requires neither modification of the existing network architecture nor reconfiguration of any of the systems. In practice a NIDS still needs a SPAN/mirror port or a network TAP to see the traffic, and, because the attacks described here use well-formed protocol messages, it has to understand the control protocol and the process (which points are written, how often, and within what range) rather than rely on signatures of malformed traffic alone.
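To make the last point concrete, here is a small process-aware detector of the kind a NIDS would run over mirrored control traffic. It is an added example written for this page, not code from the original post or from any product it mentions. It assumes, hypothetically, that valves are driven by Modbus/TCP coils (function code 5) and that setpoints live in holding registers (function code 6), and that a process engineer has supplied the safe envelope (point names, the maximum valve toggle rate, and the temperature setpoint band). The frames are constructed inline so the script runs offline; it flags the rapid valve cycling behind the "water hammer" attack above and an out-of-range reactor setpoint, both sent as entirely "valid" commands.

```python
"""Process-aware (semantic) detection of Modbus/TCP write commands.

Added example, not from the original post. Point addresses, thresholds and
the traffic below are constructed for illustration; a real NIDS would feed
frames captured from a SPAN port or TAP into SemanticDetector.inspect().
"""
import struct
from collections import defaultdict, deque

# Engineering knowledge a semantic detector needs (hypothetical values):
COIL_POINTS = {0x0010: "valve V-101"}          # coil address -> process point
MAX_TOGGLES = 4                                 # more state changes than this ...
TOGGLE_WINDOW_S = 10.0                          # ... within this window is suspicious
REGISTER_POINTS = {0x0020: ("reactor R-1 temperature setpoint", 120, 180)}  # (name, min, max)


def parse_modbus_tcp(frame: bytes):
    """Decode a Modbus/TCP request: 7-byte MBAP header followed by the PDU.

    Returns (unit_id, function_code, address, value) for Write Single Coil (5)
    and Write Single Register (6), or None for anything else or a bad frame.
    """
    if len(frame) < 12:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None  # not Modbus/TCP, or a truncated/padded frame
    fc = frame[7]
    if fc in (5, 6):
        addr, val = struct.unpack(">HH", frame[8:12])
        return unit, fc, addr, val
    return None


def build_write(tid, unit, fc, addr, val):
    """Encode a Write Single Coil (5) / Write Single Register (6) request."""
    pdu = struct.pack(">BHH", fc, addr, val)
    # MBAP length counts the unit id byte plus the PDU
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


class SemanticDetector:
    """Tracks coil toggle rate and holding-register write ranges per point."""

    def __init__(self):
        self.toggles = defaultdict(deque)  # coil address -> timestamps of state changes
        self.coil_state = {}               # coil address -> last commanded state

    def inspect(self, ts: float, frame: bytes):
        """Return a list of alert strings for one frame (empty if benign)."""
        alerts = []
        parsed = parse_modbus_tcp(frame)
        if parsed is None:
            return alerts
        _unit, fc, addr, val = parsed
        if fc == 5 and addr in COIL_POINTS:
            state = (val == 0xFF00)  # Modbus encodes coil ON as 0xFF00, OFF as 0x0000
            prev = self.coil_state.get(addr)
            if prev is not None and prev != state:
                q = self.toggles[addr]
                q.append(ts)
                while q and ts - q[0] > TOGGLE_WINDOW_S:
                    q.popleft()  # forget toggles outside the sliding window
                if len(q) > MAX_TOGGLES:
                    alerts.append(f"{COIL_POINTS[addr]}: {len(q)} toggles in "
                                  f"{TOGGLE_WINDOW_S:.0f}s (rapid valve cycling)")
            self.coil_state[addr] = state
        elif fc == 6 and addr in REGISTER_POINTS:
            name, lo, hi = REGISTER_POINTS[addr]
            if not lo <= val <= hi:
                alerts.append(f"{name}: write {val} outside safe band [{lo}, {hi}]")
        return alerts


def run_demo():
    """Constructed traffic: a legitimate slow valve operation, then an attack."""
    det = SemanticDetector()
    frames = [(0.0, build_write(1, 1, 5, 0x0010, 0xFF00)),    # open valve at t=0
              (60.0, build_write(2, 1, 5, 0x0010, 0x0000))]   # close it a minute later
    # attack: valve hammered open/close every 0.5 s using valid commands
    for i in range(12):
        frames.append((100.0 + 0.5 * i,
                       build_write(10 + i, 1, 5, 0x0010, 0xFF00 if i % 2 == 0 else 0x0000)))
    frames.append((200.0, build_write(30, 1, 6, 0x0020, 150)))  # in-range setpoint
    frames.append((201.0, build_write(31, 1, 6, 0x0020, 240)))  # out-of-range setpoint
    alerts = []
    for ts, frame in frames:
        alerts.extend(det.inspect(ts, frame))
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The slow open/close at t=0 and t=60 produces no alert; the hammering sequence trips the rate rule from the fifth toggle onward, and the 240 write trips the range rule. The point is that none of these frames is malformed, so a signature-only NIDS would stay silent: the thresholds come from the process engineer, which is why the text insists on their participation.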