Fri Apr 8 06:49:41 PDT 2016
Overarching: Content: What are the reasonably anticipated consequences of ICS information protection failures?
Options:
Fill in the table by identifying relevant content types with examples and removing or replacing consequences identified.
Decision:
For identified ICS situations, associate content and failure modes
that might produce identified consequences (and the consequence types)
as a result of loss of integrity (I), availability (A),
confidentiality (C), control over use (U), and loss of accountability
(T) and supply details of the basis for this conclusion:
Situation in the ICS environment | Relevant ICS content and failure mode(s) | Identified LOW consequence type(s) and description(s) | Identified MEDIUM consequence type(s) and description(s) | Identified HIGH consequence type(s) and description(s) |
Processing rate or output quality is reduced {within / outside} of defined tolerance ranges. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Processing is stopped and has to be restarted and {no / some} equipment damage results. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Processing is stopped and cannot be restarted until {equipment / facility} is {repaired / replaced} resulting in {delay / loss / shutdown / etc.}. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Hazardous conditions arise during processing, producing undesired {internal / near-equipment / facility-wide / outside-of facility / regional / global} effects. [define area and effects] | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Competitive advantage is lost or reduced (e.g., from leaked status or process details, corrupted content, etc.). | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Leaked status or process details leads to {internal / external} exploitation for {illegal activities / harm to plant or facility / harm to infrastructure / harm to enterprise}. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Limited loss of control. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Substantial loss of business or harm to brand results. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Conditions interfere with contracts or upset customers. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Confidential or proprietary data leaked. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Intellectual property like patent background and design data leaked. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Medical treatment, dose, or device controls that interact with humans fail (in various ways). | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Decision support mechanisms fail to provide proper assistance. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Supervisory control and data acquisition (SCADA) systems fail to operate properly. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Programmable logic controllers (PLCs) fail to operate properly. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Distributed Control Systems (DCS) fail to {accurately depict sensory data / properly actuate}. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
ICS {internal / external} communications mechanisms fail to operate properly. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Critical infrastructure systems fail {causing ICS effects / as a result of ICS failures}. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Legally protected confidential medical, privacy, or other data inadequately protected in ICS environment. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
{Internal/External} information asks ICS to operate in an {undesired/unsafe} mode. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Legal mandates inadequately carried out in the ICS environment. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Legal {retention / disposition / holds} impact ICS {operations / historians}. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Industry-specific regulations unable to be properly met or demonstrated. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Contractually mandated controls unable to be properly met or demonstrated. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Contractual limitations on {use / sharing / disposition} improperly fulfilled. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Contract performance data improperly {provided / applied}. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Government classified or restricted data improperly handled. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Controls with regard to {import / export / transport / some other requirement} not properly carried out. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Required {reporting / tracking / accountability} mechanisms not properly functioning. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Controlled {substances / devices / artifacts} inadequately controlled. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Personally identifying information not properly controlled. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Medical information (test results, fees, providers, etc.) not properly controlled. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
ICS production output tainted in obvious ways | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
ICS production output tainted in non-obvious ways harming down-stream application | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
HMI doesn't accurately reflect actual activities of the system under control | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Sensor output doesn't accurately reflect actual phenomena being sensed | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
System operates open loop for a period of time | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Safety system cross-linked with control system | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Safety system overwhelmed by control system | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Assumptions about process inputs (e.g., materials, amounts, concentrations, etc.) don't match reality | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Positive feedback modes occur in unanticipated ways during operation | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Process mechanisms (e.g., mechanical structures) get altered by control system exploitation | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Theft or unaccounted for removal of materials from control system elements | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Addition of materials to control system elements | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Deceptions of sensors and/or actuators carried out against control systems | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Simulations substituted for actual elements of control systems | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Repeated cycling of power / other external supply and/or demand | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Waveform attacks on external supply and/or demand | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Social influence effects on user behavior affecting control system | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
Reasonably anticipated consequences of security failures
The key for the above table is as follows:
Key | Description |
Waste | Wasted time and effort (inefficiency) |
Insured | Losses reasonably covered by insurance (e.g., shrinkage, minor accidents and injuries). |
PR | Substantial negative publicity. |
Gross | Acts viewed as gross negligence. |
Losses | Substantial enterprise value reduction. |
Injury | Serious bodily harm. |
Environment | Limited environmental damage. |
Society | Limited societal harm. |
Death | Loss of (human) life |
Environment | Serious environmental damage. |
Society | Serious societal damage |
Collapse | Enterprise Collapse. |
Dire | Other dire consequences. |
Key for protection failures
Basis: Describe the basis for each claim or refer to external
documentation. Add rows as necessary. At least the following areas
should be considered in your analysis, even if many of them may not be
placed in the table:
Processing rate or output quality is reduced {within / outside} of defined tolerance ranges.
Processing is stopped and has to be restarted and {no / some} equipment damage results.
Processing is stopped and cannot be restarted until {equipment / facility} is {repaired / replaced} resulting in {delay / loss / shutdown / etc.}.
Hazardous conditions arise during processing, producing undesired {internal / near-equipment / facility-wide / outside-of facility / regional / global} effects. [define area and effects]
Competitive advantage is lost or reduced (e.g., from leaked status or process details, corrupted content, etc.).
Leaked status or process details leads to {internal / external} exploitation for {illegal activities / harm to plant or facility / harm to infrastructure / harm to enterprise}.
Limited loss of control.
Substantial loss of business or harm to brand results.
Conditions interfere with contracts or upset customers.
Confidential or proprietary data leaked.
Intellectual property like patent background and design data leaked.
Medical treatment, dose, or device controls that interact with humans fail (in various ways).
Decision support mechanisms fail to provide proper assistance.
Supervisory control and data acquisition (SCADA) systems fail to operate properly.
Programmable logic controllers (PLCs) fail to operate properly.
Distributed Control Systems (DCS) fail to {accurately depict sensory data / properly actuate}.
ICS {internal / external} communications mechanisms fail to operate properly.
Critical infrastructure systems fail {causing ICS effects / as a result of ICS failures}.
Legally protected confidential medical, privacy, or other data inadequately protected in ICS environment.
{Internal/External} information asks ICS to operate in an {undesired/unsafe} mode.
Legal mandates inadequately carried out in the ICS environment.
Legal {retention / disposition / holds} impact ICS {operations / historians}.
Industry-specific regulations unable to be properly met or demonstrated.
Contractually mandated controls unable to be properly met or demonstrated.
Contractual limitations on {use / sharing / disposition} improperly fulfilled.
Contract performance data improperly {provided / applied}.
Government classified or restricted data improperly handled.
Controls with regard to {import / export / transport / some other requirement} not properly carried out.
Required {reporting / tracking / accountability} mechanisms not properly functioning.
Controlled {substances / devices / artifacts} inadequately controlled.
Personally identifying information not properly controlled.
Medical information (test results, fees, providers, etc.) not properly controlled.
ICS production output tainted in obvious ways
ICS production output tainted in non-obvious ways harming down-stream application
HMI doesn't accurately reflect actual activities of the system under control
Sensor output doesn't accurately reflect actual phenomena being sensed
System operates open loop for a period of time
Safety system cross-linked with control system
Safety system overwhelmed by control system
Assumptions about process inputs (e.g., materials, amounts, concentrations, etc.) don't match reality
Positive feedback modes occur in unanticipated ways during operation
Process mechanisms (e.g., mechanical structures) get altered by control system exploitation
Theft or unaccounted for removal of materials from control system elements
Addition of materials to control system elements
Deceptions of sensors and/or actuators carried out against control systems
Simulations substituted for actual elements of control systems
Repeated cycling of power / other external supply and/or demand
Waveform attacks on external supply and/or demand
Social influence effects on user behavior affecting control system
Basis:
Different ICS mechanisms have different implications in different
situations in terms of the consequences of protection failures.
Typical consequences identified include:
- LOW: Wasted time and effort (inefficiency) and Losses reasonably covered by insurance (e.g., shrinkage, minor accidents and injuries).
- MEDIUM: Substantial negative publicity, Acts viewed as gross negligence, Substantial enterprise value reduction, Serious injury, Limited environmental damage or societal harm.
- HIGH: Loss of life, Serious environmental or societal damage, Enterprise Collapse, Other dire consequences
For example, a temperature control system might have LOW
consequences in a small automated photographic developing facility, a
MEDIUM consequence in a food production facility (where redundant
tests identify a "bad batch"), and HIGH consequences in a chemical
plant where its failure causes a major explosion.
Typically, consequences resulting from information protection
failures are associated with a loss of integrity (I), availability
(A), confidentiality (C), control over use (U), or loss of
accountability (T) in an information system, with the ultimate
result leading to real-world effects through the impact of the
failures on the control system.
Processing rate or output quality is reduced {within / outside}
of defined tolerance ranges: For example, water quality goes below
required levels or tastes a bit off but remains within required levels.
Processing is stopped and has to be restarted and {no / some}
equipment damage results: For example, a faulty hazard condition
that has to be cleared to continue but lasts long enough to shut down
the process.
Processing is stopped and cannot be restarted until {equipment
/ facility} is {repaired / replaced} resulting in {delay / loss /
shutdown / etc.}: For example, too rapid opening or closing of a
valve causing overpressure causing valve or pipe breakage.
Hazardous conditions arise during processing, producing
undesired {internal / near-equipment / facility-wide / outside-of
facility / regional / global} effects. [define area and effects]:
For example leak of chemicals produced as a side effect of excess pressure
in a processing element.
Competitive advantage is lost or reduced: For example, from leaked
status or process details, corrupted content, etc.
Leaked status or process details leads to {internal / external}
exploitation for {illegal activities / harm to plant or facility /
harm to infrastructure / harm to enterprise}: For example,
real-time data exploitable in marketplaces to gain financial advantage,
details of when a particular event will happen or is happening, or
alteration of targeting information in flight.
Limited loss of control: For example, inability to shut
down a process using the normal method forcing physical presence.
Substantial loss of business or harm to brand results: For example tainted
production output is detected at point of sale.
Conditions interfere with contracts or upset customers: For
example, alterations to publicly accessible information or the data
supporting it that indicates process failures or security inadequacies.
Confidential or proprietary data leaked: For example,
production details indicating process problems are improperly available
on an external portal.
Intellectual property like patent background and design data
leaked: For example, access to the ICS environment might grant
access to specifics of trade secret or pre-patent process.
Medical treatment, dose, or device controls that interact with
humans fail (in various ways): For example, doses get changed due
to cosmic rays altering memory.
Decision support mechanisms fail to provide proper
assistance: For example, plant automation provides incorrect
warning messages and displayed conditions.
Supervisory control and data acquisition (SCADA) systems fail
to operate properly: For example, a maintenance change causes
the SCADA to issue commands intended to damage the plant.
Programmable logic controllers (PLCs) fail to operate
properly: For example a PLC stuck-at failure causes a valve to
refuse to shut.
Distributed Control Systems (DCS) fail to {accurately depict
sensory data / properly actuate}: For example, varying delays
through switching infrastructure cause desynchronized data to
controllers.
ICS {internal / external} communications mechanisms fail to
operate properly: For example, noise in a serial line causes
lost or corrupted protocol elements.
Critical infrastructure systems fail {causing ICS effects / as
a result of ICS failures}: For example, power outages cause molten
metal to cool to a solid.
Legally protected confidential medical, privacy, or other data
inadequately protected in ICS environment: For example,
maintenance access reveals confidential information to vendor during
upgrades.
{Internal/External} information asks ICS to operate in an
{undesired/unsafe} mode: For example, an intentional alteration of
recipe values produces bad batches.
Legal mandates inadequately carried out in the ICS
environment: For example, apparent shrinkage of controlled
substance inventory because of inadequate precision and accuracy in
volume measurement system.
Legal {retention / disposition / holds} impact ICS {operations
/ historians}: For example, a legal hold causes an overrun in
historian storage causing loss of more recent records.
Industry-specific regulations unable to be properly met or
demonstrated: For example, unable to clear end-of-period transactions
because control system improperly reports remaining inventory.
Contractually mandated controls unable to be properly met or
demonstrated: For example, control system unable to maintain
parameters to within tolerances.
Contractual limitations on {use / sharing / disposition}
improperly fulfilled: For example, an automated repository system
improperly sends the wrong documents to a shredder.
Contract performance data improperly {provided / applied}:
For example, usage rates of a limited-number-of-use mechanism are
incorrectly analyzed for replacement scheduling.
Government classified or restricted data improperly
handled: For example, classified control system settings
improperly displayed in unclassified closed circuit television system
surveilling the area.
Controls with regard to {import / export / transport / some
other requirement} not properly carried out: For example, mislabeling
results in transport of dangerous goods in the wrong container type.
Required {reporting / tracking / accountability} mechanisms not
properly functioning: For example inventory not properly updated
to reflect actual use in production.
Controlled {substances / devices / artifacts} inadequately
controlled: For example, pick and place picks the wrong pills for
a shipment.
Personally identifying information not properly controlled:
For example, misassignment of shipping labels to boxes being shipped.
Medical information (test results, fees, providers, etc.) not
properly controlled: For example, misassociation of results with
patients.
ICS production output tainted in obvious ways: For example,
water comes out of the plant brown instead of clear.
ICS production output tainted in non-obvious ways harming
down-stream application: For example, steel processing produces
inferior steel resulting in weaker structures in use.
HMI doesn't accurately reflect actual activities of the system
under control: For example a replay of prior events is played
instead of live data.
Sensor output doesn't accurately reflect actual phenomena being
sensed: For example, a faulty sensor produces false readings.
System operates open loop for a period of time: For
example, the control signals are disabled by a switching
infrastructure outage.
Safety system cross-linked with control system: For example
accidental connections between respective networks.
Safety system overwhelmed by control system: For example
the synchronized use of multiple control points produces more force
than the safety system can compensate for.
Assumptions about process inputs (e.g., materials, amounts,
concentrations, etc.) don't match reality: For example, a heavier
grade of oil is used than designed for, a different composition of
sand and gravel is used in a cement mixer, soda pop in drinking
fountains, etc.
Positive feedback modes occur in unanticipated ways during
operation: For example, a specific configuration not well tested
produces undamped feedback in a subsystem when controls are synchronized
to physical parameters.
Process mechanisms (e.g., mechanical structures) get altered by
control system exploitation: For example, power cycling to cause
metal migration, bang-bang commands to deform a container, intentional
overheating to cause power lines to droop, etc.
Theft or unaccounted for removal of materials from control
system elements: For example stealing gasoline from a pipeline or
oil from a lubrication system.
Addition of materials to control system elements: For
example addition of coloring to a water system, chemicals to a
chemical processing plant, sugar to a gas tank.
Deceptions of sensors and/or actuators carried out against
control systems: For example, mechanically holding a float at a
level regardless of actual fluid present.
Simulations substituted for actual elements of control
systems: For example, replacement of a portion of a water system
with a computer that provides phoney sensor data to steal water.
Repeated cycling of power / other external supply and/or
demand: For example switching on and off lighting systems in a
large building.
Waveform attacks on external supply and/or demand: For
example, systematic increases and decreases in voltage supplied by
multiple power plants feeding a central switching station combined
with changes in demand from large customers.
Social influence effects on user behavior affecting control
system: For example, high volumes of toilet flushes during half-time
at a football game augmented by a social media water-tainting story
asking all citizens to run their water for 15 minutes.
Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved