Fri Apr 8 06:49:41 PDT 2016
Incidents: Malicious ICS Alteration Detection: How should malicious ICS alteration be detected?
Options:
Option 1: Ignore detection and wait till consequences reveal attacks.
Option 2: Passive analysis.
Option 3: Redundancy and consistency checking.
Option 4: Active system control and feedback testing within control envelope.
Option 5: Add expertise.
Decision:
The table below summarizes this decision.
Risk   | Expertise | Approach |
High   | High      | Use active system control and feedback testing within the control envelope. AND Use redundancy and consistency checking. AND Use passive analysis. |
High   | Med-      | Add expertise. This is an unacceptable risk. DO NOT OPERATE THE SYSTEM. |
Medium | Med+      | Use redundancy and consistency checking. AND Use passive analysis. |
Medium | Low       | Add expertise. This is an unacceptable risk. DO NOT OPERATE THE SYSTEM. |
Low    | Med+      | Use passive analysis. OR Ignore detection and wait till consequences reveal attacks. |
Low    | Low       | Ignore detection and wait till consequences reveal attacks. |
How malicious ICS alteration is detected
Basis:
Malicious ICS component and composite alteration
is problematic because of its effect on the internal assumptions of
the systems. For example, assumptions of stability are violated when
components don't act as modeled or models are altered to mismatch
components they are intended to model. While this problem cannot be
solved in the general sense, detection is feasible in many cases based
on the differential complexity of making consistent alterations across
an entire system.
Ignore detection of malicious alteration and
wait till consequences reveal attacks. This is the common
approach today. In essence the system is assumed to operate properly
after initial testing unless and until it appears to do the wrong
thing from a standpoint of an operator or an externally observed event
(e.g., something blows up). Testing tends to be limited to test
conditions based on the model of how the system is supposed to work and
not based on arbitrary malicious alteration. Ignoring detection of
alteration and waiting till an alteration is obvious from its
consequences has two major problems:
- (a) The consequences may be highly undesirable (e.g., in High risk environments), and
- (b) By the time malicious alteration becomes obvious, it may be too late for mitigation.
Thus this approach is problematic in other than low risk
environments and unacceptable in high risk environments.
Passive analysis. Passive analysis uses
history from system components to perform analysis of historical events
and detect potential circumstances when the system did not operate
properly according to its modeled implementation. As such, it is a
passive, retrospective way to detect alteration or misoperation based
on data produced by the system under scrutiny.
Redundancy and consistency checking.
The use of redundant (separate and different) systems to (1) detect
inconsistencies between redundant components and (2) cause the composite
to tolerate faults. This can cover faults caused by intentional alterations
to the extent that the redundancy is sufficiently separate and
different so as to mitigate the induced alterations. However, enough
alteration will always be able to produce system failures. Up to the
defined level of simultaneous faults in the identified fault models,
redundancy should be designed so that each identified situation produces
inconsistencies that are sufficiently differentiable from those of the
other situations, so that one set of inconsistencies cannot masquerade
as another.
Active system control and feedback testing within
control envelope. In this approach, signals are induced into
the control system while remaining within the normal control envelope
so as to cause intentional alterations to be unable to adjust all
observables fast enough to provide correct output for the original
unaltered system. To the extent that the alterations produce
observable differences of adequate signal strength during the period
of induced signals, they can be detected. The defender gets
computational leverage by the fact that the alteration has to alter
responses in real-time while the detection system may take additional
time to detect alterations. However, there is an increase in risk when
near the edge of the control envelope that the induced signals will
bring the system out of control. Thus care must be taken in such
detection to avoid catastrophic failure conditions.
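The following is an added illustration of this approach, not code from the original page: a constructed first-order process is probed with a small set-point step that stays inside the control envelope (with a safety margin, so the probe is refused near the edge), a trusted model is run in parallel, and the residual between predicted and reported output is checked. Two constructed altered components are included: a sensor that reports a frozen "healthy" value, and one that forges a model-consistent reading but needs two steps to do so. The plant model, the envelope bounds, the threshold and the class names are all assumptions for the example.

```python
from collections import deque

# Constructed process model (hypothetical): y[k+1] = y[k] + (u - y[k]) * DT / TAU
DT, TAU = 1.0, 5.0
ENVELOPE = (0.0, 100.0)   # range the observable must stay within
MARGIN = 10.0             # never probe when the target is this close to an edge

def model_step(y, u):
    """One step of the reference model the defender trusts."""
    return y + (u - y) * DT / TAU

class Plant:
    """Unaltered process; its sensor reports the real state."""
    def __init__(self, y0):
        self.y = y0
    def step(self, u):
        self.y = model_step(self.y, u)
        return self.y

class FrozenSensor(Plant):
    """Altered component: reports a stale steady-state reading, so the
    induced transient never appears in the observable."""
    def step(self, u):
        super().step(u)
        return 50.0  # constructed stale reading

class LaggedForger(Plant):
    """Altered component that produces model-consistent readings but
    needs LAG steps to compute them; it cannot keep up in real time."""
    LAG = 2
    def __init__(self, y0):
        super().__init__(y0)
        self.history = deque([y0] * self.LAG)
    def step(self, u):
        self.history.append(super().step(u))
        return self.history.popleft()

def probe_is_safe(setpoint, probe):
    """True if the probed target stays MARGIN inside the control envelope."""
    lo, hi = ENVELOPE
    return lo + MARGIN <= setpoint + probe <= hi - MARGIN

def active_probe_test(plant, y_start, setpoint, probe=5.0, steps=20, threshold=1.0):
    """Induce a small set-point step, run the model from the last trusted
    reading y_start, and return (peak residual, detected). threshold is the
    constructed noise floor an unaltered system is allowed to show."""
    if not probe_is_safe(setpoint, probe):
        raise ValueError("probe would push the system toward the envelope edge")
    target, y_pred, peak = setpoint + probe, y_start, 0.0
    for _ in range(steps):
        y_pred = model_step(y_pred, target)
        peak = max(peak, abs(y_pred - plant.step(target)))
    return peak, peak > threshold
```

The lagged forger's residual peaks during the transient and then fades as the probe settles, which is why the detector must look during the period of induced signals rather than at steady state.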
Add expertise. For cases where
inadequate expertise is available to use these methods, a decision
should be made between avoiding inappropriate risks and adding
expertise.
Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved