Fri Apr 8 06:49:41 PDT 2016

Incidents: Malicious ICS Alteration Detection: How should malicious ICS alteration be detected?


Options:

Option 1: Ignore detection and wait till consequences reveal attacks.
Option 2: Passive analysis.
Option 3: Redundancy and consistency checking.
Option 4: Active system control and feedback testing within control envelope.
Option 5: Add expertise.

Decision:

The table below summarizes this decision.

Risk    Expertise  Approach
High    High       Use active system control and feedback testing within the control envelope,
                   AND use redundancy and consistency checking,
                   AND use passive analysis.
High    Med-       Add expertise. This is an unacceptable risk. DO NOT OPERATE THE SYSTEM.
Medium  Med+       Use redundancy and consistency checking,
                   AND use passive analysis.
Medium  Low        Add expertise. This is an unacceptable risk. DO NOT OPERATE THE SYSTEM.
Low     Med+       Use passive analysis,
                   OR ignore detection and wait till consequences reveal attacks.
Low     Low        Ignore detection and wait till consequences reveal attacks.

How malicious ICS alteration is detected

Basis:

Malicious ICS component and composite alteration is problematic because of its effect on the internal assumptions of the system. For example, assumptions of stability are violated when components do not act as modeled, or when models are altered so that they no longer match the components they are intended to model. While this problem cannot be solved in the general sense, detection is feasible in many cases because of the differential complexity of making consistent alterations across an entire system: the attacker must alter every component and model consistently, while the defender need only find one inconsistency.

Ignore detection of malicious alteration and wait till consequences reveal attacks.
This is the common approach today. In essence, the system is assumed to operate properly after initial testing unless and until it appears to do the wrong thing from the standpoint of an operator or an externally observed event (e.g., something blows up). Testing tends to be limited to test conditions based on the model of how the system is supposed to work and not based on arbitrary malicious alteration. Ignoring detection of alteration and waiting till an alteration is obvious from its consequences has two major problems:

  • (a) The consequences may be highly undesirable (e.g., High) and
  • (b) By the time malicious alteration becomes obvious, it may be too late for mitigation.

Thus this approach is problematic in other than low risk environments and unacceptable in high risk environments.

Passive analysis.
Passive analysis uses history from system components to perform analysis of historical events and detect potential circumstances when the system did not operate properly according to its modeled implementation. As such, it is a passive, retrospective way to detect alteration or misoperation based on data produced by the system under scrutiny; it can only reveal an alteration after the affected data has been recorded.

Redundancy and consistency checking.
The use of redundant (separate and different) systems to (1) detect inconsistencies between redundant components and (2) cause the composite to tolerate faults. This can cover faults caused by intentional alterations to the extent that the redundancy is sufficiently separate and different so as to mitigate the induced alterations. However, enough alteration will always be able to produce system failures. Up to the defined level of simultaneous faults in the identified fault models, redundancy should be designed so that each identified situation produces inconsistencies that are sufficiently differentiable from those of every other situation, preventing one set of inconsistencies from masquerading as another.

Active system control and feedback testing within control envelope.
In this approach, signals are induced into the control system while remaining within the normal control envelope, so that intentional alterations are unable to adjust all observables fast enough to provide the output the original, unaltered system would produce. To the extent that the alterations produce observable differences of adequate signal strength during the period of induced signals, they can be detected. The defender gets computational leverage from the fact that the alteration has to alter responses in real time, while the detection system may take additional time to detect alterations. However, there is an increased risk, near the edge of the control envelope, that the induced signals will bring the system out of control. Thus care must be taken in such detection to avoid catastrophic failure conditions.
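As an added illustration (not part of the original document), the following Python sketches the probing idea: a small alternating setpoint probe is induced, refused if it would approach the edge of a hypothetical envelope, and the reported observable is compared against the defender's plant model; an altered sensor that replays a steady value cannot track the probe in real time and is flagged. The first-order plant model, envelope bounds, tolerance and both sensor behaviours are constructed assumptions.

```python
# Added illustration of active feedback testing within the control envelope.
# Plant model, envelope limits and sensor behaviours are constructed for this
# example and are not taken from any real ICS.

ALPHA = 0.3                 # constructed first-order plant gain per step
ENVELOPE = (20.0, 80.0)     # hypothetical safe operating range for the observable
TOLERANCE = 0.5             # allowed residual between model prediction and report

def plant_step(x, setpoint, alpha=ALPHA):
    """Defender's model of one control step: x moves a fraction toward setpoint."""
    return x + alpha * (setpoint - x)

def probe_setpoints(baseline, amplitude, steps, envelope=ENVELOPE):
    """Alternating +/- probe around baseline, kept strictly inside the envelope.
    Refusing an out-of-envelope probe is the caveat from the text: the induced
    signal must not push the system toward the edge of control."""
    lo, hi = envelope
    if baseline - amplitude <= lo or baseline + amplitude >= hi:
        raise ValueError("probe would approach the edge of the control envelope")
    return [baseline + (amplitude if k % 2 == 0 else -amplitude) for k in range(steps)]

def predicted_response(x0, setpoints):
    """Observable sequence the model predicts for an unaltered system."""
    out, x = [], x0
    for u in setpoints:
        x = plant_step(x, u)
        out.append(x)
    return out

def honest_sensor(x0, setpoints):
    """Unaltered sensor: reports the true state (constructed to match the model)."""
    return predicted_response(x0, setpoints)

def frozen_sensor(x0, setpoints):
    """Constructed altered sensor: replays the pre-probe steady value, so it
    cannot adjust its output to the induced signal in real time."""
    return [x0 for _ in setpoints]

def detect_alteration(reported, predicted, tol=TOLERANCE):
    """Flag alteration if any residual between report and model exceeds tol."""
    worst = max(abs(r - p) for r, p in zip(reported, predicted))
    return worst > tol, worst

def run_probe(sensor, baseline=50.0, amplitude=5.0, steps=6):
    """Induce the probe, collect the sensor's reports and compare with the model."""
    setpoints = probe_setpoints(baseline, amplitude, steps)
    predicted = predicted_response(baseline, setpoints)
    return detect_alteration(sensor(baseline, setpoints), predicted)
```

With the constructed values, the honest sensor yields a zero residual while the frozen sensor misses the first probe step by 1.5 units and is flagged.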

Add expertise.
For cases where inadequate expertise is available to use these methods, a decision should be made between avoiding the inappropriate risk (not operating the system) and adding the expertise needed to apply the detection approaches above.

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved