Risk | Expertise | Approach |
---|---|---|
High | High | Use active system control and feedback testing within the control envelope, AND use redundancy and consistency checking, AND use passive analysis. |
High | Med- | Add expertise. This is an unacceptable risk. DO NOT OPERATE THE SYSTEM. |
Medium | Med+ | Use redundancy and consistency checking, AND use passive analysis. |
Medium | Low | Add expertise. This is an unacceptable risk. DO NOT OPERATE THE SYSTEM. |
Low | Med+ | Use passive analysis, OR ignore detection and wait till consequences reveal attacks. |
Low | Low | Ignore detection and wait till consequences reveal attacks. |
Malicious component and composite alteration is problematic because of its effect on the internal assumptions of the system. For example, assumptions of stability are violated when components don't act as modeled, or when models are altered so that they no longer match the components they are intended to model. While this problem cannot be solved in the general sense, detection is feasible in many cases because of the differential complexity of making consistent alterations across an entire system.
Ignore detection of malicious alteration and wait till consequences reveal attacks.
This is the common approach today. In essence, the system is assumed to operate properly after initial testing unless and until it appears to do the wrong thing from the standpoint of an operator or an externally observed event (e.g., something blows up). Testing tends to be limited to test conditions based on the model of how the system is supposed to work, and not based on arbitrary malicious alteration. Ignoring detection of alteration and waiting till an alteration is obvious from its consequences has two major problems:
Passive analysis.
Passive analysis uses history from system components to analyze historical events and detect potential circumstances in which the system did not operate properly according to its modelled implementation. As such, it is a passive, retrospective way to detect alteration or misoperation based on data produced by the system under scrutiny.
Redundancy and consistency checking.
The use of redundant (separate and different) systems to detect inconsistencies between redundant components, and to cause the composite to tolerate faults, can cover faults caused by intentional alterations to the extent that the redundancy is sufficiently separate and different to mitigate the induced alterations. However, enough alteration will always be able to produce system failures. Up to the defined level of simultaneous faults in the identified fault models, redundancy should be designed so that each identified situation produces inconsistencies that are sufficiently differentiable from each other to prevent one set of inconsistencies from masquerading as another.
Active system control and feedback testing within the control envelope.
In this approach, signals are induced into the control system while remaining within the normal control envelope, so that intentional alterations are unable to adjust all observables fast enough to provide the correct output of the original, unaltered system. To the extent that the alterations produce observable differences of adequate signal strength during the period of induced signals, they can be detected. The defender gets computational leverage from the fact that the alteration has to alter responses in real time, while the detection system may take additional time to detect alterations. However, near the edge of the control envelope there is an increased risk that the induced signals will bring the system out of control. Thus care must be taken in such detection to avoid catastrophic failure conditions.
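As an added example that is not part of the original page, the active feedback test above as a toy simulation: a first-order plant, the defender's model of it, a constructed "stale" sensor alteration that lags behind the plant, and a small probe step kept inside the control envelope. The plant parameters, the lag, the detection threshold and every function name are assumptions made for illustration.

```python
"""Active feedback testing within the control envelope, as a toy simulation.
Plant, model, sensor alteration and thresholds are constructed for this example."""

GAIN, TAU = 2.0, 5.0  # constructed first-order plant: settles at GAIN*u, time constant TAU steps

def plant_step(y, u):
    """One step of the true (unaltered) plant."""
    return y + (GAIN * u - y) / TAU

def model_step(y_hat, u):
    """The defender's model of the plant; here the model itself is intact."""
    return y_hat + (GAIN * u - y_hat) / TAU

def honest_sensor():
    """Factory for an unaltered sensor that reports the true plant output."""
    return lambda y_true: y_true

class StaleSensor:
    """Constructed alteration: reports the true value from `lag` steps ago, so it
    cannot follow the plant quickly enough once a probe signal is injected."""
    def __init__(self, lag=3):
        self.lag, self.buf = lag, []

    def __call__(self, y_true):
        self.buf.append(y_true)
        return self.buf[max(0, len(self.buf) - 1 - self.lag)]

def probe_test(make_sensor, steps=60, probe_at=40, probe_amp=0.2, base_u=1.0, window=10):
    """Hold a constant input, then inject a small step (inside the envelope) at `probe_at`.
    Return the worst |reading - model| over `window` steps before the probe (passive) and after it (active)."""
    sensor = make_sensor()
    y_true = y_hat = passive = active = 0.0
    for t in range(steps):
        u = base_u + (probe_amp if t >= probe_at else 0.0)
        y_true = plant_step(y_true, u)
        y_hat = model_step(y_hat, u)
        residual = abs(sensor(y_true) - y_hat)
        if probe_at - window <= t < probe_at:
            passive = max(passive, residual)
        elif probe_at <= t < probe_at + window:
            active = max(active, residual)
    return passive, active

def alteration_detected(make_sensor, threshold=0.05):
    """Threshold must exceed model error and sensor noise yet stay below the probe's expected residual."""
    return probe_test(make_sensor)[1] > threshold

if __name__ == "__main__":
    for name, factory in (("honest", honest_sensor), ("stale", StaleSensor)):
        print(name, probe_test(factory), alteration_detected(factory))
```

At steady state the lagging sensor agrees with the model to within a few thousandths, so passive analysis sees nothing, while the probe step produces a residual of roughly 0.2 that the detector catches.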
Add expertise.
For cases where inadequate expertise is available to use these methods, a decision should be made between avoiding inappropriate risks and adding expertise.