Mission Impact Assessment for Industrial Control Systems
1. Marina Krotofil, Mona Lange
European Network for Cyber Security
University of Lübeck, Germany
S4x15, Miami, USA – 15.01.15
2. What we are doing
PANOPTESEC
o EU project aimed at an automated cyber defense decision support system for critical infrastructure
o Prevent, detect, manage and react to cyber incidents in real time
o Improve situational awareness
o Support the decision-making process
5. Cyber-Physical Systems
Cyber-physical systems are IT systems “embedded” in an application in the physical world
Attack goals:
o Get the physical system into a state desired by the attacker
o Make the physical system perform actions desired by the attacker
7. ICS security
Continuous vulnerability disclosures and vulns for sale
Patching treadmill
Supply chain security
IT-SCADA specific security solutions
Vendors
Ralph Langner: “The pros don’t bother with vulnerabilities; they use features to compromise the ICS”
Result: Focus is on protecting the infrastructure
8. Process-related threats
PROBLEM: there is no approach to determining the impact of a cyber threat on the operational goals
Identification of failures and hazards
o HAZOP
o PHEA
o FMEA (FMECA)
o Etc.
Raising awareness of intentional misuses
o Stuxnet
o Aurora
o And some formally/informally rumored stories
10. ICS stakeholders
Process owners and asset owners: common opinion about each other
Diagram: ICS architecture levels, Level 0 (process, field equipment), Level 1 (regulatory control), Level 2 (supervisory control), Level 3 (process management), Level 4 (corporate network); assets shown: PLCs, HMI, engineering station, historian, publishing server, DMZ, DCS servers, application servers
11. ICS stakeholders
Same ICS architecture diagram as slide 10, with process owners and asset owners
We have a COMMON MISSION!!
12. Shift in defense
Same ICS architecture diagram as slide 10, with Level 0 labelled field instrumentation and Level 1 basic control; process owners and asset owners
Shift in defense: IT-centricity -> cyber attack resilient missions
We have a COMMON MISSION!!
13. Insider threat
Business processes secure by design
Easy targets: clueless user; disgruntled employee; integrators, support, contractors…
14. Terminology
Mission is a set of operational tasks to accomplish a certain purposive goal
The goal of cyber security is to protect ongoing and planned missions (not cyber assets)
Mission impact assessment is a threat assessment method to predict and evaluate the impact of cyber incidents on mission execution and accomplishment
16. Example: attack on data flow
Global mission: ensure execution of nuclear program
Mission: enrichment of uranium
Task: maintain proper rotating speed of the centrifuge
Diagram layers, top to bottom:
Operational goals
Business processes
o Operations: failure modes, hazards
o Workflow: access policies (users, permissions)
o Manufacturing workflow
Linkage to cyber assets
Cyber terrain
o PLC, frequency converter, centrifuge
o Engineering station, HMI, DB, Net. Admin
o Data flow
17. Example: attack on data flow
Same diagram as slide 16, with a SCADA hacker and an operator added
SCADA hacker:
o Data integrity: packet injection; replay; data manipulation; …
o DoS: DoS; DDoS; flooding; starvation; …
Operator: “I am not controlling the process!!”
31. Timing parameter
Physical exploitation
o Timing parameters of the attack itself
o Time to disaster
o Butterfly effect, snowball effect (timing interdependencies)
(Criticality) risk assessment
o Clean-up time
o Damage recovery time
o Equipment replacement
Business process assessment
o Window of opportunity to launch an attack
o Slowing down part(s) of the mission
32–36. Mission-centric approach
Three awareness pillars (the diagram is built up over slides 32–36):
Mission awareness
o Business processes
o Workflows
o Standard operating procedures
o Policies and regulations
o Critical dependencies
Threat awareness
o Internal threats
o External threats
o Vulnerability DB, threat sharing communities
o Threat intelligence
o Emerging trends (added in slides 35–36)
Infrastructure awareness
o System inventory
o Configuration files
o Network diagrams
o Data flow diagrams
o Access policies
38. Use case
Threat: Smart meter worm [Davis, Black Hat 2009]
o Infection during firmware update
o Wireless propagation
o Control over the meter to the attacker's benefit
39. Approach initiation
Mission statement: deliver an accurate view of the power grid state
List all possible mission disruptions
1. Incorrect load, phase, time, temperature information
2. Missing alarms, e.g. about power outages
3. Incorrect information about grid topology
44. Mission security boundaries
Goal: protect mission boundaries
o Mission-oriented network zoning for more flexible asset security protection
Challenge: interconnectedness of assets linked to distinct missions of different levels of criticality
Identification: reachability analysis
49. Fresh story
Make an inventory of the business processes
o ISO 27005 terminology
Prioritize them and determine which are critical to the operations
Identify supporting assets
Identify critical assets
Perform risk assessment
o Risk avoidance
o Risk modification
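The mission-to-task-to-cyber-asset linkage of slide 16, the reachability analysis of slide 44 and the critical asset identification of slide 49 can be combined into one small impact model. This is an added example, not code from the talk or the PANOPTESEC project; the missions, tasks, criticality scores and reachability edges are constructed sample data.

```python
from collections import deque

# Constructed sample data (not from the talk): slide 16's enrichment mission plus
# a low-criticality reporting mission sharing assets with it (slide 44's challenge).
# Task values are criticality scores; reachability edges are a hypothetical topology.
MISSION_TASKS = {
    "Enrichment of uranium": {"Maintain centrifuge speed": 5, "Log process data": 2},
    "Production reporting": {"Publish daily report": 1},
}
TASK_ASSETS = {  # linkage to cyber assets: what each task depends on
    "Maintain centrifuge speed": {"PLC", "Frequency converter", "HMI"},
    "Log process data": {"PLC", "Historian"},
    "Publish daily report": {"Historian", "Publishing server"},
}
REACHABLE = {  # directed reachability, from network diagrams and access policies
    "Engineering station": {"PLC", "HMI", "Historian"},
    "HMI": {"PLC"},
    "PLC": {"Frequency converter"},
    "Historian": {"Publishing server"},
    "Publishing server": set(),
    "Frequency converter": set(),
}

def reach_set(start):
    """Reachability analysis: every asset reachable from `start`, itself included."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in REACHABLE.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def mission_impact(compromised):
    """Per mission, the highest-criticality task that a compromise of
    `compromised` (and everything it can reach) could disrupt; 0 = no impact."""
    exposed = reach_set(compromised)
    return {m: max((c for t, c in tasks.items() if TASK_ASSETS[t] & exposed), default=0)
            for m, tasks in MISSION_TASKS.items()}

def rank_assets():
    """Critical asset identification: assets ranked by the total criticality
    of the tasks they can affect, highest first (ties by name)."""
    assets = set(REACHABLE) | {a for deps in TASK_ASSETS.values() for a in deps}
    score = {}
    for asset in assets:
        exposed = reach_set(asset)
        score[asset] = sum(c for tasks in MISSION_TASKS.values()
                           for t, c in tasks.items() if TASK_ASSETS[t] & exposed)
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))
```

In this sample the historian, a low-criticality asset on its own, still exposes the enrichment mission's logging task, which is the kind of cross-mission dependency that mission-oriented zoning has to surface.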
50. Summary
Emerging approach -> becomes more popular
o But loads of research still needs to be done
Actionable
Sustainable