|High||High|| Use active system control and feedback testing within the control envelope. |
AND Use redundancy and consistency checking.
ANDUse Passive analysis.
|High||Med-||Add expertise. This is an unacceptable risk. DO NOT OPERATE THE ICS.|
|Medium||Med+|| Use redundancy and consistency checking. |
ANDUse Passive analysis.
|Medium||Low||Add expertise. This is an unacceptable risk. DO NOT OPERATE THE ICS.|
|Low||Med+|| Use passive analysis. |
OR Ignore detection and wait till consequences reveal attacks.
|Low||Low||Ignore detection and wait till consequences reveal attacks.|
Malicious component and composite alteration is problematic because of its effect on the internal assumptions of the ICS. For example, assumptions of stability are violated when components don;t act as modeled or models are altered to mismatch components they are intended to model. While this problem cannot be solved in the general sense, deteciton is feasible in many cases based on the differential complexity of making consistent alterations across an entire system.
Ignore detection of malicious ICS alteration and
wait till consequences reveal attacks.
This is the common approach today. In essence the ICS is assumed to operate properly after initial testing unless and until it appears to do the wrong thing from a standpoint of an operator or an exteranlly observed event (e.g., something blows up). Testing tends to be limited to test conditions based on the model of how the ICS is supposed to work and not based on arbitrary malicious alteration. Ignoring detection of alteration and waiting till an alteration is obvious from its consequences has two major problems;
Passive analysis used history from ICS components to perform analysis of historical events and detect potential circumstances when the ICS did not operate properly according to its modelled implementation. As such, it is a passive restrospective way to detect alteration or misoperation based on data produced by the system under scrutiny.
Redundancy and consistency checking.
The use of redundant (separate and different) systems to detect inconsistencies between redundant components and cause the composite to tollerate faults can cover faults caused by intentional alterations to the extent that the redundnacy is sufficiently separate and different so as to mitigate the induced alterations. However, enough alteration will always be able to produce system failures. To the defined level of simultaneous faults in the identified fault models, redundancy should be designed so as to produce inconsistencies from each identified situation that are sufficiently differentiable from iconsistencies to prevent one set of inconsistencies from masking as another one.
Active system control and feedback testing within
In this approach, signals are induced into the control system while remaining within the normal control envelope so as to cause intentional aterations to be unable to adjust all observables fast enough to provide correct output for the original unaltered system. To the extent that the alterations produce observable differences of adequate signal strength during the period of induced signals, they can be detected. The defender gets computaitonal leverage by the fact that the alteration has to alter responses in real-time while the detection system may take additional time to detect alterations. However, there is an increase in risk when near the edge of the control envelope that the induced signals will bring the system out of control. Thus care must be taken in such detection to avoid catastrophic failure conditions.
For cases where inadequate expertise is available to thse these methods, a decision should be made between avoiding inappropriate risks and adding expertise.