Tue Mar 10 20:40:54 PDT 2015

Overarching: Content: What are the reasonably anticipated consequences of ICS information protection failures?


Options:

Fill in the table by identifying relevant content types with examples and removing or replacing consequences identified.

Decision:

For identified ICS situations, associate content and failure modes that might produce identified consequences (and the consequence types) as a result of loss of integrity (I), availability (A), confidentiality (C), control over use (U), and loss of accountability (T) and supply details of the basis for this conclusion:

| Situation in the ICS environment | Relevant ICS content and failure mode(s) | Identified LOW consequence type(s) and description(s) | Identified MEDIUM consequence type(s) and description(s) | Identified HIGH consequence type(s) and description(s) |
| --- | --- | --- | --- | --- |
| Processing rate or output quality is reduced {within / outside} of defined tolerance ranges. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Processing is stopped and has to be restarted and {no / some} equipment damage results. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Processing is stopped and cannot be restarted until {equipment / facility} is {repaired / replaced} resulting in {delay / loss / shutdown / etc.}. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Hazardous conditions arise during processing, producing undesired {internal / near-equipment / facility-wide / outside-of facility / regional / global} effects. [define area and effects] | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Competitive advantage is lost or reduced (e.g., from leaked status or process details, corrupted content, etc.). | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Leaked status or process details leads to {internal / external} exploitation for {illegal activities / harm to plant or facility / harm to infrastructure / harm to enterprise}. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Limited loss of control. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Substantial loss of business or harm to brand results. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Conditions interfere with contracts or upset customers. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Confidential or proprietary data leaked. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Intellectual property like patent background and design data leaked. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Medical treatment, dose, or device controls that interact with humans fail (in various ways). | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Decision support mechanisms fail to provide proper assistance. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Supervisory control and data acquisition (SCADA) systems fail to operate properly. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Programmable logic controllers (PLCs) fail to operate properly. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Distributed Control Systems (DCS) fail to {accurately depict sensory data / properly actuate}. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| ICS {internal / external} communications mechanisms fail to operate properly. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Critical infrastructure systems fail {causing ICS effects / as a result of ICS failures}. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Legally protected confidential medical, privacy, or other data inadequately protected in ICS environment. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| {Internal/External} information asks ICS to operate in an {undesired/unsafe} mode. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Legal mandates inadequately carried out in the ICS environment. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Legal {retention / disposition / holds} impact ICS {operations / historians}. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Industry-specific regulations unable to be properly met or demonstrated. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Contractually mandated controls unable to be properly met or demonstrated. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Contractual limitations on {use / sharing / disposition} improperly fulfilled. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Contract performance data improperly {provided / applied}. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Government classified or restricted data improperly handled. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Controls with regard to {import / export / transport / some other requirement} not properly carried out. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Required {reporting / tracking / accountability} mechanisms not properly functioning. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Controlled {substances / devices / artifacts} inadequately controlled. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Personally identifying information not properly controlled. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Medical information (test results, fees, providers, etc.) not properly controlled. | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| ICS production output tainted in obvious ways | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| ICS production output tainted in non-obvious ways harming down-stream application | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| HMI doesn't accurately reflect actual activities of the system under control | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Sensor output doesn't accurately reflect actual phenomena being sensed | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| System operates open loop for a period of time | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Safety system cross-linked with control system | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Safety system overwhelmed by control system | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Assumptions about process inputs (e.g., materials, amounts, concentrations, etc.) don't match reality | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Positive feedback modes occur in unanticipated ways during operation | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Process mechanisms (e.g., mechanical structures) get altered by control system exploitation | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Theft or unaccounted for removal of materials from control system elements | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Addition of materials to control system elements | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Deceptions of sensors and/or actuators carried out against control systems | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Simulations substituted for actual elements of control systems | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Repeated cycling of power / other external supply and/or demand | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Waveform attacks on external supply and/or demand | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| Social influence effects on user behavior affecting control system | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |
| | | [IACUT] [Waste / Insured] Details | [IACUT] [PR / Gross / Loss / Injury / Environment / Society] Details | [IACUT] [Death / Environment / Society / Collapse / Dire] Details |

Reasonably anticipated consequences of security failures

The key for the above table is as follows:

| Key | Description |
| --- | --- |
| Waste | Wasted time and effort (inefficiency) |
| Insured | Losses reasonably covered by insurance (e.g., shrinkage, minor accidents and injuries). |
| PR | Substantial negative publicity. |
| Gross | Acts viewed as gross negligence. |
| Losses | Substantial enterprise value reduction. |
| Injury | Serious bodily harm. |
| Environment | Limited environmental damage. |
| Society | Limited societal harm. |
| Death | Loss of (human) life |
| Environment | Serious environmental damage. |
| Society | Serious societal damage |
| Collapse | Enterprise Collapse. |
| Dire | Other dire consequences. |

Key for protection failures

Basis: Describe the basis for each claim or refer to external documentation. Add rows as necessary. At least the following areas should be considered in your analysis, even if many of them may not be placed in the table:
Processing rate or output quality is reduced {within / outside} of defined tolerance ranges.
Processing is stopped and has to be restarted and {no / some} equipment damage results.
Processing is stopped and cannot be restarted until {equipment / facility} is {repaired / replaced} resulting in {delay / loss / shutdown / etc.}.
Hazardous conditions arise during processing, producing undesired {internal / near-equipment / facility-wide / outside-of facility / regional / global} effects. [define area and effects]
Competitive advantage is lost or reduced (e.g., from leaked status or process details, corrupted content, etc.).
Leaked status or process details leads to {internal / external} exploitation for {illegal activities / harm to plant or facility / harm to infrastructure / harm to enterprise}.
Limited loss of control.
Substantial loss of business or harm to brand results.
Conditions interfere with contracts or upset customers.
Confidential or proprietary data leaked.
Intellectual property like patent background and design data leaked.
Medical treatment, dose, or device controls that interact with humans fail (in various ways).
Decision support mechanisms fail to provide proper assistance.
Supervisory control and data acquisition (SCADA) systems fail to operate properly.
Programmable logic controllers (PLCs) fail to operate properly.
Distributed Control Systems (DCS) fail to {accurately depict sensory data / properly actuate}.
ICS {internal / external} communications mechanisms fail to operate properly.
Critical infrastructure systems fail {causing ICS effects / as a result of ICS failures}.
Legally protected confidential medical, privacy, or other data inadequately protected in ICS environment.
{Internal/External} information asks ICS to operate in an {undesired/unsafe} mode.
Legal mandates inadequately carried out in the ICS environment.
Legal {retention / disposition / holds} impact ICS {operations / historians}.
Industry-specific regulations unable to be properly met or demonstrated.
Contractually mandated controls unable to be properly met or demonstrated.
Contractual limitations on {use / sharing / disposition} improperly fulfilled.
Contract performance data improperly {provided / applied}.
Government classified or restricted data improperly handled.
Controls with regard to {import / export / transport / some other requirement} not properly carried out.
Required {reporting / tracking / accountability} mechanisms not properly functioning.
Controlled {substances / devices / artifacts} inadequately controlled.
Personally identifying information not properly controlled.
Medical information (test results, fees, providers, etc.) not properly controlled.
ICS production output tainted in obvious ways
ICS production output tainted in non-obvious ways harming down-stream application
HMI doesn't accurately reflect actual activities of the system under control
Sensor output doesn't accurately reflect actual phenomena being sensed
System operates open loop for a period of time
Safety system cross-linked with control system
Safety system overwhelmed by control system
Assumptions about process inputs (e.g., materials, amounts, concentrations, etc.) don't match reality
Positive feedback modes occur in unanticipated ways during operation
Process mechanisms (e.g., mechanical structures) get altered by control system exploitation
Theft or unaccounted for removal of materials from control system elements
Addition of materials to control system elements
Deceptions of sensors and/or actuators carried out against control systems
Simulations substituted for actual elements of control systems
Repeated cycling of power / other external supply and/or demand
Waveform attacks on external supply and/or demand
Social influence effects on user behavior affecting control system


Basis:

Different ICS mechanisms have different implications in different situations in terms of the consequences of protection failures.

Typical consequences identified include:

For example, a temperature control system might have LOW consequences in a small automated photographic developing facility, a MEDIUM consequence in a food production facility (where redundant tests identify a "bad batch"), and HIGH consequences in a chemical plant where its failure causes a major explosion.

Typically, consequences resulting from information protection failures are associated with a loss of integrity (I), availability (A), confidentiality (C), control over use (U), or loss of accountability (T) in an information system, with the ultimate result leading to real-world effects through the impact of the failures on the control system.


Processing rate or output quality is reduced {within / outside} of defined tolerance ranges: For example, water quality goes below required levels or tastes a bit off but remains within required levels.

Processing is stopped and has to be restarted and {no / some} equipment damage results: For example, a faulty hazard condition that has to be cleared to continue but lasts long enough to shut down the process.

Processing is stopped and cannot be restarted until {equipment / facility} is {repaired / replaced} resulting in {delay / loss / shutdown / etc.}: For example, too rapid opening or closing of a valve causing overpressure causing valve or pipe breakage.

Hazardous conditions arise during processing, producing undesired {internal / near-equipment / facility-wide / outside-of facility / regional / global} effects. [define area and effects]: For example, a leak of chemicals produced as a side effect of excess pressure in a processing element.

Competitive advantage is lost or reduced: For example, from leaked status or process details, corrupted content, etc.

Leaked status or process details leads to {internal / external} exploitation for {illegal activities / harm to plant or facility / harm to infrastructure / harm to enterprise}: For example, real-time data exploitable in marketplaces to gain financial advantage, details of when a particular event will happen or is happening, or alteration of targeting information in flight.

Limited loss of control: For example, inability to shut down a process using the normal method forcing physical presence.

Substantial loss of business or harm to brand results: For example, tainted production output is detected at point of sale.

Conditions interfere with contracts or upset customers: For example, alterations to publicly accessible information or the data supporting it that indicate process failures or security inadequacies.

Confidential or proprietary data leaked: For example, production details indicating process problems are improperly available on an external portal.

Intellectual property like patent background and design data leaked: For example, access to the ICS environment might grant access to specifics of trade secret or pre-patent process.

Medical treatment, dose, or device controls that interact with humans fail (in various ways): For example, doses get changed due to cosmic rays altering memory.

Decision support mechanisms fail to provide proper assistance: For example, plant automation provides incorrect warning messages and displayed conditions.

Supervisory control and data acquisition (SCADA) systems fail to operate properly: For example, a maintenance change causes the SCADA to issue commands intended to damage the plant.

Programmable logic controllers (PLCs) fail to operate properly: For example, a PLC stuck-at failure causes a valve to refuse to shut.

Distributed Control Systems (DCS) fail to {accurately depict sensory data / properly actuate}: For example, varying delays through switching infrastructure cause desynchronized data to controllers.

ICS {internal / external} communications mechanisms fail to operate properly: For example, noise in a serial line causes lost or corrupted protocol elements.

Critical infrastructure systems fail {causing ICS effects / as a result of ICS failures}: For example, power outages cause molten metal to cool to a solid.

Legally protected confidential medical, privacy, or other data inadequately protected in ICS environment: For example, maintenance access reveals confidential information to vendor during upgrades.

{Internal/External} information asks ICS to operate in an {undesired/unsafe} mode: For example, an intentional alteration of recipe values produces bad batches.

Legal mandates inadequately carried out in the ICS environment: For example, apparent shrinkage of controlled substance inventory because of inadequate precision and accuracy in volume measurement system.

Legal {retention / disposition / holds} impact ICS {operations / historians}: For example, a legal hold causes an overrun in historian storage causing loss of more recent records.

Industry-specific regulations unable to be properly met or demonstrated: For example, unable to clear end-of-period transactions because control system improperly reports remaining inventory.

Contractually mandated controls unable to be properly met or demonstrated: For example, control system unable to maintain parameters to within tolerances.

Contractual limitations on {use / sharing / disposition} improperly fulfilled: For example, an automated repository system improperly sends the wrong documents to a shredder.

Contract performance data improperly {provided / applied}: For example, usage rates of a limited-number-of-use mechanism are incorrectly analyzed for replacement scheduling.

Government classified or restricted data improperly handled: For example, classified control system settings improperly displayed in unclassified closed circuit television system surveilling the area.

Controls with regard to {import / export / transport / some other requirement} not properly carried out: For example, mislabeling results in transport of dangerous goods in the wrong container type.

Required {reporting / tracking / accountability} mechanisms not properly functioning: For example, inventory not properly updated to reflect actual use in production.

Controlled {substances / devices / artifacts} inadequately controlled: For example, pick and place picks the wrong pills for a shipment.

Personally identifying information not properly controlled: For example, misassignment of shipping labels to boxes being shipped.

Medical information (test results, fees, providers, etc.) not properly controlled: For example, misassociation of results with patients.

ICS production output tainted in obvious ways: For example, water comes out of the plant brown instead of clear.

ICS production output tainted in non-obvious ways harming down-stream application: For example, steel processing produces inferior steel resulting in weaker structures in use.

HMI doesn't accurately reflect actual activities of the system under control: For example, a replay of prior events is played instead of live data.

Sensor output doesn't accurately reflect actual phenomena being sensed: For example, a faulty sensor produces false readings.

System operates open loop for a period of time: For example, the control signals are disabled by a switching infrastructure outage.

Safety system cross-linked with control system: For example, accidental connections between respective networks.

Safety system overwhelmed by control system: For example, the synchronized use of multiple control points produces more force than the safety system can compensate for.

Assumptions about process inputs (e.g., materials, amounts, concentrations, etc.) don't match reality: For example, a heavier grade of oil is used than designed for, a different composition of sand and gravel is used in a cement mixer, soda pop in drinking fountains, etc.

Positive feedback modes occur in unanticipated ways during operation: For example, a specific configuration not well tested produces undamped feedback in a subsystem when controls are synchronized to physical parameters.

Process mechanisms (e.g., mechanical structures) get altered by control system exploitation: For example, power cycling to cause metal migration, bang-bang commands to deform a container, intentional overheating to cause power lines to droop, etc.

Theft or unaccounted for removal of materials from control system elements: For example, stealing gasoline from a pipeline or oil from a lubrication system.

Addition of materials to control system elements: For example, addition of coloring to a water system, chemicals to a chemical processing plant, sugar to a gas tank.

Deceptions of sensors and/or actuators carried out against control systems: For example, mechanically holding a float at a level regardless of actual fluid present.

Simulations substituted for actual elements of control systems: For example, replacement of a portion of a water system with a computer that provides phoney sensor data to steal water.

Repeated cycling of power / other external supply and/or demand: For example, switching on and off lighting systems in a large building.

Waveform attacks on external supply and/or demand: For example, systematic increases and decreases in voltage supplied by multiple power plants feeding a central switching station combined with changes in demand from large customers.

Social influence effects on user behavior affecting control system: For example, high volumes of toilet flushes during half-time at a football game augmented by a social media water tainting story asking all citizens to run their water for 15 minutes.

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved