Sat Aug 16 06:08:58 PDT 2014

Incidents: Malicious Alteration Detection: How should malicious ICS alteration be detected?


Options:

Option 1: Ignore detection and wait till consequences reveal attacks.
Option 2: Passive analysis.
Option 3: Redundancy and consistency checking.
Option 4: Active system control and feedback testing within control envelope.
Option 5: Add expertise.

Decisions:

The table below summarizes this decision.
Risk Expertise Approach
High High Use active system control and feedback testing within the control envelope.
AND Use redundancy and consistency checking.
ANDUse Passive analysis.
High Med- Add expertise. This is an unacceptable risk. DO NOT OPERATE THE SYSTEM.
Medium Med+ Use redundancy and consistency checking.
ANDUse Passive analysis.
Medium Low Add expertise. This is an unacceptable risk. DO NOT OPERATE THE SYSTEM.
Low Med+ Use passive analysis.
OR Ignore detection and wait till consequences reveal attacks.
Low Low Ignore detection and wait till consequences reveal attacks.
How malicious alteration is detected

Basis:

Malicious component and composite alteration is problematic because of its effect on the internal assumptions of the systems. For example, assumptions of stability are violated when components don't act as modeled or models are altered to mismatch components they are intended to model. While this problem cannot be solved in the general sense, deteciton is feasible in many cases based on the differential complexity of making consistent alterations across an entire system.

Ignore detection of malicious alteration and wait till consequences reveal attacks.
This is the common approach today. In essence the system is assumed to operate properly after initial testing unless and until it appears to do the wrong thing from a standpoint of an operator or an exteranlly observed event (e.g., something blows up). Testing tends to be limited to test conditions based on the model of how the system is supposed to work and not based on arbitrary malicious alteration. Ignoring detection of alteration and waiting till an alteration is obvious from its consequences has two major problems;


Thus this approach is problematic in other than low risk environments and unacceptable in high risk environments.

Passive analysis.
Passive analysis used history from system components to perform analysis of historical events and detect potential circumstances when the system did not operate properly according to its modelled implementation. As such, it is a passive restrospective way to detect alteration or misoperation based on data produced by the system under scrutiny.

Redundancy and consistency checking.
The use of redundant (separate and different) systems to detect inconsistencies between redundant components and cause the composite to tollerate faults can cover faults caused by intentional alterations to the extent that the redundnacy is sufficiently separate and different so as to mitigate the induced alterations. However, enough alteration will always be able to produce system failures. To the defined level of simultaneous faults in the identified fault models, redundancy should be designed so as to produce inconsistencies from each identified situation that are sufficiently differentiable from iconsistencies to prevent one set of inconsistencies from masking as another one.

Active system control and feedback testing within control envelope.
In this approach, signals are induced into the control system while remaining within the normal control envelope so as to cause intentional aterations to be unable to adjust all observables fast enough to provide correct output for the original unaltered system. To the extent that the alterations produce observable differences of adequate signal strength during the period of induced signals, they can be detected. The defender gets computaitonal leverage by the fact that the alteration has to alter responses in real-time while the detection system may take additional time to detect alterations. However, there is an increase in risk when near the edge of the control envelope that the induced signals will bring the system out of control. Thus care must be taken in such detection to avoid catastrophic failure conditions.

Add expertise
For cases where inadequate expertise is available to thse these methods, a decision should be made between avoiding inappropriate risks and adding expertise.

Copyright(c) Fred Cohen, 1988-2012 - All Rights Reserved