Rethinking the Security of Industrial Control Systems
By Shantanu Rane, PARC Researcher, Cyber-Physical System Security
Modern industrial control systems are collections of networked components—sensors, actuators, controllers, computing devices—that connect the physical and digital worlds. Much of the world’s critical infrastructure, including smart power grids, nuclear power plants, military command centers, smart city installations and transportation systems, belongs to this category. Most large industrial control systems have been assembled over many decades, with the goal of achieving a desired set of goals. Power grids, for example, must distribute electrical power across large geographical areas, balancing the supply and demand at various times of the day. To make this possible, the instruments and controllers that make up these systems have been designed to be safe, reliable, easily configurable and interoperable across different manufacturers and standards. Securing these systems presents a unique set of challenges.
Security for industrial control systems has become extremely important
Until very recently, when designing the architecture of industrial control systems, security was mostly an afterthought. SCADA (Supervisory Control And Data Acquisition), the architecture used to supervise and manage large industrial control systems was not designed with security in mind. SCADA had evolved in the 1960s from methods that gathered and analyzed telemetry in power systems, with more industrial control applications coming later. From the point of view of network security, it was a simpler time: The ARPANET was just being deployed, and outside of military engagements, attacks on connected infrastructure were not commonplace.
Designers, operators, vendors and users of today’s cyber-physical systems no longer have that luxury. These days, attacks on cyber-physical infrastructure are not limited to just data breaches or malware designed to make our computers unusable; they can put human lives at risk. A virus that encrypts your hard drive is a relatively minor inconvenience, compared to an attack on a hospital’s electrical power supply, which can endanger the lives of patients.
Why is security only now becoming an important consideration? Over the past decade, we’ve seen a proliferation of smart devices that possess the capabilities of information processing and network connectivity. The defining characteristic of the Internet of Things (IoT) is that devices, previously restricted to their physical environment, are now connected to a computer network. This network could be a home network, an industrial intranet, or even the whole internet. This means that a device, or a gateway that connects a device to the network, is accessible by someone who presents the right credentials, or bypasses the credentials altogether.
As computation and connectivity have become commoditized, they have spawned a plethora of solutions that automate, improve and simplify key tasks in industrial control—from gathering sensor readings on the performance targets of a conveyor-based motor car production line, to verifying the freshness of a food shipment in a smart supply chain, to programming a CNC machine to precisely cut a block of metal into the right shape. They have also, unfortunately, exposed a rich attack surface that can be exploited by malicious hackers.
Consider, for example, the infamous Stuxnet worm that was used to attack Iranian nuclear installations. A malicious program was inserted into the unit that controlled the operation of the centrifuges in the nuclear reactor. This program caused infrequent changes in the speed at which the centrifuges rotate, which, over a period of time, would cause the centrifuges to deteriorate and fail. What made Stuxnet extremely hard to detect was that the telemetry from the centrifuges was spoofed, i.e., whenever the controller was asked to report the speed of the centrifuges, it would still report benign, expected values rather than the altered velocities induced by the worm.
Designed-in security is a worthy objective, but can be difficult to achieve
It is often claimed that the way to address this new set of cyber-physical security challenges is to construct systems that are “secure by design.” This requires a system designer to develop an understanding of an attacker’s incentives and the various ways in which he or she can compromise the operations of the system. In the recent Mirai botnet attacks, for example, the adversaries accessed their targets using commonly used default passwords, which had never been altered by their users. This simple attack infiltrated tens of thousands of devices.
The goal of designed-in security is to incorporate measures and protocols that will prevent as many known attack scenarios as possible. A bigger challenge for the security engineer is figuring out how to deal with attack methods that are hitherto unknown, and to design the system in such a way that it can mitigate the negative consequences of such novel attacks. This is a precarious undertaking, and for many industrial control systems, this type of designed-in security may be hard to achieve. That’s because many systems—think of the smart power grid, portions of which may have been in operation for decades—contain legacy equipment with old processes and protocols that must be brought up to date with current security best practices, a task easier said than done.
It’s not just the legacy devices that are hard to secure. Some industrial applications require a new class of lightweight, low-power, cheap sensors that are deployed in swarms of hundreds or thousands. These devices may power up intermittently or be passive and draw power from other devices in their vicinity. They might engage in opportunistic communication with listening devices in their neighborhood, but could remain silent most of the time. The secure communication and storage mechanisms that are typically deployed in cybersecurity solutions are far too complex to be implemented on such lightweight devices. In addition to the conventional protocols for secure communication, secure data storage and key management, we need security approaches that inter-operate across a vast range of device capabilities.
Connection to the physical world demands new approaches to resilience against attacks
Speaking very broadly, there are two ways in which an adversary can compromise an industrial control system. The first way is by infecting a system component or a controller that interacts with that component. Stuxnet was an attack of this type. The second way, much less investigated at the present time, is by directly compromising the physical environment of a sensor or actuator. It is possible, for example, to deceive or “spoof” the readings of a sensor. A research team at the University of Texas recently showed that, by using a powerful enough transmitter, they could spoof the GPS signal being used by a UAV for its navigation. This could force the UAV to follow an unintended trajectory, ultimately leading to its capture or destruction.
As another example, rather than hacking into a temperature sensor, an adversary might surreptitiously discharge a hot or cold gas next to it, causing the temperature sensor to report an erroneous reading to the controller. The controller, not realizing that the temperature reading has been spoofed, may then take unnecessary corrective action. In doing so, it might waste precious energy resources or cause excess wear and tear on its actuators. It might also, unwittingly, take the system into an unsafe state. Cryptographic solutions cannot address such attacks.
Where do we go from here?
To diagnose attacks caused by resident threats and attacks that originate in the physical environment, we have to move beyond classical cryptographic approaches and try to understand the behavior of the system we want to protect. If we can construct a mathematical model of the system’s behavior, then a deviation from this model would suggest that an attack is imminent or is being carried out. The operators can then try to isolate the attack, for example, by disconnecting the affected components from the network, by revoking a set of compromised keys and so on.
How does one construct a mathematical model for a cyber-physical subsystem? A natural way to do this is to gather data from the sensors involved and applying machine learning techniques to derive a model. We can then use anomaly detection to detect deviant behavior that does not conform to the model. Unfortunately, anomaly detection based on machine learning techniques is not always feasible because there isn’t sufficient data to reliably distinguish between normal and abnormal behavior. This seems unusual because advancements in data science have conditioned us to believe that more data will yield more insights. However, the situation itself ought not to be surprising: anomalies, almost by definition, tend to be extremely rare, and may not provide enough learning opportunities to train the algorithms.
When a purely data-driven approach fails, it might help to model the system not just from sensor data, but from the underlying physics. The magnitude and direction of the current in electrical circuits, for example, obeys universal laws. Heat diffuses in a material according to a well-specified differential equation. Using measurements of such physical quantities, it is possible to construct “physical” models of the industrial control system or its individual components. Comparing the sensor telemetry against such models may provide clues toward detecting and predicting attacks, when approaches based solely on data-centric models no longer suffice.
In summary, while traditional cybersecurity approaches represent a necessary starting point, they will not be sufficient to secure industrial control systems of the future. These approaches, which rely on modern cryptography, will help us secure the perimeter of the industrial control system, but they are less helpful if the adversary is already inside the system, or if the adversary attacks the physical interface. Therefore, in addition to cryptographers and security analysts, it is necessary to engage with domain experts – physicists, chemical engineers, electrical engineers, control theorists – who understand specific industrial control systems and can build accurate models of their behavior. To be successful, cyber-physical security must become a truly inter-disciplinary enterprise.
Learn more about PARC’s interdisciplinary approach to cyber-physical security.
Shantanu Rane conducts research at the intersection of the fields of signal processing and applied cryptography. His recent work at PARC has focused on privacy-aware computation and cyber-physical systems security.
Our work is centered around a series of Focus Areas that we believe are the future of science and technology.
We’re continually developing new technologies, many of which are available for Commercialization.