The anatomy of the plant design and the cyber attack of the OT - Part 2 - Cyber Industrial (2023)

I amPart 1I discussed design processes and disciplines that influence AT's security design process.In this second part I, zoom in the anatomy of the ot cyber attack on how this is related to the design process.And I will use the quantitative risk in cyber security design discuss, a discussion of a discussion, a discussion, a discussion, a discussion, a discussion about the design of cybernetics, a discussion, a discussion, a cyber design discussion.Controversial topic that many approached as "not possible".

First, let's define what I consider in the context of this article as an AT cyber attack:

"A cyber attack of OT is a cyberspace attack that points to the process automation system of a manufacturing system with the objective of interruption, deactivation, damage or malicious tax systems and installation."

With this definition, I ignore the possible interruption of business -based business functions as a result of their dependence on the process automation system (or vice -versa).

My focus in this article is in attack scenarios that try to damage the production unit and cause a shock absorber or explosions.My imaginary goal will be a process unit with its equipment modules in a petrochemical system.A chemical system in units (eg a reactor), device modules (eg a pump) and control modules (eg a pressure control loop).These device modules have a typical configuration, the risks and solutions of the process are often resolved in a similar way if we take a look at the P&D (piping and instrumentation) device, we can quickly recognize the dangers that a cyber attack canto take.

As usual, I try to address the AT security design task from a holistic perspective, identify the dangers of the production process and seek a solution by combining the task of OT safety design with the results of process and design tasks tasks.Of particular security, security design plays a fundamental function here.If you start the design process, the first questions to ask: How does it work?What can go wrong?What are we going to happen?How can we prevent this?Restrict the damage?

Let's start the discussion discussing the model of an OT cyber attack.

For a successful attack, a threat player must intend to attack;the technical ability to comply with the attack;and the opportunity to perform the attack.If one of these three factors does not have, the threat player will not be successful.

Threat players differ a lot in skills, available resources, opportunities and reasons.

For example, threat players may be insiders with direct access to process automation systems or outsiders who need to find other routes for the process automation system, for example, using network connectivity.

Insiders may have access to critical information such as network addresses, topology designs, accounts of accounts and sometimes even accounts.

We call these process threat profiles.Examination of the motivations and methods of an opponent.Threatening is the first step in the design of a cyber attack resistant automation system.It is always important to know which category of threats that defend the systems.There is a big difference if we need to defend ourselves against internal government invaders and attacks, or if we can project our security deficiencies based on non-governmental actors such as cyber criminals and hacktivists.

Another difference is the goal, for example, if the potential goal is part of the national critical infrastructure, for example, for example, a pipeline, or whether the goal is a non -strategic system.Factors of the dealer, such as the geographical place where the plant is also different.Geographical location.

We have to collect and analyze this information to understand what threats within the threat player's abilities are and what kind of weaknesses are exposed to the threat player to enjoy 2 threats in real risk analysts usually use at least 8 categories.

Threat actors perform attack actions that are performed by tactics, techniques and procedures (TTP) of their trade.In terms of difference in the areas of skills, resources and differences in "contact frequency" with the system, select different threats.And it has green circles, green means that the threat player has skills and skills, and red means that he cannot use this threat action or not.

Threats use goal weaknesses, which are shown as various concentric circles.Threats are defined at the functional level and can in principle use various weaknesses.For example, threat actors may be a news injection, a method this can explore various vulnerabilities.Any susceptibility to safety is protected by a safety measure. In general, we need various security measures to stop an OT-Ciber attack.From a risk perspective, safety measures can be implemented with yes (green circle) /no (red circle).The switch on and off may examine a risk estimate of various defense strategies.

To the left of the upper event (the circle in the middle), we have preventive safety measures, which reduces the chance of success.

If we evaluate the frequency of the threat action event, along with the risk reduction in preventive safety measures and the various risk factors that determine static and dynamic exposure, a frequency of events that is goal failure.

Safety measures In this context, not only external additional safety controls are just like firewalls and painting protection, but also contain the many configuration settings in the goal that the system protects, for example, several reading/writing protection settings.

Several security measures are usually combined with a single safety check. For example, a next generation firewall usually contains several safety measures.The goal is an element of a process automation function, for example an operational station or a controller.A superior event can be something like "unauthorized access to the operations station."It can be achieved which threat players can use for TTP to do this and which security measures can stop.and settings for automation design that reduces the risk.

In the diagram, detective controls are shown on the right side of the upper event.Detective control can also have a preventive function if used in combination with an automatic reaction (eg in an IPS) and therefore can also be used on the left side.I wanted to make the choice to put it on the right side. These safety measures reduce the severity of the consequence.They act after security violation, an example is a backup.

The most important thing is yellow circles in the drawing, which exhibit the technical consequences and functional deviations at the end as a result of the TT cyber attack.

Each goal has a definite series of functions, for example, it is probably not a process controller certainly intention to protect due to the T -cyber attack.

The consequences must be defined at a level where they can be connected to procedures identified in the process of security of the -Hazop / Lopa process.

A consequence, such as loss of control, is therefore a useless effect on detailed risk analysis.Loss of control window integrity, automated control loss, loss of tax integrity, alarm loss, loss of command integrity are more different with functionality.

We call these error modes, different automation functions and their components have different error modes.However, the error modes of a process controller and a SPS overlap also differ from essential points.Error modes differ for automation functions and sometimes differ by provider for the same function.However, we structured the various technical deviations that can be used later when analyzing the risk master.

Not every threat action can cause any functional deviation, it depends on the definition of the upper event.A superior event, such as "unauthorized access to an engineering station", has different functional deviations for similar threats, such as "unauthorized access to a 24 × 7 visited operational station." This is because you have a different task, although bothare essentially a Microsoft -Desktop computer. A superior event, such as “unauthorized access to a non -assisted operational station” may have other defined controls.

Security measures may also differ and static and dynamic exposure may differ differently. In general, the same series of threats leads to a different probability.Not necessarily as a probability.The formula is also used to determine the risk of terrorism.This formula has the advantage that we can treat the threat player differently from the cyber resistance of the function.

The frequency of the event can be converted to probability if we need this, for example, if we have a frequency of events of 1 times in a thousand years, which gives a probability that the event will take place over the next 10 years of 0.01 10 years isan example. We generally use a period that meets the life expectancy of the system function.

Event frequencies were defined by the government for various types of effects, there are criteria for individual risk (employees within investment, social risk (publicly outside the system) and environmental risk. Governments do so to restrict the risk.

Figure 4 shows some examples of European countries, in this case for individual risk criteria.The reliability of the process defines the annuality of the goal so, the maximum frequency of events for a certain level of impact.These criteria come from these regulatory criteria and corporate policy.

They differ by country, differ by type of risk and differ by company.^stOT Cyber Law discussed inPART 1The security project must meet these criteria, as incidents as a result of a process automation error can lead to deaths in the petrochemical and oil and gas industry.

If we withdraw in Figure 2 for the anatomy of cyber attacks, we can find that functional deviations resulting from cyber attack may be connected to the cause or lop / hazop analysis protection measures.I number in the drawing (Figure 2) from 1 to 5:

1. This is the scenario where attack on two functions should aim to cause the problem, for example, the Basic Process Control System (BPCs) and the Instrumented Security System (SIS).The BPCs) cause, and the second is to prevent the intervention SIS from preventing it.
2. This is the scenario where an attack on a single function, for example, BPCs is sufficient to cause damage.This can sometimes be as simple as all alarms.This is usually configured as a separate service with a specific TCP address, so a simple ARP poisoning attack that creates a well for this traffic would be sufficient.
3. In scenario 3, we take the SIS, the ESD function (emergency shutdown).To stop.The pump damages it.
4. There are also cases where SIS does not intervene, usually not for process scenarios with deaths, but stopped scenery that can lead to serious damage.If the proportion of oxygen becomes too high, it can lead to an explosion.
5. This scenario captures the fire brigade and the gas controller (FGS).If the FGS has recognized a leak, it can stop the pump and feed to the leakage.However, an attack may change these actions.

The 5 scenarios above are the most common scenarios that can be used by a cyber attack, but there are also other less obvious scenarios.

In the text above, we built cyber attack scenarios for a certain danger / function and bind them to the security scenarios of the Hazop / Lopa process.We call these scenarios scenarios, as these scenarios indicate a certain loss if this scenario developed.The probability of this scenario is no longer the probability of process reliability, which is based on random failures, but now it is the likelihood of the cyber attack scenario caused by deliberate measures.-Document.

We ignore the effects of a cyber attack on business functions. If we had included this in the risk assessment area, we would also need loss scenarios for this part of the design.

You may have discovered that all cyber attacks have been defined as a risk of a single function.The idea is that if all functions correspond to risk criteria, the overall rate of valuable events resulting (or probability) also meets the requirements for system automation.

Unfortunately, it is rare for all components to meet the criteria.It always gives functions/components that do not exist.In Figure 5, for example, we show all these cyber dangers with their threats and consequences.To offer security measures, we can define a handling/writing handling protection, but that's all.Field equipment, sensors and actuators usually do not protect itself strongly.This access to these functions can only be performed by stronger protected functions that correspond to the criteria.

In such cases, a single stage analysis is no longer possible and we need to consider attacks at various cyber stages and attacks that step by step in the system.

In the example of Figure 5 (right diagram) from the point where an extinction terminal server (TS) can be used and used as a platform to attack the next jump in the scenario, the next leap would be the instrument classification system (IAMSS).If this second step is successful, we can enter the field equipment from there and possibly cause deviation from the process that leads to the loss scenario we analyze.

In this case, we have to use the probabilities, because we need to appreciate the conditional probability that all steps of the scenario are successful.And there is a disjunctive.There are also scenarios where this is not the case where we have dependent events (therefore, the probability of the next step is influenced by the likelihood of the previous step), but I leave this level of detail for another article.The purpose of this two -part article is to show that cyber security is much more than the firewall configuration.

At the moment, the news is that we need to create a risk record when creating a system and protection to analyze the various aspects.A risk record is the compilation of loss scenarios that we can analyze in many ways.Normally, thousands of scenarios that we take into account all the variations caused by the number of threats, threats, weaknesses and consequences actors.

If we have a risk record, we can group the threat actors and verify the risk of a specific group of threats. We can consider the risk by process automation function or a combination of functions (which can see certain types of TTP, much more.

Obviously, this is not a manual construction effort and requires tools to create this risk record. However, the result offers a wealth of information that can be used to make the right security design decisions based on real loss scenarios.