Alvaro A. Cárdenas
University of California, Berkeley
In this paper we attempt to answer two questions: (1) Why should we be interested in the security of control systems? And (2) What are the new and fundamentally different requirements and problems for the security of control systems? We also propose a new mathematical framework to analyze attacks against control systems. Within this framework we formulate specific research problems to (1) detect attacks, and (2) survive attacks.
Control systems are computer-based systems that monitor and control physical processes. These systems represent a wide variety of networked information technology (IT) systems connected to the physical world. Depending on the application, these control systems are also called Process Control Systems (PCS), Supervisory Control and Data Aquisition (SCADA) systems (in industrial control or in the control of the critical infrastructures), or Cyber-Physical Systems (CPS) (to refer to embedded sensor and actuator networks).
Control systems are usually composed of a set of networked agents, consisting of: sensors, actuators, control processing units, and communication devices. Most industrial control systems have a hierarchical structure.
Figure 1 shows a common network architecture: In the first layer the physical infrastructure is instrumented with sensors and actuators. These field devices are connected via a field area network to programmable logic controllers (PLCs) or remote terminal units (RTUs), which in turn implement local control actions (regulatory control). A control network carries real-time data between process controllers and operator workstations. The workstations are used in area supervisory control, planning the physical infrastructure setpoints. The higher level is the site manufacturing operations, which is in charge of production control, optimizing the process, and keeping a process history.
Several control applications can be labeled as safety-critical: their failure can cause irreparable harm to the physical system being controlled and to the people who depend on it. SCADA systems, in particular, perform vital functions in national critical infrastructures, such as electric power distribution, oil and natural gas distribution, water and waste-water treatment, and transportation systems. They are also at the core of health-care devices, weapons systems, and transportation management. The disruption of these control systems could have a significant impact on public health, safety and lead to large economic losses.
Controllers are computers. Most of the original physical controls (traditionally conformed of a logic of electromechanical relays) have been replaced by microprocessors and embedded operating systems. These controllers may provide many functionalities, such as flexible configuration via a web server, and digital communication capabilities that allow remote access and control. The increased complexity of the software base may also increase implementation flaws (software bugs).
Networked. Control systems are not only remotely accessible, but increasingly -for efficiency reasons- they are being connected to corporate networks and the Internet. Even control systems designed to be closed may, in practice, not be perfectly isolated: connectivity through uncontrolled connections can occur in many ways (e.g., via mobile devices). Similarly, Internet-connected embedded devices (including CPS) are expected to be the largest contributors to the growth of the Internet in future years , and are expected to have major technical, economic and societal impact. The security challenges of CPS will become more severe as the scale and scope of the Internet grows.
Commodity IT solutions. Although in the past control systems were generally made up of proprietary software and hardware components, today many control systems employ commodity IT systems; such as, off-the-shelf Windows computers, TCP/IP networking etc. Consequently, control systems inherit the vulnerabilities of these components.
Open design. Increasingly, even protocols that are unique to control systems are now more open and more accessible, therefore it is easier for an attacker to obtain the necessary knowledge to attack the system. This point is, however, controversial: security professionals generally argue that open design is preferable because they can find and fix bugs more easily. The debate between open design and closed design is an active one .
Increasing size and functionality. Wireless sensor networks and actuators are allowing industrial control systems to instrument and monitor larger number of events and operations. Some infrastructures are also changing to provide new functionalities, such as the Smart Grid program . It is a standard security concern that new functionalities may give rise to new vulnerabilities.
Large and highly skilled IT global workforce. Larger groups of people can now find and generate attack vectors for computer-based systems.
Cybercrime. Less computer-skilled people also have access to a number attack tools and cybercrime networks. A driving factor for the interest of cybercrime in control systems is extortion.
In the previous section we presented a high-level description of the reason why current control systems are now more vulnerable than before. In this section we discuss some specific events showing that the threat to control systems is real. While there has been some reported indirect attacks to control systems -mostly the side-effects of worms- in this section we concentrate on intentional attacks.
The most well-known computer security incident in SCADA systems is the attack on Maroochy Shire Council's sewage control system in Queensland, Australia . On January 2000, almost immediately after the control system for the sewage plant was installed by a contractor company, the plant experienced a series of problems. These problems continued for the next four months: pumps were not running when needed, alarms were not being reported, and there was a loss of communications between the control center and the pumping stations. These problems caused the flooding of the grounds of a nearby hotel, a park, and a river with a million liters of sewage. One of the insights in analyzing this attack, is that cyberattacks may be unusually hard to detect (compared to physical attacks). The response to this attack was very slow and the attacker managed to launch 46 reported attacks until he was caught. At the beginning, the sewage system operators thought there was a leak in the pipes. Then they observed that valves were opening without being commanded to do so, but they did not think it was an attack. It was only after months of logging that they discovered that spoofed controllers were activating the valves, and it took even more time to find the culprit: a disgruntled ex-employee of the contractor company that had installed the control system originally and who was trying to convince the water treatment company to hire him to solve the problem.
There have been other recorded attacks to control systems. For example, in 2000 the Interior Ministry of Russia reported that hackers had seized temporary control of the system regulating gas flows in natural gas pipelines (it is not publicly known if there was physical damage) . The former Soviet Union was victim of another attack to their gas pipeline infrastructure in 1982 when a logic bomb caused an explosion in Siberia .
There are also several recent attacks. In 2008 a teenager in Poland used a modified TV remote control to control the switch tracks of trams. There were four derailments and twelve resultant injuries . Also, in 2008, a senior analyst for the CIA mentioned that there was evidence of computer intrusions into some European power utilities followed by extortion demands . Attacking SCADA systems for extortion is not new. Physical attacks -for extortion and terrorism- are a reality in some countries . Cyber-attacks are a natural progression to physical attacks: they are cheaper, less risky for the attacker, are not constrained by distance, and are easier to replicate and to coordinate.
Besides attacks to deployed systems, there have been numerous studies and experiments showing the vulnerabilities of control systems. On March 2007, researchers at Idaho National Laboratories investigated the results of a possible cyber attack directed against a power network. The ``Aurora Generator Test'' demonstrated the ability of a cyber attack to damage a power generator turbine . Similarly, most available penetration testing reports show how easy it is to obtain access to computers controlling our physical infrastructures, [12,10].
Researchers also demonstrated the vulnerability of embedded CPS. In a recent example, Halperin et al.  showed radio attacks to implantable cardioverter defibrillators. These attacks could compromise patient safety and privacy.
Also, new security audits are starting to reveal the vulnerability of major critical infrastructures. In a recent security audit, the Tennessee e Valley Authority (TVA), the nation's largest public power company, was found to be vulnerable to cyber attacks that could sabotage their control systems .
There is also an increase in awareness on the vulnerability of SCADA protocols. Security venues such as DEFCON, Blackhat, and RSA have recently included SCADA presentations to discuss possible attack vectors. The presentations have shown implementation vulnerabilities that allow attackers to execute arbitrary code in specific SCADA protocols. This new awareness prompted US-CERT and CERT/CC to start processing and issuing vulnerabilities on SCADA systems beginning 2006.
To our knowledge there has not been a publicly-available objective analysis of the possible consequences to attacks against critical infrastructures. In our view, while some of the reports on SCADA security might appear overly alarmist (safety safeguards in most control systems might prevent major catastrophes), the fact that a user is able to obtain unauthorized privileges in a control system should be taken seriously.
The Maroochy Shire incident showed some of the effects that attacks can have. We believe that an important direction for future research is on identifying the risks and consequences of a successful attack.
Up to now, most of the effort for protecting control systems (and in particular SCADA) has focused on reliability (the protection of the system against random faults). There is, however, an urgent growing concern for protecting control systems against malicious cyberattacks [32,8,7,31,2].
There are several industrial and government-led efforts to improve the security of control systems. Several sectors -including chemical, oil and gas, and water- are currently developing programs for securing their infrastructure. The electric sector is leading the way with the North American Electric Reliability Corporation (NERC) cybersecurity standards for control systems . NERC is authorized to enforce compliance to these standards, and it is expected that all electric utilities are fully compliant with these standards by 2010.
NIST has also published a guideline for security best practices for general IT in Special Publication 800-53. Federal agencies must meet NIST SP800-53. To address the security of control systems, NIST has also published a Guide to Industrial Control System (ICS) Security . Although these recommendations are not enforceable, they can provide guidance for analyzing the security of most utility companies.
ISA (a society of industrial automation and control systems) is developing ISA-SP 99: a security standard to be used in manufacturing and general industrial controls.
The Department of Energy has also led security efforts by establishing the national SCADA test bed program  and by developing a 10-year outline for securing control systems in the energy sector . The report -released in January 2006- identifies four main goals: (1) measure current security, (2) develop and integrate protective measures, (3) detect intrusion and implement response strategies; and (4) sustain security improvements.
The use of wireless sensor networks in SCADA systems is becoming pervasive, and thus we also need to study their security. A number of companies have teamed up to bring sensor networks in the field of process control systems, and currently, there are two working groups to standardize their communications [14,17]. Their wireless communication proposal has options to configure hop-by-hop and end-to-end confidentiality and integrity mechanisms. Similarly they provide the necessary protocols for access control and key management.
All these efforts have essentially three goals: (1) create awareness of security issues with control systems, (2) help control systems operators and IT security officers design a security policy, and (3) recommend basic security mechanisms for prevention (authentication, access controls, etc), detection, and response to security breaches. These recommendations and standards have not considered technical details of the new research problems that arise when control systems are under attack.
While it is clear that the security of control systems has become an active area in recent years, we believe that, so far, no one has been able to articulate what is new and fundamentally different in this field from a research point of view compared to traditional IT security.
In this paper we would like to start this discussion by summarizing some previously identified differences and by proposing some new problems.
The property of control systems that is most commonly brought up as a distinction with IT security is that software patching and frequent updates, are not well suited for control systems. For example, upgrading a system may require months of advance in planning of how to take the system offline; it is, therefore, economically difficult to justify suspending the operation of an industrial computer on a regular basis to install new security patches. Some security patches may even violate the certification of control systems.
In a recent anecdote, on March 7 of 2008, a nuclear power plant was accidentally shutdown because a computer used to monitor chemical and diagnostic data from the plant's business network rebooted after a software update. When the computer rebooted, it reset the data on the control system, causing safety systems to errantly interpret the lack of data as a drop in water reservoirs that cool the plant's radioactive nuclear fuel rods .
Another property of control systems that is commonly mentioned is the real-time requirements of control systems. Control systems are autonomous decision making agents which need to make decisions in real time. While availability is a well studied problem in information security, real-time availability provides a stricter operational environment than most traditional IT systems.
Large industrial control systems also have a large amount of legacy systems. Several research efforts have tried to provide lightweight cryptographic mechanisms to ensure data integrity and confidentiality [33,30]. The recent IEEE P1711 standard is designed for providing security in legacy serial links . Having some small level of security is better than having no security at all; however, we believe that most of the efforts done for legacy systems should be considered as short-term solutions. For properly securing critical control systems the underlying technology must satisfy some minimum performance requirements to allow the implementation of well tested security mechanisms and standards.
Not all operational differences are more severe in control systems than in traditional IT systems. By comparison to enterprise systems, control systems exhibit comparatively simpler network dynamics: Servers change rarely, there is a fixed topology, a stable user population, regular communication patterns, and a limited number of protocols. Therefore, implementing network intrusion detection systems may be easier than in traditional enterprise systems .
While all these differences are important, we believe that the major distinction of control systems with respect to other IT systems is the interaction of the control system with the physical world.
In general, information security has developed mature technologies and design principles (authentication, access control, message integrity, separation of privilege, etc.) that can help us prevent and react to attacks against control systems. However, research in computer security has focused traditionally on the protection of information. Researchers have not considered how attacks affect the estimation and control algorithms -and ultimately, how attacks affect the physical world.
We argue that while the current tools of information security can give necessary mechanisms for the security of control systems, these mechanisms alone are not sufficient for the defense-in-depth of control systems.
We believe that by understanding the interactions of the control system with the physical world, we should be able to
In general, it is very difficult to have an accurate model of the process being controlled; therefore, it is common to consider an additional term , which is called the process noise, and accounts for modeling errors, uncertainties or perturbations to the system. It is common to assume that is a Gaussian random sequence with covariance and mean 0.
The second equation in Eq.(1) assumes the system is monitored by a sensor network with sensors, where , and is the measurement collected by sensor at time . Furthermore . The reason to include the observation equation is because sometimes we do not have direct measurements of the state of the system .
The estimation and control algorithms used in control systems are designed to satisfy certain operational goals, such as, closed-loop stability, safety, liveness, or the optimization of a performance function. Intuitively, our security goal is to protect these operational goals from a malicious party attacking our cyber infrastructure.
In water tank example, we may want to maintain the water levels in some bounded set (e.g., for all ), even if the system is under attack.
Motivated by our previous work , we consider DoS and deception attacks. In deception attacks (a compromise of integrity), the adversary sends false information or from (one or more) sensors or controllers. The false information can include: an incorrect measurement, the incorrect time when the measurement was observed, or the incorrect sender id. The adversary can launch these attacks by obtaining the secret key or by compromising some sensors or controllers.
In DoS attacks the adversary prevents the controller from receiving sensor measurements or the actuators from receiving control commands. To launch a DoS the adversary can jam the communication channels, compromise devices and prevent them from sending data, attack the routing protocols, flood the network with data etc.
We now present a general framework to model these attacks by using additive changes to Eq.(1):
Modeling a DoS attack on a subset of control signals.
Modeling a DoS attack on a subset of sensor nodes
Modeling a deception attack on a subset of control signals.
Modeling a deception attack on a subset of sensor nodes
Adversary Model A (p,q)-Adversary can select channels (between the sensor and the controller or between the controller and the actuator) and perform a DoS attack for units of time on all of these channels.
Security Specification While in several control problems we want to design algorithms to optimize certain performance criteria, we believe that when a system is under attack the main objective should be to maintain the safety of the physical process. In most cases the safety of the system can be defined as a bounded set such that . Let be this safety set.
We want to analyze the behavior of the system from time to . In particular, we want to study the following problem: Does there exist a suitable control sequence such that the performance process lies in a certain safety set with a sufficiently high probability under DoS attacks?
Definition of Security Given a safety parameter set and a given , we say that the dynamical system is secure if for every (p,q)-Adversary there is a control sequence such that
The feasibility problem Given history we would like to answer two questions: (1) is the system secure? and if it is, (2) how do we find a realization of that maintains the system in the safe set?
We argue that detecting attacks to control systems can be formulated as anomaly-based intrusion detection systems . The difference in control systems is that instead of creating models of network traffic or software behavior, we use instead the model of the physical system (Eq.(1). Our argument is that if we know how the output of the physical system should react to our control commands , then any attack to the sensor measurements or control system will exhibit an abnormal view of the physical process (Eq.(2). Given a sequence of observations the anomaly detector should also be able to estimate the expected control signals to detect if a controller has been compromised.
The most natural way to detect these attacks is to use sequential detection theory. Unlike previous work [19,27], we cannot use a fixed model for the attack hypothesis (this is known in statistics as a simple hypothesis testing problem) because for deception attacks, we do not know the attack sequences or that an adversary will select. Therefore we need to formulate a composite hypothesis testing problem.
We plan to investigate the effectiveness of this approach for detecting a wide range of attacks, and also to analyze the tradeoffs between the accuracy of detection, the number of false alarms, and the damage to the physical system of attacks that can go undetected in our system.
While we have not presented a model of a real system in this short paper, it is important to emphasize the need for realistic models of physical systems. We are currently experimenting our research directions with three systems: a water canal system, a water distribution network, and a chemical reactor plant. Only by experimenting and simulating realistic infrastructures will our theoretical methods be validated.
This document was generated using the LaTeX2HTML translator Version 2002-2-1 (1.71)
Copyright © 1993, 1994, 1995, 1996,
Computer Based Learning Unit, University of Leeds.
Copyright © 1997, 1998, 1999, Ross Moore, Mathematics Department, Macquarie University, Sydney.
The command line arguments were:
latex2html -split 0 -show_section_numbers -local_icons -no_navigation hotsecHTML
The translation was initiated by Alvaro on 2008-07-15