More possible common threads in major ICS cyber incidents – unintended system interactions

May 21, 2015

One of the most important aspects in addressing ICS cyber security is the concept of “systems of systems”.  Unlike IT where you can test a box and label the system secure, ICS cyber security requires testing the overall system. There have been many examples of system impacts including significant equipment damage and even deaths from the unintended consequences of ICS system interactions.

One of the most important aspects in addressing ICS cyber security is the concept of “systems of systems”.  Unlike IT where you can test a box and label it and the system secure, control system cyber security requires testing the overall system. That is because even if the individual boxes are secure, the communication protocols may not be secure or there may be unintended system interactions.

The crash of an Airbus A400M airlifter that killed four people on May 9 may have been caused by new software that cut off the engine-fuel supply. The aircraft featured new software that would trim the fuel tanks allowing the aircraft to fly certain military maneuvers.

This is not the first instance where unintended ICS interactions have affected the overall system. A number of years ago, a power plant connected a dispatch system to its plant distributed control system (DCS) as it was the utility’s most economic unit. Both software systems were tested but there was no testing of the integrated system. When the systems were connected, the unit was ramped back and forth across its full load range at the maximum ramp rate. The DCS effectively maintained the control variables within constraints so the operator was not aware of the turbine cycling. This is really important as operators often rely on the DCS to protect the plant and in this case it was the DCS causing the problem with no indications. However, the turbine rotor was subjected to significant stress. The analysis showed the turbine SIGNIFICANTLY exceeded the design stress curves 3 times in the 3 hour period. The event impacted the turbine rotor’s lifetime and the dispatch status of the unit reducing the revenue generation from the ancillary services market. The situation threatened the viability of the unit to compete in the marketplace and will result in the utility having to repair or replace the turbine rotor earlier than expected.

Another case of unintended system interaction was the implementation of a turbine vendor’s security patch. The turbine vendor did not coordinate the new security functionality with the existing engineering design.  The “uncoordinated” patch resulted in the loss of view and loss of control of the turbine.

There have been many other examples of significant system impacts from the unintended consequences of system interactions. To date, most of these problems have been unintentional. However, the impacts have been very significant. Furthermore, it wouldn’t be that difficult to cause these issues intentionally with small chance of detection.

Joe Weiss