More possible common threads in major ICS cyber incidents – unintended system interactions

One of the most important aspects in addressing ICS cyber security is the concept of “systems of systems”.  Unlike IT where you can test a box and label it and the system secure, control system cyber security requires testing the overall system. That is because even if the individual boxes are secure, the communication protocols may not be secure or there may be unintended system interactions.

The crash of an Airbus A400M airlifter that killed four people on May 9 may have been caused by new software that cut off the engine-fuel supply. The aircraft featured new software that would trim the fuel tanks allowing the aircraft to fly certain military maneuvers.

This is not the first instance where unintended ICS interactions have affected the overall system. A number of years ago, a power plant connected a dispatch system to its plant distributed control system (DCS) as it was the utility’s most economic unit. Both software systems were tested but there was no testing of the integrated system. When the systems were connected, the unit was ramped back and forth across its full load range at the maximum ramp rate. The DCS effectively maintained the control variables within constraints so the operator was not aware of the turbine cycling. This is really important as operators often rely on the DCS to protect the plant and in this case it was the DCS causing the problem with no indications. However, the turbine rotor was subjected to significant stress. The analysis showed the turbine SIGNIFICANTLY exceeded the design stress curves 3 times in the 3 hour period. The event impacted the turbine rotor’s lifetime and the dispatch status of the unit reducing the revenue generation from the ancillary services market. The situation threatened the viability of the unit to compete in the marketplace and will result in the utility having to repair or replace the turbine rotor earlier than expected.

Another case of unintended system interaction was the implementation of a turbine vendor’s security patch. The turbine vendor did not coordinate the new security functionality with the existing engineering design.  The “uncoordinated” patch resulted in the loss of view and loss of control of the turbine.

There have been many other examples of significant system impacts from the unintended consequences of system interactions. To date, most of these problems have been unintentional. However, the impacts have been very significant. Furthermore, it wouldn’t be that difficult to cause these issues intentionally with small chance of detection.

Joe Weiss

Show Comments
Hide Comments

Join the discussion

We welcome your thoughtful comments.
All comments will display your user name.

Want to participate in the discussion?

Register for free

Log in for complete access.

Comments

  • <p>Joe - Your comments on system testing and examples of a lack thereof in ICS are helpful, but your view of IT is just plain wrong.</p> <p>"Unlike IT where you can test a box and label it and the system secure, control system cyber security requires testing the overall system." Perhaps this is true for desktop management, but system testing is very important and often done with a lot more rigor in IT than ICS.</p> <p>Last month I was at a large participant in the water sector. In addition to the ICS, they had an ERP system that was critical to business. They had a complete test environment for the ERP, and a long set of tests they ran to insure the required functionality was not affected prior to a change being pushed out to production.</p> <p>This is yet another area where OT could benefit from IT's experience in setting up test environments and system related regression test plans.</p> <p>Dale Peterson @digitalbond, digitalbond.com </p>

    Reply

RSS feed for comments on this page | RSS feed for all comments