In the IT environment a denial-of-service is one of the worst case scenarios. In this case, data can no longer move and the system comes to a stop. In the ICS environment, the worst case scenario is loss of control (LOC) and/or loss of view (LOV). That is, data continues to flow and the system continues to operate but no longer as it was designed or meant to do or as the operator thinks is happening.
LOC means the control of the process has changed. This can be maliciously like Stuxnet or unintentionally where a refinery unexpectedly had valves open and close.
LOV does not just mean "the blue screen of death". It means the operator no longer has a view, or correct view, of what is actually happening with the process. There are three different aspects of LOV:
- Maliciously misleading the operator by changing the process but not letting the operator see what is actually occurring as with Stuxnet. It is also possible to provide the operator a misleading view without changing the process so the operator takes the wrong actions and effectively becomes the intruder as with 2004 INL hacking demonstration.
- Unintentionally misleading the operator such as what occurred during the 2003 North East Outage when the loss of SCADA alarms misled the operator into thinking the system was operating properly and therefore didn't take appropriate timely actions.
- Complete loss of view of the process, eg, "blue screen of death". This leads to the operator to take the safe approach of shutting down the system because the operator cannot see what is happening. An example was the Blaster worm shutting down Windows-based operator displays in combustion turbine power plants resulting in the operators shutting down their plants.
LOV and LOC can create conditions that can lead to physical destruction of equipment and personal impacts. Stuxnet exploited both LOC and LOV to damage the equipment. That is, operating the process in a way that would damage the equipment and "blinding" the operator from knowing what was actually happening.
My ICS incident database now contains more than 300 actual ICS cyber incidents. I was able to identify more than 25 incidents that were LOC and/or LOV. In most of the LOV and LOC cases, it is not clear what caused the incidents. Moreover, LOC and LOV generally are not network issues that IT can address.
These situations certainly put the critical infrastructures at risk.
Joe Weiss