ICS Defense: Thinking outside the cybersecurity "box".

Traditional cybersecurity training and practitioners often emphasize seeking digital Indications of Compromise (IoC) when conducting threat hunting. However, in this series, we will explore cybersecurity techniques that are more physical and outcome-based.

While traditional IT-driven security solutions and processes are undeniably crucial, they might not, alone, be sufficient to guarantee the safety of our critical infrastructures in today's complex threat landscape. To effectively safeguard our Industrial Control Systems (ICS), our attention should not solely be focused on digital footprints. Instead, we need to also consider the tangible outcomes in the production process. Cyberattacks often leave traces throughout the physical process's lifecycle. A detailed analysis of production performance or system event data can allow us to differentiate between genuine operational shifts and anomalous changes or deteriorations in performance. By focusing on the nuanced variations in actual physical production efficiency and outcomes, we are paving the way for a more comprehensive approach to ICS security that will redefine (and further mature) the role of ICS cybersecurity professionals.

At the heart of this novel defense strategy lie what some might term the "table stakes" in ICS security: anomaly detection using machine learning, physical layer security, passive network monitoring, and hardware-based security, among others. It all starts with visibility across as many ICS assets as possible. A deep understanding of the configuration files and key settings is necessary. This is accomplished using a comprehensive ICS asset inventory and CMDB product (like ours – shameless plug). These technologies are all valuable, and their critical importance and integration into security frameworks cannot be overstated. But for industries, especially those deeply rooted in heavy manufacturing, relying solely on these technologies could lead to potential blind spots. The way forward, it seems, is a more holistic approach—one that combines our digital strategies with physics-based anomaly detection. This approach aims to blend domain-specific knowledge of the physical process with cybersecurity principles, creating a more holistic defense. This should become the future blended profile of the next-gen ICS cyber-defenders.

The first topic of the series: Physics-based Models for Anomaly Detection

The intersection of cyber-physical systems has long been recognized but is often inadequately addressed in the cybersecurity realm. Unlike traditional digital networks, ICSs interlace with the physical world. This tangible intertwining paves the way for a unique, potent, yet frequently overlooked, method for anomaly detection: Physics-based models.

Understanding the Concept

At the core, Physics-based Anomaly Detection revolves around the development of mathematical representations that capture the inherent behavior of physical processes within an industry. These models, grounded in established principles of physics, chemistry, and engineering, allow us to predict expected outcomes based on certain inputs or environmental conditions.

For instance, in a manufacturing environment, consider the behavior of a hydraulic press. A physics-based model of this press would consider factors like hydraulic fluid viscosity, temperature, pressure, and machine speed. With these variables, the model could predict the energy consumed during a given production cycle accurately. Any deviation from this expected energy consumption might signify a problem - either a mechanical fault, inefficiency, or potentially, a cyber intrusion.

Practical Applications and Examples

Energy Consumption - As alluded to earlier, an unexpected spike or dip in energy consumption can be a red flag. If a cooling system, for instance, begins drawing more power than its physics-based model predicts, it might indicate tampering with the system's control parameters by a malicious actor.

Material Wastage - In the context of a chemical plant, assume a process that converts raw material A into product B. A physics-based model would anticipate a certain yield from this process. If there's an unexpected increase in waste or a reduction in yield, it could signify that the control systems governing the process have been tampered with.

Production Line Timings - Consider an automated assembly line. Physics-based models can predict the time taken for an item to move from one point to another with astonishing accuracy. If items begin arriving too early or too late, without a corresponding change in the assembly line's speed, it might be a sign of a system anomaly, potentially induced by external tampering.

Equipment Wear and Tear - A physics-based model can predict the rate at which equipment wears down under normal operating conditions. If a piece of equipment starts to degrade faster, it could be due to operational parameters being manipulated outside their safe limits, possibly by a cyber attacker looking to cause physical damage.
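The hydraulic press example above and the residual-based checks in this list can be expressed as a small detector. This is an added illustration, not code from the article or its reference: the press model (hydraulic work = pressure x displaced volume, electrical input = work / pump efficiency, efficiency falling with fluid temperature) and the 10% tolerance band are simplified assumptions, and the cycle records are constructed. The point it shows is that a genuine operational shift (a slower stroke, warmer fluid) is explained by the model and raises no alert, while a meter reading the model cannot explain is flagged.

```python
"""Physics-based residual check for a hydraulic press (constructed example)."""
from dataclasses import dataclass


@dataclass
class Cycle:
    cycle_id: int
    pressure_pa: float      # system pressure reported by the controller
    flow_m3_s: float        # pump flow, set by pump speed
    duration_s: float       # stroke time
    temp_c: float           # hydraulic fluid temperature
    measured_kj: float      # energy actually drawn, from an independent meter


def pump_efficiency(temp_c: float) -> float:
    """Assumed efficiency curve: above 40 C the thinner fluid costs efficiency.
    A real plant would take this curve from OEM data or commissioning tests."""
    return 0.85 - max(0.0, temp_c - 40.0) * 0.004


def expected_energy_kj(c: Cycle) -> float:
    """Hydraulic work = pressure * volume; electrical input = work / efficiency."""
    work_j = c.pressure_pa * c.flow_m3_s * c.duration_s
    return work_j / pump_efficiency(c.temp_c) / 1000.0


def residual_ratio(c: Cycle) -> float:
    """Signed fractional gap between the meter and the model prediction."""
    expected = expected_energy_kj(c)
    return (c.measured_kj - expected) / expected


def find_anomalies(cycles, tolerance=0.10):
    """Cycle ids whose measured energy the physics model cannot explain."""
    return [c.cycle_id for c in cycles if abs(residual_ratio(c)) > tolerance]


# Constructed cycle log: 200 bar, 60 L/min, 5 s stroke is the nominal recipe.
SAMPLE_CYCLES = [
    Cycle(1, 20e6, 1.0e-3, 5.0, 40.0, 118.0),   # nominal, matches model
    Cycle(2, 20e6, 0.5e-3, 10.0, 40.0, 119.0),  # slower stroke: same work, no alert
    Cycle(3, 20e6, 1.0e-3, 5.0, 55.0, 127.0),   # warm fluid explains higher draw
    Cycle(4, 20e6, 1.0e-3, 5.0, 40.0, 140.0),   # meter disagrees with reported inputs
    Cycle(5, 20e6, 1.0e-3, 5.0, 40.0, 95.0),    # too little energy for the reported work
]

if __name__ == "__main__":
    for c in SAMPLE_CYCLES:
        print(c.cycle_id, round(expected_energy_kj(c), 1), round(residual_ratio(c), 3))
    print("anomalous cycles:", find_anomalies(SAMPLE_CYCLES))
```

Cycles 4 and 5 are the ones to investigate: the controller reports a nominal recipe, but the independent meter does not agree with the physics of that recipe.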

Advantages and Challenges

Utilizing physics-based models offers several advantages. Firstly, these models can detect anomalies even in the absence of prior cyber threat intelligence. They don't need to know what a specific cyber-attack 'looks like'; they simply identify when the physical world behaves unexpectedly. Secondly, they offer a low false-positive rate. Since they're grounded in scientific principles, anomalies detected are often genuine issues.

However, the method isn't without potential challenges. Developing accurate physics-based models requires deep domain knowledge, intimate and ubiquitous access to the control configuration settings, and comprehensive enterprise asset visibility and management. These models may not always account for every variable or unforeseen interaction. Still, when integrated with traditional cyber defense mechanisms, they can provide an additional, robust layer of protection for critical infrastructures.

Reference: M. R. G. Raman and A. P. Mathur, "A Hybrid Physics-Based Data-Driven Framework for Anomaly Detection in Industrial Control Systems," in IEEE Transactions on Systems, Man, and Cybernetics: Systems, vol. 52, no. 9, pp. 6003-6014, Sept. 2022, doi: 10.1109/TSMC.2021.3131662.

Next topic on deck: Process Invariants

Kandy Z.

Cyber Strategist, Cyber OSINT

1 year

There is no box.

Moti Barkan

Founder and CTO at HackNot

1 year

How exactly does this help? Non-digital? A SIMPLE comparison of the input from level 0 to level 1 output will indicate SWIFTLY if there is a Physical failure or a CONTROL/OT challenge. This can easily be implemented in most fielded ICS systems SMARTLY with low-cost investment! We have been dancing around the problem now for over 10 years rather than starting to harden installed systems and FORCE guidelines for designing and fielding new systems. To test if a PLC fits its purpose, a unit that costs under $10 can do the job - allowing for monitoring the ICS effectively, detecting danger, supporting backup while containing and blocking contaminated PLCs, and returning to normal operation.

David De Sousa

Energy Transition | Automation | Control | Optimization | Measurement | Analytics | Process/Functional Safety | ICS Security | Digitalization | Sustainability | Costs Optimization | Reliability | Technology | Innovation

1 year

Excellent article Edward. We are currently using "Physics-based Models" in combination with "Digital Twins" and "Dynamic & Static Models" for Anomaly Detection, Process Optimization, Model Predictive Control, Condition Monitoring, etc., but we are missing the opportunity to link it to Industrial Cyber Security to detect Failure Modes and Effects originating from exploitation of existing vulnerabilities on the OT domain. Could you please check the embedded hyperlink to the article in ScienceDirect? It seems to be broken.

Joe Weiss PE CISM CRISC ISA Fellow

Managing Partner at Applied Control Solutions, LLC Emeritus Managing Director ISA99 ICS Cyber Security Pioneer, Keynote Speaker Process Automation Hall of Fame

1 year

You might find the November 2022 IEEE Computer magazine article of interest, as it addresses this subject and actually quantifies the benefit: "Using Machine Learning to Work Around the Operational and Cybersecurity Limitations of Legacy Process Sensors"

Woodley B. Preucil, CFA

Senior Managing Director

1 year

Edward Liebig Very informative. Thanks for sharing.
