ICS security: Thinking outside the cybersecurity "box"
Continuing the discussion, today we look at our next topic. As a brief refresher on the series focus: traditional cybersecurity training and practitioners often emphasize hunting for digital Indicators of Compromise (IoCs). In this series, however, we explore cybersecurity techniques for ICS that are more physical and outcome-based.
Process Invariants: The Immutable Guardians of ICS
Amidst the buzzing activity of modern industries, there exists a set of steadfast rules, as unyielding as the laws of nature. They are the process invariants, conditions that are always true, regardless of the myriad of operations taking place. These invariants, by virtue of their unwavering consistency, can be harnessed as powerful instruments for detecting anomalies and potential cyber intrusions in the realm of industrial control systems.
Understanding invariants:
Process invariants, in essence, are the fundamental truths tied to a specific physical or chemical process. Think of them as the 'axioms' of an industrial operation: conditions that must hold for the system to be functioning correctly. Any deviation from them not only threatens operational integrity but may also signal malicious activity against the control system.
For instance, in a chemical reaction that always yields a specific volume of gas, any deviation in the produced volume could be considered a violation of a process invariant. This could be an indicator of tampering or interference with the controlled environment or parameters of the reaction.
Four quick examples:
Chemical Equilibrium: In a controlled chemical process, certain reactions reach a state of equilibrium where the concentration of reactants and products remains constant over time. Any sudden shift in this equilibrium could suggest external interference.
Thermal Dynamics: In a controlled heating system, the energy put in must always equal the heat stored (seen as the temperature rise) plus the heat lost to the environment. If the system starts overheating with no increase in energy input, that is a sign of a faulty or compromised control system.
Fluid Dynamics: In a hydraulic system, conservation of mass dictates that the volume of fluid entering the system must equal the volume leaving it plus any change in what is stored (a tank level, for example). Discrepancies might indicate sensor tampering or malfunction, or, in a darker scenario, a deliberate cyber-attack intended to cause a system failure.
Mechanical Load Balancing: In machinery with moving parts, there's an expected balance of forces. A sudden vibration or imbalance can indicate a breach of this invariant, suggesting potential tampering or mechanical failures.
Advantages and Potential “Gotchas”
The primary advantage of relying on process invariants as a security measure is their inherent nature. They are rooted in scientific principles and physical laws, making them reliable indicators of system health. Furthermore, since they are always true, they serve as a constant benchmark, allowing for real-time anomaly detection.
However, relying solely on process invariants has its challenges. Accurately identifying and measuring them requires deep domain knowledge and comprehensive asset visibility. Without that understanding and a holistic view of the system, it is hard to distinguish genuine violations caused by equipment aging, sensor drift or wear and tear from those caused by cyber threats, and the invariants lose much of their diagnostic value.
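To make the fluid-dynamics example and the aging-versus-attack "gotcha" concrete, here is an added example that is not part of the original article: a conservation-of-mass check on a single tank, followed by a simple look at how the residuals behave. The tank, the sampling rate, every flow and level reading, the tolerances and all function names are constructed assumptions for illustration, not data or code from any plant or vendor.

```python
"""Mass-balance invariant check on a tank, with the residual pattern used to
separate slow sensor drift from an abrupt violation.

Added example: the tank, every reading, the tolerances and the helper names
below are constructed assumptions for illustration, not plant data."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Sample:
    t: float         # seconds since the start of the window
    flow_in: float   # L/s reported by the inlet flow meter
    flow_out: float  # L/s reported by the outlet flow meter
    level: float     # L, tank level as reported to the HMI/historian


def residuals(samples: List[Sample]) -> List[Tuple[float, float]]:
    """Conservation of mass: over each interval the change in stored volume
    must equal net inflow (trapezoidal average of the two flow readings x dt).
    Returns (t, measured level - predicted level) for every interval."""
    out = []
    for prev, cur in zip(samples, samples[1:]):
        dt = cur.t - prev.t
        avg_in = (prev.flow_in + cur.flow_in) / 2
        avg_out = (prev.flow_out + cur.flow_out) / 2
        predicted = prev.level + (avg_in - avg_out) * dt
        out.append((cur.t, cur.level - predicted))
    return out


def check_mass_balance(samples: List[Sample], tolerance: float) -> List[str]:
    """Report every interval whose residual exceeds the noise tolerance."""
    return [f"t={t:.0f}s: residual {r:+.2f} L exceeds +/-{tolerance} L"
            for t, r in residuals(samples) if abs(r) > tolerance]


def classify_residuals(samples: List[Sample], tolerance: float,
                       max_jump: float) -> str:
    """'ok'    : all residuals within tolerance
       'drift' : residuals creep past tolerance but never change by more than
                 max_jump between intervals (typical of aging/wear)
       'step'  : a residual jumps by more than max_jump at once, the abrupt
                 violation that deserves an integrity/cyber investigation"""
    rs = [r for _, r in residuals(samples)]
    if all(abs(r) <= tolerance for r in rs):
        return "ok"
    # Treat the first residual as a jump from a zero baseline.
    jumps = [abs(rs[0])] + [abs(b - a) for a, b in zip(rs, rs[1:])]
    return "step" if max(jumps) > max_jump else "drift"


# Constructed scenarios: 10 s sampling, inlet 2 L/s, outlet 1 L/s, so the
# true level rises by 10 L per interval from 500 L.
def normal_run() -> List[Sample]:
    return [Sample(10 * k, 2.0, 1.0, 500.0 + 10 * k) for k in range(6)]


def frozen_level_run() -> List[Sample]:
    """Level reading is held at 530 L from t=40 s while the flows continue:
    the kind of replayed/frozen value a compromised controller might present."""
    return [Sample(10 * k, 2.0, 1.0, min(500.0 + 10 * k, 530.0))
            for k in range(6)]


def drifting_flow_meter_run() -> List[Sample]:
    """Outlet meter over-reads by a further 0.05 L/s every sample; the level
    itself is true. Residuals grow slowly instead of jumping."""
    return [Sample(10 * k, 2.0, 1.0 + 0.05 * k, 500.0 + 10 * k)
            for k in range(6)]


if __name__ == "__main__":
    scenarios = (("normal", normal_run),
                 ("frozen level", frozen_level_run),
                 ("drifting outlet meter", drifting_flow_meter_run))
    for name, run in scenarios:
        print(name, "->", classify_residuals(run(), tolerance=1.0, max_jump=1.0))
        for line in check_mass_balance(run(), tolerance=1.0):
            print("  ", line)
```

The frozen-level scenario is the one to notice: the individual readings all look plausible on an HMI, and only the relationship between them (the invariant) is wrong. The drift scenario violates the same invariant, but its residuals grow a little at a time, which is the pattern an aging meter produces and why the tolerance and the jump threshold need to come from people who know the process, not from the security team alone.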
As digital transformation drives more capabilities into the ICS environment, security teams need deep and comprehensive asset visibility and a CMDB for all assets, throughout the layers of OT.
Cybersecurity in OT as a practice is still evolving. As cybersecurity practitioners, we must use every resource available to help secure our environments, and we have a duty to fully understand and leverage people, processes, and technology. If process invariants can give us IoCs, then... why not?
Next topic: Behavioral Analytics of Operations