Abstract
Intelligent automated industrial process control requires a higher level of systems integration and connectedness than what has traditionally been the case. With such development comes increased risk of cyber-attack for Operational Technology (OT) systems such as Industrial Control Systems (ICS). For ICS, cyber-attacks can have significant consequences also in the physical world, with potentially catastrophic consequences, as experienced in the Colonial Pipeline and the Ukraine Power Grid attacks. Physical risk to the work environment, the product, and surroundings should therefore be accounted for in cybersecurity solutions for ICS.
For this purpose, models and methods are required that consider the function of the whole Cyber-Physical System (CPS) not just the ICS, with the capability of detecting and correlating observations across the layers of system control, including the physical process being controlled. To achieve this, a context-based detection approach that can model the CPS and combine this with a process-aware risk analysis for attack response is proposed. The approach also needs to be adaptable (intelligent) to account for the process dynamics and the evolving cyber-attack threats. For this purpose, diagnostic models adapted to the industrial process should be applied together with situational awareness monitoring and cyber-attack detection tools, such as ICS Intrusion Detection Systems (IDS). The capability of the ICS IDS therefore needs to be extended to cover both Information Technology (IT) and OT parts of the ICS and include an understanding of the physical system and process as a knowledge basis, fed by process sensor and instrumentation data. These diagnostic models must cover the whole CPS in the risk analysis to provide aid in the attack response decision making. To achieve this, the models need to combine the physical characteristics of the process with the characteristics of the other system layers.
Based on studies in a drilling control system environment, results indicate that existing tools can be used to detect and discern between different types of cyber-attack on Cyber-Physical Systems (CPS). This indicates feasibility with respect to monitoring of the OT and IT part of the system for building risk-based cybersecurity solutions. The challenge and novel part are to extend IT and OT systems cyber detection with automated evaluation of the resulting process risk taking physical process information into account, to make response decisions not only based on potential digital consequences but also consequences for the process and physical world.