Too often, discussions on cyber-physical attack scenarios and how to prevent them are focused on the idea that a cyber attacker could disrupt or freeze process control, thereby causing downtime. This thinking is in alignment with the common misconception that cyber-physical security would be just another form of information security, with the major difference being that the basic protective priorities of confidentiality, integrity, availability (CIA) only need to be reordered to availability, integrity, confidentiality (AIC), and bingo!, we can secure process control by using otherwise identical concepts, products, and procedures from infosec.
The misconception is due to framing the problem within the conceptual space of information security, ignoring the physical side of process control – which shouldn’t surprise when infosec people are invited to lead the discussion. However, cybernetics is not the same as IT, and the availability of digital components (in infosec terms) is not necessarily the highest priority of cyber-physical defense.
Interestingly, fiction writer Tom Clancy had this insight intuitively when writing his thriller “Threat Vector” in which a Chinese state-owned hacker organization (the “Red Hacker Alliance”) cyber-attacks US critical infrastructure. In the following quote, the villain named “Tong” is a Chinese super-hacker that may have been modeled with characters like Ugly Gorilla in mind:
“During a public dispute between China’s state-owned petroleum organization and an American oil company over a pipeline contract in Brazil, Tong came before the leadership of the MSS [Ministry of State Security] and asked them, quite simply, if they would like his Red Hacker Alliance to destroy the oil company. He was asked by the ministers if he intended to destroy the American oil company’s dominance in the marketplace.
‘That is not what I mean. I mean, physically ruin them.’ – ‘Shut their computers down?’ (…) ‘Of course not. We need their computers. We have obtained command-level control of their pipelines and oil-drilling capacity. We have kinetic capabilities at their locations. We can cause actual real-world destruction.’”
(Tom Clancy, Threat Vector)
Malicious process control requires fully-functional control systems, making the digital disruption of SCADA and PLCs look like a foolish beginner’s mistake. A cyber-physical attack is not an attack against a control system, but an attack against the physical equipment or process that it controls. It is therefore a dangerous oversimplification to identify cyber-physical defense with ICS security or, even worse, SCADA security.
What we really have to be concerned about is digital process control security, which cannot be assured without understanding the physical process and equipment and their specific analog vulnerabilities, and which may even involve analog components such as last-line-of-defense analog safeguards for high-value targets. That’s the major reason why we include process and equipment engineering principles in Critical Penetration Analysis.