Year
2015
Abstract
Current engineering and risk management methodologies may not contain the foundational assumptions required to address the intelligent adversary’s capabilities in malevolent cyber attacks. Current methodologies focus on equipment failures or human error as initiating events for a hazard, while cyber attacks use the functionality of a trusted system to perform operations outside of the intended design and without the operator’s knowledge. These threats can bypass or manipulate traditionally engineered safety barriers and present false information, invalidating the fundamental basis of a safety analysis. Cyber threats must be fundamentally analyzed from a completely new perspective where neither equipment nor human operation can be fully trusted. A new risk analysis and design methodology needs to be developed to address this rapidly evolving threatscape. The aspect that makes a cyber attack a unique threat in the infrastructure environment is its ability to overcome the challenges of time, space, and scale. Digital systems are designed to improve automation, manipulation of information, and/or communication. The advantages and trends that make digital instrumentation and control systems attractive also increase risk. The configurable capability of a digital instrumentation and control system provides an opportunity for exploitation for purposes other than those it was designed for. This is a direct result of a “trust model” that is a foundational design assumption in almost every digital control system implementation. The trust model assumes that the information provided or the actions taken by an individual device or user inside a boundary is trusted. This is a fort mentality that assumes a separation can be maintained between the trusted system and all other digital systems. The methods to maintain this separation (air gaps, unidirectional gateways, monitoring, patching) all require a real-time level of understanding of the state of the network and the cyber threat. The very nature of modern cyber threat is a constant evolution, and there is no separation method that can protect against all threats, much less predict how cyber threat will evolve. A well-resourced and experienced malicious cyber actor, drawing upon various skills is capable of undermining the trust model at every level. This opponent continues to defeat defensive layers put in place to protect critical operational processes and infrastructure including nuclear instrumentation and control and physical protection systems. In a world of increasing connectivity and cyber threat innovation, it must be assumed that our computing environments have been compromised and that we cannot certify any system fully secure. It is reckless to presume historical analytical assumptions and approaches such as safety analysis, design basis threat and probabilistic risk assessment methodologies can cover the unique nuances of the cyber threat. Without a full understanding of how cyber systems are programmed, operated, and abused, we can hardly identify the threat much less establish effective analysis methods. The rapid adoption of digital and automation technology in critical infrastructures, including nuclear facilities, has eclipsed existing methods to identify and mitigate high-consequence events. Engineering analysis is not conducted with a cyber-informed perspective. This may lead to flawed assumptions that could obscure the relevance of severe damaging scenarios. Infrastructure asset owners are beginning to recognize the potential for unmitigated risk associated with cyber attacks, but industry is looking for a model to assess and quantify risk and encourage risk reduction methods. This paper will provide a discussion about the shortfalls of existing cyber-physical security assumptions, methods, and analysis techniques, setting up a framework or basis that can be used to launch new cyber-informed engineering analysis. Although cyber-informed engineering methods have not been fully developed or established to date, this paper will lead a discussion about how attributes of this process might be considered. Evaluating the long-term goal of developing new cyber-informed safety basis and trust principles for high consequence systems is critical.