Using a system-theoretic approach to identify cyber- vulnerabilities and mitigations in industrial control systems
Author(s)Khan, Shaharyar,S.M.Massachusetts Institute of Technology.
Massachusetts Institute of Technology. Engineering and Management Program.
System Design and Management Program.
Stuart Madnick and Allen Moulton.
MetadataShow full item record
Recent cyber-physical attacks, such as Stuxnet, Triton etc., have invoked an ominous realization about the lethality of such attacks and the vulnerability of critical infrastructure, including power, gas and water distribution control systems. The traditional industrial practice to enhance security posture by utilizing IT security-biased protection methods narrowly focuses on improving cyber hygiene and individual component protection. Albeit essential and a good countermeasure against indiscriminate, non-targeted attacks, the reality of modern industrial control systems is that they are highly complex, interdependent and software-intensive sociotechnical systems. This makes traditional methods of defense largely impotent in the face of targeted attacks by advanced cyber-adversaries - as was demonstrated by Stuxnet.A new realization is aggressively permeating through the industry about the need to use a holistic approach that integrates safety and security considerations to rethink, reengineer and redesign these complex control systems. System-Theoretic Accident Model & Processes (STAMP) offers a powerful, holistic, structured framework to analyze safety and security of complex cyber-physical systems in an integrated fashion. The electric grid is universally acknowledged as the holy grail of a target for an advanced cyberadversary. In light of this, this work demonstrates the use of a STAMP-based analysis method on the electric generation and distribution system of the MIT central utilities plant. The analysis is presented in a robust and structured format which can be emulated to analyze larger systems.Several hazardous control actions such as out-of-sync breaker closure, generator overfluxing, turbine overspeed etc., are identified which could be exploited to cause permanent physical damage to the plant. While traditional counter-measures exist, it is argued that they need to be rethought in the face of potential cyber-attacks by advanced adversaries. Finally, several new functional requirements are presented which do not only span individual technical components but also the broader socio-organizational system.
Thesis: S.M. in Engineering and Management, Massachusetts Institute of Technology, System Design and Management Program, 2019Cataloged from PDF version of thesis.Includes bibliographical references (pages 123-128).
DepartmentMassachusetts Institute of Technology. Engineering and Management Program; System Design and Management Program
Massachusetts Institute of Technology
Engineering and Management Program., System Design and Management Program.