PreventOTPhysDamage: Anticipating and Preventing Catastrophic OT Physical Damage Through System Thinking Analysis

Summary Statement

Most attacks on Energy Delivery Systems (EDS) have either targeted the IT infrastructure (e.g., the Aramco Shamoon attack) or circuit breakers of the Operational Technology (e.g., the Ukraine attack). In cases like these where there is no physical damage, recovery is largely a matter of restarting computers and resetting breakers. But, if the Operational Technology equipment, especially large, costly, and critical customized equipment, is physically damaged, recovery can take weeks or even months. An example of this kind of attack was the one on the centrifuges of the Iranian uranium enrichment facility.

It is important that we identify and anticipate such dangers in advance – which is the goal of this research. Our research uses a system-theoretic approach to develop an analysis tool that OT operators can use to identify vulnerable EDS targets and failure scenarios and develop enhancements to the hierarchical control structure to minimize possible physical damage. The goal is to eliminate or restrict hazard conditions that can lead to a dramatic loss, and implement effective countermeasures during design and/or operation for OT operators.

To illustrate the importance and significance of this research, an analysis of the MIT Cogeneration Facility has been started. Using our physical property analysis of the Operational Technology in use, a serious vulnerability has been uncovered related to Variable Frequency Drives (VFDs) and their associated capacitors. As shown in Figure 1, VFDs are used extensively at the MIT Cogeneration facility and are commonly found in EDS.

It is important to realize that increasingly, to provide maximum flexibility, VFDs are operated under software/firmware control. Even the safety features are under software control. So, a successful cyber attack could cause major harm. To demonstrate this vulnerability, we modified only a few lines of firmware (similar to what was done to other devices during the Ukrainian attack) on a small VFD test kit which resulted in an explosion of the capacitors, as shown in Figure 2.

In the analysis of the VFD vulnerabilities at the MIT Cogeneration Facility, the magnitude of the threat is illustrated by comparing the size of the VFD test kit with the actual VFDs used, as shown in Figure 3.

A successful attack, similar to that demonstrated in Figure 2, would likely not only physically damage the VFD but also nearby equipment. Our proposed PreventOTPhysDamage tool can help avoid such a situation.

The tool, with an extensive graphical and easy-to-use interface, will be used by OT operators. It will have several capabilities:

  1. It will guide the OT operators to identify critical cybersecurity vulnerabilities that have potential for significant OT physical damage.
  2. For each such situation, it will help to define the hierarchical control structure, including the processes, the controllers (which might be mechanical, electronic, and/or human), and the sensors and actuators that are intended to provide cybersecurity protection.
  3. It will evaluate the effectiveness of the control mechanisms, focusing on Goal, Action Condition, Observability Condition, and Model Condition.
  4. It will specifically highlight dangers possible due to failure of physical/operational controls, physical failures, dysfunctional interactions/communications, and/or unhandled external disturbances.
  5. The tool will provide recommendations for improving the cybersecurity of the vulnerability and provide a risk assessment.
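To make capabilities 2 through 4 concrete, the following is an added illustration (not the project's tool or code) of how a hierarchical control structure can be modelled and each controller checked against the Goal, Action, Observability, and Model conditions. The VFD scenario, the controller names, the process variable `dc_bus_v`, and the actuator names are constructed for the example; the "hardened" variant adds a hypothetical hardwired overvoltage comparator to show how the analysis output changes when a non-software control is present.

```python
"""Constructed control-structure analysis for a VFD DC-bus overvoltage hazard.
Added example only; not the PreventOTPhysDamage tool or MIT Cogeneration data."""
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class Controller:
    name: str
    kind: str                    # "software", "electronic", "mechanical" or "human"
    goal: str                    # constraint the controller is meant to enforce ("" if none)
    actuators: FrozenSet[str]    # process inputs it can change
    observes: FrozenSet[str]     # process variables it receives feedback on
    model: FrozenSet[str]        # process variables represented in its internal model


@dataclass(frozen=True)
class HazardConstraint:
    hazard: str                  # e.g. "DC bus overvoltage"
    variable: str                # process variable whose limit defines the hazard
    actuators: FrozenSet[str]    # actuators able to move the process out of the hazard
    enforced_by: tuple           # controllers intended to enforce the constraint


def check_conditions(ctl: Controller, hc: HazardConstraint) -> List[str]:
    """Names of the control conditions this controller fails for the hazard."""
    missing = []
    if not ctl.goal:                                   # Goal: it must hold a set point/constraint
        missing.append("Goal")
    if not (ctl.actuators & hc.actuators):             # Action: it must be able to affect the process
        missing.append("Action")
    if hc.variable not in ctl.observes:                # Observability: it must see the process state
        missing.append("Observability")
    if hc.variable not in ctl.model:                   # Model: its process model must include the variable
        missing.append("Model")
    return missing


def analyse(hc: HazardConstraint) -> List[str]:
    """Findings for one hazard: per-controller gaps plus structural single points of failure."""
    findings = []
    for ctl in hc.enforced_by:
        missing = check_conditions(ctl, hc)
        if missing:
            findings.append(f"{hc.hazard}: {ctl.name} fails {', '.join(missing)} condition(s)")
    effective = [c for c in hc.enforced_by if not check_conditions(c, hc)]
    if not effective:
        findings.append(f"{hc.hazard}: no effective control in the structure")
    elif all(c.kind == "software" for c in effective):
        # Every working control depends on firmware: a single firmware compromise removes all enforcement.
        findings.append(f"{hc.hazard}: every effective control is software; "
                        "a firmware compromise removes all enforcement")
    return findings


# Constructed controllers (hypothetical names and signals).
FIRMWARE_TRIP = Controller("firmware overvoltage trip", "software", "keep dc_bus_v below limit",
                           frozenset({"gate_enable"}), frozenset({"dc_bus_v"}), frozenset({"dc_bus_v"}))
OPERATOR = Controller("plant operator via HMI", "human", "keep drive within limits",
                      frozenset({"run_command", "gate_enable"}),   # E-stop reaches the gate enable
                      frozenset({"motor_speed"}), frozenset({"motor_speed"}))
HW_COMPARATOR = Controller("hardwired overvoltage comparator", "electronic", "keep dc_bus_v below limit",
                           frozenset({"gate_enable"}), frozenset({"dc_bus_v"}), frozenset({"dc_bus_v"}))

HAZARD_ACTUATORS = frozenset({"gate_enable", "brake_chopper"})


def software_only_scenario() -> HazardConstraint:
    """Safety function implemented only in firmware, as described for the VFD test kit."""
    return HazardConstraint("DC bus overvoltage", "dc_bus_v", HAZARD_ACTUATORS, (FIRMWARE_TRIP, OPERATOR))


def hardened_scenario() -> HazardConstraint:
    """Same structure with a hypothetical non-software control added."""
    return HazardConstraint("DC bus overvoltage", "dc_bus_v", HAZARD_ACTUATORS,
                            (FIRMWARE_TRIP, OPERATOR, HW_COMPARATOR))


if __name__ == "__main__":
    for label, hc in (("software-only", software_only_scenario()), ("hardened", hardened_scenario())):
        print(label)
        for finding in analyse(hc):
            print("  -", finding)
```

In the software-only structure the operator fails the Observability and Model conditions (the HMI does not show DC bus voltage), and the only effective control is firmware, so the analysis reports that a firmware compromise removes all enforcement; adding the hardwired comparator clears that structural finding while the operator gap remains and is reported on its own.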

As an initial test case, we are progressing at the MIT Cogeneration facility with our systematic systems-theoretic analysis of the control structures and OT operator procedures and controls needed to mitigate catastrophic damage.

Assessment of Originality and Relevance of Proposed Research

Since we do not want to duplicate research already done nor research that would have no value, we have extensively investigated the originality of our proposed research and its likely relevancy to the EDS industry.

We have done this in multiple ways.

First, we studied the existing published literature and could find no papers that address the issues that we are investigating and that we presented at the CREDC Industry Workshop.

But, since literature can be scattered and often incomplete, we have reached out to hundreds of experts in the Industrial Control Systems (ICS) industry, and especially the EDS industry.

We accomplished this in multiple ways (in each case, asking “Have they seen such research published anywhere? Is this important?”):

  1. We presented our preliminary results at the ARC Forum, an annual gathering of over 300 professionals in ICS, and especially EDS, in February 2017. From the podium, we asked our questions. Not surprisingly, everyone thought that preventing physical damage was important. No one identified any prior published work.
  2. We presented the same work, in poster form, at the CREDC Industry Workshop and got similar responses. In that case, we were able to speak to people one-on-one. In fact, six of the industry representatives requested that we contact them to follow up further. This included people from ABB and PNNL, and others who were very familiar with the state-of-the-art.
  3. Furthermore, we reached out to our collaborators at places like ExxonMobil, Schneider Electric, Engie, etc. and sent them a draft of the paper we are writing, based on the CREDC poster. We asked them to ask around their organizations the same questions, and got the same responses: They agreed that our report was reasonable and accurate and that they had not seen any such findings published. We even communicated with an internationally known cybersecurity organization (who requested anonymity) that has a group specializing on ICS, who also agreed.

Energy Delivery System (EDS) Gap Analysis

To date, most attacks on Energy Delivery Systems (EDS) have either targeted the IT infrastructure (e.g., the Aramco Shamoon attack) or circuit breakers of the Operational Technology (e.g., the Ukraine attack). In cases like these where there is no physical damage, recovery is largely a matter of restarting computers and resetting breakers. But, if the Operational Technology equipment, especially large, costly, and critical customized equipment, is physically damaged, recovery can take weeks or even months. An example of this kind of attack was the one on the centrifuges of the Iranian uranium enrichment facility.

The Aurora Vulnerability research demonstrated this danger to generators and alerted utilities to introduce procedures to mitigate such an attack. It is important that we identify and anticipate such dangers in advance. As most informed experts have noted, although we can make it more difficult for an attacker by air-gapping and other means, “prevention (of cyber attack) is futile.” So, we need to take steps to anticipate and mitigate the physical damage that can be accomplished by a cyber attack, which is the goal of this research.

Our research uses a system-theoretic approach to develop an analysis tool that OT operators can use to identify vulnerable EDS targets and failure scenarios and develop enhancements to the hierarchical control structure to minimize possible physical damage. The goal is to eliminate or restrict hazard conditions that can lead to a dramatic loss, and implement effective countermeasures during design and/or operation for OT operators.

Reference the research activity fact sheet (PDF) for an extended gap analysis and bibliography.

How does this research activity address the Roadmap to Achieve Energy Delivery Systems Cybersecurity?

  • Assess and Monitor Risk
  • Develop and Implement New Protective Measures to Reduce Risk
