skip to main content
OSTI.GOV title logo U.S. Department of Energy
Office of Scientific and Technical Information

Title: Common Control System Vulnerability

Abstract

The Control Systems Security Program and other programs within the Idaho National Laboratory have discovered a vulnerability common to control systems in all sectors that allows an attacker to penetrate most control systems, spoof the operator, and gain full control of targeted system elements. This vulnerability has been identified on several systems that have been evaluated at INL, and in each case a 100% success rate of completing the attack paths that lead to full system compromise was observed. Since these systems are employed in multiple critical infrastructure sectors, this vulnerability is deemed common to control systems in all sectors. Modern control systems architectures can be considered analogous to today's information networks, and as such are usually approached by attackers using a common attack methodology to penetrate deeper and deeper into the network. This approach often is composed of several phases, including gaining access to the control network, reconnaissance, profiling of vulnerabilities, launching attacks, escalating privilege, maintaining access, and obscuring or removing information that indicates that an intruder was on the system. With irrefutable proof that an external attack can lead to a compromise of a computing resource on the organization's business local area network (LAN), access to the controlmore » network is usually considered the first phase in the attack plan. Once the attacker gains access to the control network through direct connections and/or the business LAN, the second phase of reconnaissance begins with traffic analysis within the control domain. Thus, the communications between the workstations and the field device controllers can be monitored and evaluated, allowing an attacker to capture, analyze, and evaluate the commands sent among the control equipment. Through manipulation of the communication protocols of control systems (a process generally referred to as ''reverse engineering''), an attacker can then map out the control system processes and functions. With the detailed knowledge of how the control data functions, as well as what computers and devices communicate using this data, the attacker can use a well known Man-in-the-Middle attack to perform malicious operations virtually undetected. The control systems assessment teams have used this method to gather enough information about the system to craft an attack that intercepts and changes the information flow between the end devices (controllers) and the human machine interface (HMI and/or workstation). Using this attack, the cyber assessment team has been able to demonstrate complete manipulation of devices in control systems while simultaneously modifying the data flowing back to the operator's console to give false information of the state of the system (known as ''spoofing''). This is a very effective technique for a control system attack because it allows the attacker to manipulate the system and the operator's situational awareness of the perceived system status. The three main elements of this attack technique are: (1) network reconnaissance and data gathering, (2) reverse engineering, and (3) the Man-in-the-Middle attack. The details of this attack technique and the mitigation techniques are discussed.« less

Authors:
Publication Date:
Research Org.:
Idaho National Laboratory (INL)
Sponsoring Org.:
USDOE
OSTI Identifier:
911570
Report Number(s):
INL/EXT-05-00993
TRN: US200801%%31
DOE Contract Number:
DE-AC07-99ID-13727
Resource Type:
Technical Report
Country of Publication:
United States
Language:
English
Subject:
99 - GENERAL AND MISCELLANEOUS//MATHEMATICS, COMPUTING, AND INFORMATION SCIENCE; BUSINESS; COMMUNICATIONS; COMPUTERS; CONSOLES; CONTROL EQUIPMENT; CONTROL SYSTEMS; LAUNCHING; LOCAL AREA NETWORKS; MITIGATION; SECURITY; VULNERABILITY; control system; vulnerability

Citation Formats

Trent Nelson. Common Control System Vulnerability. United States: N. p., 2005. Web. doi:10.2172/911570.
Trent Nelson. Common Control System Vulnerability. United States. doi:10.2172/911570.
Trent Nelson. Thu . "Common Control System Vulnerability". United States. doi:10.2172/911570. https://www.osti.gov/servlets/purl/911570.
@article{osti_911570,
title = {Common Control System Vulnerability},
author = {Trent Nelson},
abstractNote = {The Control Systems Security Program and other programs within the Idaho National Laboratory have discovered a vulnerability common to control systems in all sectors that allows an attacker to penetrate most control systems, spoof the operator, and gain full control of targeted system elements. This vulnerability has been identified on several systems that have been evaluated at INL, and in each case a 100% success rate of completing the attack paths that lead to full system compromise was observed. Since these systems are employed in multiple critical infrastructure sectors, this vulnerability is deemed common to control systems in all sectors. Modern control systems architectures can be considered analogous to today's information networks, and as such are usually approached by attackers using a common attack methodology to penetrate deeper and deeper into the network. This approach often is composed of several phases, including gaining access to the control network, reconnaissance, profiling of vulnerabilities, launching attacks, escalating privilege, maintaining access, and obscuring or removing information that indicates that an intruder was on the system. With irrefutable proof that an external attack can lead to a compromise of a computing resource on the organization's business local area network (LAN), access to the control network is usually considered the first phase in the attack plan. Once the attacker gains access to the control network through direct connections and/or the business LAN, the second phase of reconnaissance begins with traffic analysis within the control domain. Thus, the communications between the workstations and the field device controllers can be monitored and evaluated, allowing an attacker to capture, analyze, and evaluate the commands sent among the control equipment. Through manipulation of the communication protocols of control systems (a process generally referred to as ''reverse engineering''), an attacker can then map out the control system processes and functions. With the detailed knowledge of how the control data functions, as well as what computers and devices communicate using this data, the attacker can use a well known Man-in-the-Middle attack to perform malicious operations virtually undetected. The control systems assessment teams have used this method to gather enough information about the system to craft an attack that intercepts and changes the information flow between the end devices (controllers) and the human machine interface (HMI and/or workstation). Using this attack, the cyber assessment team has been able to demonstrate complete manipulation of devices in control systems while simultaneously modifying the data flowing back to the operator's console to give false information of the state of the system (known as ''spoofing''). This is a very effective technique for a control system attack because it allows the attacker to manipulate the system and the operator's situational awareness of the perceived system status. The three main elements of this attack technique are: (1) network reconnaissance and data gathering, (2) reverse engineering, and (3) the Man-in-the-Middle attack. The details of this attack technique and the mitigation techniques are discussed.},
doi = {10.2172/911570},
journal = {},
number = ,
volume = ,
place = {United States},
year = {Thu Dec 01 00:00:00 EST 2005},
month = {Thu Dec 01 00:00:00 EST 2005}
}

Technical Report:

Save / Share:
  • This report is a compilation of abstracts resulting from a literature search of reports relevant to Sentry Ballistic missile system C3 vulnerability and hardness. Primary sources consulted were the DOD Nuclear Information Analysis Center (DASIAC) and the Defense Technical Information Center (DTIC). Approximately 175 reports were reviewed and abstracted, including several related to computer programs for estimating nuclear effects on electromagnetic propagation. The reports surveyed were ranked in terms of their importance for Sentry C3 VandH issues.
  • Applying current guidance and practices for common-cause failure (CCF) mitigation to digital instrumentation and control (I&C) systems has proven problematic, and the regulatory environment has been unpredictable. The potential for CCF vulnerability inhibits I&C modernization, thereby challenging the long-term sustainability of existing plants. For new plants and advanced reactor concepts, concern about CCF vulnerability in highly integrated digital I&C systems imposes a design burden that results in higher costs and increased complexity. The regulatory uncertainty in determining which mitigation strategies will be acceptable (e.g., what diversity is needed and how much is sufficient) drives designers to adopt complicated, costly solutionsmore » devised for existing plants. To address the conditions that constrain the transition to digital I&C technology by the US nuclear industry, crosscutting research is needed to resolve uncertainty, demonstrate necessary characteristics, and establish an objective basis for qualification of digital technology for nuclear power plant (NPP) I&C applications. To fulfill this research need, Oak Ridge National Laboratory is investigating mitigation of CCF vulnerability for nuclear-qualified applications. The outcome of this research is expected to contribute to a fundamentally sound, comprehensive basis to qualify digital technology for nuclear power applications. This report documents the development of a CCF taxonomy. The basis for the CCF taxonomy was generated by determining consistent terminology and establishing a classification approach. The terminology is based on definitions from standards, guides, and relevant nuclear power industry technical reports. The classification approach is derived from identified classification schemes focused on I&C systems and key characteristics, including failure modes. The CCF taxonomy provides the basis for a systematic organization of key systems aspects relevant to analyzing the potential for CCF vulnerability and the suitability of mitigation techniques. Development of an effective CCF taxonomy will help to provide a framework for establishing the objective analysis and assessment capabilities desired to facilitate rigorous identification of fault types and triggers that are the fundamental elements of CCF.« less
  • The Network Simulator is a software system that emulates a network of worker computers that communicate with the Production Program of the Los alamos Scientific Laboratory's Common File System. The simulator generates protocol messages and test data sets and sends these to and receives them from the Production Program. Both the simulator and the Production Program reside in separate partitions of an IBM 370/148 computer. This report describes the simulator's design, operation, and user inputs. 8 figures, 8 tables.
  • The report concerns process control instrument systems (both pneumatic and electric) as used in a variety of critical industries (including basic chemicals manufacture, petroleum refineries, and electric power utilities) and the vulnerability of the manufacturing industry (SIC 3821) to nuclear attack and subsequent repair requirements associated with various damage levels. Interrelationships and trade-offs, possible between the users of instrumentation, instrumentation systems themselves, and the manufacturers, are explored. Options for alleviating such instrumentation shortages as may arise following nuclear attack are discussed.