Confidentiality, the C in CIAA, is Just as Important for Control System Security as for Data System Security

Cyber security analysts often discuss the security of a system in terms of CIAA: Confidentiality, Integrity, Availability, and Authenticity.  Cyber attacks that intend to affect the functionality of a system usually try to affect the Integrity or Availability of some part of it.  However, sophisticated attackers do not cavalierly launch an attack against an unfamiliar system.  First, they determine exactly what the purpose of the system is, what technologies it uses, what its network architecture looks like, and what components make it up.  That is from Rob Joyce, the head hacker at the NSA.  In a recent talk (1) Rob discussed how his team does its offensive work, and what you need to do to protect your systems against a sophisticated attacker such as a nation-state actor.

The first thing the sophisticated attacker does is map out your system.  They sit back and observe, sometimes for days, weeks, or even months.  The attacker wants to know exactly what components and technologies are in the system, what the network topology is, and where each component is located.  This allows them to plan an attack with the greatest likelihood of success and the least chance of being detected, even if they stay in the system for a long time.  This kind of well planned and orchestrated attack is particularly effective against control systems, because the attacker needs to know where each control management component, sensor, and actuator is located before an attack on the physical process can succeed.  The attacker then uses this information to plan an effective attack.

An essential part of observing involves watching network traffic: determining where it comes from, where it is going, and what it does.  This allows the attacker to build a map of your entire system that includes every component, what each one does, when it operates, which other components it talks to, what the network looks like, and where each component resides in that network.

Observing network traffic to determine the role of each component usually requires the ability to read the contents of the control system messages.  Plaintext messages, i.e. ones that are not encrypted, are usually simple to understand: the attacker reads them as ASCII, or decodes values that are stored as ordinary integer and floating point types.  For example, a message labeled with the topic “pump1_set_pressure” leaves little doubt as to what the data in the message represents.  Similarly, a series of messages with this topic whose values range from, say, 200 to 1000 over a long period reveals the normal operating range for that component.  And if the command is seen once an hour, every hour, the attacker learns that the system expects it at that regular interval.  These are useful pieces of data for an attacker whose intent is to cause malfunction or damage.  With them, the attacker can plan an attack whose messages are neither anomalous in value nor unusual in timing for that particular network or system.  These under-the-radar attacks are the hardest to detect and the hardest to prevent.  Furthermore, because the messages are in plaintext, the attacker can easily craft messages of their own design and inject them into the system to carry out the attack.
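The reconnaissance described above, as an added example that is not code from the original post or from Cognoscenti Systems.  It assumes a hypothetical line-oriented plaintext protocol (“timestamp topic value”), and the captured traffic it works on is constructed for the example.  The script does exactly what the paragraph describes: it discovers the topics on the wire, learns each topic’s operating range and command period, and then forges the next command so that it falls inside the learned range and arrives at the expected time.

```python
"""Passive profiling of plaintext control-system messages.

Added example; not from the original post or from Cognoscenti Systems.
The "timestamp topic value" line format is hypothetical, and CAPTURE is a
constructed sample, not traffic captured from any real control network.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of what a passive observer on the control network would
# see if messages were plaintext: one setpoint command per hour for pump1,
# plus a tank level reading shortly after each command.
CAPTURE = """\
1700000000 pump1_set_pressure 640
1700000010 tank2_level 71.5
1700003600 pump1_set_pressure 655
1700003610 tank2_level 70.9
1700007200 pump1_set_pressure 630
1700007210 tank2_level 72.1
1700010800 pump1_set_pressure 648
1700010810 tank2_level 71.7
1700014400 pump1_set_pressure 660
""".splitlines()


def parse(lines):
    """Parse 'timestamp topic value' lines into (ts, topic, value) tuples."""
    out = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore anything that is not a complete message
        ts, topic, value = parts
        out.append((int(ts), topic, float(value)))
    return out


def profile(messages):
    """Build the per-topic picture an attacker wants: value range and cadence."""
    by_topic = defaultdict(list)
    for ts, topic, value in messages:
        by_topic[topic].append((ts, value))
    result = {}
    for topic, samples in by_topic.items():
        samples.sort()  # order by timestamp
        values = [v for _, v in samples]
        gaps = [b[0] - a[0] for a, b in zip(samples, samples[1:])]
        result[topic] = {
            "count": len(samples),
            "min": min(values),
            "max": max(values),
            "mean": mean(values),
            # average spacing between messages, and how regular it is
            "period_s": mean(gaps) if gaps else None,
            "period_jitter_s": pstdev(gaps) if len(gaps) > 1 else 0.0,
        }
    return result


def craft_inconspicuous(topic_profile, last_ts, topic):
    """Forge the next message so it stays inside the learned range and cadence.

    A value at the top of the observed range, sent exactly when the next
    command is expected, passes a naive range check and a naive rate check.
    An attacker who wants to push the process slowly out of its safe envelope
    starts from messages like this one.
    """
    ts = last_ts + int(topic_profile["period_s"])
    value = topic_profile["max"]
    return f"{ts} {topic} {value:g}"


if __name__ == "__main__":
    msgs = parse(CAPTURE)
    prof = profile(msgs)
    for topic, stats in prof.items():
        print(topic, stats)
    last = max(ts for ts, t, _ in msgs if t == "pump1_set_pressure")
    print("forged:", craft_inconspicuous(prof["pump1_set_pressure"], last,
                                         "pump1_set_pressure"))
```

Run against the constructed capture, the profiler reports that pump1_set_pressure is commanded every 3600 seconds with zero jitter and values between 630 and 660, and the forged message lands at the next expected timestamp with an in-range value.  Nothing in this script needed a key, a credential, or a foothold on a host: every fact it uses was leaked by the plaintext payloads alone.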

Unauthorized users observing messages and determining their meaning and use is a violation of the confidentiality of the system.  A system that is protected for confidentiality does not leak the kinds of information described in the scenario above.  Operators of control systems are often told that confidentiality does not matter for their systems as long as the information arrives on time (Availability), is correct (Integrity), and comes with the right signature (Authenticity).  But, as shown above, the effective cyber attack, the one that is likely to disable or damage your system, starts with the “C” in CIAA, and only then moves on to actually affect the functioning of the system.  Note that encrypting message payloads is necessary but not sufficient: an observer can still learn endpoints, message sizes, and timing from encrypted traffic, so the network architecture itself must also limit who can see the traffic at all.  Does your cyber security system protect the confidentiality of your control system?


David Viel is Founder of Cognoscenti Systems, which is dedicated to building new, secure foundations for systems.
