An Examination of Software Tool Features Needed to Help Secure Energy Delivery Industrial Control Systems

In December 2015, coordinated cyberattacks targeting Ukrainian power distribution systems’ information technology (IT), industrial control systems (ICS), and operational technology (OT) resulted in physical damage to Ethernet serial converters, intentional disabling of distribution facility backup generators, denial of service attacks on customer support call centers, and permanent destruction of workstation hard drive data, causing temporary citywide power grid failure that affected 225,000 people. It was discovered the attack in Ukraine took place months after initial network penetration, after extensive surveillance and data gathering was first performed, indicating cyber attackers are attempting to prolong intrusions and avoid detection in an effort to practice, simulate, and perfect militarized-style attack architectures to maximize damages. In March of 2018, after joint collaboration, the U.S. Department of Homeland Security and FBI released an alert that documented details of a multi-year, extensive surveillance and intrusion campaign from state sponsored “threat actors” that widely penetrated U.S. energy distribution systems with malware designed to enable covert remote access and technical manipulation abilities, to be able to perform similar attacks on American power grids. The growing number of cyber-physical intrusions to energy distribution systems require preventative, structured cybersecurity analysis to produce attack scenarios, causal factors, design changes, and new requirements to secure energy systems before systems are compromised, ideally at system design and development time. Hazard analysis, safety analysis, and reliability analysis must no longer be considered solely from the point of view of single component, engineering-based failures, but must all evolve to foresee premeditated, malicious, and coordinated actions of human organizations that intentionally cause disastrous multi-component failure scenarios after careful reconnaissance and reverse engineering. In this paper, we explain systems theoretic cybersafety, we document an exploration of software tool features that support systems theoretic cybersafety analysis automation, provide a detailed list of STAMP software tool specification requirement areas to consider when designing future systems theoretic cybersafety tools, and finally we include some data structures for systems theoretic cybersafety analysis information organization. Through an energy distribution system example in Section 3, we also demonstrate how one currently may use software tool features to perform systems theoretic cybersafety analysis using STAMP, and produce system changes to defend and defeat when analyzing existing systems or designing new ones.