Cybersecurity in Prognostics and Health Management


Published Oct 17, 2024
Kai Goebel

Abstract

PHM continues to show its value by improving operational efficiencies, increasing safety, reducing downtime, and decreasing cost of operations. PHM technologies are therefore not only being deployed as retrofit solutions but are being integrated into new systems as standard practice. Deployment covers areas such as medical equipment, nuclear power plants, aeronautics applications, oil and gas, mining, and many others. As the impact of PHM increases, it is imperative to also consider the potential vulnerabilities that are being exposed. Hackers have famously used Supervisory Control and Data Acquisition (SCADA) and Programmable Logic Controller (PLC) systems to sabotage industrial facilities. As such, it is important to understand the exposure to malfeasance to ensure that PHM does not end up being the enabling mechanism for unauthorized access to the system it is meant to keep in running order. It is also important to understand the measures that need to be taken to avoid or respond to an attack. These range from extensive penetration testing to conducting extensive counter-social engineering training and putting a PHM-specific CERT plan and team in place. This paper discusses various threats that are emerging and that may have to be considered when designing a PHM solution. Additionally, the NIST cybersecurity framework is discussed in the context of PHM. Finally, this paper looks at the diagnostic capabilities of PHM systems to detect cybersecurity attacks and to contain these threats.


Keywords

PHM, Cybersecurity, IoT, Prognostics and Health Management, Cyber Threat, Attack Surface, SCADA, PLC, Vulnerability, Threat Modeling

Section
Technical Papers