RITICS: Trustworthy Industrial Control Systems

Industrial control systems (ICSs) can take on a range of configurations, involving diverse mixtures of hardware, software, human inputs, network topologies and communication protocols. Generally, an ICS instance may be described as a set of supervisory devices -- including a single device in some cases -- which, through the acquisition of data and the ability to issue instructions, controls the actions and reactions of field devices responsible for the execution of an industrial process or processes. In large utility scale industrial processes, ICSs are manifest as Supervisory Control and Data Acquisition (SCADA) systems; characterised by geographically dispersed control targets requiring centralised management over disparate communication networks, often using diverse protocols and modalities, with varying reliability and latency. At more local scales, such as may be found in manufacturing plants, access to high reliability networks enables ICS specification to be freed of SCADA type constraints, giving rise to ICS manifestations referred to as Distributed Control Systems (DCSs). Examined on even smaller scales, specialised computers known as Programmable Logic Controllers (PLCs) provide control of small numbers of devices and in some cases may represent the entire ICS for a small organisation -- where the scale of a DCS may well be inappropriate. It follows that SCADA systems are often comprised of numerous DCS and PLC subsystems and components.

Typically, data input in ICSs is provided by a series of sensors and semi-automated input procedures and control output is issued to field devices such as actuators, switches and other components. Often, general definitions of ICSs stop here, neglecting to include the complex human behavioural and wider organisational policy aspects that are integral to the real-world use and integrity of such systems. Therefore, whenever referring to ICS of any form, this bid will implicitly include such factors, as to neglect doing so would significantly limit the mission of developing trustworthy ICSs, from the outset.

Some of the key trends in the development and implementation of ICS of relevance to this bid may be summarised as: the evolution of organisations towards adopting IT solutions to support ICS functions, despite the lack of organisational cultures/structures where the utility and security of both are planned and managed in joint technical committees; increased availability and uptake of ICS solutions in industry of varying scales due to factors such as the drive towards the use of COTS protocols/code modules/middleware for ICS design and delivery (eg: http://openscada.org/); increased interconnectivity of organisations' cyber infrastructures motivated by economic and efficiency drivers; the move toward decentralised control, exploiting edge computing advances; and the loss of expertise in legacy ICS components (configurations, dependencies and failure modes).

From both the perspectives of attack success probability and consequence, any one of the above suggest an increase of threat risk to ICSs that would be worth considering. Viewed in combination, however, the argument for increased risk becomes far more explicit and the complexity of the vulnerabilities that need to be addressed begins to become apparent. ICSs are integral to utility, manufacturing and processing industries of all scales and, as a result, the socio-economic impact of their compromise or failure has the potential to be very significant.

This research project will address Challenge 3 of the call document: ``What could be novel, effective and efficient interventions?''. In particular, we expect to produce models and tools in support of effective interventions.

Some of the main outputs of our initial work will include: a mapping of known/well understood cyber threat mitigation strategies to the ICS threat space, identifying the quick wins; revealing potential drivers, policies and initiatives that are needed at various scales for implementing mitigation measures and identifying barriers to innovation and adoption of good practices; and identifying technology, organisational social-science and behavioural capability gaps for threat mitigation risk and containing impact within scales. In the longer term we expect to design novel models and tools in support of efficient and effective interventions.

Our impact on the industrial sector will focus on two main areas: extending knowledge by deepening the understanding of the threats, vulnerabilities and risks in the ICS domain; expanding capability through building new technical capabilities. Specifically, we will: undertake underpinning research on ICS security; develop research techniques to identify areas of higher risks in ICS; and, in the longer term, apply the results of our research to build innovative solutions. This will maker it safer to conduct business in one part of cyberspace by providing trustworthy industrial control systems.

One role of RITICS will be to identify security challenges from the ICS domain and expose the academic community to them -- this will provide a new source of intellectually challenging and practically-oriented problems for the academic cyber security community to address.

The results of our investigation will have an impact on the education of developers of Industrial Control Systems. We expect to acquire a better understanding of common weaknesses and associated vulnerabilities which will inform our teaching programs and, through CPNI and other government agencies, could be disseminated more widely to the practitioner community.