Article title

Root Cause Analysis of Cybersecurity Incidents on Pipelines Using the NFR Approach

Publication languages
EN
Abstracts
EN
Pipelines transporting oil, gas, water, and other substances form part of the critical infrastructure of society and are mostly controlled by advanced automation technology. This automation enables remote control and monitoring of pipeline operations by means of wide area networks that include microwaves, satellites, and cellular technologies. Often these pipeline control systems are also connected to the Internet to permit their operational control from anywhere. However, this bridging of the so-called “air-gap” between the critical infrastructure control system and the Internet has also introduced cybersecurity weaknesses that allow malicious actors to take control away from legitimate users of the system. While cybersecurity needs to be built into the system during the design phase itself, it is important, especially after a cybersecurity incident, to know the actual causes behind the incident so that appropriate countermeasures may be taken quickly to avoid a recurrence of the incident. Typical techniques to identify these root causes include five whys, fishbone diagrams, and causal factors analysis; this paper presents an alternate technique to identify root causes for pipeline cybersecurity incidents based on the NFR Approach, where NFR stands for Non-Functional Requirements of the pipeline system. The NFR Approach starts with the requirements for the system in the first place, establishes the relationships between the design of the system and its requirements, and then identifies the root causes in a structured manner. In this paper, the NFR Approach is applied to analyze root causes of the Florida water system attack that occurred in February 2021. The advantages of the NFR Approach over traditional methods to identify root causes, especially for pipeline incidents, include the traceability of the causes to the requirements of the system, identification of synergistic and conflicting operational goals, and historical record-keeping.
Volume
Pages
295--314
Physical description
Bibliography: 17 items, figures, tables.
Authors
  • Department of Computer Science, The University of Texas at Tyler, 3900 University Blvd, Tyler, TX 75799, USA
Bibliography
  • [1] M Yoon, C B Warren and S Adam, 2007, Pipeline System Automation and Control, ASME Press
  • [2] Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, National Institute of Standards and Technology, April 2018 https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
  • [3] Infrastructure Security, Cybersecurity and Infrastructure Security Agency, https://www.cisa.gov/infrastructure-security
  • [4] N Subramanian, 2008, Improving Security of Oil Pipeline SCADA Systems Using Service-Oriented Architectures, Lecture Notes in Computer Science, November, 5333, 344 – 353
  • [5] Solutions for Oil & Gas Pipelines, Brochure, Honeywell, May 2016 https://www.honeywellprocess.com/library/marketing/brochures/Solutions-OilandGas-pipelines.pdf
  • [6] M S Warren, Florida Water System Hack Offers Lessons for Other States, April 19 https://www.govtech.com/security/florida-water-system-hack-offers-lessons-for-other-states.html
  • [7] K Lyon, June 5, 2021, Hackers reportedly used a compromised password in Colonial Pipeline cyberattack https://www.theverge.com/2021/6/5/22520297/compromised-password-reportedly-allowed-hackers-colonial-pipeline-cyberattack
  • [8] B Miller and D C Rowe, October 2012, A Survey of SCADA and Critical Infrastructure Incidents, Proceedings of the ACM Special Interest Group on Information Technology Education, Calgary, Canada
  • [9] What is Cybersecurity?, Cybersecurity and Infrastructure Security Agency, November 14, 2019, https://us-cert.cisa.gov/ncas/tips/ST04-001
  • [10] M Ahola, The Role of Human Error in Successful Cyber Security Breaches, https://blog.usecure.io/the-role-of-human-error-in-successful-cyber-security-breaches
  • [11] Root Cause Analysis https://des.wa.gov/services/risk-management/about-risk-management/enterprise-risk-management/root-cause-analysis
  • [12] N Subramanian, 2021, Root Cause Analysis, Encyclopedia of Cryptography and Security (3rd Ed.), Editors: S. Jajodia and H. C. A. van Tilborg, Springer Publication https://link.springer.com/referenceworkentry/10.1007/978-3-642-27739-9 1498-1
  • [13] V C Moreno et. al., May 2018, Analysis of Physical and Cyber Security-Related Events in the Chemical and Process Industry, Journal of Process Safety and Environmental Protection, Elsevier, 116 621 – 631
  • [14] M Panini et. al., May 2021, Analysis of Cybersecurity-related Incidents in the Process Industry, Journal of Reliability Engineering System Safety, Elsevier, 209
  • [15] N Subramanian and J Zalewski, June 2016, Quantitative Assessment of Safety and Security of System Architectures for Cyberphysical Systems Using the NFR Approach, IEEE Systems Journal, 10 (2) 397 – 409
  • [16] B Krebs, February 10, 2021, What’s most interesting about the Florida water system hack? That we heard about it at all. https://krebsonsecurity.com/2021/02/whats-most-interesting-about-the-florida-water-system-hack-that-we-heard-about-it-at-all/
  • [17] TeamViewer company website https://www.teamviewer.com/en-us/
Notes
Record prepared with funds from MNiSW, agreement No. 461252, under the programme "Społeczna odpowiedzialność nauki" (Social Responsibility of Science) - module: Popularisation of science and promotion of sport (2021).
Document type
Bibliography
YADDA identifier
bwmeta1.element.baztech-025473a7-161a-455f-9f0f-7a7e1e658236