Wednesday, January 26, 2011

ICS-CERT Updates Information on GPS Outage

Yesterday afternoon the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an advisory updating the information available about the scheduled tests of the global positioning system (GPS) that could potentially affect the operations of some industrial control systems. I covered the initial alert and addressed a reader comment in separate blogs yesterday.

The follow-up advisory outlines additional information that ICS-CERT received about the potential effects of the testing. They note that the FAA told them that the area potentially affected by the GPS testing decreased with altitude with only a 20-mile radius being affected at sea-level. Since the center of the testing area is off the coast of Georgia for the only test still in progress, there is no forecast effect on ground based control systems. The advisory also updates the information on the timing of the tests to indicate that the current testing in the area off the coast of Georgia will continue until February 11th with a second round of tests to be held during the period of February 15th thru the 22nd.

The alert provides more details on the types of ICS that could have been affected if the tests had been done in an area nearer to a potentially affected facility. The advisory notes:

“GPS is widely used in control system environments, particularly as a timing reference signal for cellular based remote terminal units (RTUs), for intelligent electronic devices (IEDs) [NOTE: That acronym is going to cause some confusion in DHS.] used in the energy sector, and for position detection in railroad positive train control (PTC) applications.”
ICS-CERT notes that, in the short term, there is little that facilities that rely on GPS timing signals in the operation of their ICS can do to mitigate this vulnerability. Yes, this is really about an inherent vulnerability to jamming operations that these systems have. In the longer term ICS-CERT recommends that:

“ICS owners and operators of control systems that are reliant on GPS timing signals (i.e., cellular RTUs, IEDs) should consider including integrated backup timing systems to accommodate the temporary loss of GPS due to interference or actual failure.”
NOTE: This is the same advice that Bert provided in his comment to yesterday’s posting on the initial alert.

Signal Spoofing

During my time in the military I spent a lot of time using tactical radios. After I was a victim of an apparent Soviet (or maybe East German) attempt to spoof a command to move my location during a tactical exercise near the inter-German border I got some additional training on radio communications spoofing, or the sending of radio signals to simulate legitimate communications with the intent to cause operational confusion.

Facilities using GPS signals for control system operations would appear to be potentially vulnerable to spoofing of those signals. Depending on the exact use of those GPS timing signals, a local radio transmitter spoofing the timing signals could cause disruption of process operations.

This is potentially a more problem than jamming. When jamming is detected, or a signal is lost, it is relatively easy to implement back up procedures (if they exist). When a signal is spoofed, the system would attempt to continue routine operations, but would be relying on corrupted timing data. This could result in all sorts of problems with mis-timed ICS operations.

It would seem to me that this apparent vulnerability could be dealt with by including a signals analysis check into the timing signals processing. If there were a sudden change in the timing-signal strength, that check would verify the time-hack against the most recent one received before the change. If there were an elapsed time discrepancy, then the signals analysis system would change the ICS to using the back-up timing system. This might be more difficult to implement in the remote terminal units.

No comments:

/* Use this with templates/template-twocol.html */