01 September 2004
Sneak path analysis
Security application finds cyber threats, then works to protect a system.
By Paul Baybutt
Traditionally, in the field of information technology cyber security has meant protection of the confidentiality, integrity, and availability of information. For manufacturing and process control systems, the meaning of cyber security must go beyond that. Industrial cyber security should be the protection of manufacturing and process control computer systems and their support systems from threats of the following:
- Cyber or physical attack by adversaries who wish to disable or manipulate them.
- Access by adversaries who want to obtain, corrupt, damage, destroy, or prohibit access to very valuable information.
There are two approaches to cyber security, asset-based and scenario-based. The asset-based analysis reflects conventional security thinking of protecting items with value. The scenario-based approach reflects traditional process engineering thinking of protecting against specific attacks. It is similar to scenario-based Process Hazard Analysis (PHA) methods, such as "what if analysis" and hazard and operability studies (HAZOP), used to protect against accidents and help ensure safety. Both the asset-based and scenario-based cyber security approaches look for vulnerabilities or weaknesses in the system that allow for successful attacks.
Other approaches have proven useful for system safety studies, including failure modes and effects analysis (FMEA), fault tree analysis (FTA), and sneak path analysis (SPA). Of these, SPA is particularly useful for analyzing security of processes.
Find the unexpected
The goal behind sneak path analysis, also called sneak circuit analysis (SCA), is to identify unexpected and unrecognized electrical paths or logic flows in electronics systems, called sneak circuits or paths, that under certain conditions produce undesired results or prevent systems from operating as intended. These paths come about in various ways. Designers do not always have a complete view of the relationship between functions and components in complex systems, particularly those with many interfaces.
System changes may falsely appear to be minor or of only local significance, and users may employ improper operating procedures. Historically, users discovered sneak paths when they observed an unintended effect during system operation.
Sneak paths may lie in hardware, software, or user actions, or some combination thereof. They are latent conditions, inadvertently and unknowingly designed or engineered into the system, that do not cause system failure until triggered by unusual circumstances. Thus, SPA differs from other analysis techniques, such as failure modes and effects analysis (FMEA), that analyze failures of components within the system.
Typically, various types of sneak conditions undergo analysis, including sneak paths that cause flows along an unexpected route, sneak timing that causes or prevents the activation or inhibition of function at an unexpected time, sneak indications that cause an ambiguous or false display of system operating conditions, and sneak labels that cause operator error through inappropriate control activation.
Traditional SPA comes from constructing topological diagrams for the system to reduce its design to the simplest elements. Patterns that appear in the diagrams are clues that enable certain questions to be asked about the system. These questions can help identify sneak conditions since, based on experience, they typify sneak conditions involving each particular pattern. Sneak conditions found then undergo verification. Conventional SPA can be complex and usually requires expert system software.
Manufacturers have used SPA in chemical process systems for purposes of identifying design errors and as an adjunct to existing hazard analysis methods such as HAZOP. The traditional SPA approach of using topological diagrams with clues is combined with another SPA approach based on path tracing between sources and targets for hazards.
The approach identifies sources and targets and considers events and conditions that could bring them into an accident relationship. This association of sources and targets offers a different way of thinking about identifying accidents. Other accident analysis methods may identify thousands of accident sequences for complex systems with the result that key accidents may be obscured or unidentified. SPA can identify accident scenarios missed by HAZOP analysis. A further advantage of SPA for accident analysis is rapid identification of accidents involving multiple failures.
There is a direct parallel for the application of SPA to process security, especially cyber security, involving deliberate acts. In this context, sources are attackers such as terrorists or disgruntled employees. Process assets are the targets of attackers.
They include such cyber assets as hardware, software, data, and information. Barriers to paths that connect sources with targets are countermeasures such as passwords, encryption, and firewalls. The key to cyber security analysis is identifying ways or paths along which attackers can penetrate cyber systems to access assets and use them to cause harm. A number of these pathways exist as design flaws and correspond to the latent conditions of conventional SPA. Others require the breaching of existing barriers and are addressed using barrier analysis in the SPA method described here.
Application of sneak path analysis
Key steps in performing a cyber security SPA:
- Collection of needed information
- Development of system topology diagram
- Identification of sources
- Identification of targets
- Identification of paths
- Identification of events and impacts
- Identification of barriers
- Estimation of risks
- Development of recommendations
Step 1. Collection of needed information. A user needs various types of information to conduct a cyber security SPA, including information on computer system architectures; network configurations; interfaces between systems and networks, internally and externally; security measures; system design and operation; control software logic; hardware and software used (operating systems, firmware, applications); and support systems and utilities. Also needed is intelligence on threats, including possible adversaries (such as terrorists, hackers, and disgruntled employees) and their motivation, intent, capabilities, and activities.
[Figure: Example of computer system topological diagram]
Step 2. Development of system topology diagram. SPA for cyber security involves the development of a topological diagram that provides a representation of the analyzed computer system. It shows networks, their components, and connections.
Step 3. Identification of sources. Using information collected in Step 1, you must identify specific sources of threats, i.e., potential adversaries with the desire to cause harm. Threats may arise externally (e.g., from terrorists, saboteurs, hostile foreign governments, criminals, hackers, activists, and sympathizers), internally from people who have some measure of unrestricted access to a facility (e.g., disgruntled employees, contractors, customers, vendors, or others), or from collusion between insiders and outsiders. Threats may be from individuals or groups.
Step 4. Identification of targets. Cyber assets at risk are potential targets. They include hardware, software, peopleware, and data.
Step 5. Identification of paths. Analysis of the system topology diagram identifies ways that sources could combine with targets to cause problems by examining flow paths through the diagram.
Step 6. Identification of events and impacts. Possible events of concern resulting from sources reaching targets through the paths identified are documented along with their potential impacts. Events considered should include the following:
- Manipulation of cyber assets to cause a hazardous material release, runaway reaction, diversion of materials for use in causing harm, contaminating or poisoning products, etc.
- Disablement, damage, or destruction of cyber assets to prevent their proper operation or cause a financial loss.
- Loss, theft, disclosure, damage, destruction, or corruption of data or information stored in cyber assets.
Impacts may include employee or public fatalities and injuries, environmental damage, property damage, financial loss, loss of production, loss of critical information, disruption of company operations, loss of reputation, etc. For convenience, events and impacts can combine in the worksheet used to record the analysis, but they may also be separate columns.
Step 7. Identification of barriers. Barrier analysis can be incorporated into SPA to account for safeguards. In SPA applied to security, existing barriers, or countermeasures, that may counteract a threat or reduce or eliminate vulnerabilities are identified so that they can be taken into account when recommendations for new or improved countermeasures are discussed.
Step 8. Estimation of risks. An estimate of the risks from threats can provide guidance in ranking the importance of threats, deciding on the need for new or improved countermeasures, and prioritizing their implementation. The severity and likelihood of attack are estimated qualitatively, and risk is evaluated as their product.
Step 9. Development of recommendations. The need for new or modified countermeasures is based on the possible impacts, existing barriers, the nature of the threat, and the risk reduction afforded by the proposed countermeasures. Countermeasures are needed that will reduce the threat risk to a tolerable or acceptable level.
The results of the analysis are typically recorded in a spreadsheet.
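As an added illustration, not from the article, the path-tracing, barrier and risk-estimation steps above (Steps 3 through 8) are carried out on a small constructed topology. The network layout, the placement of barriers, the qualitative 1-5 scales, and the rule that each barrier on a path lowers likelihood by one are all assumptions made for this example.

```python
# Constructed topology (an assumption for this example, not the article's diagram):
# each key is a node of the topology diagram, its value the nodes it connects to.
TOPOLOGY = {
    "internet": ["firewall"],
    "firewall": ["corp_lan"],
    "corp_lan": ["historian", "vpn_gw"],
    "vpn_gw": ["control_lan"],
    "historian": ["control_lan"],  # dual-homed historian bridges the two networks
    "control_lan": ["plc"],
    "plc": [],
}
# Step 7: barriers (countermeasures) on specific links, keyed by (from, to).
BARRIERS = {
    ("internet", "firewall"): ["firewall rules"],
    ("corp_lan", "vpn_gw"): ["VPN authentication"],
}
# Step 3: sources, each with its starting node and a qualitative likelihood (1-5).
SOURCES = {"external attacker": ("internet", 4), "disgruntled employee": ("corp_lan", 3)}
# Steps 4 and 6: targets with the qualitative severity (1-5) of the worst event.
TARGETS = {"plc": 5, "historian": 3}


def find_paths(src, dst, path=None):
    """Step 5: enumerate every simple path from src to dst through the diagram."""
    path = (path or []) + [src]
    if src == dst:
        return [path]
    found = []
    for nxt in TOPOLOGY.get(src, []):
        if nxt not in path:  # avoid cycles
            found.extend(find_paths(nxt, dst, path))
    return found


def barriers_on(path):
    """Countermeasures an attacker must breach along this path (Step 7)."""
    return [b for a, c in zip(path, path[1:]) for b in BARRIERS.get((a, c), [])]


def analyze():
    """Step 8: risk = severity x likelihood. Assumed rule: each barrier on the
    path lowers likelihood by one (never below 1). Rows are sorted by risk."""
    rows = []
    for source, (start, likelihood) in SOURCES.items():
        for target, severity in TARGETS.items():
            for path in find_paths(start, target):
                bars = barriers_on(path)
                rows.append({"source": source, "target": target, "path": path,
                             "barriers": bars, "risk": severity * max(1, likelihood - len(bars))})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)
```

Rows whose `barriers` list is empty are the unguarded paths the worksheet should flag first; here the dual-homed historian gives the insider a route to the PLC that bypasses the VPN entirely.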
Sneak path analysis works well for identifying ways attackers can connect with cyber assets so users can assess the potential for causing harm and make decisions on the need for new or improved countermeasures. The method is an alternative to asset-based and scenario-based methods. It can also include physical, personnel, and other security issues. Companies may wish to prioritize systems for analysis.
While the identification of vulnerabilities is vital to ensuring cyber security, cyber security should also be a part of an overall security management program for a facility.
Behind the byline
Paul Baybutt is president of Primatech Inc., a safety, security, and risk management consulting, training, and software company. Dr. Baybutt has worked in risk management for over 25 years. He holds a Ph.D. from the University of Manchester in England.