Cyber-Safety Analysis of an Industrial Control System for Chillers Using STPA-Sec

As Industrial Control Systems (ICS) become increasingly software-intensive and more complex, the traditional approaches to cybersecurity that undertake a narrow, static technical view of the system are proving to be increasingly inept in the face of new threat vectors and vulnerabilities. To date, most attacks on Energy Systems have targeted either the IT infrastructure (e.g., the Aramco Shamoo attack) or Circuit breakers of Operational Technology (e.g., the Ukraine attack.). In such cases, recovery is usually rather fast – either by rebooting computers or resetting breakers. But, if the Operation Technology equipment, especially the important, large, customized equipment, is physically damaged, recovery can take weeks or even months. In this paper, we demonstrate the use of Systems-Theoretic Process Analysis (STPA) to identify cyber vulnerabilities that have the potential to cause physical damage in industrial control systems using the MIT Central Utilities Plant as a use-case. It is shown that the method provides a well-guided and structured analysis process to unveil new cyber vulnerabilities that span not only technical aspects but also the broader socio-organizational system. The method ties system-level losses to violation of constraints at both the component-level as well as the process level and provides recommendations to make the system more resilient by defining additional constraints to control vulnerabilities in the system.