6/1/2020 Kim Gudeman
CIRI researcher Jason Jaskolka has developed a tool that helps identify and mitigate cybersecurity vulnerabilities within critical infrastructure.
Written by Kim Gudeman
In a critical infrastructure system, such as a wastewater plant, there are numerous components that are connected and interdependent. These interdependencies can lead to implicit interactions that introduce vulnerabilities in large and complex systems.
Jason Jaskolka, a researcher with the Critical Infrastructure Resilience Institute, has developed a tool that helps identify and mitigate cybersecurity vulnerabilities by “reading between the lines” and searching for implicit interactions between components of a system. Implicit interactions are interactions that were not intended by designers and architects and are unknown to the owners and operators of operational systems. He recently worked with the City of Ottawa (Ca.) Wastewater department to test the tool on a real-world system.
“The utility provided me with a process and system that they wanted to have analyzed,” said Jaskolka, an assistant professor of systems and computer engineering at Carleton University in Canada. “After doing an analysis, we discovered that the tool provides a picture that is valid when compared to the real system.”
Jaskolka analyzed processes that are common in SCADA systems, which are frequently used to monitor and control industrial plants or equipment. Specifically, he used the tool to provide a formal understanding of how and why implicit interactions exist, the resulting deficiencies, and a better assessment of the risks.
Jaskolka said the results confirmed risks that the SCADA operators were already aware of, while informing of them of new potential vulnerabilities.
“The results exceeded the expectations,” he said. “It really helped me feel confident that the tool does what it is intended to do.”
The risk posed by implicit interactions threatens systems of all kinds, which was demonstrated publicly by hackers taking control of a Jeep Cherokee SUV in 2015. The hackers exposed the existence of implicit interactions between the vehicle’s infotainment system and its transmission controls. In addition to transportation systems, Jaskolka also envisions the applicability of the developed methodology and framework to supply chain logistics, as well as command and control processes.
Now that the prototype has been validated, the next step is to create outputs that are more user-friendly, such as a report that can be read by C-suite executives as well as SCADA operators. Jaskolka would also like to build additional analysis functionality, some of which was suggested through follow-up research with the utility.
“I am grateful to the City of Ottawa for allowing me to work with them,” Jaskolka said. “I received a lot of great feedback, which has generated new ideas on everything from usability to marketing.”