Safety Watermark: A Defense Tool for Real-Time Digital Forensic Incident Response in Industrial Control Systems

Industrial Control Systems (ICSs) including those executing process safety controls, alarms, and interlocks are becoming more interconnected with other systems. Traditional process hazard analysis (PHA) rarely considered the possibility of cyber-attacks causing safety incidents in the process. Practitioners have viewed safety and security traditionally as systems with different properties. Both communities worked separately using their respective terminologies and frameworks. With the view of limited resources especially in the protection of security, it is important to be able to prioritize. A strategy is to take a top-down approach by identifying system losses that needed protection. This results in a more manageable set of potential losses. Rather than starting from the angle on how best to protect the network against the myriad of threats, a strategic approach would be to know what services and functions require protection. The novelty of this work is to use a subset of the invariants derived using a top-down approach by focusing on hazards manifestations that require protection from being comprisable digitally. This approach is called the safety watermark concept in this paper. In its most basic form, it is successfully shown to alert operators of potential safety risk manifestations with varying importance. In certain situations where the likelihood of the safety risk manifestations increases towards a cyber-attack, the safety watermark raises the alert level to potential cyber incidents. The safety watermark has been effectively utilized to demonstrate the ability in real-time to identify potential indicators of compromises in terms of system components, a yet to be commercially available capability for industrial control systems. The safety watermark possesses the ability to scale, and an example is illustrated for a consequence driven methodology like the Consequence-Based Cyber-Informed Engineering (CCE) by Idaho National Laboratory.