Industrial Control System (ICS) attacks are typically viewed as immediate disruptive events designed to directly impair, damage, or otherwise disrupt an industrial process. Yet an analysis of the most significant ICS security events to date – Stuxnet, CRASHOVERRIDE, and TRISIS – reveals more worrying ambitions. Rather than seek immediate disruption, each of these attacks sought to undermine a fundamental aspect of process integrity as part of a multi-staged intrusion event to achieve impacts far greater than simply shutting down a plant or stopping the flow of electricity.
By appreciating and understanding this nuance in past events, ICS asset owners and defenders can gain greater understanding of potential ICS attack vectors – and the appropriate responses to attacks that seek to undermine critical aspects of operational environments. Most importantly, nearly all such attacks feature at least some degree of impact on process protection or safety, resulting in potentially hazardous process conditions (and physical destruction) either through the attack lifecycle, or when a compromised process is restored without understanding (or even knowing) it has been changed.