Critical Infrastructure Protection against targeted attacks on cyber-physical systems

Protocol behavior analysis and operational correlation detection

Author: Enrique Martín García, Telvent Global Services, [email protected]

August 25th, 2015


Contents

Introduction
Critical sector and critical infrastructure
    Legal framework
    Technical characteristics
Taxonomy of attacks on cyber-physical systems
    Damage to equipment
    Damage to Production
    Deterioration of compliance
Critical Infrastructure Protection
    People
    Procedures
    Technologies
        Network intrusion detection System (NIDS)
        NIDS based on deep protocol behavior inspection
        Operational Correlation
        Future trends: S-IDS
Detection of cyber-physical attacks
Conclusions
About Telvent Global Services
Acknowledgements
References


Introduction

From the Aurora [1] experiment in 2007, a cyber attack on a power generator intended to demonstrate the ability to cause physical damage to assets remotely, to this day, this type of attack has materialized twice.

The first cyber-physical attack in history that was recorded, documented and widely known among industrial cyber security professionals was STUXNET [2] (2010). It marked the beginning of this discipline and of most protective standards for critical infrastructure, as it demonstrated the enormous destructive power of malware aimed at destroying the centrifuges in charge of the uranium enrichment that Iran would use to produce nuclear weapons.

The second cyber attack with physical consequences occurred recently (end of 2014) at a German steel plant [3]. After gaining access to the control network from the business network, the attackers prevented a graceful shutdown of a blast furnace, although the details and effects have not been studied in the same detail as in the case of STUXNET.

In 2015, interest in attacks that alter the physical behavior of the environment through cyber means has increased, driven by experiments carried out on cars [4], medical instruments [5] and numerous automation devices connected to the Internet.

This technical note (White Paper) looks at the higher-impact (and therefore riskier) attacks on cyber-physical systems in critical infrastructure control networks, and proposes protecting against them through changes to organizational structures and procedures and through new intrusion detection technologies based on behavior analysis of control protocols and correlation of operational events.


Critical sector and critical infrastructure

To put the domain to be protected from such attacks into context, we describe the characteristics of what is considered critical infrastructure in Europe and in Spain.

Legal framework

In January 2009, Directive 2008/114/EC of the Council of the European Union came into effect, establishing the need to identify Europe's critical infrastructures in order to design strategies to protect them.

The Directive requires the identification of infrastructure in the energy and transport sectors, leaving open the possibility for member states to identify additional critical sectors.

In December 2014 the European Union Agency for Network and Information Security (ENISA) published a guide [6] for the identification of critical assets. This guide lists the critical sectors already identified by the member countries of the Union, which can be seen in the following table:


Spain has identified twelve critical sectors:

• Energy (with three subsectors: electricity, oil and gas)
• Nuclear
• Economics (finance and tax administration)
• Water
• Transportation (with three subsectors: air, sea and land)
• Food
• Information Technologies and Communications
• Chemical
• Health
• Space
• Public administration
• Research

In each of these sectors a set of Critical Operators (OC) has been appointed or will be appointed in the near future. These are the owners or operators of infrastructures that provide essential services and whose compromise could cause damage to broad sectors of the population. This set of infrastructures shapes the domain we need to protect, and they share a number of common technical characteristics.

Technical characteristics

Many infrastructures classified as critical have a hybrid architecture in which classical information technology networks (IT network) coexist with industrial control networks (OT network) that manage the elements interacting with the physical environment (cyber-physical systems). A basic scheme of this type of infrastructure could be the following:


Cyber-physical systems control a particular process and are managed by networked systems; they operate according to the following basic scheme:

Sensors measure the current process values at fixed intervals and send them to the control units, which assess the need to send orders to the actuators so that the process remains within the values for which it was designed and behaves according to the original design.

Today all this control traffic has been migrating to TCP and conventional operating systems, which has made attack surfaces appear that did not exist before.

The key characteristics of OT networks can be summarized as follows:

• Fewer devices and services than IT networks.
• They should never be directly connected to the Internet.
• They execute repetitive operations between their nodes and systems.
• They are very sensitive to delays or communication problems.

But these classes of networks also have strong weaknesses, such as:

• Use of insecure or unauthenticated protocols.
• Often not segmented, logically or physically.
• No possibility of installing third-party software on some systems.
• No possibility of patching or updating certain systems.

These features and constraints make the protection of such critical networks very particular and, as discussed below, require specific strategies and technologies for this type of environment.


Taxonomy of attacks on cyber-physical systems

Although the number and nature of cyber attacks on control systems that could have effects on the physical environment is very broad, we will only consider those that have been studied by various stakeholders in industrial cyber security.

In particular, recent studies [7] [10] define the following categories depending on the purpose of the cyber-physical attack:

• Damage to equipment
• Damage to production
• Deterioration of compliance

Let's see each of them in detail:

Damage to equipment

Such cyber attacks are intended to produce permanent failures and breakdowns in the industrial equipment interacting with the physical environment. In particular, attacks on the following elements have been studied:

• Pipes and pipelines: Opening and closing valves quickly, and sometimes in a coordinated way, can cause a physical phenomenon called "water hammer", an increase in pressure inside the pipe that can exceed its structural strength, causing breakage and the subsequent discharge of fluid (liquid or gas).

• Tanks: Tanks are in many cases designed to withstand very high internal pressures, but they collapse at very low internal pressure (or vacuum). Sudden changes in the temperature inside a tank can lead to abrupt changes in internal pressure, which could eventually collapse it.

• Generators: As demonstrated in the Aurora experiment, opening and closing out of phase the switches of a generator connected to an electrical substation produces kinetic effects that physically break it.

• Engines: In its last phase, the Stuxnet cyber attack accelerated the engines of the uranium centrifuges for long periods of time, causing material fatigue and subsequent failure.

• Chemical reactors: The most common chemical reactions typically occur at high temperatures, so a change in the reaction control conditions that causes a significant increase in temperature would cause thermal damage to the reactor structure, up to its total destruction.

It is also possible to combine two or more of these attacks with each other, so that a power loss coincides with the loss of control of some element or with its entry into an unstable operating condition.

Although we have been considering these as attacks, there are historical examples of great industrial accidents caused by abnormal functioning of control systems [12]. The following points will show how these detection technologies can help to detect operational failures that could lead to serious industrial accidents as well.


Damage to production

The purpose of this type of cyber attack on the process is to alter the financial results of the organization that operates it. Among them, the following have been studied:

• Decrease in the amount of final product: By changing certain process control variables at specific points, the amount of product obtained can be altered. A clear example of this was built on the production of vinyl acetate monomer [7] and presented at Black Hat in Las Vegas in August 2015.

• Decrease in product purity: If the alterations made to the process control variables change the purity of the final product, a significant devaluation of the product can be produced. A concrete example is paracetamol, whose purity can alter its price by several orders of magnitude.

• Increase in operating and maintenance costs: Cyber attacks can intentionally cause process alarms to force recalibration of the field elements as often as the attackers desire, thereby increasing the costs of the targeted organization. Moreover, repeatedly attacking processes with different values is one of the most common practices for hiding such attacks, because that way the suspicions of the maintenance teams are moved around the organization.

Deterioration of compliance

The legal and regulatory frameworks that organizations must meet mean that breaching certain commitments can carry very significant penalties. Among this kind of commitment we can find the following:

• Safety regulations: Altering a safety parameter of the industrial plant may entail a violation of physical safety rules, which in turn is liable to a major fine upon inspection.

• Impact on the environment: Discharges into rivers or waste production values of certain compounds above the permissible threshold are punished with significant financial penalties.

• Contractual breaches: Altering the purity or quantity of the product can cause certain contract clauses not to be met, preventing the agreed billing and causing significant economic losses to the organization.

All these cyber attacks, studied in the past year, have a number of common characteristics:

• Semantic attacks: They require in-depth knowledge of the environment, the process and the variables to be altered in order to produce the desired effects.

• Targeted at the control network: They use "legitimate" users and systems, unauthenticated control protocols and "valid" commands, and are executed with appropriate permissions.

• Conducted by multidisciplinary teams: Composed of an IT team (network and systems), an OT team (SCADA) and process engineers (of the attacked sector).


In view of the nature of cyber-physical and process attacks, and of the technical characteristics of the control networks described above, critical infrastructure protection presents a number of problems that can only be addressed using the solutions described in the next section.

It might seem that this type of attack is too complicated or exceptional to take into account in our risk analysis, but do not forget that:

1. They are targeted attacks intended to cause physical damage and could be executed or sponsored by state organizations.

2. They have already materialized and were not mere theoretical laboratory studies.

3. In both cases the cyber attack came from outside the attacked facilities, even where isolation from the Internet is assumed. (The average number of connections found in control network assessments is 11 [11].)

4. The success of these attacks could endanger human lives.

5. Act 8/2011 on Critical Infrastructure Protection (PIC) explicitly mentions the need to consider very high impact events, such as these attacks, in the risk assessment of this type of infrastructure.

Another common line of thinking when leaving these cyber-physical attacks out of the risk analysis is to consider them covered by safety plans. As shown in the Mogford report [13] after the Texas City refinery accident, there was a lack of preventive maintenance on safety-critical systems. So, once again, we cannot rely on initial conditions to establish the actual security state of the infrastructure; we need to assess it on a periodic basis.

Critical Infrastructure Protection

Cyber security is founded on three pillars: people, procedures and technologies. In this case it cannot be otherwise, so the following sections formulate a series of recommendations to protect such infrastructure from the cyber-physical attacks seen before.

People

As we saw earlier in this note, such cyber attacks can only materialize through the joint action of experts in different fields (IT technology, OT technology and the industrial process to be attacked). It is necessary for critical infrastructure operators to have multidisciplinary teams in their cyber security organizations, working in a coordinated way in order to protect them.

This is one of the most common problems encountered in implementing the CIP law, because of the existing inertia in many organizations where the worlds of control and security have always been in different functional areas, with different managers and budgets.

Awareness on the part of the senior management of the infrastructure operator is required to make the critical changes needed in the functional organization to ensure a single multidisciplinary team responsible for this cyber security.

Procedures

It is a priority to change the procurement procedures of critical infrastructure operators to require the inclusion of cyber security requirements for automation and control solutions, just as exists for safety in plants. Deploying controls and countermeasures in control networks without this approach at design time will be much more difficult and expensive.


Given the semantic nature of these attacks, it is necessary to expand the risk analysis to contemplate process attacks. As seen above, this is only possible with the participation of process control engineers in this activity, where cyber security and safety converge (hazard / risk analysis).

Technologies

For all the reasons mentioned above, the security measures to be taken in such environments must take into account the importance of availability in control networks. Any measure to be implemented should be as safe as possible in terms of its impact on the process to be protected. According to the Industrial Control Systems CERT (ICS-CERT) of the US Department of Homeland Security, the impact of the various protection technologies to consider when deploying in such networks is as follows:

As can be seen, intrusion detection systems are the technology with the least impact on industrial control networks.

Within this technology, and considering the significant limitations that exist for installing third-party software on the control systems (SCADA servers, engineering workstations and operator positions or HMI), selecting NIDS technology (Network Intrusion Detection System) is indicated, since neither modification of the existing network architecture nor reconfiguration of any of the systems will be necessary.


Network intrusion detection System (NIDS)

According to the taxonomy of intrusion detection systems defined by Debar and his working group [8], the most suitable system is shown in the following figure:

The detection method should not be based on signatures, since signatures must be updated frequently and offer no protection against 0-day vulnerabilities; this makes behavior detection the most appropriate choice.

Behavior detection should be passive, to be as non-intrusive as possible in the network and not interfere with the commands and actions exchanged over it.

Given the importance that state transitions have in the control of industrial processes, the NIDS should support this paradigm, and finally it should monitor continuously, since these networks operate on a 24x7x365 basis.

Regarding the detection technology for behavioral anomalies, there are several alternatives: inspection of message headers (header-based detection), inspection of the message payload (payload-based detection), or a combination of both. In the present note we will use the last option, as it is the only one capable of detecting this type of semantic attack, and it is the one used by the deep protocol behavior inspection technology we propose as network intrusion detection for critical infrastructure.


NIDS based on deep protocol behavior inspection

Having selected the detection technology, we will explain how to implement it in such environments. Since its operation is based on detecting events that differ from normal behavior (anomalies), we must first build the pattern of normal behavior (the behavioral blueprint).

This pattern can be built in a specification-based manner (introducing the topological and operational information of the network) or unattended, using learning-based technology. The first option is rarely useful, as the organization's knowledge of the low-level details of its control network implementation in many cases dates back to the FAT (Factory Acceptance Test) or the SAT (Site Acceptance Test), so it is usually very old, outdated information that is not systematically maintained through change management procedures in line with best practices.

Selecting the unattended construction method by learning, we must remember that it is very important that this normal behavior pattern be built in an environment as similar as possible to the production environment on which anomalous behavior detection will be performed.

The operating scheme of this type of intrusion detection sensor is as follows:

Although learning is automatic, it must always be adjusted by control engineers who are familiar with the process, to eliminate any undesired operation generated by unscheduled interventions once verified by the control personnel. Additionally, in the detection phase, such events should be able to be included in the behavior pattern (blueprint) to avoid unwanted alerts (false positives).

The behavioral blueprint obtained after the learning and customization phase includes the following elements:

Control network communication profile

At this point the NIDS knows every possible tuple in the control network (traffic matrix):

    Src IP, Src Port -> Dest IP, Dest Port

From this moment on, we can be alerted by:

• New devices on the network
• Devices trying to connect to our network that are not in our model
• Devices sending information out of our network to devices outside the model.


Protocols, messages and values matrix

In order to detect advanced operation issues or attacks on processes, we need to use deep protocol behavior inspection (DPBI) technology, since with it we will know:

• The control protocols operating in the network
• The messages used within each protocol
• The distribution of values within each message field of the control protocols actually on the network

All this information must be organized in a logical manner in order to obtain the pattern of behavior against which all messages obtained from the network are subsequently compared. The DPBI NIDS is responsible for generating this model during the learning phase using its advanced behavior modelling technology.

From this point we can start the detection phase and be alerted of any communication diverging from the newly built behavioral blueprint.
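The learning and detection phases described above, as an added example that is not part of the original note nor of the SCAB product: a blueprint that learns the traffic matrix and the protocol / message / value matrix from constructed decoded frames, then reports which blueprint element each detection-phase frame violates. The frame layout, addresses, ports and the control network prefix are assumptions.

```python
"""Behavioral blueprint: learning phase and detection phase.

Added example, not SCAB's or Telvent's code. Decoded frames are plain dicts
with the assumed keys src, sport, dst, dport, proto, msg and fields; the
addresses, ports and the control network prefix are constructed.
"""
import ipaddress
from collections import defaultdict

CONTROL_NET = ipaddress.ip_network("10.10.0.0/24")   # assumed OT address range (constructed)


class Blueprint:
    """Traffic matrix plus protocol / message / value matrix learned from traffic."""

    def __init__(self):
        self.hosts = set()                 # devices seen during learning
        self.tuples = set()                # (src, sport, dst, dport)
        self.messages = defaultdict(set)   # proto -> message types seen
        self.ranges = {}                   # (proto, msg, field) -> (min, max)

    def learn(self, m):
        """Learning phase: record every tuple, message type and field value range."""
        self.hosts.update((m["src"], m["dst"]))
        self.tuples.add((m["src"], m["sport"], m["dst"], m["dport"]))
        self.messages[m["proto"]].add(m["msg"])
        for field, value in m.get("fields", {}).items():
            key = (m["proto"], m["msg"], field)
            lo, hi = self.ranges.get(key, (value, value))
            self.ranges[key] = (min(lo, value), max(hi, value))

    def check(self, m):
        """Detection phase: return the alerts a message raises (empty if it fits)."""
        alerts = []
        # 1. Communication profile: new devices, external peers, unknown tuples.
        for role, addr in (("src", m["src"]), ("dst", m["dst"])):
            if addr in self.hosts:
                continue
            if ipaddress.ip_address(addr) in CONTROL_NET:
                alerts.append(("NEW_DEVICE", addr))
            elif role == "src":
                alerts.append(("EXTERNAL_SOURCE", addr))       # outsider connecting in
            else:
                alerts.append(("EXTERNAL_DESTINATION", addr))  # data leaving the model
        flow = (m["src"], m["sport"], m["dst"], m["dport"])
        if flow not in self.tuples:
            alerts.append(("UNKNOWN_TUPLE", "%s:%s -> %s:%s" % flow))
        # 2. Protocol / message / value matrix (deep protocol behavior inspection).
        if m["proto"] not in self.messages:
            alerts.append(("UNKNOWN_PROTOCOL", m["proto"]))
            return alerts                  # nothing deeper can be checked
        if m["msg"] not in self.messages[m["proto"]]:
            alerts.append(("UNKNOWN_MESSAGE", m["proto"] + "/" + m["msg"]))
            return alerts
        for field, value in m.get("fields", {}).items():
            key = (m["proto"], m["msg"], field)
            if key not in self.ranges:
                alerts.append(("UNKNOWN_FIELD", field))
                continue
            lo, hi = self.ranges[key]
            if not lo <= value <= hi:
                alerts.append(("VALUE_OUT_OF_BLUEPRINT", f"{field}={value} not in [{lo}, {hi}]"))
        return alerts


def frame(src, dst, proto, msg, sport=49152, dport=2404, **fields):
    """Build a constructed decoded frame (not real capture data)."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": proto, "msg": msg, "fields": fields}


SCADA, RTU, PLC = "10.10.0.10", "10.10.0.21", "10.10.0.31"

# Constructed learning-phase traffic: IEC 104 single commands and measurements between
# the SCADA server and an RTU, plus Modbus register writes (0..40) to a valve PLC.
LEARNING = [frame(SCADA, RTU, "IEC104", "C_SC_NA_1", ioa=1001, scs=s) for s in (0, 1)]
LEARNING += [frame(RTU, SCADA, "IEC104", "M_ME_NC_1", sport=2404, dport=49152,
                   ioa=2001, value=v) for v in (49.9, 50.0, 50.1)]
LEARNING += [frame(SCADA, PLC, "Modbus", "WRITE_SINGLE_REGISTER", dport=502,
                   addr=40001, value=v) for v in range(0, 41, 10)]

# Constructed detection-phase traffic.
DETECTION = {
    "normal": frame(SCADA, RTU, "IEC104", "C_SC_NA_1", ioa=1001, scs=1),
    "rogue": frame("10.10.0.99", RTU, "IEC104", "C_SC_NA_1", ioa=1001, scs=1),
    "valve60": frame(SCADA, PLC, "Modbus", "WRITE_SINGLE_REGISTER", dport=502,
                     addr=40001, value=60),
    "egress": frame(SCADA, "203.0.113.5", "HTTPS", "CLIENT_HELLO", dport=443),
}


def run_demo():
    """Learn the blueprint from LEARNING, then return {name: alert codes} for DETECTION."""
    bp = Blueprint()
    for m in LEARNING:
        bp.learn(m)
    return {name: [code for code, _ in bp.check(m)] for name, m in DETECTION.items()}
```

Calling run_demo() returns no alert for the learned command, NEW_DEVICE and UNKNOWN_TUPLE for the rogue station, VALUE_OUT_OF_BLUEPRINT for the valve write of 60, and EXTERNAL_DESTINATION plus unknown tuple and protocol for the outbound HTTPS connection.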

Operational Correlation

Despite the power of DPBI detection technology in control environments, we need to be able to generate alerts that detect cyber attacks on the physical process carried out through operations that are within the behavior pattern and executed from control network stations that are also in the pattern.

A clear example of this would be an Aurora-type attack run from a SCADA server, transmitting out-of-phase opening and closing orders for switches to a remote terminal unit (RTU) in a substation, using the IEC 104 protocol.

To detect this cyber attack, we should be able to store all the IEC 104 opening and closing commands aimed at RTUs that we find in the control network, and estimate the time difference from the immediately preceding command sent to the same RTU.

To do this, the DPBI network intrusion detector must also be able to provide the functionality described above (operational correlation).

In the case of the DPBI NIDS solution for SCADA, SCAB (Security Awareness Control Box for SCADA), this correlation is implemented by deploying additional logic (a script-type program) that performs the correlation.

An example of a function from such a script is as follows:

    -- Called for each new data chunk seen on a connection; refreshes the byte and
    -- packet counters of the flow record kept for that connection. find_flow is
    -- assumed to be defined elsewhere in the script.
    function new_connection_data(conn, data, is_upstream)
        local record = find_flow(conn)
        if record ~= nil then
            record.up_bytes = conn:upstream_num_bytes()
            record.down_bytes = conn:downstream_num_bytes()
            record.up_pkts = conn:upstream_num_pkts()
            record.down_pkts = conn:downstream_num_pkts()
            record.payload_up_bytes = conn:upstream_num_payload_bytes()
            record.payload_down_bytes = conn:downstream_num_payload_bytes()
        end
    end


Future trends: S-IDS

The combination of detection technology based on control protocol behavioral anomalies with operational correlation allows us to detect cyber-physical attacks on critical infrastructure processes, yet the implementation of operational and temporal correlations is still somewhat of a craft.

To solve this problem, new detection technologies that include this information in the behavioral pattern automatically are being investigated.

One of these technologies is called Sequence-aware Intrusion Detection System [9], and it raises a number of novel approaches to generating a behavior pattern, such as controlling the order in which messages are sent from the servers to, and received from, the control elements, the time between state transitions and message sending, and the standard deviation of that time.

The block architecture of a system of this type would be:

In the learning phase, information from the model input sources (control network protocol messages, log file entries and the values of the process commands) would be collected and would feed the sequencer, which maintains the timing trace, before passing to the process model generator.

As in the case of the DPBI-based NIDS, once the learning phase is finished the system would enter detection mode. First experimental results for the water sector SCADA have been achieved, and work is in progress to decrease the false positive rate (FPR) and reduce noise in the detection phase.

This is just one of today's research paths on intrusion detection for industrial control systems, and it is still under development and validation.


Detection of cyber-physical attacks

All the cyber-physical attacks described earlier in this technical note can be detected using a combination of network intrusion detection technologies: deep protocol behavior inspection (DPBI) and operational correlation.

• Aurora attack type: After creating the DPBI pattern of normal behavior for the control network, a script would be deployed that monitors the sequence of write commands received by the RTUs within an arbitrary period of time (seconds or milliseconds). If a CLOSE write order were sent to a given RTU after a previous OPEN value, within less time than the allowed interval (0.2 s), we would fire an alert.

Figure 1: Transition state minimal time period

• Water hammer / discharges attack type: Assuming a progressive control scenario as in Figure 2, it would only be possible to reach the completely closed (or open) state of the valve from a previous state with V = 30.

Figure 2: States and transitions diagram

Any value sent in a write command to the valve control PLC would be compared to the last write value sent. If the difference between the value of the write command and the immediately preceding one received exceeded the maximum increase in programmed control (∆V = 10), an alert would be raised.

Additionally, any value in a command not included in the behavioral blueprint would trigger an alert (e.g. V > 40).


Remarkably, the importance of the anomaly differs depending on the detected transition, and a criticality hierarchy may be established. In the example of Figure 2, the abnormal transition E3 -> E5 triggers a warning alert, while the anomalous transition E1 -> E5 triggers a critical alert.

• Alteration of the amount of production (vinyl acetate monomer): Any value received in a write message to the PLC that controls the reactor temperature, outside the distribution of values of the behavior blueprint, would trigger an alert.

• Attack by temperature on chemical reactors: As in the case of water hammer, any write command sent to the PLC for progressive temperature control would be compared with the immediately preceding one. If the difference between the value written and the immediately preceding one received exceeded the defined maximum temperature threshold, an alert would be sent.

• Fake maintenance: Commands sent to the control elements in order to conceal attacks on the process would never have formed part of the original behavior pattern built for the network, so any transmission of them would trigger an immediate alert.

We can summarize this in the following table:

    Physical Attack      | Detection Technology
                         | DPI | DPBI | Op. Correlation
    ---------------------+-----+------+----------------
    Water hammer         |     |      |
    Aurora Attack        |     |      |
    Engines              |     |      |
    Chemical reactors    |     |      |
    Quantity decrease    |     |      |
    Purity alteration    |     |      |
    Fake maintenance     |     |      |
    Waste disposal       |     |      |

    (The coverage marks in the cells are not present in the extracted text.)

It is important to note that the semantics needed to detect these attacks through additional programming logic come from deep knowledge of the process controls and their possible weaknesses. Systems based solely on deep protocol inspection (DPI) could not detect such attacks; it is necessary to use both DPBI and operational correlation to detect them all.

There is another very powerful application of operational correlation: detecting whether allowed control operations (nodes, protocols and distribution of values) are executed within specific time frames. (A firmware update of a PLC or RTU can be normal within a business day and exceptional if done on weekends or at night.)
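The correlation rules of this section and of the IEC 104 Aurora example above, written out as an added example that is neither the note's nor SCAB's script: one rule for the 0.2 s breaker toggle and one generic progressive-control rule applied both to the valve (∆V = 10, blueprint 0..40) and to the reactor temperature. The device names, the temperature range and step, the severities assigned to jumps of two versus three or more steps, and the command stream are assumptions.

```python
"""Operational correlation over commands that already fit the DPBI blueprint.

Added example, not SCAB's or Telvent's Lua logic. It encodes the note's rules:
the Aurora timing check (a breaker toggled again in under 0.2 s), the
progressive-control step limit (dV = 10, values outside the blueprint) with the
E1..E5 criticality hierarchy, and the same step rule reused for reactor
temperature. The command stream, device names and thresholds are constructed.
"""
from dataclasses import dataclass


@dataclass
class Alert:
    severity: str   # "warning" or "critical"
    rule: str
    detail: str


class AuroraRule:
    """IEC 104 single commands (scs: 0 = OPEN, 1 = CLOSE) to one breaker point; a toggle
    less than min_interval after the preceding command on the same (rtu, ioa) fires."""

    def __init__(self, min_interval=0.2):
        self.min_interval = min_interval
        self.last = {}   # (rtu, ioa) -> (timestamp, scs) of the preceding command

    def feed(self, t, rtu, ioa, scs):
        prev = self.last.get((rtu, ioa))
        self.last[(rtu, ioa)] = (t, scs)
        if prev is None or prev[1] == scs:
            return []
        prev_t, prev_scs = prev
        if t - prev_t >= self.min_interval:
            return []
        names = {0: "OPEN", 1: "CLOSE"}
        return [Alert("critical", "aurora",
                      f"{rtu} ioa {ioa}: {names[prev_scs]}->{names[scs]} after "
                      f"{t - prev_t:.3f}s (< {self.min_interval}s)")]


class ProgressiveControlRule:
    """Writes to a progressive control (valve position, reactor temperature) are compared
    with the preceding write to the same target: inside the blueprint range, at most
    max_step apart. Assumed hierarchy (note: E3->E5 warning, E1->E5 critical): a jump
    of two steps is a warning, three or more steps is critical."""

    def __init__(self, name, blueprint_range, max_step):
        self.name = name
        self.lo, self.hi = blueprint_range   # value range seen during learning
        self.max_step = max_step
        self.last = {}                       # target -> last written value

    def feed(self, target, value):
        alerts = []
        if not self.lo <= value <= self.hi:
            alerts.append(Alert("critical", f"{self.name}/blueprint",
                                f"{target}: {value} outside [{self.lo}, {self.hi}]"))
        prev = self.last.get(target)
        self.last[target] = value
        if prev is not None:
            steps = abs(value - prev) / self.max_step
            if steps > 1:
                severity = "warning" if steps <= 2 else "critical"
                alerts.append(Alert(severity, f"{self.name}/step",
                                    f"{target}: {prev}->{value} exceeds step {self.max_step}"))
        return alerts


# Constructed command stream (t in seconds). Every entry is inside the traffic
# matrix and the allowed message types, so only correlation can flag it.
COMMANDS = [
    ("sc",    0.00, "rtu-1",     1001,  0),    # OPEN breaker
    ("sc",    0.05, "rtu-1",     1001,  1),    # CLOSE 50 ms later: Aurora pattern
    ("sc",    1.00, "rtu-1",     1001,  0),    # OPEN again after 0.95 s: allowed
    ("valve", 2.00, "plc-1",     40001, 10),   # E2
    ("valve", 3.00, "plc-1",     40001, 20),   # E3, one step: allowed
    ("valve", 4.00, "plc-1",     40001, 40),   # E3->E5, two steps: warning
    ("valve", 5.00, "plc-1",     40001, 0),    # E5->E1, four steps: critical
    ("valve", 6.00, "plc-1",     40001, 50),   # V > 40: not in blueprint, plus a 5-step jump
    ("temp",  7.00, "reactor-1", 1,     180),
    ("temp",  8.00, "reactor-1", 1,     210),  # 1.5 steps of 20 degrees: warning
]


def correlate(commands):
    """Run every command through the matching rule; return the alerts in order."""
    aurora = AuroraRule(min_interval=0.2)
    valve = ProgressiveControlRule("valve", blueprint_range=(0, 40), max_step=10)
    temp = ProgressiveControlRule("temperature", blueprint_range=(150, 250), max_step=20)
    alerts = []
    for kind, t, device, point, value in commands:
        if kind == "sc":
            alerts += aurora.feed(t, device, point, value)
        elif kind == "valve":
            alerts += valve.feed((device, point), value)
        elif kind == "temp":
            alerts += temp.feed((device, point), value)
    return alerts
```

correlate(COMMANDS) yields six alerts for the constructed stream: the 50 ms breaker toggle, the E3->E5 warning, the E5->E1 critical, both a blueprint and a step alert for V = 50, and a temperature step warning.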


Conclusions

The new attacks on the cyber-physical systems of industrial processes running on critical infrastructure require the adoption of new strategies capable of detecting them without interfering with normal operation.

Changing the functional structures (common managers and multidisciplinary teams) and the procedures of critical infrastructure operators (risk analysis and procurement requirements) is imperative to address this kind of physical attack.

The only technology capable of detecting attacks launched from within the control network using protocols, messages and values that are allowed on it, but in an order or at a frequency other than normal, is an intrusion detection system that supports deep protocol behavior inspection (DPBI) with the ability to correlate operational events.

The implementation of these technologies in the control networks of critical infrastructures should be seriously considered by those responsible for the cyber security of these facilities and by the authorities responsible for monitoring compliance with the PIC 8/2011 Act.

In the future, sequence-aware NIDS (S-NIDS) or similar technologies may help simplify the implementation of these systems in control networks, significantly improving behavior pattern generation and subsequent maintenance and protecting the processes and cyber-physical systems of critical infrastructures.

About Telvent Global Services

Telvent Global Services (Telvent) is a leading IT/OT company highly specialized in critical infrastructure management services for information and operational technologies, offering integrated consulting, integration and outsourcing solutions throughout its lifecycle. We pursue our mission to simplify complex technology with a range of services that responds to the needs of managing and operating infrastructure and IT and OT systems, supporting the business performance of our customers.

Acknowledgements

To Daniel Trivelatto, Emmanuele Zambon and Damiano Bolzoni for their helpful insights and support.

