Critical Infrastructure control systems continue to foster predictable communication paths, static configurations, and unpatched systems that allow easy access to our nation's most critical assets. This makes them attractive targets for cyber intrusion. We seek to address these attack vectors by automatically randomizing network settings, randomizing applications on the end devices themselves, and dynamically defending these systems against active attacks. Applying these protective measures will convert control systems into moving targets that proactively defend themselves against attack. Sandia National Laboratories has led this effort by gathering operational and technical requirements from Tennessee Valley Authority (TVA) and performing research and development to create a proof-of-concept solution. Our proof-of-concept has been tested in a laboratory environment with over 300 nodes. The vision of this project is to enhance control system security by converting existing control systems into moving targets and building these security measures into future systems while meeting the unique constraints that control systems face.
We are using the DoD MIL-STD as our guide for microelectronics aging (MIL-STD 883J, Method 1016.2: Life/Reliability Characterization Tests). In that document they recommend aging at 3 temperatures between 200-300C, separated by at least 25C, with the supply voltage at the maximum recommended voltage for the devices at 125C (3.6V in our case). If that voltage causes excessive current or power then it can be reduced and the duration of the tests extended. The MIL-STD also recommends current limiting resistors in series with the supply. Since we don’t have much time and we may not have enough ovens and other equipment, two temperatures separated by at least 50C would be an acceptable backup plan. To ensure a safe range of conditions is used, we are executing 24-hour step tests. For these, we will apply the stress for 24 hours and then measure the device to make sure it wasn’t damaged. During the stress the PUFs should be exercised, but we don’t need to measure their response. Rather, at set intervals our devices should be returned to nominal temperature (under bias), and then measured. The MIL-STD puts these intervals at 4, 8, 16, 32, 64, 128, 256, 512 and 1000 hours, although the test can be stopped early if 75% of the devices have failed. A final recommendation per the MIL-STD is that at least 40 devices should be measured under each condition. Since we only have 25 parts, we will place 10 devices in each of two stress conditions.