Industrial Control System Security Is Overlooked

Uploaded on 2021-04-12 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Production-Manufacturing, TECHNOLOGY-Key Areas-Internet of Things

Industrial, manufacturing, and other organizations are in business to manufacture and/or distribute products. These organizations cannot manufacture and/or distribute products without the control systems performing reliably, safely, efficiently, and resiliently. Organizations have been making and distributing products before the advent of IP networks and can continue, though in a less efficient manner, without the IP networks. 

This was demonstrated by Ukraine when the Russians cyber attacked the electric grids in December 2015 and 2016 and the Ukrainians were able to operate the grid without their IP networks. On the other hand, control system cyber security is necessary to ensure the connected control system networks and devices can perform their functions securely so as to support safety and reliability.

Too often, the IT mentality is to focus on data security rather than what is important when control systems are involved, i.e.. safety, reliability and integrity. Real issues occur within cyber security policy-making organizations where operations and engineering support (collectively OT) is not an equal member to the CISO when the focus is Operations, its equipment, and business objectives.  

There is a popular belief that control system cyber security is an issue because of IT/OT convergence. Convergence is an issue, but it is not the fundamental issue for cyber securing control systems.

A greater problem surrounds the place of field devices in the control system architecture. Control systems are composed of field devices with their lower-level networks under the purview of engineering. Internet Protocols (generally Ethernet) and Human-Machine Interfaces (HMI’s) are under the purview of network engineers. All of these engineers collectively are part of OT.

Cyber security technology, training, and forensics exists at the Ethernet layer and OT network specialists consider cyber security part of their job. The same cannot be said at the device and facility equipment level as cyber security technology, training, and forensics currently do not exist at this level and many engineers do not recognize that cyber security is part of their job 

Yet it is lack of the cyber security organizations addressing the Level 0,1 devices that is one of the significant reasons for the broken (or never established) culture gap between IT and OT, e.g.., operations and engineering.

With respect to process sensor cyber security, a respected colleague stated: “I have spent years talking to brick walls and brick heads about the lack of security in field devices. Their response is typically that they are air gapped and that everything is safe and secure. Irrational fantasy at best. I am not alone in this quest, but I am definitely in a minority.” 

Level 0,1 Issues

Process sensors are ubiquitous. A large process facility may have 10-30,000 process sensors, a large ship may have 50-100,000 process sensors, and a large utility-scale solar facility can have millions of process sensors. Level 0,1 devices often are the least understood part of control system cyber security (and are therefore generally ignored), yet they can have some of the most significant impacts.

Process sensor issues have been directly involved in many of the more than 1,300 actual control system cyber incidents to date that have killed people and caused more than $80B in direct damage. Russia, China, and Iran are aware of the cyber security gaps in these devices and in some cases are currently exploiting the lack of sensor authentication.

Process sensors are assumed to be secure, authenticated, and correct. Those assumptions at the very least depart from the IT principle of “zero trust”. Process sensor data are the input to process control, safety systems, OT networks, predictive maintenance programs, historians, etc. Compromising process sensors (or not recognizing sensor deviations) can circumvent cyber security mitigation as well as engineering safeguard protections. However, there is minimal cyber security in the process sensor ecosystem. Worse, there are built-in vulnerabilities that cannot be bypassed. 

Level 0,1 devices are often at the root of the technical and organizational issues as these devices are directly used in safety, control, maintenance, and operations, often with different requirements, different users, and different organizational cultures.

The organizational problem at Level 0,1 is very complex. Furthermore, the organizational problem is different on the user side and vendor side. They manage different problem spaces and have different goals and strategies. I will address the complex organizational issues in a separate blog.

Level 0,1 Standards Gaps

The available standards mostly reflect the divisions in user organizations. For instance, cybersecurity standards (e.g., ISA99) exclude safety while safety standards (e.g., ISA84) do not address the unique issues of cybersecurity (defers to ISA99). Additionally, many device safety manuals don’t mention cyber security and conversely many cyber security manuals don’t mention safety. The ISASecure certification program Component Security Assurance (CSA) focuses on the cyber security of software applications, embedded devices, host devices, and network devices.

To date, there have been no process sensors certified to ISASecure because of the kind of technical gaps listed next:-

Recently, the ISA84.09 working group (the process safety/cyber security group specifically organized to address safety-security as part of an integrated safety lifecycle) performed a thorough review with participation from several industry experts. The review was made of a generic state-of-the-art digital safety (wired) pressure transmitter for conformance to the ISA 62443-4-2 standard, Technical Security Requirements for IACS Components. Pressure transmitters were selected as they are used in basic process control and process safety applications. It is expected that other transmitter types such as differential pressure, temperature, level, flow, as well as other process transmitters will have similar cyber security issues. Many of the review conclusions are also applicable to wireless and analog sensors though they were not explicitly addressed in this assessment as the focus was wired pressure transmitters in safety applications.

There is a prevailing thought that analog sensors cannot be hacked because they are only accessible from close proximity to the sensors. That is not true and has been demonstrated by various security researchers including from Russia using a project called Corsair and demonstrated in the 2016 time frame. There were other similar demonstrations including one from Dr. Juan Lopez, then at the US Air Force Institute of Technology. These existing wired and wireless digital and analog pressure transmitters with their cyber security limitations are expected to continue to be produced and used for at least the next 10-15 years so “Rip and Replace” is not an option.  

The intent of the ISA 84.09 effort was to determine the relative conformance and applicability of the ISA 62443-4-2 Component Specification’s individual security requirements to the legacy (what is being built today as well those already installed in the field) digital safety pressure transmitter ecosystem including the transmitters, host computers, field calibrators, and local sensor networks so as to determine what, if any, compensating measures might be necessary.

The results were that most of the requirements in ISA 62443-4-2, including the fundamental requirements could not be met with some requirements not being applicable to wired-safety transmitters. 

It should be noted that a number of the requirements could be met by the host computers such as secure boot. Selected example cyber security deficiencies in the transmitters include: 

  • Lack of device cyber forensics (no ability to determine what has been changed and by whom).
  • Lack of cyber logging (no ability for long term storage of information as data is overwritten).
  • No capability of implementing AntiVirus.
  • Lack of patching capabilities.
  • Use of insecure communication protocols such as FTP, Modbus, Bluetooth, etc.

This means that compensating controls are necessary and that alternate standards/recommendations are needed to address the legacy devices that will be in use for the next 10-15 years or longer. There are compensating controls that can be developed to meet some, but possibly not all, of the pressure transmitter cyber security deficiencies and this effort is ongoing within the ISA84.09 committee. This work includes continuation of this use case that is part of a broader case study to illustrate practical activities within the overall integrated safety/security lifecycle.

As work continues, it is hoped that some discussions with various manufacturers will help to improve the initial transmitter study, as well as to begin formalizing potential compensating countermeasures. Additional off-shoots expected from this exercise are better guidance for security manuals and their relationship to safety.

Summary

Level 0,1 devices have no cyber security, authentication, or cyber logging. Yet process sensor issues have been directly involved in many of the more than 1,300 actual control system cyber incidents to date that have killed people and caused more than $80B in direct damage.

Russia, China, and Iran are aware of the cyber security gaps in these devices and in some cases are currently exploiting the lack of sensor authentication.

The ISA84.09 review of the ISA 62443-4-2 Component Cyber Security Specification identified that most of the cyber security requirements currently could not be met for a wired safety pressure transmitter. It is hoped that the Level 0,1 devices will be addressed with compensating controls where technology does not exist as they will be in use for the next 10-15 years or longer.

It is also hoped that addressing the artificial divisions in future standards work will result in more secure Level 0,1 device ecosystems. However, until the engineers believe that cyber security of their equipment and networks are important to them and the IT/OT network organizations believe that Level 0,1 devices and the process are important to them, control systems will not be able to be secured to all of our peril.

About The Author:  Joe Weiss is an international authority on cybersecurity, control systems and system security. He is Managing Partner at Applied Control Solutions.                                                

Image: Unsplash

You Might Also Read:

The SolarWinds Hack Can Directly Affect Industrial Control Systems:

 

 

 

« Cybersecurity Mergers And Acquisitions Q1 2021
How Do The Facebook & LinkedIn Data Leaks Impact Their Users? »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

National Centre of Incident Readiness & Strategy for Cybersecurity (NISC) - Japan

National Centre of Incident Readiness & Strategy for Cybersecurity (NISC) - Japan

NISC was established as a secretariat of the Cybersecurity Strategy Headquarters in collaboration with the public and private sectors to create a "free, fair and secure cyberspace" in Japan.

Guardea Cyberdefense

Guardea Cyberdefense

Guardea Cyberdefense is an IT services company specializing in the management of security projects, with a pool of skills selected from a network of specialized partners.

CybSafe

CybSafe

CybSafe is a cloud-based platform focussed on addressing the human component of cyber security - an intelligent approach to awareness training.

CyberPilot

CyberPilot

CyberPilot ApS is a Danish cybersecurity company. We work with all types of companies and organisations, both large and small, who want to achieve effective cybersecurity.

Center for Strategic Cyberspace & International Studies (CSCIS)

Center for Strategic Cyberspace & International Studies (CSCIS)

CSCIS seeks to advance global cyberspace security and prosperity by providing strategic insights for cyberspace and policy solutions to decision makers.

Invensity

Invensity

INVENSITY is an interdisciplinary technology and innovation consulting company. Centres of excellence include Cyber Security and Data Privacy.

Polyrize

Polyrize

The Polyrize continuous authorization platform for SaaS and IaaS stops tomorrow's public cloud cyber threats, today.

DestructData

DestructData

DestructData is a leading independent provider of End of Life data destruction/security solutions.

Vector Informatik

Vector Informatik

Vector Informatik is a specialist in automotove electronics and provides services, embedded software and tools for securing embedded systems against cyber-attacks.

iZOOlogic

iZOOlogic

iZOOlogic protects hundreds of the world’s leading brands, across banking, finance and government from cybercrime. We provide strong cyber defence solutions to protect client digital assets.

spiderSilk

spiderSilk

spiderSilk is a Dubai-based cybersecurity firm, specializing in simulating the most advanced cyber offenses on your technology so you can build your best security defenses.

SecurityGen

SecurityGen

SecurityGen is a global cybersecurity start-up focused on telecom security, with a focus on 5G networks.

inWebo

inWebo

inWebo is the specialist in multi-factor strong authentication (MFA). We guarantee the security of data and identities in a digital world with increasingly important economic and political stakes.

XpertDPO

XpertDPO

XpertDPO provides data security, governance, risk and compliance, GDPR and ISO consultancy to public and private sector organisations.

CIP Cyber

CIP Cyber

CIP Cyber is an online learning community with a mission of connecting, training, and certifying cybersecurity professionals to protect critical infrastructure.

Graphiant

Graphiant

Graphiant’s Data Assurance service gives businesses end-to-end control and visibility into how data travels throughout the entire business network.