Process Sensor Cyber Security Is A Vital Issue

Uploaded on 2022-01-15 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Production-Utilities, BUSINESS-Production-Manufacturing, BUSINESS-Production-Energy

Process sensors are ubiquitous and are under the auspices of the engineering organizations. Process sensors are the input to control and safety systems and provide input for operator decisions.

Like our fingers, eyes, and ears that provide input to the brain to make the right decisions, if the process sensor input is not secure and accurate, catastrophic failures can occur.

This has often meant that attention to safety, which the engineering organizations understand, has outrun attention to security, which is something that the engineering organizations have tended to view as the responsibility of the IT organization. In turn, the IT organizations have tended to overlook process sensor security, seeing that as an engineering responsibility that’s outside their own scope.

At the process sensor level, however, safety and security are really the same issue.

The Challenge Of Securing Process Sensors

Some example process sensor cyber-related incidents include:

  • Dam collapse from erroneous low-level readings
  • Sensor malfunctioned resulting in the release of 10 million gallons of untreated wastewater
  • Safety relief valve in a nuclear plant did not lift because the pressure sensor never reached its setpoint 
  • One voltage sensor failure in combined cycle plant in Florida caused a 200MW load swing at the plant that resulted in a 50MW load swing in New England
  • Tank farm explosions from erroneous level sensor readings
  • Airplane crashes from erroneous sensor readings
  • Refinery explosion from erroneous sensor readings

Three US national laboratories did a detailed survey issues in 2021 of sensors used in building controls and heating, ventilation, and air conditioning (HVAC), Sensor impacts on building and HVAC controls: A critical review for building energy performance.  According to this document, “Cybersecurity threats are increasing, and sensor data delivery could be hacked as a result. How hacked sensor data affects building control performance must be understood. A typical situation could include sensor data being modified by hackers and sent to the control loops, resulting in extreme control actions. To the best of the authors’ knowledge, no such study has examined this challenge.”

Process sensors have no cyber security, authentication, or cyber logging. Consequently, it is not possible to know whether these incidents were intentional or malicious but made to look like they were unintentional.  

There are three questions that are often asked about cyber security of process sensors:

  • Do you need a physical presence to compromise the sensor? No, it can be done remotely.
  • How much harm can cyber-related sensor impacts cause? The field calibrator calibrates one sensor at a time but connects insecurely to the Internet. The Asset Management Systems (AMS) has access to thousands of sensors. Meanwhile, the AMS has insecure connections to the Internet and often is connected to the Corporate Enterprise Resource Planning (ERP) systems. Some real examples of catastrophic failures from sensor issues were provided.
  • What happens when the compromised sensor data is sent to the cloud to be used in big data analytics for IOT or Industry4.0 applications? The sensor data is assumed to be uncompromised.

These deficiencies lead to a need for a training environment to:

  • Better understanding of how an adversary may interrupt, degrade, or possibly damage and destroy infrastructure.
  • Develop forensic capability to detect process sensor cyber-related issues.

It should be noted that an appropriate training facility would accomplish the above tasks  whether the sensor issues are malicious or unintentional.

Process sensor security may amount to a gap in standards and regulation

Three significant events have highlighetd the importance of estblishing robust cybers security practices:

- Based on discussions with the Transportation Security Administration (TSA), the recognition that the TSA pipeline cyber security guidelines did not address control systems including the sensors.

- The “discovery” in Abu Dhabi that more than 3000 sensors had no ability to have passwords https://www.controlglobal.com/blogs/unfettered/a-vulnerability-worse-than-log4j-and-it-can-blow-up-facilities-and-shut-down-the-grid/.

- The realisation that current pipeline cyber security guidelines effectively excluded the process sensors -  "Inventory should not include individual instruments that are not network connected".

As the cyber insecure sensors in the Abu Dhabi petrochemical plant show, digital sensors have built-in backdoors for performing remote calibration and other maintenance activities. That makes sense as a convenient, labor-saving design feature. It makes the sensors easier to upgrade and maintain. These same backdoors, however, can be exploited as vulnerabilities, even when the sensors do not appear to be connected to networks.

In essence, the backdoor in the process sensors allows for two-way communication to/from the Internet with no cyber security protection.  

An indication of the disconnect between engineering and cyber security is that many engineers would be willing to pay extra to have the backdoors because it makes their jobs easier despite the cyber risk. The same cyber vulnerabilities in the process sensors also exist for the field calibrators and the AMS. At the 2016 ICS Cyber Security Conference, the U.S. Air Force Institute of Technology (AFIT) and a Russian security researcher independently demonstrated how process sensor cyber vulnerabilities could be exploited. 

While considerable progress has been made for control system (Guidance now exists with the ISA/IEC-62433 standards, NIST SP800 series standards, and various other guidance documents), however, these standards do not yet address cyber security considerations at the lower levels and additional research, training, and testing to improve process sensor cyber security is required from both industry and government.

The discussions must be trans-disciplinary and must include engineers and facility operators as well as IT and OT networking personnel. The numerous actual control system cyber incidents clearly demonstrate that current approaches fail to sufficiently consider the engineer/operator roles and responsibilities in identifying and mitigating threats. This will need cooperation between physical security, network security, and engineering/operational security disciplines which can be fostered and enhanced via collaboration between professional associations and industry groups. 

The networking community currently dominates cyber security and views all sectors as effectively being an extension of IT. Meanwhile, the engineering community has limited participation in cyber security decision making process as the engineering equipment that is often vulnerable is ignored by networking cyber security. 

 A cross-disciplinary approach represents an important first step in bringing the engineering discipline to help address the cyber security of control systems which is generally not done when the focus is just securing the networks.

There are two distinct categories of process sensors to be addressed:

  • Legacy devices - These are the devices currently in use and those still being built. There is no cyber security in these devices or cyber security standards to address these device limitations.
  •  Nextgen devices - Nextgen is still “on the drawing board”. ISA/IEC62443-4-2 can addresses these devices. However, at today’s funding level, Nextgen is arguably years from a prototype.

Historically, the network community has questioned whether process sensors should be within the scope of cyber security efforts. They question if process sensors are computers and if they are on networks. Process sensors may not look like computers, but they have similar components such as microprocessors which perform familiar computing functions. Sensors are also on networks, often serial as opposed to routable networks.

The confusion may arise because many in the networking community view networks as being routable networks and therefore don’t recognize serial networks as being networks.

A way forward for process sensor security

Consideration should be given to establish a formal Group involving the relevant are engaged to develop policy and to determine what organizations are best suited to oversee this new and expanding area of training and research for control system field device cyber security.

This Group should develop a White Paper to clearly define what is unique about legacy control system field devices and what needs to be done to provide improved cyber security and identify the resources needed  to speed up  developing cyber security standards, frameworks, recommended practices, and information sharing.

Historically, standards have been driven by industry. It’s time for the industry that relies on process sensors to take the lead in closing the gap between cyber security and safety engineering.

Joe Weiss is Managing Partner at Applied Control Solutions

You Might Also Read:

Industrial Control System Security Is Overlooked:

 

« North Korean Hackers Stole $400m In Crypto Currency
REvil Cyber Ransomware Gang Members Arrested »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Becrypt

Becrypt

Becrypt is a trusted provider of endpoint cybersecurity software solutions. We help the most security conscious organisations to protect their customer, employee and intellectual property data.

Green Hills Software

Green Hills Software

Green Hills Software is the largest independent vendor of embedded secure software solutions for applications including the Internet of Things.

MKD-CIRT

MKD-CIRT

MKD-CIRT is the national Computer Incident Response Team for Macedonia.

Entreda

Entreda

Entreda offers a unified platform to automate cybersecurity and compliance policy enforcement for your devices, users, networks, applications.

SEWORKS

SEWORKS

SEWORKS provides offensive and defensive app security that ensures mobile and web apps are safe from dangerous hacking threats.

National Cybersecurity Preparedness Consortium (NCPC) - USA

National Cybersecurity Preparedness Consortium (NCPC) - USA

The mission of the NCPC is to provide research-based, cybersecurity-related training, exercises and technical assistance to local jurisdictions, counties, states and the private sector.

Client Solution Architects (CSA)

Client Solution Architects (CSA)

Client Solution Architects (CSA) is a leading digital transformation consulting firm focused on the U.S. Defense Department and all U.S. Federal enterprise information technology service areas.

Strike Security

Strike Security

Strike Security offers a continuous penetration testing platform that combines automation with ethical hackers.

BalkanID

BalkanID

BalkanID is an Identity governance solution that leverages data science to provide visibility into your SaaS & public cloud entitlement sprawl.

VinCSS

VinCSS

VinCSS Internet Security Services JSC is a leading organization working in the field of researching, developing, producing products as well as providing cyber security services.

Insight Enterprises

Insight Enterprises

Insight is a leading solutions integrator, helping you navigate today’s ever-changing business environment with teams of technical experts and decades of industry experience.

Daisy Corporate Services

Daisy Corporate Services

Daisy is one of the largest providers of communications and IT solutions across the UK, with a portfolio spanning unified communications, cloud, cyber security and resilience.

Mindcore Technologies

Mindcore Technologies

Mindcore provide cyber security services, managed IT services and IT consulting services to businesses in NJ, FL, and throughout the United States.

42Crunch

42Crunch

42Crunch provides API security testing and threat protection. We proactively test, fix and protect your APIs from development to runtime.

ETI-NET

ETI-NET

ETI-NET is the worldwide leader in managing critical data for industries that never stop.

Tausight

Tausight

Tausight is an AI-Powered patient data security startup with a mission of reducing healthcare cyber incidents using a more proactive, risk management philosophy.