An ICS Cyber Vulnerability Beyond Stuxnet
Ralph Langner and other ICS cyber security experts have warned that the critical ICS vulnerabilities that can cause significant damage and/or personal injuries lie in the functional design of the instrumentation and control systems. Additionally, a presentation was made at the October 2013 ICS Cyber Security Conference where a DOD ICS researcher called ICS cyber warfare a “race to the bottom”. That is, where sensing and control actually occur. The field devices at the level “0” layer do the real time sensing of the physical parameters such as pressure, temperature, flow, voltage, current, chemical composition, etc and send this data to the controllers to make real time changes occurring in milliseconds without any operator intervention.
A presentation was made at the S4 Conference on Hart vulnerabilities. HART stands for Highway Addressable Remote Transducer protocol which is commonly used in many industrial applications at the level 0 layer. HART can either be wired or wireless and this vulnerability will affect either. Effectively the vulnerability allows several possible outcomes:
Take over a single device
Use the compromised device to take over all of the other devices on the HART highway
Use the compromised devices to take over the asset management software
There are a number of vendors that offer asset management software. Asset management software can be installed on the control system PC and used to monitor the digital data from HART or Foundation Fieldbus-enabled field devices. The asset management software provides an operator interface between the HART or Foundation fieldbus-enabled field device and the remote PC, which is networked to the control system via simple Ethernet. The asset management software provides the remote operator with COMPLETE ACCESS to both the primary variable and many secondary variables transmitted digitally by the HART or Foundation fieldbus-enabled field device. The asset management software enables the remote operator to check the field device measurement output, RECONFIGURE THE DEVICE, check calibration logs, and check error alerts without having to be present at the site.
I believe this type of vulnerability can compromise the integrity of HART and fieldbus messaging from a sensor to a controller. The strategic importance of this cannot be underestimated as this is the input to the HMI that affects the real time view and input to the controllers that affect real time control of tens of thousands of industrial processes. The vulnerability allows the reconfiguration of the field devices (change the variables, limits, alarm ranges, etc.), even reflash and write to EEPROM. As asset management software is used for predictive maintenance programs, the potential integrity compromise can affect maintenance as well as operational decisions. Moreover, it is not clear how one would detect this type of compromise if the data remains within the acceptable operating range which itself can be compromised. This vulnerability is beyond Stuxnet as it is not specific to any vendor, any specific process, the input data would be accepted by the controllers without question, and the initial compromise would be difficult to detect.
The asset management software vulnerability could cause an impact in either of two directions – the field devices where physical damage could occur or the ERP system where financial damage could occur. The security researcher that found the vulnerability was an ERP security expert concerned with access to the ERP. One can only wonder what is happening with ICS experts intending on doing physical damage.
With all of the new vulnerabilities being found, maybe there should be a consideration for all critical control and safety systems to go “back to the future” – 4-20ma point-to-point serial.
Additional links on the vulnerability can be found at waltboyes.livejournal.com.