ICS cyber threats are morphing into compromise of plant functionality – do we have the right tools?

Friday and Saturday July 28-29, 2017, I attended (and spoke) at my first Defcon Conference (I still have not attended BlackHat). Defcon was a zoo - people everywhere. It almost looked like Halloween with the different dress. As a novice to Defcon, I found it incredible the number of different sessions and people involved in things from lock picking to just about every form of hacking. I ran into a number of people I knew, or at least knew me, particularly at the ICS Village. In a surprise to me, Congressman Langevin visited the ICS Village and got a better idea of the different aspects of hacking control systems. There was one sensor in the ICS wall in the ICS Village. When I asked, what was being done about monitoring or securing the sensor, I was told it was just a 4-20 milli-amp sensor, why bother.

There were several very good talks at the ICS Village including Chris Sistrunk’s talk about ICS forensics. This was of great interest to me as Chris reinforced the lack of existing ICS cyber forensics. There was also several training sessions.

On Saturday I gave a presentation on the lack of authenticated, secure process sensing. There was very little understanding of sensor issues - the focus was on hacking controllers. Network-based anomaly detection systems start from the time the sensor readings are converted into IP packets in the serial-to-Ethernet convertors. There is currently an assumption by many that network anomalies equate to process anomalies – this is not true. There was little understanding sensors could be compromised before the convertor, and therefore, little question of the validity of the results from the network anomaly detection systems.

My presentation focused on the physics issues. I had not seen Marina Krotofil’s presentation at Black Hat of hacking a “non-critical” valve to cause pump cavitation https://www.wired.com/story/evil-bubbles-industrial-pump-hack. Consequently, it was interesting how my presentation dovetailed so closely with her presentation. Cyber threats are now (actually started with Stuxnet and Aurora 10 years ago) morphing to compromise of plant equipment functionality. With Aurora, engineers have known for many years you do not restart AC equipment out-of-phase with the grid. Yet this is what Aurora does. Engineers have identified operating regions as being “out-of-bounds” for operation because you could be operating on a resonance frequency, cause cavitation, or create a water hammer, etc. Pump curves specifically tell you where to avoid operation. What Marina did was to operate where there would be a known problem. Variable frequency drives explicitly identify frequencies to avoid (and they have no authentication or security). Network anomaly detection cannot find these operating conditions as it is not malware. One of my examples of sensor issues was a power plant I recently visited where the plant tripped after the pressure sensor inadvertently reached its setpoint because the sensing line was clogged. In this case, it was not possible for network monitoring to detect the degradation in sensor performance because the packets did not contain the relevant information. Several years ago, a safety relief valve in a nuclear plant not lift because the sensor could not reach its setpoint. These cases are similar to Marina’s presentation as network anomaly detection generally cannot identify plant issues such as pump cavitation until it is too late. The same can be said of piping issues such as water hammer. The Sayano Shushenskaya Russian dam failure was a non-malicious failure caused by physics – running on a resonant frequency. This event also could have been caused maliciously. Without sensor monitoring, it is NOT possible to see the precursor to these kinds of conditions until it is too late. As these examples include both unintentional incidents as well as cyber attacks, the impacts are the same but you cannot tell the difference!

One question that arose at my talk was the use of historian data as a back-up. However, the historian data is comprised of sensor data. Consequently, if the sensors are compromised, the historian data is also compromised.  I did not address specific solutions, but there are some companies working on sensor monitoring before the sensor data becomes an Ethernet packet.

As an aside, Dale Peterson had asked me to participate in a panel at S4 2018 on an Aurora retrospective. Aurora is a physics problem. When I offered to address the sensor issues, Dale said it was not necessary as his S4 attendees were well aware. From my personal interactions including at Defcon, this is not true.

The examples show that ICS cyber threats are morphing from malware/insecure-by-design issues that can be found by network monitoring to compromise of system or component functionality which can be very difficult to detect, can cause significant physical damage and injuries, and probably cannot be found by network monitoring.

Joe Weiss

Show Comments
Hide Comments

Join the discussion

We welcome your thoughtful comments.
All comments will display your user name.

Want to participate in the discussion?

Register for free

Log in for complete access.

Comments

  • Joe - It is my sincere hope that the S4 attendee is more experience with ICS, ICS Security, OT, Engineering ... than the typical Defcon attendee. We put together the program to specifically avoid 101 level information, and I'd put the fact that Level 0 lacks any security (let alone that we are just starting to see security on Level 1) is known by the advanced ICS security professional by now. That said, there is great value in spreading this information in the IT security events that reach different communities that may be able to help, as well as to the ICS security events that try to expose those new to ICS security to the basics. Marina's water system demo is telling in light of our discussion last week on Aurora. She is essentially showing the basic point of Aurora, that access to the control system can cause physical damage, 10 years after Aurora. And it is still considered newsworthy. This is not a slight on Marina or the work. The fact that it garnered press and surprise is ipso facto it is still needed. Dale Peterson Digital Bond, Inc. s4x18.com

    Reply

  • 'Consequently, if the sensors are compromised, the historian data is also compromised.' In clarification, engineering and scientific methods include a healthy distrust of instrumentation. Let's face it there is a lot that can go wrong and it frequently does. Data analysis with historical trends is often quite effective in identifying errant sensors. But what about intelligent tampering with a signal? Triangle fun aside, Jason Larsen's "Going Small When Attacking A Process" is indeed kind of spooky. Defensive methods need to step up to identify an intelligently faked signal. Redundant sensing is a classic approach. A redundant sensor on separate IO but still within the same PLC or Controller doesn't substantially increase the effort needed to fake both signals. Redundancy strategies with more diversity are likely to raise the bar. Similarly more advanced controls make use of historian data to generate 1st principle, stochastic models, and 'soft' sensors. It's fair to suggest that substantially more effort is required to generate fake signals to defeat these kind of models. In short, industry deals with Garbage IN - Garbage OUT all the time. Given that faked signals are more like toxic waste, important to safety systems should address potential sensing issues using all available means. Today, this will likely include models generated with historian data.

    Reply

  • There are really simple method where you can access anyone twitter account without having any problem. You just visit our website twthack.net and get an online twitter account hacker completely free of cost.

    Reply

  • free game stop gift code generator game stop gift code generator website

    Reply

RSS feed for comments on this page | RSS feed for all comments