Inability to correlate network anomalies to process conditions leads to self-inflicted denial-of-service or worse

June 25, 2017

Given how sophisticated hackers are able to bypass cyber security protections such as CrashOverride, viewing the raw process becomes even more important.

Currently, many people equate network anomaly detection (malware) with cyber security. Moreover, many people associate network anomalies with physical process anomalies. However, because of the lack of authenticated, secured process sensing (e.g., pressure, level, flow, temperature, voltage, current, radiation, etc.; see https://www.darkreading.com/vulnerabilities---threats/nuclear-plants-hospitals-at-risk-of-hacked-radiation-monitoring-devices/d/d-id/1329200 ), it is not possible to correlate physical process anomalies (e.g., changes in boiler temperature, pipe pressure, tank level, voltage, etc.) with network anomaly detection (e.g., malware, network packet compromise, etc.). Since network monitoring programs can only interrogate network packets, any changes to process sensing before the sensor data become packets can NOT be detected by network monitoring solutions.

The failure to correlate network anomalies with process anomalies has led to self-inflicted denial-of-service disruptions. Because the WannaCry malware was found on its networks, Renault halted auto production at several sites, including Sandouville in northwestern France. Renault-owned Dacia of Romania shut down its plants to prevent the spread of WannaCry in its systems. Nissan’s manufacturing plant in Sunderland, northeast England, was also affected by the cyber assault, though “there has been no major impact on our business,” a spokesman for the Japanese carmaker said. Honda stopped production at its Sayama plant after WannaCry made its way onto the automaker's network, not because of alarms on the factory floor. The impact was substantial, as the Honda plant produces approximately 1,000 vehicles per day. This is not to say the plants shouldn’t have been shut down. However, if the malware in the network does not impact the actual process, why shut the plants down until impacts appear imminent?

In order to address the glaring gap in control system cyber security due to insecure process sensing, I am working with technologies that detect changes in process sensing BEFORE the sensor information goes through the serial-to-Ethernet converters (these technologies have been installed in real process conditions). Issues caused by the compromise of the sensors before the serial-to-Ethernet converters would NOT be identified through network monitoring. This is important, as it is possible to compromise the sensor output before the serial-to-Ethernet converters, particularly as these converters have been hacked in the U.S. and Ukraine to deliver the BlackEnergy malware.

Possible impacts of compromised sensor data include the inability to reach a setpoint (e.g., safety valves or protective relays not opening, damaging equipment), inadvertently reaching a setpoint (e.g., plant shutdowns or electric outages), providing misleading information to the HMI (e.g., having the operator take the wrong actions), or compromising controllers or actuators. On June 13, 2017, I gave a presentation on “The Implications of the Ukrainian Cyber Attacks to Nuclear Plants” to the American Nuclear Society in San Francisco, which explicitly addressed these issues.

I believe that an informed decision as to when to shut down a physical process comes when you have a view of the actual process via the raw process sensing. This is because the raw process sensing will indicate a process change regardless of whether the change has unintentional or malicious causes. Moreover, viewing the raw process is independent of network cyber considerations. Given how sophisticated hackers are able to bypass cyber security protections such as CrashOverride, viewing the raw process becomes even more important.

Joe Weiss
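
The correlation argued for above, as an added example that is not the author's code or any vendor's product: a small triage routine that labels each minute by combining network alerts with the raw process view. The sample readings, thresholds, function names and the out-of-band raw tap ahead of the serial-to-Ethernet converter are all assumptions made for illustration.

```python
from statistics import mean, stdev

# Constructed sample (not from the article): tank pressure in bar, one value per minute.
# RAW is tapped at the sensor, before the serial-to-Ethernet converter (assumed out-of-band).
# REPORTED is the value for the same minute as carried in network packets.
RAW      = [10.0, 10.1, 9.9, 10.0, 10.1, 10.0, 10.1, 10.0, 12.5, 12.8, 13.0, 13.1]
REPORTED = [10.0, 10.1, 9.9, 10.0, 10.1, 10.0, 10.1, 10.0, 10.0, 10.1, 13.0, 13.1]
NET_ALERTS = [3]  # minute at which network monitoring raised a malware alert

def process_anomalies(raw, baseline_n=5, k=4.0):
    """Minutes where the raw signal leaves the band learned from the first baseline_n samples."""
    mu, sigma = mean(raw[:baseline_n]), stdev(raw[:baseline_n])
    return {i for i, v in enumerate(raw) if abs(v - mu) > k * max(sigma, 1e-6)}

def sensing_mismatch(raw, reported, tol=0.5):
    """Minutes where the networked value disagrees with the raw tap by more than tol."""
    return {i for i, (r, n) in enumerate(zip(raw, reported)) if abs(r - n) > tol}

def triage(raw, reported, alert_minutes, window=2):
    """Label each minute by combining network alerts with the raw process view."""
    proc = process_anomalies(raw)
    mism = sensing_mismatch(raw, reported)
    labels = {}
    for i in range(len(raw)):
        near_alert = any(abs(i - a) <= window for a in alert_minutes)
        if i in mism:
            labels[i] = "sensing-integrity"  # packets do not match the raw signal
        elif i in proc and near_alert:
            labels[i] = "correlated"         # process moved close to a network alert
        elif i in proc:
            labels[i] = "process-only"       # process moved, network monitoring silent
        elif near_alert:
            labels[i] = "network-only"       # alert, but raw process still in band
        else:
            labels[i] = "normal"
    return labels

if __name__ == "__main__":
    for minute, label in triage(RAW, REPORTED, NET_ALERTS).items():
        print(minute, RAW[minute], REPORTED[minute], label)
```

In the constructed data, the alert at minute 3 lands while the raw pressure is still in band, whereas the excursion that begins at minute 8 shows up in the raw signal two minutes before the networked values reflect it.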