CT-Update-Sample-400
CT-Update-Sample-400
CT-Update-Sample-400
CT-Update-Sample-400
CT-Update-Sample-400

Network anomaly detection can provide a false sense of security

June 6, 2017

The assumption that network anomaly detection is correlated to physical process anomalies is only true if there is a direct look into the “raw” process. However, network anomaly detection cannot address potential sensor anomalies that occur before the serial-to-Ethernet convertors leading to a false sense of security.

ICS cyber security is still too ”IT-focused”. That is, currently ICS cyber security is all about the network. Dale Peterson in his DigitalBond blog identified 20+ vendors providing network anomaly detection for ICS networks. The assumption is that network anomaly detection is correlated to physical process anomaly detection. Why else would Operations care? However, this is not a correct assumption since network anomaly detection addresses packets not physical processes. The analogy would be how could a doctor make a diagnosis if he/she can’t trust the temperature and blood pressure readings? The physical process, eg, boiler pressure, pipeline flow, tank level, etc. is controlled by process sensor input. Currently, commercial/industrial process sensors, eg, pressure, level, flow, temperature, humidity, voltage, current, polarity, etc. lack authentication and cyber security. Consequently, it is not clear that the sensor packet input from the serial-to-Ethernet converters are correct and uncompromised since by the time the sensor signals reach the Ethernet network, the sensor value may already be compromised or inaccurate. Therefore, it is not possible to correlate cyber vulnerabilities to process system impact without a direct look into the “raw” process. This becomes even more important because serial-to Ethernet converters were compromised in the US electric grids in the 2014 timeframe and in the 2015 and 2016 Ukrainian cyber attacks. The focus on the compromise of the serial-to-Ethernet convertors were to use the convertors as a means of getting into the networks (“race to the top”) as opposed to using the convertors as a means of getting to the sensors (“race to the bottom”). This means that network anomaly detection can be providing a false sense of security because it cannot address potential sensor anomalies occurring before the serial-to-Ethernet convertors. This is critical because testing has demonstrated that control system devices can be compromised without any indication from network deep packet inspection. Other potential impacts that could not be found by deep packet inspection include preventing sensors from reaching their setpoints or causing sensors to spuriously reach setpoints shutting down processes. These scenarios have already occurred in nuclear plants and other critical applications.

Joe Weiss

Like this blog post? Sign up for the Control Update newsletter and get posts like this delivered right to your inbox.