ICSs were, and continue to be, designed to meet reliability, safety, and regulatory requirements. Cyber securing the ICS system consists not only of securing the OT networks but also the instrumentation, actuators, drives, analyzers, and controllers which often are serial-based before the conversion to Ethernet communications. Level 1 sensors, other field devices, and their communication protocols are generally not cyber secure. Additionally, it is often not possible to tell the difference between a malicious cyber compromise and an unintentional equipment failure. Moreover, the sensing/control loop will continue to operate even if the Ethernet network is not available. Consequently, there is a need to understand what is happening at the Level 1 layer in addition to what is happening with the OT networks.
When the Purdue reference model was developed there was a reasonably clean demarcation between the levels. With today’s blending of modern IT technologies into ICSs, it is getting harder to separate Levels 1, 2, and sometimes even 3. Incorporating a webserver directly into a controller or actuator begs the question – is it Level 1, 2, 3 or some new combination? Compromising Level 1 field devices also can be used to pivot to systems in Levels 2, 3, and 4 including the ERP systems. The five levels were defined in the June 15, 2015 blog- http://www.controlglobal.com/blogs/unfettered/the-need-to-address-the-cyber-security-of-field-controllers-and-sensors-level-1-devices/ :
- Level 0 — Physical process — Defines the actual physical processes.
- Level 1 — Intelligent devices — Sensing and manipulating the physical processes. Process *sensors, analyzers, actuators and related instrumentation.
- Level 2 — Control systems — Supervising, monitoring and controlling the physical processes. Real-time controls and software; DCS, human-machine interface (HMI); supervisory and data acquisition (SCADA) software.
- Level 3 — Manufacturing operations systems — Managing production work flow to produce the desired products. Batch management; manufacturing execution/operations management systems (MES/MOMS); laboratory, maintenance and plant performance management systems; data historians and related middleware. Time frame: shifts, hours, minutes, or seconds.
- Level 4 — Business logistics systems — Managing the business-related activities of the manufacturing operation. ERP is the primary system; establishes the basic plant production schedule, material use, shipping and inventory levels. Time frame: months, weeks, days, shifts
In far too many instances, the cyber security focus has been exclusively at the levels 2-4 because these levels generally use commercial-off-the-shelf (COTS) technology and Ethernet communications. This is the technology that most IT organizations (end-users and vendors) are familiar with and have available training and cyber security tools. The cyber impacts at the Level 2-4 levels are generally short-term denial-of-service events unless they are used to compromise the Level 1 devices or the Level 0 process. Conversely, Level 1 devices are well-known to the Operations and Maintenance staff but generally not to IT and security staffs or governmental policy makers.
Why are cyber security of level 1 devices an issue? Many Level 1 devices have the following characteristics:
- They use embedded systems with basic security (password protection) or have no cyber security.
- Field communication protocols such as wired and wireless HART, Profibus, Foundation Fieldbus, and others have been demonstrated to be cyber vulnerable.
- They rely on physical security such as Failsafe Jumpers (Write-Protected) as many of these devices will be located in hazardous zones. In case of incidents most people will be reticent to enter these areas. Consequently, Operations may introduce insecure ways/practices for connecting these devices.
- Many devices are now IP-based and/or have wireless capabilities.
- Many devices traverse multiple layers and write data back to systems in Levels 2, 3, or 4.
- Cyber threats can result in common cause failures that can defeat defense-in-depth strategies.
In the late 1980s and early 90s while at EPRI researching sensor health monitoring and response time testing, I found common-cause, non-detectable failures in pressure, level, and flow sensors used in nuclear safety and other critical applications. I also found sensor validity issues with ultrasonic feedwater flow measurements, vertical-shaft pump vibration measurements, and pulverized coal flow measurements. The remote, on-line calibration used to detect some of these types of failures also can be cyber vulnerable. Compromising Level 1 devices, whether intentionally or unintentionally, can impact the physics of the process thereby causing physical damage and/or personal injury with attendant long term consequences. There have been a number of major disasters where issues with Level 1 field instrumentation played a significant role. In fact, many of the unintentional ICS cyber incidents that have damaged equipment and/or killed people were a direct result of the Level 1 devices being unintentionally or maliciously compromised. Examples of major Level 1 instrumentation-related catastrophes include the Taum Sauk reservoir/dam failure, the Texas City refinery explosion, and the Three Mile Island core melt. However, few technologies exist to monitor Level 1 devices for security considerations. Because of the lack of ICS cyber forensics, it may not be possible to know whether Level 1 failures are malicious or unintentional though the impacts could be the same. Consequently, there is a great need to understand the authenticity and validity of Level 1 field device input/response to the Level 2-4 controllers and HMIs.
This is not a new issue. The cyber security of field devices was specifically identified in my cyber security roadmap, presentations, and papers since 2000. Specifically, I wrote a paper on the ICS cyber security roadmap for the November 2000 issue of Power Engineering, “Electronic Security Technology Roadmap”.
The reasons for this blog on cyber security of Level 1 devices were the following:
- The March 21-22, 2017 Microsoft IOT conference in San Jose where Microsoft made it clear that sensors were assumed to be authenticated and secure. According to Microsoft, secure, authenticated sensors are the first part of assuring the IOT cloud would be secure. Unfortunately, many commercial and industrial process instrumentation, actuators and drives are neither authenticated nor secure, making cloud security questionable for ICS applications.
- The April 2017 Power Engineering article, “The Growing Cyber Threat to the Energy Sector”, by Claroty demonstrated the importance of situational awareness of the OT networks while simply assuming the sensor input was correct. The article used a power plant as an example to demonstrate that plant components could be damaged over time by modifying critical system setpoints. In the mid-1990s while at EPRI, I was researching the impact of calibration drift on power plant components. Consequently, I performed a study of fossil-fueled power plants examining the impact of pressure and temperature sensor calibration drift on heat rate and plant component lifetime. The study showed that pressure sensor variations may not have much impact, but temperature sensor drift could have a significant impact on plant heat rate (fuel use) and component lifetime. However, the 2017 Power Engineering article does not address the sensor accuracy/compromise issues, and assumes that the input signals are accurate.
- 3eTi held a March 30, 2017 webinar on deep packet inspection for OT networks. Their deep packet inspection for sensors was to determine if the reading was out of design range. However, as with Stuxnet the sensor readings can be within design range and still be used to damage the process. Additionally, Level 1 devices were out-of-scope for the 3eTI deep packet inspection program.
- The ExxonMobil OpenGroup Automation Initiative covers the entire control loop except for the Level 1 field devices. The Initiative assumes valid sensor input and valid actuator/drive response.
- Siga is addressing the validity (and possibly authentication) of Level 1 devices by examining the electrical signal characteristics over time. The approach of validating Level 1 devices by examining electrical signals addresses sensor anomalies whether malicious or unintentional. This approach is similar to noise analysis that has been used for years in root cause analyses. Additionally, by inspecting electrical signals rather than packets, cyber threats to the Level 1 situational awareness are eliminated. Siga’s system is currently installed in a major water utility and will soon be installed in a building control application as well as in some combustion turbine controls. Siga has a video showing the system being used to identify malicious and unintentional sensor issues. In the video, the malicious case was changing setpoints and the unintentional case was inadvertently opening a valve. As mentioned above, either case could be malicious or unintentional as forensics most likely cannot tell the difference but the impact is the same.
Failure or compromise of Level 1 devices can, and have, resulted in major catastrophic failures. Consequently, there needs to be more focus on securing and having situational awareness of Level 1 devices. Securing Level 1 devices requires an understanding of the devices and processes. A better understanding of Level 1 devices can help secure the IOT cloud as well as make facilities more reliable, safer, and secure.