Real cybersecurity may require revisiting how we verify integrity at the sensor

If we don't monitor the health and accuracy of sensor signals, we leave ourselves open to hackers who can spoof the control and security systems.

By Paul Studebaker

For the past six months, I’ve spent a good chunk of my spare time bringing back to life a 1963 Studebaker Avanti that spent 20 years in a garage in Tulsa, Okla. This machine is not unfamiliar, as it once belonged to my father and I drove it in my youth, but I'd forgotten just how much more mechanical cars were 50 years ago than they are today. Along with vacuum and centrifugal spark timing systems, Bourdon-tube oil pressure and manifold vacuum gauges, thermostatic heat riser and choke systems, etc., the engine has a vacuum-modulated idle speed controller; if it slows too much when the transmission is put in gear or the A/C compressor is engaged (assuming it ever works again), the resulting drop in vacuum releases a “throttle kicker” to correct the idle speed.

Functions that in today’s cars are handled invisibly by sensors and control modules over CAN bus were harnessed at the source: to measure RPM, use centrifugal weights and springs; for temperature, a bimetal; for vacuum or pressure, a diaphragm or coiled tube. The signals are translated directly into actuation with no wires, no networks and certainly no way to hack them or put them on the Industrial Internet of Things (IIoT).

If we don't monitor the health and accuracy of sensor signals, we leave ourselves open to hackers who can spoof the control and security systems.

Many proponents of connecting the plant floor to the cloud say security can be handled with familiar IT firewalls; zone, conduit and access controls; and special-purpose industrial firewalls and security devices, as described by Bill Mostia. Others say it’s safer, cheaper and easier to bypass the control system, and go directly to the cloud with IIoT alternatives, as you can see in detail in this month’s cover story.

But cybersecurity expert Joe Weiss maintains that if we don’t monitor the health and accuracy of sensor signals, we leave ourselves open to hackers, who can spoof the control and security systems into thinking they’re getting healthy, accurate signals when they are not. They can even fool deep packet inspection (DPI), which Mostia describes as “an advanced packet filter method that examines the data or payload of the transaction in the application context as it passes into an inspection point, and searches using defined criteria to decide whether the packet may pass.” Sort of like a TSA agent for data.

Weiss is one of the “Cassandras” in the new book, "Warnings: Finding Cassandras to Stop Catastrophes," by Richard Clark and R.P. Eddy, both eminently qualified to handle the topic. Amazon says, “In Greek mythology, Cassandra foresaw calamities, but was cursed by the gods to be ignored. Modern-day Cassandras clearly predicted the disasters of Katrina, Fukushima, the Great Recession, the rise of ISIS, and many more. Like the mythological Cassandra, they were ignored. There are others right now warning of impending disasters, but how do we know which warnings are likely to be right?” My copy is on its way.

Weiss says we won’t be safe until we revisit how we evaluate signals at the source. “By the time  the sensor signals reach the Ethernet network, the sensor value may already be compromised or inaccurate,” he says. “Testing has demonstrated that control system devices can be compromised without any indication from network deep packet inspection. Other potential impacts that could not be found by deep packet inspection include preventing sensors from reaching their setpoints or causing sensors to spuriously reach setpoints, shutting down processes. These scenarios have already occurred in nuclear plants and other critical applications.”

Like the smell of unburned hydrocarbons from a four-barrel carburetor, cybersecurity concerns like these make me nostalgic for the old days of pneumatic and mechanical controls. That Avanti’s automatic transmission does a pretty good job of understanding my intentions and shifting appropriately using just well-engineered hydraulics, a pressure regulator linked to the gas pedal, and governor on the tailshaft. Not a wire in sight.