Control system intelligent control and communication capabilities are moving further down into the end devices—process sensors, actuators and drives. From a cybersecurity perspective, this is moving the security responsibilities closer to the end user/system integrator. From a cybersecurity perspective, it's also blurring the lines between a master station (DCS or SCADA), a data aggregator (asset manager or remote terminal unit), and field device (smart transmitter or intelligent electronic device, i.e. smart relay/breaker).
This movement in technology impacts the definitions of Purdue Reference Model level 0,1 devices. The fundamental question is, what is a sensor? A sensor can simply be two pieces of wire—a thermocouple. On the other hand, a sensor can be a smart transmitter that includes the sensor(s) and fully configurable electronics that effectively provide PLC capabilities. Smart transmitters generally have analog inputs that can provide safety input, and also have Ethernet ports to go directly to the cloud/Internet—within same device.
I have been analyzing a specific state-of-the-art smart transmitter (hopefully the detailed assessment will become a formal paper). The transmitter is cyber vulnerable because of the design features, similar to the Siemens systems in Stuxnet. One design feature is that USB can be used to extract configuration files directly from the transmitter (not a Siemens device). However, there is no capability to lock down the USB port.
Capability-wise, this transmitter is a PLC. However, because the device is considered a transmitter, not a PLC, the Stuxnet “fixes” of monitoring firmware changes, precluding configuration/logic changes, USB control, etc. have not been included. The transmitter can directly communicate with the cloud, Internet, etc., yet there is no DMZ because it is a transmitter, not a server.
There is a move toward embedding web servers directly into the field devices. This started many years ago with some distribution transformers because that would provide the transformer temperature to whomever needed it (specious reasoning). After all of the discussions about keeping control systems, especially those devices with no security off the Internet, why do this?
In my “Unfettered” blog, I have provided numerous examples where the “good guys” have demonstrated a lack of imagination as to cyber threats. Here is another example to add to the list. These examples also beg the question: Shouldn’t there be a safety assessment before new capabilities/features are added to control systems, particularly those with no cyber security capabilities?
Joe Weiss, P.E.
Applied Control Solutions LLC