2018 RSA Conference observations and the dangerous lack of control system understanding by network security personnel

April 22, 2018
Unfortunately, the culture gap between the control system and network security communities is alive and well. Our systems might stand a chance when this culture gap is surmounted and both communities work together to maintain reliability and safety.

I attended the 2018 RSA Security Conference in San Francisco. The RSA Security Conference is a network cyber security conference that addresses the intersection of network security and control system networks. There was progress: there was an ICS Village, many vendors used the term “OT”, and there were presentations on OT and control system/IoT cyber security. However, the RSA Conference did NOT address control system devices such as process sensors, actuators, and drives, other than in passing. The RSA ICS Village was, as Yogi Berra so eloquently phrased it, “déjà vu all over again”. The RSA ICS Village was almost the same as the 2017 Defcon ICS Village, with many PLCs and HMIs, one process sensor, and one valve. There was NO focus on either the sensor or the valve, even though that is where process safety is directly affected.

From a control system perspective, the fundamental disconnect with the RSA Conference can be demonstrated by conversations I had with a utility security engineer, a control system vendor network security engineer, and Cameron Camp’s ESET blog.

When discussing the lack of security in process sensors with the utility security engineer, I was focused on reliability and safety. The utility security engineer was focused on network vulnerabilities, not system impacts. If the network vulnerability cannot affect either reliability or safety, it is of minimal importance to anyone responsible for system operation. The utility security engineer mentioned that his control system/operations engineers didn’t seem very interested in security. 

I also had a discussion with the control system vendor security engineer (and the utility security engineer) on the definition of OT and the presentations on the convergence of IT and OT. Both viewed OT as everything that wasn’t IT. OT is the networking of control systems, and the demarcation between IT and OT is blurring. However, OT is NOT the process sensors, actuators, drives, analyzers, etc. Those are control systems, and the people responsible for that equipment do not consider themselves to be OT.

Cameron Camp’s ESET April 19, 2018 blog was “Hacking the Grid”. I am providing different quotes that demonstrate the lack of understanding of what is important to maintain safe and reliable systems (I deliberately did not use the word “secure”). “Now that many critical infrastructure systems have become network-connected – sometimes kicking and screaming – we take a look at why their tech often seems mired in the Dark Ages, and what folks here at RSA think might help….The reason relates to legacy: The plant operators with the most practical knowledge of keeping the gears humming have a very high priority on high system availability vs confidentiality or integrity – the other two legs of the CIA triad frequently referenced in the IT world. In other words, if the systems keep running, no one calls, and uptimes of years are both very common and welcome for things like the power grid. That means the most senior (and therefore, well-paid) operators have little incentive to packetize anything or stay up late learning about subnets. For some, networks represent an uncomfortable scourge that only affects the sunset years of their career, and assign it a commensurate importance. Although many operators were loath to admit it, especially with co-workers present, they really knew very little about how networks operate at all…. Meanwhile, the slow ooze of senior workforce into retirement, and the commensurate influx of digital natives, will be most welcome. And while the digitally-nurtured newcomers will have their hands full gaining the experience to keep the plant running for decades without significant interruption, packetized systems won’t seem a strain to learn and implement in ways that make sense. Now, if we could take the ancient communication protocols used to control the systems and redesign them to have robust authentication and other security features baked in, our systems might stand a chance!”

This paragraph pretty well sums up the danger with the network security industry attempting to secure control systems:

- The CIA triad is an IT artifact. For control systems, the most important letter is missing – the letter S for safety! IT can’t kill people; control systems can and have.

- In general, the network security community does not understand how facilities actually work and what safety means. Control system cyber security is not about data; it’s about protecting the physics of the process.

- The people responsible for the control system equipment are control system engineers who have had years of education, training, and experience on instrumentation and control systems. In most cases, network security people have not had this type of training.

- There are tens of millions of control system devices that have no security or authentication and will continue to be used for at least the next 10-15 years. ISA99 has established a new working group on process sensors, actuators, and drives to address the lack of security of these devices and their networks. Where is the network security participation?

Joe Weiss