2018 RSA Conference observations and the dangerous lack of control system understanding by network security personnel

I attended the 2018 RSA Security Conference in San Francisco. The RSA Security Conference is a network cyber security conference and addresses the intersection of network security and control system networks. There was progress, as there was an ICS Village, many vendors using the term “OT”, and presentations on OT and control system/IoT cyber security. However, the RSA Conference did NOT address control system devices such as process sensors, actuators, and drives, other than in passing. The RSA ICS Village was, as Yogi Berra so eloquently phrased it, “déjà vu all over again”. The RSA ICS Village was almost the same as the 2017 Defcon ICS Village, with many PLCs and HMIs, one process sensor and one valve. There was NO focus on either the sensor or the valve, even though that is where process safety is directly affected.

From a control system perspective, the fundamental disconnect with the RSA Conference can be demonstrated by conversations I had with a utility security engineer, a control system vendor network security engineer, and Cameron Camp’s ESET blog.

When discussing the lack of security in process sensors with the utility security engineer, I was focused on reliability and safety. The utility security engineer was focused on network vulnerabilities, not system impacts. If the network vulnerability cannot affect either reliability or safety, it is of minimal importance to anyone responsible for system operation. The utility security engineer mentioned that his control system/operations engineers didn’t seem very interested in security. 

I also had a discussion with the control system vendor security engineer (and the utility security engineer) on the definition of OT and the presentations on the convergence of IT and OT. Both viewed OT as everything that wasn’t IT. OT is the networking of control system networks. The demarcation between IT and OT is blurring. However, OT is NOT the process sensors, actuators, drives, analyzers, etc. Those are control systems and the people responsible for that equipment do not consider themselves to be OT.

Cameron Camp’s ESET April 19, 2018 blog was “Hacking the Grid”. I am providing different quotes that demonstrate the lack of understanding of what is important to maintain safe and reliable systems (I deliberately did not use the word “secure”). “Now that many critical infrastructure systems have become network-connected – sometimes kicking and screaming – we take a look at why their tech often seems mired in the Dark Ages, and what folks here at RSA think might help….The reason relates to legacy: The plant operators with the most practical knowledge of keeping the gears humming has a very high priority on high system availability vs confidentiality or integrity – the other two legs of the CIA triad frequently referenced in the IT world. In other words, if the systems keep running, no one calls, and uptimes of years are both very common and welcome for things like the power grid. That means the most senior (and therefore, well-paid) operators have little incentive to packetize anything or stay up late learning about subnets. For some, networks represent an uncomfortable scourge that only affects the sunset years of their career, and assign it a commensurate importance. Although many operators were loath to admit it, especially with co-workers present, they really knew very little about how networks operate at all…. Meanwhile, the slow ooze of senior workforce into retirement, and the commensurate influx of digital natives, will be most welcome. And while the digitally-nurtured newcomers will have their hands full gaining the experience to keep the plant running for decades without significant interruption, packetized systems won’t seem a strain to learn and implement in ways that make sense. Now, if we could take the ancient communication protocols used to control the systems and redesign them to have robust authentication and other security features baked in, our systems might stand a chance!”

This paragraph pretty well sums up the danger with the network security industry attempting to secure control systems:

- The CIA triad is an IT artifact. For control systems, the most important letter is missing – the letter S for safety! IT can’t kill people; control systems can and have.

- In general, the network security community does not understand how facilities actually work and what safety means. Control system cyber security is not about data, it’s about protecting the physics of the process.

- The people responsible for the control system equipment are control system engineers who have had years of education, training, and experience on instrumentation and control systems. In most cases, network security people have not had this type of training.

- There are tens of millions of control system devices that have no security or authentication and will continue to be used for at least the next 10-15 years. ISA99 has established a new working group on process sensors, actuators, and drives to address the lack of security of these devices and their networks. Where is the network security participation?

Unfortunately, the culture gap between the control system and network security communities is alive and well. Our systems might stand a chance when this culture gap is surmounted and both communities work together to maintain reliability and safety.

Joe Weiss


Comments

  • As a long-time system engineer whose work included extensive experience with control systems, I can say that Joe's observations are correct. Most operations and control system engineers think of security on a regular basis, knowing that control systems are the intelligence that maintains system reliability and stability. I would be surprised that an operations or control systems engineer would say "that his control system/operations engineers didn’t seem very interested in security," since any compromise of control systems, programmable logic controllers, automation controllers, communication relays and sensors affects the stability and reliability of a power system. When it comes to power systems and infrastructure security, we are vulnerable. I watched a meeting of the Senate Armed Services Committee with General Mike Hayden (Retired U.S.A.F.), former CIA Director; James Clapper, former Director of National Intelligence; and Admiral James G. Stavridis (U.S. Navy), former Commander, United States European Command, and in observing the Senators and panel participants it was clear they had no idea how to engage cyber attacks and cyber intrusions on power systems and infrastructure. The approaches they cited for engaging cyber attacks and intrusions were based on the tactics of conventional warfare. This lack of understanding of the cyber battlefield will allow for massive damage to the operation of the national grid.


  • I agree with most of Joe’s notes; one point I would like to add. Even though a security engineer works for a vendor organization, that doesn’t necessarily mean he/she has a process control background. New hires generally have an IT security background because people with a process control background are very difficult to find. Within the vendor organization, the security team will not be very popular when they hire people from their service or engineering departments. For me, I believe that understanding the inner workings of the systems and how and where they are used is essential knowledge every OT cyber security engineer should have. As such, you might even wonder if a cyber engineer with a power background has sufficient knowledge to assess an ICS used in a refinery. Sub-systems differ, and often the use of communication protocols differs as well. Also, the OT and IT separation was created by Gartner, an IT-centric organization with limited knowledge of process control systems. This terminology mainly created confusion to assist the marketing organizations in targeting a new market. I think it is best to talk about industrial control systems and define the cyber security scope as all assets below the firewall to the corporate network or any other external non-ICS system. This would include all systems from L0 up to the DMZ (L3.5). The consequence of Joe’s observation is that many cyber security and risk assessments are conducted by people who have no understanding of the system they investigate, missing several serious issues. Some of them walk away after a one-day discussion on back-ups, antivirus, firewall ... without collecting information, without investigating all these other functions in an ICS. Others are considered high cost because they want to do a thorough and complete job. It is very difficult for a plant to select the right service / partner ... and a SANS certification is not really a good measure because it also addresses only a small part of the scope.
I have seen reports of very respectable companies really missing the issue. For example, going into auto mode if they find an OPC connection and advising a firewall, even if the OPC server has a service-wide setting for read/write access, actually allowing writes to any tag/parameter after one tag/parameter has been allowed. Only OT specialists know the restrictions of OT applications and how to fix the vulnerabilities.
