A 2018 retrospective on control system cyber security – we aren’t as far along as many people think

Jan. 2, 2019
During 2018, Operational Technology (OT) cyber security and threat hunting vendors flourished. There also were many control system cyber vulnerabilities, multiple unintentional control system cyber incidents, multiple control system cyber attacks. What is still missing is adequately addressing the control system field devices.

During 2018, Operational Technology (OT) cyber security and threat hunting vendors flourished. There also were many control system cyber security items of note including many control system cyber vulnerabilities identified from multiple control system and cyber security vendors, multiple unintentional control system cyber incidents, and multiple control system cyber attacks. There was the rising tide of OT cyber security and threat hunting vendors, some of which have never seen an actual control system device. The insurance industry is getting more involved in offering cyber insurance without understanding the unique issues with control system cyber security nor the lack of adequate control system cyber security metrics.

I have documented more than 20 control system cyber incidents that occurred in 2018 (this is conservative as there were more than one control system end user affected by Wannacry, NotPetya, and GPS attacks and multiple newspaper publishers affected by what has been thought to be ransomware attacks). Some of the significant control system cyber incidents include:

Malicious attacks:

-        A US utility cyber attack resulting in loss of power to thousands of customers

-        Shutdown of a major US data center

-        Long-term Russian infiltration of a US utility preventing remote control of substation equipment

-        NotPetya impacts on control systems (see above)

-        Wannacry impacts on control systems (see above)

-        Reprogrammed robots

-        GPS hacks affecting ships (see above)

-        Printing presses hacked (see above)

Unintentional control system cyber incidents

-        Boeing 737 LionAir crash (189 died)

-        Multiple unintentional control system cyber incidents with multiple US utilities resulting in loss of view and control (no mention of the term “cyber”)

-        the Andover, MA natural gas pipeline ruptures

Control systems consist of Ethernet-based (Internet Protocol) control system networks and control system field devices (e.g., process sensors, actuators, drives, power supplies, analyzers, and controllers). Control system network cyber security is monitoring of the control system OT networks and commercial-off-the-shelf operating systems for malware and other network anomalies. It also includes device identification and threat identification. There have been many OT cyber security technologies from control system and OT vendors, many new entrants into the control system cyber security space, legislation meant to address grid and IOT cyber security, numerous ICS cyber security conferences, articles, interviews, etc. The vast focus of control system cyber security was on OT networks.

Control system field devices perform real-time monitoring and control. They are often analog systems, use proprietary rather than commercial-off-the-shelf operating systems, and utilize device level networks. The device level networks are often serial with minimal cyber security capabilities. Consequently, ISA99 established a Task Group to assess the applicability of the existing IEC62443 standards to legacy field devices and lower level sensor networks. The results were the existing standards did not adequately address legacy field devices and networks and further work is needed. Moreover, cyber security requirements in the electric industry (NERC CIPS) consider field devices and lower level networks out-of-scope. Currently, sensors are being addressed at the Ethernet IP layer ASSUMING the sensor signal is authenticated, correct, and uncompromised rather than at the raw signal level which is the only way to determine if those assumptions are valid.

The IT cyber security mantra is you are only secure as your weakest link. Unfortunately, that has not been true of control systems. As mentioned, OT networks are being addressed. However, field devices which are the input to the OT networks are worse than insecure- there is NO cyber security. Yet they are being ignored by the OT cyber security community – if you are not monitoring the raw sensor signal, field devices are effectively being ignored. As process sensors and other field devices are the basic input to SCADA, Distributed Control Systems (DCSs), and PLCs, it is not possible to have a secure SCADA, DCS or PLC. What happened to the mantra – “you are only secure as your weakest link”?

Attached is my assessment on 2018 OT and field device cyber security. The categories include people, process, and technology.  

The people issues include coordination between engineering and network (IT/OT) organizations as well as cyber security and process safety organizations. This is important because the network organizations understand network considerations but generally not physics or process safety issues which can lead to long-term physical damage. Stuxnet, Aurora, and the data center damage by compromising power supplies are examples of using cyber to cause physics issues without using malware. Field device cyber security issues were presented at the following conferences - it was new to most of the attendees:

-        IEEE Power Engineering Society (substation standards don’t address sensors)

-        IEEE Product Safety Engineering Society

-        ISA Power Industry Conference (POWID)

-        ISA Safety and Security Conference

-        ISA Water/Wastewater Conference

-        Texas A&M Instrumentation and Automation Symposium

-        Air Force Cyber Policy Conference

-        Cyber Endeavor 2018

-        EnergyTech

-        RealComm

Additionally, process safety standards (ISA84), Digital Factory (TC65), February Cyber Mutual Aid Workshop, March 2008 DOE Cybersecurity Roadmap, 2018 President’s National Infrastructure Advisory Council (NIAC) report “Surviving a Catastrophic Power Outage – How to Strengthen the Capabilities of the Nation”, and other reports have not addressed process sensor cyber security issues, physics issues such as Aurora, etc. In fact, new sensor designs include built-in web servers, analog valves are being upgraded to communicate with the web, etc.

Process issues include information sharing, training, supply chain management, and procurement. Most of the training being offered is for OT networks not system impacts (I am not aware of training being offered at the raw sensor layer). The Triton malware shut down the plant multiple times before it was recognized this may have been a cyber attack. Control of the supply chain for control systems, particularly field devices, is still a major open item. There is at least one control system vendor that does have control of the supply chain as they have relationships with their chip and OS suppliers (Bedrock Automation). Procurement language for cyber security is focused on OT networks not field devices and this hasn’t really changed since the Idaho National Laboratory first issued their procurement guidelines more than 10 years ago.

Technology includes network monitoring - network anomaly detection - and control system device level monitoring - process anomaly detection (I am only aware of one vendor doing this).  The need for monitoring is to “keep lights on and water flowing” whether the networks are available or not. The vast majority of control system incidents will not be malicious but they are still critical to monitor for reliability and safety. Because of the lack of control system cyber forensics and training, it may not be possible to know whether an incident is a malicious cyber attack or not which is why process anomaly detection is so important.

Category

Control System Networks (OT)

Field Device/Device Networks

Network Monitoring

Good

Poor

Threat Hunting

Good

Poor

Network Training

Good

Poor

Process/Safety Training

Poor

Poor

Standards

Good

Poor

IT/OT convergence

Good

Poor

IT/OT/Engineering convergence

Poor

Poor

Vulnerability sharing

Good

Poor

Incident sharing

Poor

Poor

Procurement

Good

Poor

Risk/Vulnerability assessments

Good

Poor

This retrospective provides a basis for assessing the potential impact of the 2019 expert prognostications. It is 2019 yet there has been little movement/understanding on field devices since I first got involved in control system cyber security in 2000 while at the Electric Power Research Institute (EPRI). The irony is cyber security exists where you have short-term glitches, but there is no cyber security where you go “boom in the night” and can have months to years of down time. As Smart Grid, IOT, IIOT, Industry4.0, and digital transformation are all about “lots of sensors” and big data analytics, if you can’t trust your measurements, it is “garbage in-garbage out”. I am aware that some of the “bad guys” understand these vulnerabilities. Wake up before it is too late.

Joe Weiss