ANALOG sensors can be hacked and OT network monitoring can’t detect it – a hole in ICS cyber security

Feb. 3, 2020
Exploiting certain engineering issues can have cyber consequences. The attack scenarios are very insidious because they appear, when they are seen at all, to be malfunctions, not cyber attacks. Additionally, there is a lack of cyber forensics and training for the domain experts. These types of attack scenarios also challenge existing definitions of defense-in-depth, redundancy, diversity, risk, etc. How many other issues like this are there? What is being done to find and address them?

If you can’t trust your process sensor measurements (e.g., pressure, level, flow, temperature, voltage, current, etc.), you have no cyber security, process safety, or resilience, along with very significant incremental risk. Yet, there is no cyber security, authentication, or cyber logging in process sensors, sensor networks, sensor protocols, sensor calibration maintenance tools, etc.

Like the protective relay issues with the Aurora vulnerability, which is a gap in the protection of the electric grid, process sensors have not been designed to account for potential vulnerabilities that can be exploited through cyber means. Specifically, comprehensive system engineering analyses have not been performed to understand what design features can be compromised, whether accidentally or maliciously, in ways that lead to unacceptable performance issues. The cultural gap between the engineering organizations and the computer security organizations starts at the university level and needs to be addressed before any of the infrastructures can be secured and reliability and safety maintained.

There have been numerous “discussions” about whether there is a need to monitor process sensors, as many in the OT cyber network monitoring community feel the only way to get access to the sensors is through the OT network. That is a dangerously wrong perception, as can be seen from this discussion as well as from the blog on counterfeit sensors that can be used to deliver malware behind every OT firewall: https://www.controlglobal.com/blogs/unfettered/the-ultimate-control-system-cyber-security-nightmare-using-process-transmitters-as-trojan-horses/.

Process plant and electric substation equipment such as transformers and other large electro-mechanical equipment rely on process sensing for control and safety systems. Control loops can act in milliseconds when sensor measurements change. Depending on the process, the attack described below can cause damage before an operator would know. As this vulnerability impacts common analog components, this could be a common cause failure defeating redundancy and safety.

The vulnerability of ANALOG signal amplifiers was identified by University of Michigan and University of Louisiana-Lafayette researchers in the paper “Trick or Heat? Manipulating Critical Temperature-Based Control Systems Using Rectification Attacks”. Process sensors use analog amplifiers to convert the raw analog measurements to voltage or current signals that are used in process sensor and HMI displays. The attack scenario developed by the researchers affects the general signal conditioning path of a process sensor by changing the amplifier output. The attack exploits an unintended rectification effect in the analog amplifiers that can be induced by injecting electromagnetic interference (EMI) at a certain wavelength through, in this case, the temperature sensors. EMI “attacks” affecting process control equipment are not new. My book is titled Protecting Industrial Control Systems from Electronic Threats because at the 2003 ICS Cyber Security Conference, the US Navy provided examples of electromagnetic spectrum events. Specifically, a Navy destroyer was performing pulsed radar testing off the coast of San Diego. The radar should have been shut down before the ship pulled into port. However, it was not shut down, and the radar pulse was strong enough (on the order of several MW per pulse) to shut down the San Diego Gas and Electric and San Diego Water Authority’s SCADA systems. That is, the electromagnetic spectrum can impact physical devices and processes, whether unintentionally or maliciously, and not be detected by network monitoring.

The university researchers found that analog temperature sensors such as thermocouples, thermistors, and resistance temperature detectors (RTDs) are susceptible to EMI attacks even if they are shielded. The attack scenario bypassed conventional noise filtering and generated a controllable DC voltage offset at the Analog-to-Digital Converter (ADC) input. Effectively, the process sensor, whether analog or digital, had been compromised without any indication. As an example, the resistance in an RTD is proportional to temperature. This signal goes through the analog amplifier to be converted into a signal for the meter. In this example case, the resistance should be converted to a value of 75°. However, if the ADC offset is changed, the same resistance can have an indicated value of 70° or 80°, either of which is still a “valid” value within the design operating range but is not correct. The Controller and HMI nevertheless take actions assuming the value is correct. Because this conversion occurs before the signal becomes an Ethernet packet, the erroneous offset cannot be detected by network monitoring. Furthermore, the paper shows how the exploit of this hardware-level vulnerability could affect different classes of analog sensors that share similar signal conditioning processes, such as pressure and pH sensors. The researchers demonstrated that an adversary could remotely manipulate the temperature sensor measurements without tampering with the targeted system or triggering automatic temperature alarms. As stated by the researchers, “from meters away or an adjacent room, an attacker could trick the internal control system of an infant incubator to heat or cool to unsafe temperatures.” The scope of this phenomenon covers process sensors whether used for operator information, process control, or process safety. Think of what this scenario could have meant for the Triton Triconex safety system cyber attack if the process sensors feeding the safety systems could have been compromised.
This type of attack can be a common-cause failure that can overcome the use of redundant sensors as a safety mechanism. As stated, the problem extends from baby incubators to process plant safety systems to building control systems, etc.

To identify this type of spectrum attack, there is a need for analog anomaly detectors that can identify malicious EMI interference in the vulnerable frequency range. An effective defense for sensor-based systems that maintains the reliability of the sensor data should account for the frequencies that can induce a rectification effect in the amplifier output signal. Based on the frequency analysis, manufacturers can modify the design of their systems to detect and react to attacks in those frequency bands. None of this can be done from an OT network that has already filtered the sensor input to the HMIs. The need to monitor process sensors for anomalous conditions, whether intentional or unintentional, extends beyond this scenario and requires appropriate process sensor monitoring at the raw signal layer. It should be evident that monitoring process sensors requires engineering expertise coupled with network monitoring experts to ensure a complete solution.
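The following is an added simulation, not code from the paper or from this blog, of the two points made above: a DC offset introduced ahead of the ADC shifts an RTD reading from 75° to 70° or 80° without leaving the alarm band, so a limit alarm and anything downstream of the filter stay silent, while a monitor on the raw signal layer can still see the interfering carrier. The PT100 constants, the 0..150 °C to 0..5 V scaling, the alarm limits, and the scaled-down carrier and sample rate are all assumptions chosen for the example.

```python
import math

# Constructed model (not from the paper): PT100 RTD, R0 = 100 ohm,
# alpha = 0.00385 per degC (linear approximation), amplifier scaled so
# 0..150 degC maps to 0..5 V at the ADC input. All values are assumptions.
R0, ALPHA = 100.0, 0.00385
T_SPAN, V_SPAN = 150.0, 5.0
ALARM_LO, ALARM_HI = 60.0, 90.0   # assumed alarm limits around a 75 degC setpoint

def rtd_resistance(temp_c):
    """Resistance of the RTD at the true process temperature."""
    return R0 * (1.0 + ALPHA * temp_c)

def amplifier_volts(resistance):
    """Signal-conditioning stage: resistance -> ADC input voltage."""
    temp = (resistance / R0 - 1.0) / ALPHA
    return temp / T_SPAN * V_SPAN

def indicated_temp(resistance, dc_offset_v=0.0):
    """What the controller/HMI reads after a DC offset is added at the ADC input."""
    v = amplifier_volts(resistance) + dc_offset_v
    return round(v / V_SPAN * T_SPAN, 1)

def alarm(temp):
    """Conventional limit alarm: silent as long as the value stays in range."""
    if temp < ALARM_LO:
        return "LOW"
    if temp > ALARM_HI:
        return "HIGH"
    return None

def raw_tap(fs, n, dc_v, carrier_hz=0.0, amp_v=0.0):
    """Constructed raw-layer samples: process DC level plus an optional carrier."""
    return [dc_v + amp_v * math.sin(2 * math.pi * carrier_hz * i / fs) for i in range(n)]

def goertzel_power(samples, fs, f_hz):
    """Energy at one frequency in the raw tap (Goertzel algorithm), per sample."""
    k = 2.0 * math.cos(2.0 * math.pi * f_hz / fs)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + k * s1 - s2
        s2, s1 = s1, s0
    return (s1 * s1 + s2 * s2 - k * s1 * s2) / len(samples)

def emi_anomaly(samples, fs, f_hz, threshold):
    """Raw-layer monitor: flag carrier energy in the assumed vulnerable band."""
    return goertzel_power(samples, fs, f_hz) > threshold
```

The post-filter value an OT network sensor would carry is just the shifted DC level, which is why `indicated_temp` alone cannot distinguish 80° from a genuine 80°; only `emi_anomaly`, fed from before the filter, has the information to flag it.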

These are engineering issues that, when exploited, can have cyber and safety consequences. The attack scenarios are very insidious because they appear, when they are seen at all, to be malfunctions, not cyber attacks. Additionally, there is a lack of cyber forensics and training for the domain experts. These types of attack scenarios also challenge existing definitions of defense-in-depth, redundancy, diversity, risk, etc. How many other issues like this are there? What is being done to find and address them?

Joe Weiss