IEEE paper on process sensor monitoring – what you need to know about process sensor cyber security

Nov. 2, 2022
Joe Weiss responds to Dale Peterson’s October 25 blog titled “The Weissian Level 0/1 Issue.”

“Mother Nature” is analog, and every process sensor reading starts as a physical effect of the environment on the sensing element. That effect is electronically converted into a reading of pressure, temperature, flow, vibration, current, voltage, etc., which is in turn converted into Ethernet packets that feed the Windows operator displays and the OT monitoring systems. The serial-to-Ethernet conversion step is itself susceptible to cyberattack, as the 2015 Ukrainian grid cyberattack showed when serial-to-Ethernet converters were rendered inoperable by malicious firmware. Industry 4.0, digital transformation, Smart Grid, and the other emerging families of technology use process sensor readings and Industrial Internet of Things (IIoT) devices as the input to their advanced analytics. These technologies assume that the raw sensor data are uncompromised, authenticated and correct. That assumption may be why process sensor cyber security is generally ignored by the IT and OT cyber security communities. It can be seen in many OT/ICS articles and cyber security conference presentations, and in the tendency of many federal government cyber security initiatives to focus on network sensors while ignoring process sensors.

On October 25th, Dale Peterson’s Tuesday blog was “The Weissian Level 0/1 Issue.” Dale asked, first, whether we have an issue with Level 0/1 sensors recording and sending accurate data with the required precision, and second, whether the lack of authentication in Level 0/1 communication is a security risk that needs to be prioritized and addressed in the next 1-3 years. Dale stated: “I have no idea on the answer to question 1. My answer to question 2 is and has been no.”

My response to both of Dale’s questions is different. My answer to the first question can be found in my blog https://www.controlglobal.com/blogs/unfettered/windows-based-hmis-are-too-slow-for-monitoring-process-sensors-or-plant-equipment-anomalies and in the IEEE paper described below. Inaccurate (misleading) process sensor readings have directly contributed to a nuclear plant core melt and other nuclear plant safety issues, explosions in refineries and oil storage tanks, pipeline ruptures, train crashes, airplane crashes, and more. The concern about the lack of process sensor authentication can be seen in the following two cases. In the first, an engineer in Abu Dhabi wrote: “There are no passwords at all in most of the instruments, even by default. You simply plug in your HART communicator (which has no cyber security or authentication) and change whatever you want.” This should be a clarion call to address the sensor issue. In the second, hardware backdoors have been installed in equipment in various industries, including electric and pharmaceuticals, that bypass the OT networks. Without authentication, you don’t know whether the process sensor data that directly controls the equipment and informs the operators is coming from the process sensors or from operators in Beijing. I don’t believe you can wait 3 years to address these types of vulnerabilities, which are already prepositioned and ready for use. Neither network monitoring nor threat hunting can address the sensor issues, though compromised sensor readings can affect OT networks and the conclusions drawn from threat hunting.

The lack of understanding about process sensor cyber security also extends to the engineering community. An acknowledged process industry instrumentation cyber security expert stated: "I have spent years talking to brick walls and brick heads about the lack of security in field devices. Their response is typically that they are air gapped and that everything is safe and secure. Irrational fantasy at best. I am not alone in this quest, but I am definitely in a minority.” 

On November 1st, Steve King, Managing Director of CyberTheory, published results indicating that between January and September of 2021 there was a 2,204% increase in adversarial reconnaissance activity targeting port 502, the Modbus/TCP port. Modbus was introduced in 1979 and lacks basic security features, which gives attackers a pathway into connected ICS or IoT systems. In many cases, a SCADA system’s Modbus port 502 can be reached directly over the open internet. Lack of authentication and plain-text messages are further characteristics of Modbus that make it the poster child for “how to screw up security.” Modbus has minimal value for stealing information; Modbus is for control of devices and systems. Consequently, this lends even more importance to having a means of monitoring the process independent of any cyber-vulnerable communication protocol, as outlined below.
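To make the “no authentication, plain text” point concrete, here is an added example (not code from the original post, from CyberTheory, or from any Modbus vendor) that builds and parses Modbus/TCP frames exactly as they go over port 502, and then applies the kind of rule a network monitor can use: flag a write function code from a host that is not on an allowlist. It goes slightly beyond the text by including the detection rule, which shows what network monitoring can do (spot an unexpected writer) and what it cannot (tell whether the value written, or the reading that prompted it, was physically correct). The IP addresses, register address and setpoint values are constructed for the example.

```python
import struct

# Function codes from the Modbus application protocol specification.
FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_REGISTER = 0x06
# Writes to coils and registers: 05, 06, 0F, 10.
WRITE_FUNCTION_CODES = {0x05, 0x06, 0x0F, 0x10}

MBAP_LEN = 7  # transaction id (2), protocol id (2), length (2), unit id (1)


def build_frame(transaction_id: int, unit_id: int, function_code: int, data: bytes) -> bytes:
    """Encode a Modbus/TCP ADU: MBAP header followed by the PDU (function code + data).

    Note what is absent: no credential, no signature, no nonce.  Anything that
    can reach TCP/502 can produce a frame the device will act on.
    """
    pdu = bytes([function_code]) + data
    # The MBAP length field counts the unit id plus the PDU.
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def write_single_register(transaction_id: int, unit_id: int, address: int, value: int) -> bytes:
    """Function 06: write one 16-bit holding register (e.g. a setpoint)."""
    return build_frame(transaction_id, unit_id, FC_WRITE_SINGLE_REGISTER,
                       struct.pack(">HH", address, value))


def read_holding_registers(transaction_id: int, unit_id: int, address: int, count: int) -> bytes:
    """Function 03: read `count` holding registers starting at `address`."""
    return build_frame(transaction_id, unit_id, FC_READ_HOLDING_REGISTERS,
                       struct.pack(">HH", address, count))


def parse_frame(frame: bytes) -> dict:
    """Decode an ADU into its fields; every field is plain, unauthenticated data."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - (MBAP_LEN - 1):
        raise ValueError("MBAP length field does not match frame length")
    fc = frame[MBAP_LEN]
    return {"transaction_id": tid, "unit_id": uid, "function_code": fc,
            "data": frame[MBAP_LEN + 1:], "is_write": fc in WRITE_FUNCTION_CODES}


def flag_unexpected_writes(packets, allowed_writers):
    """Simple network-monitor rule: a write function code from a host that is
    not on the allowlist.  `packets` is an iterable of (src_ip, tcp_payload).
    Such a rule can spot an unexpected writer; it cannot tell whether the
    value written, or the reading that prompted it, was physically correct.
    """
    alerts = []
    for src, payload in packets:
        try:
            fields = parse_frame(payload)
        except ValueError:
            continue  # not a well-formed Modbus/TCP frame
        if fields["is_write"] and src not in allowed_writers:
            alerts.append((src, fields["function_code"], fields["data"].hex()))
    return alerts


# Constructed sample traffic (hypothetical addresses): the HMI at 10.0.0.5 writes
# setpoint register 0x0010 and reads it back; an unknown host on the same
# network then overwrites the same register.
SAMPLE_PACKETS = [
    ("10.0.0.5", write_single_register(1, 1, 0x0010, 1500)),
    ("10.0.0.5", read_holding_registers(2, 1, 0x0010, 1)),
    ("10.0.0.99", write_single_register(7, 1, 0x0010, 9000)),
]
ALLOWED_WRITERS = {"10.0.0.5"}

if __name__ == "__main__":
    for alert in flag_unexpected_writes(SAMPLE_PACKETS, ALLOWED_WRITERS):
        print("write from unexpected host:", alert)
```

The 12-byte frame for the first write is `0001 0000 0006 01 06 0010 05dc`: transaction id, protocol id, length, unit id, function code, register address, value. Every byte is there for the taking, and nothing in it proves who sent it, which is why the monitor above can only reason about source addresses, not about the truth of the data.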

Given these misconceptions, the publication of our article in the November issue of IEEE Computer, “Using Machine Learning to Work Around the Operational and Cybersecurity Limitations of Legacy Process Sensors” (https://www.computer.org/csdl/magazine/co/2022/11/09928204/1HJuIVVEBWM), is very timely. The paper is based on the results of a project performed at a large industrial facility. It addresses the operational and cybersecurity limitations of legacy process sensors and how machine learning was used to work around those limitations. The benefits of monitoring the raw, unfiltered sensor signals are addressed in terms of both improved productivity and cyber security. The raw, unfiltered sensor signals (the 4-20 milliamp loop currents) were collected on a local network that was not connected to the OT network and sent to a data acquisition system where the machine learning was performed. Because it was isolated from the OT networks, the sensor monitoring system was not susceptible to IT or OT network malware or ransomware (for as long as that isolation is maintained). That is, “you can’t hack physics.” A sensor monitoring approach applied BEFORE the sensor data is converted to Ethernet packets can therefore provide a technical justification for continued operation when the OT network is lost, whether for malicious or unintentional reasons. Moreover, because the raw sensor data is “ground truth,” this approach provides an independent validation of the integrity of the OT monitoring system: if the OT monitoring does not match the raw sensor data within a small (as yet undefined) tolerance, then the OT monitoring system is wrong, for whatever reason. As an example, one of the key findings of the plant analysis was that more than half of the process sensors were either inoperable or out of calibration and the feed pumps were having performance issues, yet the Windows-based SCADA did not identify any of these issues.
Another benefit of this approach was overcoming the cultural barrier between IT/OT and engineering, since neither organization can address the sensor monitoring and cyber security aspects alone. Finally, a detailed financial analysis of the impact of the erroneous sensor and pump readings was performed. The calculated impact was a loss on the order of 3% of net productivity which, depending on the size of the facility, could amount to tens of millions of dollars in direct return on investment, with cyber security “coming along for the ride.” Many other benefits accrued from being able to monitor devices, systems and processes at this lowest level.
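The cross-check described above, raw loop current against the value the SCADA reports for the same sensor, written out as an added example (this is not code from the IEEE paper or from the plant project, and it uses plain linear scaling rather than machine learning). The sensor tags, ranges, readings and the 2% of span tolerance are constructed assumptions, since the paper leaves the factor undefined; the healthy-loop band of roughly 3.8-20.5 mA follows the NAMUR NE 43 convention for 4-20 mA transmitters. The third sensor shows the case the plant analysis found: a loop that is no longer reporting a process value while the SCADA still displays a plausible number.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LoopSensor:
    tag: str
    lo_eu: float    # engineering value at 4 mA
    hi_eu: float    # engineering value at 20 mA
    units: str


# A healthy 4-20 mA loop stays inside roughly 3.8-20.5 mA (NAMUR NE 43); a
# current outside that band means open loop, short or transmitter fault,
# not a process value.  These bounds are an assumption for the example.
LOOP_MIN_MA, LOOP_MAX_MA = 3.8, 20.5


def ma_to_eu(sensor: LoopSensor, ma: float) -> float:
    """Linear scaling of loop current to engineering units: the ground truth."""
    return sensor.lo_eu + (ma - 4.0) * (sensor.hi_eu - sensor.lo_eu) / 16.0


def check_sensor(sensor: LoopSensor, raw_ma: float, scada_eu: float,
                 tolerance_frac: float = 0.02):
    """Compare the raw loop reading with what the SCADA shows.

    Returns (status, detail).  tolerance_frac is the fraction of span the two
    may differ by; 2% is an assumed value, not one from the paper.
    """
    if not LOOP_MIN_MA <= raw_ma <= LOOP_MAX_MA:
        return ("LOOP_FAULT",
                f"{sensor.tag}: {raw_ma:.2f} mA outside healthy band, "
                f"SCADA shows {scada_eu:.1f} {sensor.units}")
    truth = ma_to_eu(sensor, raw_ma)
    allowed = tolerance_frac * (sensor.hi_eu - sensor.lo_eu)
    if abs(truth - scada_eu) > allowed:
        return ("MISMATCH",
                f"{sensor.tag}: raw loop gives {truth:.1f}, "
                f"SCADA shows {scada_eu:.1f} {sensor.units}")
    return "OK", f"{sensor.tag}: {truth:.1f} {sensor.units}"


def audit(sensors, readings, tolerance_frac: float = 0.02) -> dict:
    """readings maps tag -> (raw_ma, scada_eu).  Returns tag -> (status, detail)."""
    return {s.tag: check_sensor(s, *readings[s.tag], tolerance_frac) for s in sensors}


def summarize(results: dict) -> dict:
    """Count sensors per status; the paper's headline finding was this kind of tally."""
    counts = {}
    for status, _ in results.values():
        counts[status] = counts.get(status, 0) + 1
    return counts


# Constructed sensors and readings (hypothetical tags and values).
SENSORS = [
    LoopSensor("PT-101", 0.0, 100.0, "psi"),
    LoopSensor("FT-201", 0.0, 500.0, "gpm"),
    LoopSensor("TT-301", 0.0, 200.0, "degC"),
]
READINGS = {
    "PT-101": (12.0, 50.5),   # 12 mA = 50 psi; SCADA within tolerance
    "FT-201": (12.0, 310.0),  # 12 mA = 250 gpm; SCADA reads 60 gpm high
    "TT-301": (3.2, 88.0),    # below 3.8 mA: loop fault, yet SCADA shows 88 degC
}

if __name__ == "__main__":
    results = audit(SENSORS, READINGS)
    for tag, (status, detail) in results.items():
        print(f"{status:10s} {detail}")
    print(summarize(results))
```

Only the first sensor passes. The second is the “OT monitoring does not match the raw sensor data” case, and the third is a sensor the SCADA would never flag on its own, because the number it displays is within range; only the loop current reveals that there is no measurement behind it.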

On November 1st, I gave an invited Defense Energy Seminar to the Energy Academic Group at the Naval Postgraduate School (NPS), where the sensor issues were discussed. The IEEE paper, which was co-authored by an NPS professor, was provided to the attendees. Suffice it to say, there were many questions about an issue that was new to most.

Summary 

Level 0/1 sensors recording and sending accurate data with the required precision is critical for product quality, safety and cyber security alike. It is also important to know whether the data source can be trusted: knowing that the process sensor data is coming from the sensor and not from Beijing is not trivial. The Modbus protocol has minimal value for stealing information; rather, Modbus is for control of devices and systems. With a 2,204% increase in adversarial reconnaissance activity targeting port 502 (Modbus), this lends even more importance to having a means to directly monitor the process independent of cyber-vulnerable communication protocols and networks.

Joe Weiss