It appears that Internet Protocol (IP) network intrusions and ransomware cannot be entirely stopped. That includes cyberattacks against control system vendors who market “cyber secure systems” and cybersecurity services. Control system vendors supply systems globally, including to China, and some also have design and manufacturing facilities in China.
The Johnson Controls and Bently-Nevada cases are not the first time control system vendors have been attacked or control system device vulnerabilities have been identified. Cyber vulnerabilities in vibration monitoring systems were identified when I helped start the EPRI control system cybersecurity program for the electric utilities in 2000, and cyberattacks against control system vendor remote support have been documented since 2012. The fact that these, and other, control system vendors have had their control systems compromised makes it even more important to identify which control system incidents are cyber-related.
There are several reasons for having remote access: remote monitoring, firmware upgrades, big data analytics, etc. In the 2000 timeframe, Foxboro (now Schneider) was offering a performance improvement guarantee if it could have remote access into the control system for remote monitoring and control. Vendors of combustion turbines require remote access to monitor and control the combustion turbine as a condition of its warranty. This remote access is a direct vendor link, independent of the end user’s networks. There have been several instances where remote access issues have resulted in inadvertent combustion turbine shutdowns.
Legacy control systems were generally designed without cyber considerations. Consider a recent warning from the NSA and FBI that a Chinese state-sponsored APT called BlackTech is compromising network edge devices and using firmware implants to move silently through the corporate networks of U.S. and Japanese companies. As Cisco pointed out, the technique of installing compromised firmware by first downgrading to an older release only affects legacy devices; modern Cisco routers that support secure boot do not allow it. However, many legacy, and even some modern, control systems and devices do not support secure boot. Consequently, adding remote access capabilities to these legacy systems may introduce unintended cyber or operational consequences.
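The difference between a legacy device and one with secure boot comes down to what the boot or update path checks before it installs an image. The following is an added illustration written for this page, not Cisco’s or any vendor’s code: a constructed firmware manifest format and the two checks that defeat the downgrade-then-implant technique, a signature check and an anti-rollback version check. An HMAC with a shared key stands in for the asymmetric signature a real secure boot chain verifies against a public key burned into the device; the key, manifest layout and images are all assumptions.

```python
import hashlib
import hmac
import struct

# Constructed manifest layout (assumed for this example): 4-byte big-endian
# version, 32-byte SHA-256 of the image, 32-byte tag over (version || digest).
# HMAC-SHA256 with a shared key is a stand-in for a real asymmetric signature.
SIGNING_KEY = b"vendor-signing-key-placeholder"   # assumed, constructed
MANIFEST_LEN = 4 + 32 + 32


def build_manifest(version: int, image: bytes, key: bytes = SIGNING_KEY) -> bytes:
    """Vendor side: bind a version number and image digest under the signing key."""
    body = struct.pack(">I", version) + hashlib.sha256(image).digest()
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Device:
    """Minimal model of image acceptance on a device with or without secure boot."""

    def __init__(self, installed_version: int, secure_boot: bool):
        self.installed_version = installed_version
        self.secure_boot = secure_boot

    def accept_update(self, manifest: bytes, image: bytes) -> tuple[bool, str]:
        if not self.secure_boot:
            # Legacy behaviour: any image that parses is installed, including an
            # older release with a known flaw that the attacker supplies on purpose.
            self.installed_version = struct.unpack(">I", manifest[:4])[0]
            return True, "installed without verification (legacy device)"
        if len(manifest) != MANIFEST_LEN:
            return False, "malformed manifest"
        body, tag = manifest[:36], manifest[36:]
        expected_tag = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected_tag):
            return False, "signature check failed"          # forged or modified manifest
        version = struct.unpack(">I", body[:4])[0]
        if hashlib.sha256(image).digest() != body[4:]:
            return False, "image digest does not match manifest"
        if version < self.installed_version:
            # Anti-rollback: a genuinely signed but older image is still refused.
            # This is the check that blocks the downgrade step of the technique.
            return False, f"rollback to version {version} refused"
        self.installed_version = version
        return True, f"installed version {version}"


def demo() -> dict:
    """Constructed scenario: an attacker offers the old, flawed v1 image to a
    legacy device and to a secure-boot device, then tries a forged manifest."""
    old_image = b"firmware v1 (known flaw)"
    new_image = b"firmware v2 (fixed)"
    m_old = build_manifest(1, old_image)
    m_new = build_manifest(2, new_image)
    legacy = Device(installed_version=2, secure_boot=False)
    modern = Device(installed_version=2, secure_boot=True)
    forged = build_manifest(3, new_image, key=b"attacker-guessed-key")
    return {
        "legacy_downgrade": legacy.accept_update(m_old, old_image)[0],   # True
        "modern_downgrade": modern.accept_update(m_old, old_image)[0],   # False
        "modern_forged": modern.accept_update(forged, new_image)[0],     # False
        "modern_legit": modern.accept_update(m_new, new_image)[0],       # True
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The legacy device accepts the downgrade because it has nothing to check against; the secure-boot device rejects it even though the old image carries a valid vendor signature, because version monotonicity is enforced alongside the signature. A control device that lacks both checks is in the legacy position whatever its age.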
It is evident that the recently identified Johnson Controls cyberattack and the Bently-Nevada cyber vulnerability can affect facilities’ reliable and safe operation, because vendor backdoors and remote support access can be a route into the control systems themselves.
My non-public control system cyber incident database includes a significant number of cases where remote access was involved. These cases, as well as other vendors’ cases, raise the question of whether the trade-off between the need for remote access and the cyber risk of remote access has been adequately addressed.
It is unclear what data and information were compromised in the Johnson Controls case. Control system vendors hold not only customer account information but often detailed customer facility information, as well as direct connections into their customers’ systems for remote equipment monitoring and support. Like other vendors, Johnson Controls provides remote access capabilities to critical facilities.
The Johnson Controls case has similarities to the 2012 Chinese intrusion at Telvent (now owned by Schneider). Telvent provided software and services to remotely administer and monitor large sections of the energy industry. Digital fingerprints left behind by the attackers pointed to a Chinese hacking group. In letters sent to customers, Telvent Canada Ltd. said that on Sept. 10, 2012, it learned of a breach of its internal firewall and security systems. Telvent said the attacker(s) installed malicious software and stole project files related to one of its core offerings, OASyS SCADA, a product that helps energy firms mesh older IT assets with more advanced “smart grid” technologies. The firm said it had disconnected the usual data links between clients and affected portions of its internal networks.
Telvent’s letter went on: “In order to be able to continue to provide remote support services to our customers in a secure manner, Telvent established new procedures to be followed until such time as we are sure that there are no further intrusions into the Telvent network and that all virus or malware files have been eliminated.” Telvent’s statement at that time reflects what continues to be said today: “Although we do not have any reason to believe that the intruder(s) acquired any information that would enable them to gain access to a customer system or that any of the compromised computers have been connected to a customer system, as a further precautionary measure, we indefinitely terminated any customer system access by Telvent.” It is unclear whether Johnson Controls is taking the same approach.
Bently-Nevada’s (and other vendors’) vibration monitoring systems are used in nuclear and non-nuclear power plants, oil/gas, manufacturing, wastewater and other industrial and defense applications for monitoring non-safety and safety-related rotating equipment such as turbines, compressors, pumps, valves, motors, transformers, etc. Vibration monitoring systems provide alarms and trips when vibration readings exceed preset thresholds, to prevent equipment damage, and are an integral part of equipment predictive maintenance programs.
There have been numerous cases in which vibration monitoring systems did not operate as planned, whether because of issues with the vibration monitoring system or because of inappropriate operator response. These cases have resulted in significant equipment damage such as turbine damage, steam generator damage, nuclear reactor main coolant pump damage, etc. The economic impact of rotating equipment damage has run from tens to hundreds of millions of dollars. Given the cyber risk, why do Bently-Nevada and other vibration monitoring system vendors have remote access when the vibration monitoring data can be fed into off-line systems for further analysis without that risk?
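The two paragraphs above describe what a vibration monitor does (alarm and trip on preset thresholds), and the last item in the list that follows asks for an independent check of the process physics behind the sensor signal. The following is an added example written for this page, not any vibration monitor vendor’s code, that puts both side by side: the monitor’s setpoint logic, and a plausibility check that compares the network-delivered amplitude against an independently measured shaft speed. The setpoints, the rpm² unbalance model, and every sample reading are constructed assumptions; a real program would use the machine’s own baseline and OEM limits.

```python
from dataclasses import dataclass
from statistics import mean

ALARM_MILS = 4.0     # assumed alarm setpoint (mils peak-to-peak shaft vibration)
TRIP_MILS = 7.0      # assumed trip setpoint
RATED_RPM = 3600.0


@dataclass(frozen=True)
class Sample:
    t: int        # seconds
    rpm: float    # shaft speed from an independent tachometer/keyphasor
    mils: float   # 1X vibration amplitude as reported over the OT network


def threshold_state(mils: float) -> str:
    """The monitor's own setpoint logic: what it would annunciate or act on."""
    if mils >= TRIP_MILS:
        return "TRIP"
    if mils >= ALARM_MILS:
        return "ALARM"
    return "OK"


def fit_unbalance_constant(baseline: list[Sample]) -> float:
    """1X amplitude from residual unbalance scales roughly with rpm^2, so learn
    k (mils at rated speed) from a trusted baseline run (assumed model)."""
    return mean(s.mils / (s.rpm / RATED_RPM) ** 2 for s in baseline if s.rpm > 0)


def physics_check(samples: list[Sample], k: float,
                  tolerance: float = 0.5, window: int = 4) -> list[list[str]]:
    """Per-sample list of reasons the reported amplitude is not plausible.

    1. Model check: amplitude should be near k*(rpm/RATED_RPM)^2. A deviation
       means the signal disagrees with the independent speed measurement and
       the process model: either a real mechanical change or a wrong/replayed
       value, and an engineer has to determine which. The threshold logic
       still acts on the reported value, so protection is not weakened.
    2. Freeze check: an amplitude that stays identical for `window` samples
       while speed moves by more than 200 rpm is frozen or replayed whatever
       value it shows; a real machine does not do that.
    """
    findings = []
    for i, s in enumerate(samples):
        reasons = []
        if s.rpm > 0:
            expected = k * (s.rpm / RATED_RPM) ** 2
            if abs(s.mils - expected) > tolerance * max(expected, 0.5):
                reasons.append(f"amplitude {s.mils:.2f} mils inconsistent with "
                               f"{s.rpm:.0f} rpm (model ~{expected:.2f})")
        recent = samples[max(0, i - window + 1): i + 1]
        if (len(recent) == window and len({r.mils for r in recent}) == 1
                and max(r.rpm for r in recent) - min(r.rpm for r in recent) > 200):
            reasons.append("amplitude constant while speed changed "
                           "(frozen or replayed signal)")
        findings.append(reasons)
    return findings


def evaluate(samples: list[Sample], baseline: list[Sample]):
    """For each sample: (t, monitor threshold state, independent physics findings)."""
    k = fit_unbalance_constant(baseline)
    return [(s.t, threshold_state(s.mils), r)
            for s, r in zip(samples, physics_check(samples, k))]


# Constructed data: a trusted baseline at two speeds, then a coast-down during
# which the amplitude arriving over the network stays at a "healthy" 2.1 mils.
BASELINE = [Sample(0, 3600, 2.0), Sample(1, 1800, 0.5)]
COASTDOWN = [Sample(0, 3600, 2.0), Sample(1, 3600, 2.1), Sample(2, 2700, 2.1),
             Sample(3, 1800, 2.1), Sample(4, 900, 2.1)]

if __name__ == "__main__":
    for t, state, reasons in evaluate(COASTDOWN, BASELINE):
        print(f"t={t}s monitor={state}", "; ".join(reasons) or "plausible")
```

On the constructed coast-down the monitor itself reports OK throughout, because 2.1 mils is below the alarm setpoint; the physics check flags the value as inconsistent from 2700 rpm down and, once four identical readings have spanned a large speed change, as frozen or replayed. That is the kind of independent evidence that lets an engineer tell a sensor or network problem from a mechanical one.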
What is needed
- Evaluate the cyber/physical risk trade-off of remote access, and determine when local access is sufficient.
- Provide control system cybersecurity training (more than just OT network security) for engineers and network security staff so they can identify whether control system incidents are cyber-related.
- Monitor the physics of the process sensors to ensure that process sensor signals are correct and authenticated; this also provides an independent check of the OT networks.
- Include OSI Layer 2 security (IP cloaking) to provide point-to-point security over OT networks, and protect access to those networks with access authentication and packet/frame authenticity checks.
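The last item asks for two things at Layer 2: station access authentication and per-frame authenticity checks. The following is an added example written for this page, not any product’s implementation and not the “IP cloaking” feature itself, that models just those two checks: every frame carries a per-source sequence number and an HMAC-SHA256 tag over header, sequence and payload, and the receiver accepts frames only from stations whose key it holds, only with a valid tag, and only with a strictly increasing sequence number. The MAC addresses, ethertype, pre-shared key and frame contents are constructed assumptions; a deployed scheme would also encrypt the payload and keep keys in hardware.

```python
import hashlib
import hmac
import struct

ETHERTYPE = 0x88B5                 # IEEE local-experimental ethertype, assumed here
HDR = struct.Struct(">6s6sHI")     # dst MAC, src MAC, ethertype, sequence number
TAG_LEN = 32


def build_frame(dst: bytes, src: bytes, seq: int, payload: bytes, key: bytes) -> bytes:
    """Sender side: header || payload || HMAC-SHA256(key, header || payload)."""
    body = HDR.pack(dst, src, ETHERTYPE, seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Verifies frames from stations whose keys it holds; rejects everything else."""

    def __init__(self, keys: dict[bytes, bytes]):
        self.keys = keys                        # src MAC -> shared key (station access)
        self.last_seq: dict[bytes, int] = {}    # highest sequence accepted per source

    def accept(self, frame: bytes) -> tuple[bool, str, bytes]:
        if len(frame) < HDR.size + TAG_LEN:
            return False, "frame too short", b""
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        dst, src, ethertype, seq = HDR.unpack_from(body)
        if ethertype != ETHERTYPE:
            return False, "unprotected frame type", b""
        key = self.keys.get(src)
        if key is None:
            return False, "unknown source station", b""       # not keyed in: no access
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "authentication tag mismatch", b""  # modified or forged
        if seq <= self.last_seq.get(src, -1):
            return False, "replayed or out-of-order sequence", b""
        self.last_seq[src] = seq
        return True, "ok", body[HDR.size:]


def demo() -> dict:
    """Constructed scenario: an HMI sends two frames to a PLC, then an attacker
    replays the first, tampers with the second, and sends from a rogue station."""
    plc = bytes.fromhex("02000000000a")        # locally-administered MACs, constructed
    hmi = bytes.fromhex("02000000000b")
    rogue = bytes.fromhex("02000000000c")
    key = b"plc-hmi-shared-key"                # assumed pre-shared key
    rx = Receiver({hmi: key})                  # the PLC side only trusts the HMI
    f1 = build_frame(plc, hmi, 1, b"READ COIL 0x10", key)
    f2 = build_frame(plc, hmi, 2, b"WRITE COIL 0x10 ON", key)
    tampered = f2[:-TAG_LEN - 2] + b"FF" + f2[-TAG_LEN:]   # change payload, keep tag
    forged = build_frame(plc, rogue, 1, b"WRITE COIL 0x10 ON", b"attacker-guessed-key")
    return {
        "first": rx.accept(f1)[1],             # ok
        "second": rx.accept(f2)[1],            # ok
        "replay": rx.accept(f1)[1],            # replayed or out-of-order sequence
        "tampered": rx.accept(tampered)[1],    # authentication tag mismatch
        "rogue": rx.accept(forged)[1],         # unknown source station
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The sequence number is what turns an integrity check into a replay check: a captured valid frame still carries a valid tag, and only the monotonic counter per source rejects it. Note the order of checks: the tag is verified before the sequence is consulted, so an attacker cannot advance the receiver’s counter with an unauthenticated frame.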