Control system cyber security organizations are still not focusing on what is most important: the process

Sept. 24, 2019

According to Siemens (https://www.arabianbusiness.com/technology/428319-the-biggest-oil-gas-threat-isnt-drones-its-cyber), “cyber security breaches in the Middle East region are widespread and frequently undetected, with 30% of attacks targeting operational technology (OT), according to a study by Siemens and Ponemon Institute. Two-thirds of respondents in the study’s survey experienced at least one security compromise resulting in unrestricted information loss or operational disruption in the OT environment in the past year.”

These findings are similar to those of other surveys on the cyber security of control and safety systems. They are about the OT networks and the associated network impacts. The impacts on the process, such as equipment failures and plant shutdowns, are not addressed. However, the process is what is most germane to the corporate bottom line: the production and distribution of physical products such as electricity, water, oil/gas, manufactured goods, etc. The process can work without the OT networks, though not in an optimal manner. However, the process cannot work without the control systems working. As an example, following the 2015 cyber attacks, Ukraine operated its grids for months without the OT networks because it couldn’t trust that the networks were “clean”. Yet the process is effectively being ignored by the OT cyber security community. The irony is that the control system vendors have extensive expertise on the process, but the culture gap has all too often prevented them from participating in cyber security activities. This culture/governance gap has to change.

Specifically, Siemens suggests the following four steps. It should be noted that these steps are similar to those of other control system vendors. My comments follow each of Siemens’ points.

- Intrusion detection: Siemens uses artificial intelligence and unsupervised machine learning to create a baseline for normal behavior of the network’s communication. The company then passively monitors the entire network and determines anomalies in real time, without configuration or pre-set conditions. This works for network anomaly detection but not for process anomaly detection. The intrusion detection approach does not address the actual plant equipment nor does it address the process sensors, actuators, and drives at the raw analog level. Essentially, the equipment that goes “boom in the night” is not being addressed. There is a gap between security and Operations.

- Assessment: Siemens inspects and monitors the asset to determine weaknesses or threat gaps within the OT network and among its component systems. This works for the network but does not address the actual plant equipment, nor does it address the process sensors, actuators, drives, and sensor networks that have no cyber security or authentication. There is a gap between security and Operations.

- Automation: Siemens makes sure the latest software and hardware updates are available and installed for the entire automation system. This could have identified the PLC logic changes with Stuxnet. However, there have been instances with various control system vendors’ systems where the security software and hardware updates have impacted facility operations. Consequently, there is a need to ensure that security upgrades will not impact operations, making it imperative that engineering and security work together.

- Finally, Siemens ensures that in the case of any security incident, there is a plan in place to get the plant back online as soon as possible. There is no mention of how Siemens determines whether an incident is a cyber incident, an unintentional “glitch”, or a cyber attack meant to look like a glitch. Recall that with Stuxnet, the centrifuges were being destroyed for a year before it was determined that it was a cyber attack. This is not a Siemens issue. The Triton attack on the Schneider Triconex safety system in Saudi Arabia was not identified as a cyber attack when it shut the plant down in June 2017. There is a need for security and Operations to be trained to recognize what could be a cyber attack.
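As an added illustration of the process-level gap raised under the intrusion detection and incident points above (this is example code, not Siemens’ or the author’s), the check below compares the speed value carried on the OT network against an independent raw drive-current measurement, so that a network that keeps reporting “normal” values is contradicted by the physics of the equipment. The linear current-versus-speed relation, its constants and the sample trace are constructed assumptions for the example, not vendor data.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Sample:
    t: int               # time in seconds (constructed)
    cmd_rpm: float       # setpoint the controller commanded
    reported_rpm: float  # speed value carried on the OT network (what an IDS/HMI sees)
    raw_current_a: float # independent raw analog drive-current measurement

# Assumed physical relation for this example only: steady-state drive current
# grows linearly with shaft speed. A real plant would use vendor curves or
# commissioning data; these constants are constructed.
BASE_A, A_PER_RPM = 2.0, 0.004

def expected_current(rpm: float) -> float:
    return BASE_A + A_PER_RPM * rpm

def implied_rpm(current_a: float) -> float:
    return (current_a - BASE_A) / A_PER_RPM

def check_sample(s: Sample, tol_a: float = 1.5, tol_rpm: float = 200.0) -> List[str]:
    """Return findings for one sample; an empty list means the sample is consistent."""
    findings = []
    # 1. Does the raw analog signal agree with what the network claims?
    #    A replayed "healthy" value on the network fails this test because the
    #    motor's physics does not follow the replay.
    if abs(s.raw_current_a - expected_current(s.reported_rpm)) > tol_a:
        findings.append(
            f"t={s.t}: network reports {s.reported_rpm:.0f} rpm but drive current "
            f"{s.raw_current_a:.1f} A implies ~{implied_rpm(s.raw_current_a):.0f} rpm")
    # 2. Is the reported speed actually tracking the commanded setpoint?
    if abs(s.reported_rpm - s.cmd_rpm) > tol_rpm:
        findings.append(
            f"t={s.t}: reported {s.reported_rpm:.0f} rpm diverges from setpoint {s.cmd_rpm:.0f} rpm")
    return findings

def analyze(samples: List[Sample]) -> List[str]:
    return [f for s in samples for f in check_sample(s)]

# Constructed trace: the network value stays at a steady 1000 rpm throughout,
# so a network-behaviour baseline sees nothing new, while the raw current
# shows the shaft climbing well past the setpoint from t=2 onward.
SAMPLES = [
    Sample(0, 1000, 1000, 6.0),
    Sample(1, 1000, 1000, 6.1),
    Sample(2, 1000, 1000, 7.6),  # implies ~1400 rpm
    Sample(3, 1000, 1000, 8.0),  # implies ~1500 rpm
    Sample(4, 1200, 1200, 6.8),  # legitimate setpoint change, consistent
]
```

Calling `analyze(SAMPLES)` returns two findings, for t=2 and t=3; the legitimate setpoint change at t=4 produces none.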

For industrial and manufacturing companies, organizations such as credit rating agencies and insurance companies are concerned about the risk to the enterprise, not just to the networks. The OT security community needs to recognize that the most important risks to the organization are to the process, not the networks. This will require changing the governance model to require teaming between engineering and security, with engineering taking the lead.

Joe Weiss