Hacking Level 0,1 devices can be more significant than Stuxnet

Last week, the cyber security focus was on the four natural gas pipeline companies that had their electronic data interfaces, not control systems, hacked. However, from a control and safety system perspective, I believe the more important disclosure was the ICS CERT vulnerability disclosure of the Moxa serial-to-Ethernet convertors (gateways). This is because these types of gateways are pathways directly to the Level 0,1 process sensors, actuators, and drives which have no security and which can directly lead to loss of safety. These gateways (there have been numerous DHS ICS-CERT vulnerability disclosures on various vendors’ gateways) are often directly connected to the Internet. As stated by the May/June 2015 DHS Monitor, “if you’re connected, you’re likely infected”. The Moxa gateways were compromised and “bricked” in the 2015 Ukrainian cyber attack.

I am providing two examples of the lack of understanding about Level 0,1 device security and safety. The June 2017 issue of AutomationWorld had a cover article entitled “Internet-Ready Actuators in a World in Motion”. The article not only does not mention cyber security but provides the wrong guidance. There is a need for segmentation and preventing information flowing from lower security level devices to higher security level devices. However, as seen below, the article states that two-way data exchange is good without considering the security ramifications. The article states that actuators are dependent on the use of unauthenticated, insecure sensors.

Specifically, the article, with input from major actuator suppliers, states the following:

- “…by using actuators with the ability to connect to the Internet, it is easier to see how an individual device is operating from outside the production systems…” (see DHS Monitor note above)

- “…If an actuator is compatible with the Internet, it may be able to have its own IP address, so data can be viewed on a web page…”

- “…These devices also have an Ethernet-based protocol that makes it easier to connect them to a network or the cloud…”

- “...One of the advantages of IOT-ready controllers is two-way data exchange. This allows you to share data to a SCADA system or the cloud, but it also makes it easier to push data down to electric or pneumatic devices for parameterization or configuration…”

- “…Makers of pneumatic systems are getting around the size barrier by using sensors as a bridge to access data….Sensor allow us to manipulate data…”

Rafal Selega from ABB UK wrote an article for the March 2018 issue of ChemicalProcessing: "Consider the Impact of Industry4.0 on Safety Instrumented Systems". It is a "scary" article because of Rafal's liberal use of the Internet and cloud along with the assumption (unwritten) that sensors and final actuators are secure. There is small section on cyber security but it doesn't say anything other than a cyber criminal could cause real problems. I received the following response from ABB on my comments about the article: “Thank you for your feedback and insight. I agree that the article didn’t cover cyber security to the level that it deserves in any Industry 4.0 implementation but at the same time please understand the perspective of the author was primarily Functional Safety. Both subjects Functional Safety and Cyber Security need industry awareness and we’ll continue to work on improving how we cover the topic in the future.”

There has recently been testing (not yet public) demonstrating that Level 0,1 process sensors can be hacked and neither the PLC nor the HMI can detect the compromise. The testing demonstrated the ability to mislead the operator, manipulate processes, or both without being detected by network monitoring and can thus be a security and/or safety issue. The cyber vulnerability of the gateways makes this threat even more important to address as they can be pathways directly into the sensors. As such, there is a need to monitor the sensors before they become Ethernet packets. Because there is no security or authentication in process sensors, this threat is independent of vendor, industry, region, or application and therefore can be even more significant than Stuxnet.

The new ISA99 Task Group on Level 0,1 Devices is reviewing the adequacy of IEC62443-3-3 System Security Requirements and Security Levels and IEC62443-4-2 Technical Security Requirements for IACS Components for Level 0,1 devices. I will be presenting on the Level 0,1 technical issues and the new ISA99 Level 0,1 Task Group April 11th in Albuquerque at the DHS ICSJWG Conference.  

Joe Weiss