IEEE (www.IEEE.org) is one of the most influential professional engineering societies in the world. It is well-regarded and has played an important role in the development of many control system standards.
On December 14, 2021, I was honored to give an IEEE Tech Talk to the Seattle Chapter of the IEEE Power and Energy Society on control system cyber security. The link to the recording is at https://www.youtube.com/watch?v=eZqkCC6wqcE
The theme of the presentation was:
- Focus of cyber security is IT malware and ransomware not addressing physical damage and injuries
- All physical infrastructures (“critical” or not) are monitored and controlled using instrumentation and control systems
- Measurements are the input, but instrumentation is ignored
- Control systems are used to control physics, but physics is ignored
- Cyber forensics and attribution do not exist for control system devices
- Cyber security training generally not available for control system engineers
- Control system cyber security is about 5-10 years behind IT cyber security
- Culture is broken between Engineering and IT/OT
In the QA session following my presentation, it was mentioned that IEEE-USA issued a position paper on cyber security and control systems were not addressed. According to the representative from IEEE-USA, this a major hole that needs to be addressed (around the 1:15:00 time frame on the tape). Addressing this gap will require collaboration between the International Society of Automation (ISA), IEEE, and other industry organizations. It will also require CISA (including TSA), DOE, FERC, NRC, and other government organizations to address the control systems gap. The continuing singular focus on networks is making the US very vulnerable to extended outages, equipment damage, and deaths.
Gaps in Standards
Even the most sophisticated engineering associations can suffer from blind spots when it comes to the complex interactions of multi-level systems. This is especially true when situations like cyber security bring together organizations with different goals, nomenclature, etc. In this case, networking and engineering attempting to secure engineering networks have not addressed the Level 0,1 engineering devices (process sensors, actuators, drives, etc.). Examples where gaps occur include:
- Electric – NERC CIP excludes Level 0,1 devices
- Water/wastewater – AWWA doesn’t address Level 0,1 devices
- IEC TC57 – Doesn’t address Level 0,1 devices
- Food – FSMA doesn’t address control system cyber security
- TSA Pipelines – Doesn’t address control system pipeline issues
- TSA Transportation – Doesn’t address control system issues
- ISA 62443 – Doesn’t address process sensor integrity
- NIST 800-53, 800-82, 160 doesn’t address Level 0,1
- NIST Cyber Security Framework – Can’t “detect”
- IEC TC65 - Functional safety communication protocols do not address cyber security
Why Level 0,1 matters
It is not possible to cyber secure, or assure safety, of the physical infrastructures when the Level 0,1 devices have no cyber security, authentication, or cyber logging. Yet, cyber security of Level 0,1 devices continues to be ignored by the IT and OT networking communities. The following examples from multiple sectors illustrate why we are at such high risk from insecure process sensors:
- The Oak Ridge National Laboratory (ORNL), Pacific Northwest National Laboratory PNNL), and National Renewable Energy Laboratory (NREL) issued a report on sensor issues in Buildings. A typical situation could include sensor data being modified by hackers and sent to the control loops, resulting in extreme control actions. To the best of the authors’ knowledge, no such study has examined this challenge.
- “We have several temperature, pressure and flow sensors on a new medical-device cleaning skid that we are developing. These instruments are connected to a PLC as 4-20 mA inputs, and there is also a 4-20 mA output used to control a pump motor speed. A recent failure of a flow sensor brought the process skid instrumentation to my company’s quality manager’s attention. He asked how do we know that the temperatures, pressures, and flow are accurate, and how do we know that we are cleaning properly?” FDA has not addressed these issues.
- Process sensors not reliable or safe in refinery operation. Almost 50% of the nuisance alarms were reranged sensors (sensors that had their settings changed so they could not reach their safety set points). Because this was from insiders, it was assumed the reranged sensors were unintentional.
- One sensor failure in combined cycle plant in Florida caused a 200MW load swing at the plant that rippled across the Eastern Interconnect causing a 50MW load swing in New England.
- Russia, China, and Iran are aware of the gap in cyber security of process sensors, and, in some cases, are already exploiting this gap.
Moreover, monitoring the electrical characteristics of the process sensors (sensor health monitoring) provides benefits beyond cyber security. As the process sensors are the “eyes of the process”, sensor health monitoring provides a predictive maintenance capability, improved performance and productivity, and improved safety. Additionally, sensor monitoring becomes a check of the network monitoring systems. If the sensor health monitoring does not directly match the network monitoring, the network monitoring needs to be examined.
The presentation included actual control system cyber incidents including pipeline ruptures that are not addressed by the TSA pipeline cyber security directive and train crashes not covered by the TSA rail cyber security directive. What makes critical infrastructures different than retail and other IT-centric organizations are the control system devices. It is also what makes them dangerous. So, why is TSA ignoring the control system devices?
The lack of addressing control system issues can be seen by the government and industry’s response to the Log4j (Apache open-source software) vulnerability disclosed December 10, 2021. It is similar to the government and industry’s response to SolarWinds with the entire focus on the networks to the exclusion of control systems.
The 2004 ICS Cyber Security Conference in Idaho Falls was held in conjunction with the ribbon cutting for the INL SCADA Testbed. As part of the Conference, INL did a cyberattack demonstration that exploited a zero-day (it wasn’t called zero-day in 2004) buffer overflow in Apache open-source software. The attack sent exploited code from the Sandia National Laboratory (SNL) business network to the INL business network to the INL SCADA Testbed network. The firewalls did not block the compromised scripts. The attack demonstration
- Remotely opened and closed a relay (Aurora)
- Remotely opened and closed multiple relays (2015 Ukrainian cyberattack)
- Remotely opened a relay but without indication the relay was open (2003 NE outage)
- Relay not changed, but the status indication was changed (Stuxnet)
The Apache Log4j vulnerability could potentially cause the same issues, yet control systems are being ignored in the government and industry guidance currently issued. Off-line monitoring of the sensors would not be affected by ransomware or the Log4j types of vulnerabilities.
Recommendations
Each Society has to put together a section call out the other just like what was done for the NEC (National Electric Code – Power) The NEC added a whole section 800 on communications a few years back. IEEE has to at least recognize IT Networking in their IEEE SCADA/Control Systems and ISA has to recognize the existing of power/Physics IEEE. The same can be said for ASME, AICHE, ASCE, SAE, INCOSE, API, and other industry Societies. The IT networking societies should not be making recommendations for securing control systems without assuring that recommendations for IT will not cause harm to control systems as has happened in the past.
As an aside, Nadine Miller and Rob Stephens from JDS Energy and Mining and myself will have a paper in the January issue of IEEE Computer magazine titled: “Control System Cyber Incidents Are Real—and Current Prevention and Mitigation Strategies Are Not Working”.
Joe Weiss
