I am preparing a March 10, 2022 presentation on the lack of cyber security in process sensors titled: “Shields Up and Good Cyber Hygiene Does Not Apply to Insecure Process Sensors”. Process sensors have no inherent cyber security and yet have hardware backdoors directly to the Internet. The cyber security gap includes no capability for passwords, single-factor (much less multi-factor) authentication, encryption, keys, signed certificates, etc. Despite the lack of any cyber security, these devices are the 100% trusted input to OT networks and manual operation. Moreover, process sensors have no cyber forensics.
The recent Senate cyber security reporting requirements require that critical infrastructure cyberattacks be reported within 72 hours. Expeditious reporting of control system cyber incidents is obviously important in preparing and responding to wide-spread possible cyberattacks.
However, there are two basic problems with control systems: First, cyberattacks are not always easily identifiable as such. They can be mistaken for accidents or malfunctions, and they might not be recognized at all. Second, with industrial systems, process sensors, which remain largely unsecured, can themselves be targets of attacks. These devices connect to the network, but they’re basic computationally modest endpoints which is what precludes the use of many cyber security technologies, and their cyber vulnerabilities can be different from the cyber vulnerabilities that affect networks.
Shields Up recommends conducting a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted. However, process sensors have no cyber security or authentication and are thus untrusted during all conditions.
Control systems are composed of OT networks and control system field devices such as process sensors, actuators, drives, and analyzers. Like IT networks, OT networks can be monitored to detect malicious cyber threats. Conceptually, OT network monitoring should be able to meet those requirements. However, IT networks were not able to identify cyberattacks such as SolarWinds, at least not at once. The Triton cyberattack of the petrochemical plant in Saudi Arabia in 2017 proved that it may not be possible to identify a cyberattack that shutdown a facility. The plant was shutdown in June 2017 from the malware in the Triconex engineer’s workstation and yet the shutdown was not initially identifiable as being cyber-related. Consequently, the plant restarted with the malware still in the system. It was not identified as being a cyberattack until the plant was shutdown again in August.
Control system field devices have neither cyber security nor cyber security forensic capabilities and therefore have no capability to meet the intent of the reporting requirements. There’s room for work here: perhaps the regulation would drive an improvement in the security capabilities of control system field devices.
Testing is currently being performed at an industrial facility to improve operational and maintenance performance by real time monitoring of the process sensors. This was not a cyber security project even though the sensor monitoring was also an input for cyber security. Because this project’s focus was operational, the culture gap between Operations and cyber security was overcome. That’s a major benefit unto itself.
What was found was unexpected. When state-of-the-art machine learning/AI was applied to the raw sensor data, the engineering company performing the analysis (JDS Energy and Mining) discovered that more than half of the sensors were not working for more than 10 hours. However, the HMI displays showed the process appeared to be working properly. The sensor “failures” could have been from either unintentional or malicious reasons. Regardless, the impact of the inoperable sensors was both a loss of quantity and quality of product which could have safety implications. Think of what this could mean in a drinking water or food manufacturing facility where critical sensors were not working or at least not working properly. Moreover, without this type of sensor monitoring and analysis, it is not possible to meet the cyber security reporting requirements. Additionally, it may not be possible to meet other reporting requirements such as for EPA, TSA, NERC, FDA, etc. It also demonstrates the gap in existing big data analytics of smart manufacturing, smart grid, smart…as well as OT network monitoring.
Summary
Process sensors are assumed to be uncompromised, working properly, and able to provide cyber forensics. However, that is often not the case. There is a need to develop training, recommendations, and standards for these critical, but unprotected devices. Using appropriate monitoring and analytics can help improve cyber security, process safety, product quality, and regulatory compliance.
Joe Weiss
