IT security experts are NOT control system and safety experts

Jan. 2, 2018


Sensor and process anomaly detection is an engineering function that requires detailed knowledge of the systems and the process. It also has a direct impact on process safety. Consequently, the new ISA Working Group on Level 0,1 is an engineering effort, not an IT/OT effort. Yet Dale Peterson of Digital Bond stated: “…this process variable anomaly detection is trying to detect when the data the process is getting is not accurate (see this past S4xEurope session: https://youtu.be/b4lut5uWs2w). Could be a non-malicious cause such as instrument error or automation engineering error. Or it could be malicious in an attacker modifying the process and sending back recorded or created data. Where this is really interesting is when there are non-obvious correlations spread across multiple Level 1 devices (so an attacker can’t record and replay a single Level 1 device to hide).”

Independent of cyber security, I spent many years working on process sensor health monitoring and process anomaly detection. As part of this work, I did detailed Failure Modes and Effects Analyses (FMEAs) on pressure and temperature sensors for nuclear safety applications and frequency analysis on flow-induced vibration problems. I also have many case histories of sensor-related cyber incidents that have caused catastrophic failures. As a result of this knowledge, I believe it may be very difficult for network anomaly detection to identify many of the sensor-unique process anomalies, as these indications often occur BEFORE the sensor data is converted to Ethernet packets. Jason Larson’s S4 triangle presentation does not address these issues. Additionally, the Sentryo S4 presentation mentioned by Dale did not address actual ICS implementations, as it appeared to be looking at the sensor data after they became Ethernet packets, assuming that cyber attacks can be unambiguously detected. I do not believe this is true.

There is at least one company (SIGA) that is working on process/sensor anomaly detection by monitoring the electrical characteristics of the sensor output BEFORE it is converted to Ethernet packets. The SIGA system has been installed in several different industrial applications and has shown great promise. Contrary to the Sentryo claim that it can detect cyber attacks, it may not be possible to discriminate between a process anomaly and a cyber event. However, to the operator it doesn’t matter. One of the more interesting outcomes of the SIGA implementation in an actual water facility was that the SIGA system continued to work even when SCADA was unavailable. Considering that Windows-based HMIs have been the target of most ICS cyber attacks, this approach can provide much-needed cyber and operational resilience, or provide secondary data for identifying future or attempted cyber attacks.
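To make the two points above concrete, here is an added example in Python. It is mine, not code from the post, and it is not SIGA's or Sentryo's method (the post does not describe either). It shows, first, a check on the raw 4-20 mA loop current tapped at the marshalling cabinet, before the transmitter value becomes an Ethernet packet, compared against the value the HMI reports for the same tag; and second, a cross-device mass-balance check in the spirit of Dale's remark about correlations across multiple Level 1 devices, where a level transmitter is checked against the inflow and outflow meters. The 3.6/3.8/20.5/21.0 mA limits are the NAMUR NE43 conventions; the independent loop tap, the tank geometry, the flow and level figures, and the tolerances are constructed assumptions for the illustration. Note that the second check flags a frozen level reading whether the cause is a stuck transmitter or an attacker replaying a recorded value; it cannot tell the two apart, which is the point made above that to the operator it doesn't matter.

```python
"""Two plausibility checks on process sensor data (constructed illustration)."""

# NAMUR NE43 signalling conventions for a 4-20 mA loop (real standard values).
NE43_LOW_FAULT = 3.6    # mA: at or below this the transmitter signals a fault
NE43_HIGH_FAULT = 21.0  # mA: at or above this the transmitter signals a fault
NE43_LIVE_MIN = 3.8     # mA: bottom of the usable live range
NE43_LIVE_MAX = 20.5    # mA: top of the usable live range


def loop_current_status(current_ma):
    """Classify a raw loop current measured on the wire, before any packetization."""
    if current_ma <= NE43_LOW_FAULT:
        return "fault-low"        # open loop, broken wire or transmitter fault
    if current_ma >= NE43_HIGH_FAULT:
        return "fault-high"       # transmitter fault signalled high
    if current_ma < NE43_LIVE_MIN or current_ma > NE43_LIVE_MAX:
        return "out-of-range"     # live signal but outside the calibrated span
    return "ok"


def ma_to_engineering(current_ma, lo, hi):
    """Linear 4-20 mA scaling to engineering units over the range [lo, hi]."""
    return lo + (current_ma - 4.0) / 16.0 * (hi - lo)


def loop_vs_reported(current_ma, reported, lo, hi, tol_frac=0.02):
    """Compare the value implied by the wire with the value reported upstream.

    A mismatch means the number the HMI shows does not match what the transmitter
    is actually driving onto the loop, i.e. the data changed downstream of the wire.
    """
    status = loop_current_status(current_ma)
    if status != "ok":
        return status
    implied = ma_to_engineering(current_ma, lo, hi)
    if abs(implied - reported) > tol_frac * (hi - lo):
        return "mismatch"
    return "consistent"


def mass_balance_residuals(levels, q_in, q_out, area_m2, dt_s):
    """Residual between the measured level change and the change the flows predict.

    For a tank, dL/dt * A = Q_in - Q_out. Each residual is (measured - predicted)
    level change in metres between consecutive samples.
    """
    residuals = []
    for k in range(1, len(levels)):
        predicted = (q_in[k - 1] - q_out[k - 1]) * dt_s / area_m2
        measured = levels[k] - levels[k - 1]
        residuals.append(measured - predicted)
    return residuals


def flag_inconsistent(residuals, tol_m, consecutive=2):
    """Return sample indices where the residual exceeded tol_m for `consecutive` samples."""
    flags, run = [], 0
    for k, r in enumerate(residuals, start=1):
        run = run + 1 if abs(r) > tol_m else 0
        if run >= consecutive:
            flags.append(k)
    return flags


# Constructed sample data: a 10 m^2 tank sampled every 60 s with steady flows.
TANK_AREA_M2 = 10.0
DT_S = 60.0
Q_IN = [0.05] * 8    # m^3/s from the inflow meter
Q_OUT = [0.03] * 8   # m^3/s from the outflow meter
HONEST_LEVELS = [2.00 + 0.12 * k for k in range(8)]          # level rises 0.12 m/sample
FROZEN_LEVELS = HONEST_LEVELS[:4] + [HONEST_LEVELS[3]] * 4   # level held at a recorded value


if __name__ == "__main__":
    # Wire says 12 mA on a 0-5 m level tag, HMI shows 2.5 m: consistent.
    print(loop_vs_reported(12.0, 2.5, 0.0, 5.0))
    # Same wire, HMI shows 1.0 m: the value changed after leaving the transmitter.
    print(loop_vs_reported(12.0, 1.0, 0.0, 5.0))
    for name, levels in (("honest", HONEST_LEVELS), ("frozen", FROZEN_LEVELS)):
        res = mass_balance_residuals(levels, Q_IN, Q_OUT, TANK_AREA_M2, DT_S)
        print(name, flag_inconsistent(res, tol_m=0.03))
```

The loop-current check only sees what reaches the tap; a transmitter that is itself miscalibrated or compromised produces a plausible current and passes it. That is why the second check matters: the flow meters and the level transmitter are separate devices, and faking all of them consistently is far harder than replaying one.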

I will be giving the January 25th keynote at the Texas A&M Instrumentation and Automation Symposium, focusing on the lack of Level 0,1 device security and potential impacts on process safety.

Joe Weiss