1. Home

Lack of authentication of process sensors does not appear to bother people

March 16, 2021
According to Dale Pederson, his poll showed 97% of the ICS security audience knew that Purdue Reference Model Level 0 sensors and actuators had no authentication. So according to Dale, awareness in this audience is not a problem. Who are these people that responded and how many understand cyber security of process sensors and other Purdue Reference Model Level 0,1 devices? How many understand the safety significance of lack of authentication of process sensors and actuators? How many realize this could be a backdoor for the Chinese to enter the compromised transformer? How many realize the Chinese have provided counterfeit pressure and differential pressure transmitters which are significant safety and reliability concerns? My guess is not many. What does it take to educate people?

According to Dale Pederson, his poll showed 97% of the ICS security audience knew that Purdue Reference Model Level 0 sensors and actuators had no authentication. So according to Dale, awareness in this audience is not a problem. Who are these people that responded and how many understand cyber security of process sensors and other Purdue Reference Model Level 0,1 devices? How many understand the safety significance of lack of authentication of process sensors and actuators? How many realize this could be a backdoor for the Chinese to enter the compromised transformer? How many realize the Chinese have provided counterfeit pressure and differential pressure transmitters which are significant safety and reliability concerns?  My guess is not many.

If IT and OT view authentication as critical to being cyber secure, how can the starting point of all control and safety system applications, which is the process sensor input, not be authenticated and yet people still be OK with this situation? Because, if there is no authentication of the Level 0,1 sensor input, than OT monitoring is questionable as it is based on untrusted input. I don’t think many of the 97% appreciate that distinction.

There are efforts in several control system standards and industry organizations working on process sensor cyber security for control and safety applications. These are engineering-based not network-based discussions. I don’t believe many of the respondents are aware of these efforts.

 As a colleague of mine who has spent more than 40 years working on Level 0,1 issues stated: “I have spent years talking to brick walls and brick heads about the lack of security in field devices. Their response is typically that they are air gapped and that everything is safe and secure. Irrational fantasy at best. I am not alone in this quest, but I am definitely in a minority.”

I will be presenting along with a colleague from one of the national labs March 31 at the Texas A&M Instrumentation & Automation Symposium process sensor control system cyber security to process and safety systems experts. I wonder how many of the responders to the poll will attend?

Joe Weiss

Continue Reading

Sponsored Recommendations

Latest from Home

Most Read

Sponsored