Little progress has been made on control system cyber security that impacts safety and reliability

I participated in the ISA Conference in Montreal October 16-17, 2018. This was ISA’s first Multi-Dimensional Automation Track Experience with sessions on Manufacturing Execution Systems, Industrie 4.0, HMIs, Automation Control and Robotics, Communications, Pulp and Paper, Instrumentation/Process Measurement, Food Industry topics, Serialization, Construction and Design-Safety, and Cyber Security. These interdisciplinary sessions are important as instrumentation and controls issues are not unique to any industry.

There is still a prevailing view that cyber incidents need to be malicious attacks, which may be true for IT but is not true for control systems. Unintentional control system cyber incidents have caused major damage and must also be addressed. When I helped start the control system cyber program for the electric utilities at EPRI in 2000, I wrote that security is a 3-legged stool: physical security – guns, gates, and guards; IT security – Windows, which the IT community needs to address; and control systems, which only the control systems community can address. Unfortunately, the focus has been on IT/OT security. While it is necessary to address IT and OT networks, that is not sufficient to secure control systems. However, the irony is that monitoring the raw process sensor signals may be one of the only ways to know if a man-in-the-middle cyber attack like Stuxnet has occurred because raw sensor signals are independent of any Ethernet/IP network. Consequently, it was disconcerting when the presentations on Industrie 4.0, IoT, and OT cyber security were network-focused without also addressing the field control devices. That is, they were focused on network anomaly detection, not process anomaly detection. I was glad to see AutoSol’s David Blanco’s presentation where he stated there were two assumptions with ICS Cyber Security: data is correct and control is exclusive. That is, he stated what essentially all other presentations assumed – the sensors are uncompromised and correct – which is not necessarily correct. Except for Schneider’s Peter Martin’s keynote, none of the other presentations addressed the need to address sensors at the sensor layer. Effectively, this conference could have been the RSA Security Conference (all about networks), not ISA, as far as not addressing the security and safety threats from unsecured Purdue Reference Model Level 0, 1 devices.
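The raw-signal cross-check argued for above, as an added example that is not part of the original post or any vendor's product. It assumes a hypothetical out-of-band tap on a 4-20 mA loop whose samples are compared with the value the network delivers for the same point; the function name, tolerance, persistence count and sample values are constructed.

```python
# Added example: out-of-band raw loop current vs. the value reported over the network.
# All names, thresholds and sample values here are constructed for illustration.

def check_loop(raw_ma, reported, lo, hi, tol, persist=3):
    """Compare raw 4-20 mA samples with network-reported engineering values.

    Returns (start_index, kind) events:
      loop_fault               - current outside the 3.8-20.5 mA measuring band
      raw_vs_reported_mismatch - |raw - reported| > tol for `persist` samples in a row
    """
    events, run = [], 0
    for i, (ma, rep) in enumerate(zip(raw_ma, reported)):
        if not 3.8 <= ma <= 20.5:          # broken wire / transmitter failure signal
            events.append((i, "loop_fault"))
            run = 0
            continue
        raw = lo + (ma - 4.0) / 16.0 * (hi - lo)   # scale to engineering units
        run = run + 1 if abs(raw - rep) > tol else 0
        if run == persist:                 # fire once per sustained divergence
            events.append((i - persist + 1, "raw_vs_reported_mismatch"))
    return events

# Constructed sample: pressure transmitter ranged 0-100 psig. The raw loop
# shows pressure climbing while the network keeps reporting about 50 psig.
RAW_MA   = [12.0, 12.1, 12.0, 12.8, 13.6, 14.4, 15.2, 16.0]
REPORTED = [50.0, 50.6, 50.0, 50.1, 49.9, 50.0, 50.2, 50.0]

if __name__ == "__main__":
    for start, kind in check_loop(RAW_MA, REPORTED, 0.0, 100.0, tol=2.0):
        print(f"sample {start}: {kind}")
```

A network monitor sees nothing unusual in the reported series here; only the comparison against the raw loop exposes the divergence.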

On October 16th, Andy Pascoe from SIGA and I gave a presentation on process sensor cyber security and safety to the Instrumentation and Process Measurement and Control Track (instrumentation, not cyber security). There were several process sensor vendors at our session. They were not aware of the cyber vulnerability of their sensors. From my experience, there has been little progress in understanding/addressing process sensor cyber security and safety issues since I started identifying this as an issue several years ago. This even includes the Nuclear Regulatory Commission's proposed regulatory guide on nuclear plant cyber security.

The recent Columbia Gas natural gas over-pressurization event demonstrates the need for process anomaly detection as it was a “two rights make a wrong” scenario. The sensors and the controllers did what they were designed to do but the “process was wrong”. In this case, there was no indication that the pipe was cut, so that even though the sensors and controller functioned as designed, it created a dangerous, unsafe condition leading to the overpressure of the piping.

I will be addressing the need for engineering participation in cyber security, including field device issues, on October 23rd in my EnergyTech keynote in Cleveland and at our session at the ISA Safety and Security Conference in Houston on October 31st.

How many more Columbia Gas, Texas City, Three Mile Island, Buncefield tank farm, and other catastrophic sensor-related events will it take for people to understand the need for sensor/process anomaly monitoring?

Joe Weiss