Network anomaly detection can provide a false sense of security

ICS cyber security is still too "IT-focused". That is, currently ICS cyber security is all about the network. Dale Peterson in his DigitalBond blog identified 20+ vendors providing network anomaly detection for ICS networks. The assumption is that network anomaly detection is correlated to physical process anomaly detection. Why else would Operations care? However, this is not a correct assumption, since network anomaly detection addresses packets, not physical processes. The analogy would be: how could a doctor make a diagnosis if he/she can't trust the temperature and blood pressure readings?

The physical process, e.g., boiler pressure, pipeline flow, tank level, etc., is controlled by process sensor input. Currently, commercial/industrial process sensors, e.g., pressure, level, flow, temperature, humidity, voltage, current, polarity, etc., lack authentication and cyber security. Consequently, it is not clear that the sensor packet input from the serial-to-Ethernet converters is correct and uncompromised, since by the time the sensor signals reach the Ethernet network, the sensor value may already be compromised or inaccurate. Therefore, it is not possible to correlate cyber vulnerabilities to process system impact without a direct look into the "raw" process.

This becomes even more important because serial-to-Ethernet converters were compromised in the US electric grids in the 2014 timeframe and in the 2015 and 2016 Ukrainian cyber attacks. The focus of the compromise of the serial-to-Ethernet converters was to use the converters as a means of getting into the networks ("race to the top") as opposed to using the converters as a means of getting to the sensors ("race to the bottom"). This means that network anomaly detection may be providing a false sense of security, because it cannot address potential sensor anomalies occurring before the serial-to-Ethernet converters.

This is critical because testing has demonstrated that control system devices can be compromised without any indication from network deep packet inspection. Other potential impacts that could not be found by deep packet inspection include preventing sensors from reaching their setpoints or causing sensors to spuriously reach setpoints, shutting down processes. These scenarios have already occurred in nuclear plants and other critical applications.
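The gap described above, as an added illustration that is not from the original post: a tank level sensor that drifts or is tampered with upstream of the serial-to-Ethernet converter still arrives on the network in well-formed packets with in-range values, so a packet-level baseline check passes, while a mass-balance check against the inflow and outflow sensors (a "direct look into the raw process") catches it. The tank geometry, tag names and trace values are constructed assumptions, not data from the post.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Sample:
    """One scan of three tank tags as seen on the Ethernet side of the converter."""
    ts: float          # minutes
    level: float       # m, from the level sensor
    flow_in: float     # m^3/min, from the inlet flow sensor
    flow_out: float    # m^3/min, from the outlet flow sensor

# Learned per-tag value ranges, the kind of baseline a network anomaly tool builds (constructed)
BASELINE = {"level": (0.0, 10.0), "flow_in": (0.0, 5.0), "flow_out": (0.0, 5.0)}
TANK_AREA_M2 = 2.0     # hypothetical vessel cross-section
LEVEL_TOL_M = 0.1      # allowed mismatch between measured and expected level

def network_check(s: Sample) -> bool:
    """Packet-level view: every value sits inside its learned range, so nothing looks anomalous."""
    return all(lo <= getattr(s, tag) <= hi for tag, (lo, hi) in BASELINE.items())

def process_check(prev: Sample, cur: Sample) -> bool:
    """Physics view: the level change must match net inflow over the interval (mass balance)."""
    dt = cur.ts - prev.ts
    expected = prev.level + (prev.flow_in - prev.flow_out) / TANK_AREA_M2 * dt
    return abs(cur.level - expected) <= LEVEL_TOL_M

def evaluate(samples):
    """Return (ts, network_ok, process_ok) per sample; process_ok is None for the first sample."""
    results = []
    for i, s in enumerate(samples):
        proc = None if i == 0 else process_check(samples[i - 1], s)
        results.append((s.ts, network_check(s), proc))
    return results

# Constructed trace: inflow 3, outflow 1, so the level should rise 1 m/min. At t=3 the level
# sensor reports 4.1 instead of 5.0 (stuck or tampered before the converter); the packets are fine.
TRACE = [
    Sample(0, 2.0, 3.0, 1.0),
    Sample(1, 3.0, 3.0, 1.0),
    Sample(2, 4.0, 3.0, 1.0),
    Sample(3, 4.1, 3.0, 1.0),
]

if __name__ == "__main__":
    for ts, net, proc in evaluate(TRACE):
        print(f"t={ts:.0f}min network_ok={net} process_ok={proc}")
```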

Joe Weiss