OT “experts” do not understand the engineering impacts of control system cyber vulnerabilities – and that can be existential

Dec. 4, 2019
It is evident engineering aspects of control system cyber security such as the Aurora vulnerability and process sensor issues are still not understood or appreciated by Dragos and other OT “experts”. These vulnerabilities are a subset of non-network-based vulnerabilities that, if not addressed, can lead to existential threats to entire industries or even countries. Nation-state adversaries are aware of these issues. It would be valuable to have roundtable discussions with Dragos and/or other OT “experts” on control system cyber security engineering issues to fill these holes. I am still waiting for that to happen.

Dragos published their report, “Stuxnet to CrashOverride to TRISIS: Evaluating the history and future on integrity-based attacks on industrial environments” - https://dragos.com/wp-content/uploads/Past-and-Future-of-Integrity-Based-ICS-Attacks.pdf. The gaps in understanding in the Dragos report are common to all OT network security vendors in all industries. That is, OT vendors focus on the OT networks, not the control system field devices nor physics-based issues that are not network malware-based. However, the paper’s title “Integrity-based attacks” can be more than just IP network vulnerabilities and network malware. Vulnerabilities such as Aurora and process sensors also can be viewed as integrity-based attacks. However, neither can be identified by Ethernet network monitoring and both have been summarily dismissed by Dragos. Consequently, I will address the Dragos report’s (and many others) misunderstanding of the Aurora vulnerability and process sensor cyber vulnerabilities. These two vulnerabilities are a subset of non-network-based vulnerabilities that, if not addressed, can lead to existential threats to entire industries or even countries.

According to the Dragos report, “While direct communication to breakers to open and close them (similar to breaker manipulation used in transmission operations in CRASHOVERRIDE) can immediately create circumstances for an Aurora-like effect, this attack vector has multiple problems rendering it likely immaterial if not outright irrelevant. First, direct manipulation of breakers and related equipment introduces noticeable lag in responsiveness between attacker-initiated action and physical response of actual breaker equipment. Thus, direct manipulation of equipment to achieve an Aurora-like impact is either extremely difficult, or outright impossible.”

I supported DOD on the Aurora mitigation project. As such, I have written and spoken extensively on the Aurora vulnerability. This is because there is so little accurate information on the March 2007 INL Aurora test and how Aurora is a gap in protection of the electric grid. In addition, I supported the Federal Energy Regulatory Commission (FERC) to attempt to understand why the utility industry has been so reticent to address this existential gap to the electric grid. My Waterfall podcast on Aurora was meant to bring clarity to this subject and also the need for engineering expertise - https://www.controlglobal.com/blogs/unfettered/waterfall-security-podcast-on-aurora-and-the-need-for-engineers/. After reading the Dragos report, it was evident to me Aurora is still misunderstood. However, I wanted independent confirmation of my concerns with the Dragos statements. Consequently, I contacted three people that were directly involved in the 2007 Aurora test and the Aurora hardware mitigation efforts to review Dragos’ statements (As an aside, Mike Assante and I were both concerned about the misinformation on Aurora). The three experts were very disappointed there is still such fundamental misunderstandings about Aurora (https://www.controlglobal.com/blogs/unfettered/physics-issues-such-as-aurora-are-not-understood-by-many-ics-cyber-security-experts-this-can-be-an-existential-miss /). I pointed out in early 2016 that the Ukrainian cyber attacks could have been Aurora events if the attackers chose to do so (remotely reconnect breakers out-of-phase with the grid). Direct manipulation of relay equipment has already occurred. Moreover, there have been actual Aurora incidents that have caused damage. Considering in 2015 DHS inadvertently declassified more than 800 pages on Aurora that ended up on hacker websites, how can Dragos ignore Aurora?

According to Dragos, “While some voices might posit that circumstances demand defense and monitoring down to the level of individual sensor inputs within a process environment to ensure continued integrity and viable defense, the overall threat environment to date does not support such an exaggerated response. Although future scenarios may incorporate such fundamental, layer 0-type impacts, at present adversaries have all the required capability necessary to cause damage while working largely in a Windows-based environment with some understanding of control system logic and process interconnection. Based on what is actually occurring in real-world scenarios, asset owners and operators must focus attention on the problems of today and the near future, which thankfully can be solved through better analysis and use of existing data while fusing IT security knowledge with ICS process expertise.”

I am surprised that Dragos continues to repeat this misconception after my 11/12/19 blog responding to Joe Slowik’s blog on this subject- https://www.controlglobal.com/blogs/unfettered/sensors-and-sensibility-dragos-and-other-ot-experts-lack-expertise-on-process-sensors/. As of 12/3/19, there have been more than 11,500 views of this blog on my Linked-in site. I did a podcast for Momenta Partners podcast on sensors (this was done before the concerns about counterfeit transmitters arose) - https://www.controlglobal.com/blogs/unfettered/podcast-control-systems-cybersecurity-a-grim-gap-a-conversation-with-joe-weiss/. Considering that Iran, Russia, and China are aware of the lack of cyber security in process sensors (Russia demonstrated compromising process sensor cyber vulnerabilities with Operation Corsair), how can Dragos ignore the lack of cyber security of these devices?

It is evident engineering aspects of control system cyber security such as the Aurora vulnerability and process sensor issues are still not understood or appreciated by Dragos and other OT “experts”. These vulnerabilities are a subset of non-network-based vulnerabilities that, if not addressed, can lead to existential threats to entire industries or even countries. Nation-state adversaries are aware of these issues. It would be valuable to have roundtable discussions with Dragos and/or other OT “experts” on control system cyber security engineering issues to fill these holes. I am still waiting for that to happen.

Joe Weiss