Process instrumentation (level 1) cybersecurity issues

In his presentation at the October 2013 ICS Cyber Security Conference, a DOD researcher called ICS cyber warfare a “race to the bottom.” Of course, he wasn’t commenting on the morality of cyberwarfare. He was referring to the soft underbelly of ICS: the Level 1 field devices, in the lexicon of the Purdue Enterprise Reference Architecture, a 1990s reference model for enterprise architecture developed by members of the Industry-Purdue University Consortium for Computer Integrated Manufacturing.

  • Level 0 — The physical process — The actual physical process.
  • Level 1 — Intelligent devices — Sensing and manipulating the physical processes. Process sensors, analyzers, actuators and related instrumentation. Time frame: milliseconds to seconds.
  • Level 2 — Control systems — Supervising, monitoring and controlling the physical processes. Real-time controls and software; DCS, human-machine interface (HMI); supervisory control and data acquisition (SCADA) software. Time frame: minutes.
  • Level 3 — Manufacturing operations systems — Managing production workflow to produce the desired products. Batch management; manufacturing execution/operations management systems (MES/MOMS); laboratory, maintenance and plant performance management systems; data historians and related middleware. Time frame: shifts, hours, minutes, seconds.
  • Level 4 — Business logistics systems — Managing the business-related activities of the manufacturing operation. Enterprise Resource Planning (ERP – e.g., SAP, Oracle) is the primary system; it establishes the basic plant production schedule, material use, shipping and inventory levels. Time frame: months, weeks, days, shifts.

The Level 1 process sensors can, in real time and without operator intervention, monitor physical process parameters (pressure, temperature, flow, voltage, current, chemical composition, radiation, among others) and cause preprogrammed changes to the Level 0 physical processes via Level 1 actuators, drives, motor-operated valves, etc. This is where process safety is paramount.

Many such monitoring and control devices used in industrial applications now use the HART (Highway Addressable Remote Transducer) communications protocol, in either its wired or wireless form. In essence, HART enables the overlay of a digital signal on top of the sensor’s traditional 4-20 mA serial signal. Security researchers have given HART considerable attention in recent years. In 2014, Russian security researchers identified cyber vulnerabilities in wired-HART systems. In January 2016, Applied Risk researchers identified cyber vulnerability issues with WirelessHART systems.

It is important that we understand the proper message and draw the right conclusions from these security studies. The message and conclusions are certainly not limited to HART or HART-enabled devices and systems. For example, similar vulnerabilities have been, or will be, documented in systems using Foundation Fieldbus, Profibus, and Modbus, as these protocols also were designed without adequate concern for cybersecurity. The real lesson relates to the cyber threats from the digital integration of Level 1 equipment, and especially integration with human-machine interfaces in Level 2 and 3 operating systems.

Cyber vulnerabilities from integration lurk everywhere, from the bottom up: the sensors (including the microprocessor which makes the device a transmitter – sensor/transmitter); the sensor/transmitter transmission protocols; the asset management software; and beyond. Daisy-chaining enterprise levels has made the entire system exponentially more cyber vulnerable—and dangerous.

Sensor communication systems have evolved from analog to digital to facilitate integration with HMIs and other aspects of higher-level control systems, which use Windows and other commercial operating systems. Sensor/transmitters are now directly connected to the final end devices (drives, valves, actuators, etc.) so that real-time monitoring and control can be accomplished at the device level, with the information provided back to the HMIs. Unfortunately, sensor/transmitters and other field devices have not evolved to match the enhanced cybersecurity risks posed by these digital communication capabilities, including the continued lack of authentication. In general, there are no commonly accepted standards for key management in a control system environment. The Applied Risk researchers defeated WirelessHART digital keys and cryptography management by compromising the security manager. There are also insufficient safeguards to protect or validate data integrity at this level. Sensor/transmitters and other Level 1 devices have accordingly become vectors for cyber-physical attacks.

Above the field devices is the Level 2 asset management software. This software can be installed on the control system PC, and its operator interface can be used to monitor the data from HART or other digitally enabled field devices. The asset management software gives the operator access to the primary variables, many secondary variables and other information transmitted by the field devices. An operator (or a potential attacker) can check the field device measurement output, calibration logs, and error alerts, and can reconfigure the sensor/transmitter or control device. Reconfiguration can include changes to variables, limits, alarm ranges, and so forth, and even reflashing and writing to Electrically Erasable Programmable Read-Only Memory (EEPROM).

The networking of Level 2 and Level 1 devices is also subject to compromise. The strategic importance of such vulnerabilities cannot be overstated. An attacker could manipulate the operation of industrial processes, with consequences generally obvious to all. The attacker could also affect the maintenance of industrial equipment, because asset management software is used for predictive equipment maintenance. As demonstrated by the Aurora vulnerability, it is not always clear how a cyber compromise affecting equipment lifetime could be detected. As with Stuxnet, the input data often would be accepted by the controllers without question if the data remains within an acceptable operating range—either the original range or the attacker’s revised range.
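The point above, that a controller accepts any value inside whatever range it currently holds, suggests a simple defender-side control: pin alarm limits to an engineering-approved baseline outside the device, and treat any range write from the asset management layer as suspect unless it matches an approved change record. The monitor below is an added illustration, not code from the original post or from any HART or asset management product; the device tags, limits, tickets and event format are constructed for the example.

```python
"""Plausibility monitor for Level 1 readings and configuration writes (added example).

Two checks: (1) readings are compared against approved limits held here, not against
the limits currently stored in the device, so a range widened through asset management
software does not silently make bad values look 'in range'; (2) every range write is
flagged unless it carries an approved change ticket. Tags and values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    lo: float                      # engineering-approved low alarm limit
    hi: float                      # engineering-approved high alarm limit
    approved_tickets: frozenset    # change-ticket ids allowed to alter the range


def check_events(events, baselines):
    """Return (seq, tag, reason) findings for a sequence of device events.

    Each event is a dict with 'seq', 'tag' and 'kind'. kind == 'value' carries 'value';
    kind == 'config_write' carries the new 'lo', 'hi' and the 'ticket' that authorizes it.
    """
    findings = []
    current = {tag: (b.lo, b.hi) for tag, b in baselines.items()}  # limits we trust
    for ev in events:
        tag, b = ev["tag"], baselines[ev["tag"]]
        if ev["kind"] == "config_write":
            if ev.get("ticket") in b.approved_tickets:
                current[tag] = (ev["lo"], ev["hi"])   # approved change: adopt new range
            else:
                # Unapproved range write: flag it and keep judging values by old limits.
                findings.append((ev["seq"], tag, "unauthorized range write"))
        else:
            lo, hi = current[tag]
            if not lo <= ev["value"] <= hi:
                findings.append((ev["seq"], tag, "value outside approved limits"))
    return findings


# Constructed sample: PT-101's range is widened without a ticket, then reads 95 (hidden
# by the widened range on the device, but outside the approved 0..80 here); TT-202's
# change is covered by ticket CHG-42, so its reading of 85 is acceptable.
SAMPLE_BASELINES = {
    "PT-101": Baseline(0.0, 80.0, frozenset()),
    "TT-202": Baseline(10.0, 80.0, frozenset({"CHG-42"})),
}
SAMPLE_EVENTS = [
    {"seq": 1, "tag": "PT-101", "kind": "value", "value": 52.0},
    {"seq": 2, "tag": "PT-101", "kind": "config_write", "lo": 0.0, "hi": 120.0, "ticket": None},
    {"seq": 3, "tag": "PT-101", "kind": "value", "value": 95.0},
    {"seq": 4, "tag": "TT-202", "kind": "config_write", "lo": 10.0, "hi": 90.0, "ticket": "CHG-42"},
    {"seq": 5, "tag": "TT-202", "kind": "value", "value": 85.0},
]

if __name__ == "__main__":
    for finding in check_events(SAMPLE_EVENTS, SAMPLE_BASELINES):
        print(*finding)
```

In practice the baseline and ticket list would come from a change-management system that the asset management workstation cannot write to, which is the whole point of keeping them off the device.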

Generally speaking, HART security researchers have shown any number of potentially disastrous outcomes, from the compromise of a single device to the use of the compromised device to compromise other devices on the HART highway, or to alter the industrial processes controlled by the asset management software. Of course, an attacker interested in financial manipulation could also use the asset management software as a backdoor into the ERP system. The security researcher who found the wired-HART vulnerability was an ERP security expert focused on gaining unauthorized access to the ERP.

The digital integration of field devices has occurred with the best of intentions: a human, real-time interface with sensor data facilitates the equivalent of “just-in-time” control. (How wonderful to be able to adjust your wind turbines remotely based on the current weather update.) But we can’t keep ignoring the cyber vulnerabilities introduced by having remote monitoring and control capabilities.

Do all critical systems need to go “back to the future” with nothing but 4-20 mA point-to-point serial? Not necessarily. But we do need to think things through. Do operators and analysts really need control system data within milliseconds? How do you perform risk assessments of systems and devices with almost no security? Should safety and control systems be integrated? Should field device integration approaches such as FDT, which standardizes the communication and configuration interface between all field devices and host systems using HART, Fieldbus, Profibus, or Modbus, be made more secure before they are used in critical control system applications? And so forth.

Joe Weiss