Dale Peterson had a twitter poll on DigitalBond.com asking what people think about the availability of security in sensors, actuators, instruments (Purdue Model Level 0 devices) considering process sensor vendors do not include authentication or security in their sensors. Of the 77 replies to Dale’s survey, 83% said no Encryption or Authentication was available, 5% said Authentication was available, 3% said Authentication and Encryption was available, and 9% said I don’t know. I find several interesting aspects to the answers:
- Why did 5% think Authentication was included and 3% say Authentication and Encryption was included when neither exists?
- If 83% recognize that process sensors have no Authentication or Encryption (security), why isn’t there more being done about security at that level as it affects all of ICS cyber security?
When I talked to Dale about the results, he said the survey results validate that people who attend S4 recognized there was no security at Level 0. Serial-to-Ethernet converters have been shown to be cyber vulnerable enabling a path into the sensors. In fact, the cyber vulnerability of the serial-to-Ethernet converters was the vehicle for inserting BlackEnergy into the US and Ukrainian grids. Yet, there is little being done even though process sensors (before the serial-to-Ethernet converter) are:
- the view into the actual process (process anomaly detection),
- the basic input to not only control, but safety (neither security or safety standards have addressed the lack of sensor security issue)
- the basis for network anomaly detection (though there is no discussion about the validity of the original sensor input and no direct connection to the process),
- the basis for historian data (though there is no discussion about the validity of the original sensor input)
- the basis for the industrial cloud (sensors are assumed to be secure and authenticated),
- unable to tell the difference between unintentional vs cyber attacks because of lack of cyber forensics (network anomaly detection cannot detect many process sensing anomalies), and
- at least a contributing cause of many catastrophic incidents (see below).
I will be taping an interview on August 15th for the Seattle National Public Radio (NPR) affiliate on a retrospective of the Bellingham, WA Olympic Pipeline rupture. That event killed 3, resulted in several people going to jail, and directly led to the bankruptcy of the Olympic Pipeline Company. The pipeline rupture incident was both SCADA and process sensor-related. When the SCADA system became unresponsive, the sensors were automatically set to average values. Consequently, SCADA was inoperable and the sensors could not provide real input on the increasing pressure that led to the pipe rupture. I encourage people to read my blog providing further examples of catastrophic sensor-related ICS cyber incidents - http://www.controlglobal.com/blogs/unfettered/process-sensor-cyber-issues-have-contributed-to-catastrophic-events/
Given all of this information, how can the lack of security and authentication of process sensors be acceptable?