October 31, 2018, I participated in the ISA Safety and Security Conference in Houston. This was an important conference because it was a mix of safety engineers and network security personnel. As with every conference I have attended, our session on sensors was one of the only ones not focusing on some form of Operational Technology (OT) and/or IT network monitoring. The sensor discussions began with Paul Gruhn’s keynote, a retrospective on the Bhopal disaster. Process sensors played a role: pump failures caused erratic temperature readings, which led site personnel to disable the high temperature alarms. Additionally, the pressure sensor information on the new valves was not accurate, further deepening the distrust of the sensor readings.
Andy Pascoe from SIGA and I gave a presentation on the security and safety implications of process sensors. As a prelude to the discussion on sensors, I discussed the on-going confusion in the terms “endpoint” and “OT”. The IT discussions of endpoints are about network edge devices such as routers. The IT discussions do not address control system edge devices, also known as Purdue Reference Model Level 0,1 devices (sensors, actuators, and drives). OT is generally viewed as the control system networks, not the sensors, actuators, and drives, which are engineering systems. ISA99 has established Task Group 7 to determine if the existing ISA/IEC 62443 standards adequately address legacy Level 0,1 devices – they do not. It was the first time many of the attendees heard about the lack of cyber security and authentication in process sensors, actuators, and drives (representatives from NIST attended). Following our presentation, there was an open discussion session, and issues with Purdue Reference Model Level 0,1 devices were a significant topic of discussion.
In addition to the conference, another sensor-related event occurred half a world away. The preliminary assessment of the October 29th Lion Air crash in Indonesia of a new Boeing 737 Max 8 is focusing on the airspeed indicators and the angle of attack sensors. A team of experts is trying to determine whether the fault in the airspeed indicator was in the sensor, the computer system, or the display. On November 7, 2018, the U.S. Federal Aviation Administration (FAA) issued an emergency airworthiness directive on about 250 Boeing 737 Max aircraft after Boeing sent a bulletin to carriers in the aftermath of the deadly Lion Air flight. The FAA said the order is effective immediately, covers 45 aircraft in the United States, and addresses erroneous angle of attack inputs. The directive orders operators to revise the airplane flight manual to give the flight crew horizontal stabilizer trim procedures to follow under some conditions (this does not fix the sensors). One can only wonder why sensor-related problems such as the pitot tube failures on Airbus aircraft, already known at the time, were not addressed before the June 2009 Air France crash in the South Atlantic that killed 228.
November 5th, I had a discussion with the NIST Smart Grid Program. My concern was the lack of appropriate focus on legacy sensors with no security. I was told to review NISTIR 8228, Table 1 “Security Considerations for Sensors”. There were two issues: Table 1 was not applicable to legacy process sensors, which will be around for the next 10-15 years, and there was no discussion about the validity of the sensor measurements. That is, are the sensor readings uncompromised and correct? I was told that NISTIR 8228 didn’t address legacy sensors but that they would be addressed by another group at NIST working on cyber-physical systems. However, on June 12th, I had a discussion with the NIST cyber-physical program concerning sensor validity at the physics layer. This wasn’t being addressed in that program either. What does the lack of cyber security of process sensors, actuators, and drives mean to the NIST Smart Grid Program, the NIST Smart Manufacturing Program, the NIST Cyber Physical Systems Program, and the NIST Risk Management Framework (RMF) if the measurements can’t be trusted?
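One way to ask the question raised above, whether a reading is plausible before it is trusted, is to compare redundant channels against each other and check each channel's rate of change against a physical limit. This is an added illustration, not code from this post or from any NIST program; the sensor values and thresholds below are constructed.

```python
"""Plausibility checks on process-sensor readings at the physics layer.

Constructed illustration: a redundant-channel disagreement check and a
rate-of-change check, the kinds of tests that would flag an erratic
temperature channel or a pair of angle-of-attack sensors that diverge.
"""
from typing import List, Tuple


def check_rate(series: List[float], max_rate: float) -> List[int]:
    """Return indices where a single channel changes faster than the
    largest change the physical process can produce between samples."""
    flagged = []
    for i in range(1, len(series)):
        if abs(series[i] - series[i - 1]) > max_rate:
            flagged.append(i)
    return flagged


def check_redundant(a: List[float], b: List[float],
                    max_disagreement: float,
                    max_rate: float) -> List[Tuple[int, str]]:
    """Cross-check two redundant channels sample by sample.

    Flags 'disagree' when the channels differ by more than the tolerance,
    and 'rate_a' / 'rate_b' when either channel jumps implausibly fast.
    A sample with any flag should not be trusted for control or alarming
    until the cause (sensor, wiring, computer, or display) is established.
    """
    flags: List[Tuple[int, str]] = []
    rate_a = set(check_rate(a, max_rate))
    rate_b = set(check_rate(b, max_rate))
    for i, (x, y) in enumerate(zip(a, b)):
        if abs(x - y) > max_disagreement:
            flags.append((i, "disagree"))
        if i in rate_a:
            flags.append((i, "rate_a"))
        if i in rate_b:
            flags.append((i, "rate_b"))
    return flags


if __name__ == "__main__":
    # Constructed angle-of-attack readings (degrees): channel b jumps at sample 2.
    left = [2.0, 2.1, 2.0, 2.2, 2.1]
    right = [2.0, 2.1, 22.0, 22.3, 22.1]
    print(check_redundant(left, right, max_disagreement=5.0, max_rate=3.0))
    # Constructed single temperature channel: one erratic spike at sample 2.
    print(check_rate([100.0, 101.0, 140.0, 102.0], max_rate=10.0))
```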
The lack of cyber security of sensors is a real but unaddressed problem. There is an approach that can directly address reliability, safety, quality, and productivity. What does it take to wake people up before further catastrophic sensor-related failures occur?