Still little understanding of cyber security of process sensors and this is more important than Stuxnet

I participated in the Spring 2018 DHS ICSJWG meeting in Albuquerque (agenda is at https://ics-cert.us-cert.gov/sites/default/files/ICSJWG-Archive/S2018/ICSJWG_2018_Spring_Meeting_Agenda_S508C.pdf).

The focus of most presentations was on cyber vulnerabilities to the exclusion of physical impacts. Many of the attendees also assumed they would be able to distinguish between a cyber attack versus a malfunction or system upset which is wrong from several points of view. First is you often can’t tell the difference between malicious vs. intentional incidents and secondly the impacts can be the same. There was a focus on malware detection to the exclusion of process physics such as Aurora. There was the lack of understanding of the control systems themselves and the tendency to call everything “SCADA”. Definitions are still a concern including the term “industrial” control systems. There also was a lack of actual ICS cyber incidents that were used in many of the discussions. Consequently, they did not address some very significant cyber incidents.

Other than my presentation, there was a lack of addressing the sensors at the analog layer before the data became Ethernet packets. That is, most assumed the Ethernet packet was “golden” and the focus was on protecting the packet. There were numerous presentations on situational awareness. How can there be situational awareness if you don’t have confidence in your sensor measurements? Unfortunately, protecting compromised sensor input can be a “garbage in-garbage out” scenario.

I gave a presentation on Level 0,1 devices. My abstract is included here:

“Purdue Reference Model Level 0,1 devices are process sensors, actuators, and drives. They are the initial input to all controllers and HMIs and are the final output to safely and reliably control a process. However, there is no security or authentication in these devices. Yet, all network anomaly detection systems assume process sensors provide secure, authenticated input and final control elements will function as designed. Because of the lack of security of Level 0,1 devices, ISA99 initiated a working group to make a recommendation as to whether the existing IEC62443 standards address Level 0,1 devices or if these standards could be modified to address Level 0,1 devices. The recommendation from the working group is that the existing IEC62443 do not, and cannot, address Level 0,1 devices without compromising the ICS networks these standards were designed to address. Not only are Level 0,1 devices not adequately addressed for cyber security, they are also not adequately addressed for process safety. An additional finding is that the existing level 0,1 definitions do not adequately reflect current control system field device and networking technologies. The intersection of level 0,1 devices, new technologies, and cyber threats have required a reassessment of how these devices are designed, configured, implemented, and connected. These are not idle considerations as there have been multiple catastrophic failures from process sensor-related incidents.”

It was evident from questions during and after the presentation this was new material. INL gave a presentation on Hatman/Triton that demonstrated the complexity of hacking safety systems. This hack required substantial resources and was specific to the Triconex system. The intent of Hatman was to prevent the safety system from actuating when called upon. However, the safety system doesn’t actuate until process sensors reach a setpoint. If the sensors don’t reach a setpoint, the safety system doesn’t actuate. Consequently, why bother with the complexity of hacking a safety system when all you have to do is prevent the sensors, that have no security or authentication, from reaching their setpoint and the safety system doesn’t actuate? This applies to any vendor’s safety system regardless of application. This is why hacking process sensors is a much bigger issue than Stuxnet.  Specific session questions included:

-        Is there a need for separation for control and safety? I believe the answer is yes. This is particularly true when the basic process control system shares sensors or HMIs with the safety system. It has been shown that serial-to-Ethernet converters, hand-held transmitter calibrators, and asset managers can be cyber vulnerable. Why subject the safety systems to these potential cyber threats?

-        How can sensors be hacked? I think it will take some demonstrations to prove that process sensors can be cyber-vulnerable. These demonstrations are being prepared.

-        Is redundancy adequate? From a cyber perspective, not necessarily. There have been numerous control system cyber cases where voting logic would not have been successful.

It will be interesting to see if the RSA Conference next week does a better job of addressing these Level 0,1 issues than most of the presentations at ICSJWG. Considering my abstract on cyber security of Level 0,1 devices was not accepted for RSA (even though Iran found my Defcon presentation of interest), I am not holding my breath.

Joe Weiss