The British government thinks process sensor cyber issues are real – what about everyone else?

Feb. 16, 2020
Addressing process sensor cyber security is complementary to monitoring the OT network and to network threat hunting. In fact, the process sensors are the basic input to every OT network. The British government thinks process sensor cyber issues are real and published a guide. Why is there such pushback from the IT and OT network monitoring and threat hunting communities? There certainly isn’t that pushback from the attacker community.

In response to my blog (https://www.controlglobal.com/blogs/unfettered/analog-device-vulnerability-is-a-major-threat-to-infrastructure-but-the-culture-gap-persists-which-could-be-an-existential-problem), I received the following response from Hugh Boyes on SCADASEC.

"When Joe refers to analogue devices, he is generally referring to ISA99 / IEC 62443 Level 0 devices, i.e. the sensors and actuators required in any cyber physical system. The vulnerability of these devices is often ignored as the security measures required to protect them are not purely technical but also involve physical and personnel security aspects along with process security (both of the metrology and processing by the device, as well as configuration management and control issues over the lifecycle of analogue devices). The security situation is not helped by the simplistic application of the triad of security goals (confidentiality, integrity and availability) to cyber physical systems.

In response to emerging concerns about the security and trustworthiness of analogue devices in a digital manufacturing environment I was commissioned to write a Publicly Accessible Specification (PAS) for the British Standards Institution (BSI): "PAS 7040:2019 Digital manufacturing. Trustworthiness and precision of networked sensors. Guide". This document is currently available as a free PDF download from the BSI website - https://shop.bsigroup.com/ProductDetail?pid=000000000030389632

Whilst the focus of this document is on digital manufacturing the approach it sets out is equally applicable to process industries, national infrastructure and any automation of physical processes where an analogue device provides a measurement or sensing interface between real and digital domains.

Despite Joe’s efforts to raise awareness of this issue there is still a significant culture and understanding gap. Those of us who started our careers working with analogue devices learnt from experience that the digitisation process has plenty of pitfalls for the unwary, for example aliasing and quantisation errors. But for those who are used to simply processing digital data there may be ignorance of how the analogue to digital conversion (or vice versa) is implemented and the inherent vulnerabilities or sources of error."

Addressing process sensor cyber security is complementary to monitoring the OT network and to network threat hunting. In fact, the process sensors are the basic input to every OT network. Why is there such pushback from the IT and OT network monitoring and threat hunting communities? There certainly isn’t that pushback from the attacker community.

Joe Weiss