On Thursday May 14th, 2020 Simon Clarke, Herman Storey, and I presented “Annex H Smart Field Devices – Digital Interface Security” to about 40 members of the joint ISA84 (process safety- Safety Instrumented Systems-SIS)/ISA99 (control system cyber security) working group for their review. An SIS is made up of one or more safety instrumented functions (SIF). An SIF consists of process sensor(s), logic solver and final element(s). Annex H addressed digital smart sensors and sensing systems used in SISs, although recognizing that analog sensors can also be cyber vulnerable. Smart process sensors include measurements of pressure, level, flow, temperature, chemical composition, etc. as well as their diagnostics and are the input to process control systems and SISs. A key takeaway from Annex H is that smart digital sensors have built-in back doors that cannot be secured. The back doors in these digital sensors are required for normal work processes. They are allowed by current standards and installed by manufacturers in all devices on the market. However, these same back doors can be exploited by malicious actors. Whether unintentional or malicious, “exploiting” the back doors can lead to bad consequences. In addition, the lower level sensing networks are insecure. This makes securing SISs problematic at best.
Presidential Executive Order 13920 was issued May 1, 2020 because of back doors installed on large electrical equipment manufactured in China and installed in the US bulk electric system https://www.controlglobal.com/blogs/unfettered/emergency-executive-order-13920-response-to-a-real-nation-state-cyberattack-against-the-us-grid. The Executive Order specifically included SISs. Additionally, I had written a blog about counterfeit pressure and differential pressure sensors manufactured in China that could be used in SISs and resulted in the declaration of a grid emergency at the 2019 Cyber War Games at the US Naval War College https://www.controlglobal.com/blogs/unfettered/the-ultimate-control-system-cyber-security-nightmare-using-process-transmitters-as-trojan-horses/. Moreover, process sensors and large transformers are out-of-scope for the NERC Critical Infrastructure Protection (CIP) cyber security standards and NERC supply chain requirements.
So what does this mean? Our process sensing systems including those used in safety systems have backdoors. Meanwhile the Operational Technology (OT) cyber security community, including the NERC Critical Infrastructure Protection (CIP) cyber security standards effectively ignore these devices as they aren’t on Internet Protocol routable networks. However, these devices are connected via potentially insecure communication protocols. No wonder this is where the Chinese have chosen to install their backdoors. A very interesting web we weave.
As an aside, May 20, 2020, CSO Online issued an article on the Presidential Executive Order that provides more details - https://www.csoonline.com/article/3544299/executive-order-boots-foreign-adversaries-from-us-electric-grid-over-security-concerns.html?upd=1590003105464
Joe Weiss
