September 12th, 2017 I participated in a cyber security panel at the WaTech Water Technology Conference in Tel Aviv, Israel. One of the focuses of the conference was the “digitization” of water. Consequently, cyber security was of great interest. The panel was entitled: Securing our Future: Water Industry Embracing Cyber Technologies. Panel participants included Yair Cohen, ex Commander of Unit 8200; Loïc Fauchon, CEO of Société des Eaux de Marseille, Rami Erfati from Fermitas Security Solutions, Mati Epstein from Check Point, Gal Joss Manager of Water Sector from Israel Export & International Cooperation Institute, Danny Lacker Manager of Water Security & Emergency Division of Israel Water Authority, Yanir Laubstein from PwC, and myself. There were many discussions about what it would take to move ICS cyber security along including insurance as a driver. As with almost all cyber security panels the focus was on the networks assuming the sensor values were correct. Yair questioned why there were just recommendations in the 2013 Executive Order on Cybersecurity/Presidential Policy Directive on Critical Infrastructure Security and Resilience. The US government approach is to provide guidance not requirements including the Cyber Security Framework (exceptions are the NERC CIPs and nuclear plant cyber security requirements). What surprised the panel was the NERC CIPs can be a roadmap for hackers as the NERC CIP specifically identifies what is excluded from scope.
September 13th, 2017 I gave a presentation at the DHS ICSJWG conference on the lack of cyber security and authentication in process sensors. The topic was new to many as most other presentations focused on cyber security of the network. The sensor values are the basic input to all network monitoring. Consequently, if you don’t have confidence in the basic input, it can become a “garbage in/garbage out” scenario. In order to know if the sensors are correct and uncompromised, the monitoring must be done BEFORE the sensor output is converted into an Ethernet packet as the sensor value can be “changed” before it becomes an Ethernet packet. One of the questions from the presentation was what can be done as there are so many sensors (more coming with IOT). There is no direct hardware replacement for existing sensors that don’t include security or authentication as they currently are not being made. Consequently, a detailed risk assessment is necessary to understand which sensors are critical and to monitor them before the signals before they become Ethernet packets. There is technology for monitoring the electrical characteristics of the sensor signals before they become Ethernet packets. To demonstrate that “compromised” sensors is not hypothetical, one of my slides provides a sample list of sensor-related cyber incidents including some that resulted in catastrophic events (contact me at firstname.lastname@example.org if you are interested in the slides).
What was common to both conferences was the focus on networks and the lack of appreciation for the need to address the insecurity of process sensors.