1. Home

March 10, 2022 presentation to the US Air Force Cyber College on process sensor cyber security

March 23, 2022
March 10, 2022, I gave a presentation to the US Air Force Cyber College on process sensor cyber security entitled: “Shields-Up” and Good Cyber Hygiene Don't Apply to Insecure Process Sensors”.  There were approximately 100 attendees from DOD, government, industry, credit rating agencies, and others. The reason for the title is process sensors have no capability for passwords, multi-factor authentication, encryption, keys, signed certificates, etc.  Despite the lack of any cyber security, these devices are the 100% trusted input to OT networks and manual operation. Moreover, process sensors have no cyber forensics. It was evident there are significant culture and education gaps between the engineers responsible for the design and operation of equipment that do not consider cyber security of interest and the network security people who consider cyber security important but don’t consider process sensors or other engineering equipment important. Ironically March 16, 2022 NIST issued NIST Special Publication 1800-10 Protecting Information and System Integrity in Industrial Control System Environments: Cybersecurity for the Manufacturing Sector. The NIST report states “It is acknowledged that many of the device cybersecurity capabilities may not be available in modern sensors and actuators.” Network cyber threats such as vulnerabilities in Log4j, the Treck TCP/IP Stack, and ransomware make off-line monitoring of process sensors more important than ever. Those interested in the presentation or learning more about the lack of cyber security of process sensors can contact me at [email protected]

March 10, 2022, I gave a presentation to the US Air Force Cyber College on process sensor cyber security entitled: “Shields-Up” and Good Cyber Hygiene Don't Apply to Insecure Process Sensors”.  There were approximately 100 attendees from DOD, government, industry, credit rating agencies, and others. An invitation was made to the attendees to join a joint Services project to address the process sensor cyber security issue.

Process sensors have no inherent cyber security and yet they have hardware backdoors directly to the Internet. Consequently, there are no air gaps of the kind many have long assumed would protect legacy, long-lived systems. The cyber security gap includes no capability for passwords, single-factor (much less multi-factor) authentication, encryption, keys, signed certificates, etc.  Despite the lack of any cyber security, these devices are the 100% trusted input to OT networks and manual operation. Moreover, process sensors have no cyber forensics

It was evident at the session that there are significant cultural and education gaps between the engineers responsible for the design and operation of equipment that do not consider cyber security of interest and the network security people who consider cyber security important but don’t consider process sensors or other engineering equipment important. That same engineering vs networking gap was evident in the March 22, 2022 CISA "Unclassified Broad Stakeholder Call to Address Impacts of the Russia-Ukraine Situation on the Homeland" even though the Russians have demonstrated the ability to compromise process sensors.

The evidence offered in the Cyber College presentation as well as in many blogs  demonstrated that the lack of cyber security in process sensors is real and has caused catastrophic failures. In many cases, these incidents were not detectable as cyber-related incidents. A recent project demonstrated that even if process sensors are inoperable, the inoperable sensors may not be detectable from the HMI. This lack of identification can be both a quality and safety concern that can occur from either unintentional or malicious reasons.

Ironically on March 16, 2022 NIST issued NIST Special Publication 1800-10 Protecting Information and System Integrity in Industrial Control System Environments: Cybersecurity for the Manufacturing Sector. The NIST report states “In this project, the focus was on the engineering workstations and not on the manufacturing components. It is acknowledged that many of the device cybersecurity capabilities may not be available in modern sensors and actuators

Network cyber threats such as vulnerabilities in Log4j, the Treck TCP/IP Stack, and ransomware make off-line monitoring (not connected to the Internet Protocol network) of process sensors more important than ever.

Those interested in the presentation or learning more about the lack of cyber security of process sensors and what can be done to improve cyber security, safety, reliability, and resilience can contact me at [email protected]

Joe Weiss

Continue Reading

Sponsored Recommendations

2024 Industry Trends | Oil & Gas

We sit down with our Industry Marketing Manager, Mark Thomas to find out what is trending in Oil & Gas in 2024. Not only that, but we discuss how Endress+Hau...

Level Measurement in Water and Waste Water Lift Stations

Condensation, build up, obstructions and silt can cause difficulties in making reliable level measurements in lift station wet wells. New trends in low cost radar units solve ...

Temperature Transmitters | The Perfect Fit for Your Measuring Point

Our video introduces you to the three most important selection criteria to help you choose the right temperature transmitter for your application. We also ta...

2024 Industry Trends | Gas & LNG

We sit down with our Industry Marketing Manager, Cesar Martinez, to find out what is trending in Gas & LNG in 2024. Not only that, but we discuss how Endress...

Latest from Home

Most Read

Sponsored