Lack of applicability of NIST Special Publication 1800-32 to process sensors

Feb. 9, 2022
As there is still confusion about the cyber security of process sensors and other Purdue Reference Model Level 0,1 field devices, I was asked to review NIST Special Publication (SP) 1800-32 “Securing Distributed Energy Resources: An Example of Industrial Internet of Things Cybersecurity” for applicability to legacy process sensors. The title of SP 1800-32 is misleading as the Distributed Energy Resources use case is for securing residential and small business connections for rooftop solar, and not for an IIOT use case. Either NIST SP1800-32 should be renamed to IOT (not IIOT) or use a different use case that is germane to IIOT. Either way, efforts are underway to address the cyber security gap in process sensors that affect the safety and security in every sector that uses process sensors.

As there is still confusion about the cyber security of process sensors and other Purdue Reference Model Level 0,1 field devices, I was asked to review NIST Special Publication (SP) 1800-32 “Securing Distributed Energy Resources: An Example of Industrial Internet of Things Cybersecurity” for applicability to legacy process sensors (e.g., pressure, level, flow, temperature, voltage, current, etc.).

The title of SP 1800-32 is misleading as the Distributed Energy Resources use case is for securing residential and small business connections for rooftop solar, and not for an Industrial Internet of Things (IIOT) use case. SP 1800-32 makes the following misleading assumptions:

- The Industrial Internet of Things (IIOT) components and devices used in the project are trustworthy (i.e., there are no supply chain cybersecurity concerns) on initial connection to the lab environment.

- The Chapter 5 Security Characteristic Analysis section discusses the results of a security evaluation of the reference architecture and how it supports the Cybersecurity Framework. The report assumed that the IT infrastructure used in the example solution is configured securely and properly managed. Testing this infrastructure would reveal only weaknesses in implementation that would not be relevant to those adopting this reference architecture.

-  Appendix C assumes process sensors have the capability for Authorization, Authentication, etc.

That is, the report does not address the lack of cyber security in the field devices. The assumptions are so broad they almost amount to defining away the problem.

However, as noted in https://www.controlglobal.com/blogs/unfettered/the-ot-paradigm-is-broken-technically-and-culturally-it-must-be-fixed, process sensors have no capability to incorporate passwords, signed certificates, tokens, cyber logging, anti-malware, etc. Furthermore, as noted in the January 5th standards meeting (https://www.controlglobal.com/blogs/unfettered/cross-industry-meeting-to-address-the-gap-in-process-sensor-cyber-security-and-process-safety), none of the industry standards organizations (e.g., IEEE, ISA, ASME, AWWA, API, AGA, SAE, NFPA, American Bureau of Shipping, etc.) address the cyber security of legacy field devices.

Recommendations

Either NIST SP1800-32 should be renamed to IOT (not IIOT) or use a different use case that is germane to IIOT. Either way, efforts are underway to address the cyber security gap in process sensors that affect the safety and security in every sector that uses process sensors.

Joe Weiss

Sponsored Recommendations

IEC 62443 4-1 Cyber Certification – Why ML 3 is So Important

The IEC 62443 Security for Industrial Automation and Control Systems - Part 4-1: Secure Product Development Lifecycle Requirements help increase resilience for control systems...

Multi-Server SCADA Maintenance Made Easy

See how the intuitive VTScada Services Page ensures your multi-server SCADA application remains operational and resilient, even when performing regular server maintenance.

Your Industrial Historical Database Should be Designed for SCADA

VTScada's Chief Software Architect discusses how VTScada's purpose-built SCADA historian has created a paradigm shift in industry expectations for industrial redundancy and performance...

Linux and SCADA – What You May Not Have Considered

There’s a lot to keep in mind when considering the Linux® Operating System for critical SCADA systems. See how the Linux security model compares to Windows® and Mac OS®.