On January 26, 2022. it became evident from multiple sources, both anecdotally and scientifically, that the OT paradigm is broken.
Cyber security began as a business IT problem. The original BS7799 standards and the subsequent ISO 27000 series of standards were purely IT network focused.
Control systems are comprised of field devices (process sensors, actuators, drives, analyzers, etc.), networks, HMI’s, and historians. What makes a control system different from IT or Operational Technology (OT) networks are the control system devices which are designed, operated, and maintained by engineers. Control system devices generally have no cyber security, no authentication, no encryption, no cyber logging. As mentioned in https://www.controlglobal.com/blogs/unfettered/a-vulnerability-worse-than-log4j-and-it-can-blow-up-facilities-and-shut-down-the-grid/, more than 3,000 new smart instruments in a petrochemical facility had no passwords, even by default.
Network issues are under the purview of the CISOs, but network security does not address the unique issues associated with control system field devices that directly affect safety, reliability, etc. It was this singular IT network focus that stimulated the International Society of Automation (ISA) to start the ISA99 Committee in 2002 to develop the ISA99, now ISA/IEC-62443, Industrial Automation and Control Systems (IACS) family of control system cyber security standards. Unfortunately, ISA99 chose to use the existing IT terminology even though many definitions did not represent the unique aspects of control system field devices and their associated impacts. As a result, there is continuing confusion even with basic terms such as cyber incidents and cyber impacts. Terms that are more germane to control system field devices such as functional safety are not in the cyber security lexicon.
The disparity between Networking and Engineering
According to NIST, “a vulnerability assessment is a systematic examination of an information system or product to determine the adequacy of security and privacy measures, identify security and privacy deficiencies, provide from which to predict the effectiveness of proposed security and privacy measures, and confirm, the adequacy of such measures after implementation.” The NIST definition does not address safety. ISA 62443-2-1 refers to the need to assess vulnerabilities but does not include a formal definition of a “vulnerability assessment”. ISA84 (process safety) defines a vulnerability assessment as the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. Vulnerability is from the perspective of disaster management means assessing the threats from potential hazards to the population and to infrastructure (ISA- TR84.00.09, 3rd Edition). The ISA 84 definition does not address network/information systems issues including privacy.
According to NIST, “an information system is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information”. The NIST definition does not address safety or reliability. Meanwhile, a control system field device’s primary function is as a real-time engineering device to provide data to support monitoring, control, and safety of physical processes. ISA does not address privacy as it is not a consideration for process sensors, while safety and reliability are critical.
Even the IT triad of Confidentiality, Integrity, and Availability (CIA) does not represent the engineering concerns of safety, reliability, resilience, productivity, etc.
The fallacy of IT/OT convergence
There is too much focus on the IT/OT network convergence issues and not enough on the critical control system devices that remain unprotected by cyber security.
Marthe Kassouf from Hydro Quebec identified gaps in IT/OT convergence:
“Some security solutions can be obtained using an extension of widespread IT security mechanisms such as user authentication through username/password combinations, message encryption and the use of firewalls. However, such solutions are not sufficient to guarantee the security of field devices because they cannot compensate for threats created by intruders employing advanced IT/OT attack vectors to compromise not only the information and communication characteristics of these devices but also their operational characteristics and their interactions with the underlying physical process. In certain situations, the attack cannot be detected by relying either on the IT security mechanisms employed for PLC user access authentication or those implemented to secure the communication links between the PLC and the upper control and operations management levels. Furthermore, the mitigation of this attack and the restoration of normal PLC operations would typically require manual operator’s intervention and the replacement of the infected hardware component. We conclude from this example that more comprehensive security solutions require the integration of IT and OT networks with engineering systems at all the stages of the solution development and implementation in the power grid.
It is important to note that reading and acting on field device parameters may not be always doable by only relying on communication networks and information systems. Physical inspections for the field devices (like sensors and actuators) and the underlying electrical process might be very useful for operators to have a more complete perception and comprehension, and hence, a better situational awareness of the power grid status. Commercial constraints seem to make equipment vendors reluctant to adopt a standard IT/OT and engineering convergence definition because of the marketing restrictions that would follow in terms of the obligation to meet new implementation requirements and to ensure compliance with potential new standards.”
On January 25, 2022, Aleksandra Scalco, Ph.D. (c) at Colorado State University (CSU) gave a presentation to the Chesapeake chapter of INCOSE on her doctoral research directed by CSU Professor Steve Simske about the misalignment among professions and different organizations involved with control system cyber security that leads to vulnerability in control systems. The analytical model drives through correlation to assess disagreement, misalignment and vulnerability. The majority of the respondents to the survey tool that provided the input to her study had cyber security training. However, the research showed significant gaps in understanding between groups of professions such as engineers and technicians on key aspects of control systems cyber security which leads to misalignment greater than vulnerability innately in the system. Aleksandra’s analytic model and methodology can help explain the lack of agreement among professionals which leads to misalignment and lack of coordination between people and organizations within the general category of cybersecurity for OT that leads to vulnerability greater than the innate system vulnerability.
On January 26, 2022, Vytautas Butrimas gave an on-line presentation to the Meeting of Council of European Energy Regulators on “Cybersecurity of Critical Energy Infrastructure for Regulators”. In his presentation, Vytautas stated under the title: Network code for cybersecurity- room for improvement? There is too much focus on cybersecurity of “office” Information and Communication Technology (ICT) and not on ICS. Even though ICT does not cover energy operation process control and safety, ICT is listed 96 times. Meanwhile bulk power equipment, sensors, and protective relays which provide energy operation process control and safety were not mentioned at all.
CVE vs ICS considerations
January 21, 2022, the Society of Automotive Engineers (SAE) held a session with MITRE to present the work of the MITRE Hardware (HW) special interest group identifying Common Weakness Enumeration (CWEs) for hardware to the SAE G32 Committee. Suffice it say, after my blog stating there was no comparable approach to CVEs for sensors and hardware, I was interested to see what I was missing. Apparently, I wasn’t missing anything as MITRE stated the CWEs were focused on chip-related cyber issues and haven’t really addressed IOT or ICS. Specifically, I asked MITRE how the CWE process would address process sensors that had no passwords, no authentication, no encryption, no cyber logging, no antivirus protection, etc. by design. MITRE stated that the CVE/CWE process was to identify mistakes in design or implementation. As an example, they mentioned CWE 306 is for missing authentication which states: “The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.” Process sensors have no ability to use a token, a certificate, or signed firmware. An analog 4-20 milli-amp sensor has no capability to accomplish the requirement for a provable user identity. Even the chipsets used in state-of-the-art digital sensors have no capability to accomplish the requirement for a provable user identity. Yet process sensors are not addressed by either the CVEs or CWEs.
In 2017, ISA99 formed a special working group to determine if legacy control system devices such as process sensors could meet the requirements in ISA/IEC 62443-4-2, the component cyber security specification. Most of the major control system process instrumentation suppliers were members of this special working group. The conclusions were that the legacy field devices could not meet the standard. This led to another special working group, this time within the process safety committee, to evaluate the sensor issues in more detail. The intent of the ISA84.09 (Process Safety/Cyber Security) effort was to determine the relative conformance and applicability of the ISA 62443-4-2 component specification’s individual security requirements to legacy (what is being built today as well those already installed in the field) process sensors. Consequently, in early 2021, the ISA84.09 working group selected a state-of-the-art digital safety pressure transmitter ecosystem including the transmitters, host computers, field calibrators, and local sensor networks so as to determine what, if any, compensating measures might be necessary. The results were that 69 of the 138 individual cyber security requirements in ISA 62443-4-2, including fundamental cyber security requirements such as passwords, could not be met. This means that compensating controls are necessary and that alternate standards/recommendations are needed to address the legacy devices that will be in use for the next 10-15 years or longer. Yet, CISA’s standard recommendations are to use good cyber hygiene and don’t directly connect control systems to the Internet. This guidance is meaningless for field devices that have no password capabilities and yet have built-in backdoors directly accessible to the Internet!
Changes are possible
It should be evident that the OT systems community has tried too hard to put the square peg of control system devices into the round hole of IT cyber security, but this simply does not work.
It doesn’t have to be this way. A Level 0, 1 process sensor monitoring project is being performed for a large industrial facility for productivity and predictive maintenance. The project spans multiple parts of the organization from corporate, plant engineering, operations, maintenance, safety, and cyber security. Cybersecurity is an important consideration, but not the primary motivation, which is efficiency and productivity improvement. This type of project can address the misalignment identified by Aleksandra.
The acknowledgment that none of the consensus standards organizations or industry bodies were addressing the unique cyber security issues associated with process sensors led to the January 5th, 2022 meeting (https://www.controlglobal.com/blogs/unfettered/cross-industry-meeting-to-address-the-gap-in-process-sensor-cyber-security-and-process-safety). Hopefully, this effort can lead to developing standards that are germane to existing sensor and field device technology.
NIST, CISA, DOE, MITRE, ENISA, and the IT/OT cyber security community need to acknowledge that control system field devices are different from information systems and cannot be addressed the same way. This includes relevant definitions and terminology, appropriate training, and standards that recognize the limitations of field devices and having the relevant senior management (e.g., VP Engineering, Operations, etc.), not the CISO, being in charge of control system cyber security.