Cyber security of sensors is not being addressed and vulnerabilities are not correlated to system impacts

July 9, 2018
Juan Lopez from ORNL and I gave a presentation June 27th at the 2018 ISA Power Industry Division (POWID) Conference in Knoxville on cyber security of process sensors. As ISA POWID is an Instrumentation & Control conference, the lack of sensor discussions demonstrates the continuing gap between cyber security and operations. The lack of combining sessions that affect both cyber security and reliability/safety continues to foster the culture gap.

Juan Lopez from the Oak Ridge National Laboratory and I gave a presentation June 27th at the 2018 ISA Power Industry Division (POWID) Conference in Knoxville, TN. The presentation was entitled “The Gap in ICS Cyber Security and Safety – Level 0,1 Devices”. The Conference agenda can be found at file:///C:/Users/ACS/Downloads/2018%20POWID%20Onsite%20Program.pdf .

The specific issues that arose from our session included:

- All of the presentations other than ours focused on networks and malware. As this was a cybersecurity session, there were discussions about time between patches (30 days). However, there was no mention of instrument calibration intervals (from my earlier work, sensors can drift even with 30-day calibration intervals) or issues with sensor inaccuracies. As ISA POWID is an Instrumentation & Control conference, the lack of sensor discussions demonstrates the continuing gap between cyber security and operations. The lack of combining sessions that affect both cyber security and reliability/safety continues to foster the culture gap.

- There was a discussion about the lack of correlation between cyber vulnerabilities and plant equipment status. The attendees acknowledged there is no direct correlation between a cyber vulnerability or malware and the operability of pumps, valves, motors, turbines, relays, etc. This is consistent with the ICS-CERT vulnerability disclosures. The severity of the vulnerability is not related to the impact on the actual systems. Consequently, as a control systems engineer, what is the value of the disclosure severity?

- As there is no security in Level 0,1 devices, vulnerability assessments are not relevant for these devices. Consequently, there needs to be appropriate risk assessments. As a result of these discussions, I received a request to participate in the October EPRI Technical Assessment Methodology (TAG) Workshop.

Ironically, my interview on the sensor issues, “Cybersecurity at the Edge” (https://www.isa.org/intech/20180605/), was in the May/June issue of Intech magazine that was available to the conference attendees.

Joe Weiss
