
Network anomaly detection can provide a false sense of security

June 6, 2017

The assumption that network anomaly detection correlates with physical process anomalies holds only if there is a direct look into the “raw” process. Network anomaly detection cannot address sensor anomalies that occur before the serial-to-Ethernet converters, which leads to a false sense of security.

ICS cyber security is still too “IT-focused”. That is, currently ICS cyber security is all about the network. Dale Peterson in his DigitalBond blog identified 20+ vendors providing network anomaly detection for ICS networks. The assumption is that network anomaly detection is correlated to physical process anomaly detection. Why else would Operations care? However, this is not a correct assumption, since network anomaly detection addresses packets, not physical processes. The analogy would be: how could a doctor make a diagnosis if he/she can’t trust the temperature and blood pressure readings?

The physical process, e.g., boiler pressure, pipeline flow, tank level, etc., is controlled by process sensor input. Currently, commercial/industrial process sensors, e.g., pressure, level, flow, temperature, humidity, voltage, current, polarity, etc., lack authentication and cyber security. Consequently, it is not clear that the sensor packet input from the serial-to-Ethernet converters is correct and uncompromised, since by the time the sensor signals reach the Ethernet network, the sensor value may already be compromised or inaccurate. Therefore, it is not possible to correlate cyber vulnerabilities to process system impact without a direct look into the “raw” process.

This becomes even more important because serial-to-Ethernet converters were compromised in the US electric grids in the 2014 timeframe and in the 2015 and 2016 Ukrainian cyber attacks. The focus of the compromise of the serial-to-Ethernet converters was to use the converters as a means of getting into the networks (“race to the top”) as opposed to using the converters as a means of getting to the sensors (“race to the bottom”). This means that network anomaly detection can be providing a false sense of security because it cannot address potential sensor anomalies occurring before the serial-to-Ethernet converters.

This is critical because testing has demonstrated that control system devices can be compromised without any indication from network deep packet inspection. Other potential impacts that could not be found by deep packet inspection include preventing sensors from reaching their setpoints or causing sensors to spuriously reach setpoints, shutting down processes. These scenarios have already occurred in nuclear plants and other critical applications.
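To make the gap concrete, here is an added simulation (example code, not part of the original post and not from any vendor product). It models a pressure transmitter feeding a serial-to-Ethernet gateway, a packet-level anomaly detector that learns a baseline from the frames alone, and a process-level plausibility check that compares the reported pressure against an independent tank-level measurement through the hydrostatic relation p = ρ·g·h. The frame layout, register scaling, thresholds and sample readings are all constructed assumptions; the point it shows is that a reading that is wrong at the sensor, but arrives in a well-formed frame at the usual rate and within the usual range, passes the packet-level check and is only caught by looking at the process itself.

```python
"""Constructed example: packet-level anomaly detection vs. a process-level check.

Model: pressure sensor at the bottom of a water tank -> serial-to-Ethernet
gateway -> Modbus-TCP-like frames on the network. The gateway forwards
whatever the sensor says. A second, independent level gauge gives a
physics-based expectation of the pressure. All names, scalings and
thresholds are assumptions made for this example.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

RHO_WATER = 1000.0  # kg/m^3 (assumed process fluid)
G = 9.81            # m/s^2


@dataclass(frozen=True)
class Frame:
    """One reading as it appears on the Ethernet side of the gateway."""
    unit_id: int      # Modbus unit identifier of the gateway
    function: int     # Modbus function code (4 = read input registers)
    register: int     # register address carrying the pressure value
    value: int        # register contents: pressure in Pa / 100 (assumed scaling)
    interval_ms: int  # milliseconds since the previous frame


class PacketAnomalyDetector:
    """Baselines what 'normal' traffic looks like using only the frame."""

    def __init__(self, sigma=3.0, margin=0.10):
        self.sigma, self.margin = sigma, margin

    def fit(self, frames):
        self.units = {f.unit_id for f in frames}
        self.functions = {f.function for f in frames}
        self.registers = {f.register for f in frames}
        intervals = [f.interval_ms for f in frames]
        self.int_mean, self.int_sd = mean(intervals), pstdev(intervals)
        values = [f.value for f in frames]
        span = max(values) - min(values)
        self.lo = min(values) - self.margin * span
        self.hi = max(values) + self.margin * span
        return self

    def is_anomalous(self, f):
        """True if the frame deviates from the learned baseline in any field."""
        if f.unit_id not in self.units or f.function not in self.functions:
            return True
        if f.register not in self.registers:
            return True
        if abs(f.interval_ms - self.int_mean) > self.sigma * max(self.int_sd, 1.0):
            return True
        return not (self.lo <= f.value <= self.hi)


def expected_pressure_pa(level_m):
    """Hydrostatic pressure at the tank bottom from an independent level gauge."""
    return RHO_WATER * G * level_m


def process_anomalous(frame, level_m, tolerance=0.05):
    """True if the reported pressure disagrees with the physics by > tolerance."""
    reported = frame.value * 100.0  # undo the assumed register scaling
    expected = expected_pressure_pa(level_m)
    return abs(reported - expected) > tolerance * expected


def reading(level_m, interval_ms, function=4, value=None):
    """Build the frame the gateway would emit for a given true tank level."""
    if value is None:
        value = round(expected_pressure_pa(level_m) / 100.0)
    return Frame(unit_id=1, function=function, register=30001,
                 value=value, interval_ms=interval_ms)


def run_demo():
    """Returns {case: (packet_detector_flags, process_check_flags)}."""
    # Constructed baseline: normal operation, tank level between 2.0 m and 3.0 m.
    levels = [2.0, 2.2, 2.4, 2.6, 2.8, 3.0]
    intervals = [1000, 1005, 995, 1000, 1002, 998]
    baseline = [reading(h, dt) for h, dt in zip(levels, intervals)]
    detector = PacketAnomalyDetector().fit(baseline)

    true_level = 2.5  # what the independent gauge says right now
    cases = {
        # sensor reports the right value
        "honest": reading(true_level, 1001),
        # value wrong before the gateway, but well-formed, on time and in range
        "sensor_drift": reading(true_level, 1001, value=210),
        # frame field never seen in the baseline: what packet inspection does catch
        "unseen_function": reading(true_level, 1001, function=16),
    }
    return {name: (detector.is_anomalous(f), process_anomalous(f, true_level))
            for name, f in cases.items()}


if __name__ == "__main__":
    for name, (net_flag, proc_flag) in run_demo().items():
        print(f"{name:16s} packet-level: {net_flag!s:5s} process-level: {proc_flag}")
```

The `sensor_drift` case is the one the post is about: the register value 210 (21,000 Pa) sits comfortably inside the learned range for a 2.0 m to 3.0 m tank, so a detector that sees only frames reports nothing, while the hydrostatic expectation for a 2.5 m level (24,525 Pa) is off by about 14%, well beyond the 5% tolerance. The `unseen_function` case shows the converse: packet inspection is good at what it sees on the wire, which is a different question from whether the process value is right.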

Joe Weiss

