This blog was originally requested from several oil/gas entities because of the lack of appropriate risk assessment methodology for field sensors and controllers (Level 1 devices). The recent June 1-5, 2015 International Atomic Energy Agency (IAEA) Nuclear Plant Cyber Security Conference primary focus was on the Human-Machine Interface (HMI) issues with few discussions addressing the field controllers and sensors. The lack of focus on the Level 1 devices has been a constant with most critical infrastructure protection articles, conferences, and personal discussions regardless of industry. Consequently, there is a need to better understand the security issues associated with these critical devices.
A comprehensive cyber security program is designed to identify what assets needs to be protected (asset identification), the threats to those assets (vulnerability assessment), what could happen to those assets (risk assessment), and recovery (resilience). The cyber security risk assessment provides management the tools necessary to prioritize mitigation and establish a recovery plan. The assets to be protected should be those that are critical to achieving the entity’s mission. For an industrial organization, it could be those assets necessary to generate, transmit, and/or generate power in a reliable, safe, and economic manner; for a pipeline it is those assets necessary to transport product in a reliable, safe, and economic manner, for a chemical plant it is those assets necessary to manufacture products in a reliable, safe, and economic manner, etc. As cyber threats can be different than previously analyzed threats, the risk assessment should identify all of the assets that could impact system reliability, availability, and safety.
The following have impacted securing the ICS environment:
- A commonly misunderstood security assumption is that the ICS environment is isolated from the business environment and therefore can be air-gapped and rely on “security by obscurity”.
- Control system cybersecurity policies and procedures often do not exist or are not very robust or comprehensive, particularly for Level 1 devices.
- Due to the long life cycle of ICSs, generally 15 to 20 years, it is not economically feasible to replace equipment with modern and better protected versions every three or four years, assuming these devices even exist.
- ICSs are typically 5-10 years behind the “IT security curve” (though with all of the IT security breaches one wonders what that means).
- The “Likelihood” step identified in the NIST SP 800-30, Risk Management Guide for Information Technology Systems risk assessment methodology is difficult to quantify for ICSs since there a minimal number of reported ICS cyber incidents.
For an industrial facility, the Purdue reference model identifies the layers in the enterprise:
- Level 4 — Business systems —The Enterprise Resource Planning (ERP) is the primary system. Time frame: shifts, days, weeks, months.
- Level 3 — Plant operations systems —Manufacturing execution/operations management systems (MES/MOMS); laboratory, maintenance and plant performance management systems; data historians. Time frame: minutes, hours, shifts.
- Level 2 — Control systems —Distributed Control System (DCS), human-machine interface (HMI); Supervisory Control and Data Acquisition (SCADA) software. Time frame: minutes, hours.
- Level 1 — Field devices —Process sensors, analyzers, actuators, relays, breakers, and related instrumentation. Time frame: milliseconds, seconds, minutes. (Level 1 devices are used in control and safety applications. For this blog, I am not attempting to discriminate between control and safety).
Many Level 1 devices have the following characteristics:
- Use embedded systems with basic security (password protection) or have no cyber security.
- Rely on physical security such as Failsafe Jumpers (Write-Protected) as most of these devices will be located in hazardous zones. In case of incidents most people will be reticent to enter these areas. Consequently, Operations may introduce insecure ways/practices for connecting these devices.
- Are now IP-based and/or have wireless capabilities.
- Traverse multiple layers and write data back to systems in Levels 3-4.
When the Purdue reference model was developed there was a reasonably clean demarcation between the levels. With today’s blending of modern IT technologies into ICSs, it is getting harder to separate Levels 1, 2, and sometimes even 3. Incorporating a webserver directly into a controller begs the question – is it Level 1, 2, 3 or some new combination? Compromising Level 1 field devices also can be used to pivot to systems in Levels 3 and 4 including the ERP systems.
In far too many instances, the cyber security focus has been exclusively at the levels 2-4 because these levels generally use commercial-off-the-shelf (COTS) technology. This is the technology that most IT organizations (end-users and vendors) are familiar with and have available training and cyber security tools. The cyber impacts at the Level 2-4 levels are generally short-term denial-of-service events unless they are used to compromise the Level 1 devices.
In the IT domain which focuses on traditional IP networks, security organizations would be expected to have extensive training in testing IT networks usually using some form of penetration testing. However, in an industrial environment with legacy control systems and field devices, many IT tools can, and have, caused upsets with Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), variable frequency drives, etc. A good example of the focus on Level 2-3 is the article in April 2015 issue of Power Engineering magazine “Security in Real Life: Two Case Studies”. The article was on securing the Level 2-3 systems and segmenting them from the Level 4 environment. There was no mention of securing any of the Level 1 devices. Level 1 devices such as smart transmitters, chemical analyzers, variable frequency drives, etc generally utilize proprietary real time operating systems and proprietary communication protocols requiring their own cyber security approach (part of the rational for the ISA99 Cyber Security Standards – IEC-62443). Often, Level 1 devices have minimal to no security built-in.
Level 1 devices are well-known to the Operations and Maintenance staff but generally not to IT and security staffs or governmental policy makers. As an example, many of the attendees at the June 1-5, 2015 IAEA Cyber Security Conference, particularly security and policy makers, were not fully aware of the issues with Level 1 devices. Few technologies exist to test Level 1 devices for security considerations. However, compromising Level 1 devices, whether intentionally or unintentionally, can impact the physics of the process thereby causing physical damage and/or personal injury with long term consequences. For example, Stuxnet targeted the Level 1 PLCs to destroy the centrifuges. Many of the unintentional ICS cyber incidents that have damaged equipment and/or killed people were a direct result of the Level 1 devices being unintentionally or maliciously compromised.
There needs to be more focus on securing Level 1 devices which requires an understanding of the devices, their uses, and limitations. A better understanding Level 1 devices can help in the development of more appropriate government ICS cyber security policies as well as make facilities safer and more secure.
Joe Weiss