Critical infrastructures cannot be secured when process sensors are not secure
Process sensors contain no cybersecurity features, authentication or cyber logging capabilities, yet they are the input to every OT network. This should be recognized as a major cybersecurity, reliability and process safety gap.
Background
My interest in process sensor cybersecurity stemmed from work I did at the Electric Power Research Institute (EPRI) where we discovered a previously unidentified process sensor problem – a common cause, non-detectable failure in pressure, level and flow sensors in nuclear safety applications. As a result of this process sensor issue, I performed detailed Failure Modes and Effects Analyses (FMEAs) on each of the major nuclear safety pressure sensor vendors on what turned out to be a manufacturing flaw (supply chain) in nuclear safety pressure sensors. This flaw contributed to the Three Mile Island core melt.
I managed another project demonstrating the inherent drift in process sensors in a non-nuclear facility. My paper, “Challenges in Federal Facility Control System Cyber Security, Including Level 0 and 1 Devices”, was published on the National Academies of Sciences website. The paper covers process sensors and the Industrial Internet of Things (IIoT), and the lessons it draws apply to all buildings, including office buildings, data centers, laboratories, manufacturing facilities and others. It should be noted that in 2021 the United States Department of Energy (DOE)’s Oak Ridge National Laboratory, Pacific Northwest National Laboratory and National Renewable Energy Laboratory prepared a report on sensor issues in buildings. According to the DOE report, “cybersecurity threats are increasing, and sensor data delivery could be hacked as a result. How hacked sensor data affects building control performance must be understood. A typical situation could include sensor data being modified by hackers and sent to the control loops, resulting in extreme control actions. To the best of the authors’ knowledge, no such study has examined this challenge.”
I am not alone in my concern about the lack of cybersecurity in process sensors. As a colleague who is an acknowledged process industry instrumentation expert stated: “I have spent years talking to brick walls and brick heads about the lack of security in field devices. Their response is typically that they are air gapped and that everything is safe and secure. Irrational fantasy at best. I am not alone in this quest, but I am definitely in a minority.”
Process sensors
Process sensors measure pressure, level, flow, temperature, voltage, current, humidity, etc. They are the eyes, ears and noses of the control system “brain” and are used in every physical process in every facility, including electric power, water/wastewater, oil/gas/chemicals, pipelines, all forms of manufacturing and all forms of transportation. Process sensors provide the 100% trusted input to controllers and actuators in real time (microseconds to milliseconds) and the 100% trusted input to Operational Technology (OT) networks, OT network monitoring systems and operator displays in the seconds-to-minutes time frame. They are designed, built, operated and maintained by engineering organizations and are out of scope for network security organizations. Process sensors directly affect reliability, availability, productivity, maintenance, cybersecurity and process safety. The process sensor ecosystem consists of the sensors themselves, “low level” sensor networks, alarm management, device management, etc. Organizations involved in network security, Industry 4.0 and digital transformation assume the sensor ecosystem is uncompromised, authenticated and correct, but they have no way to validate those assumptions: the data that would provide the validation has been filtered out before the sensor signal becomes an Ethernet packet. As documented in the article “Using Machine Learning to Work Around the Operational and Cybersecurity Limitations of Legacy Process Sensors” in the November 2022 issue of IEEE Computer magazine, process sensors are not as reliable or accurate as assumed.
Incidents
Hacking process sensors is not new – it was demonstrated by Russian and other researchers at the 2015 ICS Cyber Security Conference. Moreover, published work from the US Air Force Institute of Technology demonstrated how process sensors from three different manufacturers could be hacked, and how that tampering could be detected.
There have been hundreds of unintentional and malicious process sensor cyber-related incidents, including refinery and chemical plant explosions (Texas City), tank farm explosions (Buncefield), pipeline ruptures (Merrimack Valley), ships disabled (Viking Sky), train crashes (Amtrak Sunset Limited), plane crashes (Boeing 737 MAX, Airbus) and even a nuclear plant core melt (Three Mile Island). The impacts of these process sensor cyber-related incidents run into billions of dollars and include deaths and injuries.
Process sensors not in scope
Cyber defenders and policy makers have not addressed process sensors, as process sensors are out of scope for NERC CIP, EPA and TSA cybersecurity requirements. Process sensors were not addressed in the March 2023 National Cybersecurity Strategy, the March 2023 CISA Resilient Investment Planning and Development Working Group (RIPDWG) white paper “Research, Development, and Innovation for Enhancing Resilience of Cyber-Physical Critical Infrastructure Needs and Strategic Action”, or either of the Solarium Commission reports. The Department of Commerce IoT Advisory Committee has not addressed the process control issues, nor has the Government Accountability Office. From an industry perspective, process sensor cybersecurity has not been addressed in industry activities such as the Open Process Automation Forum (OPAF) or the Ethernet-Advanced Physical Layer (APL) efforts.
Technical limitations
In 2017, ISA99 formed a special working group to determine whether legacy control system devices such as process sensors could meet the requirements of ISA/IEC 62443-4-2, the component cybersecurity specification. Most of the major control system process instrumentation suppliers were members of this working group. Its conclusion was that legacy field devices could not meet the standard. This led to another special working group, this time within the process safety committee, to evaluate the sensor issues in more detail. The intent of the ISA84.09 (Process Safety/Cybersecurity) effort was to determine the relative conformance and applicability of the individual security requirements in ISA/IEC 62443-4-2 to legacy process sensors, meaning both what is being built today and what is already installed in the field. In early 2021 the ISA84.09 working group therefore selected a state-of-the-art digital safety pressure transmitter ecosystem, including the transmitters, host computers, field calibrators and local sensor networks, to determine what, if any, compensating measures might be necessary. The result was that 69 of the 138 individual cybersecurity requirements in ISA/IEC 62443-4-2, including fundamental requirements such as passwords, could not be met. On March 16, 2022, NIST Special Publication 1800-10, “Cybersecurity for the Manufacturing Sector”, stated that many device cybersecurity capabilities may not be available in modern sensors and actuators. This means that compensating controls are necessary and that alternate standards and recommendations are needed to address the legacy devices that will remain in use for the next 10-15 years or longer. Consequently, my March 10, 2022 presentation to the US Air Force Cyber College was titled “Shields Up and Good Cyber Hygiene Don’t Apply to Legacy Process Sensors”.
I reviewed the 2023 instrument data sheets on pressure transmitters from four major US and international process sensor manufacturers. All four of the vendors are actively involved in industry cybersecurity activities. As the data sheets were more than 70 pages, I did a word search on the following terms: cyber, security, passwords, authentication, encryption. None of the data sheets mentioned any of those terms. On the other hand, all the vendors supported remote connectivity. Or as a colleague stated, engineers will pay extra for remote access without considering the cybersecurity issues associated with that capability. In one data sheet, Bluetooth was enabled by default. In 2021, more than 3,000 new smart instruments that had no passwords, even by default, were installed in a petrochemical facility. You can’t rip and replace these sensors as these new sensors were the “replace”.
Other issues
In May 2019, Yokogawa announced that some of its North American customers were finding counterfeit process sensors – a hardware supply chain problem. Counterfeit devices or components can evidently compromise sensor readings and/or settings, so there is a need to identify counterfeit sensors and sensor components.
“Low level” process sensor protocols such as Highway Addressable Remote Transducer (HART) and Profibus are not cyber secure. In some cases the protocol allows the low setpoint to be written above the high setpoint, with no consistency check by the device. This has already occurred and caused significant impacts. Systems based on Profibus and Foundation Fieldbus are generally connected to gateways on the Local Area Network (LAN), and because most of them still use unauthenticated and unencrypted communication, these insecure transmitters become exposed.
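The setpoint-ordering problem just described, and the compensating measures the ISA84.09 work set out to identify, can be checked at the controller or historian even when the transmitter itself cannot check anything. The following is an added example, not code from the article or from any vendor, of such plausibility checks in Python. It assumes (my assumption, not the article's) a linear 4-20 mA loop and a transmitter that signals faults per NAMUR NE43 (below 3.6 mA or above 21.0 mA, with 3.8-20.5 mA as the normal band); the tag names, ranges, setpoints and readings are constructed sample data.

```python
"""Plausibility checks as a compensating control for process sensors that
carry no authentication. Added example, not code from the article.

Assumptions (not from the article): a 4-20 mA loop scaled linearly over a
configured engineering range, and NAMUR NE43 signal bands for fault
signalling. All tag names, ranges, setpoints and readings are constructed.
"""
from dataclasses import dataclass

NE43_FAIL_LOW = 3.6      # below this: transmitter is signalling failure
NE43_NORMAL_LOW = 3.8    # normal measurement band starts here
NE43_NORMAL_HIGH = 20.5  # normal measurement band ends here
NE43_FAIL_HIGH = 21.0    # above this: transmitter is signalling failure


@dataclass(frozen=True)
class SensorConfig:
    tag: str
    lower_range: float    # engineering value at 4 mA
    upper_range: float    # engineering value at 20 mA
    low_setpoint: float   # low alarm threshold, engineering units
    high_setpoint: float  # high alarm threshold, engineering units


def validate_config(cfg):
    """Catch the setpoint/range inconsistencies that a HART-style write
    accepts without complaint. Returns a list of problems (empty if none)."""
    problems = []
    if cfg.upper_range <= cfg.lower_range:
        problems.append("upper range value does not exceed lower range value")
    if cfg.low_setpoint >= cfg.high_setpoint:
        problems.append("low setpoint is at or above high setpoint")
    for name, sp in (("low", cfg.low_setpoint), ("high", cfg.high_setpoint)):
        if not (cfg.lower_range <= sp <= cfg.upper_range):
            problems.append(f"{name} setpoint lies outside the measurement range")
    return problems


def classify_ma(ma):
    """Map a loop current onto the NE43 signal bands."""
    if ma < NE43_FAIL_LOW:
        return "fail_low"
    if ma < NE43_NORMAL_LOW:
        return "saturated_low"
    if ma <= NE43_NORMAL_HIGH:
        return "normal"
    if ma <= NE43_FAIL_HIGH:
        return "saturated_high"
    return "fail_high"


def to_engineering(ma, cfg):
    """Linear 4-20 mA scaling to engineering units."""
    span = cfg.upper_range - cfg.lower_range
    return cfg.lower_range + (ma - 4.0) / 16.0 * span


def evaluate_reading(ma, cfg):
    """Return (band, value, alarm). Value is None outside the normal band, so
    a faulted or spoofed out-of-band current never reaches the setpoint
    comparison as though it were a measurement."""
    band = classify_ma(ma)
    if band != "normal":
        return band, None, "sensor_fault"
    value = to_engineering(ma, cfg)
    if value >= cfg.high_setpoint:
        alarm = "high"
    elif value <= cfg.low_setpoint:
        alarm = "low"
    else:
        alarm = None
    return band, value, alarm


def vote_redundant(readings_ma, cfg, tolerance):
    """Compare redundant channels measuring the same process variable.
    Channels outside the normal band, or deviating from the median by more
    than `tolerance` engineering units, are reported as outliers; the rest
    are averaged. Caveat: a common-cause bias that shifts every channel by
    the same amount is NOT detected here, because the channels still agree."""
    values, outliers = {}, []
    for tag, ma in readings_ma.items():
        if classify_ma(ma) == "normal":
            values[tag] = to_engineering(ma, cfg)
        else:
            outliers.append(tag)
    if not values:
        return None, sorted(outliers)
    ordered = sorted(values.values())
    median = ordered[len(ordered) // 2]
    for tag, v in values.items():
        if abs(v - median) > tolerance:
            outliers.append(tag)
    good = [v for tag, v in values.items() if tag not in outliers]
    agreed = sum(good) / len(good) if good else None
    return agreed, sorted(outliers)


if __name__ == "__main__":
    # Constructed sample: a 0-100 psi transmitter with 20/80 psi setpoints.
    cfg = SensorConfig("PT-101", 0.0, 100.0, 20.0, 80.0)
    print(validate_config(SensorConfig("PT-102", 0.0, 100.0, 90.0, 80.0)))
    print(evaluate_reading(12.0, cfg), evaluate_reading(18.0, cfg), evaluate_reading(3.0, cfg))
    print(vote_redundant({"PT-101A": 12.0, "PT-101B": 12.32, "PT-101C": 18.0}, cfg, 5.0))
```

The redundancy vote is the point to read carefully: it catches one transmitter that has drifted, been miscalibrated or been spoofed, but it does nothing against the common-cause failure described in the Background section, where every channel is wrong in the same way and therefore agrees. That is why range and setpoint validation, signal-band checks and voting are compensating controls rather than substitutes for authenticated, attestable sensors.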
Process sensor maintenance (calibration) equipment, whether hand-held or mobile-app based, has no cybersecurity. According to one process sensor mobile app provider’s advertisement, a key advantage of a mobile app over a traditional handheld HART communicator is that you can use the mobile device you already own; that device is typically upgraded every couple of years for very low cost (if not for free), so you continuously get more features and more processing power without any effort; and Bluetooth-based HART modems add further convenience. Notice there is no mention of physical security or cybersecurity.
In January 2022, the Society of Automotive Engineers (SAE) held a session with MITRE at which the MITRE Hardware (HW) special interest group presented its work on identifying hardware Common Weakness Enumerations (CWEs) to the SAE G32 Committee. MITRE stated that the CVE/CWE process exists to identify mistakes in design or implementation. Process sensors, however, have no ability to use a token, a certificate or signed firmware. An analog 4-20 mA sensor has no capability to meet the requirement for a provable user identity, and even the chipsets used in state-of-the-art digital sensors have no such capability. Yet process sensors are not addressed by either CVEs or CWEs.
There is no cybersecurity training for engineers or network personnel that reaches down to the process sensor level. As mentioned, CVEs do not address devices that have no security by design. There are no cybersecurity procurement specifications at this level, and there are no cyber certification programs for process sensors or actuators.
Why is the industry continuing to ignore cybersecurity of process sensors?
Summary
If you can't trust what you measure, there is no cybersecurity, resiliency, process safety, productivity or predictive maintenance in any critical infrastructure or cyber-physical system. ISA, NIST and the process sensor vendors have acknowledged that there is no cybersecurity in process sensors. Because process sensors are engineering devices rather than network devices, this is outside the scope of the CISO, and the VP of Engineering needs to be involved. While cyber defenders continue to consider process sensors out of scope, offensive cyber people understand these gaps and have exploited them. Policy makers need to wake up and understand that cyber secure process sensors are critical to cybersecurity, safety and resilience.