FERC and NERC discussions to include process sensors as NERC CIP Cyber Assets
Process sensors are devices that respond to physical stimuli such as temperature, light, sound, pressure, magnetism, voltage, current, motion and time. The stimuli are converted electronically into measurements such as temperature, volts, amps, pressure, level, flow and chemistry, which provide trusted input to control systems, controllers, motors, protective relays, operational technology (OT) networks and operator displays. Situational awareness, the underpinning for security and safety, is therefore built on process sensor input that is assumed, incorrectly, to be uncompromised, authenticated and correct.
Process sensor cybersecurity gaps
The electric grid is composed of hardware including process sensors, actuators, relays, transformers, turbines and motors, as well as OT networks. Process sensors have no cybersecurity, authentication or cyber forensics, yet they are trusted completely and are often remotely accessible. From my experience, there are a limited number of process sensor experts, particularly in the electric industry, and a much smaller number who can be considered process sensor cybersecurity experts. From an acknowledged process sensor cybersecurity expert in the oil/gas industry:
“I have spent years talking to brick walls and brick heads about the lack of security in field devices. Their response is typically that they are air-gapped and that everything is safe and secure. Irrational fantasy at best. I am not alone in this quest, but I am definitely in a minority.”
On Mar. 16, 2022, NIST issued NIST Special Publication 1800-10, “Protecting Information and System Integrity in Industrial Control System Environments: Cybersecurity for the Manufacturing Sector”. The NIST report states:
“In this project, the focus was on the engineering workstations and not on the manufacturing components. It is acknowledged that many of the device cybersecurity capabilities may not be available in modern sensors and actuators.”
The November 2022 IEEE Computer article “Using Machine Learning to Work Around the Operational and Cybersecurity Limitations of Legacy Process Sensors” demonstrated that Windows-based operator displays may not be able to detect process sensor anomalies whether malicious or unintentional.
The International Society of Automation (ISA) ISA84.09 working group (the process safety/cybersecurity group specifically organized to address safety-cybersecurity as part of an integrated safety lifecycle) performed a thorough review of a generic state-of-the-art wired digital safety pressure transmitter for conformance to the ISA 62443-4-2 standard, Technical Security Requirements for IACS Components. (There was no participation from the electric or water sectors.) The pressure transmitter and its tools (e.g., calibrators) failed most of the cybersecurity requirements including the fundamental requirements. It is expected that other transmitter types such as differential pressure, temperature, level, flow, etc. will have similar cybersecurity issues.
I reviewed the 2023 instrument data sheets on pressure transmitters from four major U.S. and international process sensor manufacturers. The data sheets ran to more than 70 pages. I did a word search on the following terms: “cyber”, “security”, “passwords”, “authentication” and “encryption”. None of the four vendors’ data sheets mentioned any of those terms. On the other hand, the term “remote” was used extensively, as all four vendors support remote connectivity. The four vendors are actively involved in industry cybersecurity activities, which demonstrates the gap between their engineering and cybersecurity organizations.
NERC CIP process sensor gaps
Process sensors communicate over non-routable protocols (frames that carry only a device address, not a network address) until a gateway or controller converts their signals to Ethernet. Because the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards only address routable protocols (protocols whose packets carry both a network address and a device address, so that they can be forwarded from one network to another, for example between a local network and the Internet), process sensors have not qualified as NERC Cyber Assets. Depending on the situation, it only takes one compromised sensor (malicious or unintentional) at the serial layer to cause critical system impacts, so grid cyber impacts can originate from non-routable as well as routable communications. Moreover, process sensors are not capable of providing information to Security Information and Event Management (SIEM) systems and similar tools needed to meet NERC CIP monitoring requirements.
The existing set of CIP standards and NERC's Glossary of Terms “require Bulk Electric Systems (BES) Cyber Assets perform real-time functions of monitoring or controlling the BES that would affect the reliable operation of the BES within 15 minutes of being impaired.” Monitoring or controlling the BES requires accurate and authenticated process sensor readings, which don’t currently exist. The only mention of the term “sensors” in the NERC CIPs is under Physical Access Control Systems in Project 2008-06 Cybersecurity Order 706, which states:
“Cyber Assets that control, alert, or log access to the Physical Security Perimeter(s), exclusive of locally mounted hardware or devices at the Physical Security Perimeter such as motion sensors, electronic lock control mechanisms, and badge readers.”
Not addressing process sensors is a glaring omission.
FERC/NERC Conference
Federal Energy Regulatory Commission (FERC) and NERC held a joint workshop on Mar. 20, 2025, focused on the “assessment” aspect of supply chain risk management (SCRM). Specifically, the workshop panelists discussed the proposed directive in the FERC’s Sept. 19, 2024, Notice of Proposed Rulemaking to require that entities establish steps in SCRM plans to validate the completeness and accuracy of information received from vendors during the procurement process to better inform the identification and assessment of supply chain risks associated with vendors’ software, hardware or services.
Both FERC and NERC representatives acknowledged that the exclusion of process sensors, which rests on their non-routable communications and on the “Electronic Security Perimeter” definition, needs to change, because compromise of process sensors can affect the reliable operation of the BES within 15 minutes of being impaired. FERC mentioned that sensors are becoming critical to extending the capabilities of the existing grid and asked NERC whether they should be considered. NERC said anything on the system that could change the system or provide bad sensor data to the operator, leading to bad operator decisions, should be considered. Specifically, the following exchange occurred:
- NERC stated: “Let's go specifically to sensors. If that information provided data to a dispatcher, that could within 15 minutes affect his decision, then it meets the definition of a cyber asset and as such, would fall under the standards”.
- FERC responded: “And every sensor would matter. Because if you're spoofing one sensor, it's got problems there.”
In support of FERC’s point about addressing every sensor, NERC had issued a Lessons Learned about the failure of one sensor in a mid-size power plant in Florida that caused the plant to swing load by ±200 MW. That load swing in the Florida plant caused a 50 MW load swing in New England: one sensor causing a problem a thousand miles away.
Compromised sensors can impact the operation of transformers not only affecting an individual transformer, but the interconnected grid. Compromised sensors can cause pipeline ruptures from either not identifying overpressure or causing valves to shut creating overpressure conditions. Process sensor vendors have identified counterfeit Chinese sensors in U.S. critical infrastructures. Presidential Executive Order (EO) 13920 was issued because of the hardware backdoors in large Chinese power transformers. The EO specifically addressed process sensors and other hardware and excluded networks and network devices. The concern was China sending spoofed sensor signals to take over the more than 550 large Chinese transformers in the U.S. transmission grid while bypassing network security. Russia and Iran also are aware of the gaps in process sensor cybersecurity and are currently exploiting these gaps.
Additionally, there have been hundreds of cases where malicious or unintentional process sensor issues have caused catastrophic failures in nuclear plants, refineries, tank farms, mining, transportation, water and hydro systems, etc.
Recommendations
Process sensor monitoring at the device/physics level should be implemented, because process sensors are not cybersecure and have no authentication or cyber forensics. As a result, utilities currently cannot meet the requirement to identify bad sensor data that could affect the system or lead to bad operator decisions. Process sensor cybersecurity training should be developed, as none exists today, including at the national labs. Including process sensors as Cyber Assets would be a welcome “sea change” that makes the NERC CIP requirements more relevant to the actual threats to grid safety and reliability. Hopefully, it can also stimulate process sensor vendors to produce cyber-secure process sensors.
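As an added illustration (not part of this article, and not code from NERC, FERC or any sensor vendor), the Python below shows the substance behind two points made above: the non-routable/routable distinction in the NERC CIP discussion, and the recommendation for device/physics-level monitoring. It builds a serial Modbus RTU sensor response, which carries only a one-byte device address and a CRC that anyone on the serial bus can recompute, wraps the same data for Modbus TCP (where the network address exists only in the IP layer beneath the frame), and then runs a plausibility check on range and rate of change that rejects a spoofed reading the CRC accepts. The choice of Modbus, the register scaling, the thresholds and the readings are all assumptions made for this example; the article names no protocol or plant.

```python
"""Added illustration, not from the article. Modbus RTU/TCP stands in for
"a non-routable serial protocol"; the readings and thresholds are constructed."""
import struct


def modbus_crc16(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001, no final XOR."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_rtu_response(unit_id: int, raw_value: int) -> bytes:
    """Serial (RTU) response to 'read one holding register' (function 0x03).
    Layout: [unit id][0x03][byte count=2][value hi][value lo][crc lo][crc hi].
    The only address in the frame is the 1-byte unit id: a device address and
    no network address, which is what makes it non-routable."""
    body = bytes([unit_id, 0x03, 0x02]) + struct.pack(">H", raw_value)
    return body + struct.pack("<H", modbus_crc16(body))


def parse_rtu_response(frame: bytes) -> dict:
    """Check the CRC and extract unit id and value. The CRC only detects line
    noise: a bus attacker rebuilds it trivially, so a valid CRC is not proof of origin."""
    body, crc_bytes = frame[:-2], frame[-2:]
    if struct.unpack("<H", crc_bytes)[0] != modbus_crc16(body):
        raise ValueError("CRC mismatch")
    unit_id, func, count = body[0], body[1], body[2]
    if func != 0x03 or count != 2:
        raise ValueError("unexpected PDU")
    (raw,) = struct.unpack(">H", body[3:5])
    return {"device_address": unit_id, "network_address": None, "raw_value": raw}


def wrap_modbus_tcp(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Same PDU after a gateway moves it onto Ethernet: the CRC is dropped and a
    7-byte MBAP header (transaction id, protocol id 0, length, unit id) is added.
    The network address is still not in this frame; it lives in the IP header
    below it, which is what makes the traffic routable and CIP-scoped."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


class PlausibilityMonitor:
    """Physics-level check independent of the protocol: reject readings outside
    the instrument range or changing faster than the process can physically move.
    Range and rate limits are assumed for the example, not taken from the article."""

    def __init__(self, lo: float, hi: float, max_rate: float):
        self.lo, self.hi, self.max_rate = lo, hi, max_rate
        self.last = None  # (t, value) of the last accepted reading

    def check(self, t: float, value: float) -> bool:
        if not (self.lo <= value <= self.hi):
            return False
        if self.last is not None:
            t0, v0 = self.last
            dt = t - t0
            if dt <= 0 or abs(value - v0) / dt > self.max_rate:
                return False  # do not let an implausible value reset the baseline
        self.last = (t, value)
        return True


def scale(raw: int) -> float:
    """Constructed scaling: 16-bit raw count maps linearly to 0..50 bar."""
    return raw * 50.0 / 65535


def run_demo() -> list:
    """Constructed stream of (t seconds, raw count). The frame at t=3 is spoofed
    (45 bar in a process sitting near 10 bar) and carries a valid CRC.
    Returns the indices the plausibility monitor rejected."""
    readings = [(0, 13107), (1, 13238), (2, 13369), (3, 58982), (4, 13500)]
    mon = PlausibilityMonitor(lo=0.0, hi=50.0, max_rate=1.0)  # bar, bar/s (assumed)
    rejected = []
    for i, (t, raw) in enumerate(readings):
        frame = build_rtu_response(1, raw)
        value = scale(parse_rtu_response(frame)["raw_value"])  # CRC passes for all five
        if not mon.check(t, value):
            rejected.append(i)
    return rejected


if __name__ == "__main__":
    print(run_demo())  # [3]
```

The spoofed frame passes every check the protocol offers; only the physics-level comparison against the process's own behaviour flags it, and the monitor deliberately keeps its baseline at the last plausible reading so the next genuine value is not rejected as a second jump.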