Lack of authentication of process sensors does not appear to bother people

March 16, 2021
According to Dale Pederson, his poll showed 97% of the ICS security audience knew that Purdue Reference Model Level 0 sensors and actuators had no authentication. So according to Dale, awareness in this audience is not a problem. Who are these people that responded and how many understand cyber security of process sensors and other Purdue Reference Model Level 0,1 devices? How many understand the safety significance of lack of authentication of process sensors and actuators? How many realize this could be a backdoor for the Chinese to enter the compromised transformer? How many realize the Chinese have provided counterfeit pressure and differential pressure transmitters which are significant safety and reliability concerns? My guess is not many. What does it take to educate people?

According to Dale Pederson, his poll showed 97% of the ICS security audience knew that Purdue Reference Model Level 0 sensors and actuators had no authentication. So according to Dale, awareness in this audience is not a problem. Who are these people that responded and how many understand cyber security of process sensors and other Purdue Reference Model Level 0,1 devices? How many understand the safety significance of lack of authentication of process sensors and actuators? How many realize this could be a backdoor for the Chinese to enter the compromised transformer? How many realize the Chinese have provided counterfeit pressure and differential pressure transmitters which are significant safety and reliability concerns?  My guess is not many.

If IT and OT view authentication as critical to being cyber secure, how can the starting point of all control and safety system applications, which is the process sensor input, not be authenticated and yet people still be OK with this situation? Because, if there is no authentication of the Level 0,1 sensor input, than OT monitoring is questionable as it is based on untrusted input. I don’t think many of the 97% appreciate that distinction.

There are efforts in several control system standards and industry organizations working on process sensor cyber security for control and safety applications. These are engineering-based not network-based discussions. I don’t believe many of the respondents are aware of these efforts.

 As a colleague of mine who has spent more than 40 years working on Level 0,1 issues stated: “I have spent years talking to brick walls and brick heads about the lack of security in field devices. Their response is typically that they are air gapped and that everything is safe and secure. Irrational fantasy at best. I am not alone in this quest, but I am definitely in a minority.”

I will be presenting along with a colleague from one of the national labs March 31 at the Texas A&M Instrumentation & Automation Symposium process sensor control system cyber security to process and safety systems experts. I wonder how many of the responders to the poll will attend?

Joe Weiss

Sponsored Recommendations

Make Effortless HMI and PLC Modifications from Anywhere

The tiny EZminiWiFi is a godsend for the plant maintenance engineers who need to make a minor modification to the HMI program or, for that matter, the PLC program. It's very easy...

The Benefits of Using American-Made Automation Products

Discover the benefits of American-made automation products, including stable pricing, faster delivery, and innovative features tailored to real-world applications. With superior...

50 Years of Automation Innovation and What to Expect Next

Over the past 50 years, the automation technology landscape has changed dramatically, but many of the underlying industry needs remain unchanged. To learn more about what’s changed...

Manufacturing Marvels Highlights Why EZAutomation Is a Force to Be Reckoned With

Watch EZAutomation's recent feature on the popular FOX Network series "Manufacturing Marvels" and discover what makes them a force to be reckoned with in industrial automation...