On March 10, 2022, I gave a presentation to the US Air Force Cyber College on process sensor cyber security entitled “‘Shields-Up’ and Good Cyber Hygiene Don't Apply to Insecure Process Sensors.” There were approximately 100 attendees from DOD, government, industry, credit rating agencies, and others. An invitation was made to the attendees to join a joint Services project to address the process sensor cyber security issue.
Process sensors have no inherent cyber security and yet they have hardware backdoors directly to the Internet. Consequently, there are no air gaps of the kind many have long assumed would protect legacy, long-lived systems. The cyber security gap includes no capability for passwords, single-factor (much less multi-factor) authentication, encryption, keys, signed certificates, etc. Despite the lack of any cyber security, these devices are the 100% trusted input to OT networks and manual operation. Moreover, process sensors have no cyber forensics.
It was evident at the session that there are significant cultural and education gaps between the engineers responsible for the design and operation of equipment, who do not consider cyber security of interest, and the network security people, who consider cyber security important but don’t consider process sensors or other engineering equipment important. That same engineering vs. networking gap was evident in the March 22, 2022, CISA "Unclassified Broad Stakeholder Call to Address Impacts of the Russia-Ukraine Situation on the Homeland," even though the Russians have demonstrated the ability to compromise process sensors.
The evidence offered in the Cyber College presentation, as well as in many blogs, demonstrated that the lack of cyber security in process sensors is real and has caused catastrophic failures. In many cases, these incidents were not detectable as cyber-related incidents. A recent project demonstrated that even when process sensors are inoperable, that condition may not be detectable from the HMI. This lack of identification can be both a quality and a safety concern, and it can arise from either unintentional or malicious causes.
Ironically, on March 16, 2022, NIST issued NIST Special Publication 1800-10, "Protecting Information and System Integrity in Industrial Control System Environments: Cybersecurity for the Manufacturing Sector." The NIST report states “In this project, the focus was on the engineering workstations and not on the manufacturing components. It is acknowledged that many of the device cybersecurity capabilities may not be available in modern sensors and actuators”.
Network cyber threats such as vulnerabilities in Log4j, the Treck TCP/IP Stack, and ransomware make off-line monitoring (not connected to the Internet Protocol network) of process sensors more important than ever.
Those interested in the presentation or learning more about the lack of cyber security of process sensors and what can be done to improve cyber security, safety, reliability, and resilience can contact me at [email protected]
Joe Weiss