I participated in the 2018 Air Force Cyber Strategy Conference at Maxwell Air Force Base’s Air University (http://www.airuniversity.af.mil/Portals/10/CyberCollege/documents/Conference/AF%20Cyber%20Strategy%20Conference%20Agenda.pdf). I gave a presentation on control system cyber security with a focus on the lack of security in process sensors, actuators, and drives. Following my presentation, I was on a panel with JD Work from Columbia University and retired Major General Brett Williams.
It was an interesting conference that was DOD-focused. However, when it comes to control system cyber security, it was similar to many other cyber security conferences – the focus was on IT not control systems. Independently, the AFCEA Defensive Cyber Operations Symposium in Baltimore, Maryland asked the question “Are DOD’s cyber forces too focused on the networks?” (https://www.fifthdomain.com/dod/cybercom/2018/05/23/are-dods-cyber-forces-too-focused-on-the-network/). It should be evident from my observations that, from the perspective of control systems, the Air University Conference was too focused on the IT networks.
Observations:
- This was a policy conference but there was little control system community participation. How can you make cyber policy if you don’t have appropriate input from the control system community? This is a continuing problem at most cyber policy meetings and conferences.
- The traditional mantra is the vast majority of critical infrastructure is owned by private industry, but DOD is still a major owner/operator of control system equipment. Consequently, DOD should have a direct interest in securing control systems.
- Because it was essentially an IT Conference, the focus was on cyber vulnerabilities not system impacts. The term SCADA was used but often without an understanding of the term. Infrastructure was viewed as routers, switches, and firewalls, not process sensors, actuators, and drives.
- There is a difference in how cyber security personnel view control system cyber security as opposed to how control system personnel view control system security. From a control system perspective, cyber security is only an issue if it affects safety, reliability, or regulatory compliance. Consequently, it isn’t the vulnerability that is important, it is the system impact. Therefore, the focus should be on the sensors/process. Because process sensors, actuators, and drives have no cyber security or authentication and can be compromised before the signal becomes an Ethernet packet, monitoring must be done at that level to assure the integrity and validity of the signal before it becomes an Ethernet packet. Benefits of monitoring the electrical characteristics of process sensors before they become Ethernet packets include cyber and operational benefits:
- Sensor monitoring of the electrical characteristics of the sensor is independent of the Windows HMI providing independence and resilience
- Cross-correlating the pre-packet sensor data with network anomaly detection gives a complete view (true situational awareness) and a justification of when a vulnerability becomes important to operation
- Any supply chain issues that could actually impact the process would be identified in real time as the monitoring is agnostic to why the problem is occurring
- Real time sensor/process monitoring provides a justification to extend maintenance/testing intervals which can improve predictive maintenance programs
- Within hours of my presentation on the lack of security in process sensors, actuators, and drives, I had an e-mail asking about a possible DOD demonstration project.
- In my breakout session there were very interesting discussions on definitions that apply everywhere: What is cyber? What is cyber security? What is a cyber weapon? How is a cyber weapon different than electronic warfare? There was also a question asked that I found very interesting. Legally, was Stuxnet an act of war?
As an aside, Air University is using my book, “Protecting Industrial Control Systems from Electronic Threats”.
Joe Weiss