Network security is of course important, whether for IT or OT networks. But the security, safety, and availability of industrial systems rests ultimately on the reliability and accuracy of data delivered to those networks at the sensor level. Ignoring sensor-level security could be, literally, a fatal oversight.
Dale Peterson has written and held podcasts on the lack of importance of Level 0,1 devices. Because Dale is so well known in the OT security community, I felt it was important to respond to what I take to be his mischaracterization of the Level 0,1 issues. I’ll run through some examples that show how we ought to understand those issues.
Dale’s stance
Dale’s March 23 and March 30, 2021 blogs on Level 0,1 devices minimized the cyber and safety risk from Level 0,1 devices (https://www.linkedin.com/pulse/recommended-security-controls-level-0-1-dale-peterson/). This theme continued in Dale’s February 15, 2022 weekly article, “Pivot to Process Anomaly Detection”. As Dale states, “They are doing a bit of that with the gathered data, it is a much bigger market if you don't care where the data is coming from, and historian/server data does not require deploying a second network.” According to Dale, the biggest problem with this pivot is mindshare. The OT detection space overwhelmed the market with incessant and quality (usually) messaging over a five-year period. It got to the point that a CISO better have an answer when executives or the board asked what they were doing vis-a-vis this product category. The SBOM / composition analysis market has the wind at its back with the focus on supply chain and US Government mandates. The same could be said for “zero trust”, although this is harder in OT where there is typically no trust required in control commands … the opposite of zero trust.”
Dale couldn’t be more wrong in this – there is 100% trust in the commands. “Could a vendor, or even better a group of vendors, push the message of process variable anomaly detection from existing and accessible process data? I don’t know. I do know it is a pathway to a large market, and Level 0/1 monitoring is not.” Dale is right about market potential in the network monitoring space. The person responsible for sensors is the VP of Operations/Engineering not the CISO and the VP of Operations/Engineering is generally not part of the cyber security program.
Level 0,1
Control systems are composed of field devices with their lower-level networks under the purview of engineering. Internet Protocols (generally Ethernet) networks and Human-Machine Interfaces (HMI’s) are under the purview of network experts. There is a popular belief which Dale and many others in the networking community espouse, that control system cyber security is fundamentally a network issue. Securing IT and OT networks is necessary to maintain cyber security of IT and OT networks (though this does not directly affect process safety). However, network security is sufficient neither for control system cyber security nor for process safety if you haven’t addressed the Level 0,1 engineering devices. Those Level 0,1 devices include process sensors, actuators, and drives.
Level 0,1 devices are often at the root of the technical and organizational issues between the networking and engineering communities as Level 0,1 devices are directly used in safety, control, maintenance, and operations, often with different requirements, different users, and different organizational cultures than for networking applications. Cyber security technology, training, and forensics exists at the Ethernet layer and OT network specialists consider cyber security part of their job. The same cannot be said at the device and facility equipment level as cyber security technology, training, and forensics currently do not exist at this level and many engineers do not recognize that cyber security is part of their job (https://www.controlglobal.com/blogs/unfettered/engineering-operations-and-maintenance-often-do-not-view-cyber-security-as-their-problem).
Sensor security deficiencies
Dale stated: “…if you don't care where the data is coming from.” Unfortunately, it is critically important where the data comes from, and whether the data is reliable. The validity of the sensor signal needs to be established before it is converted to an Ethernet packet with an IP address. This is because sensor data and sensor characteristics can be altered unintentionally or maliciously before the data is converted to Ethernet packets.
ISA 84.09 conducted an exercise to determine the relative conformance and applicability of the ISA 62443-4-2 Component Specification’s individual security requirements to the legacy (what is being built today as well those already installed in the field) sensors. We selected a digital safety pressure transmitter and its ecosystem including the transmitters, host computers, field calibrators, and local sensor networks to determine what, if any, compensating measures might be necessary. The results were that 69 of the 138 individual requirements, including the fundamental requirements, could not be met. That is, the sensors all had hardware backdoors that could not be bypassed. Moreover, the sensor calibration tools have no security but also have direct connections to the Internet. There are also no criteria for field device cyber certification.
December 29, 2021, Ankit Suthar published the article “Are your smart instruments secured?” https://www.linkedin.com/pulse/your-smart-instruments-secured-ankit-suthar/?trackingId=7r%2Bf25P7QXKo83zDDsPZkw%3D%3D. That paper validated the ISA84.09 exercise. Ankit states: “We have been doing the commissioning of more than 3,000 smart instruments (i.e., Foundation Fieldbus-FF, HART) which includes loop check, simulation, calibration, and datasheet verification, Asset Management System (AMS) configuration for each instrument. I started to dig into all the manuals and datasheets of different vendors and found out that there is no password at all in most of the instruments, even by default. You simply plug in your HART communicator and change whatever you want.
Potential impacts
Dale’s assumption is that the only impact compromising a sensor might have is to modify the sensor value, of which the modified value can be found by many forms of monitoring. This is not correct. Dale also assumes that only one sensor is compromised. However, the AMSs collect all sensor data and unfortunately are not secure. This was shown by the Russian Project Corsair demonstration (mentioned later) where the Russians had access to all of the sensors in AMS.
There are more insidious possibilities including compromising the validity of the sensor settings and calibration results. Changing sensor settings such as span, range, and damping can prevent the sensors from performing their functions as expected. Sensor settings can be reconfigured using insecure field calibrators or analog HART input cards.
Device-level protocols have either no cyber security or the existing security continues to have new cyber issues identified. Sensor protocols include HART, Fieldbus, and Profinet.
HART comes in several wired and wireless “flavors”. Wired HART is based on 1200 baud modems. There are more than 60 million HART devices in the field, including those in Ankit’s project.
Profinet is a device-level protocol for Siemens and other European venders. A cyber vulnerability disclosure was recently issued for Profinet Discovery and Configuration Protocol (DCP) - https://www.cisa.gov/uscert/ics/advisories/ICSA-17-129-02. Every Profinet device uses DCP. IO-Link is a point-to-point connection from a sensor to a controller where it connects to Profinet. There are more than 21 million IO-Link devices.
Here, for example, is an advertisement for a HART Sensor Calibrator
- A key advantage of a mobile app solution over traditional handheld HART communicator is that you can use the mobile device you already own. In addition to already owning the main piece of hardware required, it is typically upgraded every couple of years for a very low cost (if not for free). You are continuously getting more features and more processing power without any effort.
- In the past it was difficult to use a handheld or even a PC-based HART communicator in hard-to-reach places. Carrying a laptop up a ladder is dangerous. However, now there are Bluetooth-based HART modems that provide great convenience. Connect the Bluetooth HART modem in the hard-to-reach location, and then climb back down to safety and use your mobile app-based HART communicator safely from the ground.
It should be obvious that a number of cyber vulnerabilities can be identified that could be exploited before the sensor signal ever gets to the PLC, HMI, or historian.
Digital sensors generally come with hardware jumpers to prevent the sensors settings from being electronically changed. However, there are no standards stating that hardware jumpers should be installed during operation. This is similar to the Triton attack where the Triconex Workstation was in the program mode with the key in during operation. Moreover, changes to sensor settings will not be detected by network monitoring or historians. A study in Japan found that a significant percentage of the “nuisance” alarms in a refinery were from reranaged sensors. The assumptions were that changes were unintentional and did not affect safety. Neither assumption may be correct.
As an example of the impacts, changing sensor damping can “brick” any PLC with no indication of a problem. That is, the PLC will stop working and the HMI will be unaware. The Top 20 Secure PLC Coding Practices does not address this eventuality as it PLC is getting valid sensor data from a valid source, but effectively causing a denial-of-service.
Temperature is very important as a stand-alone measurement as well as an input to many other measurements as they need to be “temperature compensated” to be accurate. This is particularly true in flow measurements. As an example, ultrasonic flow sensors measure the speed of sound which depends on temperature compensation. Using the wrong thermocouple (e.g., Type, C, J, K, etc.) or the wrong wiring will provide inaccurate measurements. This might be detected at the HMI but too late as the sensor measurements are provided in real time to the PLC and other field devices such as valves and motors. Yet, like all other measurements, there is no cyber security.
As mentioned by Ankit, “An attack on a control system could take the form of one or more field instruments being spoofed to induce a shutdown of a piece of equipment.”
These existing wired and wireless digital and analog pressure transmitters and their associated device level protocols and cyber security limitations are expected to continue to be produced and used for at least the next 10-15 years. Consequently, “Rip and Replace” is not a realistic option.
Selected Actual cases
Catastrophic process sensor cyber incidents include the Max 737 crashes, the Rio-Paris Airbus crash, the Texas City refinery explosion, and the Buncefield tank farm explosions.
Adversaries know
Russia, China, and Iran are aware of the lack of cyber security in process sensors. Additionally, they have access to these sensors.
In 2016, a Russian security research gave a presentation to the ICS Cyber Security Conference by webinar from Moscow. The demonstration called Project Corsair Moscow demonstrating the compromise of process sensors using the asset management system and HART. At the same conference, a separate presentation was made on hacking three different vendors’ wired-HART transmitters. Additionally, a presentation was made at the 2017 ICS Cyber Security Conference on hacking wireless-HART transmitters and digital valves.
In 2017, I gave a presentation at Defcon presentation that was acknowledged by Iran on Linked-in.
In 2019, Chinese transformers were found with hardware backdoors that could be accessed by spoofed sensor signals.
Summary
The culture gap between engineering and networking can almost be summed up with Dale’s statement that there is no trust in control commands. Regardless of how well networks and communications are secured, if the process sensors that constitute the ground truth of physical processes are compromised or defective, it will not be possible to have a safe, secure, reliable, or optimized process. If the people that understand the Level 0,1 devices and operation are not involved, there is no chance control systems and processes will be either secure or safe.
Joe Weiss