The DHS CISA Cybersecurity Advisory Committee held a conference call Thursday, March 31, 2022 that discussed current CISA Cybersecurity Advisory Committee activities and the Government's ongoing cybersecurity initiatives. The meeting was for the Committee members to hear updates and discuss progress as it relates to the CISA Cybersecurity Advisory Committee's six subcommittees: (1) Transforming the Cyber Workforce Subcommittee; (2) Turning the Corner on Cyber Hygiene Subcommittee; (3) Igniting the Hacker Community Subcommittee; (4) Protecting Critical Infrastructure from Misinformation and Disinformation Subcommittee; (5) Building Resilience and Reducing Systemic Risk to Critical Infrastructure Subcommittee; and (6) Strategic Communications Subcommittee. The summary can be found at https://www.cisa.gov/news/2022/03/31/readout-cisas-second-cybersecurity-advisory-committee-meeting. Members of the public were invited to provide comments on issues that will be considered by the Committee. As a result, I submitted comments (provided below) which turned out to be the only public comments. As can be seen, my comments apply to many of the Subcommittees. They also apply internationally.
CISA Subcommittee discussions
(1) Transforming the Cyber Workforce Subcommittee: From the Subcommittee discussions, it appeared that work force issues were focused on training personnel for network cyber security. However, the engineers who work on potentially cyber-vulnerable equipment were not addressed. The engineering/operational management that should be contributing to the workforce discussions do not appear to be involved. This is a common problem as demonstrated at the recent SINET Conference ( https://www.controlglobal.com/blogs/unfettered/sinet-silicon-valley-conference-cisos-and-engineering-often-dont-mix). Network security is important, but it’s equally important not to overlook the engineers (OT network personnel are not the same as the engineers).
(2) Turning the Corner on Cyber Hygiene Subcommittee: From the control system (OT) perspective, cyber hygiene is relevant to the OT networks. However, control system devices have no passwords, authentication, cyber logging, etc. (https://www.controlglobal.com/blogs/unfettered/it-is-not-possible-to-meet-senate-cyber-disclosure-requirements-or-cisa-ot-recommendations/). As such, the Subcommittee discussions that focused on passwords and multi-factor authentication which are relevant to the OT networks but not to the control system devices.
(3) Igniting the Hacker Community Subcommittee: There were discussions about cyber vulnerability disclosures. However, there were minimal discussions about cyber incident disclosures. From my experience, most cyber security training and cyber protections are based on Internet Protocol (IP) network attacks. I have identified millions of actual control system incidents (unintentional and malicious) that were not emanating from the IP networks. That means much of the cyber security training, cyber security products, and table tops exercises are not addressing these real control system cyber incidents.
(4) Protecting Critical Infrastructure from Misinformation and Disinformation Subcommittee: This was primarily for elections and so, of course, is not directly relevant to control system devices or OT networks.
(5) Building Resilience and Reducing Systemic Risk to Critical Infrastructure Subcommittee: The control system devises (process sensors, actuators, drives, etc.) are common to all infrastructures but are not being adequately addressed. This is the subcommittee that needs engineering participation. An example of the need for expertise is the lack of cyber security in process sensors. Subcommittee 2 is assuming that authentication, encryption, and signed software will be available. Though some of these requirements could be met with today’s technology, many require more processing power than available in current process sensors. More powerful processors require more power for the field device. However, there is a need to limit power because power is an issue when these devices are installed in environments with explosive vapors. The chemical and oil and gas industry require intrinsically safe field devices which limits the power and the resulting processing power of the device. This is an example where cyber security and process safety are at odds and process safety must prevail.
(6) Strategic Communications Subcommittee: This was generally not relevant for securing physical infrastructures. However, there is an assumption that a cyberattack will be recognizable. The 2017 Russian cyberattack against the Saudi Arabian petrochemical plant (Triton) make this assumption questionable. That is, one of the largest petrochemical plants in the world was shutdown by malware yet the shutdown was not identified as being cyber-related. Consequently, the plant restarted with the malware still installed.
My thoughts
The subcommittees primarily addressed IT network-associated considerations assuming they would apply to Operational Technology (OT) systems. For IT and OT networks, network security is necessary and sufficient; the discussions were relevant. However, for control systems, network security is necessary but NOT sufficient. This is because control system devices often have lesser communication and security capabilities than IT and OT network technologies and it is those limitations that are not being addressed. The process sensor processor issue is a good example. Because process sensors are used in every sector, these deficiencies can affect our entire economy. Moreover, IT network security policies based on the ISO27000 standards are not directly applicable to many control system applications. Consequently, the International Society of Automation (ISA) has been developing the ISA62443 suite of Industrial Automation and Control Systems (IACS) cyber security standards. These standards are now “horizontal standards” meaning they are applicable to all sectors. Without the detailed understanding of control system device limitations, it is not possible to know if the Committee’s recommendations apply to control system devices or could possibly do harm such as with process sensors.
My prepared remarks:
Process sensors and OT networks are used in every physical infrastructure. Securing OT networks is necessary but it’s not sufficient. Compromising process sensors can damage any process, yet neither the sensor compromise nor the system damage may be identifiable by the OT networks.
March 10th, I gave a seminar to the US Air Force Cyber College on the lack of cyber security in process sensors entitled: “Shields Up and Good Cyber Hygiene Do Not Apply to Insecure Process Sensors” as process sensors have no inherent cyber security yet have direct connections to the Internet and are the 100% trusted input to OT networks. The cyber security gap includes no capability for passwords, authentication, encryption, or cyber forensics. Moreover, there are no government or industry standards to address the lack of cyber security in process sensors. “Shields Up” recommends conducting a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted. Good cyber hygiene requires strong passwords. However, insecure process sensors have no passwords and are untrusted during all conditions.
There have been more than 11 million control system cyber incidents, many of them process sensor-related, directly resulting in more than 1,500 deaths. The vast majority were not identified as being cyber-related as there are no control system cyber forensics at the process sensor layer. There is effectively no cyber security training for the control and safety system engineers and technicians even though cyber security training is available for the OT network personnel. Adversaries such as Russia, China, and Iran are aware of these deficiencies.
It is not possible to be cyber secure, resilient, or safe if you cannot trust your process measurements. These are the paths for moving forward:
Short Term:
- Get engineers involved
- Use sensor monitoring and analytics at the physics, not network packet layer, to improve cyber security, process safety, product quality, resilience, and regulatory compliance that cannot be done by monitoring the OT networks alone
- Develop process sensor cyber forensics
- Develop training, recommendations, and standards for process sensors
Long Term:
- Develop new secure process sensors
CISA Response to my Comments
CISA’s Eric Goldstein responded that sensors were indeed important. He mentioned the thousands of OT vulnerability disclosures and the severity of some of those disclosures based on the CVE criteria. However, none of the disclosures were for process sensors. Moreover, the CVE criteria do not apply to process sensors yet these devices have no cyber security. (https://www.controlglobal.com/blogs/unfettered/a-vulnerability-worse-than-log4j-and-it-can-blow-up-facilities-and-shut-down-the-grid/)
Recommendations
Add a person with engineering expertise to Subcommittee 5 on critical infrastructure. Coordinate with the other subcommittees on control system-unique considerations. Without the detailed understanding of control system device limitations, it is not possible to know if the Committee’s recommendations apply to control system devices or could possibly do harm as the process sensor example demonstrates.
Joe Weiss