Observations from May 2018 Air Force Cyber Strategy Conference and the importance of monitoring process sensors

May 27, 2018
I participated in the 2018 Air Force Cyber Strategy Conference at Maxwell Air Force Base’s Air University giving a presentation on control system cyber security with a focus on the lack of security in process sensors, actuators, and drives. Following my presentation, I was on a panel with JD Work from Columbia University and retired Major General Brett Williams. As with other conferences, the focus was on IT network security not control systems.

I participated in the 2018 Air Force Cyber Strategy Conference at Maxwell Air Force Base’s Air University (http://www.airuniversity.af.mil/Portals/10/CyberCollege/documents/Conference/AF%20Cyber%20Strategy%20Conference%20Agenda.pdf). I gave a presentation on control system cyber security with a focus on the lack of security in process sensors, actuators, and drives. Following my presentation, I was on a panel with JD Work from Columbia University and retired Major General Brett Williams.

It was an interesting conference that was DOD-focused. However, when it comes to control system cyber security, it was similar to many other cyber security conferences – the focus was on IT not control systems. Independently, the AFCEA Defensive Cyber Operations Symposium in Baltimore, Maryland asked the question “Are DOD’s cyber forces too focused on the networks?” (https://www.fifthdomain.com/dod/cybercom/2018/05/23/are-dods-cyber-forces-too-focused-on-the-network/). It should be evident from my observations that, from the perspective of control systems, the Air University Conference was too focused on the IT networks.

Observations:

- This was a policy conference but there was little control system community participation. How can you make cyber policy if you don’t have appropriate input from the control system community? This is a continuing problem at most cyber policy meetings and conferences.

- The traditional mantra is the vast majority of critical infrastructure is owned by private industry, but DOD is still a major owner/operator of control system equipment. Consequently, DOD should have a direct interest in securing control systems.

- Because it was essentially an IT Conference, the focus was on cyber vulnerabilities not system impacts. The term SCADA was used but often without an understanding of the term. Infrastructure was viewed as routers, switches, and firewalls, not process sensors, actuators, and drives.

- There is a difference in how cyber security personnel view control system cyber security as opposed to how control system personnel view control system security. From a control system perspective, cyber security is only an issue if it affects safety, reliability, or regulatory compliance. Consequently, it isn’t the vulnerability that is important, it is the system impact. Therefore, the focus should be on the sensors/process. Because process sensors, actuators, and drives have no cyber security or authentication and can be compromised before the signal becomes an Ethernet packet, monitoring must be done at that level to assure the integrity and validity of the signal before it becomes an Ethernet packet. Benefits of monitoring the electrical characteristics of process sensors before they become Ethernet packets include cyber and operational benefits:

- Sensor monitoring of the electrical characteristics of the sensor is independent of the Windows HMI providing independence and resilience

- Cross-correlating the pre-packet sensor data with network anomaly detection gives a complete view (true situational awareness) and a justification of when a vulnerability becomes important to operation

- Any supply chain issues that could actually impact the process would be identified in real time as the monitoring is agnostic to why the problem is occurring

- Real time sensor/process monitoring provides a justification to extend maintenance/testing intervals which can improve predictive maintenance programs

- Within hours of my presentation on the lack of security in process sensors, actuators, and drives, I had an e-mail asking about a possible DOD demonstration project.

- In my breakout session there were very interesting discussions on definitions that apply everywhere: What is cyber? What is cyber security? What is a cyber weapon? How is a cyber weapon different than electronic warfare? There was also a question asked that I found very interesting. Legally, was Stuxnet an act of war?

As an aside, Air University is using my book, “Protecting Industrial Control Systems from Electronic Threats”.

Joe Weiss

Sponsored Recommendations

Make Effortless HMI and PLC Modifications from Anywhere

The tiny EZminiWiFi is a godsend for the plant maintenance engineers who need to make a minor modification to the HMI program or, for that matter, the PLC program. It's very easy...

The Benefits of Using American-Made Automation Products

Discover the benefits of American-made automation products, including stable pricing, faster delivery, and innovative features tailored to real-world applications. With superior...

50 Years of Automation Innovation and What to Expect Next

Over the past 50 years, the automation technology landscape has changed dramatically, but many of the underlying industry needs remain unchanged. To learn more about what’s changed...

Manufacturing Marvels Highlights Why EZAutomation Is a Force to Be Reckoned With

Watch EZAutomation's recent feature on the popular FOX Network series "Manufacturing Marvels" and discover what makes them a force to be reckoned with in industrial automation...