I am being featured in the September issue of Top Cyber News Magazine regarding critical infrastructure cyber security. Process sensors and other control system field devices continued to be ignored by the IT and OT cyber security communities. Consequently, in preparation for the magazine issue, I had a discussion with an OT cyber security expert about my concerns with process sensor cyber security. I stated that because of my nuclear safety background, I have been very concerned about process sensors and other field devices. Unfortunately, as I have mentioned all too frequently, the field devices have no cyber security or authentication and are generally overlooked because they have been assumed to be uncompromised and correct. The OT expert told me that recently two people died in an oil and gas facility because process sensors were not working correctly. It’s not that either the accident or the fatalities are concealed, but their origin as a cyber incident is systematically overlooked. The systematic gap in identifying safety incidents as being cyber-related is prevalent throughout process safety journals and accident investigations. It is not just the process industry as the systematic gap also is prevalent throughout the electric industry as identified in https://www.controlglobal.com/blogs/unfettered/utilitydoe-data-indicates-sophisticated-hackers-have-compromised-us-electric-control-centers
I am also using this blog to respond to questions/criticisms of earlier blogs about my database of control system cyber incidents and the lack of cyber security and authentication in process sensors.
Control system cyber security incident database
My database (now at more than 11 million control system cyber incidents) seemingly increases each time I issue a blog. That is because I have found previously unidentified control system cyber incidents (at least for me). This blog is about a case I was made aware of on August 22, 2022. Because the information was given to me in confidence, it will remain so and is also why the database is not public. OT cyber security training and OT network forensics can identify cyber incidents at the Internet Protocol layer network where OT network cyber security technologies and training exist which explains why there are so many ransomware cases being identified. However, there are no cyber forensics or cyber security training at the control system field device level which is why so many of the cases in my database have not been publicly identified as being cyber-related. This is also evident from the previous blog- https://www.controlglobal.com/blogs/unfettered/windows-based-hmis-are-too-slow-for-monitoring-process-sensors-or-plant-equipment-anomalies
Process sensors have no cyber security or authentication
Process sensors are an ecosystem consisting of the actual sensor devices, process sensor protocols, maintenance tools, and host devices. As pointed out by Joel Langill, some process sensor protocols such as ISA100 and HART 7 have cyber security and authentication. However, the sensor devices themselves do not have cyber security or authentication. This was identified in the ISA 84.09 effort to determine the relative conformance and applicability of the ISA 62443-4-2 Component Specification’s individual security requirements to the legacy digital safety pressure transmitter ecosystem which includes the transmitters, host computers, field calibrators, and local sensor networks to determine what compensating measures might be necessary. The results showed that many of the fundamental requirements could not be met. The lack of cyber security in legacy process sensors has also been identified by others in industry, government, and academia. The previous blog demonstrated that if the process sensors are not correct (whether from unintentional or malicious reasons), the process is not cyber secure, safe, reliable, or resilient and the facility will experience a productivity hit. Again, another opportunity for appropriate OT training and forensics.
Conclusions
Process sensors and other control system field devices continued to be ignored by the IT and OT cyber security communities. Fatal incidents continue to occur, but they are not identified as cyber-related. There is a need for appropriate training, development of control system field device cyber forensics, and the use of machine learning of raw unfiltered sensor data such as demonstrated by JDS Operational Technologies to identify cyber incidents that cannot be identified from the Windows-based HMI or other network security monitoring.
Joe Weiss