The Gap Between OT Networking Personnel & Control System Experts

OT Networking

Before 9/11, securing control systems was very much an engineering problem. This is why, when Joe Weiss started the ICS Control Systems Cyber Security Conference in 2002, it was for the control system engineers. Unfortunately, following 9/11, the engineering issues were superseded by the network community’s laser focus on networks, leading to a gaping hole in the understanding of control system cyber security and safety. This engineering gap is reinforced in almost every OT security organization and ICS cyber security conference.

Control systems consist of field devices which have minimal to no cyber security and authentication. Protective relays often have cyber security but depend on the unauthenticated sensors for actuation. Control systems directly affect facility reliability and safety.

Whenever process safety systems or protective relays are targeted, the objective is the physical destruction of equipment. These types of attacks may not be detectable from network monitoring, nor would network vulnerabilities and malware directly translate into impacts on actual control system equipment and processes. Without understanding the impacts on the physical process, network threat hunting and anomaly detection can leave a significant gap in understanding of the event.

The gap between OT networking experts and control system experts was exposed by Stuxnet. Symantec discovered the zero-days but had no idea of the actual goal of the malware. Many of the engineering community couldn’t understand why a PLC database would be targeted rather than the archival database. It took Ralph Langner, who understood the control systems, to realize the real intent: damage to the centrifuges.

A safety system such as Triconex cannot change plant conditions to cause the unsafe condition that would call for the safety system to operate. That comes from the plant distributed control system (DCS). Yet I have seen little discussion of the DCS installed at the plant. Specifically for the Triton attack, the OT engineer in the plant affected by Triton (Process Safety System) didn’t detect the malware that shut the plant down in June 2017 until it was “identified” in the August 2017 shutdown. The lack of consideration of the DCS comes from a lack of understanding, outside of control system and protection engineers, of the unique design of these systems and their operation.

System considerations are understood by engineering but generally not by the OT and network threat hunting communities.

While there has been significant progress over the last 2 years, there’s a long way to go in ensuring the right teams understand the design of the OT systems and securing assets from outside influences.

Adapted from Joe Weiss’ blog on OT Networking Personnel. To see the complete blog, visit
