What the lack of cyber security of process sensors means

01 - August 2018

ICS cyber security is Instrumentation & Control (I&C) system cyber security. I&C consists of measuring (sensors), analyzing (logic system that may include the HMI), and responding (actuators/drives). I&C systems are used throughout the commercial, industrial, manufacturing, defense, transportation, automotive, and other sectors. All parts of the I&C loop must meet reliability and safety requirements. ICS cyber security is important if it can affect reliability and safety requirements.

Dale Peterson wrote a blog post: “Two Real Questions on the Weissian Crusade for Securing Process Sensors, Actuators and Drives” – https://dale-peterson.com/2018/07/31/two-real-questions-on-the-weissian-crusade-for-securing-process-sensors-actuators-and-drives/

Dale stated: “While we may disagree on how well the lack of security in sensors/actuators is known in the ICSsec community…”. The community that is responsible for sensors, actuators, and drives is engineering/operations. It is evident there continues to be a need to get the ICSsec and Engineering/Operations communities together to do what each does best.

1. What cyber related risk is being tacitly accepted by the insecure by design nature of sensors and actuators?

My response: The question is what reliability and safety requirements can be impacted by lack of cyber security of process sensors, actuators, and drives. If you can’t trust your measurements, you’re in trouble! Sensors, actuators, and drives are engineering systems, not network devices. They must meet design and operational requirements for processes to be safe and reliable. Cyber security is just one “threat” to meeting the design and operational requirements of the sensors. As an engineer, I am agnostic to the threats and only concerned that the sensors are operating within the design and operational specifications (engineering requirements).

Currently, process sensors, actuators, and drives do not have cyber security requirements. They have a variety of cyber weaknesses: the sensors themselves, the sensor networks, and the serial-to-Ethernet converters (gateways). Existing process sensors may not be capable of incorporating even minimal cyber security protections. If the sensors are compromised (that is, the sensor values/settings are “incorrect” for either unintentional or malicious reasons) before the gateways convert the data to Ethernet packets, the PLC and HMIs would not be aware that the sensor values/settings have been compromised. There are a number of ways to electronically compromise sensors where the impacts can range from a denial-of-service to effectively removing safety systems by manipulating sensor setpoints. There currently are no cyber security process sensor forensics before they become Ethernet packets so it would not be evident if a sensor was compromised for either unintentional or malicious reasons. As an engineer, it should not matter. There have been many incidents where inaccurate sensors have caused catastrophic failures. Both analog and digital sensors can be, and have been, compromised. There has been at least one incident where a sensor was maliciously hacked and the system was not able to perform its function.

2. What solution is possible to reduce these sensor/actuator cyber risks, and what risk reduction is achieved at what cost?

My response: Addressing the sensors reduces process risk (the cyber risk of insecure sensors is that they are a back door into the network). Addressing the sensors IMPROVES process reliability, availability, safety, productivity, and regulatory compliance by monitoring the ground truth of the process in real time. To date, I am aware of one vendor who is monitoring the electrical characteristics of the sensors before they become Ethernet packets – SIGA. The technology has been demonstrated in a water facility, power plant, chemical plant, and building control system in Israel and is currently installed in a water treatment plant outside of Chicago. The sensor monitoring technology can identify the validity of the sensors by cross-correlating “like” sensors at the physics level. The electrical characteristics are the sensor “process noise”. Noise analysis has been used for many years to monitor equipment performance (think vibration monitoring) where the sensors have been assumed to be working properly. An unintended consequence of using IP networks is that the higher-frequency “process noise” has effectively been filtered out by the gateways. The filtering is why network anomaly detection won’t work for monitoring the validity and authenticity of the “raw” sensor input. This physics approach is agnostic as to why the sensors are changing (or not changing). Consequently, it addresses cyber as well as non-cyber reasons, as most cases are not malicious cyber events. This physics approach could have identified the Stuxnet attack as it is independent of the Windows HMI that was compromised and is monitoring the physics of the sensors which can’t be hacked.
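The following Python sketch is an added illustration, not code from the author or from SIGA. It uses constructed data (the 4-20 mA loop, the Gaussian noise levels and the block-averaging gateway are all assumptions) to show how cross-correlating the process noise of two "like" sensors flags a substituted signal at the raw level, while the same comparison on gateway-averaged values does not.

```python
import math
import random

def pearson(a, b):
    """Pearson correlation; 0.0 if either series is constant."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return 0.0 if va == 0 or vb == 0 else cov / math.sqrt(va * vb)

def process_noise(sig):
    """First difference: removes the slow trend, keeps sample-to-sample noise."""
    return [sig[i] - sig[i - 1] for i in range(1, len(sig))]

def noise_corr(a, b):
    """Correlation of the process noise of two 'like' sensors."""
    return pearson(process_noise(a), process_noise(b))

def gateway(sig, factor=50):
    """Assumed gateway behaviour: one block-averaged value per `factor` samples."""
    return [sum(sig[i:i + factor]) / factor
            for i in range(0, len(sig) - factor + 1, factor)]

def trend(t):
    """Slow process level in mA on a 4-20 mA loop (constructed)."""
    return 12.0 + 0.5 * math.sin(2 * math.pi * t / 1000)

def simulate(n=2000, seed=1):
    """Constructed data: two like sensors plus a substituted copy of sensor B."""
    rng = random.Random(seed)
    a, b = [], []
    for t in range(n):
        shared = rng.gauss(0, 0.05)          # physical noise both sensors see
        a.append(trend(t) + shared + rng.gauss(0, 0.01))
        b.append(trend(t) + shared + rng.gauss(0, 0.01))
    b_sub = [trend(t) for t in range(n)]     # plausible level, no real noise
    return a, b, b_sub

def report(seed=1):
    """Like-sensor agreement before the gateway (noise) and after it (values)."""
    a, b, b_sub = simulate(seed=seed)
    return {
        "raw_healthy": noise_corr(a, b),
        "raw_substituted": noise_corr(a, b_sub),
        "gw_healthy": pearson(gateway(a), gateway(b)),
        "gw_substituted": pearson(gateway(a), gateway(b_sub)),
    }

if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name:16s} {value:+.3f}")
```

At the raw level the healthy pair correlates strongly and the substituted signal does not; after the assumed gateway averaging both pairs look equally well matched, because only the slow trend survives.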

I provided a detailed approach as to how to change the paradigm of control system cyber security by monitoring the sensors – https://www.controlglobal.com/blogs/unfettered/changing-the-paradigm-of-control-system-cyber-security/ . This approach requires that the sensor monitoring be in real time (continuous) and at the physics level (before the sensor signal becomes an Ethernet packet).

Because the lack of cyber security of process sensors affects essentially all engineering applications, I have reached out to the National Society of Professional Engineers (NSPE) and the National Academy of Engineering to help coordinate this huge, but necessary effort.

Joe Weiss
