Attacks and Vulnerabilities
Control device security
Critical infrastructure
ISA/IEC 62443
IT/OT Collaboration
News
OT Network security
Regulation, Standards and Compliance

Deployment of smart instruments, process sensors not cyber secure in industrial environments

January 04, 2022
Deployment of smart instruments, process sensors prove unreliable in industrial environments

A cybersecurity expert emphasized that process sensors continuously need to be examined and improved, as cyber improvements cannot come at the expense of control system reliability or safety. 

Joe Weiss, Managing Partner at Applied Control Solutions
Joe Weiss, Managing Partner at Applied Control Solutions

Joe Weiss was reacting to a report that over 3,000 smart instruments in a petrochemical facility were found to have no passwords, even by default, which could potentially make industrial environments more vulnerable, in a situation even worse than the Log4j security flaws

Such gaping omissions can lead to a host of industrial mishaps, including blowing up of refineries, bursting of pipelines, the release of toxic chemicals, and the taking over of electric transformers by attackers, Weiss wrote in his latest blog post. He was following up on a revelation by Ankit Suthar, an analyst for ICS/OT at UL, a consultancy in Illinois.

Suthar had in December written in a LinkedIn post that while he was commissioning the FF (Foundation Fieldbus) Rosemount Vortex Flow transmitter on one of the largest offshore sites in Abu Dhabi, UAE, as part of his routine work as an ICS engineer. 

“While been doing the commissioning of more than 3000 smart instruments (i.e. FF, HART) which includes loop check, simulation, calibration, and datasheet verification, AMS (Asset management system) configuration for each instrument. Suddenly PMC (Project Management Consultant) Engineer asked about the Password configuration for all the instruments. Men!!!!!! we have already finished most of the instrument commissioning,” Suthar wrote in the post. 

“Of course, EPC wants to finish the commissioning as soon as possible. There was no checklist for the same as well to configure the password. I, as a MAC (Main Automation Contractor), there are a lot of conflicts around the work scope and need to balance every time there is a conflict,” according to Suthar. “EPC should have provided the details of all necessary documents related to the specification of password configuration. End-User should have been more proactive in deciding the guidelines for the same in the first place,” he added.

“But, here we come, I have started to dig into all the manuals and datasheets of different vendors. Found out that there is no password at all in most of the instruments, even not by default,” Suthar revealed in his post. “You simply plug in your HART communicator and change whatever the hell you want to change.” 

Extrapolating from Suthar’s experience, Weiss said that those who work in or around network cyber security are aware of the principle of zero trust. “It’s generally recognized as a core principle of network security. Meanwhile, process sensors have 100% trust by the control systems the sensors support and the operator displays that use the process sensor input. Not only are the sensors fully trusted, there is no process measurement integrity index that might enable facility operators to feel better about such trust,” he added.

He also pointed out that many in the operational technology (OT) cyber security community believe that the networks are important, but the process sensors are not. Examples include the American Water Works Association (AWWA) and the American Petroleum Institute (API) cyber security standards that do not address process sensors. He also pointed out that the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) standards exclude process sensors. 

Weiss also mentioned that the U.S. Transportation Security Agency’s (TSA’s) pipeline cyber security requirements, rail, and airport and aviation cyber security requirements do not include process sensors. The International Society of Automation (ISA)/International Electrotechnical Commission (IEC) 62443 series of control system cyber security standards currently do not address the unique issues with legacy process sensors or process measurement integrity.

He also warned the community that unfriendly nations are aware of these vulnerabilities. 

OT cyber security’s focus on networks is necessary but it’s not sufficient. In fact, it is dangerously insufficient, according to Weiss. “Control system cyber security needs to focus on process sensors (and other control system field devices) which are critical for safety, reliability, maintenance, and cyber security, particularly as these devices have no cyber security, authentication, or cyber logging. That includes many process sensors with no password capability,” he added.

The impact is not a potential compromise of networks such as in the Log4j vulnerability but the ability to directly manipulate equipment causing physical damage and compromising personnel safety, he added. “Cyber security of sensors continuously needs to be examined and improved. However, any cyber improvements cannot come at the expense of control system reliability or safety. These issues currently are not being addressed by industry or government standards nor by government regulation,” Weiss pointed out. 

Anna Ribeiro

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Securing cloud, IIoT in Industry 4.0 emerges crucial for protecting industrial operations across OT/ICS environments
Securing cloud, IIoT in Industry 4.0 emerges crucial for protecting industrial operations across OT/ICS environments
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
MITRE's CREF Navigator aligns with DoD's CMMC to boost cyber resilience in defense industrial base
MITRE’s CREF Navigator aligns with DoD’s CMMC to boost cyber resilience in defense industrial base
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
ASIS Foundation reports on impact of autonomous vehicles on security and technology
ASIS Foundation reports on impact of autonomous vehicles on security and technology
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
RMC
Risk Mitigation Consulting acquires Securicon, boosting cybersecurity and mission assurance offerings