Suggested Citation:"CULTURE AND EDUCATION GAPS." National Research Council. 2023. Challenges in Federal Facility Control System Cyber Security, Including Level 0 and 1 Devices. Washington, DC: The National Academies Press.


versions of Modbus, DNP3, and BACnet do include cybersecurity features, but there are questions about interoperability and impacts on reliability from the security enhancements. A recent functional safety protocol under consideration at the International Electrotechnical Commission (IEC) Technical Committee 65 (TC 65) did not address cybersecurity features.

The SolarWinds attack perpetrated by a Russian hacker group and the Microsoft Exchange server hack attributed to the Chinese government (Jibilian and Canales 2021; Tucker 2021) were able to bypass top-notch network cybersecurity technologies, including multi-factor authentication and signed certificate software upgrades. Worse yet, these attacks were not identified as cyberattacks until months later. How, then, do we secure control systems? This question necessitates a new paradigm for control system cybersecurity.

CULTURE AND EDUCATION GAPS

As noted above, there is a culture gap between IT and control system and OT security, a gap that sometimes leaves these communities with conflicting priorities. This culture gap is driven, in part, by the dearth of cybersecurity organizations that address Level 0 and Level 1 devices, which results in open holes in otherwise well-protected IP networks, and is also a result of the differing and sometimes conflicting priorities between the IT (preventing data loss) and OT operators and asset owners (ensuring safety, reliability, and productivity). It is further exacerbated by failures within organizations to guide and increase cross-functional collaboration between these teams to help foster understanding (Weiss 2021c). Moreover, organizational challenges in the IT realm differ from those that fall within the facilities engineering purview. Both groups manage divergent problem spaces with unique objectives and strategies.
Despite these stark differences, both networking (IT and OT) and engineering communities share a disconcerting lack of cybersecurity awareness for control systems. Both the February 10, 2021, presentation by Applied Control Solutions to the Federal Facilities Council’s (FFC) Standing Committee on Cyber and Physical Security and Hazard Mitigation, as well as Joel Rakow’s presentation in an August 10, 2021, FFC workshop, focused on the need to have facilities personnel, engineers, and system integrators involved in control systems cybersecurity (refer to Appendix B). The National Society of Professional Engineers (NSPE) published an article in the May/June 2020 issue of PE magazine that addresses this culture gap (Weiss 2020).

Specifically, IT and engineering organizations have different priorities. IT departments are primarily concerned with network and data security. Facilities and engineering groups focus on process reliability, process safety, and facility operations. As a result, these teams are more concerned about the impact of a cyber-incident than whether it is malicious or unintentional. By contrast, IT and networking organizations focus on network availability, data breaches, and other malicious attacks, as addressed in some companion blog posts (Weiss 2021c, 2021d). Currently, almost all cyber policy organizations are led by a Chief Information Security Officer (CISO). The CISO is typically not an engineer, nor would they generally be aware of the operational needs of the facilities and engineering communities. Because few cyber policy organizations include senior representatives from engineering or facilities organizations, IT network security technologies, testing, and updates have frequently negatively impacted control systems or plant operations.
Fred Gordy of Intelligent Buildings presented a case in which over 6,000 controllers were shut down as a result of a particularly rigorous cybersecurity scan the night before occupants were to move into a new building. The scan sent thousands of requests to control systems, overloading them and shutting them down. Some of the systems were not restored until two weeks later, negatively impacting occupant move-in. Gordy also discussed another instance in which an IT update to computers in a healthcare organization knocked a building maintenance system computer offline. Without this computer, the organization was unable to monitor airflow in its operating rooms and had to cancel an estimated 1,600 surgeries. Moreover, OT systems such as building management systems are typically not addressed in data center cybersecurity assessments (Weiss 2021a).

Federal Facilities Council Control System Security White Paper

Another example was given by Lucian Niemeyer, who stated that approximately ten percent of an organization’s IT budget should be spent on security (Niemeyer 2021). However, engineering organizations typically do not participate in cybersecurity discussions, and this metric is specific to the IT budget. If organizations stick to this guideline, facilities and engineering communities at vendor or end-user organizations may not receive adequate appropriations from the security budget. The result would be a continued lack of cybersecurity in control system products. Until this culture gap is closed, there is little chance of adequately cyber securing facilities or any other critical infrastructures, because control systems will continue to be open and insecure.

In addition, the two communities use different standards. IT organizations generally rely on the ISO27000 series of standards, whereas facilities and engineering communities generally use the International Society of Automation (ISA) 62443 series of standards. Other available standards also reflect the divisions in user organizations. For instance, cybersecurity standards (e.g., ISA99) exclude functional system safety, while functional safety standards (e.g., ISA84) do not address the unique issues of cybersecurity but rather defer to ISA99. Additionally, many device safety manuals fail to mention cybersecurity, just as many cybersecurity manuals do not address safety. The ISASecure certification program Component Security Assurance (CSA) focuses on the cybersecurity of software applications, embedded devices, host devices, and network devices (ISASecure undated). To date, no process sensors have been certified to ISASecure because of multiple technical gaps, discussed below. Moreover, the International Electrotechnical Commission (IEC) 62443 standards do not include cyber requirements for process measurement integrity.
ISA84.09 is a joint effort between process safety and cybersecurity experts to bridge this gap in standards. First, the committee conducted a study to better understand the cybersecurity (or lack thereof) of state-of-the-art process sensors. Consequently, the ISA 84.09 effort determined the relative conformance and applicability of the individual security requirements in ISA 62443-4-2, Technical Security Requirements for IACS Components, to the legacy digital safety pressure transmitter ecosystem, including the transmitters, host computers, field calibrators, and local sensor networks. These findings enabled the experts to determine what, if any, compensating measures might be necessary. The results indicated that most of the requirements in ISA 62443-4-2, including the fundamental requirements, could not be met. A few examples of these cybersecurity deficiencies in the transmitters include lack of device cyber forensics (no ability to determine what has been changed and by whom); lack of cyber logging (no ability for long-term storage of information as data is overwritten); no capability for implementing antivirus software; lack of patching capabilities; and the use of insecure communication protocols, such as FTP, Modbus, and Bluetooth.

Compensating controls are therefore necessary, and alternate standards or recommendations need to be developed to address the legacy devices that will be in use for the next 10-15 years or perhaps longer. Compensating controls can be developed to meet some, though not necessarily all, of the pressure transmitter cybersecurity deficiencies; the ISA84.09 committee is actively exploring these measures. This work includes the continuation of this use case, which is part of a broader case study to illustrate practical activities within the overall integrated safety and security lifecycle.
As these efforts continue, it is hoped that some discussions with various manufacturers will help to improve the initial transmitter study, as well as to begin formalizing potential compensating countermeasures. The outcomes of this exercise, as they pertain to safety measures, will provide better guidance for security manuals. In a possible sign of progress, a meeting with multiple standards and industry organizations was held on January 5, 2022, to address the gaps in cybersecurity of process sensors (Weiss 2022a). The meeting was motivated by the fact that process sensors have no cybersecurity, not even passwords (Weiss 2022b).

The culture gap between the networking organizations and facilities and engineering organizations actually begins in college, where cybersecurity is taught as part of the computer science curriculum and, in many cases, without any required introductory control systems engineering courses. Engineering disciplines, for their part, do not require an introductory course in cybersecurity (Weiss 2010). Figure 1 illustrates this concept: networking and control systems engineering organizations and the corresponding educational curricula fail to overlap, yet control systems security sits at the intersection of these two fields. The good news is that the educational gap between these two disciplines is being explored by Brad Sims at Capital University, Glenn Dietrich at University of Texas-San Antonio, George Markowsky at University of Missouri Science and Technology, Sean McBride at Idaho State University, and faculty at Everett Community College. Recent developments in this area are encouraging.

FIGURE 1 The gap between networking and engineering education and organizations. Control system security experts sit at the junction of computer science information assurance (i.e., IP network security) and engineering mission assurance (i.e., control systems and OT), but the respective computer science and engineering curricula and organizations do not overlap in this area. SOURCE: Courtesy of J. Weiss, Applied Control Solutions LLC.

A Level 0 or 1 process sensor monitoring project is being carried out at a large industrial facility for productivity and predictive maintenance (the identity of the company is intentionally not being disclosed). Cybersecurity is an important consideration, but not the primary motivation for the project, which is efficiency and productivity improvement. As a result, initially, some of the business and IT organizations that would be involved in cybersecurity table-top exercises, incident response, etc., were not involved, but they were, fortunately, included later. The project includes technical specialists from top-level management to operational actors across a wide array of departments:

• Continuous Improvement
• Cybersecurity
• Electrical and Instrumentation Engineering
• Electrical Coordination
• Electrical Engineer
• Electrical Safety
• Enterprise Solutions Architecture
• Global Information Technology
• Information Technology
• Maintenance
• Metallurgy
• Networks


Cybersecurity for Level 0 and Level 1 devices - which include sensors and the Industrial Internet of Things and operate on time scales ranging from milliseconds to seconds - is underdeveloped. This Federal Facilities Council white paper addresses changes to improve cybersecurity, productivity, process safety, predictive maintenance, and resilience, while also breaking down cultural and organizational barriers.

This is not a publication of the National Academies of Sciences, Engineering, and Medicine. The views expressed in this publication are solely those of the author and do not necessarily reflect the views of the National Academies of Sciences, Engineering, and Medicine.
