Recently, Ankit Suthar, an ICS/OT network security expert, published an article titled “Are Your Smart Instruments Secure?” stating that over 3,000 smart instruments in a petrochemical facility were found to have no passwords set, even by default. Joe Weiss, a renowned automation expert and control system cybersecurity specialist, and managing partner of Applied Control Solutions, pointed out that this obvious vulnerability in sensors has consequences and impacts that far exceed the Log4j vulnerability. Malicious actors can simply insert their HART communication device to make changes as needed. This could lead to a series of adverse consequences such as blowing up refineries, bursting pipelines, releasing toxic chemicals, and taking over power transformers. Weiss believes that the cybersecurity of sensors needs constant checking and improvement. However, any network improvements must not come at the expense of the reliability or safety of control systems. Currently, industry or government standards or regulations have not addressed these issues.
The Overlooked Issue of Sensor Network Security
Anyone working in cybersecurity knows the principle of zero trust, which is generally regarded as a core principle of the field. It is equally well known that process sensors are trusted 100% by the control systems they support and by the operator displays that use process sensor inputs. Not only are the sensors fully trusted, there is also no process measurement integrity index that could give facility operators any justification for that trust.
Joe Weiss, an internationally recognized control system cybersecurity expert, proposed the first law of control system cybersecurity: Process Measurement Integrity = Authorization + Authentication + Accuracy. Process measurement integrity ensures that any changes are made by authorized personnel (authorization), signals come from sensors (authentication), and sensor measurements consider deviations, whether unintentional or malicious (accuracy). Neither cybersecurity standards nor reliability and functional safety standards have addressed the integrity of process measurements.
All facilities (industrial, commercial, manufacturing, hospitals, buildings, military, etc.) use process sensors to measure pressure, level, flow, temperature, voltage, current, etc. Process sensors are integrated into control systems, functional safety systems, and control and functional safety system networks. These devices have been proven to have cybersecurity vulnerabilities, but no existing industry or government cybersecurity standards have addressed these issues.
Many in the operational technology (OT) cybersecurity community believe that networks are important, but process sensors are not. Typical examples include:
- The American Water Works Association (AWWA) cybersecurity standards do not address process sensors.
- The American Petroleum Institute (API) cybersecurity guidelines do not address process sensors.
- The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards do not include process sensors.
- The Transportation Security Administration (TSA) pipeline cybersecurity requirements, as well as railway, airport, and aviation cybersecurity requirements, do not include process sensors.
- The International Society of Automation (ISA)/International Electrotechnical Commission (IEC) 62443 series of control system cybersecurity standards currently do not address the unique issues of traditional process sensors or process measurement integrity.
Therefore, Weiss proposed the second law of control system cybersecurity: Garbage In, Garbage Out of Process Sensors, where “garbage” can be unintentional (e.g., sensor drift, technician errors, manufacturing defects, etc.) or malicious (physical or network).
Real Process Sensor Vulnerabilities
On December 29, 2021, Ankit Suthar published the article “Are Your Smart Instruments Secure?” https://www.linkedin.com/pulse/your-smart-instruments-secured-ankit-suthar/?trackingId=7r%2Bf25P7QXKo83zDDsPZkw%3D%3D. In that article, Ankit stated: “We have been debugging over 3,000 smart instruments (i.e., Foundation Fieldbus-FF, HART), which include loop checks, simulations, calibrations, and data sheet verifications, as well as the Asset Management System (AMS) configuration for each instrument. (HART – Highway Addressable Remote Transducer, is a hybrid analog and digital industrial automation open protocol. Wired HART communicates via a traditional 4-20mA analog instrument current loop using a 1200 baud modem). The project management consulting engineer inquired about the password configurations of all instruments. I began to delve into the manuals and data sheets of different vendors and found that most instruments had no passwords at all, even by default. You can simply insert your HART communication device to make changes as needed.”
Now consider how this design flaw undermines the zero trust model. There is also a further message: passwords may not even be a relevant control for many process sensors and other control system field devices.
There are no cybersecurity requirements in any industrial or government cybersecurity standards addressing process sensor network security. Regardless of the security of communications, if the process sensors that constitute any physical process are compromised or defective, there cannot be a safe, reliable, or optimized process.
In 2017, ISA99 established a special working group to determine whether traditional control system devices such as process sensors could meet the component cybersecurity requirements of ISA/IEC 62443-4-2. Most major control system process instrumentation suppliers are members of this special working group. The conclusion was that traditional field devices do not meet the standards. This led to another special working group, this time within the Process Safety Committee, to assess sensor issues in more detail. The purpose of ISA84.09 (Process Safety/Cybersecurity) work is to determine the relative consistency and applicability of individual security requirements of the ISA 62443-4-2 component standard with legacy devices (both those being built today and those already installed). Finally, in early 2021, the ISA84.09 working group selected a state-of-the-art digital security pressure transmitter (the same sensor identified by Ankit) ecosystem, including transmitters, hosts, field calibrators, and local sensor networks, to determine what compensatory measures, if any, might be needed. The result was that 69 out of 138 individual cybersecurity requirements in ISA 62443-4-2 could not be met, including basic cybersecurity requirements such as passwords. This indicates that compensatory controls are necessary and that alternative standards/guidelines are needed to address the legacy equipment that will be in use for the next 10-15 years or longer.
CVE and CVSS Mechanisms Are Not Applicable in OT Scenarios
The Common Vulnerabilities and Exposures (CVE) system provides a reference method for tracking and rating the severity of publicly disclosed information security vulnerabilities and exposures. Log4j received the highest severity rating due to its ease of exploitation; the Log4j vulnerability (CVE-2021-44228) is extremely severe because millions of applications use Log4j for logging, and all an attacker needs to do is get the application to log a specially crafted string. Log4j’s Common Vulnerability Scoring System (CVSS) score is 10 because it is very common, easy to exploit, and allows for complete takeover of systems or applications.
The lack of cybersecurity and authentication, including the lack of password functionality in many process sensors, is a hardware design issue rather than a software vulnerability. Therefore, there needs to be a new category specifically for control system devices. Thus, Weiss’s third law of control system cybersecurity:
Common Sense Risk Index (CRI): If process measurement integrity is compromised and sensors may lead to or contribute to catastrophic failures, the risk is high and must be addressed promptly. This may seem new, but it is not. This is how nuclear safety issues were addressed, and it is also how the security issues of process sensors were first discovered.
Potential Impacts
Impact on Process Industries
Process sensors that lack basic cybersecurity features, using various sensor protocols, are found in all applications. For example, over 40 million devices globally use HART. Many of these devices are used in safety applications where the failure of a process sensor could lead to catastrophic failures in refineries, chemical plants, water treatment facilities, power plants, ships, etc.
In Ankit’s article, he describes a technician with field communication equipment (without cybersecurity but connected to the Internet) performing calibrations after obtaining permission. The instrument was re-ranged and restored for use. Another technician performed the same operation on the AMS without going to the field. Besides AMS and field communication devices, there are other interfaces that can access instrument parameters.
Ankit also pointed out that “attacks do not necessarily come from outside.” Sinclair Koelemij of Honeywell made the same point in a May 24, 2020 blog post about the OSI PI vulnerability (ICSA-20-133-02): although the advisory referred to a “local attacker,” the local attacker could just as easily be malware, so whether the threat is local or remote makes little difference. Since HART-IP essentially has no built-in cybersecurity, any cybersecurity functionality depends on the system integrator or end user. An attacker who gains access to the OSI PI connector can inject other commands that affect field devices using HART-IP. These commands can modify ranges, spans, engineering units, and/or damping values. Some field devices even allow the low range value to be set above the high range value, which effectively reverses the control direction. If both Basic Process Control System (BPCS) and Safety Instrumented System (SIS) field devices are connected to a common system, the situation is worse still: both BPCS and SIS could be attacked simultaneously, potentially crippling both and leading to devastating consequences for production equipment and personnel safety.
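The parameter changes named above (range, span, engineering units, damping, and the inverted-range case where the low range sits above the high range) are exactly what a defender can watch for by diffing asset management system configuration exports against a commissioning baseline. The following is an added example, not code from the article or from any vendor's AMS; the tag names, field names and values are constructed, and the export format is an assumption:

```python
"""Baseline audit of HART transmitter configuration exports (added example).

Not from the original article or any vendor's AMS; assumes each export is a
dict keyed by tag with lrv/urv/units/damping_s fields (an assumption).
"""

# Constructed sample data: a commissioning baseline and a later AMS export.
BASELINE = {
    "PT-101": {"lrv": 0.0, "urv": 100.0, "units": "bar", "damping_s": 1.0},
    "FT-202": {"lrv": 0.0, "urv": 500.0, "units": "m3/h", "damping_s": 0.5},
}
LATER = {
    "PT-101": {"lrv": 100.0, "urv": 0.0, "units": "bar", "damping_s": 1.0},  # range inverted
    "FT-202": {"lrv": 0.0, "urv": 500.0, "units": "m3/h", "damping_s": 8.0},  # damping raised
}


def loop_ma_to_pv(ma: float, lrv: float, urv: float) -> float:
    """Scale a 4-20 mA loop current to a process value using the configured range."""
    return lrv + (ma - 4.0) / 16.0 * (urv - lrv)


def audit(baseline: dict, later: dict) -> list:
    """Return (tag, finding, detail) tuples for every deviation from baseline."""
    findings = []
    for tag, base in baseline.items():
        live = later.get(tag)
        if live is None:
            findings.append((tag, "missing", "tag absent from later export"))
            continue
        # Inverted range: a rising loop current now reads as a falling process value.
        if live["lrv"] >= live["urv"]:
            findings.append((tag, "inverted_range", f"LRV {live['lrv']} >= URV {live['urv']}"))
        for key in ("lrv", "urv", "units", "damping_s"):
            if live[key] != base[key]:
                findings.append((tag, f"{key}_changed", f"{base[key]} -> {live[key]}"))
        if abs(live["urv"] - live["lrv"]) != abs(base["urv"] - base["lrv"]):
            findings.append((tag, "span_changed", "configured span differs from baseline"))
    return findings


if __name__ == "__main__":
    for tag, finding, detail in audit(BASELINE, LATER):
        print(f"{tag}: {finding} ({detail})")
    # Same 8 mA loop current, opposite meaning once the range is inverted.
    print(loop_ma_to_pv(8.0, 0.0, 100.0), loop_ma_to_pv(8.0, 100.0, 0.0))  # 25.0 75.0
```

Running the audit on every scheduled AMS export, and alerting on any finding that has no matching work order, turns the calibration changes the article describes into something an operator actually sees.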
Impact on the Power Grid
Consider how leveraging vulnerable process sensors could affect the reliability, cybersecurity, and functional safety of the power grid. A combined cycle power plant in Florida experienced control system input errors due to voltage transformer (PT) failures, leading to oscillations that persisted until the plant operator manually shut down the unit. The oscillations quickly evolved from local forced oscillations (200 MW load fluctuations) to interconnection-wide oscillations at approximately 0.25 Hz, which propagated throughout the Eastern Interconnection, causing 50 MW load fluctuations in New England.
As Ankit stated: “An attack on control systems could take one or more forms of deceiving field instruments to cause a device to shut down.” Current transformers (CT) and voltage transformers (VT/PT) make up most of the sensors in power system substations. CTs and PTs lack password security. Cyberattacks, including network attacks from deceptive signals, could adversely affect substation equipment, including transformers. If process sensors are compromised or sensor signals are deceived as Ankit described and sent to transformer equipment through backdoors, the integrity of the transformers is at risk.
Deceptive values could lead the control system to improperly operate its associated protection systems. According to preliminary investigations, it is highly unlikely that the operation could be determined to be caused by a cyberattack. However, new digital relays and control systems log sequences of events (SOE) and store logs in memory. Protection engineers can access SOE logs and replay individual control system values recorded, observing voltage and current phasors and their symmetrical components — this is physical rather than network forensics. With appropriate training, this deeper inspection enables protection engineers to notice anomalies that may indicate CT and PT input deception.
Impact on Building Controls
In September 2021, Oak Ridge National Laboratory (ORNL), Pacific Northwest National Laboratory (PNNL), and the National Renewable Energy Laboratory (NREL) released a report on building process sensor issues. The report concluded that cybersecurity threats are increasing, and thus sensor data transmission may be hacked. A typical scenario could involve sensor data being modified by hackers and sent to control loops, resulting in extreme control behaviors. To the best of the ORNL, PNNL, and NREL authors’ knowledge, no studies have examined this challenge.
Finally, Weiss expressed serious concerns. He believes that hostile nations are already aware of these vulnerabilities. At the ICS cybersecurity conference in Moscow in 2016, a Russian security researcher remotely demonstrated an attack on the wired HART protocol through vulnerabilities in AMS, consistent with what Ankit described. In October 2017, a LinkedIn post by Weiss about his Defcon presentation, which stated that process sensors lack cybersecurity, received a “like” from a representative from Iran. As previously mentioned, hardware backdoors in large transformers manufactured in certain countries enable the deception of process sensor signals to control transformers.
OT network security’s focus on networks is necessary, but not sufficient. In fact, it reflects a lack of awareness of the dangers. Control system cybersecurity needs to focus on process sensors (and other control system field devices) that are critical to safety, reliability, maintenance, and cybersecurity, especially since these devices lack cybersecurity, authentication, or network logging. This includes many process sensors that lack password protection features. The impact is not a potential harm like the Log4j vulnerability, but the ability to directly manipulate devices causing physical damage and endangering personnel safety. The cybersecurity of sensors requires constant checking and improvement. However, any network improvements must not come at the expense of the reliability or safety of control systems. Currently, industry or government standards or regulations have not addressed these issues. Where is the appropriate priority and urgency?
Reference Links:
https://www.controlglobal.com/blogs/unfettered/a-vulnerability-worse-than-log4j-and-it-can-blow-up-facilities-and-shut-down-the-grid/
Original Source: Cybersecurity Talk
