Applying IP network guidance has harmed control system field devices and legacy control systems


Cybersecurity issues for OT control system field devices are different from those affecting Internet Protocol (IP) networks. Every organization developing OT/ICS cybersecurity policies or recommendations should understand these differences. Too often, government and industry advice for OT cybersecurity focuses on the IP network and assumes that the advice will apply to all OT, including legacy field devices and ICS control systems. From a cybersecurity perspective, legacy control systems are not just older pneumatics and 4-20 milliamp analog sensors, but also “modern” digital devices. Essentially all control system field devices shipping today are legacy systems with little or no cybersecurity. Additionally, the lack of senior engineering leadership involvement in cybersecurity policy development, as documented in my article in the May/June 2020 issue of PE Magazine “For Decision Makers: Cybersecurity is more than a computer problem,” continues unabated.

The U.S. Government Accountability Office (GAO) report GAO-19-332 states:

“To compound the risk associated with increasing the attack surface, many legacy industrial control systems were not designed with cybersecurity protections because they were not intended to be connected to networks, such as the Internet. For example, many legacy devices are unable to authenticate commands to ensure they were sent by a valid user and may not be able to run modern encryption protocols. Additionally, some legacy devices lack the ability to log commands sent to devices, making it more difficult to detect malicious activity. Additionally, even in the case of more modern devices, the security and efficiency objectives of the network and supporting industrial control systems may conflict with the objective of security in the design and operation of the industrial control systems. According to an analysis by the Idaho National Laboratory, network owners and operators are not always able to quickly identify vulnerabilities in industrial control systems. Vulnerability scanning is often used in computer systems to validate correct system configuration and to identify vulnerabilities that may be present. However, conventional computer vulnerability scanning can disable or shut down power distribution systems, and testing may not always detect vulnerabilities deep within industrial control system software. In addition, even if owners and operators are able to identify industrial control system cybersecurity vulnerabilities, they may not be able to address these vulnerabilities in a timely manner because some industrial control system devices may have high availability requirements to support network operations. These devices typically need to be taken offline to apply patches to fix cybersecurity vulnerabilities. Additionally, network owners and operators should rigorously test patches before applying them. Security patches are usually tested by vendors, but they can degrade or alter the functionality of industrial control systems, which can have serious consequences for network operations.”

There have been numerous documented cases in which applying IP network mitigations caused very significant problems for control systems and control system field devices, as the GAO report notes.

Examples include:

  • IT patches have compromised control systems, even causing safety issues. One case involved a patch for a turbine control system that was not coordinated with OT (square peg) and engineering (round hole), even though the patch had been tested by the IT organization before being sent to the customer. The untested system interaction resulted in loss of view at the turbine control station and the need to shut down the turbine. However, the unintended system interactions of the “untested” patch prevented the engineer from shutting down the turbine from the engineer’s workstation – a major safety issue.
  • IT penetration tests on control system networks have caused outages or damage to control systems and control system communications. In one instance, a utility’s IT security group (square peg) was scanning data center assets with IP network scanning software and then extended the scan to large electrical substations (round hole). The security group had no previous experience scanning substations. Following the scans, the relays showed problems, but SCADA was unaware of them. The new tool’s port scan caused the real-time protocol to stop working and hang at the CPU level in the relays (from two different relay vendors) while leaving DNP/non-real-time operations untouched – the worst possible circumstance. To clear the problem, each relay had to be power cycled to restore operation. Several hundred relays were affected, and in every case all devices in a substation were affected at the same time. Without knowing that a security scan had been initiated, it looked like a Distributed Denial of Service (DDoS) attack causing the equipment to malfunction. A grid disturbance while the high-voltage relays were unavailable could have caused a major outage across the region, damaging many large transformers and customer equipment. In another case, the IT department (square peg) performed a penetration test and caused a denial of service on 6,000 devices in the control system (round hole). It took 15 days in total to reset every device in the control system.
  • Network mapping tools can impact control system field devices. In another case, variable speed drives were connected to the network. Network mapping tools (square peg) caused a buffer overflow that resulted in a hardware failure of the drive, requiring a power-down, and hardware damage requiring replacement of the configuration modules (round hole).
  • Applying antivirus software (square peg) to many legacy Distributed Control Systems (DCS) (round hole) has caused denial of service conditions.
  • System hardening guidance applies to Microsoft Windows-based devices (square peg). However, most legacy control system field devices (round hole) do not run Windows.

These cases, and many others, demonstrate that IT security technology (square peg) that works well in a constrained IT environment may not work in an unconstrained OT/control system environment (round hole), especially with legacy control system devices and communication protocols. There are network security tools specifically designed for use in well-functioning control system environments. However, even these should be tested before being used with older legacy control systems.
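The substation incident above turned on two facts: the relays failed while a scan was in progress, and nobody watching SCADA knew a scan had been started, so it read as a DDoS. As an added example (not from the article or any product it mentions), the detector below reads constructed flow records, flags one source sweeping many ports on a relay or one OT protocol port across many relays, and labels each alert as inside or outside an approved scan window. The record format, the fan-out thresholds, the IP addresses and the scan-window list are all assumptions made for the example; the port numbers are the public IANA registrations for Modbus/TCP, DNP3 and IEC 60870-5-104.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# IANA-registered control-protocol TCP ports (assumed to be what the site's relays speak).
OT_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 2404: "IEC-104"}
PORT_FANOUT, HOST_FANOUT, WINDOW = 20, 5, timedelta(minutes=5)  # assumed thresholds

def parse_flow(line):
    """Parse a constructed 'ISO-time src dst dport' flow record."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def detect_scans(lines, known_masters=frozenset(), scan_windows=()):
    """Return sorted (src, kind, detail, authorized) alerts.
    known_masters: SCADA masters allowed to poll many devices on one OT port
    (the usual false positive for a horizontal-sweep rule). scan_windows:
    (src, start_iso, end_iso) approved IT scan slots, so an alert can be matched
    to a scheduled scan instead of being read as a DDoS."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        by_src[src].append((ts, dst, dport))
    alerts = {}
    for src, flows in by_src.items():
        flows.sort()
        for i, (now, _, _) in enumerate(flows):
            recent = [f for f in flows[: i + 1] if f[0] >= now - WINDOW]  # sliding window
            ports_by_dst, hosts_by_port = defaultdict(set), defaultdict(set)
            for _, dst, dport in recent:
                ports_by_dst[dst].add(dport)
                if dport in OT_PORTS:
                    hosts_by_port[dport].add(dst)
            hits = [("port-sweep", d) for d, p in ports_by_dst.items() if len(p) >= PORT_FANOUT]
            if src not in known_masters:  # a real master polling its relays is not a sweep
                hits += [("ot-sweep", OT_PORTS[p]) for p, h in hosts_by_port.items() if len(h) >= HOST_FANOUT]
            for kind, detail in hits:
                ok = any(src == s and datetime.fromisoformat(a) <= now <= datetime.fromisoformat(b)
                         for s, a, b in scan_windows)
                alerts[(src, kind, detail)] = alerts.get((src, kind, detail), False) or ok
    return sorted((s, k, d, ok) for (s, k, d), ok in alerts.items())

def sample_flows():
    """Constructed records: an IT scanner sweeping 30 ports on one relay, then
    DNP3 across 8 relays; a SCADA master polling those same 8 relays on DNP3."""
    base = datetime(2020, 6, 1, 9, 0)
    rec = lambda secs, src, dst, port: f"{(base + timedelta(seconds=secs)).isoformat()} {src} {dst} {port}"
    lines = [rec(p, "10.1.1.50", "10.20.5.10", p) for p in range(1, 31)]
    lines += [rec(60 + n, "10.1.1.50", f"10.20.5.{n}", 20000) for n in range(10, 18)]
    lines += [rec(n, "10.20.1.2", f"10.20.5.{n}", 20000) for n in range(10, 18)]
    return lines
```

Running `detect_scans(sample_flows(), known_masters={"10.20.1.2"})` reports the scanner's port sweep and DNP3 sweep as unauthorized while staying silent about the master; passing a matching `scan_windows` entry flips the same alerts to authorized, which is the cue operators lacked in the incident.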

I continue to be very concerned that private sector and public sector (square peg) policy-making organizations simply do not have the technical depth in control system cybersecurity to make decisions about the cybersecurity of control systems (round hole). It’s not just an American problem. Recently, for example, the German cybersecurity policy organization (square peg) conducted table-top exercises focusing on power generation without any input from power generation engineering organizations (round hole). Control system cybersecurity training that includes unique issues such as process sensors, system interactions, and common cause failures is necessary to educate both the workforce and decision makers.

These issues of “square-peg networks” vs “round-hole engineering” will be the subject of my presentation on October 26 in Minneapolis (

Joe Weiss
