Joe Weiss on industrial security standards: “This is about facilities being destroyed and people being killed”

PPR interviewed Joe Weiss, managing partner of Applied Control Solutions and the author of Protecting Industrial Control Systems from Electronic Threats, on a new initiative by the ISA99 committee of the International Society of Automation to create security standards for industrial sensors, actuators, and drives. In the ISA-95 reference architecture, these devices and their controllers correspond to level 0 and level 1. The interview has been edited for clarity.   

PPR: What’s the implication of billions of IoT devices coming online in industrial settings?

Weiss: I have some problems with the estimates. They’re mixing Fitbits and refrigerators with industrial process sensors and controllers. A process sensor in a power plant or a pipeline is very different than a home sensor. The vast majority of new sensors are not for industrial applications, and that’s getting lost.

There’s certainly a big number, but it’s not the billions that many IoT think tanks keep mentioning.

PPR: Is Mirai a sign of what’s to come in the future, or do you think that companies and governments have a good handle on IoT security?

Weiss: They don’t. ISA99 is starting a new working group on what’s called Level 0-Level 1, because none of our major industrial vendors makes secure, authenticated process sensors, actuators, or drives.

PPR: But the standards are in place, aren’t they?

Weiss: No! That’s exactly why we’re starting the ISA99 Working Group. What’s happened is very simple: IT has led cyber security. So cyber security has been all about the networks, as that’s what IT knows. The process sensors, actuators, and drives are engineering systems. Consequently, they have not been given security consideration.

We’re talking pipelines, power plants including nuclear, trains, manufacturing, water systems, and buildings. Security hasn’t reached what you measure and what you control. In other words, the things that actually cause control to happen, such as a motor or a valve or a damper, don’t yet have security or authentication.

PPR: When you hear vendors talking about their security, actually what they’re talking about is IT security, then.

Weiss: What they’re talking about is the network. And the things you keep hearing about are IT/OT convergence. But that doesn’t include the sensors, actuators, or the drives (Level 0,1). Yet, it’s the Level 0,1 devices that are most critical for safety.

PPR: Why has it taken so long for ISA or other organizations to turn to the specific problems you’re talking about?

Weiss: Because Level 0,1 is engineering, not networking. And the engineering/IT divergence goes back to 9/11, as I mentioned in my December 11th blog on a brief history of ICS cyber security.

The turning point was 9/11, because before 9/11, the organization that owned these systems also “owned” cyber security of those systems. However, on 9/12, the day after 9/11, cyber security became national security and cyber security moved to IT. As IT generally does not understand ICS, we’ve been suffering with their view of cyber security since.

My analogy of, ‘if you’re a doctor and you can’t trust your temperature or your blood pressure readings, how can you make a diagnosis?’ describes the culture problem that continues to exist. All of IT cybersecurity is about making the diagnosis. Almost nobody is asking, can we even trust the sensors, which is at the heart of IoT? Yet IoT is all about more sensors using high-powered data analytics. If you can’t trust your sensors, what does that mean about IoT?

PPR: Who will be participating in the Level 0-Level 1 initiative?

Weiss: As of this morning’s (December 14th) call, we had vendors, end-users, consultants, and even a government representative – from Germany. But basically Level 0,1 devices are not in the “sweet spot” for most cybersecurity firms. What cyber security organizations have done up till now is assume that whatever the sensors are telling you must be correct. And what the cyber security organizations have done is spend their efforts on the networks.

PPR: Could you name some of the vendors that are participating?

Weiss: Today was the initial call and we had representatives from Siemens, Schneider, Honeywell, GE, and Cisco participating. I would hope all of the ICS vendors and cyber security practitioners will eventually participate as the lack of Level 0,1 security is a risk issue for everyone in this space.

And let me give you a scary story. I gave a presentation at this year’s DEFCON conference on the lack of Level 0,1 security. On October 24th, as I was getting ready to give the state of the state presentation at the Security Week ICS Cyber Security Conference, I happened to look at my LinkedIn account. I had a ‘like’ from that DEFCON presentation and it turned out to be from a senior engineer in Iran – they know! Think about that, as today FireEye identified a safety system being hacked in Saudi Arabia and I think it is a safe assumption to say it was from Iran.

The lack of Level 0,1 security hits at the heart of IIoT. It also hits at the heart of the industrial cloud because every cloud vendor assumes that all sensor input is secure and authenticated.

PPR: So let’s assume that the ISA99 kickoff meeting goes well, and there’s an initiative to establish standards for these different types of things.

Weiss: The first task is to review the existing standards and identify gaps with respect to Level 0,1 devices. Additionally, Level 0,1 device issues are not just cyber security but also affect process safety. Level 0,1 devices are what the network cyber security doesn’t adequately address. Yet, this is where facility and personal safety are at risk.

PPR: Now, as you know, an initiative like this is going to take many years to actually start getting somewhere.

Weiss: You’ve got to start somewhere. I had identified the Level 0,1 issue as far back as 2000 when I helped start the cyber security program for the electric utilities. And it’s kind of a damning statement to say it’s now almost 2018 and we haven’t even started.

The lack of Level 0,1 cyber security is a major risk which has nothing to do with somebody stealing data. This is about facilities being destroyed and people being killed. So I would expect the vendors are going to be actively involved because they are at risk too. I believe they want to know what’s the right thing to do. This is not a me vs. them situation. This is, ‘whoops, we forgot something.’

PPR: In the meantime, what does a manager of a power plant or a factory do?

Weiss: We’ve got to educate people to even look under the rock. What they do now is they pick up their feet and step over the rock. This means understanding the unique issues with ICS cyber security starting at Level 0,1. We also need technologies to monitor Level 0,1 devices BEFORE they become Ethernet packets. So far, there is at least one company working in this area.

What they assumed was it’s the Internet that’s the problem. The Internet is a problem with the network. Therefore, that’s where people went.

PPR: Many industries consider themselves to be vertically oriented.

Weiss: No. The same Rockwell programmable logic controllers used in power plants are also used in water, oil, gas, chemicals, manufacturing, railroads, amusement parks, breweries, ships, and buses. Consequently, the approach ISA99 took is to develop cyber security standards and recommended practices that would be applicable for pipelines, etc. There is no difference! Consequently, there is concern with the revelation today about the cyber attack on the Triconex PLC, because this device is used in many industries including nuclear plants, refineries, chemical plants, water systems, etc.

PPR: Is the Government going to have anyone there?

Weiss: My co-chair is from the Oak Ridge National Laboratory. Other than my co-chair, the only government representative on today’s call was from Germany.

Weiss writes about industrial security at the Unfettered Blog.

This is an excerpt from Priority Payload Report.