Tag: security

Spectre and Meltdown: “The cure may be worse than the disease”

There are two new serious security vulnerabilities out in the wild that affect everyone reading this article. You can read the background on Spectre (affects almost all modern processors made by Intel, AMD, and others) and Meltdown (Intel, Qualcomm, and one type of ARM chip), but the big question for industrial users is how it will impact operations.

The short answer is: No one knows for sure. In theory, Meltdown allows “deep access” to kernel operations, which could affect everything from gateways to cloud servers. Spectre could afflict “all modern processors capable of keeping many instructions in flight” including smartphones. So far, no attacks have been observed in the wild, but we all know how that story goes. It’s only a matter of time before the baddies exploit the vulnerabilities.

In the meantime, industrial vendors have started to issue advisories and patches, especially for Meltdown (Spectre requires a complete redesign of the chip’s architecture, and fixes are apparently limited). Security Week has a rundown of statements and advisories from Rockwell, Siemens, Schneider Electric, ABB, and BD. Other patches and advisories include:

One of the biggest concerns about the fixes is the performance hit, widely reported to be 30% based on benchmarks. Industrial security expert and PPR regular Joe Weiss summed up the problem for industrial users:

“We have a lot of older systems and a lot of these older systems are very resource constrained. When you’re talking about possibly a 30 percent hit on performance, that can actually shut down many of our older legacy control systems. The cure could be much worse than the disease.”

Endpoint: Meltdown and Spectre are serious security vulnerabilities whose impact will be felt for many years to come. Reduced performance can take some older systems offline, a prospect that may force some users to upgrade their own systems. Infrastructure vendors know this, and will surely play up the FUD element to boost sales and maintenance contracts.

Joe Weiss on industrial security standards: “This is about facilities being destroyed and people being killed”

PPR interviewed Joe Weiss, managing partner of Applied Control Solutions and the author of Protecting Industrial Control Systems from Electronic Threats, on a new initiative by the ISA99 committee of the International Society of Automation to create security standards for industrial sensors, actuators, and drives. In the ISA-95 reference architecture, these devices and their controllers correspond to level 0 and level 1. The interview has been edited for clarity.

PPR: What’s the implication of billions of IoT devices coming online in industrial settings?

Weiss: I have some problems with the estimates. They’re mixing fitbits and refrigerators with industrial process sensors and controllers. A process sensor in a power plant or a pipeline is very different than a home sensor. The vast majority of new sensors are not for industrial applications, and that’s getting lost.

There’s certainly a big number, but it’s not the billions that many IoT think tanks keep mentioning.

PPR: Is Mirai a sign of what’s to come in the future, or do you think that companies and governments have a good handle on IoT security?

Weiss: They don’t. ISA99 is starting a new working group on what’s called Level 0-Level 1, because none of our major industrial vendors makes secure, authenticated process sensors, actuators, or drives.

PPR: But the standards are in place, aren’t they?

Weiss: No! That’s exactly why we’re starting the ISA99 Working Group. What’s happened is very simple: IT has led cyber security. So cyber security has been all about the networks, as that’s what IT knows. The process sensors, actuators, and drives are engineering systems. Consequently, they have not been given security consideration.

We’re talking pipelines, power plants including nuclear, trains, manufacturing, water systems, and buildings. Security hasn’t reached what you measure and what you control. In other words, the things that actually cause control to happen, such as a motor or a valve or a damper, don’t yet have security or authentication.

PPR: When you hear vendors talking about their security, actually what they’re talking about is IT security, then.

Weiss: What they’re talking about is the network. And the things you keep hearing about are IT/OT convergence. But that doesn’t include the sensors, actuators, or the drives (Level 0,1). Yet, it’s the level 0,1 devices that are most critical for safety.

PPR: Why has it taken so long for ISA or other organizations to turn to the specific problems you’re talking about?

Weiss: Because Level 0,1 is engineering, not networking. And the engineering/IT divergence goes back to 9/11, as I mentioned in my December 11th blog on a brief history of ICS cyber security.

The turning point was 9/11, because before 9/11, the organization that owned these systems also “owned” cyber security of those systems. However, on 9/12, the day after 9/11, cyber security became national security and cyber security moved to IT. As IT generally does not understand ICS, we’ve been suffering with their view of cyber security since.

My analogy of, ‘if you’re a doctor and you can’t trust your temperature or your blood pressure readings, how can you make a diagnosis?’ describes the culture problem that continues to exist. All of IT cybersecurity is about making the diagnosis. Almost nobody is asking whether we can even trust the sensors, which are at the heart of IoT. Yet IoT is all about more sensors using high-powered data analytics. If you can’t trust your sensors, what does that mean about IoT?

PPR: Who will be participating in the Level 0-Level 1 initiative?

Weiss: As of this morning’s (December 14th) call, we had vendors, end-users, consultants, and even a government representative, from Germany. But basically Level 0,1 devices are not in the “sweet spot” for most cybersecurity firms. What cyber security organizations have done up till now is assume that whatever the sensors are telling you must be correct. And what the cyber security organizations have done is spend their efforts on the networks.

PPR: Could you name some of the vendors that are participating?

Weiss: Today was the initial call and we had representatives from Siemens, Schneider, Honeywell, GE, and Cisco participating. I would hope all of the ICS vendors and cyber security practitioners will eventually participate as the lack of Level 0,1 security is a risk issue for everyone in this space.

And let me give you a scary story. I gave a presentation at this year’s DEFCON conference on the lack of level 0,1 security. On October 24th, as I was getting ready to give the state of the state presentation at the Security Week ICS Cyber Security Conference, I happened to look at my LinkedIn account. I had a ‘like’ from that DEFCON presentation and it turned out to be from a senior engineer in Iran. They know! Think about that, as today FireEye identified a safety system being hacked in Saudi Arabia, and I think it is a safe assumption to say it was from Iran.

The lack of Level 0,1 security hits at the heart of IIoT. It also hits at the heart of the industrial cloud because every cloud vendor assumes that all sensor input is secure and authenticated.

PPR: So let’s assume that ISA 99 kickoff meeting goes well, and there’s an initiative to establish standards for these different types of things.

Weiss: The first task is to review the existing standards and identify gaps with respect to Level 0,1 devices. Additionally, Level 0,1 device issues are not just cyber security but also affect process safety. Level 0,1 devices are what the network cyber security doesn’t adequately address. Yet, this is where facility and personal safety are at risk.

PPR: Now as you know an initiative like this is going to take many years to actually start getting somewhere.

Weiss: You’ve got to start somewhere. I had identified the Level 0,1 issue as far back as 2000 when I helped start the cyber security program for the electric utilities. And it’s kind of a damning statement to say it’s now almost 2018 and we haven’t even started.

The lack of Level 0,1 cyber security is a major risk which has nothing to do with somebody stealing data. This is about facilities being destroyed and people being killed. So I would expect the vendors are going to be actively involved, because they are at risk too. I believe they want to know what’s the right thing to do. This is not a me vs. them situation. This is, ‘whoops, we forgot something.’

PPR: In the meantime, what does a manager of a power plant or a factory do?

Weiss: We’ve got to educate people to even look under the rock. What they do now is pick up their feet and step over the rock. This means understanding the unique issues with ICS cyber security starting at Level 0,1. We also need technologies to monitor Level 0,1 devices BEFORE they become Ethernet packets. So far, there is at least one company working in this area.

What they assumed was it’s the Internet that’s the problem. The Internet is a problem with the network. Therefore, that’s where people went.

PPR: Many industries consider themselves to be vertically oriented.

Weiss: No. The same Rockwell programmable logic controller used in power plants is also used in water, oil, gas, chemicals, manufacturing, railroads, amusement parks, breweries, ships, and buses. Consequently, the approach ISA 99 took is to develop cyber security standards and recommended practices that would be applicable for pipelines, etc. There is no difference! Consequently, the concern with the revelation today about the cyber attack on the Triconex PLC is that this device is used in many industries including nuclear plants, refineries, chemical plants, water systems, etc.

PPR: Is the Government going to have anyone there?

Weiss: My co-chair is from the Oak Ridge National Laboratory. Other than my co-chair, the only government representative on today’s call was from Germany.

Weiss writes about industrial security at the Unfettered Blog.

Reaction to Triconex breach: “We have to isolate safety from all other systems”

In the wake of a serious security breach involving Schneider Electric’s Triconex industrial safety system at a “critical infrastructure” facility overseas, Priority Payload Report talked with Joe Weiss, managing partner of Applied Control Solutions and the author of Protecting Industrial Control Systems from Electronic Threats. Weiss has decades of experience in the energy industry and serves on the ISA99 committee of the International Society of Automation.

PPR: Why is the incident involving Schneider Electric’s Triconex safety system such a big deal?

Weiss: Triconex and Siemens have a large segment of the safety systems worldwide, and Triconex also happens to be used in many U.S. nuclear power plants, as Triconex has been certified by the NRC for nuclear safety applications. Schneider for years has said you can’t hack Triconex because it’s triple-redundant. Triple-redundant improves reliability but does not address cyber security.

PPR: What is a typical industrial scenario that would require the triple-redundant PLC?

Weiss: In a refinery, you would use this to make sure that the safety valves would open if the pressure got too high, so a pipe doesn’t burst. Safety systems are used to make sure that you don’t have a pipe break or a valve releasing toxic chemicals, to prevent trains from crashing, etc.

PPR: So this isn’t about IT security, but facility integrity and human life at risk.

Weiss: Safety systems are to protect facility integrity and human life, not for data.

PPR: We don’t know all of the details of the incident, but is this a situation in which air-gapping that particular PLC could have prevented the breach?

Weiss: We have to isolate or air gap safety from all other systems. Today, non-nuclear safety standards allow safety to talk to non-safety. Nuclear does not allow safety systems to mix with non-safety. The nuclear plant approach must be extended to non-nuclear safety systems.

PPR: If a manager or engineer at a power plant came to you and said, ‘I just heard about this incident involving Triconex, which we have implemented in our facilities. What should I be doing now?’

Weiss: The very first thing is make sure safety doesn’t touch non-safety, including basic process control systems, much less the business network.

PPR: So other than nuclear, there are no requirements to have this kind of separation.

Weiss: No, that’s part of what we’re going to have to address in the new ISA Level 0, Level 1 Task Force.

Weiss has also blogged about the Triconex events and associated safety issues at “Implications of the Triconex safety system hack – Stuxnet part 2?”

Long-distance shipping: A weak link in #IoTsecurity

Last week I read a post by Pen Test Partners about how container ships could be hacked via the container load plan (aka ship planning system or stowage plan) which determines where containers are placed on oceangoing vessels. By messing with the computer models, an attacker could delay unloading of certain containers by days or weeks or even cause a ship to capsize.

[Image: container cargo freight ship being loaded by crane at a shipyard at dusk]

For the container ships, there are multiple attack vectors, including the fact that the weight data is transferred by USB and email. But it wasn’t hard to imagine how compromised IoT could lead to similar disasters.

Imagine weight sensors on a ship being set to randomly over or underreport containers’ combined weight. You could end up with one side of the ship grossly overweight, and the crew being unaware of the problem until it’s too late.

Or, in cargo vessels carrying chemicals, fuel, or LNG, what would happen if temperature, pressure, and leakage sensors were compromised? Scary.
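One defensive counterpart to the scenario above, written for this page as an added example (it is not code from the PPR post or from Pen Test Partners’ write-up): rather than trusting a single weight feed, cross-check the stowage plan against physically independent measurements, so that a spoofed sensor or an edited load plan shows up as a contradiction before the ship sails. The example assumes a constructed four-container plan, a constructed vessel displacement and metacentric height, terminal weighbridge figures as the independent per-container source, and the standard small-angle static stability relation tan(heel) = transverse moment / (displacement × GM); container ids, readings and tolerances are sample values.

```python
# Added example, not from the PPR post or the Pen Test Partners write-up:
# cross-check a ship's stowage plan against independent physical
# measurements so that tampered weight data does not go unnoticed.
# Ship geometry, the stowage plan and the sensor readings are constructed
# sample values; the heel formula is the standard small-angle static
# stability relation tan(heel) = transverse moment / (displacement * GM).
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Container:
    box_id: str
    transverse_m: float        # lever arm from centreline; +starboard, -port
    declared_tonnes: float     # weight as stated in the stowage plan
    weighbridge_tonnes: float  # independent terminal weighing of the same box


def transverse_moment(plan):
    """Net heeling moment (tonne-metres) implied by the declared weights."""
    return sum(c.declared_tonnes * c.transverse_m for c in plan)


def expected_heel_deg(plan, displacement_t, gm_m):
    """Static heel angle (degrees) the declared weights should produce."""
    return math.degrees(math.atan(transverse_moment(plan) / (displacement_t * gm_m)))


def heel_consistency(plan, displacement_t, gm_m, measured_heel_deg, tolerance_deg=1.0):
    """Compare the plan's predicted heel with the inclinometer reading.

    A large gap means the declared weights and the ship's actual condition
    disagree: either the plan or the sensor feed has been altered (or a
    sensor has failed), and the cargo should be re-verified before sailing.
    """
    expected = expected_heel_deg(plan, displacement_t, gm_m)
    gap = measured_heel_deg - expected
    return {
        "expected_heel_deg": round(expected, 3),
        "measured_heel_deg": measured_heel_deg,
        "gap_deg": round(gap, 3),
        "consistent": abs(gap) <= tolerance_deg,
    }


def weight_mismatches(plan, rel_tol=0.05, abs_tol_t=1.0):
    """Per-container check: declared weight vs the independent weighbridge figure.

    Returns the ids of containers whose two weight sources disagree by more
    than the tolerance. One source being wrong is exactly what a spoofed
    sensor or an edited load plan produces.
    """
    flagged = []
    for c in plan:
        diff = abs(c.declared_tonnes - c.weighbridge_tonnes)
        if diff > max(abs_tol_t, rel_tol * c.weighbridge_tonnes):
            flagged.append(c.box_id)
    return flagged


# Constructed sample: a four-container plan that is perfectly balanced on paper.
SAMPLE_PLAN = [
    Container("BOX-001", +10.0, 20.0, 20.2),
    Container("BOX-002", -10.0, 20.0, 19.8),
    Container("BOX-003", +5.0, 30.0, 42.0),   # plan says 30 t, weighbridge says 42 t
    Container("BOX-004", -5.0, 30.0, 30.1),
]
DISPLACEMENT_T = 8000.0   # constructed: small feeder vessel
GM_M = 1.2                # constructed metacentric height, metres


def run_checks(measured_heel_deg):
    """Run both cross-checks; the caller decides what a failed result triggers."""
    return {
        "heel": heel_consistency(SAMPLE_PLAN, DISPLACEMENT_T, GM_M, measured_heel_deg),
        "weight_mismatches": weight_mismatches(SAMPLE_PLAN),
    }


if __name__ == "__main__":
    # The plan predicts an upright ship; the inclinometer reports 2.5 degrees of heel.
    print(run_checks(measured_heel_deg=2.5))
```

The point of using two unrelated sources is that the check still fires when the plan and the shipboard weight sensors agree with each other, because an inclinometer and a terminal weighbridge are not reachable through the same USB stick or email attachment that carried the plan. In the sample, the per-container check flags BOX-003 and the aggregate check reports that the measured heel contradicts the plan; either result is a reason to re-weigh before departure rather than to trust the feed.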

Similar exploits can be applied to other types of cargo-carrying vehicles, from airplanes to tanker trucks. And we know that hacking IoT sensors can (and will) happen, thanks to Mirai.

There are other dimensions to the IoT security picture when it comes to cargo:

  • The trend toward autonomous vehicles — many factories and mining operations already use them, and Tesla’s futuristic big rig shows what might be coming down the road in a few years’ time.
  • It’s difficult to monitor a cargo ship in the middle of the ocean or a truck on a remote stretch of highway, let alone apply patches in an emergency situation.
  • Spending on IoT security lags compared to other enterprise/industrial investments in IoT.

Added up, these trends are cause for worry. No major incidents have happened yet (that we know about, at least) but it’s inevitable unless managers and manufacturers take steps to secure transport-associated IoT.

In the transportation/cargo space, IoT vulnerabilities may have a far greater impact, reaching well beyond the entities victimized by a hack. And it’s not just the transportation industry that has to deal with the security implications of an IoT hack. Basically, if your company has vehicles with sensors and connectivity, including forklifts or fleet vehicles, they need to be evaluated, secured, monitored, and patched just like any piece of IT hardware or expensive metal on the factory floor.

Image source: Depositphotos