A Current View Of Gaps In Operational Technology Cybersecurity

Joe Weiss and Richard Ku

Contents

Cybersecurity
Control Systems
Control System Cybersecurity
The Need to Address the Growing Gap Between IT/OT and Engineering
Misconceptions
Nature of ICS Cyberthreats
Nature and History of Control System Cyber Incidents
Cybersecurity Strategy and Security Controls

TREND MICRO LEGAL DISCLAIMER

The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice.

Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes.

Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an "as is" condition.

Published by Trend Micro Research

Written by Joe Weiss, Applied Control Solutions, LLC, and Richard Ku, Trend Micro Incorporated

Stock image used under license from Shutterstock.com

The purpose of control system cybersecurity is to protect the control systems and the processes they monitor and control from electronic threats — that is, to "keep lights on and water flowing." Networks are a support function in the overall objective of safety, reliability, and productivity — that is, to optimize the processes. What makes control system cybersecurity different from IT cybersecurity is the need to protect life and physical property. Because unintentional cyber incidents can be just as deadly and damaging as malicious events, both must be addressed.

Monitoring and preventing compromise of data has been an IT function since the late 1980s, while control system cybersecurity has been a major issue since 1998, with the signing of Presidential Decision Directive 63 in the US, which tackles critical infrastructure protection.[1]

Before 9/11, cybersecurity was simply one of the risks that had to be considered when designing and implementing control systems, alongside seismic, environmental, fire, and reliability concerns. As these were all engineering considerations, control systems were considered an engineering function. The intent was to ensure that the engineering basis of the design would be met regardless of the risk. Consequently, the engineering organization was in charge, and its function included cybersecurity. The focus was from the "bottom up." The main consideration was whether the process could be affected, which was essentially process anomaly detection or, in other terms, mission assurance.

After 9/11, cybersecurity became a matter of national security. It was at this time that the cybersecurity function for control systems was moved to the IT organization and engineering was no longer involved. Consequently, all cybersecurity monitoring and mitigation were at the IP (Internet Protocol) network layer — network anomaly detection. As a result, control system cybersecurity went from being mission assurance to information assurance.

Since engineering systems are not within IT's purview, control system devices — such as process sensors, actuators, and drives — still do not have capabilities for cybersecurity, authentication, or cyberlogging, nor can they be upgraded. Lower-level sensor networks — such as HART (Highway Addressable Remote Transducer),[2] Profibus,[3] and Fieldbus[4] — also have no cybersecurity.

The lack of focus on control system devices is still occurring. There is a need for cybersecurity to protect all the systems at all levels of the industrial control system (ICS) environment, as the old adage that a breach arises from the weakest link applies to control systems. Moreover, because of the continuing profusion of ransomware attacks, there has not been the same focus on cyberattacks that could cause physical damage.

Glossary

The following are a few terms used in control system cybersecurity and their corresponding definitions. The terms IT, OT, IT/OT convergence, and IoT come from the ISA TS12 Industrial Networking and Security course.

Information technology (IT): This refers to the study or use of systems (especially computers and telecommunications) for storing, retrieving, and sending information.

Operational technology (OT): This refers to hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes, and events.[5] OT is not the pumps, the valves, or other hardware, nor does it include the engineers and the technicians responsible for the equipment.

IT/OT convergence: This refers to the integration of IT with OT systems.

Internet of things (IoT): This refers to the internetworking of physical devices (also referred to as "connected devices" or "smart devices") and other items embedded with electronics, software, sensors, and network connectivity, which enable these objects to collect and exchange data. The term mostly refers to consumer devices such as smart watches, smart printers, and smart cars.

Cyber incident: The de facto IT definition of a cyber incident is when a computer system is connected to the internet and is running Windows, and data is maliciously being manipulated or stolen. It is about privacy. The definition by the National Institute of Standards and Technology (NIST) is an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability (CIA) of an information system or the information the system processes, stores, or transmits, or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. Incidents may be intentional or unintentional.[6] It should be noted that there is no mention of "malicious" or safety. It should also be noted that for control systems, I and A are much more important than C.

Smart: When applied to things such as cities, grids, sensors, and manufacturing, this refers to two-way communications and programmability, and includes Industry 4.0 and the industrial internet of things (IIoT). All of these technologies are cyber-vulnerable.

Cybersecurity

Cybersecurity became an IT issue after the first virus or worm was identified in the late 1980s. The Morris worm of Nov. 2, 1988 — usually considered the first computer worm and certainly the first to gain significant mainstream media attention — was distributed via the internet. This worm resulted in the first conviction in the US under the 1986 Computer Fraud and Abuse Act. IT cyberattacks have continued unabated, leading to widespread attention and legislation. IT cybersecurity threats have also led to the development of the cybersecurity industry — with companies like Trend Micro, McAfee, and Symantec — and cybersecurity policies — starting with ISO/IEC 27000, which is part of a growing family of ISO/IEC information security management systems (ISMS) standards within the field of information and IT security. Standards include general methods, management system requirements, techniques, and guidelines for addressing both information security and privacy. However, these standards are IT-focused and do not address the unique issues associated with control systems, including reliability and safety. This has led to the establishment of ISA99, which is developing the IEC 62443 series of cybersecurity standards specific to automation and control systems, as illustrated in Figure 1.[7] And as digital transformation happens across many verticals and industries, other standards will also need to be updated to ensure that they can meet the cybersecurity challenges of these fast-changing verticals and industries.

Figure 1. ISA/IEC 62443 control system cybersecurity standards (figure; the chart groups the series into four tiers. General: terminology, concepts, and models; master glossary of terms and abbreviations; system security compliance metrics; IACS security life cycle and use cases. Policies and procedures: requirements for an IACS security management system; implementation guidance for an IACS security management system; patch management in the IACS environment; installation and maintenance requirements for IACS. System: security technologies for IACS; security levels for zones and conduits; system security requirements and security levels. Component: ISA-62443-4-1 product development requirements; ISA-62443-4-2 technical security requirements for IACS components.)

Control Systems

The Purdue Reference Model, shown in Figure 2,[8] was developed in the 1990s to identify information flows in control systems. Cybersecurity was not an issue for the reference model. The Purdue Reference Model was also based on the technology existing at the time, which made discriminating between sensors, controllers, process control networks, and other elements straightforward as their capabilities were limited. With the microprocessor and communication revolution, the reference model levels are no longer so straightforward, as the technologies enable process sensors to also have programmable logic controller (PLC) capabilities and even communication gateway capabilities.

The Level 0,1 devices used in critical infrastructures are not cyber-secure. In fact, many instrumentation and low-level instrumentation networks may not be able to be secured. Levels 2 and 3 are critical to secure as they generally use traditional networking architectures to communicate with other control systems within the facility and can also communicate with the cloud.

The cloud level was not considered when the model was developed. It is currently being lumped within Level 5. Consideration should be given to creating a new level specifically for the cloud. This is especially important for verticals like manufacturing, healthcare, and retail as these are industries that seem to adopt cloud and virtualization faster than other industries like oil, gas, and power.

This is in contrast to the International Standards Organization (ISO) seven-layer model that was developed for network communications and security.[9] The ISO model divides network communication into Layers 1 to 4, which are considered the lower layers and mostly concern themselves with moving data around. Layers 5 to 7, called the upper layers, contain application-level data. Networks operate on one basic principle: "Pass it on." Each layer takes care of a very specific job and then passes the data on to the next layer. This is exactly what occurs at the Purdue Reference Model Level 2 and 3 networks.

Figure 2. The Purdue Reference Model (figure; the levels and the typical time scale at each are:
Level 6, the cloud: seconds to minutes, depending on how the device is communicating with the cloud
Level 5, enterprise network (email, internet, etc.): days to [illegible]
Level 4, site business planning and logistics network (enterprise security zone): hours to days
Industrial demilitarized zone (DMZ): firewall, remote gateway services, patch management, application mirror, AV server, web
Level 3, site operations (FactoryTalk application server): minutes to hours
Level 2, area supervisory control (FactoryTalk client): seconds to minutes
Level 1, basic control (drive control, cell/area zones): milliseconds to seconds
Level 0, process (drives, robots, actuators): real time to milliseconds)

A typical control system is composed of Level 0,1 devices (sensors, actuators, and drives) connected to Level 2 controllers that are connected to process control networks and human-machine interfaces (HMIs), also known as operator displays, at Level 3, which are connected to long-term databases and off-site facilities including the internet at Level 4. Levels 3 and 4 have the capabilities for cybersecurity and cyberlogging, and generally use IP networks, as shown in Figure 2. The sensors and the actuators operate almost exclusively in near-real time (microseconds to milliseconds), whereas the HMIs provide operator information on the order of seconds to minutes. The sensors and the actuators can operate — and in most cases were designed to function — without the IP network.

Figure 2 provides a representation of the equipment and the information flows in a typical process system from the process (Purdue Reference Model Level 0) to the enterprise resource planning (ERP) systems (Purdue Reference Model Level 4). Generally, the demilitarized zone (DMZ) server would reside at Level 3.5. However, as technology has moved the intelligence further down to the lower-level devices, modern smart sensors can act not only as sensors but also as PLCs and gateways since they are equipped with Ethernet ports that allow direct communication with the cloud or the internet, bypassing the Level 3.5 DMZ. This capability, which provides improved productivity, also introduces a very significant cyber risk as the digital sensors have built-in backdoors to allow for calibration and other maintenance activities without a firewall or authorization.

As organizations transform their businesses with the adoption of the cloud and virtualization to help provide better visibility and improve productivity and efficiency, we believe there is a new level, Level 6: the cloud, which needs to be considered for cybersecurity.

Figure 3 shows how business risk and cyberthreats are directly connected, and we have seen this risk model prove correct over the last several decades across several big transformations — from client/server architecture, to LAN/WAN architecture, to the internet architecture, to the cloud/SaaS/container architecture, and now to the convergence of IT/OT and the OT digital transformation architecture.

Figure 3. Evolution of industrial cyber risk (figure; Industry 1.0 through Industry 4.0 are plotted against business and operational risk, low to high, and environmental complexity, low to high. Each step brings increased automation, increased connectivity, increased complexity, and increased attacker sophistication, i.e., increased risk.)

Control System Cybersecurity

In order to understand the cybersecurity status of an organization's OT and control system environment, an example of which is shown in Figure 4, there is a need to understand how the control systems interact with the different threat vectors that could potentially affect their OT environment.

Figure 4. A typical organization's OT and control system environment (figure; field devices such as sensors, control valves, motor controls, meters, PLCs, I/O, and field wireless connect over remote comms to a control center containing the SCADA server, master, HMIs (operator displays), EMS, and DCS, which in turn connects to the internet. The field device level is annotated "No cybersecurity.")

The Level 0,1 sensors are like the sense of touch in our fingers and toes. They provide the stimuli to our brains, which are the control system. If the sensing input to our brains is wrong for any reason, the actions of the brain will not be correct. For example, if our fingers are insensitive to a flame near them, the brain will not react to pull our fingers away from the flame. In the physical world, sensors measure pressure, level, flow, temperature, voltage, current, strain, color, humidity, vibration, volume, chemistry, and other parameters. The measurements are input to control systems such as PLCs and electrical breakers, which are programmed to maintain systems within physical constraints based on sensor readings. The sensor readings are assumed to be stable and accurate. Consequently, calibration intervals are generally scheduled every 1 to 3 years to "recorrect" the sensor readings as they "drift" over time.

In the 1970s through the mid-1990s, sensors and control systems were isolated systems not connected to the outside world. They were entirely within the purview of the engineers who designed, operated, and maintained these systems. Consequently, the design and operational requirements were for performance and safety, not cybersecurity. The engineering data provided by the "dumb" sensors and control systems was useful only to the engineers. What changed was not the internet but the microprocessor. The microprocessor provided the calculation and conversion capability to take 1s and 0s that were not useful to anyone but the engineers and convert them into information that could be used by multiple organizations outside the engineering organization. It was the availability of this useful information that led to the desire to share it within and outside the immediate engineering facility. This enabled productivity improvements like "just-in-time" operation by sharing data with multiple organizations. The internet and modern networking technologies were the vehicles for disseminating this valuable information.

Modern communication technologies with improved analytics that are now employed at the smart device level enable Industry 4.0, the IIoT, transactive energy, and others, but at the price of significant cyber vulnerabilities that could affect the entire process. What is common among all these modern technologies that provide improved productivity is the dependence on reliable, accurate, and secure sensors, controls, and actuators. But what is missing? Cyber-secure sensors, controls, and actuators.

Figure 5 and Table 1 show some of the potential threat vectors to a control system environment. In some cases, the adversary is able to compromise the OT network from the IT environment. In other cases, the attacks come from physical attacks on the field network devices or software attacks injecting malware into the system during patches or firmware or software updates. There appears to be a lack of understanding about the number of potential attackers as well as the ease of attacking OT networks.

Figure 5. ICS attack vectors (figure; the layers shown are the internet, the business network, the control system network with primary historian, engineering workstations, and remote network router, and the field device network with field controller, field devices, and safety system. The attack vectors drawn against them are software attack, server attack, communication protocol attack, wireless attack, and physical attack.)

Table 1. Security challenges for OT environments

Vector/Attack surface/Category | Security issue | Operational issue
Local area networks for collecting and locally processing data from connected ICS objects | Lack of authentication and security in process sensors |
Transmission of data to the cloud via gateway | Lack of security protocols and gateways |
Processing and storage of data in the cloud by appropriate platforms and specific algorithms such as big data | Lack of data security | Compromised data could lead to equipment damage, regulatory issues, and personal safety hazards.
Interfacing between platforms and end users for monitoring | Lack of secure communication protocols | Use of the cloud could lead to unforeseen operation concerns.
Device/Control system | Lack of security in the development life cycle, which introduces vulnerabilities and unsecure passwords | Compromised devices could lead to their use in botnet attacks or manipulation of equipment for performing harmful activities.

The Need to Address the Growing Gap Between IT/OT and Engineering

There has been a trend of highly integrated industrial automation sharing more constructs with IT (known as IT/OT convergence). As opposed to IT security, control system cybersecurity is still a developing area. Control system cybersecurity is an interdisciplinary field encompassing computer science, networking, public policy, and engineering control system theory and applications. Unfortunately, today's computer science curriculum often does not address the unique aspects of control systems, as shown in Figure 6. Correspondingly, electrical engineering, chemical engineering, mechanical engineering, nuclear engineering, and industrial engineering curricula do not address computer security. Consequently, there is a need to form joint interdisciplinary programs for control system cybersecurity both in the university setting and in the industry.[10] The cultural gap between the cybersecurity and engineering organizations is alive and well, and starts at the university level. The impact of this gap is felt in the disparity between the engineering systems and cybersecurity product designs, as they are diverging rather than converging.

Figure 6. IT/OT vs. engineering – Packets vs. process (figure relating computer science, control system security, and process knowledge, annotated "Lack of understanding extends to both IT/OT and engineering")

Misconceptions

The prevailing view is that control system information is not publicly available. There are a limited number of control system suppliers, which supply control systems to all industries globally. Control system information often includes common passwords that cross industries and continents. There are a limited number of major system integrators, who also work on multiple industries worldwide. The control system vendor users' groups are open, with various information-sharing portals and other channels. Consequently, there is sharing of universal control system knowledge that is accessible by both defenders and attackers.

Another prevailing view is that network monitoring can detect all anomalies. However, it cannot detect communications from hardware backdoors. Some transformers have been known to include hardware backdoors, which allow attackers to remotely compromise the transformer control devices, including the load tap changer and protective relays, and consequently damage the transformers.

There is also a prevailing assumption that supervisory control and data acquisition (SCADA) systems or HMIs (master station) are used in all control systems. This is not true. For example, cruise control is a control system, yet there is no operator display specific to cruise control — just on or off. Many people assume that SCADA is needed to keep lights on or water flowing. SCADA is for process optimization and view. One US utility had its SCADA system hacked and lost for 2 weeks, but there was no loss of power and therefore no disclosure to the authorities. Many people also assume that the operator can prevent damage by using the HMI. The HMI responds in many seconds to minutes. A compromise of a system can occur in milliseconds, which is too fast for any operator. This does not mean, however, that an organization does not need to secure its SCADA systems or HMIs. It still needs to do so because lack of visibility and control into these systems could result in operation downtime and costly business impact.

Many people assume that control system devices can be accessed only from Ethernet networks. This is also not true. In fact, this assumption is the key to the Maginot Line, where all cybersecurity monitoring and mitigation assumes that all communications must go through the Ethernet networks. Monitoring the Ethernet networks is necessary, but it alone is not sufficient.

OT network security vendors and consultants assume the Level 0,1 process sensors or field devices are uncompromised, authenticated, and correct, and therefore the packet is all that needs to be monitored. However, there is no cybersecurity, authentication, or cyberlogging at Level 0,1. Sensors have been demonstrated to drift, which is why they need to be recalibrated. Sensor configurations such as span, range, and damping cannot be monitored from the Ethernet networks, yet they can be compromised. The Corsair demonstrations from Moscow, Russia, at the ICS Cyber Security Conference in 2014 showed how Level 0,1 vulnerabilities could be exploited.[11]

Many people assume that network vulnerabilities correspond to physical system impact. They do not. It is generally not possible to correlate the severity of a network vulnerability with the potential for hardware impact. It is also not possible to correlate a network vulnerability with specific equipment such as pumps, motors, or protective relays. Consequently, the question is: What should engineers do when they are apprised of cyber vulnerabilities?

Many people equate cybersecurity to safety. They are related but not the same. A process can be cyber-secure but not safe, since there are other features besides cybersecurity that can make the process unsafe. Conversely, a process can be safe but not cyber-secure if devices that are independent of any network are used for process safety.

The gap between networking (whether IT or OT) and engineering is summarized in Table 2.

Table 2. Differences between networking and engineering

IT/OT (Networking) | Engineering
Zero trust | 100% trust
Part of cybersecurity teams | Generally not part of any cybersecurity team
Worried about vulnerabilities | Worried about process and equipment
IP networks with security | Lower-level non-IP networks without security
Assume all comms go through IP network | Can get to Level 0,1 without IP network
Vulnerability assessments required | Level 0,1 not applicable
Nondeterministic | Deterministic
Worried about advanced persistent threats | Design features with no security
Focus on malicious attacks | Focus on reliability/safety

As can be seen in Table 2, networking and engineering are, in many cases, fundamentally different. Issues such as zero trust versus 100% trust fundamentally affect architecture, training, and policies. The difference between networking systems that are nondeterministic and control systems that are deterministic directly affects technology and testing. This difference has resulted in control systems having been shut down or even damaged because of the use of inappropriate network technology or testing tools.
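The misconceptions section argues that packet monitoring cannot see a drifted or reconfigured Level 0,1 sensor, and that span, range, and damping must be checked from the engineering side. As an added illustration (not code from the paper or its authors), the following Python script performs the kind of process-level plausibility checks an engineering organization can run from process values and from configuration read back during a device walk-down, independent of network traffic; the tags PT-101A and PT-101B, their configuration fields, and every reading are constructed.

```python
"""Process-level (Level 0,1) plausibility checks that do not rely on packets.

Added illustration; the transmitter tags, configuration records and readings
below are all constructed. The scenario: PT-101A's span is doubled through its
local maintenance interface, so each loop current now decodes to half the real
pressure while the network traffic carrying the value still looks normal.
"""
from dataclasses import dataclass, fields
from typing import Dict, List


@dataclass(frozen=True)
class SensorConfig:
    span: float          # engineering units covered by the 4-20 mA range
    lower_range: float   # value reported at 4 mA
    damping_s: float     # damping time constant in seconds


# Constructed engineering baseline for two redundant pressure transmitters.
BASELINE: Dict[str, SensorConfig] = {
    "PT-101A": SensorConfig(span=100.0, lower_range=0.0, damping_s=0.5),
    "PT-101B": SensorConfig(span=100.0, lower_range=0.0, damping_s=0.5),
}

# Constructed configuration read back from the devices during a walk-down.
READBACK: Dict[str, SensorConfig] = {
    "PT-101A": SensorConfig(span=200.0, lower_range=0.0, damping_s=0.5),
    "PT-101B": SensorConfig(span=100.0, lower_range=0.0, damping_s=0.5),
}

# Constructed readings in bar, one sample per second, as reported on the
# process network. Real pressure stays near 50 bar throughout.
SAMPLES: List[Dict[str, float]] = [
    {"t": 0.0, "PT-101A": 50.1, "PT-101B": 49.9},
    {"t": 1.0, "PT-101A": 50.3, "PT-101B": 50.0},
    {"t": 2.0, "PT-101A": 50.0, "PT-101B": 50.2},
    {"t": 3.0, "PT-101A": 25.1, "PT-101B": 50.1},  # span change takes effect
    {"t": 4.0, "PT-101A": 25.0, "PT-101B": 50.0},
]


def check_config_drift(baseline: Dict[str, SensorConfig],
                       current: Dict[str, SensorConfig]) -> List[str]:
    """Compare the engineering baseline with what the device reports now."""
    alerts = []
    for tag, base in baseline.items():
        cur = current.get(tag)
        if cur is None:
            alerts.append(f"{tag}: configuration could not be read")
            continue
        for f in fields(SensorConfig):
            b, c = getattr(base, f.name), getattr(cur, f.name)
            if b != c:
                alerts.append(f"{tag}: {f.name} changed from {b} to {c}")
    return alerts


def check_redundancy(samples: List[Dict[str, float]], tag_a: str,
                     tag_b: str, tol: float) -> List[str]:
    """Flag samples where redundant transmitters disagree by more than tol."""
    return [f"t={s['t']}: {tag_a}={s[tag_a]} vs {tag_b}={s[tag_b]} disagree"
            for s in samples if abs(s[tag_a] - s[tag_b]) > tol]


def check_rate_of_change(samples: List[Dict[str, float]], tag: str,
                         max_rate: float) -> List[str]:
    """Flag physically implausible jumps (engineering units per second)."""
    alerts = []
    for prev, cur in zip(samples, samples[1:]):
        rate = abs(cur[tag] - prev[tag]) / (cur["t"] - prev["t"])
        if rate > max_rate:
            alerts.append(f"t={cur['t']}: {tag} moved {rate:.1f}/s, limit {max_rate}")
    return alerts


def process_checks(samples, baseline, current, tol=2.0, max_rate=10.0):
    """Run every check and return the alerts keyed by check name."""
    tags = list(baseline)
    return {
        "config": check_config_drift(baseline, current),
        "redundancy": check_redundancy(samples, tags[0], tags[1], tol),
        "rate": [a for tag in tags
                 for a in check_rate_of_change(samples, tag, max_rate)],
    }


if __name__ == "__main__":
    for name, alerts in process_checks(SAMPLES, BASELINE, READBACK).items():
        print(f"{name}: {len(alerts)} alert(s)")
        for line in alerts:
            print("  ", line)
```

None of the three checks inspects a packet: the configuration check only works if the baseline is captured and the readback is performed by the engineering organization, which is the gap the paper describes.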

Nature of ICS Cyberthreats

Because of the potential damage that cyberattacks could have on businesses, the economy, and the defense industry, control system cybersecurity should be a top-level national security concern and a priority for every business. However, this is not the case. Arguably the greatest hindrance to critical infrastructure cybersecurity is the refusal to acknowledge the problem. Neither the Solarium Commission Report nor the CyberMoonShot program, for example, addressed the unique issues with control systems.[12] And in an article titled "Dismissing Cyber Catastrophe," James Andrew Lewis, a senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS), says that a cyber catastrophe captures our imagination, but in the final analysis, it remains entirely imaginary and is of dubious value as a basis for policymaking. According to Lewis, there has never been a catastrophic cyberattack. These statements are obviously not true. Consequently, despite recent attempts to address the problem, public policy prescriptions, although helpful, are far from sufficient. In fact, articles such as Lewis' can dissuade organizations from focusing their attention on control system cybersecurity.[13]

ICS honeypots have demonstrated that control system networks and devices are being targeted. In 2013, Trend Micro published research on a honeypot for a water system that mimicked a real system, including an HMI and other components of an ICS environment. In that research, there were 12 targeted attacks out of 39 total attacks. From March to June 2013, Trend Micro observed attacks originating in 16 countries, accounting for a total of 74 attacks on seven honeypots within the honeynet. Out of these 74 attacks, 11 were considered "critical." Some were even able to compromise the entire operation of an ICS device.[14]

In 2015, Trend Micro released research around the Guardian AST monitoring system using a honeypot called GasPot, which simulated a gas tank monitoring system.[15] The purpose of this honeypot was to deploy multiple unique systems that did not look the same but nonetheless responded like real deployed systems. Trend Micro evolved the ICS honeypot