Cybersecurity at the edge

Purdue Reference Model Level 0,1 field devices cybersecurity risks

By Bill Lydon

I had a discussion with Joe Weiss, PE, voting member and managing director of the ISA99, Industrial Automation and Control Systems Security committee, who is bringing into focus major cybersecurity and safety issues. He is committed to standards and practices to achieve secure systems. Weiss is an ISA Fellow, a Certified Information Security Manager (CISM), and is Certified in Risk and Information Systems Control (CRISC). Cybersecurity is a big issue that can have serious consequences. We discussed cybersecurity and safety issues, and my questions and his responses follow:

What are the most serious issues that are gaps in cybersecurity thinking today?

The first issue is the use of the word "edge." To the information technology community, an "edge" device is a router, switch, hub, cell phone, tablet, laptop, etc. To a control system engineer, an "edge" device is a sensor, actuator, or drive, that is, a Purdue Reference Model Level 0,1 device.

The lack of cybersecurity in Level 0,1 devices, as described in the Purdue Model and ISA95, stands out as a major area of vulnerability that is not being adequately addressed. Attacks at this level can directly impact the reliability and safety of processes, manufacturing, material handling, and overall production. Level 0,1 devices are the fundamental elements that manipulate physical processes and production. Devices include process sensors, analyzers, actuators, motor controls, and related instrumentation. These are the fundamental "things" that make process control and manufacturing automation possible, reliable, safe, and effective.

There has been a significant emphasis on computer systems and networks, which are important, but essentially no strategy for Level 0,1 devices. The lack of cybersecurity focus on Level 0,1 devices provides a serious cybersecurity exposure. The lack of cybersecurity and authentication in Level 0,1 devices has not been a consideration for almost all users and vendors. There seems to be an assumption that these devices are within the operations, so they are inherently either protected or unable to be affected. This is the same line of logic that opened the door for cybersecurity attacks that "walked in" on USB sticks.

For those who don't think it is possible to hack process sensors, consider simply using the hand-held HART/Foundation Fieldbus field communicator to change the process sensor ID. This can be either a malicious cyberattack or an unintentional error, often with little chance to tell the difference. Regardless of why, with the ID changed, the sensor will no longer be able to communicate with the programmable logic controller or distributed control system. There may be an alert, but it may be too late to prevent a catastrophic failure. This is not just loss of view and loss of control, but a loss of safety.

Because the cybersecurity of Level 0,1 devices is not being addressed elsewhere, the ISA99, Industrial Automation and Control Systems Security committee has established a new task group to identify if Level 0,1 devices are adequately addressed in the existing IEC 62443 series of standards, particularly IEC 62443-4-2, Technical Security Requirements for IACS Components. After review of the document, it is clear that the existing IEC 62443 standards, and also Institute of Electrical and Electronics Engineers (IEEE) power industry standards, do not address the unique issues associated with Level 0,1 devices. Additionally, the definition of Level 0,1 needs to be reassessed in light of modern communication and instrumentation technologies.

Do Level 0,1 cybersecurity considerations affect other ISA standards in addition to ISA99?

Yes, the considerations affect ISA18, Instrument Signals and Alarms; ISA50, Signal Compatibility of Electrical Instruments; ISA67, Nuclear Power Plant Standards; ISA77, Fossil Power Plant Standards; ISA75, Control Valve Standards; ISA84, Process Safety Standards; ISA-88, Batch Control; ISA95, Enterprise-Control Integration; ISA100, Wireless; ISA108, Intelligent Device Management; and ISA112, SCADA Systems.

Do Level 0,1 cybersecurity considerations affect other standards organizations?

Yes, including standards from the IEEE, the International Electrotechnical Commission (IEC), the American Society of Mechanical Engineers (ASME), and the American Institute of Chemical Engineers (AIChE), to name a few.

Is there coordination and cooperation between ISA and these other organizations?

To date, informal at best, though there is outreach.

Can Level 0,1 devices be compromised?

Yes. As there are currently no cyber-forensics at this level, it is generally not possible to determine if a problem is a sensor or actuator mechanical/electrical problem, a process anomaly, or a cyberattack. And, there have been many sensor-related cybersecurity catastrophic failures to date.


Fast Forward

  • Cybersecurity is not adequately addressed in Level 0,1 devices as described in the Purdue model and ISA95.
  • Not having cybersecurity protection or forensics for Level 0,1 devices invites unintended or malicious damage to production and people.
  • The ISA99, Industrial Automation and Control Systems Security, committee has established a new task group for Level 0,1 security issues.
 

About the Author

Bill Lydon is InTech’s chief editor. He has more than 25 years of industry experience in building, industrial, and process automation, including product design, application engineering, and project management.

About Joe Weiss

Joe Weiss, PE is a voting member and managing director of the ISA99, Industrial Automation and Control Systems Security committee and managing partner at Applied Control Solutions, LLC (www.realtimeacs.com), which provides thought leadership to industry and government in control system cybersecurity and optimized control system performance. He has more than 40 years of industrial instrumentation controls and automation experience, coupled with over 18 years in industrial control systems cybersecurity. He has provided support to domestic and international utilities and other industrial companies, prepared white papers on actual control system cyberincidents supporting NIST SP 800-53, and supported the NRC on the regulatory guide for nuclear plant cybersecurity. Weiss co-authored a chapter on cybersecurity for Electric Power Substations Engineering (first and second editions) and a chapter in Securing Water and Wastewater Systems. He wrote the book, Protecting Industrial Control Systems from Electronic Threats and was featured in Richard Clarke and R.P. Eddy's book, Warnings - Finding Cassandras to Prevent Catastrophes. He has prepared two modules for the IEEE Education Society and is a U.S. expert to IEC TC65 WG10 and IEC TC45A.

Resources

ISA99

The ISA99 standards development committee brings together industrial cybersecurity experts from across the globe to develop ISA standards on industrial automation and control systems security. This original and ongoing ISA99 work is being used by the International Electrotechnical Commission in producing the multistandard IEC 62443 series.

ISA Security Compliance Institute (ISCI)

ISCI is an operational group within ISA’s Automation Standards Compliance Institute. ASCI bylaws share the open constructs of ISA, while accounting for compliance organization requirements. Operating the ISA Security Compliance Institute within ASCI allows the organization to efficiently leverage the organizational infrastructure of ASCI. ISA provides professional management services to ASCI.

Reader Feedback

We want to hear from you! Please send us your comments and questions about this topic to InTechmagazine@isa.org.

 
 
