Cybersecurity at the edge
Purdue Reference Model Level 0,1 field devices cybersecurity risks
By Bill Lydon
I had a discussion with Joe Weiss, PE, voting member and managing director of the ISA99, Industrial Automation and Control Systems Security committee, who is bringing into focus major cybersecurity and safety issues. He is committed to standards and practices to achieve secure systems. Weiss is an ISA Fellow, a Certified Information Security Manager (CISM), and is Certified in Risk and Information Systems Control (CRISC). Cybersecurity is a big issue that can have serious consequences. We discussed cybersecurity and safety issues, and my questions and his responses follow:
What are the most serious issues that are gaps in cybersecurity thinking today?
The first issue is the use of the word "edge." To the information technology community, an "edge" device is a router, switch, hub, cell phone, tablet, laptop, etc. To a control system engineer, an "edge" device is a sensor, actuator, or drive, that is, a Purdue Reference Model Level 0,1 device.
The lack of cybersecurity in Level 0,1 devices, as described in the Purdue Model and ISA95, stands out as a major area of vulnerability that is not being adequately addressed. Attacks at this level can directly impact the reliability and safety of processes, manufacturing, material handling, and overall production. Level 0,1 devices are the fundamental elements that manipulate physical processes and production. Devices include process sensors, analyzers, actuators, motor controls, and related instrumentation. These are the fundamental "things" that make process control and manufacturing automation possible, reliable, safe, and effective.
There has been a significant emphasis on computer systems and networks, which are important, but essentially no strategy for Level 0,1 devices. The lack of cybersecurity focus on Level 0,1 devices provides a serious cybersecurity exposure. The lack of cybersecurity and authentication in Level 0,1 devices has not been a consideration for almost all users and vendors. There seems to be an assumption that these devices are within the operations, so they are inherently either protected or unable to be affected. This is the same line of logic that opened the door for cybersecurity attacks that "walked in" on USB sticks.
For those who don't think it is possible to hack process sensors, consider simply using the hand-held HART/Foundation Fieldbus field communicator to change the process sensor ID. This can be either a malicious cyberattack or an unintentional error, often with little chance to tell the difference. Regardless of why, with the ID changed, the sensor will no longer be able to communicate with the programmable logic controller or distributed control system. There may be an alert, but it may be too late to prevent a catastrophic failure. This is not just loss of view and loss of control, but a loss of safety.
Because the cybersecurity of Level 0,1 devices is not being addressed elsewhere, the ISA99, Industrial Automation and Control Systems Security committee has established a new task group to identify if Level 0,1 devices are adequately addressed in the existing IEC 62443 series of standards, particularly IEC 62443-4-2, Technical Security Requirements for IACS Components. After review of the document, it is clear that the existing IEC 62443 standards, and also Institute of Electrical and Electronics Engineers (IEEE) power industry standards, do not address the unique issues associated with Level 0,1 devices. Additionally, the definition of Level 0,1 needs to be reassessed in light of modern communication and instrumentation technologies.
Do Level 0,1 cybersecurity considerations affect other ISA standards in addition to ISA99?
Yes, the considerations affect ISA18, Instrument Signals and Alarms; ISA50, Signal Compatibility of Electrical Instruments; ISA67, Nuclear Power Plant Standards; ISA77, Fossil Power Plant Standards; ISA75, Control Valve Standards; ISA84, Process Safety Standards; ISA-88, Batch Control; ISA95, Enterprise-Control Integration; ISA100, Wireless; ISA108, Intelligent Device Management; and ISA112, SCADA Systems.
Do Level 0,1 cybersecurity considerations affect other standards organizations?
Yes, including standards from the IEEE, the International Electrotechnical Commission (IEC), the American Society of Mechanical Engineers (ASME), and the American Institute of Chemical Engineers (AIChE), to name a few.
Is there coordination and cooperation between ISA and these other organizations?
To date, informal at best, though there is outreach.
Can Level 0,1 devices be compromised?
Yes. As there are currently no cyber-forensics at this level, it is generally not possible to determine if a problem is a sensor or actuator mechanical/electrical problem, a process anomaly, or a cyberattack. And there have been many sensor-related cybersecurity catastrophic failures to date.
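From the controller side, the sensor-ID change described in the interview looks the same as a dead sensor. The Python below is an added example, not from the interview or from any ISA or IEC document. It compares a commissioning baseline with a later scan to separate the two cases. The record fields, the assumption that each device reports a fixed hardware serial that an ID edit does not alter, and all sample data are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    hw_serial: str  # assumption: factory-set identifier that an ID edit does not alter
    sensor_id: str  # configurable ID the PLC/DCS uses to address the sensor
    loop: str       # loop or segment where the device answered

# Constructed sample data: commissioning baseline and a later scan of the same loops.
BASELINE = [
    Device("SN-1001", "PT-101", "loop-A"),
    Device("SN-1002", "TT-205", "loop-A"),
    Device("SN-1003", "FT-310", "loop-B"),
]
SCAN = [
    Device("SN-1001", "PT-101", "loop-A"),  # unchanged
    Device("SN-1002", "TT-999", "loop-A"),  # same hardware, ID edited
    Device("SN-7777", "LT-400", "loop-B"),  # never commissioned; SN-1003 is silent
]

def lost_to_controller(baseline, scan):
    """Sensor IDs the controller is configured for but that no device answers to."""
    return {b.sensor_id for b in baseline} - {d.sensor_id for d in scan}

def audit(baseline, scan):
    """Return {hw_serial: (finding, detail)}; records what changed, not why."""
    seen = {d.hw_serial: d for d in scan}
    findings = {}
    for b in baseline:
        cur = seen.pop(b.hw_serial, None)
        if cur is None:
            findings[b.hw_serial] = ("MISSING", f"{b.sensor_id} silent on {b.loop}")
        elif cur.sensor_id != b.sensor_id:
            findings[b.hw_serial] = ("ID_CHANGED", f"{b.sensor_id} -> {cur.sensor_id}")
        elif cur.loop != b.loop:
            findings[b.hw_serial] = ("MOVED", f"{b.loop} -> {cur.loop}")
        else:
            findings[b.hw_serial] = ("OK", "")
    for hw, d in seen.items():  # hardware present in the scan but absent from the baseline
        findings[hw] = ("UNKNOWN_DEVICE", f"{d.sensor_id} on {d.loop}")
    return findings

if __name__ == "__main__":
    print("controller has lost:", sorted(lost_to_controller(BASELINE, SCAN)))
    for hw, (finding, detail) in sorted(audit(BASELINE, SCAN).items()):
        print(hw, finding, detail)
```

Both TT-205 and FT-310 drop out of the controller's view, but only the audit shows that the TT-205 hardware is still on the loop under a different ID. The finding says what changed, not whether the change was malicious or a mistake.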