A long-time reader and noted security researcher (I’ve mentioned his name many times here), Chris Sistrunk, left a valuable comment on yesterday’s post about Marina Krotofil’s presentation, Damned Vulnerable Chemical Process (DVCP). Chris reminds us that an attack like the one Marina described will take a great deal of time and multiple trips to your system before the actual cyber-physical attack can be initiated. That provides plenty of opportunity to detect and prevent the attack if you are paying close attention to your control system (see his comment for more details).
But even before we start the kind of monitoring that Chris describes, we need to give our control system the same kind of look that our process hazard analysis (PHA) gives the rest of the chemical process. That will help us identify the controls that could place our facilities at the greatest risk if/when a cyber-attack takes place.
In a well-conducted PHA we look at each step in the process in great detail for all of the things that could go wrong. We look at each variable and ask what would happen if it were too high, too low, too fast, too slow, etc. For those events that could have catastrophic consequences (or that are very likely to happen, even with lesser consequences) we put compensating controls in place to help prevent them. The more severe the consequence, the more compensating controls we put in place.
Given the new cybersecurity environment, we should now extend that process down to the controller level wherever we identify high-consequence hazards in our chemical processes. When we determine, for instance, that a high temperature will lead to a catastrophic consequence, we need to take a detailed look at the sensors and controllers (and the valves they drive) that directly affect temperature control.
That detailed look would include the specific vulnerabilities of those devices. For example, can their programming be changed by anyone with network access to the device, with no authentication at all (the ‘insecure by design’ PLCs Dale has written about)? If so, we would want to take special precautions to limit access to that device, and to know when someone has used that access.
Where process safety rules require multiple mitigating measures we could, for instance, use multiple sensors with the two-out-of-three voting (‘tell me three times’) requirement familiar to rocket scientists: no single transmitter can then trip the unit, or hide a real excursion, on its own. Or we could use stand-alone safety systems, air-gapped from both the control and IT networks and provided with an uninterruptible power supply, for the ultimate control system protection. Keep in mind that the engineering workstation used to program such a safety system then becomes the path an attacker will look for, and it needs the same protection as the safety system itself.
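The ‘tell me three times’ idea, worked through as a two-out-of-three (2oo3) high-temperature trip. This is an added example, not code from the original post or from Marina’s DVCP model; the sensor tags, trip point, agreement band and readings are all constructed for illustration. The point it shows is that a single spoofed or failed transmitter can neither trip the unit nor mask an excursion the other two sensors see, and that a sensor far from its siblings is exactly the thing the monitoring Chris describes should raise an alarm on.

```python
"""Two-out-of-three (2oo3) high-temperature trip with sensor-disagreement detection.

Added example, not code from the original post. The tags, limits and readings
below are constructed for illustration (hypothetical plant values).
"""
from dataclasses import dataclass, field

HIGH_TRIP_C = 180.0      # assumed trip point for the reactor temperature
AGREEMENT_BAND_C = 5.0   # assumed maximum spread between healthy sensors


@dataclass
class VoteResult:
    trip: bool                    # True when at least 2 of 3 sensors exceed the trip point
    high_count: int               # how many sensors are above the trip point
    median: float                 # middle reading; robust to one bad sensor
    disagreeing: list = field(default_factory=list)  # tags far from the median


def vote_2oo3(readings: dict) -> VoteResult:
    """Vote three independent temperature readings (tag -> degC).

    A trip needs two sensors above HIGH_TRIP_C, so one manipulated transmitter
    cannot trip the unit on its own (reading high) or hide a real excursion
    (reading low) while the other two are honest. Any sensor more than
    AGREEMENT_BAND_C away from the median is reported as disagreeing so that a
    monitoring check can alarm on it, even when no trip is required.
    """
    if len(readings) != 3:
        raise ValueError("2oo3 voting needs exactly three readings")
    values = sorted(readings.values())
    median = values[1]
    high = [tag for tag, t in readings.items() if t >= HIGH_TRIP_C]
    disagreeing = sorted(tag for tag, t in readings.items()
                         if abs(t - median) > AGREEMENT_BAND_C)
    return VoteResult(trip=len(high) >= 2, high_count=len(high),
                      median=median, disagreeing=disagreeing)


if __name__ == "__main__":
    # Constructed scenarios: normal operation, one sensor spoofed low during a
    # real excursion, and one sensor spoofed high with the process actually normal.
    scenarios = {
        "normal":                {"TT-101A": 150.0, "TT-101B": 151.0, "TT-101C": 149.0},
        "excursion, C spoofed":  {"TT-101A": 185.0, "TT-101B": 186.0, "TT-101C": 150.0},
        "A spoofed high":        {"TT-101A": 190.0, "TT-101B": 150.0, "TT-101C": 151.0},
    }
    for name, readings in scenarios.items():
        print(name, vote_2oo3(readings))
```

The disagreement band is the part worth tuning on a real loop: too wide and a slowly drifted (or slowly manipulated) transmitter is never flagged, too narrow and normal transmitter scatter floods the operator with alarms.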
We shouldn’t forget Chris’ monitoring requirements either. In fact, for those really sensitive portions of the process where the really bad things can happen (the things that go boom in every process engineer’s nightmares) we might want to define specific log checks for the most critical devices controlling that portion of the process: program downloads, configuration changes and forced I/O on those controllers, and connections to them from anywhere other than the approved engineering workstation.
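What such a log check might look like for the controllers the PHA marked as critical. This is an added example, not code from the original post; the log format, device tags, IP addresses, change window and the policy rules are all constructed for illustration, and a real PLC or historian log will need its own parser. It flags program or configuration writes from an unapproved source, writes from an approved workstation outside the change window, and the repeated sessions from one source that Chris’ ‘multiple trips’ observation predicts.

```python
"""Log check for the controllers that guard a high-consequence loop.

Added example, not code from the original post. The log line format, device
tags, addresses, change window and rules below are hypothetical.
"""
import re
from datetime import datetime, time
from typing import Optional

# Hypothetical inventory: controllers the PHA marked as critical, and the
# engineering workstation(s) allowed to change their programs.
CRITICAL_DEVICES = {"TIC-101", "SIS-01"}
ALLOWED_PROGRAMMERS = {"10.1.5.10"}
# Hypothetical approved change window (plant-local time, inclusive).
CHANGE_WINDOW = (time(8, 0), time(16, 0))
# Events that alter what the controller does, as opposed to reading from it.
WRITE_EVENTS = {"PROGRAM_DOWNLOAD", "CONFIG_WRITE", "MODE_CHANGE", "FORCE_IO"}
# Sessions from one source to one critical device that are worth a look.
SESSION_ALERT_COUNT = 3

LINE_RE = re.compile(
    r"^(?P<ts>\S+) device=(?P<device>\S+) src=(?P<src>\S+) event=(?P<event>\S+)(?: (?P<rest>.*))?$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def check_critical_device_logs(lines) -> list:
    """Return alert strings, in log order, for suspicious activity on critical devices."""
    alerts = []
    sessions = {}  # (device, src) -> number of sessions seen in this batch
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["device"] not in CRITICAL_DEVICES:
            continue
        dev, src, ev, ts = rec["device"], rec["src"], rec["event"], rec["ts"]
        if ev in WRITE_EVENTS:
            if src not in ALLOWED_PROGRAMMERS:
                alerts.append(f"{ts.isoformat()} {dev}: {ev} from unapproved source {src}")
            elif not (CHANGE_WINDOW[0] <= ts.time() <= CHANGE_WINDOW[1]):
                alerts.append(f"{ts.isoformat()} {dev}: {ev} from {src} outside change window")
        if ev == "SESSION_OPEN":
            key = (dev, src)
            sessions[key] = sessions.get(key, 0) + 1
            if sessions[key] == SESSION_ALERT_COUNT:
                alerts.append(f"{ts.isoformat()} {dev}: repeated sessions from {src} "
                              f"({sessions[key]} in this batch)")
    return alerts


# Constructed sample log lines (not real plant data). One approved daytime
# download, traffic to a non-critical controller, then several night-time
# visits from an unknown host that end in a forced I/O point, and finally an
# approved workstation writing configuration at 02:30.
SAMPLE_LOG = """\
2015-02-04T09:15:02 device=TIC-101 src=10.1.5.10 event=PROGRAM_DOWNLOAD user=eng1
2015-02-04T09:16:44 device=FIC-220 src=10.1.5.77 event=PROGRAM_DOWNLOAD user=eng2
2015-02-04T22:03:11 device=TIC-101 src=10.1.5.77 event=SESSION_OPEN
2015-02-04T22:03:15 device=TIC-101 src=10.1.5.77 event=READ_TAGS
2015-02-05T01:40:09 device=TIC-101 src=10.1.5.77 event=SESSION_OPEN
2015-02-05T01:41:30 device=TIC-101 src=10.1.5.77 event=FORCE_IO tag=TT-101C
2015-02-05T23:12:00 device=TIC-101 src=10.1.5.77 event=SESSION_OPEN
2015-02-06T02:30:00 device=TIC-101 src=10.1.5.10 event=CONFIG_WRITE user=eng1
""".splitlines()

if __name__ == "__main__":
    for alert in check_critical_device_logs(SAMPLE_LOG):
        print("ALERT", alert)
```

Two things to notice: the download to FIC-220 from the unknown host produces nothing, because that controller was not on the PHA’s critical list, which is the whole point of doing the analysis first; and the 02:30 write from the approved workstation is still flagged, since the workstation itself may be the thing that has been taken over.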
In short, we really want to make safety and security two sides of the same coin. After all, the goal of each is to keep chemical processes within the narrow confines necessary to keep employees and the community safe and healthy.
BTW: An anonymous commenter provided a YouTube link for Marina’s talk (without the annoying 15 minute delay at the start) - https://www.youtube.com/watch?v=TPUzNMcFb4A