A long-time reader and noted security researcher (I’ve
mentioned his name many times here), Chris Sistrunk, left a valuable
comment on yesterday’s post about Marina Krotofil’s presentation, Damned
Vulnerable Chemical Process (DVCP). Chris reminds us that an attack like the
one Marina described takes a great deal of time and multiple visits to your
system before the actual cyber-physical attack can be initiated. All of that
preparatory activity provides plenty of opportunity to detect and prevent the
attack if you are paying close attention to your control system (see his
comment for more details).
But even before we start the kind of monitoring that
Chris describes, we need to take the same kind of look at our control system
as we do at the rest of our chemical process in our process hazard analysis
(PHA). This will help us identify the controls that would place our facilities
at the greatest risk if or when a cyber-attack takes place.
In a well-conducted PHA we look at each step in our
process in great detail to find all of the things that could go wrong. We
take each process variable and ask what would happen if it were too high, too
low, too fast, too slow, and so on. For those deviations that could have
catastrophic consequences (or that are very likely to happen with lesser
consequences) we put safeguards, or compensating controls, in place to help
prevent those occurrences. The more severe the consequence, the more
compensating controls we put into place.
Given the new cybersecurity environment, we should
now extend that process down to the controller level wherever the PHA
identifies a high-consequence hazard in our chemical process. When we
determine, for instance, that a high temperature will lead to a catastrophic
consequence, we need to take a detailed look at the sensors and controllers
that directly determine what the temperature control loop does: the
transmitter, the controller holding the setpoint and logic, and the final
control element it drives.
This detailed look would include the specific
vulnerabilities associated with those devices. For example, can the device
have its logic or configuration changed by anyone who can reach it on the
network, without any authentication (Dale Peterson’s ‘insecure by design’
PLCs)? If so, we would want to take special precautions to limit who and what
can reach that device, and to record every attempt.
Where process safety rules require multiple
mitigating measures, we could, for instance, use multiple independent sensors
with the ‘tell me three times’ requirement familiar to rocket scientists
(two-out-of-three voting, so that a single failed or spoofed sensor can
neither cause nor block a trip). Or we could use stand-alone safety systems,
air-gapped from both the control and IT networks and provided with an
uninterruptible power supply, as the last line of control system protection.
Even an air-gapped safety system still has to be programmed from something,
so the engineering workstation and the physical and procedural controls
around it become part of that system’s perimeter.
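The ‘tell me three times’ idea in code, as an added example that is not part of the original post or of Marina’s DVCP work. It assumes three hypothetical independent temperature transmitters (TT-101A/B/C) on one vessel, a hypothetical trip setpoint and a hypothetical maximum allowed spread; every reading below is constructed. The point it makes beyond the paragraph is that the voter should do two things: trip only on a majority, and separately raise an alarm whenever any one transmitter disagrees with the other two, because that disagreement is exactly what a spoofed sensor looks like.

```python
"""Two-out-of-three (2oo3) sensor voting with a disagreement alarm.

Added example, not from the original post. Assumes three hypothetical
independent temperature transmitters (TT-101A/B/C) on one vessel, a
hypothetical trip setpoint and a hypothetical maximum allowed spread;
all readings below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

TRIP_SETPOINT_C = 180.0  # hypothetical high-temperature trip point
MAX_SPREAD_C = 5.0       # hypothetical max disagreement with the median before a sensor is suspect


@dataclass
class VoteResult:
    trip: bool      # True when at least two transmitters are at or above the setpoint
    median: float   # the value the safety logic acts on
    suspect: list[str] = field(default_factory=list)  # transmitters disagreeing with the median


def vote_2oo3(readings: dict[str, float],
              setpoint: float = TRIP_SETPOINT_C,
              max_spread: float = MAX_SPREAD_C) -> VoteResult:
    """Majority-vote three readings and flag any reading that disagrees."""
    if len(readings) != 3:
        raise ValueError("2oo3 voting needs exactly three readings")
    median = sorted(readings.values())[1]
    votes_for_trip = sum(1 for v in readings.values() if v >= setpoint)
    # One spoofed or failed transmitter can neither cause nor suppress a trip
    # on its own, but its disagreement must be raised, not silently outvoted.
    suspect = [tag for tag, v in readings.items() if abs(v - median) > max_spread]
    return VoteResult(trip=votes_for_trip >= 2, median=median, suspect=suspect)


# Constructed scenarios: (description, readings in degrees C)
SCENARIOS = [
    ("normal operation",
     {"TT-101A": 150.0, "TT-101B": 151.0, "TT-101C": 149.0}),
    ("real excursion, one transmitter spoofed low to hide it",
     {"TT-101A": 185.0, "TT-101B": 186.0, "TT-101C": 120.0}),
    ("one transmitter spoofed high to force a spurious trip",
     {"TT-101A": 150.0, "TT-101B": 151.0, "TT-101C": 250.0}),
    ("two transmitters spoofed low: the trip is suppressed, the alarm is not",
     {"TT-101A": 120.0, "TT-101B": 121.0, "TT-101C": 186.0}),
]


def run_scenarios() -> list[tuple[str, VoteResult]]:
    """Evaluate every constructed scenario and return (description, result) pairs."""
    return [(desc, vote_2oo3(readings)) for desc, readings in SCENARIOS]


if __name__ == "__main__":
    for desc, res in run_scenarios():
        print(f"{desc}: trip={res.trip} median={res.median} suspect={res.suspect}")
```

The last scenario is the one worth dwelling on: once two of the three transmitters are lying, the majority vote is defeated and the trip is suppressed, but the honest transmitter still shows up in `suspect`. The voter cannot tell which side is honest, so that disagreement alarm has to be treated as a real event to investigate, not as a nuisance to be acknowledged and cleared.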
We shouldn’t forget Chris’ monitoring requirements either.
In fact, for those really sensitive portions of the process where the really
bad things can happen (the things that go boom in every process engineer’s
nightmares) we should ensure specific log checks for the most critical
devices controlling that portion of the process: every logic download, mode
change and configuration write to those devices, and every host that talks to
them, should be reviewed against the approved change record.
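What such a targeted log check might look like, as an added example that is not part of the original post. The audit-log line format, the device tags (PLC-TIC-101, SIS-TSH-101, PLC-FIC-204), the approved engineering workstation address and the change window are all hypothetical, and the sample log lines are constructed. The check deliberately watches only the devices the PHA singled out, so that any change to them, or any unfamiliar host touching them, surfaces for review even when the same events on other controllers would be routine.

```python
"""Targeted audit-log checks for PHA-identified critical controllers.

Added example, not from the original post. The log line format, device
tags, approved host and change window are hypothetical; the sample log
lines are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Controllers the PHA identified as directly governing a high-consequence variable.
CRITICAL_DEVICES = {"PLC-TIC-101", "SIS-TSH-101"}
# Hosts allowed to talk to those controllers at all (hypothetical engineering workstation).
APPROVED_SOURCES = {"10.20.1.15"}
# Events that alter what the controller does.
CHANGE_EVENTS = {"program_download", "mode_change", "firmware_update", "setpoint_write"}
# Approved change window: weekdays, 08:00 to 17:00 UTC (hypothetical).
WINDOW_START_HOUR, WINDOW_END_HOUR = 8, 17

# Hypothetical line format: "<ISO timestamp> <device> event=<name> user=<id> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) event=(?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass
class Alert:
    severity: str   # "high", "review" or "unparsed"
    device: str
    reason: str
    line: str


def in_change_window(ts: datetime) -> bool:
    """True if the timestamp falls inside the approved maintenance window."""
    return ts.weekday() < 5 and WINDOW_START_HOUR <= ts.hour < WINDOW_END_HOUR


def check_line(line: str) -> Alert | None:
    """Return an Alert for a critical-device event worth a human's attention, else None."""
    m = LINE_RE.match(line)
    if not m:
        # A line the parser cannot read is itself reportable: logs that stop
        # matching the expected shape are a classic sign of tampering or breakage.
        return Alert("unparsed", "-", "log line did not match expected format", line)
    device, event, src = m["device"], m["event"], m["src"]
    if device not in CRITICAL_DEVICES:
        return None  # left to the broader, less strict monitoring of the whole network
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if src not in APPROVED_SOURCES:
        # Even a read from an unfamiliar host is the reconnaissance Chris describes.
        return Alert("high", device, f"unapproved host {src} touched critical device", line)
    if event in CHANGE_EVENTS:
        if not in_change_window(ts):
            return Alert("high", device, f"{event} outside approved change window", line)
        return Alert("review", device,
                     f"{event} by {m['user']} in window; confirm against change record", line)
    return None


def check_logs(lines: list[str]) -> list[Alert]:
    """Run check_line over every line and keep the alerts."""
    return [a for a in (check_line(l) for l in lines) if a is not None]


# Constructed sample log (not real data).
SAMPLE_LOG = [
    "2015-01-08T09:05:12Z PLC-TIC-101 event=read_tags user=- src=10.20.1.15",
    "2015-01-08T09:07:40Z PLC-TIC-101 event=program_download user=eng01 src=10.20.1.15",
    "2015-01-08T09:08:02Z PLC-FIC-204 event=program_download user=eng02 src=10.20.5.77",
    "2015-01-09T02:14:07Z PLC-TIC-101 event=program_download user=eng01 src=10.20.1.15",
    "2015-01-09T02:15:30Z PLC-TIC-101 event=read_tags user=- src=10.20.5.77",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for alert in check_logs(SAMPLE_LOG):
        print(f"[{alert.severity}] {alert.device}: {alert.reason}")
```

Note that the in-window program download from the approved workstation still produces a “review” alert rather than nothing. For the handful of devices that can cause the catastrophic consequence, the check should not be trying to decide on its own whether a change was legitimate; it should make sure a person compares it with the change record.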
In short, we really want to make safety and security
two sides of the same coin. After all, the goal of each is to keep chemical
processes within the narrow confines necessary to keep employees and the
community safe and healthy.
BTW: An anonymous commenter provided a YouTube link
for Marina’s talk (without the annoying 15 minute delay at the start) - https://www.youtube.com/watch?v=TPUzNMcFb4A