Sunday, January 24, 2021

Reader Comments – Instrument Vulnerabilities

Earlier this week Jake Brodsky left a comment on my blog post about the Thursday batch of control system security advisories. It is not a long comment, but it is certainly worth reading. He makes the point that “If you exploit FDT [fdtCONTAINER vulnerability] on an instrument to get it to execute arbitrary code, you can also get it to report incorrect values FROM THE INSTRUMENT.”

As a person who has spent thousands of hours monitoring chemical processes in a manufacturing environment for both safety and quality issues, I can tell you that the prospect of not being able to trust the numbers being provided by your control system was what scared me most about Stuxnet and caused my interest in control system cybersecurity.

Instrument-level data is probably the most critical data in an industrial control system: it is the data the control software relies on to make process decisions. Being able to manipulate that data means being able to manipulate the process, with the caveat that driving the process in a specific upset direction requires understanding the process and how the control system responds to various instrument inputs. Simply disrupting the process (shutting it down or degrading product quality) requires much less process knowledge.

Jake also made the point that Joe Weiss has been harping on the vulnerability of sensors for quite some time now. I have talked to Joe about this on a couple of occasions and I agree with many of his concerns. But I also know that smart process engineers understand the criticality of sensor data; this is the reason that there are frequently multiple sensors measuring the same variable, with protocols in place to deal with disagreements in sensor data.

As a process chemist I spent a lot of my process-upset investigation time looking for sensor failures by examining other process indicators: changes in pressure when valves opened or closed, changes in tank levels when pumps started, and the like. Perhaps it is time to start building such data checks into our process controls, especially when safety-critical process changes are involved.
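The two kinds of check described above, redundant sensors with a rule for disagreement and cross-checking a reading against a physically related indicator, as an added example that is not part of the original post and not code from any control system vendor. The sketch applies two-out-of-three (2oo3) median voting across three redundant level transmitters and then compares the voted level change against what the inlet pump state predicts; a transmitter that reports a stale value (the outcome Jake's comment warns about) shows up either as a voting outlier or, if all reported values are held, as a level that fails to rise while the pump runs. The pump rate, tolerances, tag names (LT-1..LT-3) and sample readings are hypothetical, constructed for illustration.

```python
"""Plausibility checks on instrument data: 2oo3 voting plus a physics cross-check.

Added example, not code from the original post. Constants, tag names and
samples below are hypothetical and constructed for illustration.
"""
from dataclasses import dataclass
from statistics import median

# Hypothetical plant constants (assumptions for this example, not from a real unit).
PUMP_RATE_PCT_PER_S = 0.5   # expected level rise while the inlet pump runs, in %/s
RATE_TOLERANCE = 0.5        # accept +/-50 % of the expected change
NOISE_FLOOR_PCT = 0.2       # smallest change treated as real when the pump is off
VOTE_TOLERANCE_PCT = 2.0    # one transmitter may differ from the voted value by this much


@dataclass(frozen=True)
class Sample:
    t: float            # seconds
    pump_running: bool  # state of the single inlet pump during the interval that starts here
    levels: tuple       # readings from three redundant level transmitters LT-1..LT-3, in %


def vote_2oo3(levels):
    """Median (2oo3) vote over three readings.

    Returns (voted_value, indexes_of_disagreeing_transmitters). A single
    transmitter reporting a wrong value is outvoted and flagged.
    """
    voted = median(levels)
    disagree = [i for i, v in enumerate(levels) if abs(v - voted) > VOTE_TOLERANCE_PCT]
    return voted, disagree


def check_step(prev, curr):
    """Findings for one sampling interval: voting outliers and an implausible level change.

    Each finding is (time, kind, detail). The physics check uses the voted level,
    so it still fires when all three reported values are held at a stale number.
    """
    findings = []
    curr_level, disagree = vote_2oo3(curr.levels)
    prev_level, _ = vote_2oo3(prev.levels)
    for i in disagree:
        findings.append((curr.t, "transmitter_disagreement",
                         f"LT-{i + 1}={curr.levels[i]} vs voted {curr_level}"))

    dt = curr.t - prev.t
    expected = PUMP_RATE_PCT_PER_S * dt if prev.pump_running else 0.0
    actual = curr_level - prev_level
    allowed = max(abs(expected) * RATE_TOLERANCE, NOISE_FLOOR_PCT)
    if abs(actual - expected) > allowed:
        state = "on" if prev.pump_running else "off"
        findings.append((curr.t, "implausible_level_change",
                         f"expected {expected:+.1f}%, reported {actual:+.1f}% with pump {state}"))
    return findings


def run_checks(samples):
    """Run check_step over consecutive samples and collect all findings."""
    findings = []
    for prev, curr in zip(samples, samples[1:]):
        findings.extend(check_step(prev, curr))
    return findings


# Constructed sample stream: the pump runs throughout. At t=30 LT-2 reports a
# stale value; at t=40 all three reported values are held although the pump runs.
SAMPLES = [
    Sample(0, True, (40.0, 40.1, 39.9)),
    Sample(10, True, (45.0, 45.1, 44.9)),
    Sample(20, True, (50.0, 50.1, 49.9)),
    Sample(30, True, (55.0, 50.1, 54.9)),   # LT-2 stuck: outvoted and flagged
    Sample(40, True, (55.0, 55.1, 54.9)),   # all held: voting passes, physics check fails
]

if __name__ == "__main__":
    for t, kind, detail in run_checks(SAMPLES):
        print(f"t={t:>3}s  {kind}: {detail}")
```

The voting step alone would have accepted the t=40 readings, since all three transmitters agree with one another; only the comparison against pump state catches it. In a real unit the expected rate would come from the material balance of the vessel rather than a constant, and the tolerances would be tuned to the normal measurement noise so the check does not alarm on every batch.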

Finally, it would be helpful if the people writing these advisories were a little clearer about the processes that could be affected by the vulnerabilities. I would be surprised if many security managers understood that the fdtCONTAINER vulnerability had specific implications for process sensors. Only a very close reading of the NCCIC-ICS advisory would point you at that fact unless you were involved in process engineering (the key tell for non-engineers like myself was the involvement of Emerson and the RTIS).
