The Weissian Level 0/1 Issue

ICS security industry pioneer and legend Joe Weiss PE CISM CRISC ISA Fellow has been on a crusade to raise awareness on Purdue Level 0/1 security and reliability issues. It’s generally focused on the integrity and accuracy of sensor data that is communicated from the sensor, through a PLC/controller/Level 1 device, and to the operator or program at Level 2 and above.

From a security standpoint, there is almost always no logical security in the Level 0 to Level 1 communication. It lacks authentication. It is insecure by design. If an attacker can gain access to either side of this communication or the communication channel itself, they can spoof or alter the data. Most in the ICS security community know this, but Joe correctly points out that executives and others outside the community don’t know this. They are often shocked when they learn this.

To the degree that this Level 0/1 communication avoids Ethernet, IP, or any other commonly routable protocol, as it usually still does, it has some physical security: an attacker needs physical access to the endpoint or to the communications channel. If the attacker already has physical access to the PLC, or logical access via an Ethernet port connected from Level 2, they don't need to bother altering or spoofing the Level 0/1 communication.

This is why my focus, my annoying drumbeat, is to get security into the PLC/controller/Level 1 device. Signed firmware, signed logic/application changes, authentication of commands through ICS protocol security, and other controls. In a perfect world, we would have security down to the sensor or actuator. In terms of risk reduction achieved for resources required (efficient risk reduction criteria), this Level 0/1 security is far down the list of possible risk reduction activities. This will change some, but not a lot, as we deploy more sensors and actuators with IP addresses.

Joe and I have had a friendly disagreement on the importance of addressing the Level 0 security issue. Recent presentations and calls have led me to reframe Joe's issue, and it seems to be much broader than security. To be fair, Joe has always said this and frequently points to the NIST definition of a cyber incident. Bad decisions and actions based on bad sensor data: that is what I hear him saying now.

Joe has given me multiple examples where a closer look at the accuracy of sensor data has shown it to be inaccurate by margins that could lead, and have led, to incidents. None of this bad sensor data was due to a cyber attack. It was sensor failure. He claims this is a larger problem than most in the community realize. This is well outside my area of expertise, or even basic knowledge. Is it true? How widespread is this problem? I would have believed the accuracy and precision required of sensor data is a well-worn subject, but there have been examples where well-worn subjects have led to unfounded confidence.

The issue of the accuracy and precision of sensor measurements will not be solved by security, even if the Level 0/1 communication were authenticated, even if all ICS communication were authenticated. We would only have false sensor readings sent, without modification, through the system.

When I hear Joe Weiss communicate about Level 0/1 I now break it into two issues.

1. Do we have an issue with Level 0 sensors recording and sending accurate data with the required precision?

2. Is the lack of authentication in Level 0/1 communication a security risk that needs to be prioritized and addressed in the next 1 to 3 years?

I have no idea of the answer to question 1. My answer to question 2 is, and has been, no.
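To make the split between the two issues concrete, here is an added example (not code from the post, nor from any product or vendor mentioned in it): a constructed Level 1 device signs each sensor reading it forwards with an HMAC, the Level 2 host verifies the MAC, and a separate redundancy-based plausibility check covers sensor accuracy. A drifted reading passes the MAC check and is caught only by the plausibility check; an altered message fails the MAC check. The key, tag name, tolerance and peer readings are all constructed for the demo.

```python
import hashlib
import hmac
import json
import statistics

# Constructed key for the demo. A real deployment provisions a key to the Level 1
# device and the Level 2 host; it is never hard-coded like this.
DEMO_KEY = b"constructed-demo-key"


def sign_reading(tag: str, value: float, key: bytes = DEMO_KEY) -> dict:
    """Level 1 device: attach an HMAC-SHA256 over the canonical encoding of a reading."""
    reading = {"tag": tag, "value": value}
    body = json.dumps(reading, sort_keys=True).encode()
    return {"reading": reading, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_reading(msg: dict, key: bytes = DEMO_KEY) -> bool:
    """Level 2 host: a valid MAC shows the bytes were not altered after the Level 1
    device signed them. It says nothing about whether the sensor measured correctly."""
    body = json.dumps(msg["reading"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["mac"])


def plausibility_check(value: float, peer_values: list, tolerance: float) -> bool:
    """Issue 1 needs a different control: compare the reading with redundant sensors
    on the same process variable and flag it if it deviates from their median by more
    than the tolerance. Drift or miscalibration shows up here, not in the MAC."""
    return abs(value - statistics.median(peer_values)) <= tolerance


def assess(msg: dict, peer_values: list, tolerance: float) -> str:
    """Run both checks so the operator can tell which of the two issues applies."""
    if not verify_reading(msg):
        return "reject: message altered or spoofed in transit"
    if not plausibility_check(msg["reading"]["value"], peer_values, tolerance):
        return "suspect: authentic message, implausible sensor value"
    return "ok"


if __name__ == "__main__":
    peers = [100.2, 99.8, 100.1]  # constructed readings from redundant transmitters
    drifted = sign_reading("PT-101", 112.0)  # failed sensor, not an attack: MAC is valid
    print(assess(drifted, peers, tolerance=2.0))  # suspect: authentic message, implausible sensor value
    tampered = sign_reading("PT-101", 100.0)
    tampered["reading"]["value"] = 112.0  # constructed alteration after signing
    print(assess(tampered, peers, tolerance=2.0))  # reject: message altered or spoofed in transit
```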

Joe Weiss PE CISM CRISC ISA Fellow

Managing Partner at Applied Control Solutions, LLC Emeritus Managing Director ISA99 ICS Cyber Security Pioneer, Keynote Speaker Process Automation Hall of Fame

2 years ago

The article, "Using Machine Learning to Work Around the Operational and Cybersecurity Limitations of Legacy Process Sensors" is now available in the November issue of IEEE Computer. The paper provides a case study providing detailed quantitative results of the unseen deficiencies in many process sensors. It also responds to Dale's blog. The IEEE paper quantifies the impact of inaccurate sensors while the blog identifies catastrophic failures from inaccurate sensors. It is important to know if the data source can be trusted - knowing the process sensor data coming in is from the sensor and not Beijing is not trivial. Additionally, on November 1st, Steve King, Managing Director of CyberTheory, published results that indicated between January and September of 2021, there was a 2,204% increase in adversarial reconnaissance activity targeting port 502 – Modbus. Raw sensor monitoring provides an independent view of the process regardless of what is occurring with cyber vulnerable communication protocols or OT network availability. https://www.controlglobal.com/blogs/unfettered/blog/21437429/ieee-paper-on-process-sensor-monitoring-what-you-need-to-know-about-process-sensor-cyber-security

Ilan Sosnovitch

Business Development Manager

2 years ago

Important discussion that's part of our day-to-day work. Here at SIGA, we call it "Level 0 Resilience" for those reasons precisely - false reporting of a sensor can come from various reasons: cyberattacks, mis-calibration or sensor failure. If the entire "chain of command" of the SCADA system relies on true data coming from sensor level while that same data does not represent true values, it's an issue that should bother us and should be prioritized. The notion that Level 0 authentication and sensor/process validation is cumbersome/costly/intrusive is not necessarily correct and, on the contrary, may help avoid system failures and unplanned shutdowns. I invite anyone who wants to learn more about it for a demo and discussion. (www.sigasec.com)

Rick Welsh

CEO Killara Cyber

2 years ago

Thank you Dale for helping to make a very technical subject more digestible for us non-technical mortals! These things matter for insurance and capital distribution and Joe too has been very patient in helping to point out to us these security fallibilities.

Eyal Asila

Global Cybersecurity Executive | CISO | AI & Quantum Security Strategist | $400M+ Cyber Consulting Leader | Risk & Compliance Expert (NIST, ISO 27001, GDPR) | Board & C-Level Advisor | Founder @CyberLion Advisory

2 years ago

As usual - to the point

I for one am glad to see the increased disambiguation of this issue, as this is how we'll get closer to improving aspects of it. What did Einstein say he'd do if given an hour to solve a problem...?
