Are your smart Instruments secured?


I was commissioning the FF (Foundation Fieldbus) Rosemount Vortex Flow transmitter somewhere in the Middle East. (Normally, as an ICSS (Integrated Control and Safety System) engineer, you would have to perform all parameter checks as per the datasheet in the DCS (Distributed Control System), configure the instruments accordingly, and do a lot more things, which we will not discuss today!)

We had been commissioning more than 3000 smart instruments (i.e. FF, HART), which includes loop check, simulation, calibration, datasheet verification, and AMS (Asset management system) configuration for each instrument. Suddenly the PMC (Project Management Consultant) engineer asked about the password configuration for all the instruments. Ohh man!!! We had already finished most of the instrument commissioning.

Of course, the EPC wants to finish the commissioning as soon as possible. There was also no checklist for configuring the password. For me, as a MAC (Main Automation Contractor), there are a lot of conflicts around the work scope, and I need to find a balance every time there is a conflict. The EPC should have provided the details of all necessary documents related to the specification of password configuration. The end user should have been more proactive in deciding the guidelines for this in the first place.

But here we are. I started to dig into all the manuals and datasheets of the different vendors, and found out that there is no password at all in most of the instruments, not even by default. You simply plug in your HART communicator and change whatever the hell you want to change. I was quite irritated by this password request earlier, but once I realized what could have been the reason behind it, we started working day and night to make sure all the instruments are password protected.

But why!!!! There is a procedure in place, such as a work permit, for working on any instrument. Why would anybody attempt to change the parameters without having the permit and a requirement? There is a bigger picture here, so let me explain...

The integrity of your ICS depends on the integrity of the instrument.

Let me explain the scenario of field instrument range modification. One technician with a field communicator goes to the field and performs the activity after getting all clearances, such as maintenance override, ready permit, etc. The instrument is re-ranged and is good to go back in service.

There is one more technician who is doing the same from the AMS (Asset management system) without going into the field. He/she may open the DTM (Device type management, a software interface to view and access all the parameters of the instrument). With the field communicator, you plug in and scan the bus, select the instrument, and retrieve the parameters in real time. In the AMS, there is already a database of all instruments if your plant is commissioned, but you need to upload the latest parameters from the instrument in order to get the correct details. Vice versa, you can download the parameters from the AMS to the instrument using the DTM.

Either way (AMS or field communicator) it is the same thing. The problem appears when you find out that the parameters for the same instrument are different in the AMS and in the field communicator. The reason is that either the DCS interface is not equalized with the AMS, or the AMS has not recently been updated for that instrument (the parameters were not uploaded after being changed from the field). It is also very important to note that there are many more interfaces for accessing the parameters of a single instrument, not only the AMS and the field communicator. Most of the general parameters can be modified by your DCS or PLC, and this creates a lot more confusion if they are not in sync with your AMS.

I have realized that it is not only the password; it is the procedure that must be followed in order to maintain the integrity of the instrument and its readings. A password will definitely help secure access to the instrument (who has access to the passwords must be defined, and that access should be centralized). There is still scope for a lot of improvement from instrument vendors, such as DTM enhancements that give maintenance personnel a better understanding of the password mechanism.
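The mismatch described above can be checked for routinely. The following is an added example, not part of the original article and not vendor code: it compares parameter snapshots from each interface against a live upload from the device and also flags instruments that report no write protection. The tag names, parameter names, source names and values are constructed assumptions, not any AMS or DCS export format.

```python
from math import isclose

# Constructed snapshots: source -> tag -> parameters. Tags, parameter names
# and values are illustrative and do not follow any vendor export format.
SNAPSHOTS = {
    "field_upload": {  # read live from the device; treated as ground truth
        "FT-1001": {"lower_range": 0.0, "upper_range": 120.0, "units": "m3/h", "write_protect": False},
        "PT-2003": {"lower_range": 0.0, "upper_range": 16.0, "units": "bar", "write_protect": True},
    },
    "ams_database": {  # not re-uploaded since FT-1001 was re-ranged in the field
        "FT-1001": {"lower_range": 0.0, "upper_range": 100.0, "units": "m3/h", "write_protect": False},
        "PT-2003": {"lower_range": 0.0, "upper_range": 16.0, "units": "bar", "write_protect": True},
    },
    "dcs_config": {
        "FT-1001": {"lower_range": 0.0, "upper_range": 100.0, "units": "m3/h"},
        "PT-2003": {"lower_range": 0.0, "upper_range": 16.0, "units": "bar"},
        "TT-3005": {"lower_range": 0.0, "upper_range": 200.0, "units": "degC"},
    },
}

def same(a, b):
    """Compare two parameter values, tolerating float rounding between tools."""
    if isinstance(a, float) and isinstance(b, float):
        return isclose(a, b, rel_tol=1e-6)
    return a == b

def reconcile(snapshots, reference="field_upload"):
    """Return (tag, finding, detail) tuples, comparing each source to the device."""
    ref, findings = snapshots[reference], []
    for tag in sorted(set().union(*snapshots.values())):
        if tag not in ref:  # configured somewhere but never read back from the device
            findings.append((tag, "no_live_upload", ""))
            continue
        if not ref[tag].get("write_protect", False):
            findings.append((tag, "unprotected", reference))
        for source, data in snapshots.items():
            if source == reference:
                continue
            if tag not in data:
                findings.append((tag, "missing", source))
                continue
            for param, value in data[tag].items():
                if param in ref[tag] and not same(value, ref[tag][param]):
                    findings.append((tag, "drift", f"{source}.{param}={value}, device={ref[tag][param]}"))
    return findings

if __name__ == "__main__":
    for finding in reconcile(SNAPSHOTS):
        print(*finding)
```

Each drift finding is a prompt to check the change record for that tag: either the AMS upload was skipped after permitted work, or the parameter was changed without a permit.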

Remember!! An attack on a control system could take the form of one or more field instruments being spoofed to induce a shutdown of a piece of equipment.

Also remember, an attack does not necessarily come from outside.

There are no hard and fast rules that apply to everyone. But if you want defense-in-depth (which you should), the end user should define the process of maintaining and securing the field instruments based on the automation solution installed in the facility.

Thanks for reading this :)

Ankit








Aniket Bansode

Assistant Manager at Deloitte | ISA/IEC 62443 CFS | OT/ICS Security Researcher

2 years

An interesting and nice read, Ankit Suthar!! Would like to read and learn from blogs like this in the future.

Ankur Rathi

Manager OT Cybersecurity @ Johnson & Johnson | ICS/OT/SCADA/IIoT Cybersecurity | Scrum Master | Ex- EY | Ex-Emerson

3 years

Wonderful article, Ankit Suthar, and expert comments. Worth reading and understanding Level 0 security constraints which are still unaddressed in most of the OEM products and operational environments across the OT verticals. One of the basic security controls we see is the DIP switch settings to avoid any R/W operations; again, this requires an adversary to be a C&I expert to understand such modes. Though all this information is quite outdated and easily available on the internet. FF, HART, PF and SMART devices have to be more authentication oriented to avoid such mishaps.

Randy Long

Sr. Electrical Engineering Technician at City of Healdsburg | Sec+ |

3 years

Ankit Suthar, wonderful article and very timely. I am wondering if the electrical sector has a dog in this fight? The HART protocol seems to tend to the refinery/oil gas space. I can't think of relays or SCADA/RTU systems that utilize HART hardware? Thx.
