Tag Archives: IIoT

Some thoughts on „A Cyberattack on the U.S. Power Grid“ by Robert K. Knake

15 April 2017

The Contingency Planning Memorandum No. 31 „A Cyberattack on the U.S. Power Grid“, published by Robert K. Knake at the Council on Foreign Relations (CFR) in April 2017, illustrates very clearly how vulnerable critical infrastructures like the U.S. power grid are. This memorandum is really worth reading.

Ultimately, for effective protection of the society in the case of a breakdown of the power grid we need something like a nation wide operated ISMS, with hundreds of stakeholders from the private and public sector. This is a Herculean task in the U.S., and needs a miracle in Europe.

But the discussion of attack vectors is characterized by the traditional ISA 95 paradigm:

Regardless of which part of the power grid is targeted, attackers would need to conduct extensive research, gain initial access to utility business networks (likely through spearphishing), work to move through the business networks to gain access to control systems, and then identify targeted systems and develop the capability to disable them.

In the era of the IIoT, the network perimeter with all its high sophisticated security controls is no longer existent. For example, a lot of Industrial Control Systems are already connected directly to the internet today. With this, the effort for attacking critical infrastructures is decreasing, as well as the likelihood of detection.

From my point of view, it is of crucial need to take this paradigm change into account in risk management.

Happy Easter!

IIoT is killing ISA 95!?

12 February 2017

At the end of his great post ‘IIoT is killing ISA 95 !! …a.k.a. the operators that talked to the CEO‘, Antonio Buendia, Head of Manufacturing Process Control at Novartis, asks 3 questions:

What do you think?

(1) Do you think that ISA 95 is dead, and we are going to have a series of devices each of them talking to each other? And those devices will be able to digest and process the information by themselves?

(2) Do you think that the IIoT will bring enhanced communication capabilities, but we still need to establish a hierarchy, a set of common rules for orchestration, but a new model has to be created?

(3) Or do you think that ISA 95, with some minor tweaks, is still the model of reference for the IIoT?”

There is no simple answer to this question. In my opinion the answer depends strongly on the issues one is going to solve with IIoT devices.

Even in the age of IIoT ISA 95 will still be a reference model in production. Let me be quite clear: For just the execution of a manufacturing order the ISA 95 model will fit more or less well even in the age of the IIoT.

For other production related issues the ISA model may possible not fit. Let me make this clear with an example:

For the execution of a huge production order it would be helpful to know in advance of the likelihood of equipment breakdowns during the execution time. IIoT devices like smart pumps or smart valves are able to gather operational data. This data can be used for the prediction of the remaining run time of the devices. If the remaining run times of all devices are known, it is easy to predict whether a production order can be executed without major delays.

This is one possible added value we create from IIoT devices. Currently only few manufacturers are collecting these data. The Industrie 4.0 concept goes far beyond the local collection and analysis of operational data. If the data is sent to the equipment manufacturer for further analysis, we can create more value from the data because the device vendor may correlate the data with the data from thousands of similar devices. With this, remaining run times can be estimated more accurately.

From my point of view, it is not necessary that an individual device contacts the vendors database to get details about its remaining run time. It is enough if the device management system does this job. I don’t think that the ERP system must be involved at least during this analysis phase in this communication.

With this, my answer is: ISA 95 is still a reference model for manufacturing in the age of IIoT. But we have to develop other models or extent the ISA 95 model if we are going to turn the capabilities of the IIoT into EBIT.

Have a good week.

Unsecured IIoT devices in untrusted networks

28 January 2017

I am currently reviewing a draft of the German Federal Office for Information Security (BSI) about Operational and Control Technology. The goal of the paper is to define suitable requirements for IT security in OT.

IIoT devices, e.g. moderns sensors like the Schneider Electric PowerLogic ION7650 power meter, offer many communication options, including an optional Ethernet port:

PowerLogic ION 7650 communication options

Schneider Electric PowerLogic ION7650 communication options

With the Ethernet port activated the power meter behaves like a standard web server which provides standard internet communication options for access, e.g. ftp via port 21, http via ports 80, 81 and 443.

The BSI paper introduces the concept of ‘required connections‘ to communication partners outside the production network. This concept is based on the idea that production networks are isolated from a company’s office network as well as from the internet through security devices. The number of required connections, e.g. a connection from the ERP system to the Manufacturing Executions system (MES), should be kept as low as possible. In addition, required connections and the related communication endpoints must be specially protected to prevent misuse.

Lots of the PowerLogic ION7650 power meters are not operated in a production network. They are directly attached to the internet through an internet router, thus directly attackable by all internet users.

With this, each power meter creates its own production network, and every connection becomes a required connection. The major difference to the classic production network is that the power meter is far short of the protection capabilities a classic production network provides.

Thus, special attention has to be paid to the secure configuration of the devices and the attached internet routers during commissioning. Unfortunately, neither the service personnel setting up the device nor the operators seem to be aware of the dangers which result from this limited protection options because lots of unsecured devices are directly attached to the internet.

It is not very likely that a single compromised power meter has an impact on the national power grid. But if an attacker is able to compromise hundreds or thousands of devices …

The BSI paper provides a comprehensive set of technical and organizational measures to OT organizations to deal effectively with IT security issues in production environments.

Nevertheless, I recommend to the operators to review the configuration of and secure their devices. Besides financial loss due to malfunctions unsecured devices can be hijacked and included into bot nets.

Have a good weekend.

Software failures are systematic. Stop all patching?

22 January 2017

In the past days I reviewed the draft of the NAMUR Worksheet NA 163 “IT Risk Assessment for Safety Instrument Systems”. In the age of the IIoT even Safety Instrument Systems (SIS) are equipped with embedded IT components and attached to the production or company network. With this, the safety systems become the target of IT threats, which may result in a malfunction of the SIS in the worst case.

Process safety engineers are often unaware of this new threats. IEC 61511 “Functional safety – Safety instrumented systems for the process industry sector” requires an IT risk assessment for SIS, but makes no recommendations about the details of the assessment.

The aim of Worksheet NA 163 is to provide a practicable risk assessment method to safety engineers, supplemented by a checklist on possible mitigation measures.

On Thursday I watched a video recording of a lecture on ‘Safety-Critcial Systems’ given by Martyn Thomas, Livery Company Professor of Information Technology at the Gresham College.

Software failures are systematic. Slide 18 of 'Safety-Critical Systems - when software is a matter of life and death' by Martyn Thomas CBE FREng, Livery Company Professor of Information Technology, Gresham College

Software failures are systematic. Slide 18 of ‘Safety-Critical Systems – when software is a matter of life and death’ by Martyn Thomas CBE FREng, Livery Company Professor of Information Technology, Gresham College

Professor Thomas makes clear, that “Software failures are systematic. They occur whenever the triggering conditions arise”. I highly recommend to watch the entire lecture because one can gain new insights on software testing and reliability. For a link to the video, the PowerPoint presentation and the Word transcript please see below.

NA 163 recommends to patch all SIS systems components including the supporting systems like the engineering stations or the HMI on a regular basis.

But will continuous patching really increase the reliability of the software components?

Will continuous patching really decrease the risk of a cyber-attack?

How many new systematic defects are built in a software system during continuous patching?

Remember the seemingly endless number of critical vulnerabilities fixed in Adobe Flash Player in the past years…

Let me be clear: I do not call to stop all patching. From my point of view we must focus on the right and important system components, vulnerabilities and patches. With this we can escape from the patch treadmill and focus on the really important issues, e.g. how to build and configure industrial control system networks that are less susceptible to cyber-attacks.

Have a good weekend!

Safety-Critical Systems – when software is a matter of life and death

Martyn Thomas CBE FREng, Livery Company Professor of Information Technology, Gresham College, 10 January 2017

Word Transcript | PowerPoint Presentation | YouTube Video

IIoT Security is the result of close collaboration between Vendors, Contractors, and Operators

18 December 2016

In the past days, I prepared a key-note speech for the kick-off meeting of a new working group in the Committee for Operating Safety of the German Federal Ministry for Work and Social Affairs.

IIOT: Impact of Digital World on Physical World

Impact of Digital World on Physical World in IIoT

The working group deals with the impact of the Industrial Internet of Things (IIoT) issues on functional safety. In the world of Cyber Physical Productions Systems (CPPS) or the IIoT this becomes very important. A CPPS is a system which combines physical objects (through sensors or actuators) and processes with digital (virtual) objects and processes across information networks and the internet. In the IIoT the digital word acts upon the physical world. With this we have to be prepare for safety issues.

Cyber Cyber Physical Production System Structure

Cyber Physical Production System Structure

Safety engineers have long lasting experience in managing the risk created by classic vulnerabilities of safety devices like power or compressed air malfunction, corrosion or operator errors.

With the embedded system and its connection to the internet thousands of easy exploitable IT vulnerabilities enter the safety domain.

The main difference is that these IT vulnerabilities are exploitable by

  • any internet user
  • from any location and
  • at any time.

If the safety device is not properly designed this may have a negative impact on the safety function, thus on people or the environment.

Inspection engineers have in general only few experience in managing the risks which arise from the IT vulnerabilities. Objectives of the working group are to create awareness for these new kind of IT risks and to provide working materials for support of the inspection engineers.

During preparation, I focused on the easy exploitable weakness CWE-16 (Configuration), in particular Default Passwords.  Lots of process control systems (PCS) are attached to the Internet. And lots of them are accessible with default passwords for the administrator and guest account. Although the vendors strongly recommend to change the passwords during startup, neither the engineering teams nor the operators performed their duties.

Vendors started to deal with the default password issue and introduced individual passwords for PCS. Rockwell for example uses the serial number of the system as individual password:

The Configuration pages (Device Identity, Network Configuration and Device Services) are password protected. By default they can be accessed with:

  • Username = administrator
  • Password = the adapter’s serial number (listed on the adapter’s home page)

Generally, this is a good idea. But if the engineering team does not remove the password from the systems homepage or change the password this will create no security. The same applies to the operators. At least before commissioning they must check whether basic security best practice is implemented. Since the power plants I found during my research are operated from some years now, the operators checked this definitely not.

With this it is required that Vendors, Vontractors, and Operators

  • introduce Security-by-Design and Cyber Risk Management in their design standards
  • introduce Security Gates in their design processes
  • enhance handover and acceptance procedures by security requirements

to make sure that at least basic security requirements are met, thus the safety of the systems is not compromised by IT vulnerabilities.

That’s it for today, and for this year. I will take a Christmas break.

A merry Christmas to you all
and the best wishes
for health, happiness and prosperity
in the New Year.

Christmas Trees