18 December 2016
In the past few days, I prepared a keynote speech for the kick-off meeting of a new working group in the Committee for Operating Safety of the German Federal Ministry for Work and Social Affairs.
The working group deals with the impact of Industrial Internet of Things (IIoT) issues on functional safety. In the world of Cyber-Physical Production Systems (CPPS), or the IIoT, this becomes very important. A CPPS is a system which combines physical objects (through sensors or actuators) and processes with digital (virtual) objects and processes across information networks and the internet. In the IIoT the digital world acts upon the physical world. With this, we have to be prepared for safety issues.
Safety engineers have long-standing experience in managing the risk created by classic vulnerabilities of safety devices, like power or compressed-air malfunction, corrosion, or operator errors.
With the embedded system and its connection to the internet, thousands of easily exploitable IT vulnerabilities enter the safety domain.
The main difference is that these IT vulnerabilities are exploitable by
- any internet user
- from any location and
- at any time.
If the safety device is not properly designed, this may have a negative impact on the safety function, and thus on people or the environment.
Inspection engineers generally have only little experience in managing the risks which arise from IT vulnerabilities. The objectives of the working group are to create awareness of this new kind of IT risk and to provide working materials to support the inspection engineers.
During preparation, I focused on the easily exploitable weakness CWE-16 (Configuration), in particular default passwords. Lots of process control systems (PCS) are attached to the Internet, and lots of them are accessible with the default passwords for the administrator and guest accounts. Although vendors strongly recommend changing the passwords during startup, neither the engineering teams nor the operators have performed their duties.
Vendors have started to deal with the default password issue and introduced individual passwords for PCS. Rockwell, for example, uses the serial number of the system as the individual password:
The Configuration pages (Device Identity, Network Configuration and Device Services) are password protected. By default they can be accessed with:
- Username = administrator
- Password = the adapter’s serial number (listed on the adapter’s home page)
Generally, this is a good idea. But if the engineering team neither removes the serial number (i.e. the password) from the system's home page nor changes the password, this provides no security: the default password is printed on the very page an attacker sees first. Of the two measures, changing the password is the one that actually helps, because the serial number is also on the device label and in the delivery documents. The same applies to the operators. At least before commissioning, they must check whether basic security best practice is implemented. Since the power plants I found during my research have been in operation for some years now, the operators definitely did not check this.
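As an added illustration of that commissioning check (my own example, not Rockwell's code and not material from the working group), the following Python script treats a device the way an attacker would: it fetches the home page, pulls the serial number off it, and tries it as the administrator password on the configuration page. It also tries the serial number from the asset inventory, because hiding the number from the page does not change the password. The path /config, the home-page layout matched by SERIAL_RE, the user name administrator and the mock adapter it runs against are assumptions for the example; a real device needs its own path and pattern.

```python
import base64
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import ProxyHandler, Request, build_opener

_opener = build_opener(ProxyHandler({}))  # direct connection, ignore HTTP_PROXY
# Assumption: the home page prints "Serial Number: <value>"; adjust per vendor.
SERIAL_RE = re.compile(r"Serial\s*Number:?\s*([0-9A-Za-z-]+)", re.I)


def extract_serial(home_html):
    """Return the serial number shown on the home page, or None."""
    match = SERIAL_RE.search(home_html)
    return match.group(1) if match else None


def basic_auth_accepted(url, username, password, timeout=3):
    """True if the URL answers 200 to HTTP Basic auth with these credentials."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = Request(url, headers={"Authorization": "Basic " + token})
    try:
        with _opener.open(req, timeout=timeout) as resp:
            return resp.status == 200
    except HTTPError as err:
        if err.code in (401, 403):
            return False
        raise


def check_default_credentials(base_url, known_serial=None,
                              config_path="/config", username="administrator"):
    """Commissioning check: is the config page still open with the vendor default
    (password == serial)?  known_serial comes from the inventory or device label."""
    with _opener.open(base_url + "/", timeout=3) as resp:
        home = resp.read().decode(errors="replace")
    page_serial = extract_serial(home)
    candidates = dict.fromkeys(s for s in (page_serial, known_serial) if s)
    accepted = any(basic_auth_accepted(base_url + config_path, username, s)
                   for s in candidates)
    return {"serial_on_home_page": page_serial is not None,
            "default_password_accepted": accepted}


class MockAdapter(BaseHTTPRequestHandler):
    """Constructed stand-in for a web-managed adapter; not a real vendor device."""
    serial = "1234567"
    admin_password = "1234567"  # shipped default: password == serial number
    show_serial = True

    def do_GET(self):
        if self.path == "/":
            shown = f"<p>Serial Number: {self.serial}</p>" if self.show_serial else ""
            self._reply(200, "<h1>Adapter</h1>" + shown)
        elif self.path == "/config":
            expected = "Basic " + base64.b64encode(
                f"administrator:{self.admin_password}".encode()).decode()
            if self.headers.get("Authorization") == expected:
                self._reply(200, "<h1>Device Identity</h1>")
            else:
                self._reply(401, "", {"WWW-Authenticate": 'Basic realm="adapter"'})
        else:
            self._reply(404, "")

    def _reply(self, code, body, extra_headers=None):
        data = body.encode()
        self.send_response(code)
        for name, value in {"Content-Type": "text/html",
                            "Content-Length": str(len(data)),
                            **(extra_headers or {})}.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep stderr quiet
        pass


def start_mock_adapter(serial, admin_password, show_serial):
    """Serve a MockAdapter variant on a free localhost port -> (server, base_url)."""
    handler = type("Adapter", (MockAdapter,), {"serial": serial,
                   "admin_password": admin_password, "show_serial": show_serial})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def run_demo():
    """Check three device states; only the changed password should pass."""
    scenarios = {  # label: (admin password, serial shown on home page)
        "as_shipped": ("1234567", True),
        "serial_hidden_only": ("1234567", False),
        "password_changed": ("Tq9!v4pX_long", True),
    }
    results = {}
    for label, (password, show) in scenarios.items():
        srv, url = start_mock_adapter("1234567", password, show)
        try:
            results[label] = check_default_credentials(url, known_serial="1234567")
        finally:
            srv.shutdown()
            srv.server_close()
    return results
```

The three scenarios in run_demo make the point of the paragraph above: the device as shipped fails, the device whose home page was edited but whose password was left alone still fails once the inventory serial is tried, and only the device with a changed password passes. Against a real device, run such a check only with the owner's authorisation and during commissioning or a maintenance window, not on a live plant.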
With this, it is required that vendors, contractors, and operators
- introduce Security-by-Design and Cyber Risk Management in their design standards
- introduce Security Gates in their design processes
- extend handover and acceptance procedures with security requirements
to make sure that at least basic security requirements are met, so that the safety of the systems is not compromised by IT vulnerabilities.
That’s it for today, and for this year. I will take a Christmas break.
A merry Christmas to you all
and the best wishes
for health, happiness and prosperity
in the New Year.