Lack of security at Level 0/1: problem of awareness or unwillingness to change priorities?

To be honest I was planning to write about unintentional cyber incidents in critical infrastructure and the need to pull away some of our attention from the sexy topic of cyber-attacks and cyber kill-chains.  I changed my mind when I read Dale Peterson’s informative article on Awareness Of Purdue Level 0 and 1 (In)Security” and decided to write this first. The topic is of interest to me since 2017 when I served on an International Society for Automation (ISA) Committee 99 task group to look into the issue of Level 0/1 device security*.

Dale begins by making a very good point- Solving a problem typically begins with awareness that there is a problem.  He points out that one industry opinion leader has been conducting a “content blitz” on the lack of security in Level 0/1 devices and the engineering communities’ apparent lack of awareness.  Dale points out the results of a survey that indicates that yes, the engineering community is fully aware and supports his belief that this is “common knowledge in the ICSsec community and the only disagreements are the prioritization” amongst a list of other concerns.  The sense I get from this is that some in the community are saying yeah L0/1 is not secure, so what?

I think Joe Weiss and Dale Peterson represent two opposite poles.  Mr. Weiss on one side seems to see a long dark tunnel ahead while Mr. Peterson sees the light at the end of it.  Mr. Peterson’s view seems most attractive for it supports the view of a “silver lining” that things are getting better.  On the other hand, I am confronted with examples, which tell me that something from the dark side is slipping by the “see a silver lining” approach.

Awareness of a problem is not very useful if one does nothing about it.  The motivation to do nothing can come in part from concerns for the added time and costs involved in designing, buying and installing ICS that has security built into it.  It is hard for someone who is aware and concerned to convince a decision maker who can approve an expensive procurement that this must be bought when things are running well enough as they are.   This in my mind is asking for trouble.  In terms of patching and updating ICS I have heard from more than one plant engineer that “patching is an unacceptable industrial risk” or “we do not patch since all our ICS is behind a sturdy firewall”.  This kind of awareness lacks imagination and may lead to a dead end in terms of addressing the dynamic nature of cyberspace.

The word “cyberg” comes to mind.  It comes from two words “cyber” and “iceberg”. There is a website dedicated to this word.  There are several definitions provided and the one I like best seems to describe how awareness of a problem leads to no action.  I think of the captain of the H.M.S Titanic who perhaps because of the interests of the owners for a successful first voyage chose for some reason to ignore the warnings of fellow ship captains in the area who reported icebergs in their path and will stop sailing for the night.  This seems to apply to the security debate on Level 0/1.  If there is an awareness of the danger at Level 0/1 then something should be done about it rather than say there are other more pressing priorities.  Sensors are important to industrial operations and they are the point of contact where data from a physical process is sent to the ICS.  If intentionally compromised, the consequences can be fatal to people, property and the environment.  The same applies to the case of an unintentional sensor failure, which the Boeing 737 Max crashes tragically illustrate.  Sadly, it was only after a tragic accident when action was taken to correct the problem.

I would propose that we heed the warnings of Joe Weiss and proceed with Dale Peterson’s optimism in seeking a timely (without delay) and appropriate solution before a cyberg event forces the recognition on us that the problem needs to be moved up the priority list.

  • Our task group concluded that there were serious cybersecurity issues at Level 0/1. It gets even more complicated. Remember very well one plant engineer pointing out that adding a security feature to an installed device will harm (slow down) its signaling. One of our recommendations to the workgroup was : the need to provide guidance for how new devices with the capability of meeting 62443 standard requirements should interface with legacy devices that cannot meet those requirements.

NOTE: The views expressed within this blog entry are the authors’ and do not represent the official view of any institution or organization affiliated thereof. Vytautas Butrimas has been working in information technology and security policy for over 30 years. Mr. Butrimas has participated in several NATO cybersecurity exercises, contributed to various international reports and trade journals, published numerous articles and has been a speaker at conferences and trainings on industrial cybersecurity and policy issues. Has also conducted cyber risk studies of the control systems used in industrial operations. He also collaborates with the International Society of Automation (ISA) and is member of ISA 99 Workgroup 13 that is developing Micro Learning Modules on the ISA 62443 Industrial Automation and Control System Security Standard and Workgroup 14 on security profiles for substations.

Related posts