Can We Trust Control Systems Networks?

Deputy National Security Advisor for Cyber and Emerging Technology, Anne Neuberger, was quoted by Adam Mazmanian in FCW on April 8, 2021 saying

“We picked control systems because those are the systems that control water systems, power systems, chemical systems, across the U.S. And we’re seeking to have visibility on those networks to detect anomalous cyber behavior and block anomalous cyber behavior…”

She was further quoted in the article with

“Today, we cannot trust those systems because we don’t have the visibility into those systems,[…]And we need the visibility of those systems because of the significant consequences if they fail, or if they’re degraded. So that’s the threshold of success we seek from a cyber perspective, and there are many efforts that we’ll need to do to get there.”

First, Who is this “We” that Ms. Neuberger speaks of? Is it the National Security Council? Is it the Department of Homeland Security Cyber Security and Infrastructure Agency? Is it a SOC at the company? Or perhaps it’s merely an OT office at a company that is obligated to make reports to some Federal Entity?

No matter who it is, I need to challenge all the people who say “We Lack Visibility” with “If you had visibility, what would you do with it?” and “How will you protect these networks from the fallible systems that may be there to “secure” these networks?” Are you going use your powers of clairvoyance, put on a superhero costume and swoop on to the plant to save the hapless Operations staff from Dr. Eva Hacker?

Let me back up and give you gentle readers a bit of a reminder of what already exists: Most PLC hardware have network bandwidth monitoring built in. These are conveyed to registers or tags inside the PLC to enable the automation to recognize when it has a degraded network. They can also be sent to an HMI, though most system designers do not bother to do so. If there is no requirement, it doesn’t happen, and even if they did this work for free, the chance that operators would act what they’re seeing with this information are slim to none. They need training and instructions on what to do. Right now, there is no mandate for this. Like many such ideas, unless it’s part of a requirement from someone in authority or some agency, it isn’t going to happen.

We could specify certain features to add to a PLC for additional monitoring. We could also insert extra scanning equipment in to a control system network that would tattle on exactly what is going on. But there is a problem. Would anyone outside the operations staff understand what they’re seeing?

I will further point out that because the equipment is powered at various cabinets next to the process, if the process power is turned off, the equipment itself will be powered off. This is perfectly fine. The thing that is being controlled isn’t there, so why bother keeping the controllers live?

Most of my regular readers are also familiar with the question of “if a PLC goes in to program mode, is it malicious or not?” and also, “how do the keys get to the PLC or RTU, and how can we trust those keys? And that there are no other keys?”

This frustrates many Security people who come from the IT world because they feel they’re missing something huge. Well, in truth, they are. It’s called ENGINEERING!

Engineers can tell you if that power going down is normal or not. The Superintendents, Engineers, and Operators know who is working where and can tell you if that Program mode is expected or not. And only Engineers and Operators can tell you what’s going on if the state estimator, mass balance model, or instrumentation cross checks don’t add up.

Many shutdowns occur due to routine problems such as excessive vibration, clogged valves, low lubricant levels, failed instruments, and so forth. This has ramifications to the lower layer networks.

The point is that if you want the story about why you see what happens on those PLC and I/O networks, you’d better be ready to talk to the plant, transmission, or distribution staff. This isn’t some isolated static network. It is part of a much larger, living industrial process. You cannot separate the two.

So Ms. Neuberger, the issue isn’t whether you trust the networks at the PLC layers and below. It is whether you trust the Superintendent, Engineers, and Operators. If you feel there is a need to see what’s going on in those lower layers, you’d better include these people, the training requirements, and the reporting framework, or you won’t have enough information for it to make any sense.

That’s why you can’t trust those networks.

(Hat Tip to Marc Ayala for posting the FCW article on LinkedIn)

Postscript: the FCW article can be found here: and the actual interview is at after the 26 minute mark for the quotes cited by this blog.

With more than 30 years experience at a large water/wastewater utility and extensive experience with control systems, substation design, SCADA, RF and microwave telecommunications, and work with various standards committees, Jake still feels like one of those proverbial blind men discovering an elephant. Jake is a Registered Professional Engineer of Control Systems. Note that this blog is Jake's opinion ONLY. No Employers, past or present were ever consulted with regard to these posts. These are Jake's notions. Don't blame anyone else for them.