If you can’t trust what you measure, there is no cyber security, resiliency, process safety, productivity, or predictive maintenance in any critical infrastructure or cyber-physical system. Process sensors have no cyber security or authentication yet use remote access extensively as documented in the process sensor vendors’ specifications. ISA and NIST have identified there is no cyber security in process sensors. However, the CVE process ignores process sensor cyber issues. While cyber defenders continue to consider process sensors to be out-of-scope, offensive cyber organizations have exploited these gaps. Unintentional (e.g., manufacturing flaws or technician errors) and malicious compromise of process sensors (e.g., Stuxnet) have caused catastrophic failures without any cyber indications. As process sensors are engineering and not network devices, process sensors are outside the scope of the CISO, and the VP of engineering needs to be involved. Policy makers need to wake up and understand that cyber secure process sensors are critical to cyber security, safety, and resilience.
