It is not possible to meet Senate cyber disclosure requirements or CISA OT recommendations

I am preparing a presentation on the lack of cyber security in process sensors titled “Shields Up and Good Cyber Hygiene Does Not Apply to Insecure Process Sensors” for a March 10, 2022 seminar. Process sensors have no inherent cyber security and yet have hardware backdoors directly to the Internet. The cyber security gap includes no capability for passwords, single-factor (much less multi-factor) authentication, encryption, keys, signed certificates, etc. Despite the lack of any cyber security, these devices are the 100% trusted input to OT networks and manual operation. Moreover, process sensors have no cyber forensics.

Shields Up recommends conducting a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted. However, process sensors have no cyber security or authentication and are thus untrusted during all conditions. Recently, a sensor monitoring project discovered that process sensors were not working, yet the HMI displays showed the process appeared to be working properly.

The impact of the inoperable sensors was a loss of both quantity and quality of the product, which could have safety implications. Consequently, there is a need to develop training, recommendations, and standards for these critical, but unprotected devices. Using appropriate monitoring and analytics can help improve cyber security, process safety, product quality, and regulatory compliance.

