Editor's Note: As we wind down Cybersecurity Awareness Month, ISAGCA continues to provide a collaborative forum to advance cybersecurity awareness, education, readiness, and knowledge sharing. A critical part of this awareness is that it allows organizations to focus on and understand the intersection of safety with cybersecurity. The following work from LOGIIC reinforces this relationship in its report "Project 12 Safety Instrumentation."
The Linking the Oil and Gas (O&G) Industry to Improve Cybersecurity (LOGIIC) consortium was established in partnership with the U.S. Department of Homeland Security (DHS) Science and Technology (S&T) Directorate to review and study cybersecurity issues in industrial control systems (ICS) that impact safety and business performance as they pertain to the O&G sector. Project 12 was conducted during 2020 and focused on the security and management of safety instrumentation. The project revealed numerous consequential and recurring findings that indicate a pervasive industry-wide security problem in safety systems. This report documents key findings and recommendations for asset owners, vendors, and standards bodies.
ICSs use safety instrumented systems (SISs) to monitor operations and take automated actions to maintain a safe state when abnormal conditions occur. Instruments such as transmitters, valve controls, and fire and gas detectors provide critical inputs and controls to safety system function. In recent years, instruments have been modernized to provide smart features such as partial stroke testing for valves.
Smart instruments are typically connected to the SIS using direct cabling and communicate via analog signals. Smart data is superimposed over analog communications using the Highway Addressable Remote Transducer (HART) protocol. This protocol enables systems to read data from instruments and modify their configurations and states as part of normal operations. HART data can be accessed by local handheld devices, through pass-through SIS I/O cards, or with a HART data multiplexer (MUX). In the latter two cases, an instrument or asset management system (IMS/AMS) can interact with and configure safety instruments using the HART protocol over an internet protocol (IP)-based network using HART-IP or SIS proprietary protocols. While the earlier LOGIIC Project 5 focused on wireless HART and handheld devices, Project 12 focused exclusively on wired HART, HART-IP, SIS proprietary protocols, and the use of an IMS/AMS.
The lack of built-in security features in the HART protocol necessitates the use of alternative methods to protect devices from unauthorized modifications. Protections considered under Project 12 included a hardware write-protect switch on the instrument, a software-based write-protect password or pin code on the instrument, password on the IMS/AMS (or its underlying operating system platform) that remotely manages the instrument, and a variety of disparate protections provided by various SIS solutions.
Project 12 defined and used a threat model in which the attacker sought to compromise an IMS/AMS and use that platform to make unauthorized changes to the configuration of safety instruments. Unauthorized changes considered by Project 12 were those that could result in unsafe operating conditions, render the instruments inoperable or unable to perform safety functions, and/or take instrument control away from asset owners. These attacker goals were examined in the context of two architectures: 1) the IMS/AMS controls instruments through a MUX and 2) the IMS/AMS controls instruments through an SIS.
Four individual assessments were planned based on the threat model, industry protection mechanisms and architectures, and a sampling of vendor products typically found in O&G sector operations. Attack avenues considered included malicious and unwitting insiders and supply chain attacks. Each assessment was conducted as a partial-knowledge test with full cooperation from the vendors.
Concerted adversaries have ample time and resources to analyze vendor products, which enables them to discover undocumented commands and vulnerabilities that can be used in attacks. In contrast, Project 12 was limited in both time and scope. Each assessment was conducted over the course of a few months using publicly available information and several weeks of hands-on testing, and was constrained by defined rules of engagement (RoE). Even with these limitations, Project 12 uncovered numerous consequential and recurring exploitable weaknesses across individual assessments that indicate a systemic and pervasive industry-wide problem. This issue is mainly a consequence of four critical findings: 1) some safety system designs allow unchecked HART passthrough, 2) the current HART and HART-IP protocols have no built-in security, 3) devices do not authenticate the sources of received HART commands and many have bypassable write-protections, and 4) the industry uses unverified third-party software downloaded from the Internet.
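Findings 2 and 3 above mean a field device will execute any well-formed HART command whatever its source, so the practical place to notice an unauthorized configuration write is the link that carries it (a mirrored serial path or the pass-through leg of a HART-IP session). The following is an added example, not code from the LOGIIC report or from any vendor product: it decodes wired-HART frames (delimiter, short or 5-byte unique address, command, byte count, data, XOR checksum), sorts commands into read/write using the universal and common-practice command numbers, and raises an alert for any write seen while no approved change window is open. The frames, the device unique ID and the change-window flag are all constructed for the example; a real monitor would add each vendor's device-specific write commands.

```python
"""Wire-side detection of HART configuration writes (added example, constructed traffic)."""

# Delimiter byte: bit 7 = long (5-byte unique) address, bits 0-2 = frame type.
FRAME_BURST = 1
FRAME_STX = 2   # master -> field device
FRAME_ACK = 6   # field device -> master

# Universal/common-practice commands that change device configuration or state.
# A real monitor would extend this with the device-specific commands from each
# vendor's device description.
WRITE_COMMANDS = {
    6: "write polling address",
    22: "write long tag",
    34: "write PV damping value",
    35: "write PV range values",
    36: "set PV upper range value",
    37: "set PV lower range value",
    40: "enter/exit fixed current mode",
    42: "perform device reset",
    43: "set PV zero",
    44: "write PV units",
    45: "trim loop current zero",
    46: "trim loop current gain",
    47: "write PV transfer function",
    51: "write dynamic variable assignments",
    109: "burst mode control",
}


def build_frame(cmd, data=b"", unique_id=(0x26, 0x51, 0x00, 0x12, 0x34),
                frame_type=FRAME_STX, primary_master=True):
    """Construct a long-frame HART PDU (used here only to make sample traffic)."""
    delim = 0x80 | frame_type
    first = unique_id[0] & 0x3F            # bits 0-5 of byte 0: expanded device type
    if primary_master:
        first |= 0x80                      # bit 7: primary master
    addr = bytes([first, *unique_id[1:]])
    body = bytes([delim]) + addr + bytes([cmd, len(data)]) + data
    chk = 0
    for b in body:
        chk ^= b                           # HART checksum: XOR of delimiter..data
    return b"\xff" * 5 + body + bytes([chk])


def parse_frame(raw):
    """Decode one HART frame and verify its checksum; raise ValueError if malformed."""
    i = 0
    while i < len(raw) and raw[i] == 0xFF:  # strip preamble bytes
        i += 1
    frame = raw[i:]
    if len(frame) < 4:
        raise ValueError("frame too short")
    delim = frame[0]
    addr_len = 5 if delim & 0x80 else 1
    if len(frame) < addr_len + 4:
        raise ValueError("frame too short for address")
    addr = frame[1:1 + addr_len]
    cmd = frame[1 + addr_len]
    count = frame[2 + addr_len]
    data_start = 3 + addr_len
    data = frame[data_start:data_start + count]
    if len(data) != count or len(frame) < data_start + count + 1:
        raise ValueError("byte count does not match frame length")
    chk = 0
    for b in frame[:data_start + count]:
        chk ^= b
    if chk != frame[data_start + count]:
        raise ValueError("checksum mismatch")
    return {
        "frame_type": delim & 0x07,
        "address": addr.hex(),
        "primary_master": bool(addr[0] & 0x80),
        "command": cmd,
        "data": data,          # for ACK frames the first two bytes are status
    }


def classify(pdu):
    """'response' for device->master traffic, otherwise 'write' or 'read'."""
    if pdu["frame_type"] != FRAME_STX:
        return "response"
    return "write" if pdu["command"] in WRITE_COMMANDS else "read"


def audit(frames, change_window_open=False):
    """One alert per write command seen outside an approved change window, and one
    per frame that fails to parse (a malformed frame on a safety loop is itself notable)."""
    alerts = []
    for raw in frames:
        try:
            pdu = parse_frame(raw)
        except ValueError as exc:
            alerts.append(f"malformed frame: {exc}")
            continue
        if classify(pdu) == "write" and not change_window_open:
            alerts.append(f"cmd {pdu['command']} ({WRITE_COMMANDS[pdu['command']]}) "
                          f"to device {pdu['address']} outside change window")
    return alerts


if __name__ == "__main__":
    # Constructed traffic: a routine PV read followed by a range-value write.
    sample = [build_frame(1), build_frame(35, bytes([0x0C]) + b"\x00" * 8)]
    for line in audit(sample):
        print(line)
```

The design point is that the device itself gives the monitor nothing to go on: no sender identity, no signature. The alert therefore keys off what the protocol does expose (command number, target address, timing relative to an authorized change) and treats the change window as the only authorization signal. Responses (ACK frames) are deliberately left unflagged so that the monitor reports the request, not the device's reply to it.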
Successfully demonstrated attacks used a number of commonly available attacker tools and exploited common-knowledge architectural weaknesses that were present in all four assessments. These attacks required a low to moderate level of effort to exploit and included effects that can significantly impact device safety function.
Project 12 also exposed the risks associated with the two architectures and determined the circumstances under which each architecture poses the least risk. Key findings include:
Critically, Project 12 concluded that the safety environment is vulnerable to malicious attacks that may be undetectable in practice and that extreme caution should be taken before installing any software, which could introduce malware into the process control network (PCN). We cannot sufficiently emphasize the severity of this vulnerability.
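Finding 4 (unverified third-party software) and the caution above about installing anything on the PCN come down to one question: is the file that was downloaded the file the vendor published? As an added example, not code from the LOGIIC report or from any vendor, the block below checks a staging directory against a vendor-published manifest of SHA-256 digests and refuses the install if any file is altered, missing, or not in the manifest at all. It assumes the manifest itself arrived over a channel you trust (for instance a vendor-signed release page); the file names, contents and digests are constructed for the example.

```python
"""Check staged installer files against a published hash manifest (added example)."""
import hashlib
import hmac
import pathlib
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large installers do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_manifest(manifest, staging_dir):
    """Compare every staged file to the manifest and sort them into four verdicts.

    manifest: {file name: expected SHA-256 hex digest} as published by the vendor.
    """
    root = pathlib.Path(staging_dir)
    result = {"ok": [], "mismatch": [], "missing": [], "unexpected": []}
    staged = {p.name for p in root.iterdir() if p.is_file()}
    for name, expected in manifest.items():
        if name not in staged:
            result["missing"].append(name)
            continue
        actual = sha256_file(root / name)
        # Constant-time comparison; the habit matters wherever a comparison
        # result can be observed by someone else.
        if hmac.compare_digest(actual, expected.lower()):
            result["ok"].append(name)
        else:
            result["mismatch"].append(name)
    # Anything on disk that the vendor never listed is as suspect as a bad hash.
    result["unexpected"] = sorted(staged - manifest.keys())
    for key in ("ok", "mismatch", "missing"):
        result[key].sort()
    return result


def approved_for_install(result):
    """Only a staging area that matches the manifest exactly may go onto the PCN."""
    return not (result["mismatch"] or result["missing"] or result["unexpected"])


def demo():
    """Constructed staging area: one good file, one altered, one extra, one absent."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        good = b"vendor DTM package v1.0 (constructed content)"
        (root / "dtm_package.bin").write_bytes(good)
        (root / "release_notes.txt").write_bytes(b"altered after publication")
        (root / "helper_tool.exe").write_bytes(b"not listed in the manifest")
        manifest = {  # constructed digests standing in for the vendor's published list
            "dtm_package.bin": hashlib.sha256(good).hexdigest(),
            "release_notes.txt": hashlib.sha256(b"original notes").hexdigest(),
            "license.txt": hashlib.sha256(b"never downloaded").hexdigest(),
        }
        result = verify_manifest(manifest, root)
        return result, approved_for_install(result)


if __name__ == "__main__":
    verdicts, approved = demo()
    for category, names in verdicts.items():
        print(f"{category:10s} {names}")
    print("approved for install:", approved)
```

The all-or-nothing rule in `approved_for_install` is the point: a package with one extra or one altered file is treated as a different package, not as "mostly fine". A digest check only proves the download matches what was published, so it complements, and does not replace, vendor signature verification and the change-management step that decides whether the software belongs on the PCN at all.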
LOGIIC recommends a roadmap of mitigations to reduce risk to asset owners over the short, mid, and long terms (Figure 1). Safety system owners should immediately:
Based on Project 12 findings, these mitigations will substantially reduce the risk to safety systems. In the mid-term, LOGIIC recommends that safety system owners:
Longer-term fixes should address larger issues that require vendor product and industry-level changes. These include implementing the secure HART-IP protocol that was included in the HART Network Management Specification published in July 2020.
The full report includes additional findings and recommendations for asset owners, product vendors, and standards bodies. By providing these project outputs, LOGIIC hopes to help improve the overall security posture of all ICS stakeholders.