When safety instrument control goes rogue

The Linking the Oil and Gas Industry to Improve Cybersecurity (LOGIIC)
consortium works in partnership with the U.S. Department of Homeland Security (DHS) Science and Technology (S&T) Directorate to study cybersecurity issues in Industrial Control Systems (ICS) that could impact safety and business performance in the oil and gas sector. LOGIIC Project 12 was conducted during 2020 and focused on safety systems instrumentation and the management of that instrumentation. The project revealed numerous consequential and recurring findings that are indicative of a pervasive industry-wide security problem in safety systems.

ICSs use safety instrumented systems (SISs) to monitor operations and take automated actions to maintain a safe state when abnormal conditions occur. Instruments such as transmitters, valve controls, and fire and gas detectors provide critical inputs and controls to safety system function. In recent years, instruments have been enhanced to provide smart features such as plugged sense-line detection for transmitters and partial stroke testing for valves.

Smart instruments are typically connected to the SIS using direct cable and communicate via analog signals. Smart data is superimposed over analog communications using the HART protocol, which supports the ability to read data from instruments and modify their configuration states as part of normal operations. HART data can be accessed by local handheld devices, through pass-through SIS I/O cards, or with a HART data multiplexer. In the latter two cases, an Instrument Maintenance System (IMS) or an Asset Management System (AMS) can interact with and configure safety instruments using the HART protocol over an IP-based network. While the earlier LOGIIC Project 5 focused on wireless HART and handheld devices, Project 12 focused exclusively on wired HART-IP and the use of an IMS or AMS for instrument management.

Because the HART protocol has no inherent security features, the industry uses alternative methods to protect devices from unauthorized modifications. Protections considered under Project 12 were a hardware write-protect switch on the instrument, a write-protect password or code on the instrument, a password on the IMS/AMS (or its underlying operating system platform) that remotely manages the instrument, and a variety of disparate protections provided by various SIS solutions.

Project 12 defined and used a threat model wherein the attacker sought to compromise an IMS or AMS and use that platform to make unauthorized changes to the configuration of safety instruments. Unauthorized changes considered by Project 12 were those that could result in unsafe operating conditions, render the instruments inoperable or unable to perform safety functions, and/or take instrument control away from asset owners. These attacker goals were examined in the context of two architectures: 1) the IMS/AMS controls instruments through a multiplexer (or MUX) and 2) the IMS/AMS controls instruments through an SIS.

Using the threat model and industry protection mechanisms and architectures, four individual assessments were planned using a sampling of vendor products typically found in oil and gas sector operations. Attack avenues considered included malicious and unwitting insiders and supply chain attacks. Each assessment was conducted as a partial-knowledge test with full cooperation from the vendors.

Concerted adversaries have ample time and resources to analyze target vendor products, which enables them to discover undocumented commands and vulnerabilities that may be used in attacks. In contrast, Project 12 was limited in both time and scope. Each assessment was conducted over the course of a few months, with several weeks of hands-on testing, and bound by defined rules of engagement. Even with the limited time and scope, Project 12 discovered numerous consequential and recurring findings across the individual assessments that are indicative of a pervasive industry-wide security problem. In addition, Project 12 exposed the risks associated with the two architectures and determined the circumstances under which each architecture poses the least risk.

This talk at the DHS CISA sponsored Industrial Control Systems Joint Working Group (ICSJWG) in Spring 2021 presented Project 12’s key findings, recommendations, and takeaways for asset owners, vendors, and standards bodies. By providing these project outputs, LOGIIC hopes to help improve the overall security posture of all ICS stakeholders.
