Dragos Collaboration with LOGIIC Delivers Final Report on Sensor Cybersecurity
Back in March 2019, Dragos and other security researchers were recruited by LOGIIC to support a new research project (aka Project 12) to help the industry understand the vulnerabilities and risks associated with the instrumentation used in safety-critical systems. Midway through the project, Dragos released a blog post providing some background and early insight into Project 12. Although the research was partially delayed by COVID-19, the work is now complete, and LOGIIC has released the final report, which can be accessed here: https://www.isa.org/standards-and-publications/isa-standards/logiic
LOGIIC (Linking the Oil and Gas Industry to Improve Cybersecurity) is a consortium run as a public-private partnership between the U.S. Department of Homeland Security’s Science and Technology Directorate and member organizations drawn from the international oil and gas sector.
As part of Project 12, Dragos security researchers examined the risk of manipulating sensors and transmitters from various vendors to determine whether it is possible to compromise the integrity of the data interpreted by safety instrumented systems (SISs), the level of sophistication such manipulation requires, and its consequences for the overall process and for safety.
The focus of Project 12 was on researching vulnerabilities in intelligent sensors and transmitters that support the Highway Addressable Remote Transducer (HART) protocol (serial data signals superimposed on the analog 4-20 mA signal). HART instruments are often configured and managed by an Instrument Maintenance System (IMS) or Asset Management System (AMS), which are typically accessible over TCP/IP networks. The specific threat profile defined for this exercise was based on the impact an adversary could have on field sensors and SISs after compromising an IMS/AMS.
Some of the key observations include:
- Instruments allow several essential modifications which are required by the standard. These modifications can blind operators, and more importantly, safety systems, to the state of the process.
- Instruments that implement security, such as passwords, use proprietary mechanisms, which can be brute-forced and then abused to lock legitimate users out of instrument configuration.
- Instrument vendors often implement critical safety-relevant features using proprietary commands, and it can be challenging to determine what changes are made without vendor-provided documentation.
- If a physical write-protect switch or jumper is present on an instrument, its use is the end user’s best defense against malicious changes identified during our investigation.
The report concludes that safety systems are vulnerable to “malicious attacks and that extreme caution should be taken before introducing any software or hardware, including device type managers (DTMs), that could introduce malware into the process control network (PCN). Safety system owners should immediately verify the pedigree and integrity of all DTMs currently in use. We cannot sufficiently emphasize the severity of this vulnerability to end users.”
The report is intended to guide end-users to fully understand the risks associated with HART-based instrumentation operating in their environment, provide mitigation advice to minimize risks, and provide vendors with suggestions on how they can improve instrumentation technology to address some of the underlying vulnerabilities by incorporating functions such as hardware write-protection mechanisms.
This report further underscores the value of increased visibility and monitoring of critical ICS networks. Many issues identified in the report represent design challenges in the HART protocol where blocking attacks is impossible, but monitoring for suspicious or malicious changes can be achieved.
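As an added illustration of the monitoring point above (example code written for this post, not part of the LOGIIC report or of any Dragos product): parse HART application-layer frames seen on the IMS/AMS path and flag requests that carry configuration or output-affecting commands. It assumes frames with the preamble already stripped and no expansion bytes; the command table covers only a handful of HART universal and common-practice commands, and the device address and traffic are constructed.

```python
# HART commands that change configuration or the 4-20 mA loop output; reads
# such as command 0 (identify) and 1 (read PV) are deliberately absent.
# Command 40 freezes the loop current, hiding the real process state from
# whatever reads the analog signal.
WRITE_COMMANDS = {6: "write polling address", 35: "write PV range values",
                  40: "enter/exit fixed current mode", 42: "device reset",
                  44: "write PV units", 45: "trim loop current zero",
                  46: "trim loop current gain"}

def xor_parity(data: bytes) -> int:
    parity = 0
    for b in data:
        parity ^= b
    return parity

def parse_hart_frame(frame: bytes) -> dict:
    """Parse one HART PDU (preamble stripped) and verify its XOR check byte."""
    delim = frame[0]
    if delim & 0x60:                          # bits 5-6: expansion byte count
        raise ValueError("expansion bytes not supported")  # assumption: none
    cmd_at = 1 + (5 if delim & 0x80 else 1)   # bit 7 set means 5-byte address
    end = cmd_at + 2 + frame[cmd_at + 1]      # index of the check byte
    if len(frame) != end + 1:
        raise ValueError("frame length does not match byte count")
    if xor_parity(frame[:end]) != frame[end]: # check byte = XOR(delimiter..data)
        raise ValueError("check byte mismatch (corrupt or truncated frame)")
    return {"is_request": (delim & 0x07) == 0x02,   # STX = master to device
            "address": frame[1:cmd_at].hex(),
            "command": frame[cmd_at], "data": frame[cmd_at + 2:end]}

def build_frame(delim: int, address: bytes, command: int, data: bytes) -> bytes:
    """Assemble a PDU with a correct check byte (used only to build samples)."""
    body = bytes([delim]) + address + bytes([command, len(data)]) + data
    return body + bytes([xor_parity(body)])

def alerts_for(frames) -> list:
    """One alert per request frame carrying a write command; reads are ignored."""
    out = []
    for f in map(parse_hart_frame, frames):
        if f["is_request"] and f["command"] in WRITE_COMMANDS:
            out.append(f"device {f['address']}: cmd {f['command']} "
                       f"({WRITE_COMMANDS[f['command']]})")
    return out

# Constructed sample: a PV read (cmd 1) followed by cmd 40 forcing the loop to
# 4.0 mA (IEEE-754 float 0x40800000), both sent to the same long-address device.
DEVICE = bytes.fromhex("9a12345678")
SAMPLE = [build_frame(0x82, DEVICE, 1, b""),
          build_frame(0x82, DEVICE, 40, bytes.fromhex("40800000"))]
```

In a real deployment the frames would be lifted from HART-IP or serial captures and each alert compared against the change-management record for that instrument; a write with no matching work order is the event worth investigating.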