A poignant reminder this week that safety products and SIL ratings do not consider malicious attacks or even accidental spurious data. The CoDeSys development system is SIL2 certified, and they produce something called CoDeSys Safety that is SIL3 certified. Feel safer?
DHS’s ICSJWG (still hard to believe that acronym) is holding their Spring Meeting May 6-9 in Phoenix. The Call for Papers/Abstracts is open now until Feb 22nd. It’s a good event, free, and something you should attend about once every two years.
Wired named Eugene Kaspersky as the 8th most dangerous person in the world. The reason, he “systematically identified each of Washington’s malware projects — and in so doing, rendered the Stuxnet, Flame, and Duqu espionage programs useless.” Followed by the real controversial statement “All of which now has Western intelligence services scratching their heads. Did Kaspersky’s researchers operate on their own when they outed all that anti-Iran malware? Or did they pull it off with some Kremlin help?”
The University of Notre Dame included “Hacking Into Medical Devices” in their first annual List of Emerging Ethical Dilemmas and Policy Issues in Science and Technology. They use Barnaby Jack’s shocking pacemaker hack as the example.
President Obama released the National Strategy for Information Sharing and Safeguarding Information (pdf). Many believe this is a key or even the key to making progress in ICS security, but loyal blog readers know I believe information sharing efforts are a sideshow or will have a minor impact at best. Jump straight to the objectives on pages 14 and 15 and decide for yourself whether this document and strategy have value.
FERC officially revised the bulk electric system definition, which is what they regulate. Pull quote: “While speed is relative, it is worth noting that in about two years, we have moved from Order No. 743, which directed NERC to revise its definition of bulk electric system, to today’s Final Rule”.
Tweet of the Week
Don’t forget to subscribe to this blog RSS feed and follow @digitalbond.com on twitter.

Worth Reading Articles
- Felix “FX” Lindner’s Targeted Industrial Control Systems Attacks (He says Stuxnet is a showcase in good engineering)
- US Army War College Breaking The Status Quo: Information and the Future Force
Critical Intelligence’s ICS Security Event Calendar Updates
Nothing new this week
Critical Intelligence provides reports and other information products on Cyber Situational Awareness and Threat Intelligence services for Industrial Control System Owner/Operators, Vendors and Government stakeholders.
Image by dannynorodo

I think you misunderstand the intent of SIL and PFD calculations, and suggest reading IEC 61508 when you have a chance (though it is some pretty dry reading!!!).
Is it equally cause for panic if you can just walk up and disconnect power to an SIS causing it to malfunction???
The beauty of SIL calculations within an implemented SIF when following IEC 61511 is that it looks at the “complete loop” including all connected components (sensors, logic solver, actuators, engineering functions, etc.). That is why it has been difficult to find vulnerabilities with SIS to date … though I am not saying that it is impossible.
This is one reason I endorse IEC 62443 (formerly ISA 99) and creation of Security Assurance Levels (SAL) applied to Security Zones and Conduits. This step will shift those from looking at individual components (and in turn trying to secure individual components) to the “overall system” in which those systems are integrated and interconnected (and therefore securing these Zones and Conduits) – because this is what we are trying to secure in the first place!
Merry Christmas and a Safe and Secure New Year!
Joel – ISA99 has been struggling mightily with the SAL. They were pursued because of the success of SIL in the safety world. Everyone likes the idea that you can say my system needs SAL x and buy and deploy a system at that level. The SAL has to deal with threat / malicious intent that is very difficult to do with any rigor if you don’t have good data. Even with data it would be difficult.
We have had some good SIL/SAL presentations at S4 from Bryan Singer, Dennis Holstein and others. At the last S4, Dennis Holstein expressed doubt that a SAL would be accomplished by ISA 99 in any meaningful way (see http://vimeopro.com/s42012/s4-2012/video/41086403). This was quite shocking to me because Dennis has been one of the major proponents of SAL, has actually tried to accomplish it by writing multiple drafts of text in the relevant ISA99 standard, and is about as wired into ISA/IEC as anyone.
All that said, SAL is a hard but worthwhile effort. Even something less than perfect would be a major accomplishment.
I have to disagree with your comment that safety systems are more secure. The main reason you haven’t seen more published vulns is it is harder for researchers who publish to get their hands on these, and the fact that safety systems are separate from DCS/SCADA and other ICS is less well known by the researchers.
Have a private discussion with the Wurldtech guys sometime on safety controllers. They have tested a lot of them, and to their credit a number of vendors have made corrections and gotten Achilles certification. Most of the safety systems also have the insecure by design problems of the control system PLCs.
Dale, I believe we all know that security and safety, though they work toward the same ends, are different creatures. Just because a controller is rated for SIL applications does not imply a damned thing about how secure it may be.
I was very vocal and open about my objection to the whole Security Assurance Level concept. The attack profiles against security systems are NOT random. We are not dealing with reliability here, we’re dealing with methods of attack.
We cannot assure anything with security. We can attest a defense against some form of attack. This becomes a layer, not a level. We are dealing with Security Attestation Layers. Furthermore, there are dimensions to this concept. There are dimensions from a network perspective, from a programming perspective, from a physical perspective, and I’m sure we could think of a few more if we tried.
The existing approach by 62443 is, in my opinion, a concept so broken that it would have been better that they threw out the SAL effort and started over. That is why I voted against it. I didn’t make any friends with that approach, but it had to be said. I am not one to admire the Emperor’s New Clothes. If a concept is devoid of a viable framework I’ll speak my mind.
Maybe some day they’ll morph toward my way of thinking, but that will take a long time. In the meantime, people purchasing secure devices will continue to be very puzzled as to why they continue to be hacked.
Jake – You say we all know, but there is a big push to integrate control and safety systems by some vendors, consultants, owner/operators … Sometimes this integration is even using the same backplane in a PLC.
I’m not sure that everyone who does this really understands that the SIL does not deal with directed attacks intentionally attempting to affect the availability and integrity of the safety component or system.
LOGIIC did an investigation and report on control and safety integration but they chose to not make serious recommendations and just show some different models and discuss risk.
The control / safety interconnection has value in sharing safety system status with the control center, and this is an ideal place for a one-way device that allows this sharing without putting the safety system at risk.
I’ve seen that push even before 2000, Dale; and I fight it tooth and nail every step of the way. I thought such integration was a foolish idea from the start and it hasn’t gotten any better with age.
First, I am not a fan of active safety systems. Most processes have ways of doing passive safety and that’s usually the way I go.
Second, where active safety systems are warranted, I am VERY conservative about the components I choose. Using a PLC to effect active safety is not my idea of simplicity.
Third, if someone is so cavalier about safety that they would attach a network or use the same back-plane as that safety PLC, game over. I walk out with my PE stamp in hand. I will not approve such stupidity.
The point of a safety system, particularly an active safety system, is that it should be independent of all other things. It should send a watchdog timer contact closure to you to let you know that all is well.
I have a saying: Designs with sharp pencils break just as easily. Going cheap on safety is almost never a good idea.
SIL is not just a measure of the reliability of a controller (SIS), but rather the overall situation such that it does not place the plant under control in an unpredictable or unsafe state in the event of a failure. This means that the controller’s primary objective is to make sure that (a) the device is capable of performing its safety functions when called upon, and (b) the outputs are placed in a fail-safe mode in the event of failure. The probabilistic calculations of whether or not this occurs are what drive the SIL of the device. Again, the logic solver is only one part of the overall calculation that determines the SIF’s SIL as implemented and installed. This is why you can spend tens of thousands of dollars on some SISs (those that possess features of high-availability along with fail-safe functionality) and just a couple thousand dollars on others (those that provide sufficient diagnostic coverage but do little for the availability of the system). Different clients have different needs, and that is why there is such a wide range of equipment available.
I have been involved in the discussions of “integrated” versus “interfaced” versus “consolidated” BPCS and SIS discussions for what … about 15 years now. One thing you must remember is that it is END-USERS that have driven this technology development, and these end-users are responsible for implementing their own overall risk management strategy.
Dow Chemical is one of the leading companies in both ISA SP99 and SP84, and also one of ABB’s leading users. ABB was also one of the first companies to offer their clients a TUV certified common hardware platform that can host SIS and BPCS functions which was heavily influenced by Dow (http://www.controlglobal.com/industrynews/2009/075.html and http://www.abb.com/cawp/seitp202/275AC9A14F5C6F69C1256FA90060650B.aspx). To ABB’s credit, they also offer their customers a choice of an SIS that can be implemented in a standalone manner or simply “interfaced” to the overall ICS.
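The “complete loop” PFD arithmetic that the SIL discussion in this thread keeps returning to, as an added example that is neither the blog’s nor any commenter’s code. The failure rates and proof-test intervals below are constructed for illustration; the 1oo1 and 1oo2 formulas are the simplified low-demand approximations from IEC 61508-6 (beta-factor common-cause model), and the SIL bands are the low-demand PFDavg ranges from IEC 61508-1. Every input to the model is a random hardware failure rate: there is no term anywhere for a directed attack on the logic solver or its network, which is the point the post’s opening remark and Dale’s comment on SIL make.

```python
"""
Simplified IEC 61508/61511 low-demand PFDavg calculation for one safety
instrumented function (SIF) loop: sensor + logic solver + final element.

Added example, not code from the blog or its commenters. Component numbers
are constructed; the formulas are the textbook IEC 61508-6 approximations.
"""
from dataclasses import dataclass
from typing import Iterable, Tuple

HOURS_PER_YEAR = 8760.0

# IEC 61508 low-demand SIL bands: SIL -> (PFDavg lower bound, upper bound)
SIL_BANDS = {
    4: (1e-5, 1e-4),
    3: (1e-4, 1e-3),
    2: (1e-3, 1e-2),
    1: (1e-2, 1e-1),
}


@dataclass
class Subsystem:
    name: str
    lambda_du: float          # dangerous undetected failure rate, per hour
    proof_test_years: float   # proof-test interval TI
    architecture: str = "1oo1"
    beta: float = 0.0         # common-cause fraction for redundant channels

    def pfd_avg(self) -> float:
        """Average probability of failure on demand for this subsystem."""
        ti = self.proof_test_years * HOURS_PER_YEAR
        if self.architecture == "1oo1":
            # Single channel: PFDavg ~= lambda_DU * TI / 2
            return self.lambda_du * ti / 2.0
        if self.architecture == "1oo2":
            # Two channels, either one trips: independent term plus a
            # beta-factor common-cause term (IEC 61508-6 simplified form).
            independent = ((1.0 - self.beta) * self.lambda_du * ti) ** 2 / 3.0
            common_cause = self.beta * self.lambda_du * ti / 2.0
            return independent + common_cause
        raise ValueError(f"unsupported architecture {self.architecture!r}")


def loop_pfd_avg(subsystems: Iterable[Subsystem]) -> float:
    """PFDavg of the whole SIF is the sum over sensor, logic solver and
    final element (the 'complete loop' of IEC 61511), not the logic
    solver alone. Note that nothing here models malicious input to any
    of the three: SIL is a random-failure figure only."""
    return sum(s.pfd_avg() for s in subsystems)


def sil_from_pfd(pfd: float) -> int:
    """Map a loop PFDavg onto the IEC 61508 low-demand SIL band (0 = none)."""
    for sil, (lower, upper) in SIL_BANDS.items():
        if lower <= pfd < upper:
            return sil
    return 0


def worked_example() -> Tuple[Tuple[float, int], Tuple[float, int]]:
    """Constructed loop: the logic solver is the best component, yet the
    single valve dominates the loop PFD. Redundant valves (1oo2) lift
    the same loop from SIL 1 to SIL 2 without touching the solver."""
    sensor = Subsystem("pressure transmitter", lambda_du=1e-6, proof_test_years=1)
    solver = Subsystem("logic solver", lambda_du=1e-7, proof_test_years=1)
    valve_1oo1 = Subsystem("shutdown valve", lambda_du=2e-6, proof_test_years=1)
    valve_1oo2 = Subsystem("shutdown valves", lambda_du=2e-6, proof_test_years=1,
                           architecture="1oo2", beta=0.05)

    single = loop_pfd_avg([sensor, solver, valve_1oo1])
    redundant = loop_pfd_avg([sensor, solver, valve_1oo2])
    return (single, sil_from_pfd(single)), (redundant, sil_from_pfd(redundant))


if __name__ == "__main__":
    (pfd1, sil1), (pfd2, sil2) = worked_example()
    print(f"1oo1 final element: loop PFDavg={pfd1:.5f} -> SIL {sil1}")
    print(f"1oo2 final element: loop PFDavg={pfd2:.5f} -> SIL {sil2}")
```

Running it shows the loop at roughly 0.0136 (SIL 1) with a single valve and roughly 0.0053 (SIL 2) with redundant valves, while the SIL2-class logic solver contributes under five percent of either figure. That is the sense in which the loop, not the controller, carries the rating; it is also why a SIL figure says nothing about whether the solver’s network interface survives deliberate misuse.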