Earlier this week Jake Brodsky left
a comment on my blog
post about the Thursday batch of control system security advisories. It is
not a long comment, but it is certainly worth reading. He makes the point that:
“If you exploit FDT [fdtCONTAINER vulnerability]
on an instrument to get it to execute arbitrary code, you can also get it to
report incorrect values FROM THE INSTRUMENT.”
As a person who has spent thousands of hours monitoring
chemical processes in a manufacturing environment for both safety and quality
issues, I can tell you that the prospect of not being able to trust the numbers
being provided by your control system was what scared me most about Stuxnet and
what first drew my interest to control system cybersecurity.
Instrument level data is probably the most critical data
used in an industrial control system; it is the data the control software relies upon
to make process decisions. Being able to manipulate that data means being able to
manipulate the process itself, with the caveat that driving the process toward a
specific upset requires understanding both the process and how the control system
responds to various instrument inputs. Simply disrupting the process (shutting it
down or degrading product quality) requires much less process knowledge.
Jake also made the point that Joe Weiss has been harping on
the vulnerability of sensors for quite some time now. I have talked to Joe
about this on a couple of occasions and I agree with many of his concerns. But
I also know that smart process engineers understand the criticality of sensor
data; this is the reason that there are frequently multiple sensors measuring
the same variable, with protocols in place to deal with disagreements in sensor readings.
As a process chemist I spent a lot of my process-upset
investigation time looking for sensor failures by examining other process
indicators: changes in pressure when valves opened or closed, changes in tank
levels when pumps started, and the like. Perhaps it is time to start building
such cross-checks into our process controls, especially where safety-critical
process changes are involved.
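The two mechanisms described above (redundant transmitters with a disagreement rule, and checking a reading against what the pump and valve states say it should be doing) can be written down as a small monitor. The following is an added example, not code from the original post or from any vendor's product; the tank, the transmitter names, the tolerances and the trace are all hypothetical, constructed to show a frozen or replayed level reading being caught.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Sample:
    """One scan of a hypothetical tank: two level transmitters plus equipment state."""
    t: int               # scan time, seconds
    level_a: float       # level transmitter A, percent of span
    level_b: float       # redundant level transmitter B, percent of span
    pump_running: bool   # discharge pump state (drains the tank when running)
    inlet_open: bool     # inlet valve state (fills the tank when open)


Alarm = Tuple[int, str]


def vote(a: float, b: float, tol: float) -> Tuple[float, bool]:
    """Two-transmitter agreement check: returns the mean and whether the pair agrees."""
    return (a + b) / 2.0, abs(a - b) <= tol


def expected_direction(s: Sample) -> int:
    """Direction the level must move given equipment state: -1 falling, +1 rising,
    0 unknown. Assumes a single inlet valve and a single discharge pump (hypothetical)."""
    if s.pump_running and not s.inlet_open:
        return -1
    if s.inlet_open and not s.pump_running:
        return +1
    return 0


def check_trace(samples: List[Sample], tol: float = 2.0, min_move: float = 0.5) -> List[Alarm]:
    """Flag readings that disagree with the redundant transmitter or with the physics
    implied by pump/valve state. tol is the allowed A/B disagreement (percent);
    min_move is the least level change (percent) expected per scan while draining or filling."""
    alarms: List[Alarm] = []
    for prev, cur in zip(samples, samples[1:]):
        # Redundancy check: do the two transmitters still agree?
        _, agree = vote(cur.level_a, cur.level_b, tol)
        if not agree:
            alarms.append((cur.t, f"A/B disagree: {cur.level_a:.1f} vs {cur.level_b:.1f}"))
        # Physics cross-check: did transmitter A move the way the equipment state demands?
        direction = expected_direction(prev)
        delta = cur.level_a - prev.level_a
        if direction == -1 and delta > -min_move:
            alarms.append((cur.t, f"pump draining but A moved {delta:+.1f}"))
        elif direction == +1 and delta < min_move:
            alarms.append((cur.t, f"filling but A moved {delta:+.1f}"))
    return alarms


# Constructed trace (not real plant data): the tank drains from t=0; from t=30 on,
# transmitter A is held at a replayed constant while B keeps tracking the real level.
TRACE = [
    Sample(0, 80.0, 80.1, True, False),
    Sample(10, 78.0, 78.1, True, False),
    Sample(20, 76.0, 75.9, True, False),
    Sample(30, 76.0, 74.0, True, False),   # A frozen, B still falling
    Sample(40, 76.0, 72.1, True, False),
    Sample(50, 76.0, 70.0, True, False),
]


def main() -> None:
    for t, msg in check_trace(TRACE):
        print(f"t={t:3d}s  {msg}")


if __name__ == "__main__":
    main()
```

On the constructed trace the physics check fires at t=30, one scan before the A/B disagreement exceeds the 2 percent tolerance, because a value that does not move while the pump is known to be draining the tank is suspicious on its own. The caveat is that such checks are only as good as the independence of their inputs: if the pump state, the valve state and the comparison transmitter all reach the controller through the same compromised host or DTM, an attacker can keep them mutually consistent, so the cross-check should draw on signals that take a different path wherever possible.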
Finally, it would be helpful if the people writing these
advisories were a little clearer about the processes that could be affected by
the vulnerabilities. I would be surprised if many security managers understood that
the fdtCONTAINER vulnerability had specific implications for process sensors.
Only a very close reading of the NCCIC-ICS advisory would point you at that
fact unless you were involved in process engineering (the key tell for non-engineers
like myself was the involvement of Emerson and the RTIS).