SRI International recently led impactful research focused on understanding cybersecurity issues in industrial control system (ICS) safety instrumentation and management. This work was done in support of the Linking the Oil and Gas Industry to Improve Cybersecurity (LOGIIC) consortium and with the help of subject matter expert penetration testers.
LOGIIC is a public-private partnership between the U.S. Department of Homeland Security’s Science and Technology (DHS S&T) Directorate and multi-national member companies from the oil and gas (O&G) sector. SRI provides technical project leadership to LOGIIC through a contract with DHS S&T.
ICSs control the automated processes in manufacturing and industrial facilities and use safety instrumented systems (SISs) to monitor operations and take automated actions to maintain safety when potentially hazardous conditions arise. With SRI’s help, LOGIIC has conducted three projects focused on various aspects of safety systems. Two earlier projects focused on SIS controllers. The latest project focused on smart instruments, such as pressure sensors, that provide the inputs needed by the controller to make decisions and on the instrument management systems.
LOGIIC wanted to understand if and how attackers could use smart instruments to negatively impact safety and how to prevent such attacks. SRI worked with LOGIIC members to understand their concerns and to design a project to definitively answer their questions. SRI then worked with ICS and safety instrument penetration testing experts from Secrabus and Dragos to execute the project.
This was the most complex LOGIIC project to date. It was highly collaborative and conducted with full cooperation from multiple safety system and instrument vendors and LOGIIC safety systems experts. The project involved several independent assessments, each using multiple vendor products. Rules of engagement were designed to ensure that testing was consistent and rigorous across all assessments and that results were fully repeatable.
The assessment team uncovered numerous recurring problems that can all be attributed to common exploitable design weaknesses included in the MITRE Common Weakness Enumeration (CWE) database.
SRI worked with penetration testers and LOGIIC safety system experts to understand the potential impact of various attacks and recommend a comprehensive set of effective countermeasures to improve the overall security of safety systems for all ICS stakeholders. The project’s final report includes these detailed recommendations and suggests a vulnerability mitigation roadmap of short-, mid-, and long-term actions.
Ms. Laura Tinnel and Dr. Ulf Lindqvist briefed the project at Industrial Control Systems Joint Working Group (ICSJWG) Spring 2021. ICSJWG is hosted by the DHS Cybersecurity and Infrastructure Security Agency (CISA). The briefing may be viewed on the ICSJWG Spring 2021 Virtual Meeting site.
The full Project 12 report may be downloaded at www.logiic.org.
The work performed on this project by SRI International was funded by the U.S. DHS Science and Technology Directorate (DHS S&T) under Contract No. HSHQDC-16-C-00034. The opinions, findings, conclusions, and recommendations expressed in this material are those of the authors, do not necessarily reflect the views of DHS and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of DHS or the U.S. government.