InTech

MAY-JUN 2018

Issue link: http://intechdigitalxp.isa.org/i/989516


Cybersecurity at the edge

Purdue Reference Model Level 0,1 field devices cybersecurity risks

By Bill Lydon

FAST FORWARD

• Cybersecurity is not adequately addressed in Level 0,1 devices as described in the Purdue model and ISA95.
• Not having cybersecurity protection or forensics for Level 0,1 devices invites unintended or malicious damage to production and people.
• The ISA99, Industrial Automation and Control Systems Security, committee has established a new task group for Level 0,1 security issues.

I had a discussion with Joe Weiss, PE, voting member and managing director of the ISA99, Industrial Automation and Control Systems Security committee, who is bringing into focus major cybersecurity and safety issues. He is committed to standards and practices to achieve secure systems. Weiss is an ISA Fellow, a Certified Information Security Manager (CISM), and is Certified in Risk and Information Systems Control (CRISC).

Cybersecurity is a big issue that can have serious consequences. We discussed cybersecurity and safety issues, and my questions and his responses follow:

What are the most serious issues that are gaps in cybersecurity thinking today?

The first issue is the use of the word "edge." To the information technology community, an "edge" device is a router, switch, hub, cell phone, tablet, laptop, etc. To a control system engineer, an "edge" device is a sensor, actuator, or drive, that is, a Purdue Reference Model Level 0,1 device.

The lack of cybersecurity in Level 0,1 devices, as described in the Purdue Model and ISA95, stands out as a major area of vulnerability that is not being adequately addressed. Attacks at this level can directly impact the reliability and safety of processes, manufacturing, material handling, and overall production.

Level 0,1 devices are the fundamental elements that manipulate physical processes and production. Devices include process sensors, analyzers, actuators, motor controls, and related instrumentation. These are the fundamental "things" that make process control and manufacturing automation possible, reliable, safe, and effective.

There has been a significant emphasis on computer systems and networks, which are important, but essentially no strategy for Level 0,1 devices. The lack of cybersecurity focus on Level 0,1 devices provides a serious cybersecurity exposure. The lack of cybersecurity and authentication in Level 0,1 devices has not been a consideration for almost all users and vendors. There seems to be an assumption that these devices are within the operations, so they are inherently either protected or unable to be affected. This is the same line of logic that opened the door for cybersecurity attacks that "walked in" on USB sticks.

For those who don't think it is possible to hack process sensors, consider simply using the hand-held HART/Foundation Fieldbus field communicator to change the process sensor ID. This can be either a malicious cyberattack or an unintentional error, often with little chance to tell the difference. Regardless of why,
