I had the privilege to attend the CDS-forum in Trondheim, Norway on October 15, 2019. The CDS-forum is a Norwegian Industry Forum for Cybersecurity of Industrial Automation and Control Systems. The forum is a co-operation between oil companies, engineering companies, consultants, vendors and researchers, with a special interest in cybersecurity and its relation to Industrial Automation and Control Systems (IACS). The participants meet twice a year for workshops, presentations and technical discussions.
The combination of presentations and workshops was very interesting. During the workshop the concept of a non-hackable system came up: basically a non-PLC-based safety system, e.g. a relay, solid-state, or similar system that “cannot” be hacked because there is no engineering station connected to it. The term came from a publication which was briefly discussed/reviewed as a conversation starter. Is that the solution against cyberattacks? Should we drop the progress we have made in the industry and return to the trusted hardwired systems? Some took exception to the term non-hackable; others took exception to the concept of using old technology that would not benefit from the latest technology developments.
As I was giving this some thought, I concluded that the non-hackable system is probably the easiest system to hack. Wait a minute, what? The non-hackable system is the easiest to hack? How do you hack a relay-based system when there is no operating system, application program, or engineering station involved? Was the jetlag getting too much into my head?
None of that. Think of it this way. In order to compromise, for example, a relay-based system, I indeed cannot modify the application program. But the only thing I need to do is get into the maintenance management system and update the relay system’s proof test. If the proof test includes bypassing of the SIF, I simply delete the last step, i.e. the removal of the bypass. If there is no bypass step, I simply add one at the beginning. So, no special knowledge is needed; I don’t even need to figure out a way to penetrate the control system network. The only thing needed is getting onto the plant network and into the maintenance management system.
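The weakness described above lives in the maintenance management system rather than in the safety logic, so that is where a defender can check for it. The following added example is not code from the original post or from the CDS-forum; it shows two checks a plant could run over procedure records exported from a CMMS: a digest of each approved procedure to detect any edit relative to the signed-off baseline, and a structural check that every bypass step is followed by a matching removal step (catching both a deleted removal and an inserted bypass). The `Procedure` class, the step wording, tags such as `SIF-101` and the keyword lists are constructed assumptions; a real CMMS will have its own schema and step vocabulary.

```python
# Added example (not from the original post): a defender's integrity check over
# proof-test procedures stored in a maintenance management system (CMMS).
# Scenario from the post: an attacker edits a procedure so that a SIF bypass is
# applied but never removed (deleting the final "remove bypass" step), or
# inserts a bypass step into a procedure that never had one.
# All records, tags, step texts and keyword lists below are constructed.
import hashlib
import json
from dataclasses import dataclass


@dataclass
class Procedure:
    tag: str      # safety system tag, e.g. "SIF-101" (constructed)
    steps: list   # ordered list of step descriptions (strings)


def procedure_digest(proc):
    """Canonical SHA-256 over tag + ordered steps; any edit relative to the
    approved (signed-off) baseline changes this value."""
    canonical = json.dumps({"tag": proc.tag, "steps": proc.steps}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


# Assumed step vocabulary; chosen so that no "remove" keyword is a substring
# of an "apply" keyword and vice versa.
BYPASS_APPLY = ("apply bypass", "force output")
BYPASS_REMOVE = ("remove bypass", "release force")


def check_bypass_pairing(proc):
    """Structural check: every step that applies a bypass/force must later be
    matched by a removal, and no removal may appear without a prior bypass.
    Returns a list of finding strings (empty list means no structural problem)."""
    findings = []
    open_bypass = 0
    for i, step in enumerate(proc.steps, start=1):
        text = step.lower()
        if any(k in text for k in BYPASS_APPLY):
            open_bypass += 1
        elif any(k in text for k in BYPASS_REMOVE):
            if open_bypass == 0:
                findings.append(f"step {i}: bypass removal without prior bypass")
            else:
                open_bypass -= 1
    if open_bypass:
        findings.append(f"{proc.tag}: {open_bypass} bypass step(s) never removed")
    return findings


def audit(proc, approved_digests):
    """Combine both checks: flag a procedure that differs from its approved
    baseline digest, and independently flag unbalanced bypass steps."""
    findings = []
    if approved_digests.get(proc.tag) != procedure_digest(proc):
        findings.append(f"{proc.tag}: procedure differs from approved baseline")
    findings.extend(check_bypass_pairing(proc))
    return findings


# Constructed approved procedure and its baseline digest (normally stored
# with the sign-off record, outside the editable CMMS work order).
APPROVED = Procedure("SIF-101", [
    "Notify control room and log start of proof test",
    "Apply bypass on SIF-101 trip output",
    "Simulate high-pressure input and verify relay de-energises",
    "Remove bypass on SIF-101 trip output",
    "Log completion and confirm normal state",
])
APPROVED_DIGESTS = {"SIF-101": procedure_digest(APPROVED)}


def tampered_procedure():
    """The edit described in the post: the 'remove bypass' step deleted."""
    return Procedure("SIF-101", APPROVED.steps[:3] + APPROVED.steps[4:])


if __name__ == "__main__":
    print("approved:", audit(APPROVED, APPROVED_DIGESTS))        # []
    print("tampered:", audit(tampered_procedure(), APPROVED_DIGESTS))
```

The digest check needs the baseline to be stored somewhere the procedure editor cannot reach (for example with the sign-off record), otherwise an attacker who can edit the procedure can update the digest too; the pairing check is independent of that and catches the two specific edits the post describes even without a baseline.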
Could this approach be used against a hackable system? Yes, of course, but assuming the application program has been developed thoroughly, there would be a notification and eventually an alarm telling the operator that a specific output has been bypassed beyond the specified bypass window. In order to change the bypass window in the application program, I would need to get onto the control system network or gain access to the engineering station, which makes it more difficult to hack the hackable system than the non-hackable system.
So, what do we learn? We need to realize that the concept of a non-hackable system simply does not exist. We need to understand the risks associated with each solution and implement applicable countermeasures to ensure that the remaining risk for the chosen solution is tolerable. When you claim something is not possible, you are probably not thinking far enough out of the box.