BPCS & SIS
Cybersecurity in the process industries is a growing concern due to the increasing number of cyber attacks against industrial control systems (ICS) and the presence of a large number of legacy devices that are not designed to be resilient to modern threats.
In many industrial environments there is a heavy presence of legacy systems. Many of these systems have debugging features and remote access enabled but poorly controlled.
Most of the OT systems used in industrial environments were never designed to be connected to the Internet. This means that they are particularly exposed to cyber-attacks.
Basic Process Control Systems and Safety Instrumented System Devices
The design of a secure and safe ICS depends on the ability to assess the security of each component, such as Basic Process Control System (BPCS) and Safety Instrumented System (SIS) devices.
Basic Process Control Systems (BPCS) receive input signals directly from the process through sensors and instruments, and generate output signals to control the process and its associated systems to operate in the proper way.
BPCS implements multiple functions, including the management of process variables, alerting and monitoring, and the provisioning of an interface for monitoring and control through the Human-Machine interface.
BPCS does have some built-in security functionality as it is considered the first layer of prevention in the protection of the processes.
A safety instrumented system (SIS) is composed of hardware and software components used to protect critical processes (e.g. processes in refineries, chemical plants and nuclear plants).
SIS devices are responsible for facility operating safety: they execute emergency procedures in case of anomalies, bringing the process to a safe state.
There are deep differences between the cyber security implementation for SIS and BPCS systems.
A cyberattack against a critical environment, such as a refinery or a nuclear plant, could cause severe damage, including the loss of human lives. Normally these systems are designed to bring the process to a safe state in case of failure, including failures resulting from a cyberattack.
A cyber-attack could nonetheless corrupt or alter the settings of SIS systems, leading to a failure of the device or of other process safety systems under specific conditions.
In December 2017, malicious code tracked as Triton (aka Trisis) was discovered by researchers at FireEye. The malware was specifically designed to target industrial control systems (ICS). Security experts at CyberX who analyzed samples of the malware provided further details on the attack, assessing that Triton was likely developed by Iran and used to target an organization in Saudi Arabia.
The Triton malware was designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers that are used in industrial environments.
TRITON communicates using the proprietary TriStation protocol, which is not publicly documented; this implies that the attackers reverse engineered the protocol to carry out the attack.
Initial analysis conducted by Schneider excluded that the attackers had leveraged any vulnerability in the targeted products, but the vendor later admitted that the Triton malware exploited a flaw in older versions of the Triconex Tricon system.
Schneider confirmed the presence of the flaw only in a small number of older versions, and pointed out that the root cause of Triton's success was that the victim failed to implement best practices and security procedures.
In October 2018, FireEye experts discovered a link between the activity behind the Triton malware, which the company tracks as TEMP.Veles, and the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a Russian government research institute in Moscow.
In 2019, the security firm Dragos confirmed that the group behind Triton malware, tracked as Xenotime, was targeting electric utilities in the United States and the Asia-Pacific (APAC) region.
Xenotime has been active since at least 2014; its activity was discovered in 2017 after it caused a shutdown at a critical infrastructure organization in Saudi Arabia.
Dragos experts revealed that the attacks against entities in the United States and the APAC region were similar to the ones that targeted organizations in the oil and gas sector. The good news is that all the attacks carried out by the Xenotime group failed to breach the targeted organizations.
The safety of a process is achieved by implementing multiple independent protection layers, including the adoption of an SIS that prevents incidents in case of failure of the BPCS.
The failure of the BPCS to control the industrial process must not interfere with the behavior of the SIS devices. This means that even if a cyber attack compromises the BPCS, it should have no impact on the SIS.
The main purpose of the BPCS is to ensure continuous control of the variables of the process and to maintain safe operation. SIS systems, on the other hand, remain passive until a condition that could threaten the safety of the system occurs; then the SIS acts to bring the process to a safe state.
The fact that SIS systems remain inactive until specific conditions are met makes them less exposed to cyber-attacks than BPCS.
From an attacker's perspective it is easier to target the BPCS because its behavior can always be observed and analysed, while SIS operations are often unknown to threat actors without specific knowledge.
Another element to consider when analysing the security of BPCS systems is the number of data points. The BPCS has tens of thousands of data points (reads and writes) while the SIS normally has a few hundred data points, mostly reads with a limited number of writes.
The BPCS performs many reads to acquire the SIS status, while writes from the BPCS to the SIS are normally not allowed for security reasons. A secure SIS design limits any writes that are genuinely required to specific memory locations.
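The read-only interface described above is easiest to reason about when it is enforced at the boundary rather than trusted to the BPCS configuration. The following is an added example written for this article, not code from the original page or from any vendor: a policy check for a Modbus/TCP gateway between the BPCS and the SIS that forwards reads, forwards register writes only to an allow-listed address (a hypothetical acknowledge word at 0x0010), and drops everything else, including coil writes, diagnostics and malformed frames. The Modbus framing and function codes are the public ones; the allow-list and all sample frames are constructed for the example.

```python
"""Read-only BPCS -> SIS policy at a Modbus/TCP gateway (added example).

Illustrative code written for this article, not vendor code. It assumes the
BPCS polls the SIS over Modbus/TCP and that the safety design permits writes
only to an explicit allow-list of holding registers (here a single
hypothetical acknowledge word at 0x0010). All frames are constructed.
"""
import struct

# Public Modbus function codes
READ_COILS, READ_DISCRETE_INPUTS = 0x01, 0x02
READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS = 0x03, 0x04
WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER = 0x05, 0x06
WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS = 0x0F, 0x10

READ_CODES = {READ_COILS, READ_DISCRETE_INPUTS,
              READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS}
REGISTER_WRITE_CODES = {WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS}
COIL_WRITE_CODES = {WRITE_SINGLE_COIL, WRITE_MULTIPLE_COILS}

# Hypothetical allow-list: the only holding register the BPCS may write.
ALLOWED_WRITE_REGISTERS = {0x0010}


def build_frame(fc, payload, tid=1, unit=1):
    """Build MBAP header + PDU (MBAP length = unit id byte + PDU bytes)."""
    pdu = bytes([fc]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_frame(frame):
    """Parse the MBAP header and the address range the PDU touches.

    Raises ValueError/struct.error on malformed or truncated frames so the
    caller fails closed instead of forwarding what it did not understand.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame" % length)
    fc, data = frame[7], frame[8:]
    info = {"tid": tid, "unit": unit, "fc": fc, "addresses": set()}
    if fc in READ_CODES or fc in (WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS):
        start, qty = struct.unpack(">HH", data[:4])
        info["addresses"] = set(range(start, start + qty))
    elif fc in (WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER):
        (start,) = struct.unpack(">H", data[:2])
        info["addresses"] = {start}
    return info


def evaluate(frame):
    """Return (decision, reason) for one BPCS -> SIS request."""
    try:
        info = parse_frame(frame)
    except (ValueError, struct.error) as exc:
        return "DROP", "malformed frame: %s" % exc
    fc, addrs = info["fc"], info["addresses"]
    if fc in READ_CODES:
        return "ALLOW", "read fc=0x%02x" % fc
    if fc in REGISTER_WRITE_CODES and addrs and addrs <= ALLOWED_WRITE_REGISTERS:
        return "ALLOW", "write to allow-listed register(s) %s" % sorted(addrs)
    if fc in REGISTER_WRITE_CODES or fc in COIL_WRITE_CODES:
        return "DROP", "write fc=0x%02x to %s outside allow-list" % (fc, sorted(addrs))
    # Diagnostics, file-record and vendor-specific codes never reach the SIS.
    return "DROP", "function code 0x%02x not permitted toward SIS" % fc


# Constructed traffic: what a BPCS legitimately does, plus what it must not.
SAMPLE_FRAMES = {
    "poll_status": build_frame(READ_INPUT_REGISTERS, struct.pack(">HH", 0, 16)),
    "ack_word": build_frame(WRITE_SINGLE_REGISTER, struct.pack(">HH", 0x0010, 1)),
    "trip_setpoints": build_frame(WRITE_MULTIPLE_REGISTERS,
                                  struct.pack(">HHB", 0x0100, 2, 4) + b"\x00\x01\x00\x02"),
    "force_coil": build_frame(WRITE_SINGLE_COIL, struct.pack(">HH", 0x0003, 0xFF00)),
    "diagnostics": build_frame(0x08, struct.pack(">HH", 0, 0)),
    "truncated": build_frame(WRITE_SINGLE_REGISTER, b"\x00"),
}


def run_policy(frames=SAMPLE_FRAMES):
    """Apply the policy to every sample frame; returns {name: decision}."""
    return {name: evaluate(frame)[0] for name, frame in frames.items()}


if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print("%-15s %s  %s" % (name, *evaluate(frame)))
```

Two design points worth noting: the check fails closed (a frame the parser cannot fully decode is dropped, not forwarded), and a multi-register write is allowed only if every address it covers is on the allow-list, so a write that starts at the permitted word but spills into neighbouring registers is rejected.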
One of the most valuable cybersecurity standards for SIS is the second edition of IEC 61511-1 titled “Functional safety – Safety instrumented systems for the process industry sector”.
The IEC standard 61511 technical standard explicitly recommends operators to conduct security risk assessment of the SIS to identify cyber security issues that could be exploited by threat actors.
The changes introduced in the second edition of the standard recognize that SIS operators must also implement a cyber security lifecycle process alongside the functional safety lifecycle.
Other standards for the security of Industrial Control Systems were drafted by the ISA99 committee, such as ANSI/ISA/IEC-62443-1-1, “Security for Industrial Automation and Control Systems Part 1-1: Terminology, Concepts and Models.” The ISA84 committee, which covers safety instrumented systems, has also addressed the cybersecurity aspects of protecting safety systems.
In order to protect SIS systems against cyberattacks it is necessary to prevent unauthorized changes that can interfere with the safety of the processes they control. To do this, operators have to identify any inbound/outbound connections to SIS systems and secure these accesses.
Experts suggest the adoption of intrusion detection systems to monitor for anomalous behaviour on the network and for changes to applications and critical parameters.
A cyber security assessment on SIS systems should be coordinated with the one performed on the BPCSs in order to identify and address any vulnerability in the overall industrial systems.
Another important aspect of ICS management is the definition, in advance, of an incident response plan to be executed immediately after a cyber-attack to recover operations.
When designing SIS systems it is essential to implement independence, separation, diversity and access control. The design of the overall architecture also has to consider the presence of legacy SIS devices, which must be adequately protected from cyber threats.
Independence aims at keeping the safety functionality separate from the control functionality; this can be achieved by physically separating the SIS hardware and isolating the SISs into their own zones. Diversity implies the use of different hardware for SIS and BPCS; it is good practice to use components from different manufacturers to reduce common-cause failures and to make it harder for an attacker to compromise both systems in the same attack.
The security of SIS devices also depends on the resilience of the connected components, such as calibration tools.
Usually digital SIS field devices communicate with a database or asset management system (AMS) that runs a Windows OS and is connected to the site enterprise network. Vulnerabilities in that host could be exploited by threat actors to manipulate the calibration database and corrupt the calibration of safety transmitters.
A possible mitigation is an offline, integrity-checked backup of the calibration database that can be restored in case of anomalies.
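A backup only helps if the operator can tell which records were tampered with and when. The following is an added example written for this article, not code from the page or from any AMS product: it takes a keyed-hash baseline (HMAC-SHA256) of each calibration record with a key that stays off the Windows AMS host, so an attacker who rewrites the database cannot silently recompute the baseline; a later verification run flags changed, added or deleted records, and only those are restored from the offline snapshot. The record layout, the tag names and the key are constructed for the example.

```python
"""Tamper detection and selective restore for a calibration database.

Added example written for this article, not part of any vendor AMS.
Assumptions: calibration records are JSON-serialisable rows keyed by tag;
the HMAC key and the last-known-good snapshot are held offline (removable
media), not on the Windows AMS host. Records and key are constructed.
"""
import copy
import hashlib
import hmac
import json

# Hypothetical offline key; in practice never stored on the AMS host.
BASELINE_KEY = b"offline-baseline-key-not-on-ams-host"

# Constructed calibration records for safety transmitters
# (lrv/urv = lower/upper range value, trip = safety trip setpoint).
CALIBRATION_DB = [
    {"tag": "PT-101", "lrv": 0.0, "urv": 100.0, "units": "bar", "trip": 85.0},
    {"tag": "TT-205", "lrv": -50.0, "urv": 400.0, "units": "degC", "trip": 350.0},
    {"tag": "LT-310", "lrv": 0.0, "urv": 5.0, "units": "m", "trip": 4.2},
]


def canonical(record):
    """Stable byte encoding so equal records always hash equally."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_mac(record, key):
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def build_baseline(db, key):
    """tag -> HMAC, taken when the calibration is known good."""
    return {r["tag"]: record_mac(r, key) for r in db}


def verify(db, baseline, key):
    """Return (tag, finding) pairs for changed, added or missing records."""
    findings = []
    seen = set()
    for r in db:
        seen.add(r["tag"])
        expected = baseline.get(r["tag"])
        if expected is None:
            findings.append((r["tag"], "record not in baseline"))
        elif not hmac.compare_digest(expected, record_mac(r, key)):
            findings.append((r["tag"], "content differs from baseline"))
    for tag in sorted(baseline.keys() - seen):
        findings.append((tag, "record missing"))
    return findings


def restore(db, snapshot, tags):
    """Replace the listed tags with their last-known-good copies; re-add deleted ones."""
    good = {r["tag"]: r for r in snapshot}
    out = [copy.deepcopy(good[r["tag"]]) if r["tag"] in tags and r["tag"] in good else r
           for r in db]
    present = {r["tag"] for r in out}
    out.extend(copy.deepcopy(good[t]) for t in sorted(tags) if t in good and t not in present)
    return out


def demo():
    """Simulate a trip setpoint raised and a record deleted on the AMS host, then recover."""
    snapshot = copy.deepcopy(CALIBRATION_DB)           # offline copy
    baseline = build_baseline(CALIBRATION_DB, BASELINE_KEY)
    live = copy.deepcopy(CALIBRATION_DB)
    live[0]["trip"] = 120.0                             # PT-101 trip pushed above its URV
    del live[2]                                         # LT-310 removed entirely
    findings = verify(live, baseline, BASELINE_KEY)
    repaired = restore(live, snapshot, {tag for tag, _ in findings})
    return findings, verify(repaired, baseline, BASELINE_KEY), repaired


if __name__ == "__main__":
    found, after, _ = demo()
    for tag, msg in found:
        print("ALERT %s: %s" % (tag, msg))
    print("after restore:", after or "clean")
```

An unkeyed hash (plain SHA-256 stored next to the database) would not give this guarantee: whoever can edit the rows can recompute the digests. The keyed baseline moves the trust to wherever the key is kept, which is why it belongs on the same offline media as the snapshot.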
It is important to understand that implementing cyber security for SIS systems is not easy; for this reason it is essential to conduct periodic assessments, searching for vulnerabilities and evaluating the effects of their exploitation.
The use of “zones” could help operators to analyze each component and the way they interact with each other through a well-documented interface.
To implement a system resilient to cyber-attacks, operators can require that suppliers of SIS and BPCS devices have had their solutions tested for compliance with the IEC 62443 (ISA-99) standard, and make such compliance a prerequisite for accepting suppliers’ products in SIS and BPCS.
Experts pointed out that a gap analysis against the IEC standards is easy to conduct and allows organizations to determine whether the current installation is affected by vulnerabilities exploitable in cyber-attacks.
The end-user would then implement mitigations for the discovered issues to reduce the risk of a cyber-attack.
Is the risk of attacks against SIS systems concrete?
Unfortunately, the answer is yes, as recently confirmed by the US authorities. In July 2020, the U.S. National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning of cyber-attacks targeting critical infrastructure across the U.S.
“Over recent months, cyber-actors have demonstrated their continued willingness to conduct malicious cyber-activity against critical infrastructure (CI) by exploiting internet-accessible operational technology (OT) assets,” states the joint advisory published by the NSA/CISA, released on Thursday. “Due to the increase in adversary capabilities and activity, the criticality to U.S. national security and way of life and the vulnerability of OT systems, civilian infrastructure makes attractive targets for foreign powers attempting to do harm to U.S. interests or retaliate for perceived U.S. aggression.”
The US agencies urge owners and operators of critical infrastructure to adopt the necessary measures to improve the resilience and safety of U.S. systems used in critical environments. The NSA along with the CISA recommends that all DoD, NSS, DIB, and U.S. critical infrastructure facilities take immediate actions to secure their OT assets.
Attackers are targeting specific equipment, such as the Triconex TriStation and Triconex Tricon Communication Module, which are broadly adopted in industrial environments such as power plants, factories, and oil and gas refineries.
In a separate security advisory, the ICS-CERT warned of a critical security bug in the Schneider Electric Triconex TriStation and Tricon Communication Module.
Experts from CISA and NSA observed a mix of techniques used to target these systems in US critical infrastructure. The attack chain starts with spear-phishing messages; once the attackers gain access to the organization’s IT network, they attempt lateral movement to reach the OT network.
Below is a list of recently observed Tactics, Techniques, and Procedures provided in the advisory:
- Spear phishing [T1192] to obtain initial access to the organization’s information technology (IT) network before pivoting to the OT network.
- Deployment of commodity ransomware to Encrypt Data for Impact [T1486] on both networks.
- Connecting to Internet Accessible PLCs [T883] that require no authentication for initial access.
- Utilizing Commonly Used Ports [T885] and Standard Application Layer Protocols [T869], to communicate with controllers and download modified control logic.
- Use of vendor engineering software and Program Downloads [T843].
- Modifying Control Logic [T833] and Parameters [T836] on PLCs.
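Several of the listed techniques (Internet-accessible PLCs, IT-to-OT pivoting, program downloads from engineering software) leave traces in ordinary flow records long before modified logic reaches a controller. The following is an added example written for this article, not code or data from the advisory: a detector that scores flows toward the controller zone against three rules, using zone definitions, an authorized engineering workstation, port-to-service mappings and a CSV flow log that are all constructed for the example (the 1502/udp engineering port is an assumption, as labelled in the code).

```python
"""Zone-crossing and unauthorized-programming detection over flow records.

Added example written for this article, not from the NSA/CISA advisory.
Constructed assumptions: IT network 10.10.0.0/16, engineering workstations
10.20.1.0/24 (only 10.20.1.10 authorized to program controllers), PLC/SIS
controllers 10.20.5.0/24; 502/tcp and 44818/tcp are treated as controller
protocol ports and 1502/udp as the engineering/program-download port.
"""
import csv
import io
import ipaddress

IT_ZONE = ipaddress.ip_network("10.10.0.0/16")
EWS_ZONE = ipaddress.ip_network("10.20.1.0/24")
CONTROLLER_ZONE = ipaddress.ip_network("10.20.5.0/24")
AUTHORIZED_EWS = {ipaddress.ip_address("10.20.1.10")}

CONTROL_PORTS = {("tcp", 502): "modbus", ("tcp", 44818): "enip"}
PROGRAMMING_PORTS = {("udp", 1502): "engineering port (assumed)"}

# Explicit RFC 1918 check: ipaddress.is_private also counts documentation
# ranges such as 203.0.113.0/24 as private, which is not what we want here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


# Constructed flow log (fields: ts,src,dst,proto,dport,bytes).
FLOW_LOG = """\
ts,src,dst,proto,dport,bytes
2020-07-23T10:00:01Z,10.20.1.10,10.20.5.20,udp,1502,4096
2020-07-23T10:00:05Z,10.20.1.10,10.20.5.20,tcp,502,512
2020-07-23T10:02:10Z,10.10.4.55,10.20.5.20,tcp,502,640
2020-07-23T10:03:30Z,10.20.1.77,10.20.5.20,udp,1502,65536
2020-07-23T10:05:00Z,203.0.113.9,10.20.5.21,tcp,44818,900
2020-07-23T10:06:00Z,10.20.1.10,10.20.1.11,tcp,445,2048
"""


def detect(flow_csv):
    """Return one alert dict per suspicious flow toward a controller."""
    alerts = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        key = (row["proto"], int(row["dport"]))
        if dst not in CONTROLLER_ZONE:
            continue                      # only flows into the controller zone are scored
        reasons = []
        if not is_rfc1918(src):
            reasons.append("controller reached from non-RFC1918 source (Internet-accessible PLC)")
        elif src in IT_ZONE:
            reasons.append("IT-zone host connecting to OT controller (IT-to-OT pivot)")
        if key in PROGRAMMING_PORTS and src not in AUTHORIZED_EWS:
            reasons.append("%s used by non-authorized host (possible program download)"
                           % PROGRAMMING_PORTS[key])
        if reasons:
            service = CONTROL_PORTS.get(key) or PROGRAMMING_PORTS.get(key) or "%s/%d" % key
            alerts.append({"ts": row["ts"], "src": str(src), "dst": str(dst),
                           "service": service, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(FLOW_LOG):
        print(a["ts"], a["src"], "->", a["dst"], a["service"])
        for r in a["reasons"]:
            print("   ", r)
```

Of the six constructed flows, the two from the authorized workstation and the SMB flow between workstations produce nothing; the IT host polling Modbus, the unauthorized workstation on the engineering port and the public address reaching EtherNet/IP each raise one alert. In a real deployment the zone tables come from the documented zone-and-conduit model rather than from constants.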
One of the bugs detailed in the ICS-CERT advisory is a critical vulnerability in the Triconex SIS, tracked as CVE-2020-7491, which was rated 10 on the CVSS severity scale.
CVE-2020-7491 is an improper access control flaw.
“A legacy debug port account in TCMs installed in Tricon system Versions 10.2.0 through 10.5.3 is visible on the network and could allow inappropriate access.” reads the advisory.
A successful attack on these safety instrumented system (SIS) controllers could allow an attacker to view cleartext data on the network, trigger a denial-of-service condition, or gain improper access.
The vulnerabilities listed in the advisory affect TriStation 1131 v1.0.0 to v4.9.0, v4.10.0 and v4.12.0 running on Windows NT, Windows XP or Windows 7, and Tricon Communication Module (TCM) models 4351, 4352, 4351A/B and 4352A/B installed in Tricon v10.0 to v10.5.3 systems.
More recent versions of these products are not affected by these vulnerabilities.
“OT assets are critical to the Department of Defense (DoD) mission and underpin essential National Security Systems (NSS) and services, as well as the Defense Industrial Base (DIB) and other critical infrastructure,” concludes the joint alert. “At this time of heightened tensions, it is critical that asset owners and operators of critical infrastructure take the following immediate steps to ensure resilience and safety of U.S. systems should a time of crisis emerge in the near term.”