Ensuring Trustworthiness of Industrial Devices

By Sid Snitkin

Category:
ARCView

Summary

Industrial managers place a lot of trust in the proper operation of their control systems.  Failed or compromised industrial devices can lead to safety and environmental incidents.  Costly equipment could also be damaged, leading to extended operational disruptions.  These risks can’t be eliminated, but companies can take steps to mitigate them.

Use of reliable suppliers, redundancy, and safety systems are common ways to reduce the risks of a control system problem.  But well-designed devices can fail or be damaged and the high cost of redundancy constrains how much it can be used.   Incidents like Triton/Trisis have shown that every device can also be compromised, even safety systems.  Growing use of unproven IoT devices is increasing all of these risks.     

Smart companies recognize that failures and cyber compromises can’t be eliminated.  They use predictive maintenance and cyber threat detection solutions to give their staffs early warning of pending failures, malfunctions and suspicious behavior.  But visibility gaps can still leave managers at risk of operating with untrustworthy control system components.     

Recently, ARC Advisory Group discussed the challenges of detecting untrustworthy industrial devices with executives from IXDen.  This company offers a new way of assessing device trustworthiness that can be used to close some of the gaps in other monitoring methods.    

Monitoring the Trustworthiness of Industrial Devices

Trustworthiness is a broad concept, used in myriad contexts.  We trust people who have demonstrated consistent behavior.  We trust information that makes sense and is consistent with other things we know.  We trust devices and systems that reliably operate in expected ways.  This trust gives companies the confidence to operate complex, costly industrial facilities.    

One would think that evaluating the trustworthiness of industrial systems would be easy: just compare readings and behaviors with expectations.  But some important aspects of industrial devices can’t be monitored, and the validity of some measurements can depend on other factors.  Monitoring itself can be obfuscated by cyber attacks that falsify data or introduce fake devices.

Common Approaches to Trustworthiness Monitoring

Limit checking of sensor readings is used throughout industrial systems.  The underlying idea is that we can trust values that are within normal ranges, while values outside suggest a failed or uncalibrated device.  But in-range devices can still be drifting and cyber attacks can send fake readings that hide real process excursions.  The value of limit checks is also undermined when users have to set wide ranges to accommodate significantly different operating states.      

Agents are commonly used to monitor the trustworthiness of industrial PCs and servers, but many legacy PCs and devices, like PLCs, can’t support agents.  The same is true for small footprint industrial IoT sensors.   Periodic monitoring of configuration and control programming can help with devices, like PLCs, but this won’t detect failures or compromises in lower level components, like I/O cards and field devices.     

Continuous network monitoring is another approach that can be used to detect suspicious industrial devices.  These solutions assess the trustworthiness of individual devices indirectly, by comparing their communication patterns and messages with learned “normal” patterns.  While this can detect some failures and cyber attacks, some device problems never appear in network traffic.  Conditions can also change what’s “normal,” creating an excess of false alerts that undermine confidence in the monitoring system itself.

All of these methods have merit and should be applied.  But companies still need to look for ways to address the gaps and weaknesses in these methods.  With control system complexity increasing and sophisticated cyber attacks growing, monitoring the trustworthiness of every industrial device has never been more important.

Cross-validation Can Improve Resiliency and Sensitivity 

Spear phishing has raised awareness of the importance and value of cross-validation.   Prudent people consider a variety of factors in evaluating the trustworthiness of unsolicited emails, including the sender’s email address, recent interactions that might have prompted an email, reasons why the sender might be sending an attachment, and the validity of any sites they are encouraged to visit.  The trustworthiness of industrial devices should receive at least this much scrutiny.  

Device identifiers, like MAC address, configuration, and software certificates, can be used to check that a device is real and untampered.  Encryption can be used to check that data has not been compromised by a man-in-the-middle attack.  Readings can be checked against other readings to assess a device’s calibration.  Changes in readings can be consistency-checked against other related variables to detect failed or compromised devices.

None of these individual measures is foolproof.  Hackers could steal credentials from a remote device and create undetectable fake messages.  Devices could fail and still give reasonable readings.  But multiple trustworthiness measures make assessments resilient to these kinds of false positives.  Multiple factors can also improve the sensitivity of trustworthiness assessments.  For example, related factors can be used to select tight, context-dependent ranges in sensor limit checking.  Combinations of multiple factors can also provide users with a measure of how much trust they should place in a device.
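The sketch below is an added example, not part of the original report and not IXDen's method. It combines three of the factors described above (device identifier, a context-dependent limit check, and a cross-check against a second sensor) into one trust score; the tag names, limits, weights and sample readings are constructed assumptions.

```python
# Added illustration; tag names, limits, weights and samples are constructed assumptions.
WIDE_LIMITS = (0.0, 12.0)   # bar: one static range wide enough for every operating state
CONTEXT_LIMITS = {"stopped": (0.0, 0.5), "running": (7.5, 9.5)}  # bar, per pump state
MAX_SENSOR_GAP = 0.6        # bar: allowed gap between PT-101 and a neighbouring sensor
WEIGHTS = {"identity": 30, "context_limit": 40, "cross_check": 30}  # sums to 100
ASSET_RECORD = {"PT-101": "00:00:5e:00:53:01"}  # expected MAC per tag (documentation range)


def in_range(value, limits):
    low, high = limits
    return low <= value <= high


def assess(reading):
    """Score one reading 0..100 from three independent trust factors."""
    # A related variable (motor current) selects which tight range applies.
    state = "running" if reading["motor_amps"] > 5.0 else "stopped"
    gap = abs(reading["pressure"] - reading["neighbour_pressure"])
    factors = {
        # Device identifier matches the asset record.
        "identity": ASSET_RECORD.get(reading["tag"]) == reading["mac"],
        # Limit check against the range for the current operating state.
        "context_limit": in_range(reading["pressure"], CONTEXT_LIMITS[state]),
        # Reading agrees with a second sensor on the same line.
        "cross_check": gap <= MAX_SENSOR_GAP,
    }
    score = sum(WEIGHTS[name] for name, passed in factors.items() if passed)
    return score, factors


def make_sample(pressure, neighbour, amps, mac="00:00:5e:00:53:01"):
    return {"tag": "PT-101", "mac": mac, "pressure": pressure,
            "neighbour_pressure": neighbour, "motor_amps": amps}


SAMPLES = {
    "normal":        make_sample(8.4, 8.1, 18.2),
    "stuck_reading": make_sample(8.4, 0.2, 0.1),   # pump stopped, value frozen at 8.4
    "drifting":      make_sample(9.3, 8.1, 18.0),  # still inside every limit
    "unknown_mac":   make_sample(8.4, 8.1, 18.2, mac="00:00:5e:00:53:ff"),
}

if __name__ == "__main__":
    for name, s in SAMPLES.items():
        score, factors = assess(s)
        failed = [f for f, ok in factors.items() if not ok]
        print(f"{name:14} wide-limit ok={in_range(s['pressure'], WIDE_LIMITS)} "
              f"trust={score:3d} failed={failed}")
```

Every constructed sample passes the single wide limit check, yet only the normal one keeps a full score; the failed factors show which kind of problem to investigate.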

Multiple Factors Can Extend Coverage in Legacy Systems

The trustworthiness of field sensors and actuators is a particularly important and challenging issue for industrial operations.  These devices are highly susceptible to damage and inadvertent problems caused by maintenance personnel working on related systems.  Remote controllers and devices are targets for malicious tampering and cyber compromises.    As we learned from the Ukrainian power system and Triton/Trisis incidents, attackers recognize and exploit the lack of monitoring in these areas and subsystems.

Suppliers understand the importance of monitoring field devices.  They appreciate that they are at risk of significant reputational damage if their products are associated with a serious industrial incident.  Modern process sensors and actuators have built-in diagnostics and fieldbus connections that push alert conditions to controllers and alarm systems.  But legacy devices connected to I/O cards provide little trustworthiness assessment information beyond sensor readings and setpoints. 

Combinations of related signals can be used to overcome this problem with an indirect measure of trustworthiness.  Identification of a specific failed device may not be possible, but operators can still be forewarned of abnormal situations that require attention.  

IXDen Software and Services

IXDen is a new entrant in the industrial device monitoring market.  The founders have extensive backgrounds in protecting financial institutions against fraudulent transactions.  Their offering for the industrial market leverages this experience in detecting anomalous behaviors in on-line payment systems.   

The IXDen offering for industrial devices uses a generalized multifactor method to assess the trustworthiness of industrial devices.  According to the company, their solution can integrate all methods mentioned in this report to detect devices with physical or software problems, fake devices, hijacked network communications, etc.

On-line payment security may seem unrelated to industrial device monitoring, but they share common traits that enable use of comparable approaches.  Similar approaches are already being used to detect behavioral anomalies in users of IT systems.  While there is no human interaction in industrial device use, a combination of device information, communications, and process parameters can be used as guides to the trustworthiness of the device and its readings.   IXDen also uses these multiple readings to create a unique and changing device fingerprint, to ensure that their approach is resilient to hackers stealing credentials and introducing fake devices. 

IXDen’s solution authenticates devices in a special way that leverages typology, artificial intelligence, statistical analysis and behavioral analysis methods.  Periodic creation of new multifactor fingerprints enables the solution to learn normal situations and detect suspicious behaviors.  Questionable results are reported to users as a trustworthiness value, the IXDEN Grade.  The higher the value, the more likely the device is trustworthy.  The company claims that learning periods are short and false positive rates low.  The only requirement is that learning span a period that includes all different operating situations.


The IXDen solution consists of an agent and a server.  The agent periodically collects data from the device and environment.   The server uses this information to develop fingerprints and evaluate the device’s trustworthiness.  Ideally the agent is placed in the device, but the company indicates that it also supports use of external agents for devices that cannot support agents.  This makes the approach applicable for monitoring the trustworthiness of legacy industrial devices. 

Conclusion

Failed or compromised industrial devices can impact the health and safety of workers, cause damage to costly equipment, release pollutants into the environment, and disrupt operations for extended periods.  Managing these risks is essential and requires continuous monitoring of the trustworthiness of every industrial device.  Various methods are available and should be used.  But none is failsafe, so companies need to continue to find new ways to fill the gaps and ensure that every industrial device is operating properly and providing accurate, trustworthy information. 

Users and suppliers of industrial devices have a shared interest in understanding the trustworthiness of their products. While many suppliers provide industrial devices equipped with security features, users are not paying enough attention to the possibility that security may be compromised during installation and use.  Prudent users and suppliers will recognize and address this serious situation by enabling continuous trustworthiness monitoring of all devices.  As the review of IXDen illustrates, technology is available to address this situation.    

 

ARC Advisory Group clients can view the complete report at ARC Client Portal  


 

Keywords: Industrial Cybersecurity, Digital Transformation, Trustworthiness, ARC Advisory Group.
