Attacks on analog sensors in OT
In its purest definition, a sensor is a device, module or subsystem capable of detecting physical or chemical quantities, known as instrumentation variables, and transforming them into readable electrical signals. This last step is done by using a transducer, a device capable of converting a certain manifestation of input energy into a different one at the output. The main characteristics of a sensor are accuracy, precision, operating range or sensitivity, among others.
In industrial automation, sensors are essential in the production process, since they are responsible for transmitting stimuli from the outside to the central system that processes the information. It could be seen as an analogy with the human senses and the brain processing such information.
There’s a wide variety of sensors available for virtually any industrial application or size, such as:
- temperature,
- pressure,
- MEMS (Micro-electro-mechanical) acceleration,
- proximity,
- humidity,
- flux,
- flow and
- angular or linear position.
Shortcomings of analog sensors in ICS
Securing the control systems consists of securing the OT networks, as well as the devices that are part of the field control systems, such as sensors, actuators, robots, drives, etc. Currently, there are several tools and good practices whose goal is increasing security levels in OT networks. These include the segmentation of networks, the definition of zones and conduits, the separation of IT and OT networks, the execution of a remote access control and the active or passive monitoring of industrial traffic. However, there is an attack vector that has largely gone unnoticed over the years and yet is capable of affecting the operations of a productive system without any monitoring device or OT firewall being able to detect it. It consists of attacks on analog sensors, which involve a hole in both the technology of these devices and the existing industrial cyber security culture.
At present, there aren’t specific cybersecurity measures in the sensors, their networks, protocols or calibration tools, so it’s harder to trust their measurements.
Electromagnetic interference in the sensors
As discussed in the introduction, sensors are electronic devices designed to perform relatively simple tasks. However, they may be susceptible to electromagnetic interference, like any other electronic device, which could alter their operation.
Researchers from the University of Michigan and the University of Louisiana-Lafayette, identified in the article “Trick or Heat? Manipulating Critical Temperature-Based Control Systems Using Rectification Attacks”, a vulnerability in the analog signal amplifiers. Process sensors often use these components in the process of converting read analogue measurements into voltage or current signals used by HMIs and PLCs.
The attack scenario proposed by the researchers affects the general conditioning of the signal within a sensor, in other words, the process of adapting the information directly received by the sensor so that it can be easily read and used by the circuit. This process includes steps that seek to clean the signal by removing noise and interference, both unwanted components affecting signal readability, as well as other filtering and amplification elements. Specifically, this attack seeks to modify the amplifier output. In this case, the attack exploits an unintended modification effect on the amplifiers that can be induced by injecting an electromagnetic interference (EMI) of a certain wavelength into the temperature sensors.
In this scenario, the authors managed to obtain a control of the amplifiers’ output voltage, so it was possible to modify the level of the signal introduced to the input of the analog-digital converter to some extent, thus modify the output reading of these resistive sensors. These new values, as they do not significantly vary, are still valid (but not correct) for PLCs and HMIs that, as they are not prepared to monitor the readings supplied to them, take the appropriate actions assuming the values are legitimate.
Since the attack is conducted before the signal is converted into an Ethernet packet, the faulty measurement cannot be detected by a network monitoring device. The study shows, in turn, that this type of attack is also valid for any sensor using the same signal conditioning. Furthermore, temperature sensors like thermocouples, thermistors or RTDs (Resistance Temperature Detectors) are vulnerable to these attacks even when protected from interference.
- Diagram of the signal conditioning of a temperature sensor. Source: arXiv -
Counterfeit field devices
Recently, there have been many discussions about whether there is a real need to monitor process sensors, given that a large part of the OT cybersecurity community feels that the only way to gain access to sensors and other field devices is through the OT network itself. However, this view has proved incorrect given that, as we’ve already mentioned, it is possible to modify the temperature measurements of a sensor without physically manipulating the device.
Furthermore, there’s another problem besides this: the sale of false transmitters. In 2014, Yokogawa issued a statement in which they warned of the existence of false transmitters being sold with the same logo and appearance as theirs. These transmitters measure various physical values, such as pressure, flow, flux or temperature, and are commonly used in various critical industrial infrastructures, such as nuclear power plants, water treatment plants or oil and gas extraction and treatment centers. However, they do not have any kind of security or authentication measures, so the installation of a false transmitter is perfectly plausible.
In fact, this isn’t the only case. In recent years there have been many more examples of counterfeit field devices, some even with falsified certifications such as ATEX (Atmospheric Explosible), that are required for electrical equipment designed to withstand adverse conditions and environments to be marketed in the EU.
The likely goal of the counterfeiters was to make a financial profit from such activity by offering large discounts for it. However, these counterfeits do not perform the same as the originals, with the resulting problems that this may cause to system operations and, in a more serious case, may act as Trojans used to infect the OT networks in which they are installed with malware.
Countermeasures and security mitigations
On the one hand, in order to prevent changes in sensor measurements, there’s a need to implement some kind of anomaly detection within the sensors themselves that can identify malicious EMI interference in the frequency range where the unwanted rectification effects take place. This goes beyond the scope of security that customers can apply, so it’s necessary for manufacturers themselves to implement continuous monitoring of each signal. However, this idea has yet to be designed and implemented, so it will take some time before we finally see it included in commercial devices.
On the other hand, there’s a need to implement some type of verification, via fingerprinting for example, to detect the differences between original and counterfeit devices. OT monitoring and threat detection system manufacturers should start assuming that field sensors may be compromised and, in line with field device manufacturers, include such checks in their solutions.
Conclusions
As we’ve discussed in this article, field devices are not as secure within OT networks as one might think. As they are electronic devices, falsifying their measurements without having physical access to their components is possible. On the other hand, the sale of counterfeit products is becoming quite common for products from any brand, so security considerations and measures must be applied to the value chain.
There’s no denying that this problem should be given much more attention that it is at present. Because of this, organizations such as ISA (International Society of Automation) or NERC (North American Electric Reliability Corporation) should include measures and guidelines to mitigate these effects in their policies and recommendations, so that manufacturers have a clear idea about the way forward.