Publications

10 Results

Guide for Cyber Assessment of Industrial Control Systems Field Devices

Stamp, Jason E.; Stinebaugh, Jennifer S.; Fay, Daniel R.

Programmable logic controllers (PLCs) and other field devices are important components of many weapons platforms, including vehicles, ships, radar systems, etc. Many have significant cyber vulnerabilities that lead to unacceptable risk. Furthermore, common procedures used during Operational Test and Evaluation (OT&E) may unexpectedly lead to unsafe or severe impacts for the field devices or the underlying physical process. This document describes an assessment methodology that addresses vulnerabilities, mitigations, and safe OT&E.

Acknowledgements

The authors would like to acknowledge the funding and technical support from the Office of the Director, Operational Test and Evaluation (DOT&E) for the development of this paper. Also, there were key contributions by other Sandia National Laboratories (SNL) personnel supporting the analysis, particularly from Mitch Martin, Tricia Schulz, Chris Davis, and Nick Pattengale, and from Pacific Northwest National Laboratory (PNNL), especially Chris Bonebrake, Jim Brown, and Katy Bragg.

Executive Summary

Industrial control system (ICS) field devices like PLCs play a critical role in the safe and reliable operation of Department of Defense (DOD) platforms and weapon systems operations. Unfortunately, these sorts of devices are often rife with cyber security vulnerabilities that can lead to significant risks for mission performance, or even unsafe conditions during routine OT&E. The cyber security issues faced by ICS differ from typical information technology (IT), and this requires a different and more specific approach to assess, test, and mitigate ICS vulnerabilities. In a typical IT system, data confidentiality and integrity are the primary concerns. In an ICS, mission operations, safety, public health, and avoiding equipment damage are the primary concerns. ICS devices directly control time-critical processes and have little margin for delay. Outages or interruptions (even something as simple as a reboot) might not be acceptable, and if unplanned can result in significant risk to mission. Unlike IT system updates or patches, which can be done using automated server-based tools and are widely applicable, ICS updates are specific to the equipment vendor.

OT&E on ICS field devices (on deployed platforms, or in high-value test rigs) is often a necessary requirement, but this causes significant concern within the DOD ICS community. The concern is that implementing routine cyber security measures and testing on active ICS components and systems may damage the ICS or even the underlying physical systems. Of particular concern are ICS field devices, which encompass the specialized hardware that sits at the boundary between the cyber and physical domains. Examples of field devices include PLCs, electric power relays, remote terminal units (RTUs), and other embedded devices.

According to an Office of the Secretary of Defense (OSD) memorandum regarding "Procedures for Operational Test and Evaluation of Cybersecurity in Acquisition Programs," operational test agencies (OTAs) will "include cyber threats... with the same rigor as other threats" [1]. The purpose of cyber security operational test and evaluation is to evaluate the ability of a unit equipped with a system to support assigned missions in the expected environment. The "system" in this case is considered to encompass hardware, software, user operators, etc. This memorandum also specifies the procedures to be used for testing oversight systems. The purpose of this document is to introduce a Field Device Assessment Methodology (FDAM) that parallels (with some differences due to the focus on ICS hardware and not the entire system) the procedures suggested in the memorandum.

The FDAM approach is not intended to cover the entire oversight system as referenced in the memorandum; rather, it explains the procedures necessary to evaluate the ICS hardware devices. This focused approach on the hardware subset of the system is warranted because ICS field devices face very different issues than IT systems, and the risks associated with ICS cyber vulnerabilities can be significant. The goals of the FDAM are to research and rank field device vulnerabilities to be tested, summarize associated mitigations, and determine cyber test concerns by summarizing potential OT&E test damage/safety issues. The FDAM primarily supports the cooperative assessment stage of OT&E, although the results can also support adversarial assessments. This document provides guidance on tools and procedures developed by SNL to implement the FDAM approach, including an assessment framework, quantitative risk calculation, and ranked access/procedure pairs (APPs). The FDAM process itself is presented in Chapters through -- from initial research and discovery, to standalone lab testing, through to compiling the final report.

It should be noted that because cyber security testing is inherently complex and detail-oriented, those performing the tests will generally have a wealth of knowledge and experience that is difficult to fully document or simplify into a step-by-step process. In every testing situation, the background of the testers may influence how they choose to implement the process, and in which order. Although this document is presented as a logical process, it is not necessary to follow every step in the document as laid out. For example, a tester who is intimately familiar with ICS systems might choose to do the literature review and vulnerability scoring in conjunction with lab testing. Or, if project resources are limited, the best choice might be to do only a literature review and risk scoring without standalone lab testing or even a device teardown.

The FDAM is intended to support OTAs, cyber protection teams (CPTs), and other organizations within DOD that support OT&E on weapons platforms and systems, but it can also be applied to ICS used within DOD installations and other bases, particularly for infrastructure support. The DOT&E FDAM is applicable to mission platforms that are heavily reliant on ICS, including naval shipboard systems (electrical plant management, machinery control, aircraft launch/recovery, radar, fire control, and others), advanced ground vehicle management, and aircraft/avionics. The FDAM also supports a range of DOD assessment requirements [2, 3], and the approach is suitable for varying classification levels, as application details and closely held government information can be included when desirable (and useful).


Methodology for prioritizing cyber-vulnerable critical infrastructure equipment and mitigation strategies

Dawson, Lon A.; Stinebaugh, Jennifer S.

The Department of Homeland Security (DHS), National Cyber Security Division (NSCD), Control Systems Security Program (CSSP), contracted Sandia National Laboratories to develop a generic methodology for prioritizing cyber-vulnerable, critical infrastructure assets and the development of mitigation strategies for their loss or compromise. The initial project has been divided into three discrete deliverables: (1) A generic methodology report suitable to all Critical Infrastructure and Key Resource (CIKR) Sectors (this report); (2) a sector-specific report for Electrical Power Distribution; and (3) a sector-specific report for the water sector, including generation, water treatment, and wastewater systems. Specific reports for the water and electric sectors are available from Sandia National Laboratories.


Wind turbine reliability database update

Hill, Roger; Hines, Valerie A.; Stinebaugh, Jennifer S.; Veers, Paul S.

This report documents the status of the Sandia National Laboratories' Wind Plant Reliability Database. Included in this report are updates on the form and contents of the Database, which stems from a five-step process of data partnerships, data definition and transfer, data formatting and normalization, analysis, and reporting. Selected observations are also reported.


Wind turbine reliability : a database and analysis approach

Hill, Roger; Stinebaugh, Jennifer S.; Briand, Daniel B.

The US wind industry has experienced remarkable growth since the turn of the century. At the same time, the physical size and electrical generation capabilities of wind turbines have also grown remarkably. As the market continues to expand, and as wind generation continues to gain a significant share of the generation portfolio, the reliability of wind turbine technology becomes increasingly important. This report addresses how operations and maintenance costs are related to unreliability, that is, the failures experienced by systems and components. Reliability tools are demonstrated, the data needed to understand and catalog failure events are described, and practical wind turbine reliability models are illustrated, including preliminary results. This report also presents a continuing process for defining and controlling industry requirements, needs, and expectations related to Reliability, Availability, Maintainability, and Safety. A simply stated goal of this process is to better understand and to improve the operable reliability of wind turbine installations.
