Getting to the HART of the Matter: An Evaluation of Real-World Safety System OT/IT Interfaces, Attacks, and Countermeasures

L. Tinnel, Michael E. Cochrane
Proceedings of the 14th Cyber Security Experimentation and Test Workshop. Published 2021-08-09. DOI: 10.1145/3474718.3474726 (https://doi.org/10.1145/3474718.3474726)
Citations: 1

Abstract

This paper discusses our experience evaluating attack paths and security controls in commonly used, real-world ICS safety system architectures. Specifically, we sought to determine if an SIS-mediated architecture could provide better protection against unauthorized and malicious safety instrument configuration changes than could a MUX-mediated architecture. An assessment question-driven approach was layered on top of standard penetration assessment methods. Test cases were planned around the questions and a sample set of vendor products typically used in the oil and gas sector. Four systems were composed from different product subsets and were assessed using the test cases. We analyzed results from the four assessments to illuminate issues that existed regardless of system composition. Analysis revealed recurring vulnerabilities that exist in all safety systems due to issues in the design of safety instruments and the HART protocol. We found that device-native hardware write-protections provide the best defense, followed by SIS write protections. We concluded that, when using SIS security controls, an SIS-mediated system can protect against unauthorized device reconfigurations better than can a MUX-based system. When SIS security controls are not used, there is no added security benefit. We present lessons learned for ICS stakeholders and for people who are interested in conducting this kind of evaluation.