Got the security controls wrong in OT and maritime? Watch as engineers work around them

Andrew Tierney 16 May 2022

Industrial control systems security is slowly improving, partly as a result of attention from regulators and lawmakers. However, we often see security controls implemented that don’t take account of the unique challenges faced by the engineers who look after OT environments. We see controls brought in from IT environments that just don’t work in OT. No-one sat down with the engineers to discuss how systems are used and agree controls that actually work in practice.

So what happens?

No surprises – the engineers will work around the control. The controls are broken down, possibly exposing the systems. It’s a familiar story.

Here are a few examples we’ve seen of security controls not taking the real world of OT and / or maritime into account.

Want lousy passwords in OT and maritime? Use a membrane keyboard

As password security gains more attention in the world of industrial control systems and shipping, we’re starting to see operators require non-default/blank/simple passwords on HMIs and bridge systems.

Ever so slowly, the practice of sticking passwords to bridge systems and ICS kit is declining. Better ways of authenticating users are starting to emerge.

Even better, organisations are starting to consider the cyber-physical risks around device security. Why does an essential piece of navigational equipment such as an ECDIS even need a password for a regular minimum-privilege user account? The last thing anyone needs during a navigation incident is to be working out how to unlock the system!

So installers and ship technology vendors are being made to create slightly better passwords for systems. Good, right?

Well….

Most OT and ship system interfaces for humans are at least partly rugged. Why? Simple – things get spilled on bridges in heavy weather. Keyboards need to withstand heavy usage. You also don’t want loose keyboards sliding around and falling off.

It’s not just bridges though: machinery spaces are dirty and often vibrating. We’ve seen mustering, fire alarm and other systems that need to be rugged too.

Hence, we often see membrane keyboards in these environments.

Ever tried to use a membrane keyboard? It’s a slow process; some are better than others, but the lack of tactile feedback can make working with credentials quite challenging.

This leads to an interesting and unintended consequence. As with many implementations of security controls in OT and maritime, the operators and engineers work around the controls:

We keep finding that the new, more secure passwords to these systems are a product of the limitations of membrane keyboards. Here are some we’ve seen recently in multiple vessels:

  • qwertyuiop
  • asdfghjkl;
  • zxcvbnm,.

We’ve even got basic complexity requirements in the last two examples!

Oh and “1qaz2wsx3e” has popped up a couple of times.

If you haven’t spotted it, these are simply left-to-right and top-down sequences of characters on a standard English-language keyboard.
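One way to catch these at password-set time, as an added example that is not from the original post: a check that scores how much of a password is a path across neighbouring keys. It assumes a US QWERTY layout approximated as an unstaggered grid; the function names and the 0.7 threshold are illustrative choices, not values from any product.

```python
# Keyboard-walk screen for a password policy (added example).
# Assumption: US QWERTY, modelled as an unstaggered grid of rows and columns.
ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
SHIFTED = ["!@#$%^&*()_+", "QWERTYUIOP{}", 'ASDFGHJKL:"', "ZXCVBNM<>?"]

# Map every character, shifted or not, to the (row, column) of its physical key.
KEY_POS = {}
for r, (plain, shifted) in enumerate(zip(ROWS, SHIFTED)):
    for c, (a, b) in enumerate(zip(plain, shifted)):
        KEY_POS[a] = KEY_POS[b] = (r, c)


def adjacent(a, b):
    """True if a and b are different, physically neighbouring keys."""
    if a not in KEY_POS or b not in KEY_POS:
        return False
    (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
    return (r1, c1) != (r2, c2) and abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def walk_ratio(password):
    """Fraction of consecutive character pairs that are neighbouring keys."""
    pairs = list(zip(password, password[1:]))
    if not pairs:
        return 0.0
    return sum(adjacent(a, b) for a, b in pairs) / len(pairs)


def is_keyboard_walk(password, threshold=0.7):
    """Flag passwords that are mostly a path across neighbouring keys."""
    return len(password) >= 4 and walk_ratio(password) >= threshold


# The four passwords quoted in the post, plus two constructed samples.
SAMPLES = ["qwertyuiop", "asdfghjkl;", "zxcvbnm,.", "1qaz2wsx3e",
           "!QAZ2wsx", "harbour-pilot-42"]

if __name__ == "__main__":
    for pw in SAMPLES:
        verdict = "REJECT" if is_keyboard_walk(pw) else "ok"
        print(f"{pw:<18} ratio={walk_ratio(pw):.2f} {verdict}")
```

A ratio threshold rather than an exact-match list is what catches the column walk "1qaz2wsx3e", where the jumps back to the top row break the chain twice but most steps are still between neighbouring keys.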

Biometrics and dirty fingers

Access control to sensitive areas in industrial control systems, particularly in ships, is quite a challenge. Doors that provide access to dangerous machinery spaces need to be locked, but key management can be a real problem.

Hence, biometric-based authentication would seem like a logical solution to key management and access. We’re starting to see biometric fingerprint sensors entering use on some vessels.

Which all seems great, other than that most of the engineers will often have dirty fingers after working on mechanical systems.

Dirty fingers make biometric authentication really quite challenging, both because the print is hard to read and because dirt will often contaminate the sensor.

So what is the result? We’ve seen doors wedged open, locking mechanisms disabled and similar. The wrong control leads to it being worked around.

Yes, there are some specialist fingerprint sensors that can deal with dirty fingers, but they’re expensive.

Implement aggressive HMI timeouts at your peril

More recently we’ve seen human machine interfaces with 2.5-minute timeouts set. If there isn’t any activity on the interface, it locks again, needing the password to unlock it.

HMIs are frequently some distance from the plant they control. You might need to open some valves and start a pump on the HMI, go and physically monitor the plant, and return to stop the pump. During this time, the HMI will have locked again.

The control isn’t effective, so the engineers will figure out a workaround. Here’s what they discovered:

The standard user accounts they were given on the HMI had the aggressive lockout, but the HMI also came with two high privilege accounts. After much protesting, the engineers were given credentials to the high privilege accounts, which didn’t lock out. They used only the high privilege accounts from that moment on.

The wrong control resulted in it being worked around and security being eroded.

Conclusion

Engage your engineers, your operators and your bridge crew when building security controls. Watch how they work and operate the systems you’re concerned about. Talk to the people at the ‘coal face’!

Create controls that work for them too. The last thing anyone needs is a system becoming unusable owing to ‘security’ at a critical moment. OT systems are designed to be safe. Don’t let security erode that through implementing the wrong control.

IT security controls don’t always work in the way you might expect in an OT environment.