VFD Cybersecurity Needed for Malicious Cyberattacks

By Himanshu Shah

Overview

Cybersecurity is a huge concern across industry as more and more largely unsecured smart devices and machines become connected via the Industrial Internet of Things (IIoT). Variable frequency drives (also called AC drives) in particular, widely used in many critical industrial processes, are vulnerable once connected to an IIoT ecosystem. Whether a VFD system is integrated into an automation infrastructure or directly connected to the internet, malicious cyber-attacks could result in equipment damage, production losses, and/or casualties.

VFD cybersecurity is needed because VFDs are used in industrial applications that are vital to national security, environmental safety, and even human safety. Although, to date, ARC Advisory Group is not aware of any serious cyber-attacks on industrial operations specifically targeted at VFDs, it would be naïve to think that they are not or will not be targets for future cyber-attacks.

While the frequency of these attacks could be very small, the potential impact could be huge.  For example, cyber-attacks on VFDs could cripple water supplies, power plants, and industrial operations of all types.  Clearly, end users, OEM machine builders, and VFD suppliers must take appropriate steps to mitigate future cyber-attacks on VFDs to avert significant physical and financial damage to their operations and personnel injury. 

Cybersecurity, a Hot Topic at the ARC Industry Forum

Cybersecurity attracted tremendous interest at ARC’s Industry Forum in Orlando in February 2017.  At one of the cybersecurity sessions, Dr. Stuart Madnick, Professor of Information Technology and Engineering Systems at the MIT Sloan School of Management provided an academic perspective of cyber-attacks and related hazards in the energy sector.  Dr. Madnick emphasized that attackers could overwrite firmware, such as firmware in VFDs, which could have disastrous consequences. 

Dr. Madnick discussed the analysis his team at MIT conducted on the potential impact that small firmware changes could have on a low-power VFD.   Changes as small as six lines of code could release the energy stored in capacitors and cause a VFD to blow up.  Based on their calculations, the team estimated that the blow out of the energy stored in capacitors in the VFDs driving a 400 HP motor would result in serious damage to the surroundings.   Furthermore, the long lead times needed to replace certain components could result in several months of disruptive and costly downtime.

Virtually every industrial operation uses VFDs, so there is a high potential risk of a cyber-attack. Additionally, since safety and failsafe mechanisms in many VFDs are also implemented in software, a cyber-attack could conceivably remove all safety limits for an application. Hence, industrial facilities should be seriously concerned about the possibility of either a blow out or operation under unsafe conditions.

Could VFDs Be the Target of a Cyber-Attack?

While Dr. Madnick’s analysis was hypothetical, it implies potentially serious consequences. Critical industrial applications have already demonstrated their vulnerability to cyber-attacks such as Stuxnet, the malicious computer worm identified in 2010 that caused substantial damage to Iran's nuclear program. VFDs are an important part of the safe operation of these types of applications.

The Stuxnet malware infected the software at several industrial sites in Iran, including a uranium-enrichment plant.  The Stuxnet worm spread throughout the facility’s automation systems, enabling the worm’s authors to spy on and tamper with the industrial systems.  They instructed the control system to drive the centrifuges at a speed that introduced unacceptable wobble and caused them to self-destruct.  Since the safety limits of VFDs were programmed in software, some industry experts believe that Stuxnet removed safety limits in the controller’s memory, allowing the centrifuges to operate beyond safety limits. 

Yes, that was in Iran.  But, similar attacks could occur in other critical industrial operations in other parts of the world.  Unconfirmed reports suggest that the Stuxnet attack was conducted by a joint Israeli-American operation. Whether or not this is an example of “terrorism” would likely depend on the individual’s world view.  However, in today’s chaotic global political arena, terrorism certainly is a significant concern.  As travel restrictions increase and border vetting becomes more rigorous, many terrorists will seek out opportunities to cyber-attack facilities.  There is no shortage of reasons for terrorists, hackers, or even just disgruntled employees to attempt such an attack.  VFDs in these facilities represent viable targets.  Attackers may not need a malicious worm like Stuxnet, but could cause considerable damage with far less sophisticated means, as demonstrated by Dr. Madnick’s team replacing six lines of code.

IIoT Ecosystem Exposes VFDs to Cyber-attacks

Organizations that use, service, and/or supply VFDs and other smart, connected devices and systems have high expectations that the IIoT ecosystem will deliver on its promises of added value through increased productivity, predictive maintenance, and reduced asset downtime.    

ARC sees clear business benefits to integrating IIoT as a key component of VFDs.  For example, process industry applications can often benefit from remote management of assets to monitor, control, and/or optimize different components of production equipment controlled by smart, connected VFDs.  Potential applications include conveyors or lifts, production machinery for processes, and HVAC systems.

IIoT enables remote fault detection and management, including identifying which VFD needs to be replaced and enabling remote updating of parameters. These features save significant time for production recovery. VFDs provided a tremendous amount of data for managing industrial operations before the IIoT revolution began, but cybersecurity was rarely addressed. In IIoT ecosystems, where data management and predictive analytics capabilities further increase customer value, this connected environment also makes AC drive systems more vulnerable due to additional entry points for external attacks. Consequently, safe use of VFDs within an overall IIoT ecosystem requires a robust, validated cybersecurity solution that can be adapted to the latest technological advancements.

Multi-layered Defense (Defense-in-depth)

While industrial cybersecurity risks can be minimized, it’s not likely that they’ll ever be eliminated entirely. But by implementing multi-layer security measures designed to provide defense-in-depth, the risk can often be reduced to acceptable levels. Technological solutions integrated into equipment, combined with preventive measures that establish a cybersecurity policy for operators and all people who engage with the automation systems, are now imperative.

A multi-layered defense or defense-in-depth strategy can help mitigate the risk for organizations susceptible to malware and malicious attacks, particularly when devices are connected outside the relatively safe confines of the immediate plant or corporate networks.

Recommendations

The majority of existing VFD installations utilize proprietary technology, which tends to be somewhat less vulnerable to cyber-attacks than an open-architecture environment, such as IIoT. For their newer system installations optimized for connectivity, suppliers need to initiate programs aimed at developing and improving product features and processes in concert. This work should be carried out together with their channels, OEMs, and end users so that end users can select, deploy, and maintain the cybersecurity solutions without substantially sacrificing functional safety, operational performance, or productivity. It’s also important to analyze risk vs. cost.

To help ensure the success of VFD projects, VFD suppliers need to plan security standards, follow security design practices, offer network infrastructure products to help protect access to VFDs, and ensure that connected devices and users are authentic and authorized for the operation they are trying to execute.  

To this end, users need to raise specific questions within their own organizations and to VFD suppliers to mitigate vulnerability to cyber-attacks. 

Some of the questions users should ask their VFD suppliers include:

  1. Do you have a product security office – a central team to ensure secure design practices are being followed? Do you have an established process to help products or solutions development to incorporate features to support robust cybersecurity?
  2. What services can you provide to help design security into an automation system, including VFDs?
  3. What is your product migration strategy for replacing older products with newer, more secure offerings?
  4. Do you have a program to assess vulnerabilities and help mitigate them?
  5. What security standards are you following today and planning to follow in the future?
  6. Do you provide a comprehensive defense-in-depth approach to security?
  7. What security design practices do you follow to limit vulnerabilities in your products?
  8. What network infrastructure products do you offer to limit access to drives?
  9. Who are you partnering with to ensure a consistent network security strategy between the IT (information technology) and OT (operations technology) space?
  10. What is your disclosure procedure and how do you report vulnerabilities?
  11. What security testing do you perform to reduce vulnerabilities in your products?
  12. Do you offer products and/or tools that ensure connected devices and users are authentic and authorized for the operation they are trying to execute?

Some of the questions users should raise within their own organization include:

  1. What methods do we use to enable users to access VFDs?
  2. In a network configuration, what are the attack vectors?
  3. In a standalone configuration when an AC drive is not connected to a network, what are the attack vectors and what are the control points for the drive?
  4. How is a VFD controlled? Are speed reference and start/stop controlled through the network, hardwired I/O, local operator interface, or other?
  5. Have robust guidelines and protocols been established and implemented for physical access to the facilities and equipment?
  6. How do we limit physical access to VFDs? Are there secured areas for equipment?
  7. How is facility access controlled, such as badge readers or other electronic identification?
  8. Who should have access to a drive and for what purpose? How will we limit the right level of access to the right users?

The above questions are likely to just be a starting point. 

Conclusion

At the end of the day, cybersecurity solutions should be aimed at reducing business risk, providing comfort and confidence, as well as enabling compliance with standards and legal requirements. Cybersecurity will remain an evolving goal requiring well-established processes in concert with changing surrounding technologies.

ARC encourages users and suppliers of VFD systems to work collaboratively to establish a robust and flexible environment against cyber-attacks.


Keywords: Variable Frequency Drives, AC Drives, VFD, Cybersecurity, Cyber-attacks, IIoT, Automation, Defense-in-depth, ARC Advisory Group. 
