1 December 2005
Modern networked systems come with caveat
Industrial applications begin to reap the benefits of remote access. Security breaches a concern.
By Peter Wood
A rich supply of data lives here.
As SCADA systems, breakers, and other industrial control, monitoring, and management systems become more intelligent, this supply is available for improving plant performance and remote maintenance and management.
As with all technology advances, challenges come with opportunities.
We will explore the state of network security options at the switch level and offer an elementary road map for industrial operations to plan for and deploy secure systems to take advantage of the advanced networking technologies that can support greater efficiency, reliability, and security in plant and remote operations.
Manipulating data over the Web
As industrial applications take advantage of standards-based networked communications and data transmission solutions, the upside is higher performance, lower cost, and interconnectivity allowing operators to view and control any part of the plant equipment.
However, networked systems also open up the door to security breaches, and the critical commercial and technical information available in such environments, along with the ability to interfere with industrial monitoring and control. Products attached to the network also enhance the possibility of a security breach.
While corporate hacking and sabotage poses risks and concerns, the potential for mischief, or outright sabotage, in industrial environments can have much broader implications.
Repercussions from the 2003 power blackout in the Northeastern U.S. rippled throughout the country. Imagine how much worse a concentrated and widespread act of sabotage might have been.
With widespread-networked communications comes the new opportunity of accessing and manipulating data over the Web. Simple and ubiquitous, the Web can revolutionize the monitoring and control of the industrial plant. The convenience and efficiency of a Web connection for easy anytime-anywhere access to data is now widely recognized in commercial, industrial, and military applications. The price of this technology, however, is the absolute necessity to implement security precautions such as firewalls, DMZs, virus protection, user authentication, authorization and access control, encryption, and validation to ensure only those entitled to access are able to use it. Despite these precautions, stories of the compromising and shut down of companies' computer systems are prevalent, even in some bastions of technology.
With an awareness of the similarities between business IT systems security and that required by control systems, several groups are addressing the technology opportunities and challenges of the industrial environment to create uniform and consistent standards and terminology. No single vendor or single technology is going to make industry safe from intentional attacks; however, market and technology factors are now in place to enable industrial implementation of expanded communications solutions—including protecting the introduction of Web-based communications into industrial settings. Ethernet networks require ISO/OSI Level 1 security, and responsible vendors will gear up to support more broadly based systemic security requirements from industrial customers.
Local vs. remote access
As Ethernet has expanded into industrial operations, two types of structures emerge.
Closely watching Ethernet within the walls of a single facility is eminently possible, with the only serious security risk being from disgruntled employees or persons who have penetrated the security of the physical plant.
One can protect access to data running across an Ethernet network via a segregated network with restricted points of access to the outside world, password-protected terminals tethered to the Ethernet switch itself, or Telnet sessions.
However, Ethernet's benefits to industrial applications run far beyond such restricted applications. Ethernet using fiber cabling for distance, noise-immunity, and security is working throughout widely distributed industrial applications. It works in activities such as managing and monitoring traffic signals and vehicle flow, collecting data in remote communications outposts and power substations, and linking outlying facilities in aircraft maintenance hubs and other far-flung industrial applications. In these applications, Web access can provide additional efficiency and cost-savings. This is also the area of greatest threat.
No single vendor or single technology involving sole-sourced and/or proprietary solutions is going to make industry safe from intentional attacks; however, widespread, multi-vendor market and technology factors are now in place to enable industrial implementation of expanded communications solutions, including the introduction of Web-based communications into industrial settings. Standards-based hardware and software are now readily available to provide, for example, shadow (proxy) servers, firewalls, and Virtual Local Area Networks (VLANs), all of which are important components of a broader security strategy focusing on an integrated corporate-wide approach. Clearly, a cooperative effort between the factory floor and the IT department is desirable.
Ethernet equipment vendors must, however, take the lead in providing ISO/OSI Level 1 security for Ethernet networks and support more broadly based systemic security requirements from industrial customers.
Remote industrial Ethernet implementations are very popular applications for monitoring. They are typically closed systems, which require in-facility access points for information review. Because remote monitoring is possible, many routine maintenance visits to unmanned outlying operations are unnecessary, with concomitant reduction in costs. It is also easier to identify potential problems and dispatch maintenance or repair teams promptly, often avoiding the necessity for down time. Equally, remote monitoring allows maintenance crews to pinpoint (or at least determine by sector) outages, reducing the elapsed time necessary to complete a service call.
Ethernet access to remote sites has traditionally served less often for management and control, simply because of concerns regarding a secure connection. Nonetheless, industrial operations, including power utilities and traffic control systems, are beginning to explore secure ways to implement these activities. Although most of these implementations still require access from a hardwired terminal or Telnet session, companies are beginning to believe that the technology is in place to support more interactive remote access.
As companies become more comfortable with remote management and control, planners are turning their attention to the attractiveness of the Web. Instead of leaping in the car to drive to a substation for a 3:00 a.m. emergency, a control engineer may open his laptop and connect to the problem site. Likewise, a key employee on vacation in Hawaii or Florida can gain access to the problem in Kansas from the hotel room, rather than engaging in long-distance question-and-answer sessions, or worse yet, a flight home.
Once a closed-loop network opens to access to-and-from the Web, password protection is no longer enough. While security has multiple components, Ethernet vendors can address Level 1 security issues by providing protection in two of the areas of concern documented in the SP99 committee's first paper—ensuring that a user is who he/she claims to be (authentication) and the password-protected access to an application is encrypted as it crosses the Internet so it cannot be easily accessed and stolen (encryption). Switch management software can, and should, attend to these two components. Authentication and encryption are possible in today's industrial environments by using the same standards and controls that handle the world's financial transactions via the Web. Through established security standards, network management software can provide this functionality.
Authentication and encryption are available by using SNMPv3, Secure Socket Layer (SSL), and Transport Layer Security (TLS). These features allow a switch to handle HyperText Transfer Protocol Secure (HTTPS), the highest level of Web access security available.
Secure Web implementation
Instrumentation is at the very foundation of a plant's ability to control properly and achieve production goals. While many facilities still rely on manual data logging by operations personnel, industrial users recognize the need to install proper and necessary instrumentation. With the advent of increasingly sophisticated systems, current instrumentation today comes with smart diagnostic features and connectivity to allow rapid transfer of that information to the control room. In remote locations, and even within a facility, the economics of industrial life require automation of the collection and analysis of this data. Secure Web access requires fewer visits by maintenance and repair personnel to any particular instrument, while sustaining (or enhancing) the ability to get up-to-the-minute information necessary to avoid outages and fine-tune instrumentation.
Authentication and encryption provide first-level security features that enable faster and more convenient access to data in today's of-necessity security-conscious environment, and it is the duty and responsibility of vendors of Ethernet devices to provide them.
The second aspect of Web security, data security, requires the cooperation of other components of the implementation. This is the area where SP99 and PCSRF hold sway. The further field the users who have a need to access an industrial network, the more critical it is that the network design provides system-wide protection. As a part of lower-level ISO security, standards such as Remote Authentication Dial In User Service (RADIUS 802.1x), Terminal Access Controller Access Control System (TACACS+), and Secure Shell (SSH) extend total system security by shielding traffic running through the switch. Switch manufacturers assist in the support of data security, but the implementation requires broader compliance than that available at the switch. RADIUS defines a mechanism for port based network access control by authenticating and authorizing users and devices attempting to attach to LAN ports that have point-to-point connection characteristics such as wireless access, and denying access if the authentication and authorization fail. TACACS+ provides authentication, authorization, and accounting services for routers, network access servers, and other networked computing devices via one or more centralized servers. Secure Socket Shell allows users remote access, to execute commands or move files in a remote machine. Because it operates over insecure channels, it provides strong authentication, secure communications, and can protect network from attacks such as IP spoofing, IP source routing, and Domain Name Server (DNS) spoofing.
Different take on security
As industrial applications begin to reap the benefits of remote access, all must take care to avoid security breaches.
Ethernet switches can offer a powerful access point for controlling access and supporting message integrity through encryption. However, it is incumbent on everyone to work toward highly secure network systems that enable the industry to take advantage of the tremendous time- and cost-savings of Web-based networking.
Commerce has led the way with highly secure financial, medical, and retail applications, however, the complexities of industrial security require careful thought and planning, and in many cases, a different take on a security strategy.
The exemplary work of ISA-SP99 and NIST is leading the way to highly effective and highly secure industrial networks. Thanks to the forerunners in the commercial environment, there is a strong base from which to begin the work of adapting and customizing current security standards and protocols to support industrial applications.
Behind the byline
Peter Wood (firstname.lastname@example.org) has a BS in engineering. He is vice president of engineering and operations with responsibility for Ethernet development for telecommunications, enterprise, and industrial applications at Garrett Communications/GarrettCom.
Who let the dogs out?
At the vanguard of developing security guidelines for industrial control systems are ISA and the National Institute of Standards and Technology (NIST).
ISA, through its SP99 committee, has published two technical reports on manufacturing and control systems security that address the growing threats to industrial system security.
The NIST Process Control Security Requirements Forum (PCSRF) has issued the System Protection Profile for Industrial Control Systems (SPP-ICS).
The SP99 committee, Manufacturing and Control Systems Security, represents a cross-section of the industrial market with representation from control system vendors, end-users, system integrators, consultants, and cyber security vendors.
The first two reports from the committee, which came out in 2004, are Security Technologies for Manufacturing and Control Systems (ISATR99.00.01-2004, or TR1) and Integrating Electronic Security into the Manufacturing and Control Systems Environment (ISA-TR99.00.02-2004 or TR2).
TR1 provides guidance for using available electronic security technologies, without making specific technology recommendations. It categorizes 28 electronic security technologies into five broad categories:
Both control engineers and IT management can use the document to understand the opportunities and limitations of deploying IT-based security methods in a real-time environment.
The document provides information on each technology regarding:
In addition, it discusses anticipated future directions, offers recommendations and guidance, and points the reader to information sources and reference material.
While TR1 is a primer, TR2 offers more comprehensive information regarding methodologies and components necessary to create a complete security program and suggests a process to implement more secure systems. Since most control systems are a combination of newer and legacy components, rather than a "built-from-scratch" environment, each system will require individual evaluation.
Today, SP99 is developing a draft of the first of what will be a series of industry standards related to manufacturing security.
The NIST PCSRF's System Protection Profile for Industrial Control Systems (SPP-ICS) released in 2004 is a baseline document that states necessary industrial security requirements at an implementation-independent level. It will help to create security specifications for specific systems and components, such as a water treatment system or a power substation.
The NIST PCSRF includes a number of members of the SP99 Committee, and its charter is to define common information security requirements for process control systems in the future. The Forum consists of more than 450 members from government, academic, and private sectors.
The current document is an extension of ISO/IEC 15408 Common Criteria. Common Criteria is widely used in secure government operations, such as the FAA. The SPP-ICS looks at these concepts in relation to industrial automation.
Industrial facilities can use it to specify security functional requirements for new systems. At the same time, vendors can use it to demonstrate assurance that their products meet these security requirements.
Three encryption flavors
Simple Network Management Protocol (SNMP), introduced in 1988, is a standard for gathering statistical data about network traffic and the behavior of network components such as switches, hubs, and routers. It works in TCP/IP and other networks to monitor and control network devices and manage configurations, statistics collection, and performance. It is easy to implement, install, and use and does not place undue burden on the network. Even better, SNMP modules from different vendors work together with minimal effort.
A full secure Web implementation requires careful evaluation of the security requirements of the system and informed implementation of the authentication and encryption features. Basic security, in the form of authentication and encryption, first surfaced in 1998 with SNMPv3. Accepted as a full Internet standard in 2002, SNMPv3 also provides for the ability to update configuration parameters in SNMP agents, thus enabling complete remote management of SNMP devices, which is an added convenience as Web management comes into play.
It is important to note SNMPv3 adds several levels of capability and increasing complexity to an SNMP implementation. Unless an implementation requires security features, most SNMP deployments will remain at SNMPv1 or SNMPv2. Perhaps the wisest approach for a vendor of Ethernet switches is to continue to offer these earlier versions, as well as SNMPv3, in its network management package to accommodate users with various levels of security requirements.
SNMP messages—protocol data units—pass data from SNMP agents (hardware and/or software processes reporting activity in a network device) to the workstation console manager used to oversee the network. Agents and managers share a database of information, called the Management Information Base (MIB), which describes object characteristics and provides control mechanisms.
SNMPv3 introduced the concept of a principal, which is the entity on whose behalf services take place. The use of principals gives human security managers flexibility in assigning network authorization because security policies can tailor to the specific principal, agent, and information exchange.
The authentication mechanism in SNMPv3 provides three assurances: The received message transmitted by and for the principal whose identifier appears as the source in the message header; no one altered the message in transit; and there was no artificial delay or replaying of the message.
Communicating SNMP engines share a secret authentication key that the sending entity provides. A message authentication code is included in the message and is a function of the contents of the message, the identity of the principal and engine, the time of transmission, and a secret key only the sender and the receiver know. When the receiving entity gets the message, it uses the same secret key to calculate the message authentication code again. If the receiver's version of the code matches the value appended to the incoming message, then the receiver knows the message can only have originated from the authorized manager, and no one or circumstance altered the message during transmission. The shared secret key between sending and receiving parties must be a preconfigured item that a network manager previously loaded into the databases of the various SNMP managers and agents.
A separate privacy facility enables managers and agents to encrypt messages to prevent eavesdropping by third parties. Again, manager entity and agent entity must share a secret key. When an invoked privacy situation exists between a principal and a remote engine, all traffic between them undergoes encryption using the Data Encryption Standard (DES). The sending entity encrypts the entire message, using the DES algorithm and its secret key, and sends the message to the receiving entity, which decrypts it using the DES algorithm and the same secret key.
Another facility, access control, makes it possible to configure agents to provide different levels of access to the agent's MIB to different managers. An agent entity can restrict access to its MIB for a particular manager entity by restricting access to a certain portion of its MIB or by limiting the operations that a principal can use on any portion of the MIB. Unlike authentication, which the user controls, a group mandates access control, where a group may be a set of multiple users.
SSL and its companion TSL extend SNMP features to web-based applications.
SSL, which is a protocol designed to enable encrypted, authenticated communications across the Internet, works mostly in communications between Web browsers and Web servers. When a URL begins with "https," rather than "http," this indicates that an SSL connection will be used, providing authentication, as well as privacy and message integrity (through encryption). Another way of explaining SSL is to say it ensures the information transmits unchanged, only to the server to which the sender intended to send it. SSL serves online shopping sites, among other applications, to safeguard credit card information, and therefore, has already demonstrated a level of security that should be adequate and appropriate for industrial applications.
TLS is a successor to SSL, using the same cryptographic methods but supporting a wider variety of cryptographic algorithms. The Internet Engineering Task Force (IETF) standardized TLS and all significant software providers accept it.
To enhance authentication, it is possible for vendors to add additional levels of access security. IP management allows switch administrators to control remote access via Web and Telnet at the IP address level. Port security can work to block computers from accessing the network by requiring the port to validate the Media Access Control (MAC) address against a known list of MAC addresses. If there is an insecure access on a secondary device connected to a switch, these levels of control allow authorized users to continue to access the network while unauthorized packets are dropped, preventing their access to the network.