March/April 2011

The Final Say

Network security in the Automation world

By Dan Schaffer

In today's highly connected world, office and industrial networks are more interconnected than ever before. In the not-too-distant past, the Information Technology (IT) department bore the sole responsibility for protecting the network and guaranteeing secure, reliable communications. While network security remains a top priority for IT departments, plant managers and engineers frequently neglect it.

Many engineers and plant managers are skeptical that cyber attacks can affect their control equipment. Some feel these threats are solely the realm of the office network. Others believe they have "security by obscurity": that is, their SCADA equipment and control protocols are not mainstream, so they cannot be easily learned or exploited. Both arguments are misplaced.

Threats and cyber incidents, malicious and accidental, happen every day on industrial networks. It is easier than ever to learn about industrial protocols and equipment … and how to exploit their vulnerabilities. A simple Google search results in thousands of hits leading to websites on how industrial protocols work, how to exploit SCADA, and even "hacking toolkits" to automate attacks.

Until recently, industrial cyber incidents fell into two categories. The first is direct attacks by individuals with axes to grind. These individuals often use insider knowledge to assault a known weakness in the system. For example, a disgruntled employee, recently fired from his job at a wastewater plant, connected to an unsecured access point and gained access to the control network. Using his knowledge of the SCADA system, he manipulated it, releasing unsafe water into the system.

The second category of industrial cybersecurity incidents occurs when the control network is collateral damage. This usually happens when a blind, rapidly propagating worm floods the network with data. The resulting packet storm can overwhelm control equipment such as programmable logic controllers (PLCs) or I/O, essentially shutting them down. In these cases, the control network is not specifically targeted, but the damage can be destructive just the same.

The Stuxnet worm, discovered in July 2010, does not fit in either category. This sophisticated worm explicitly targets Siemens' control software and inserts instructions into PLC programs, meaning it can cause physical damage and harm to equipment or to workers operating on the industrial network. As clever as it is dangerous, Stuxnet utilizes five separate Windows vulnerabilities to infect and spread itself to other systems. It is now widely accepted that Stuxnet was developed by Western governments and programmed specifically to attack Iranian nuclear facilities. These facilities have, in fact, been harmed; so Stuxnet, as a guided "cyber-missile," was very effective.

Now that Stuxnet is in the wild, hackers, hostile governments, etc., can deconstruct it. With this powerful worm as a blueprint, new attacks that affect other control platforms will certainly follow; clearly, the need for strong industrial cybersecurity is present and growing.

When looking to address cybersecurity on the industrial network, the ideal solution should:

  • Provide necessary network and security functions in industrially rugged hardware, to withstand the demanding conditions of the plant floor.
  • Maximize interoperability with existing IT networks by adhering to IEEE and IETF open standards.
  • Be easy to use. User-friendly features such as a web-based graphical user interface (GUI) and "security out of the box" make it easy for non-IT personnel to install these solutions.

Industrial security devices can come in several different form factors, depending on the application needs. For a control cabinet application, a DIN rail-mountable solution is ideal, while a PCI card will provide the best protection for an industrial PC. Additionally, some applications may require fiber instead of copper or gigabit speeds. But whatever the form factor, there are three key features to look for.

The first is a firewall. A firewall blocks unwanted or unneeded network traffic, so it never reaches your vital equipment. Using a hardware firewall offers high throughput with minimal latency and can protect a multitude of Ethernet devices regardless of operating system or function.

Router functionality is also critical. The router separates the control network from the office/IT network, insulating it from any unnecessary traffic. This prevents broadcast traffic from leaking from one subnet to another, while still allowing devices on different subnets to talk to one another.
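To make the firewall and router points concrete, here is an added example (not from the column or from any vendor's product) that models a router with an inline, default-deny firewall sitting between an office subnet and a control subnet and evaluates it against constructed packets. The subnets, hosts, Modbus/TCP port and rules are all assumptions chosen for illustration. It shows the two behaviours the text describes: broadcast storms are contained on the subnet where they start, and only explicitly allowed cross-subnet traffic (here, one programming workstation to one PLC) ever reaches the control equipment.

```python
"""Segmentation policy between an office/IT subnet and a control subnet,
evaluated against constructed packets.

Every address, port and rule here is made up for illustration; none of it
comes from the column or from any vendor product."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

OFFICE_NET = ip_network("10.1.0.0/16")        # assumed office/IT subnet
CONTROL_NET = ip_network("192.168.10.0/24")   # assumed control subnet
SUBNETS = (OFFICE_NET, CONTROL_NET)

ENGINEERING_WS = ip_address("10.1.5.20")      # assumed programming workstation
PLC = ip_address("192.168.10.10")             # assumed PLC
MODBUS_TCP = 502                              # Modbus/TCP well-known port

LIMITED_BROADCAST = ip_address("255.255.255.255")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str            # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: str
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (p.src in self.src and p.dst in self.dst
                and p.proto == self.proto
                and (self.dport is None or self.dport == p.dport))


def host(addr: IPv4Address) -> IPv4Network:
    """A /32 network for a single host, used to write per-host rules."""
    return ip_network(f"{addr}/32")


# First-match policy for traffic that crosses between subnets. Only the
# programming workstation may open Modbus/TCP sessions to the PLC; anything
# else that reaches the router is dropped by the implicit default deny.
POLICY: List[Rule] = [
    Rule(host(ENGINEERING_WS), host(PLC), "tcp", MODBUS_TCP, "allow"),
]


def classify(p: Packet) -> str:
    """What a router with an inline firewall does with one packet.

    "broadcast" - limited or directed broadcast; routers do not forward these,
                  so a worm's packet storm stays on the subnet it started in
    "local"     - src and dst share a subnet; the router never sees it
    "allow"     - crosses subnets and matches an allow rule
    "deny"      - crosses subnets and matches nothing (default deny)
    """
    if p.dst == LIMITED_BROADCAST or any(p.dst == n.broadcast_address for n in SUBNETS):
        return "broadcast"
    if any(p.src in n and p.dst in n for n in SUBNETS):
        return "local"
    for rule in POLICY:
        if rule.matches(p):
            return rule.action
    return "deny"


# Constructed sample traffic: (description, packet).
SAMPLES = [
    ("workstation programs PLC", Packet(ENGINEERING_WS, PLC, "tcp", MODBUS_TCP)),
    ("office PC probes PLC", Packet(ip_address("10.1.7.99"), PLC, "tcp", MODBUS_TCP)),
    ("workstation tries SSH to PLC", Packet(ENGINEERING_WS, PLC, "tcp", 22)),
    ("worm floods NetBIOS broadcast",
     Packet(ip_address("10.1.7.99"), OFFICE_NET.broadcast_address, "udp", 137)),
    ("DHCP discover", Packet(ip_address("0.0.0.0"), LIMITED_BROADCAST, "udp", 67)),
    ("PLC talks to local I/O", Packet(PLC, ip_address("192.168.10.20"), "tcp", MODBUS_TCP)),
]


def simulate() -> dict:
    """Run every sample packet through the policy and return the verdicts."""
    return {desc: classify(p) for desc, p in SAMPLES}


if __name__ == "__main__":
    for desc, verdict in simulate().items():
        print(f"{verdict:9s} {desc}")
```

Note the "local" verdict: traffic between two devices on the control subnet never crosses the router, so a firewall at the subnet boundary cannot police it. That is why the column's point about routing matters: the boundary device can only filter what the router hands it, and everything it is not told to allow is dropped.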

Finally, a Virtual Private Network (VPN) will extend security beyond the local network and provide secure remote connectivity across the Internet. This makes it easy to safely provide remote support, troubleshooting, and programming to machines deployed across the country or around the world. The authentication and encryption all happen "behind the scenes" in a fraction of a second. Once the VPN "tunnel" is established, network traffic can flow securely in both directions.

The need for cybersecurity to protect industrial networks is real and growing. While today's control systems are increasingly complicated, protecting them from a cyber threat does not need to be.

ABOUT THE AUTHOR

Dan Schaffer is a product specialist for Phoenix Contact's networking and security products. He has more than 15 years' experience as a network engineer, running numerous private company network infrastructures. He specializes in network troubleshooting, security, and design.