Security Architecture and Remote Access

Well-planned security architecture is probably the most important technical factor in determining whether a process control facility can be effectively secured against cyber attack. If the architecture is properly designed, a defence-in-depth approach becomes feasible and the security countermeasures deployed achieve their maximum effectiveness.

Unfortunately, the North American Electric Reliability Council (NERC) report on the Top Ten Vulnerabilities in Control Systems notes that poor defence-in-depth design is the second most common security vulnerability. Poorly designed architectures lose their defence-in-depth advantage, and the deployed security countermeasures can end up as dangerous placebos, offering a false sense of security. For example, in January 2003 the Slammer worm penetrated a number of plant floor networks that staff had believed were secure because firewalls separated them from the corporate network. In most cases these infections occurred because poor network design allowed alternate pathways around the firewall, in the form of poorly configured VPN tunnels, servers with dual network interface cards and shared network infrastructure.

Current industry best practice calls for the SCADA or process control network to be clearly separated from regular IT network segments. Byres Research recommends that this be implemented using independent switches isolated behind a business/PCN firewall, in accordance with the recommendations of ISA-dTR99.00.02, Integrating Electronic Security into the Manufacturing and Control Systems Environment, and the NISCC Good Practice Guide on Firewall Deployment for SCADA and Process Control Networks. We also recommend deploying a Demilitarized Zone (DMZ) for shared enterprise/PCN assets such as data historians. Figure 1 illustrates this type of architecture.

Figure 1: Firewall with Demilitarized Zone for Shared Enterprise/PCN Assets


This primary control system firewall defines the security perimeter for the control system and acts as the choke point for all traffic between the outside world and the control system. Proper design and deployment of this firewall is critical, yet it is often neglected. As Dr. Paul Dorey, the CSO of BP, noted in his keynote speech at the Process Control Security Forum AGM in 2006, comments like “My networks aren’t connected, my server uses a separate network card to connect to the PCN and the corporate network” do not describe a secure network design; a dual-homed server of that kind is simply a great way to infect both networks. Similarly, using routers or switches with access control lists (ACLs) in place of a firewall is not acceptable.

It is important to note that the security needs of the business network are not the same as the security needs of the control network. For example, the business firewall must typically allow users inside the network to browse the Internet using HTTP, while the control system typically requires a security policy that explicitly forbids this. Simply put, a single firewall cannot be all things to all departments. A good control system security strategy therefore needs to offer layers of protection, starting with a dedicated control system firewall and progressing to specific protection for key devices and systems on the plant floor or in the SCADA system.
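The zone split of Figure 1 and the differing business/control policies just described, as a small executable model. This is an added example and is not code from the paper or from any Byres Research product: the three subnets, the historian and collector addresses, the database port 1433 and the host inventory are all constructed assumptions. It also includes a check for the dual-NIC bypass path mentioned earlier, since a host with interfaces in two zones defeats any rule set on the firewall.

```python
"""Zone policy model for the Enterprise / DMZ / PCN firewall of Figure 1.

Added illustration, not Byres Research code: the subnets, host addresses
and ports below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed zone layout: one firewall interface per zone (assumption).
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.2.0.0/24"),
    "pcn": ipaddress.ip_network("10.3.0.0/16"),
}
HISTORIAN = "10.2.0.10"        # shared asset, placed in the DMZ (constructed)
COLLECTOR = "10.3.0.20"        # PCN host that pushes data to the historian (constructed)
HISTORIAN_PORT = 1433          # historian's database listener (constructed)


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: Optional[int]             # None = any TCP port
    action: str                      # "allow" or "deny"
    src_host: Optional[str] = None   # None = any host in src_zone
    dst_host: Optional[str] = None   # None = any host in dst_zone


def zone_of(ip: str) -> str:
    """Map an address to its firewall leg; anything else is outside."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """First matching rule wins; an unmatched flow is denied (default deny)."""
    sz, dz = zone_of(src), zone_of(dst)
    for r in rules:
        if (r.src_zone, r.dst_zone) != (sz, dz):
            continue
        if r.dport not in (None, dport):
            continue
        if r.src_host not in (None, src) or r.dst_host not in (None, dst):
            continue
        return r.action
    return "deny"


# Control-system firewall: enterprise and PCN never talk directly. Both sides
# reach the shared historian in the DMZ, and only on its service port.
CONTROL_FW = [
    Rule("enterprise", "dmz", HISTORIAN_PORT, "allow", dst_host=HISTORIAN),
    Rule("pcn", "dmz", HISTORIAN_PORT, "allow", src_host=COLLECTOR, dst_host=HISTORIAN),
]

# Business firewall: users may browse the Internet, a policy the control
# firewall above deliberately does not carry.
BUSINESS_FW = [
    Rule("enterprise", "internet", 80, "allow"),
    Rule("enterprise", "internet", 443, "allow"),
]


def find_bypass_hosts(inventory: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Flag hosts whose interfaces sit in more than one zone: a dual-NIC
    server is a path around the firewall regardless of the rule set."""
    flagged = {}
    for host, addrs in inventory.items():
        zones = sorted({zone_of(a) for a in addrs})
        if len(zones) > 1:
            flagged[host] = zones
    return flagged


if __name__ == "__main__":
    flows = [
        ("enterprise client -> historian", CONTROL_FW, "10.1.5.5", HISTORIAN, HISTORIAN_PORT),
        ("enterprise client -> PLC", CONTROL_FW, "10.1.5.5", "10.3.1.50", 502),
        ("collector -> historian", CONTROL_FW, COLLECTOR, HISTORIAN, HISTORIAN_PORT),
        ("HMI -> web", CONTROL_FW, "10.3.0.10", "198.51.100.7", 80),
        ("office PC -> web", BUSINESS_FW, "10.1.5.5", "198.51.100.7", 80),
    ]
    for name, rules, s, d, p in flows:
        print(f"{name:32s} {evaluate(rules, s, d, p)}")
    # Constructed inventory: ops-ws has one leg in the PCN and one in the enterprise LAN.
    print(find_bypass_hosts({"hist-srv": ["10.2.0.10"], "ops-ws": ["10.3.0.30", "10.1.7.7"]}))
```

Note that nothing in CONTROL_FW mentions the enterprise-to-PCN direction at all; the protection comes from the default deny, not from an explicit block, which is why the rule set stays short and auditable. The bypass check is the part a firewall cannot do for you: it needs the host inventory.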

Once the electronic perimeter of the control system is secured, the secondary layers of defence must be built on the control system itself. This can be achieved using two primary techniques. For control components (such as HMIs and data historians) that run traditional IT operating systems such as Windows and Linux, the proven IT strategies of patch management and anti-virus management can be applied directly.

In many cases the most critical devices in a control system, such as PLCs, DCS controllers and RTUs, are based on operating systems and architectures that allow neither the addition of security features such as anti-virus software nor regular patching. Furthermore, the majority of control devices in use today offer no authentication, integrity or confidentiality mechanisms and can be completely controlled by any individual who can “ping” the device. Thus the most critical devices on the plant floor are also the most vulnerable.

A rapidly evolving security solution is the use of low-cost security appliances deployed directly in front of each control device (or group of devices) that needs protection. These appliances provide protection at the critical edge device itself, much as personal firewalls, anti-virus software or intrusion detection systems provide local protection for desktop computers and servers. The result is a true “defence-in-depth” strategy: even if a hacker or virus manages to get through the main corporate firewall, they are still faced with an array of SCADA-focused security devices, each of which must be breached before any damage can be done. Typically these remote security appliances are configured, monitored and managed from a central management system. Because each appliance protects a small number of critical devices rather than a whole network, it can be tuned to the security needs of the device it is protecting.
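The following added example, which is not code from the paper or from any Byres Security appliance, shows the kind of per-device rule such an appliance can enforce for a PLC that speaks Modbus/TCP, a protocol with no authentication of its own. It parses the MBAP header and function code, drops malformed frames, lets the HMI read but never write, and lets the engineering workstation write only inside a small register window. The host addresses, the 0..99 window and the sample frames are constructed for the example.

```python
"""Modbus/TCP function-code filter of the kind a per-device security appliance
can enforce.  Added example; not code from the paper or any Byres Security
product.  Host addresses, the register window and the frames are constructed.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

MBAP_LEN = 7                   # transaction id (2), protocol id (2), length (2), unit id (1)
MODBUS_PROTOCOL_ID = 0
READ_FCS = {1, 2, 3, 4}        # read coils / discrete inputs / holding regs / input regs
WRITE_FCS = {5, 6, 15, 16}     # write single/multiple coil(s) and register(s)


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Encode a Modbus/TCP request: MBAP header followed by the PDU (fc + data)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, MODBUS_PROTOCOL_ID, len(pdu) + 1, unit) + pdu


def parse_frame(frame: bytes) -> dict:
    """Decode a frame and reject anything that is not well-formed Modbus/TCP."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != MODBUS_PROTOCOL_ID:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:        # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "fc": frame[MBAP_LEN], "data": frame[MBAP_LEN + 1:]}


def address_span(fc: int, data: bytes) -> Optional[Tuple[int, int]]:
    """(first, last) coil/register address a request touches, or None if unknown."""
    if fc in (5, 6) and len(data) >= 4:                 # single write: address, value
        addr = struct.unpack(">H", data[:2])[0]
        return addr, addr
    if fc in (1, 2, 3, 4, 15, 16) and len(data) >= 4:   # address, quantity, ...
        addr, qty = struct.unpack(">HH", data[:4])
        return (addr, addr + qty - 1) if qty else None
    return None


@dataclass
class SourcePolicy:
    fcs: Set[int]                                   # function codes this source may send
    write_range: Optional[Tuple[int, int]] = None   # inclusive address window for writes


@dataclass
class DevicePolicy:
    device: str                                     # IP of the protected PLC
    sources: Dict[str, SourcePolicy] = field(default_factory=dict)


def filter_frame(policy: DevicePolicy, src: str, dst: str, frame: bytes) -> Tuple[str, str]:
    """Return ("allow"|"deny", reason) for one request heading to the device."""
    if dst != policy.device:
        return "deny", "not the protected device"
    src_pol = policy.sources.get(src)
    if src_pol is None:
        return "deny", f"{src} is not permitted to talk to {dst}"
    try:
        req = parse_frame(frame)
    except ValueError as exc:
        return "deny", f"malformed frame: {exc}"
    fc = req["fc"]
    if fc not in src_pol.fcs:
        return "deny", f"function code {fc} not allowed from {src}"
    if fc in WRITE_FCS:
        span = address_span(fc, req["data"])
        lo, hi = src_pol.write_range or (0, -1)     # no window -> every write denied
        if span is None or span[0] < lo or span[1] > hi:
            return "deny", f"write to {span} is outside permitted window {(lo, hi)}"
    return "allow", f"function code {fc} from {src}"


# Constructed policy: the HMI may only read; the engineering workstation may
# also write, but only to registers 0..99.  Nobody else gets through.
PLC, HMI, ENG = "10.3.1.50", "10.3.0.10", "10.3.0.11"
PLC_POLICY = DevicePolicy(PLC, {
    HMI: SourcePolicy(fcs=set(READ_FCS)),
    ENG: SourcePolicy(fcs=READ_FCS | WRITE_FCS, write_range=(0, 99)),
})

# Constructed sample requests.
READ_10_REGS = build_frame(1, 1, 3, struct.pack(">HH", 0, 10))
WRITE_REG_10 = build_frame(2, 1, 6, struct.pack(">HH", 10, 1234))
WRITE_REG_5000 = build_frame(3, 1, 6, struct.pack(">HH", 5000, 1))
WRITE_95_TO_104 = build_frame(4, 1, 16, struct.pack(">HHB", 95, 10, 20) + bytes(20))
BAD_PROTO_ID = b"\x00\x05\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a"   # protocol id 1

if __name__ == "__main__":
    for who, frame in [(HMI, READ_10_REGS), (HMI, WRITE_REG_10), (ENG, WRITE_REG_10),
                       (ENG, WRITE_REG_5000), (ENG, WRITE_95_TO_104),
                       ("10.1.5.5", READ_10_REGS), (ENG, BAD_PROTO_ID)]:
        print(who, filter_frame(PLC_POLICY, who, PLC, frame))
```

The point of checking the whole address span for multi-register writes (function code 16) is that a request starting inside the window can still run past its end; a filter that looks only at the start address would pass it. Every decision carries a reason string so that the central management system described above has something meaningful to log.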


Byres Security Inc. and Byres Research
P.O. Box 178
Lantzville BC V0R 2H0

Phone: 250-390-1333
Fax: 250-390-3899
Email: info@Byressecurity.com