My previous article covered part of Scott Howard’s presentation on ICS Security for Oil and Gas applications from this year’s Design Seminar. In that article, we reviewed some of the cyber security fundamentals discussed by Scott.
For example, we examined the fact that most cyber threats are unintentional and originate from within the control network. We also looked at the fact that a perimeter defense is not sufficient and that IT solutions are not appropriate on the plant floor.
Instead, what’s needed is Defense in Depth, that is, multiple layers of defense that work together to prevent network incidents or contain them if they do occur. A key best practice for Defense in Depth is to implement the zone and conduits model as defined in the ISA/IEC 62443 standard. While not a regulation, this standard provides practical guidance that leads to more robust cyber security.
Today, we will take a closer look at zones and conduits and then review how they were implemented in three oil and gas applications.
This year, the Belden Industrial Ethernet Infrastructure Design Seminar is being held in Houston and therefore a number of the sessions are focusing on applications for the oil and gas sector. I had the privilege of attending Scott Howard’s session on cyber security. In it, he reviewed the primary goals of cyber security measures in industrial networks:
- To improve safety
- To reduce downtime
- To increase productivity
In other words, the goals of cyber security are the same as the core goals of most manufacturing teams.
This article reviews the cyber security fundamentals that Scott described and also explains how Belden’s products fit into industrial networking solutions. In Part 2 of this article, I will look at three specific oil and gas applications discussed by Scott and describe a cyber security solution for each scenario.
Offshore platforms are an example of an oil and gas application with high cyber security requirements.
You have likely never worried about the possibility of a high school geek doing some programming that affects your home water quality. Well, neither had I until I learnt that some municipal networks have no security between the network their schools use and the one that runs their water/wastewater facility.
This was the situation in a mid-sized city in the Eastern U.S. In 2012 the Department of Water Resources upgraded their SCADA network to industrial Ethernet. At the time there was little protection or separation of the SCADA network from the city’s IT network. While this provided many benefits it also made the controls network susceptible to malware attacks and traffic storms.
Fortunately, the team involved, particularly the plant electronics technician, recognized the issue and took the initiative to review the situation and look for ways to improve security. What unfolded next is a great example of how multiple industry players, that is, a standards organization, a cyber security services group and a vendor were able to work together to provide a robust solution.
One of the major differences between industrial networks and enterprise networks is that industrial networks are typically managed by engineers or technicians. Now engineers are experts at making good product, designing control loops and so on, but they are not IT security wizards. That’s the reality, and it means that security products that “just work” reliably and safely with automation systems are going to be more effective in actually delivering security than products that don’t.
That’s why Schneider Electric is to be commended for all the measures they are taking to improve cyber security for their customers. This includes conducting a detailed security analysis of all of their major automation products and partnering with us to create the ConneXium Tofino Firewall in 2012. A , which adds the Tofino Enforcer’s Deep Packet Inspection technology for the EtherNet/IP protocol.
Let’s take a look at what this product does and how its ease of use helps improve SCADA security.
Keeping production systems up and running is the primary concern of controls engineers. Nowadays, part of achieving high availability includes protecting networks from accidental events and unforeseen security threats.
In speaking to our customers about this challenge we found out that they would like an all-around device that is easy to use and that can be deployed in the harshest industrial environments. Today I want to introduce you to a handy new tool for meeting these requirements.
Introducing the EAGLE One Industrial Security Router
Our just-announced EAGLE One security router is what we like to call “the Swiss Army knife of routers”. It provides comprehensive industrial network security with a very good price/performance ratio. Plus, it is rugged enough for use in industries such as oil and gas.
One of the indicators that it’s time to update your network design is when troubleshooting issues take too long and have a significant impact on production. That was one of the issues Johnson Controls’ Automotive Experience Group was facing when it decided its “one size fits all” flat network infrastructure had to change.
The flat network design had been controlled by the IT department which initially did not understand how the good practices it used to manage the enterprise network were disrupting the plant floor network.
As the demand for real-time information has increased, more and more IT professionals are becoming involved with manufacturing networks. If you are one of those people, or if you are an engineer who wishes IT understood your operational network requirements, then the Johnson Controls story that follows may be helpful.
If you have been following SCADA news in the last month, you might have noticed an avalanche of reports and blogs on new security vulnerabilities in power industry equipment. So far, vulnerability disclosures for 9 products using the protocol have been released by the , with another 21 SCADA product disclosures . Even the and have picked up this story.
Now, more vulnerabilities in SCADA products is hardly news, so why all the fuss?
Do the DNP3 SCADA Master Vulnerabilities make NERC’s Electronic Security Perimeter a Fairy Castle?
Finding Industrial Security Vulnerabilities in All the Wrong Places
All 25 vulnerabilities have been discovered by just two researchers, Adam Crain and Chris Sistrunk, using an impressive new security test tool that Adam developed under his . The scary part is that Adam’s tool is finding these vulnerabilities in SCADA master stations, rather than just in the RTU and IED slave devices past tools have tested.
Jeff Smith of American Axle & Manufacturing (AAM) is a guru in the world of industrial Ethernet networking and ICS Security. We were fortunate to have him speak again at the 2013 Belden Industrial Ethernet Infrastructure Design Seminar.
In a previous article I outlined the reasons AAM decided to move to Ethernet/IP communications and how they implemented best practices such as standardized segmented network configurations. Today I am going to write about Jeff’s approach to ICS security.
Jeff opened his remarks by saying no one wants to spend money on security. However, he feels that that is the wrong question. What you should be asking is:
“How much do I need to spend to feel comfortable with the risk?”
To answer this he suggested you assess your current security posture and then define the objectives for improving that posture.
Jeff Smith says it’s time for end users and vendors to stop talking about ICS Security like it’s a 10 ton elephant.
Recently there was a thread on SCADASEC news, a restricted access critical infrastructure mailing list, about the challenges of firewalling BACnet networks. If you only work in the industrial automation space, you may not have heard of this protocol, but it is big in building automation. Regardless, the discussion around BACnet applies to many industrial protocols.
The question raised was whether or not BACnet traffic can be managed by a firewall. The problem is that BACnet, like many other automation protocols, doesn’t play by the usual IT rules. In BACnet’s case, it does not use TCP/IP at all, so trying to secure it with a typical IT firewall that looks for TCP port numbers is a lost cause.
BACnet is a non-TCP/IP protocol used in building automation systems that cannot be secured by typical IT firewalls. Image courtesy of Schneider Electric.