ICS Security for Oil and Gas Applications, Part 2 of 2

My previous article covered part of Scott Howard’s presentation on ICS Security for Oil and Gas applications from this year’s Design Seminar. In that article, we reviewed some of the cyber security fundamentals discussed by Scott.

For example, we examined the fact that most cyber threats are unintentional and originate from within the control network. We also looked at the fact that a perimeter defense is not sufficient and that IT solutions are not appropriate on the plant floor.

Instead, what’s needed is Defense in Depth, that is, multiple layers of defense that work together to prevent network incidents or contain them if they do occur. A key best practice for Defense in Depth is to implement the zone and conduits model as defined in the ISA IEC 62443 standard. While not a regulation, this standard provides practical guidance that leads to more robust cyber security.

Today, we will take a closer look at zones and conduits and then review how they can be implemented in three oil and gas applications.


ICS Security for Oil and Gas Applications, Part 1 of 2

This year, the Belden Industrial Ethernet Infrastructure Design Seminar is being held in Houston and therefore a number of the sessions are focusing on applications for the oil and gas sector. I had the privilege of attending Scott Howard’s session on cyber security. In it, he reviewed the primary goals of cyber security measures in industrial networks:

  • To improve safety
  • To reduce downtime
  • To increase productivity

In other words, the goals of cyber security are the same as the core goals of most manufacturing teams.

This article reviews the cyber security fundamentals that Scott described and also explains how Belden’s products fit into industrial networking solutions. In Part 2 of this article, I will look at three specific oil and gas applications discussed by Scott and describe a cyber security solution for each scenario.

Offshore platforms are an example of an oil and gas application with high cyber security requirements.


PLC Security for Water / Wastewater Systems

You have likely never worried about the possibility of a high school geek doing some programming that affects your home water quality. Well, neither had I until I learnt that some municipal networks have no security between the network their schools use and the one that runs their water/wastewater facility.

This was the situation in a mid-sized city in the Eastern U.S. In 2012 the Department of Water Resources upgraded their SCADA network to industrial Ethernet. At the time there was little protection or separation of the SCADA network from the city’s IT network. While this provided many benefits it also made the controls network susceptible to malware attacks and traffic storms.

Fortunately, the team involved, particularly the plant electronics technician, recognized the issue and took the initiative to review the situation and look for ways to improve security. What unfolded next is a great example of how multiple industry players, that is, a standards organization, a cyber security services group and a vendor were able to work together to provide a robust solution.


Improving Industrial Cyber Security with the Schneider ConneXium Tofino Firewall

One of the major differences between industrial networks and enterprise networks is that industrial networks are typically managed by engineers or technicians. Now engineers are experts at making good product, designing control loops and so on, but they are not IT security wizards. That’s the reality, and it means that security products that “just work” reliably and safely with automation systems are going to be more effective in actually delivering security than products that don’t.

That’s why Schneider Electric is to be commended for all the measures they are taking to improve cyber security for their customers. This includes conducting a detailed security analysis of all of their major automation products and partnering with us to create the ConneXium Tofino Firewall in 2012. A new version of this product has just been released, which adds the Tofino Enforcer’s Deep Packet Inspection technology for the EtherNet/IP protocol.

Let’s take a look at what this product does and how its ease of use helps improve SCADA security.


Versatile New Industrial Security Router Improves Reliability

Keeping production systems up and running is the primary concern of controls engineers. Nowadays, part of achieving high availability includes protecting networks from accidental events and unforeseen security threats.

In speaking to our customers about this challenge we found out that they would like an all-around device that is easy to use and that can be deployed in the harshest industrial environments. Today I want to introduce you to a handy new tool for meeting these requirements.

Introducing the EAGLE One Industrial Security Router

Our just-announced EAGLE One security router is what we like to call “the Swiss Army knife of routers”. It provides comprehensive industrial network security with a very good price/performance ratio. Plus, it is rugged enough for use in industries such as oil and gas.


Manufacturing IT: Separate the Industrial Network from the IT Network

One of the indicators that it’s time to update your network design is when troubleshooting issues take too long and have a significant impact on production. That was one of the issues Johnson Controls’ Automotive Experience Group was facing when it decided its “one size fits all” flat network infrastructure had to change.

The flat network design had been controlled by the IT department, which initially did not understand how the good practices it used to manage the enterprise network were disrupting the plant floor network.

As the demand for real-time information has increased, more and more IT professionals are becoming involved with manufacturing networks. If you are one of those people, or if you are an engineer who wishes IT understood your operational network requirements, then the Johnson Controls story that follows may be helpful.

New SCADA Security Flaws Part 2: DPI Firewalls an Important Part of the Solution

In last week’s Practical SCADA Security blog, I discussed how the new vulnerabilities discovered in DNP3 SCADA masters are carving big holes in the NERC’s concept of the Electronic Security Perimeter (ESP). Dale Peterson started the ball rolling in his blog “Why the Crain/Sistrunk Vulnerabilities are a Big Deal”. Then Darren Highfill posted a blog explaining that the vulnerabilities don’t even require the attacker to climb a fence.

DNP3 serial links connect millions of physically insecure pad and pole-mounted devices. Accessing just one of those devices opens the door to a system-wide attack. Since there is no way that every one of these devices can be inside the perimeter, the concept of NERC’s ESP is fatally flawed.


Is this a potential backdoor into the power grid? 
 


New SCADA Flaws Part 1: Forget NERC’s Electronic Security Perimeter

If you have been following SCADA news in the last month, you might have noticed an avalanche of reports and blogs on new security vulnerabilities in power industry equipment. So far, vulnerability disclosures for 9 products using the DNP3 protocol have been released by the ICS-CERT, with another 21 SCADA product disclosures reportedly on their way. Even the New York Times and Wired Magazine have picked up this story.

Now, more vulnerabilities in SCADA products is hardly news, so why all the fuss?


Do the DNP3 SCADA Master Vulnerabilities make NERC’s Electronic Security Perimeter a Fairy Castle?

Finding Industrial Security Vulnerabilities in All the Wrong Places

All 25 vulnerabilities have been discovered by just two researchers, Adam Crain and Chris Sistrunk, using an impressive new security test tool that Adam developed under his AEGIS Project. The scary part is that Adam’s tool is finding these vulnerabilities in SCADA master stations, rather than just in the RTU and IED slave devices past tools have tested.


ICS Security: Deep Thoughts by Jeff Smith

Jeff Smith of American Axle & Manufacturing (AAM) is a guru in the world of industrial Ethernet networking and ICS Security. We were fortunate to have him speak again at the 2013 Belden Industrial Ethernet Infrastructure Design Seminar.

In a previous article I outlined the reasons AAM decided to move to Ethernet/IP communications and how they implemented best practices such as standardized segmented network configurations. Today I am going to write about Jeff’s approach to ICS security.

Jeff opened his remarks by saying no one wants to spend money on security. However, he feels that that is the wrong question. What you should be asking is:

“How much do I need to spend to feel comfortable with the risk?”

To answer this he suggested you assess your current security posture and then define the objectives for improving that posture.

 
 
Jeff Smith says it’s time for end users and vendors to stop talking about ICS Security like it’s a 10 ton elephant.

 


Industrial Security Solutions Designed for Controls Engineers

Recently there was a thread on SCADASEC news, a restricted access critical infrastructure mailing list, about the challenges of firewalling BACnet networks. If you only work in the industrial automation space, you may not have heard of this protocol, but it is big in building automation. Regardless, the discussion around BACnet applies to many industrial protocols.

The question raised was whether or not BACnet traffic can be managed by a firewall. The problem is that BACnet, like many other automation protocols, doesn’t play by the usual IT rules. In BACnet’s case, it does not use TCP/IP at all, so trying to secure it with a typical IT firewall that looks for TCP port numbers is a lost cause.


BACnet is a non-TCP/IP protocol used in building automation systems that cannot be secured by typical IT firewalls. Image courtesy of Schneider Electric.
 
