Professional Documents
Culture Documents
Philip Nunn
Product Line Manager - Industrial Networks
Agenda
Section 1: The current scenario
Section 2: The four myths of network security
Section 3: How control system security differs from
IT security
Section 4: Firewall Technology
Section 5: The Bastion Model
Section 6: Defence in Depth network security
Section 7: Where and what to protect
The Current
Scenario
A few incidents
Water Industry
Salt River Project SCADA Hack
Maroochy Shire Sewage Spill
Trojan/Keylogger on Ontario SCADA System
Viruses Found on Aussie SCADA Laptops
Audit/Blaster Causes Water SCADA Crash
DoS attack on water system via Korean
telecom
Penetration of California irrigation district
wastewater treatment plant SCADA
Chemical Industry
IP Address Change Shuts Down Chemical Plant
Modem
Nachi Worm on Advanced Process Control
Servers
PLC
Sasser Causes Loss of View in Chemical Plant
Infected New HMI Infects Chemical Plant DCS
Blaster Worm Infects Chemical Plant
Copyright MTL / BSI
Petroleum Industry
Anti-Virus Software Prevents Boiler Safety
Shutdown
Slammer Infected Laptop Shuts Down DCS
Electronic Sabotage of Gas Processing Plant
Slammer Impacts Offshore Platforms
Code Red Worm Defaces Automation Web
Pages
Penetration Test Locks-Up Gas SCADA System
Contractor Laptop Infects Control System
Power Industry
Slammer Infects Control Central LAN via VPN
Slammer Causes Loss of Comms to
Substations
Slammer Infects Ohio Nuclear Plant SPDS
Utility SCADA System Attacked
Virus Attacks a European Utility
Power Plant Security Details Leaked on
Internet
Four Myths of
Industrial Network
Security
Myth 1 Nothing
much has changed
Reported Incidents
1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005
Malware growth
Incident Drivers
Before 2001
After 2001
Inappropriate employee
activity
Virus/Trojan/Worm
Frequency
Denial of Service
Accidental events
Audit or Other
5%
External
27%
Accidental
32%
A ccidental
58%
External
61%
Internal
15%
Copyright MTL / BSI
Internal
2%
Possibilities of Shift
12
Incident Types
DoS
6%
System
Penetration
13%
Sabotage
13%
Appears to match IT
trends
Malware
68%
% of Incident Types
2002 to Sept. 2005
13
Malware
68%
Other
8% Sabotage
4%
Accidental
79%
Accidental
12%
Hacker
8%
Sabotage
21%
15
Myth 3 We
dont connect to
the Internet
16
External entry
Local
27%
Remote
56%
Physical
2%
Other or None
15%
17
Myth 4 Hackers
dont understand
SCADA
18
19
TOORCON 7
20
Misapplication of IT Security
Assumptions
There are important differences between
Information Technology (IT) networks and
Industrial Automation and Control Systems
(IACS) networks
Problems occur because assumptions that are
valid in the IT world may not be on the plant floor
22
Then we patch
23
25
Solutions
DONT throw out all IT security technologies and
practices and start from scratch
DONT ignore the whole cyber security problem
and hope it goes away
26
Firewall Technology
Types of Firewalls and how they work
Challenges of Traditional IT Firewalls
Firewall Rule Basics
27
Types of Firewalls
Three general classes of Firewall:
Packet Filter
Stateful Inspection
Application Proxy
28
Firewall Policy
Access Control Lists (rules) typically permit or
deny data packets based on:
Firewall Rules
201 permit
201 permit
202 permit
202 permit
deny
tcp
tcp
tcp
tcp
Linux IP Tables
$IPT -A PCN_DMZ -p tcp --dport ! $DH_PORT -j LOG_PCN_DMZ
31
32
33
Internet
Office LAN
Mis-Configured
Firewalls
Infected
Laptops
Unauthorized
Connections
Modems
Plant Network
HIS
USB
Control LAN
FCS
RS-232 Links
34
External
PLC Networks
Defence In Depth
Network Security
36
Defence-in-Depth Strategy
By Defence-in-depth strategy, we mean the
protection measures composed of more than one
security control to protect the property.
By the use of this kind of multi-layer measures,
another layer will protect the property even if one
layer is destroyed, so the property is protected
more firmly.
Yokogawa Security Standard of System
TI 33Y01B30-01E
37
Patches
Personal Firewalls (like ZoneAlarm)
Anti-Virus Software
Encryption (VPN Client or PGP)
38
39
Internet
Attacks
Internet
Infected
Business PC
Internet
Firewall
Layer 5 Defence
(Enterprise)
Business Network
DMZ
Business/Control
System Firewall
Distributed
FW
Infected HMI
Cluster of
PLCs
Distributed
FW
SCADA RTU
DCS Controllers
40
41
42
Zero-configuration in field
Attach the firewall to the DIN Rail
Attach instrument power
Plug in network cables
Walk away
43
MODBUS/TCP
Ethernet/IP
Profinet
DNP3
DeltaV
IEC MMS
GE SRTP
Plantscape
Etc
45
46
47
Office LAN
Plant Network
HIS
Control LAN
External
PLC Networks
FC
S
48
RS-232
Links
Office LAN
Plant Network
Control LAN
FCS
49
50
51
Wireless
Access
Point
Office LAN
Plant Network
Control LAN
53
Plant Network
54
Office LAN
NT4
Based
Server
Plant Network
Control LAN
55
Plant Network
MODBUS/TCP LSM
only allows MODBUS
Read commands
HIS
Control LAN
Safety System
FCS
56
Office LAN
Plant Network
HIS
Off-Site
PLC Networks
Control LAN
FCS
Insecure
Network
57
MTL Tofino
Name
Tofino Security Solution
Purpose
CMP, LSMs and Hardware
Secures process & automation control
networks
Protects control devices from malicious or
accidental security issues
Helps achieve NERC CIP / ISA 99
compliance
Certification
Hazardous:
ATEX Zone 2
Class I Div 2
Security:
Protocol:
59