New Bulgarian University

Department of Informatics

Bachelor Program of Network Technologies

Bachelor Thesis

on topic

Security and Safety Technologies in Industrial Networks

Written by: Angel Uzunov

Faculty Number: F28145

Chief Supervisor: Doc.Dr. Emil Stoilov

Second Supervisor:

NBU, November 2008

Acknowledgements

I would like to thank all the people who have supported me during the development of my bachelor thesis.

I would like to especially thank my supervisors: Doc.Dr. Emil Stoilov from New Bulgarian University, Deyan Shkodrov, CEO of IT Specialists, London, UK, George Shkodrov, Brand Manager at IT Specialists, London, UK, and many others, for their valuable advice and constant willingness to help throughout the whole development process.

I am also very thankful to my family for their spiritual and financial support throughout the whole educational process.

Last but not least, I would like to thank my friends and colleagues for their patience and for understanding the importance of this work for me.

Copyrights

Any publishing, usage, modification, distribution or redistribution of the written material is allowed only with the agreement of the author.

The chief and the secondary supervisors are granted the full right of usage and examination of the bachelor thesis.

TABLE OF CONTENTS

I. Introduction
  1. What Are Industrial Networks? 6-7
  2. What Is Industrial Networks Security? 6-7
  3. Purpose and Scope 7
II. Overview of Industrial Control Systems
  1. Industrial Control Systems Operation 8-9
  2. Key Industrial Control Systems Components 9
    3.1 Control Components 10
    3.2 Network Components 11
  3. SCADA Systems 12
  4. Distributed Control Systems 13
  5. Programmable Logic Controllers 14
III. Industrial Control Systems Characteristics. Threats and Vulnerabilities
  1. Threats 15
  2. Potential ICS Vulnerabilities 16
    2.1 Platform Vulnerabilities 18
    2.2 Network Vulnerabilities 22
  3. Risk Factors 25
    3.1 Standardized Protocols and Technologies 25
    3.2 Increased Connectivity 25
    3.3 Insecure and Rogue Connections 26
  4. Possible Incident Scenarios 27
  5. Sources of Incidents 27
  6. Documented Incidents 29
IV. Industrial Control Systems Security Program Development and Deployment
  1. Business Case for Security 32
    1.1 Benefits 32
    1.2 Potential Consequences 33
    1.3 Key Components of the Business Case 33
  2. Developing a Comprehensive Security Program 34
V. Industrial Network Architecture
  1. Firewalls 37
  2. Logically Separated Control Network 38
  3. Network Segregation 39
    3.1 Dual-Homed Computer/Dual Network Interface Cards (NIC)
    3.2 Firewall between Corporate Network and Control Network
    3.3 Firewall and Router between Corporate and Control Networks
    3.4 Firewall with DMZ between Corporate and Control Networks
    3.5 Paired Firewalls between Corporate and Control Networks
    3.6 Network Segregation Summary
  4. Recommended Defense-in-Depth Architecture 45
  5. General Firewall Policies for ICS 45
  6. Recommended Firewall Rules for Specific Services 47
    6.1 Domain Name System (DNS) 47
    6.2 Hyper Text Transfer Protocol (HTTP) 47
    6.3 FTP and Trivial File Transfer Protocol (TFTP) 47
    6.4 Telnet 48
    6.5 Simple Mail Transfer Protocol (SMTP) 48
    6.6 Simple Network Management Protocol (SNMP) 48
    6.7 Distributed Component Object Model (DCOM) 48
    6.8 SCADA and Industrial Protocols 49
  7. Specific ICS Firewall Issues 49
    8.1 Data Historians 49
    8.2 Remote Support Access 50
  8. Single Points of Failure 50
  9. Redundancy and Fault Tolerance 50
  10. Preventing Man-in-the-Middle Attacks 51
VI. Industrial Control Systems Security Controls
  1. Management Controls 52
    1.1 Risk Assessment 52
    1.2 Planning 53
    1.3 System and Service Acquisition 53
    1.4 Certification, Accreditation, and Security Assessments 54
  2. Operational Controls 54
    2.1 Personnel Security 54
    2.2 Physical and Environment Protection 54
    2.3 Configuration Management 54
    2.4 Maintenance 55
    2.5 System and Information Integrity 55
    2.6 Media Protection 55
    2.7 Incident Response 55
    2.8 Awareness and Training 55
  3. Technical Controls 55
    3.1 Identification and Authentication 55
    3.2 Access Control 55
    3.3 System and Communication Protection 55
Conclusion 56
List of Appendices 57
List of Figures 58
List of Tables 59
References 60

I. Introduction

What is industrial network security? To answer this question, we first have to analyze and define the concept of “industrial networks”. So, what are industrial networks? Industrial networks are the instrumentation, control and automation networks that exist within three industrial domains:

  1. Chemical Processing – the industrial networks in this domain are control systems that operate equipment in refineries, chemical plants, and other industries that involve chemical processing.
  2. Utilities – these industrial networks serve distribution systems spread out over large geographic areas that provide essential services, such as water, wastewater, electric power and natural gas, to the public and to industry. Utility grids are usually monitored, managed and controlled by Supervisory Control and Data Acquisition (SCADA) systems.
  3. Discrete Manufacturing – industrial networks serve plants that fabricate discrete objects, ranging from autos to zippers.

Because industrial networks span such a wide range and serve both the public and industrial sectors, an industrial network security concept must be applied to reduce the risk of future security breaches, which can cause damage to control systems or leak data to dangerous terrorist organizations, among other consequences. The financial loss that follows such security breaches is obvious.

When we speak of industrial network security, we are referring to the rapidly expanding field concerned with how to keep industrial networks secure and, by implication, how to keep the people, processes and equipment that depend on them secure. Secure means free from harm or potential harm, whether that is physical or cyber damage to the industrial network components themselves, or the resulting disruption or damage to things that depend on the correct functioning of industrial networks to meet production, quality and safety criteria.

Damage to industrial networks and to the related people, processes or equipment might occur through the following:

  1. Malicious Acts – deliberate acts to disrupt services or to cause incorrect functioning of the industrial networks. These might range from a “denial-of-service” attack against a Human Machine Interface (HMI) server to the deliberate downloading of a modified ladder logic program to a PLC.
  2. Accidental Events – these may be anything from a “fat-fingered” employee hitting the wrong key and crashing a server to a power line surge, either of which may cause disruption or damage to an industrial network.

In 1996, Bill Clinton, then President of the USA, issued PDD63 (Presidential Decision Directive 63) on Critical Infrastructure Protection, declaring that the United States had critical infrastructure that is vital to the functioning of the nation and must be protected. PDD63 identified eight critical infrastructure sectors, including:

  • Gas and Oil Storage
  • Water Supply Systems
  • Electrical Energy

Along with these three were government operations, banking and finance, transportation, telecommunications, and emergency services.

In February 2003, George W. Bush, President of the USA, released The National Strategy to Secure Cyberspace. In it, some additional critical sectors were listed, including:

  • Chemical Industry
  • Defense Industrial Base
  • Food Production

All these industrial sectors operate with the help of industrial networks, so security concepts and assessments must be deployed to protect those facilities.

Securing industrial networks in those three domains of interest is a prerequisite for securing critical infrastructure at the national or international level, and this is true for all industrialized nations. In fact, the more automated and computer-dependent a nation’s critical infrastructure is, the more it must depend on developing and applying industrial network security to ensure its functioning in the new age of worldwide terrorism.

Purpose and Scope

The purpose and scope of this document is to examine safety and security issues in industrial networks, including threats, vulnerabilities of some segments, SCADA systems, Distributed Control Systems (DCS) and other systems performing control functions. I will try to examine the development and deployment program for Industrial Control Systems security, the network architecture and Industrial Control Systems security controls. This document includes some examples of attacks on industrial networks; these are real, and all the information is authentic. The ICS described in this document are typical for the electric, water, oil and gas, chemical, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing (automotive, aerospace etc.) industries.

II. Overview of Industrial Control Systems

Industrial Control Systems Operations

Industrial Control Systems (ICS) is a general term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other smaller control system configurations such as skid-mounted Programmable Logic Controllers (PLC), often found in the industrial sectors and critical infrastructures. As noted above, ICS are typically used in industries such as electrical, water, oil and gas, chemical, transportation, pharmaceutical, pulp and paper, food and beverage, automotive and aerospace. These control systems are critical for the operation of the U.S. (and other industrial countries’) critical infrastructures, which are often highly interconnected and mutually dependent systems. It is important to note that approximately 90 percent of the nation’s critical infrastructures are privately owned and operated. This is not good for the reliability of the services, because we have often witnessed operators trying to save capital (we are talking about millions) instead of developing and deploying good industrial control and network security.

The basic operation of an ICS is as follows:

  • Control Loop – a control loop consists of sensors for measurement, controller hardware such as PLCs, actuators such as control valves, breakers, switches and motors, and the communication of variables. Controlled variables are transmitted to the controller from the sensors. The controller interprets the signals and generates corresponding manipulated variables, based on set points, which it transmits to the actuators. Process changes from disturbances result in new sensor signals, identifying the state of the process, which are again transmitted to the controller.
  • Human Machine Interface (HMI) – operators and engineers use the HMI to configure set points and control algorithms, and to adjust and establish parameters in the controller. The HMI also displays process status information and historical information.
  • Remote Diagnostics and Maintenance Utilities – diagnostics and maintenance utilities are used to prevent, identify and recover from failures.

A typical ICS contains a proliferation of control loops, HMIs, and remote diagnostics and maintenance tools built using an array of network protocols on layered network architectures. Sometimes these control loops are nested and/or cascading, whereby the set point for one loop is based on the process variable determined by another loop. Supervisory-level loops and lower-level loops operate continuously over the duration of a process, with cycle times ranging on the order of milliseconds to minutes.
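To make the cascade concrete, here is an added simulation (not from the thesis) in which an outer level loop computes the set point that an inner flow loop tracks, and a demand disturbance shows the sensors feeding the changed process state back into the loops each cycle; the plant model, gains, set point and disturbance values are constructed assumptions:

```python
"""Added illustration (not from the thesis): a cascaded control loop in which
the outer level controller's output is the set point of the inner flow
controller, which drives the valve actuator. The plant model, gains and the
demand disturbance are constructed for the example."""
from dataclasses import dataclass

LEVEL_SETPOINT = 50.0            # operator-entered set point of the outer loop
OUTER_KP, OUTER_KI = 0.2, 0.01   # outer (level) loop: PI controller gains
INNER_K = 0.5                    # inner (flow) loop: integral action gain
VALVE_MAX = 10.0                 # actuator limit: maximum flow the valve passes

@dataclass
class CascadeState:
    level: float               # outer-loop process variable (tank level, %)
    flow: float                # inner-loop process variable (inlet flow)
    valve: float               # manipulated variable sent to the actuator
    integral: float = 0.0      # accumulated outer-loop error
    flow_setpoint: float = 0.0 # produced by the outer loop, consumed by the inner

def outer_loop(s: CascadeState) -> float:
    """Level controller: its output becomes the inner loop's set point (cascade)."""
    error = LEVEL_SETPOINT - s.level
    s.integral += OUTER_KI * error
    s.flow_setpoint = OUTER_KP * error + s.integral
    return s.flow_setpoint

def inner_loop(s: CascadeState) -> float:
    """Flow controller: moves the valve toward the flow set point within actuator limits."""
    s.valve += INNER_K * (s.flow_setpoint - s.flow)
    s.valve = max(0.0, min(VALVE_MAX, s.valve))
    return s.valve

def plant(s: CascadeState, demand: float) -> None:
    """Constructed process: flow follows the valve; level integrates inflow minus demand."""
    s.flow = s.valve
    s.level += s.flow - demand

def run_cascade(steps: int = 400, disturbance_at: int = 200) -> CascadeState:
    """Run the loops for `steps` cycles; demand rises at `disturbance_at` (the disturbance)."""
    s = CascadeState(level=30.0, flow=2.0, valve=2.0)
    for t in range(steps):
        demand = 2.0 if t < disturbance_at else 3.0   # process change seen by the sensors
        outer_loop(s)      # supervisory loop computes the inner set point
        inner_loop(s)      # lower-level loop acts on the valve
        plant(s, demand)   # process responds; sensors report the new state next cycle
    return s
```

With these gains the level settles at the set point and the inner loop's set point settles at the new demand, so both loops recover from the disturbance without any change to the operator's level set point.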

Figure 1. ICS Operation

Key ICS Components

This section defines key ICS components that are used in control and networking. Some of these components can be described generically for use in SCADA systems, DCS and PLC, while others are unique to one.

Control Components

The following is a list of the major control components of an ICS:

  • Control Server – the control server hosts the DCS or PLC supervisory control software that is designed to communicate with lower-level control devices. The control server accesses subordinate control modules over an ICS network.
  • SCADA Server or Master Terminal Unit (MTU) – the SCADA server is the device that acts as the master in a SCADA system. Remote terminal units and PLC devices located at remote field sites usually act as slaves.
  • Remote Terminal Unit (RTU) – an RTU is a special-purpose data acquisition and control unit designed to support SCADA remote stations. RTUs are field devices often equipped with wireless radio interfaces to support remote situations where wire-based communication is unavailable.
  • Programmable Logic Controller (PLC) – a PLC is a small industrial computer originally designed to perform the logic functions executed by electrical hardware. PLCs have evolved into controllers with the capability of controlling complex processes, and they are used substantially in SCADA systems and DCS.
  • Intelligent Electronic Device (IED) – an IED is a smart sensor containing the intelligence required to acquire data, communicate with other devices, and perform local processing and control. The use of IEDs in SCADA and DCS allows for automatic control at the local level.
  • Human Machine Interface (HMI) – the HMI is the software and hardware that allows human operators to monitor the state of a process under control, modify control settings to change the control objective, and manually override automatic control operations in the event of an emergency.
  • Data Historian – the data historian is a centralized database for logging all process information within an ICS. Information stored in this database can be accessed to support various analyses, from statistical process control to enterprise-level planning.
  • Input/Output (IO) Server – the IO server is a control component responsible for collecting, buffering and providing access to process information from control sub-components such as PLCs, RTUs and IEDs. An IO server can reside on the control server or on a separate computer platform. IO servers are also used for interfacing third-party control components, such as an HMI and a control server.

Network Components

There are different network characteristics for each layer within a control system hierarchy. Network topologies across different ICS implementations vary, with modern systems using Internet-based IT and enterprise integration strategies. Control networks have merged with corporate networks to allow engineers to monitor and control systems from outside of the control system network. The connection may also allow enterprise-level decision-makers to obtain access to process data. The following is a list of the major components of an ICS network:

  • Fieldbus Network – this network links sensors and other devices to a PLC or other controller. Use of this technology eliminates the need for point-to-point wiring between the controller and each device. The sensors communicate with the fieldbus controller using a specific protocol.
  • Control Network – the control network connects the supervisory control level to lower-level control modules.
  • Communication Routers – these devices are used to transfer messages and data between two networks. Common uses for routers include connecting a LAN to a WAN, and connecting an MTU and RTUs to a long-distance network medium for SCADA communication.
  • Firewall – a firewall protects network devices by monitoring and controlling communication packets using predefined filtering policies. Firewalls are also useful in managing ICS network segregation strategies.
  • Modems – a modem is a device used to convert between serial digital data and a signal suitable for transmission over a telephone line, to allow devices to communicate. Modems are often used in SCADA systems to enable long-distance serial communications between an MTU and remote field devices. They are also used for gaining remote access for operational functions such as entering commands or modifying parameters.
  • Remote Access Points – these are distinct devices, areas and locations of a control network for remotely configuring control systems and accessing process data. Examples include using a PDA to access data over a LAN through a wireless access point, and using a laptop and modem connection to remotely access an ICS.

SCADA Systems

SCADA systems are used to control dispersed assets where centralized data acquisition is as important as control. These systems are used in distribution systems such as water distribution and wastewater collection systems, oil and gas pipelines, electrical utility transmission and distribution systems, and rail and other public transport systems. SCADA systems integrate data acquisition systems with data transmission systems and HMI software to provide a centralized monitoring and control system for numerous process inputs and outputs. SCADA systems are designed to collect field information, transfer it to a central computer facility, and display the information to the operator graphically or textually, thereby allowing the operator to monitor or control an entire system from a central location in real time. Based on the sophistication and setup of the individual system, control of any individual system, operation, or task can be automatic, or it can be performed by operator commands.

SCADA systems consist of both hardware and software. Typical hardware includes an MTU placed at a control center, communications equipment (radio, telephone line, cable or satellite), and one or more geographically distributed field sites consisting of either an RTU or a PLC, which controls actuators and/or monitors sensors. The MTU stores and processes the information from RTU inputs and outputs, while the RTU or PLC controls the local process. The communications hardware allows the transfer of information and data back and forth between the MTU and the RTU or PLC. The software is programmed to tell the system what and when to monitor, what parameter ranges are acceptable, and what response to initiate when parameters go outside acceptable values. An IED, such as a protective relay, may communicate directly with the SCADA master station, or a local RTU may poll the IED to collect the data and pass it to the SCADA master station. IEDs provide a direct interface to control and monitor equipment and sensors. IEDs may be directly polled and controlled by the SCADA master station and in most cases have local programming that allows them to act without direct instructions from the SCADA control center. SCADA systems are usually designed to be fault-tolerant systems with significant redundancy built into the system architecture.

This particular SCADA system consists of a primary control center and three field sites. A second, backup control center provides redundancy in the event of a primary control center malfunction. Point-to-point connections are used for all control center to field site communications, with two connections using radio telemetry. The third field site is local to the control center and uses wide area network (WAN) technology for communication. A regional control center sits above the primary control center for a higher level of supervisory control. The corporate network has access to all control centers through the WAN, and field sites can be accessed remotely for troubleshooting and maintenance operations. The primary control center polls field devices for data at defined intervals (5 seconds, 60 seconds etc.) and can send new set points to a field device as required. In addition to polling and issuing high-level commands, the SCADA server also watches for priority interrupts coming from field site alarm systems.
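As an added illustration (not part of the thesis), the following simplified SCADA master scheduler models the behaviour just described: polling field sites at their own intervals, checking returned values against the acceptable parameter ranges, servicing field-site alarm interrupts ahead of routine polls, and validating a new set point before it is sent; site names, tags, intervals and values are constructed:

```python
"""Added illustration (not from the thesis): a simplified SCADA master (MTU)
scheduler that polls field sites at their intervals, checks returned values
against acceptable ranges, services priority alarms before routine polling,
and validates new set points. Site names, tags and values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
# Acceptable operating range per tag; values outside it need a response.
RANGES: Dict[str, Tuple[float, float]] = {
    "tank_level_pct": (10.0, 90.0),
    "line_pressure_bar": (2.0, 8.0),
}

@dataclass
class FieldSite:
    name: str
    poll_interval: int                      # seconds between scheduled polls
    readings: Dict[str, float]              # latest values the RTU/PLC returns
    setpoints: Dict[str, float] = field(default_factory=dict)
    pending_alarms: List[str] = field(default_factory=list)  # priority interrupts
    next_poll: int = 0

def check_ranges(site: FieldSite) -> List[str]:
    """Flag every polled value that falls outside its acceptable range."""
    events = []
    for tag, value in site.readings.items():
        low, high = RANGES[tag]
        if not low <= value <= high:
            events.append(f"OUT-OF-RANGE {site.name} {tag}={value} not in [{low}, {high}]")
    return events

def send_setpoint(site: FieldSite, tag: str, value: float) -> bool:
    """Write a new set point only if it lies within the tag's acceptable range."""
    low, high = RANGES[tag]
    if not low <= value <= high:
        return False
    site.setpoints[tag] = value
    return True

def mtu_cycle(sites: List[FieldSite], now: int) -> List[str]:
    """One scheduler tick: service alarms first, then sites whose interval elapsed."""
    log: List[str] = []
    for site in sites:
        while site.pending_alarms:
            log.append(f"ALARM {site.name}: {site.pending_alarms.pop(0)}")
    for site in sites:
        if now >= site.next_poll:
            log.append(f"POLL {site.name} t={now}")
            log.extend(check_ranges(site))
            site.next_poll = now + site.poll_interval
    return log

def run_master(sites: List[FieldSite], seconds: int) -> List[str]:
    """Run the scheduler for a number of simulated seconds; return the event log."""
    return [line for t in range(seconds) for line in mtu_cycle(sites, t)]

def demo_sites() -> List[FieldSite]:
    """Constructed sample: two sites with different intervals, one reading out of range."""
    return [FieldSite("pump_station_1", 5, {"tank_level_pct": 55.0}),
            FieldSite("valve_site_2", 60, {"line_pressure_bar": 9.5})]
```

Running `run_master(demo_sites(), 10)` shows the 5-second site polled twice and the 60-second site once, with its out-of-range pressure flagged on the first poll.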