Standards for SCADA security

One of the fundamentals of industrial cyber security is defense in depth, which should be the core of any security program.

05/31/2012


ISS SourceEditor’s Note: This is an excerpt from Eric Byres’ Practical SCADA Security blog at Tofino Security.

One of the fundamentals of industrial cyber security is defense in depth, which should be the core of any security program.

However, there is another foundation concept, which goes hand-in-hand with defense in depth, and that is using ANSI/ISA99 Standards to improve control system security.

There are two opposing trends having an impact on control network design today:

  1. Greater “interconnectedness” of control systems with enterprise systems as organizations seek increased business productivity and as they increase the use of Ethernet-TCP/IP technology.
  2. Isolating control networks as an attempt to block advanced malware threats such as Stuxnet.

How does a controls engineer deal with the conflicting requirements of more integration and more isolation? My advice is to accept and plan for high integration with business systems, and to dismiss the idea of isolated control systems.

I don’t believe isolation really exists today, except, perhaps, if you are a highly defended nuclear facility. Rather, what Stuxnet showed us is there are multiple pathways to the control system, and they don’t require a connection to the Internet.

If isolation is not an effective security measure, then how can you protect your control system? One way you can make significant improvements in your facility’s cyber security posture is to improve network segmentation. Many control networks have remained “flat,” even though more and more devices have been connected to them. Flat networks mean a cyber intrusion or network incident that originates in one part of the network can quickly spread to other areas.

The “zone and conduit” model included in the ANSI/ISA99 security standards provides a framework for network segmentation.

Zones and conduits

ANSI/ISA99 Standards introduce the concept of of “zones” and “conduits” as a way to segment and isolate the various sub-systems in a control system.

A zone is a grouping of logical or physical assets that share common security requirements based on factors such as criticality and consequence.

Equipment in a zone has a security level capability. If the capability level is not equal to or higher than the requirement level, then extra security measures, such as implementing additional technology or policies, must be taken.

Any communications between zones must be via a defined conduit.

Conduits control access to zones, resist Denial of Service (DoS) attacks or the transfer of malware, shield other network systems and protect the integrity and confidentiality of network traffic.

Typically, the controls on a conduit mitigate the difference between a zone’s security level capability and its security requirements. Focusing on conduit mitigations is typically far more cost effective than having to upgrade every device or computer in a zone to meet a requirement.

Defining security zones

Zone and conduit design starts with the facility or operation being analyzed to identify groups of devices that have common functionality and common security requirements. These groups are the zones that require protection.

For example, a facility might first be divided into operational areas, such as materials storage, processing, finishing, etc. Then within these areas it could be further divided into functional layers, such as Manufacturing Execution Systems (MES), Supervisory Systems (i.e. operator HMIs), primary control systems (e.g. DCS Controllers, RTUs and PLCs) and safety systems.

Each zone is defined with not only its boundaries, assets and risk analysis, but also its security capabilities. In other words, the security capability of a zone full of Windows 2008 servers is very different than that of a zone of Windows NT servers or a zone with PLCs. This security capability, along with the security risk faced by the zone, drives the security function requirements for conduits that connect the zone to other zones.

Defining security conduits

The next step is to discover the pathways in the system through which data is passed between these zones; these are the network “conduits.”

Each conduit should be defined in terms of the zones it connects, the technologies it utilizes, the protocols it transports and any security features it needs to offer its connected zones.

Typically, determining the information transfer requirements between zones over the network is straight forward. Tools like traffic flow analyzers or even simple protocol analyzers can show which systems are exchanging data and the services they are using.

It is also wise to look beyond the network, to determine the hidden traffic flows. For example, are files ever moved via USB drive between the lab and the primary control systems? Do people remotely connect to the RTUs using a dialup modem? These flows are easy to miss, but can result in serious security issues if not managed carefully.

Securing Conduits

Once the conduits and their security requirements are defined, the final phase is to implement the appropriate security technologies. There are two popular options for this stage:

  1. Industrial Firewalls
    • These devices control and monitor traffic to and from a zone.
    • They compare the traffic passing through to a predefined security policy, discarding messages that do not meet the policy’s requirements.
    • They are typically configured to pass only the minimum traffic that is required for correct system operation, blocking all other unnecessary traffic.
    • They filter out high risk traffic, such as programming commands or malformed messages that might be used by hackers to exploit a security hole in a product.
    • They are designed to be very engineer-friendly and are capable of detailed inspection of SCADA protocols such as DNP3, Ethernet/IP and Modbus/TCP.

  2. VPNs (Virtual Private Networks)
    • These are networks layered onto a more general network using encryption technology to ensure “private” transmission of data and commands.
    • VPN sessions tunnel across a transport network in an encapsulated format, making them “invisible” to devices that don’t have access to the VPN members’ secret “keys” or “certificates.”

 

ANSI/ISA99 and defense in depth

The zone and conduit approach helps implement a strategy of “defense in depth”, that is multiple layers of defense distributed throughout the control network. This is a proven strategy in the IT community.

I recommend you become proficient with segmenting control networks for zones and conduits, and with appropriate industrial security solutions. Doing so will greatly assist your organization to mitigate against threats from “interconnectedness” and “Son-of-Stuxnet” malware.



No comments
The Top Plant program honors outstanding manufacturing facilities in North America. View the 2013 Top Plant.
The Product of the Year program recognizes products newly released in the manufacturing industries.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
The true cost of lubrication: Three keys to consider when evaluating oils; Plant Engineering Lubrication Guide; 11 ways to protect bearing assets; Is lubrication part of your KPIs?
Contract maintenance: 5 ways to keep things humming while keeping an eye on costs; Pneumatic systems; Energy monitoring; The sixth 'S' is safety
Transport your data: Supply chain information critical to operational excellence; High-voltage faults; Portable cooling; Safety automation isn't automatic
Case Study Database

Case Study Database

Get more exposure for your case study by uploading it to the Plant Engineering case study database, where end-users can identify relevant solutions and explore what the experts are doing to effectively implement a variety of technology and productivity related projects.

These case studies provide examples of how knowledgeable solution providers have used technology, processes and people to create effective and successful implementations in real-world situations. Case studies can be completed by filling out a simple online form where you can outline the project title, abstract, and full story in 1500 words or less; upload photos, videos and a logo.

Click here to visit the Case Study Database and upload your case study.

Maintaining low data center PUE; Using eco mode in UPS systems; Commissioning electrical and power systems; Exploring dc power distribution alternatives
Synchronizing industrial Ethernet networks; Selecting protocol conversion gateways; Integrating HMIs with PLCs and PACs
Why manufacturers need to see energy in a different light: Current approaches to energy management yield quick savings, but leave plant managers searching for ways of improving on those early gains.

Annual Salary Survey

Participate in the 2013 Salary Survey

In a year when manufacturing continued to lead the economic rebound, it makes sense that plant manager bonuses rebounded. Plant Engineering’s annual Salary Survey shows both wages and bonuses rose in 2012 after a retreat the year before.

Average salary across all job titles for plant floor management rose 3.5% to $95,446, and bonus compensation jumped to $15,162, a 4.2% increase from the 2010 level and double the 2011 total, which showed a sharp drop in bonus.

2012 Salary Survey Analysis

2012 Salary Survey Results

Maintenance and reliability tips and best practices from the maintenance and reliability coaches at Allied Reliability Group.
The One Voice for Manufacturing blog reports on federal public policy issues impacting the manufacturing sector. One Voice is a joint effort by the National Tooling and Machining...
The Society for Maintenance and Reliability Professionals an organization devoted...
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.
Maintenance is not optional in manufacturing. It’s a profit center, driving productivity and uptime while reducing overall repair costs.
The Lachance on CMMS blog is about current maintenance topics. Blogger Paul Lachance is president and chief technology officer for Smartware Group.