Remote - August 2011 - (Page 12)

Feature Article

SCADA Security for Critical Infrastructure
Frank Dickman, Consulting Engineer, Technical Consulting Group International

The economy of every developed country in the world depends on the supply of oil, gas and water as fuels for transportation, heat, electric current production and survival. The average American consumes two gallons of gasoline, 220 cubic feet of natural gas for heating and cooking, 30 kilowatt-hours of electricity (produced primarily from fossil fuels) and 150 gallons of water a day. That supply is an essential part of the critical infrastructure, and providing and protecting its security is a clear-cut mandate.

Utilities quickly recognized that these systems needed even more security after 9/11 and after the increased reports of malicious viruses, hacking and cyberwar capabilities discussed in numerous whitepapers, including "Hacking the Industrial Network" and "Post-Stuxnet Industrial Security." As a result, utilities realized that many industrial control networks would benefit from diverse firewalls behind the front-office firewalls and from encrypted Virtual Private Network (VPN) connectivity. Here is how one leading and progressive utility is securing the industrial control networks of its extensive network infrastructure.

The Utility

The utility operates or manages facilities in 23 US states with an extensive network of underground piping. It supports more than 300 remote field sites company-wide. For more than 30 years, it has used a variety of methods to connect to its remote sites, including modems, leased lines, dry pairs and licensed radio. In 2009, the utility was proactively planning to increase the security of its SCADA control networks. The systems engineering group, the corporate IT department and an outside consulting firm were involved in the project and in the security product evaluations. A leading IT network solution was initially considered, as this path reflected the corporate office network standard.

But there were other important considerations. "We needed an industrial solution, particularly for our remote sites," said Keith Kolkebeck, systems engineering project manager for the company. "We needed a solution that was easy to configure, powered by 24 VDC, met our IT security standards, and could hold up to years of operation in a harsh environment. In the past, we had mixed results using office network-grade products that were expensive, required special skills to configure and failed frequently."

Finding a Solution

In early 2010, the utility was introduced to the family of mGuard industrial network security devices from Phoenix Contact, created and developed by its subsidiary, Innominate Security Technologies. The system was designed for harsh environments and consists of small, industrial-rated modules that incorporate a router, a firewall, encrypted VPN tunnels, filtering of incoming and outgoing connections, authentication and other functions, providing layers of distributed defense-in-depth economically and without disturbing production. It is available in various industrial-rated designs: for DIN-rail mounting, for 19-inch rack mounting in cabinets, as PCI cards or as dongle-style patch cords for roaming technicians.

The hardened, industrial version of mGuard has been in production since 2005 and has proven effective in tens of thousands of demanding installations. Rated IP 20 for mounting in NEMA enclosures, the devices are easily installed and enabled by technicians rather than IT network administrators. Customers in the automotive and other industries have already used these versions with positive results in providing security for older production systems. Clients include a major natural gas and electricity provider and a defense and telecommunications provider.

After reviewing the technology, the utility's IT department was receptive to the concept, as it would allow process personnel to deploy and maintain their own networks, freeing IT administrators for other tasks. The company installed a dozen devices as a test bed. Engineer Kolkebeck said, "The ability for the mGuard to do AES-256 encryption along with its industrial design was key. Again, the mGuard was easy to deploy, cost effective, and met our standards. By default, the mGuard is configured in its most secure configuration. Previously, it would require a day's time of an experienced IT technician, whereas now we can roll out a new VPN device in 10 minutes. The mGuard is very easy for someone with minimal network knowledge to roll out."

In Stealth Mode these products are completely transparent, automatically assuming the MAC and IP address of the equipment to which they are connected, so that no additional addresses are required to manage the network devices. This feature appealed to initially skeptical IT personnel. No changes need to be made to the network configuration of the existing systems. Yet the devices operate invisibly and transparently, monitoring and filtering traffic to the protected systems with a stateful packet firewall, according to rules that can be configured via templates from a centrally located server. And with bi-directional wire-speed capability, the devices add no perceptible bottleneck or latency to a 100 Mb/s Ethernet network.

If required, the security of networked equipment may be further enhanced. Specific user firewall rules can restrict the type and duration of access to authorized individuals, who may log in and authenticate themselves from varying locations, PCs and IP addresses. VPN functions provide secure authentication of remote stations and encryption of data traffic. CIFS Integrity Monitoring can protect file systems against unexpected modifications of executable code, for instance by Stuxnet-derived malware, by sending alerts to administrators.

"We were implementing multiple measures into our SCADA network in order to actively monitor our system. We utilize network segmentation, VLANs and centralized firewalls, and were looking to introduce intrusion detection (IDS) and intrusion prevention (IPS) systems into our network. The mGuard is a tool that allows us to perform these functions," said Kolkebeck. The company needed to protect Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs), remote card access and video systems.

As industrial systems migrate toward an Internet Protocol (IP) network, more timely information and control is available. All new PLCs have IP capability. Power monitoring is another example. All new Variable

www.RemoteMagazine.com
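The CIFS Integrity Monitoring function mentioned above works on a simple principle: take a baseline of the executable files on a file system, re-scan it periodically, and alert an administrator when an executable has been modified, added or removed. The following script is an added example illustrating that principle; it is not mGuard, Phoenix Contact or Innominate code, and the directory it scans is a constructed temporary tree rather than a real CIFS share (the monitored file suffixes are an assumption, chosen to match Windows hosts such as HMI or engineering stations).

```python
"""Baseline-and-compare integrity monitor for executables on a file tree.

Added example (not the mGuard's own implementation): hash the executable
files under a root, store the baseline, re-scan and report differences.
"""
import hashlib
import tempfile
from pathlib import Path

# Assumption: file types that a production HMI/PLC host should not change
# during normal operation. Data and log files are deliberately excluded.
MONITORED_SUFFIXES = {".exe", ".dll", ".sys", ".ocx"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each monitored file (path relative to root) to its SHA-256 digest."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in MONITORED_SUFFIXES:
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def compare(baseline: dict, current: dict) -> list:
    """Return one alert string per modified, removed or added executable.

    An unchanged file produces no alert; edits to non-monitored files never
    reach this function because build_baseline() filters them out.
    """
    alerts = []
    for rel, digest in sorted(baseline.items()):
        if rel not in current:
            alerts.append(f"REMOVED {rel}")
        elif current[rel] != digest:
            alerts.append(f"MODIFIED {rel}")
    for rel in sorted(set(current) - set(baseline)):
        alerts.append(f"ADDED {rel}")
    return alerts


def demo() -> list:
    """Constructed scenario: baseline a tree, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "hmi.exe").write_bytes(b"original hmi binary")
        (root / "bin" / "drv.dll").write_bytes(b"original driver")
        (root / "logs.txt").write_text("not monitored")  # data file, ignored

        baseline = build_baseline(root)

        # Simulated unexpected changes: DLL overwritten, an unknown driver
        # dropped in, log file edited (which must NOT raise an alert).
        (root / "bin" / "drv.dll").write_bytes(b"patched driver")
        (root / "bin" / "new.sys").write_bytes(b"unexpected kernel driver")
        (root / "logs.txt").write_text("still not monitored")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for line in demo():
        print("ALERT", line)  # in production this would go to syslog/e-mail
```

Running the script prints two alerts, one for the modified DLL and one for the new driver, while the edited log file stays silent. In a real deployment the baseline would be stored off the monitored host (so malware cannot rewrite it along with the binaries) and refreshed only as part of an approved change window.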
