Remote - Summer 2012 - (Page 12)

Applications - Feature

Unbreakable SCADA Security
Protecting Hydrocarbon Facilities and Pipeline Networks

Frank Dickman, Consulting Engineer, BSMAE, RCDD
Piping Design Consultants, Inc.

Located in the heart of Russia, the rich Samotlor hydrocarbon field was discovered in the 1960’s. It is the largest oil and gas field in the country. It lies in Western Siberia where temperatures can range from -58°F in winter to 95°F in summer.

In this area, a subsidiary of one of the top ten privately owned oil companies in the world operates 8,300 production wells and 2,700 injection wells fitted with the latest equipment, spread over an area of 1,750 square kilometers of the field, with 1,100 kilometers of oil pipeline, 1,200 kilometers of water pipelines and 2,100 kilometers of surfaced roads. Production exceeds 22 million tons of hydrocarbons, and transportation of 5 billion cubic meters of natural gas. Think Houston or Tulsa, the oil boomtowns of the early 1900s. The once sleepy town of Nizhnevartovsk is now one of the wealthiest cities in Russia.

The parent company is far more vertically integrated than its American counterparts, in that it controls exploration, construction, production, transportation, processing and distribution all the way to the retail level, including 1,500 filling stations.

Figure: A natural gas pipeline rupture in a suburb of Moscow, believed caused by an unregulated pressure surge.

The Russian subsidiary’s method for centrally monitoring flow, pressure, temperature, viscosity, composition, water content and other sampling data from the gathering fields, and SCADA systems responsible for command and control of valves, pumps and compressors, has been via radio communications. This methodology suffers from slow communication speed and lack of security. Anyone with an antenna can monitor radio signals.

The Russians face the same potential risks to their hydrocarbon infrastructure as we do here. Fuel distribution is vital to the economy. Pipelines need to be monitored and maintained. Like the Alaskan pipeline, many Russian pipelines run long distances aboveground through remote areas. There always exists the threat of malfeasance, malware, malcontents and mischief; whether by homegrown or foreign terrorists, competitor states, countries or companies, for purposes of sabotage, espionage or extortion.

To Russia with Love

Since August 2011, these oil field networks are being upgraded from insecure radio modems to the WiMAX standard. WiMAX is a wireless communication technology for delivering high-speed Internet service to large geographic areas. Applied to cellular communications here in the USA, it is part of the fourth generation (4G) network being marketed by cellular providers to allow all the advanced Internet features available on the latest cellular devices. Think of WiMAX as being Wi-Fi on steroids. While that free Wi-Fi node at Starbucks has a range of 30 yards, WiMAX has a range of up to 30 miles.

High-speed digital cellular communication has big advantages over slow and insecure radio modems. But as any perusal of the latest celebrity news will show, Internet-capable cell phones can be intercepted, infected, cloned, hacked and diverted. So the Russians were looking for an appropriate technology to provide ironclad security from eavesdropping or manipulation by competitors, foreign or domestic. Protection from infection by malware was also a consideration. Any connection to the Internet risks penetration into an industrial network, even those behind corporate firewalls.

Unbreakable Security

While searching for a simple, economical, commercially available solution, the Russians examined what was available in the marketplace and chose the use of a factory level device, the FL mGuard from Phoenix Contact, developed by Innominate Security Technologies. The system was specifically designed for harsh environments and includes small, industrial-rated modules that incorporate router, firewall, encryption, authentication and other functions, that can be installed without disturbing production.

An FL mGuard creates secure data communication via Virtual Private Network tunnels (VPN). VPN provides high security over public telecom networks, such as the Internet, replacing the need for requisitioning and maintaining expensive dedicated leased-line circuits in wide area networks. Among other features, the mGuard provides the Internet Security Protocol (IPsec), with all message traffic encrypted at the highest level of the Advanced Encryption Standard (AES-256), the same standard adopted by the US government and others.

Communication with control devices is only allowed from designated locations via software security keys and authentication via certificates of authority that verify the communication origin is from specific command-and-control individuals at specific workstations. The device filters all outgoing as well as incoming data packets. Any attempted forms of communication without specific handshake protocols will be intercepted and discarded. This method blocks hacking, virus transmission and unauthorized access to data streams of information because the module screens and rejects any unauthorized packets, including malware and hacker probes.

In stealth mode these products are completely transparent, invisible while automatically assuming the Internet Protocol (IP) address of the equipment to which they are connected, so that no additional addresses are required for the management of the network devices. No changes need to be made to the network configuration of the existing systems. The devices provide a secure Stateful Packet Firewall, according to rules that can be configured via templates from a centrally located server, or by using the default configurations. Specific user firewall rules can restrict the type and duration of access. Optional Integrity Monitoring functionality can even protect system files against unexpected modifications of executable code, by Stuxnet-derived malware for instance, by recognizing changes in data traffic patterns, and sending alerts to administrators.

Installation was as simple as mounting the device, providing low voltage DC power, and plugging it in between the communication device and the local network signal interface. In this case, these were Programmable Logic Controllers (PLCs) equipped with simple two-pair RS485 Modbus remote terminal units (RTUs) common to industrial automation environments.
