SCADA Security Basics: Why Industrial Networks are Different than IT Networks

Previously we looked at the question of “Why are PLCs so insecure?” Today we are going to come at SCADA security from another angle, which is “Why is securing Industrial Networks different than securing IT Networks?” We will also look at three ways to address these differences.

Recently I attended the Belden Industrial Ethernet Infrastructure Design Seminar and participated in an excellent session by Mark Cooksley, product manager for network management in Belden’s Hirschmann group, called “Introduction to Network Security”. It did a great job of explaining why Industrial Control Systems (ICS) are easy to attack, and it also explained high level solutions for securing them.

Industrial Control Systems are not IT Systems

“None of this would be a problem if those plant floor people just used proper security policies – what’s wrong with them?”
IT Manager after a Security Incident

Have you ever heard this?

The heart of IT network systems is often a climate-controlled, secured data center where the equipment is usually standardized and less than 10 years old. In contrast, the heart of ICS network systems is on the plant floor, often in a hazardous environment, and the average life of the equipment is more than 10 years. Photo Courtesy: Good Health Group

This type of thought reflects a lack of understanding of the differences between IT and ICS networks. Now, while you might be fully aware of what they are, I will call them out in case you need a handy list for a future chat with an IT professional.

IT and ICS security solutions vary because each system has different:

  • performance requirements
  • reliability requirements
  • operating systems and applications
  • risk management goals
  • security architectures
  • security goals

and different assumptions about security, often incompatible ones.

In particular, the number one goal of IT security is rooted in the concern for privacy (“Protect the Data”), whereas the number one goal of ICS security is rooted in the concern for safety (“Protect the Process”).

Priority   IT                SCADA/ICS
#1         Confidentiality   Availability
#2         Integrity         Integrity
#3         Availability      Confidentiality

Security Issues in Control Networks

Most ICS system security issues fall into 3 major categories.

1. Soft Targets

First of all, control networks are full of what we would call “soft” targets – devices that are extremely vulnerable to disruption through their network interface. The PCs in many plants run for weeks or months without any security updates, and some even operate without any anti-virus tools. In addition, many of the controllers in these networks were designed in an era when cyber security was not a concern; as a result, many of these devices can be disrupted by malformed network traffic or even by high volumes of correctly-formed traffic.

2. Multiple Pathways

Second, many control networks have multiple pathways through which cyber security threats can enter the plant. These pathways often bypass existing security measures in the plant, and some of them don’t even appear on a network diagram. Examples include laptop computers that are carried in and out of facilities, and USB keys that move from one PC to another. These can easily bring malware into the plant and rapidly spread it from one system to another.

3. “Flat” Networks

Third, unfortunately many ICS networks are still implemented as large, “flat” networks with no isolation at all between unrelated subsystems. This means that if a problem does occur in one part of the plant, it can spread very quickly to other unrelated subsystems and even to remote plant sites.

Security Solutions

Mark presented 3 high level approaches to securing SCADA and ICS systems.

1. Harden the Perimeter

The idea of isolating the plant network from the office network with firewalls and a DMZ is nowadays just common sense. It’s a measure that you won’t have any trouble convincing your IT friends of. (Belden's Hirschmann brand has excellent firewalls for this purpose.)

2. Defense in Depth

The concept of Defense in Depth is to go beyond having a security perimeter by having layers of defense throughout the control network. This way, if malware or inappropriate network traffic breaches the perimeter, it can be stopped and/or contained by defenses at other points in the system. For example, removable media used in the plant could introduce malware.

Our technology, the Tofino Industrial Security Solution is particularly designed for this purpose. It can be installed in live plant networks without plant downtime, it is industrially hardened, it secures industrial protocols and it is easy to configure by controls professionals.

An IT analogy for industrial Defense in Depth is the antivirus (AV) and personal firewall software that is installed on PCs. There are many reasons industrial control devices such as PLCs and DCS aren’t running security software (not the least of which is that there is no security software available for PLCs). Unfortunately, the lack of AV for controllers doesn’t mean a lack of security threats for PLCs, so in the industrial case the preferred approach is to use industrial firewalls.
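To make the contrast between the “flat” network described earlier and a segmented, protocol-aware Defense in Depth layout concrete, here is an added example (not from the original post and not Tofino or Hirschmann code): a minimal zone allow-list in Python, of the kind an industrial firewall placed between cells might enforce. The zones, addresses, Modbus/TCP function codes and sample flows are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed zone assignment for a small plant (assumed addresses).
ZONES = {
    "10.0.0.5": "office",        # IT workstation
    "10.1.0.10": "hmi",          # operator HMI in the control zone
    "10.1.0.20": "engineering",  # engineering workstation
    "10.2.0.50": "plc_cell1",    # PLC in cell 1
    "10.3.0.50": "plc_cell2",    # PLC in cell 2
}
# Modbus/TCP function codes (protocol assumed for illustration).
READ_CODES = {1, 2, 3, 4}      # read coils, inputs, registers
WRITE_CODES = {5, 6, 15, 16}   # write coils and registers

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    func: int  # Modbus function code carried in the request

# Allowed (src zone, dst zone, port, function codes). Anything not
# listed is denied, which is the opposite of a flat network.
POLICY = [
    ("hmi", "plc_cell1", 502, READ_CODES),
    ("engineering", "plc_cell1", 502, READ_CODES | WRITE_CODES),
    ("engineering", "plc_cell2", 502, READ_CODES | WRITE_CODES),
]

def decide(flow: Flow, segmented: bool = True) -> str:
    """Return 'allow' or 'deny'. segmented=False models a flat
    network in which every host can reach every other host."""
    if not segmented:
        return "allow"
    src_zone = ZONES.get(flow.src, "unknown")
    dst_zone = ZONES.get(flow.dst, "unknown")
    for s, d, port, funcs in POLICY:
        if (src_zone, dst_zone, flow.dport) == (s, d, port) and flow.func in funcs:
            return "allow"
    return "deny"

def evaluate(flows, segmented=True):
    return [decide(f, segmented) for f in flows]

# Constructed sample traffic: one legitimate read, three things that
# a flat network would let through but a zone policy stops.
SAMPLE_FLOWS = [
    Flow("10.1.0.10", "10.2.0.50", 502, 3),   # HMI reads cell 1 registers
    Flow("10.1.0.10", "10.2.0.50", 502, 16),  # HMI attempts a write
    Flow("10.0.0.5", "10.2.0.50", 502, 3),    # office host reaches a PLC
    Flow("10.2.0.50", "10.3.0.50", 502, 6),   # cell 1 PLC writes to cell 2
]
```

Running `evaluate(SAMPLE_FLOWS)` gives allow, deny, deny, deny, while `evaluate(SAMPLE_FLOWS, segmented=False)` allows all four, which is the flat-network behaviour the post warns about.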

3. Remote Access

Another way that malware or inappropriate network traffic could penetrate the perimeter firewall is if certain people or machines are given remote access to do things like maintenance from another location (such as for an oil platform that is not easily accessible). In order to secure this type of connectivity, VPNs are recommended. This is a method that is commonly used by IT.

4. Other Recommendations

To further face the challenge of securing control networks, we also recommend:

Cyber Security Inertia is Still Common

During his presentation Mark told of many occasions when he had been called to client sites to help them with security, but unfortunately it was usually after they had experienced damages from a cyber incident, rather than beforehand.

Often people take the approach that if nothing has happened (or has been detected) previously, then nothing will happen now. The concept of leaving systems alone is attractive to many controls professionals.

Mark urged people who are thinking this way that it is not if, but when, a cyberattack will occur. He urged people to just get started, and to resist the idea that plant cyber security is complicated or that it has to cost a lot of money.

He closed his presentation with the Japanese proverb:

“When you are thirsty, it is too late to think about digging a well.”

Do you have any tips to share on how your organization got moving on ICS security? What about how to work effectively with IT? We look forward to your comments.

1 Formerly ANSI/ISA-99 Standards

Related Content to Download

Presentation - "Introduction to Network Security"


Download this 71-slide presentation and learn:

  • The differences between IT and ICS systems and high level solutions for securing industrial networks
  • What firewalls do and what they do not do
  • The OSI Model and how different technologies secure different layers of it
  • What VPNs are and the different types of encryption they use


Comments


This is exactly what I was looking for to take to my meeting today.

It is frustrating to listen to IT suggestions without their understanding of 'a day in the life of a control system engineer' (and why his pw hasn't been changed in 5 years).

By now, everyone knows we need patch management, antivirus discipline, firewalls, user accounts, logging, etc., but each suggestion is in fact a project which must be assigned resources, followed by documentation and training effort.

One of my favorite papers by Eric Byres is the trilogy of OPC Security White Papers esp. #3 - Hardening Guidelines for OPC Hosts.

I am glad this article came in handy.

I feel like the situation around industrial cyber security now is similar to what happened with marketing and social media a few years ago. I knew I should have been doing it and learning it, but what work could I put aside to do it?

Anyhow, I hope you prevailed in your meeting.

If anyone else is interested in the White Paper mentioned, here is a link to it:

http://www.tofinosecurity.com/professional/opc-security-white-paper-3-ha...

(Note: you will have to become a member of this site to download it. To do that, go to: https://www.tofinosecurity.com/user/register)

While there's no doubt we have differences between the two disciplines, I'd also suggest that there are a number of principles from the IT side that can be adapted for Industrial Networks.

While AIC may be the priority for a production system, I'd suggest that, for a Safety PLC, the priority should be IAC. Depending on the Safety Integrity Level (perhaps as defined by IEC61508) required, principles derived from an appropriate Control Set (as used by IT) could be used to secure that Safety PLC.

As I mentioned in my reply to Eric Ste-Marie (see above) I agree with your idea that Integrity may be more important than Availability in the ICS world - I will be writing a blog about it.

Regards
Eric Byres

Well put, solid article.

To make our life a bit more miserable, it is lacking some crucial points. Just to bring up one of them: the control of the data that LANDS in the ICS environment.

It is far more important than the data that LEAVES the environment. As the article already showed, there are many vectors of attack towards ICS.

I am touching on this 'data conveyed to the environment' issue in an article available at http://mikk0j.wordpress.com/2012/10/02/legitimate-thought-for-securing-r...

Enterprise users make the following demands, which create more and more uncontrolled assets working as ports of entry for malware:

  • reports/alarm logs in MS Excel files
  • Alarm text messages to 50-plus operation/maintenance personnel through the open public GSM domain.
  • Demand for more and more live data with minimum latency in place of history data sitting in a separate safe zone.
  • No control on POS terminal (handled by THIRD PARTY CONTRACTORS) access to the process control system.
  • Allowing the vendor to access live control processors from the comfort of their office hundreds of miles away to avoid paying the vendor.

L. Rajagopalan (Raj)

In terms of the priority concerning the CIA I agree with your classification, but there is, IMHO, a missing variable that is the domain of infrastructure management. For instance, to offer reliability to critical industrial control networks, the network management system needs to be protected. With the network management systems and control centers, the priority should be 1- Integrity, 2- Availability, 3- Confidentiality.

That is because the reliability and security of the network service depend on the integrity of the configuration, and therefore on the management systems. Unfortunately, management systems in support of critical infrastructures are too often seen as IT systems.

I agree with your idea that Integrity may be more important than Availability in the ICS world. In fact, I agree so much I am going to write a blog about it. Stay tuned!

Regards
Eric Byres

This is a great article. I wanted to convey to others what the differences are moving forward with IT concerns. Thanks for breaking it down.

It drives me absolutely nuts when people assume that they are one and the same! I have considerable experience with industrial networks, so of course that means that I know what to do with an IT network - um, what?

Thank you for sharing this article - it clearly shows where the differences lie and I wish more people in my social circle would give it a read.
