13 Security 85
13.2 Substation Network Security Considerations 86
13.2.1 Setting Up a Secure Substation LAN
Security, as implemented on the SMP Gateway, is not a substitute for full network security that includes properly configured firewalls. It can be argued that if unauthorized users get as far as trying out the SMP Gateway’s security features, there has already been a security breach at some other level. The goal of the SMP Gateway’s built-in firewall, simply stated, is to minimize the risk of unauthorized access (or network traffic) to internal components on the PCN or SCADA systems.
The substation LAN is a critical part of a utility's network. To ensure its integrity, it must be isolated as much as possible from the outside world. Securing the substation LAN is a complex subject beyond the scope of this document; this section does, however, provide some general guidelines on setting up a secure substation LAN.
A corporate LAN provides a number of access points to the outside world and is exposed to a variety of threats through its connection to the Internet, external mail servers and file transfers, which may contain viruses. If there is a direct connection between the corporate LAN and substation LANs, the substation is not secure.
A significant improvement is the use of firewalls with the ability to establish a number of demilitarized zones (DMZ) between the enterprise and process control networks. Each DMZ holds a separate "critical" component, such as the data historian, the wireless access point or remote and third party access systems. In effect, the use of a DMZ-capable firewall allows the creation of an intermediate network often referred to as a process information network (PIN).
Creating a DMZ requires that the firewall offer three or more interfaces, rather than the typical public and private interfaces. One of the interfaces is connected to the enterprise and the second, to the PCN/SCADA network; the remaining interfaces are connected to the shared or insecure devices, such as the data historian server or wireless access points.
To isolate the substation LAN, you should take the following precautions:
There should be no email access.
There should be no Internet access.
There should be no direct connection to the corporate LAN.
Furthermore, a redundant path should be provided between the SCADA and the substation, to ensure continued operation in the event of a failure of the corporate WAN. A dedicated communications line is often maintained for this purpose.
A firewall must be used to isolate the substation LAN from the corporate WAN. The firewall should be configured to block all ports and connections except those that are absolutely necessary for the operation of the substation. For instance, the firewall could be set up to accept traffic between the SCADA and the SMP Gateway only. The firewall could also be configured to limit traffic to a single port, such as that used by a DNP3 communications link.
However, note that such a security policy would prevent the use of the SMP Tools outside the substation.
13.2.2 Using SMP Tools through a Substation LAN Firewall
Cybectec SMP Tools use Microsoft DCOM technology. This technology is designed to be used on a LAN. There are two strategies available to use DCOM through a firewall.
The most secure approach is to establish a VPN (Virtual Private Network) connection between the substation LAN and the client workstations on the corporate LAN. A VPN encapsulates and encrypts network messages before forwarding them to the recipient. You will not need any special setup when installing the SMP Tools. This approach will also secure access by any other tools.
If you cannot use a VPN, you will need to open the necessary ports for DCOM on the firewalls and routers that connect to the corporate LAN.
Here is the list of ports and port ranges that you have to open in the substation LAN firewall to let a PC on one side of the firewall communicate with an SMP Gateway on the other side:
For access when not using VPN, open
Application Port Protocol
FTP server 21 TCP
Telnet 23 TCP
SMP Status 23 UDP
Web server 80 TCP
RPC server and DCOM 135 TCP
DCOM 1024 to 1124 TCP
SMP maintenance server 49152 TCP
Optional ports, using VPN or not
Application Port Protocol
CoDeSys server 1200 TCP
Passthrough server 32500 TCP
If using VPN, open
Application Port Protocol
SMP Status 23 UDP
PPTP (VPN) 1723 TCP and UDP
PPTP (VPN) - GRE
Here is a list of the most commonly used ports for RTU and SCADA communication:
SMP Config Protocol Port
DNP3 20000
IEC 60870-5-104/103 2404
IEC 61850 102
ICCP 102
MODBUS 502
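A worked model of the policy described in 13.2.1 (default deny, SCADA to SMP Gateway on a single DNP3 port only) combined with the SMP Tools port tables of 13.2.2 (the small VPN set versus the full DCOM set when no VPN is used). This is an added Python example, not code from the manual or from the SMP Gateway; the addresses are constructed assumptions and the evaluator is a model of an allowlist firewall, not a real one.

```python
from ipaddress import ip_address, ip_network

# Port tables from the manual, one (protocol, first port, last port) entry per row.
# GRE carries no port, so it is matched on protocol alone.
SMP_TOOLS_NO_VPN = [("tcp", 21, 21), ("tcp", 23, 23), ("udp", 23, 23), ("tcp", 80, 80),
                    ("tcp", 135, 135), ("tcp", 1024, 1124), ("tcp", 49152, 49152)]
SMP_TOOLS_VPN = [("udp", 23, 23), ("tcp", 1723, 1723), ("udp", 1723, 1723), ("gre", 0, 0)]
SCADA_PORTS = {"dnp3": 20000, "iec104": 2404, "iec61850": 102, "iccp": 102, "modbus": 502}

class SubstationFirewall:
    """Default-deny allowlist between the corporate WAN and the substation LAN."""

    def __init__(self):
        self.rules = []  # (src_net, dst_net, proto, first_port, last_port)

    def allow(self, src, dst, proto, first, last=None):
        # A bare host address becomes a /32 network, so hosts and subnets mix freely.
        last = first if last is None else last
        self.rules.append((ip_network(src), ip_network(dst), proto, first, last))

    def permits(self, src, dst, proto, port=0):
        """True only when an explicit rule matches; everything else is dropped."""
        s, d = ip_address(src), ip_address(dst)
        return any(s in sn and d in dn and proto == p and lo <= port <= hi
                   for sn, dn, p, lo, hi in self.rules)

def build_policy(scada, gateway, corporate_lan=None, vpn=True, protocol="dnp3"):
    """SCADA master to SMP Gateway on one protocol port, plus the SMP Tools
    ports for the corporate LAN (VPN set by default, full DCOM set if no VPN)."""
    fw = SubstationFirewall()
    fw.allow(scada, gateway, "tcp", SCADA_PORTS[protocol])
    if corporate_lan:
        for proto, lo, hi in (SMP_TOOLS_VPN if vpn else SMP_TOOLS_NO_VPN):
            fw.allow(corporate_lan, gateway, proto, lo, hi)
    return fw

def dropped(fw, flows):
    """Return the (src, dst, proto, port) flows the policy would block."""
    return [f for f in flows if not fw.permits(*f)]

if __name__ == "__main__":
    # Constructed addresses: SCADA master, SMP Gateway, corporate LAN, an Internet host.
    flows = [("10.1.0.5", "192.168.10.2", "tcp", 20000),     # SCADA DNP3 poll
             ("10.2.0.44", "192.168.10.2", "tcp", 135),      # SMP Tools DCOM without VPN
             ("10.2.0.44", "192.168.10.2", "tcp", 1723),     # PPTP tunnel setup
             ("203.0.113.9", "192.168.10.2", "tcp", 20000),  # DNP3 from a non-SCADA host
             ("192.168.10.2", "10.2.0.10", "tcp", 25)]       # e-mail out of the substation
    for vpn in (True, False):
        fw = build_policy("10.1.0.5", "192.168.10.2", "10.2.0.0/24", vpn=vpn)
        print("vpn" if vpn else "no vpn", "drops:", dropped(fw, flows))
```

Run with `vpn=False` to see how many extra TCP ports (135 plus the 1024 to 1124 DCOM range) the corporate LAN gains toward the gateway compared with the VPN case.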
If you configured system folders on your SMP Gateway (see “Defining System Folders”, page 119) and the Windows XP or Windows Server 2003 built-in firewall is enabled on your PC, you must also open the following ports:
445 (TCP protocol).
137, 138 and 139 (UDP protocol), if you are running NETBIOS on your network.
If you are using SNMP, you will also need to open the following ports:
GET and SET commands go through port number 161.
SNMP traps go through port 162.
IMPORTANT:
This configuration will work only if your network DOES NOT use address translation. Check with your network administrator.