ISPE Automation Forum
Cyber Security
Don Dickinson
Project Engineer Phoenix Contact
…50% more infected Web pages in the last three months of 2008 than in all of 2007
Click on one and you won’t notice anything. Your PC gets turned into an obedient “bot”
deployed to attack other computers. All of your sensitive data get stolen.
Source: USA Today 03.17.09
A widespread and coordinated attack on web sites for
Departments of Homeland Security and Defense, the Federal Aviation Administration and the Federal Trade Commission…
Computer Emergency Response Team (CERT)
The Pentagon has spent more than $100M in the past six months responding to and repairing
damage from cyber attacks and other network problems…
… we recognize that we are under assault from the least
sophisticated – what I would say is the bored teenager – all the way up to the sophisticated nation-state…
Source: USA Today 04.08.09
18-year-olds have a lot of free time, and
crave attention!
Just hours before Microsoft officially released IE8, a German computer student hacked the browser and won a contest! …broke into within minutes by
exploiting a previously unknown vulnerability in the new browser, said the manager of security
response at 3Com Corp’s Tipping Point, THE CONTEST SPONSOR!
Spies hacked into the US electric grid and left behind computer
programs that would let them disrupt service, exposing potentially
catastrophic vulnerabilities in key pieces of national infrastructure
…the level of sophistication necessary to pull off such
intrusions is so high that it was almost certainly done by state sponsors.
Source: News & Observer 04.10.09
Hacking community spreads its knowledge
(they even have camps)
Obama setting up better security for computers
By Lolita C. Baldor, Associated Press Writer, Fri May 29, 2:52 pm ET
Obama said the U.S. has reached a "transformational
moment" when computer networks are probed and attacked millions of times a day.
"It's now clear this cyber threat is one of the most serious
economic and national security challenges we face as a
nation," Obama said, adding, "We're not as prepared as we should be, as a government or as a country."
Cyber threats… unauthorized access to a control system directed from within an
organization by trusted users or from remote locations by
unknown persons using the Internet.
Industrial Network Security
A real & growing imperative
Deployment of Industrial Ethernet
growing at 50% per year
Increasing use of standard IT
components in the industrial environment
Systems become more open for
integration ☺ … and damage
Vulnerabilities spread from office IT
to the shop floor
1000+ vulnerabilities and exploits
reported each year
Securing Control Networks
– More than just security
March 2008
The Hatch nuclear plant in Georgia is forced into an
emergency shutdown for two days as a result of a software update on a single business computer!
Why Networks Need Security
Threats
Network overload by technical
defects, broadcast storms
Accidental human errors:
maloperation, introduction and dissemination of malware
Phishing
Malware (Worms)
Intended, targeted attacks from
inside and outside: sabotage, espionage, white-collar crime, cyber terrorism
Potential Damages (Risks)
Loss of production
Damage caused to health and
environment
Loss of intellectual property
(process knowledge and data)
Loss of compliance
(e.g. FDA in pharmaceuticals)
Network Security:
Industrial vs. Office Installations
Protecting industrial networks is quite different
Older operating systems - security software unavailable
Heterogeneous hardware & software
Tough environmental conditions
System life cycles of 10-20 years
“Never touch a running system”
Lack of IT security expertise
Potential economic damage in
Use of Routers to secure control systems
Routers provide key security functions
Firewall
Routing and NAT Routing
– Allows for network separation and segmentation
– NAT allows for duplicate IP address schemes on a network
VPN
Old security model – perimeter based
Initial security models had all defense efforts focused on the perimeter. Worked OK, but if it was breached the attacker had the run of the place. Great Wall of China was an awesome defensive structure, but when
breached by the Manchurians, Ming dynasty fell.
“Defense in Depth”
Security concept borrowed from the military
More difficult for an enemy to penetrate many smaller and
varied layers of defense than 1 single large layer that may have a flaw.
Limits scope of an attack to only the layer(s) that have been
breached. The rest of the network is protected.
Breach of outer layers can signal an alarm that an attack is
ongoing, allowing protective measures to take place before all is lost.
Defense in Depth
Industrial router can be used in
conjunction with IT’s security infrastructure to enhance the safety of the network.
IT Corporate Firewall typically
protects from outside threats
IT Router protects Corporate
Office network segments
Industrial router protects the
Control and Industrial network segments and individual
devices.
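The three layers on the slide (corporate firewall, IT router, industrial router) can be modelled as rule lists that a packet must pass in sequence. The following is an added example written for this page, not Phoenix Contact or mGuard code; every address, subnet and rule in it is a constructed sample value. It shows the point of defense in depth: a packet the perimeter admits (a partner support host, for instance) is still stopped by an inner layer, and the layer that dropped it is reported, which is the alarm signal the slide refers to.

```python
"""Layered packet filtering, added as an illustration of the defense-in-depth
layout above. Constructed example code, not Phoenix Contact, mGuard or any
real firewall's configuration; all addresses and rules are made up."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str                      # source CIDR
    dst: str                      # destination CIDR
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> bool:
    """First matching rule decides; a packet matching no rule is dropped (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action == "allow"
    return False


# Layer 1: corporate firewall at the Internet edge. Lets a partner support
# range (constructed: 203.0.113.0/24) reach anything internal, and the public
# reach only the web servers on 443.
CORPORATE_FIREWALL = [
    Rule("allow", "203.0.113.0/24", "10.0.0.0/8"),
    Rule("allow", "0.0.0.0/0", "10.1.0.0/24", "tcp", 443),
]

# Layer 2: IT router between office segments. Only internal sources may cross
# it, and only engineering (10.10.0.0/16) may talk toward the control side.
IT_ROUTER = [
    Rule("allow", "10.0.0.0/8", "10.20.0.0/16"),
    Rule("allow", "10.10.0.0/16", "10.30.0.0/16"),
]

# Layer 3: industrial router in front of the control network. Tighter still:
# only the engineering stations' subnet, and only Modbus/TCP (port 502).
INDUSTRIAL_ROUTER = [
    Rule("allow", "10.30.1.0/24", "10.30.1.0/24"),
    Rule("allow", "10.10.5.0/24", "10.30.1.0/24", "tcp", 502),
]

Layer = Tuple[str, List[Rule]]


def traverse(pkt: Packet, path: List[Layer]) -> Optional[str]:
    """Pass the packet through each layer on its path, in order.
    Returns None if every layer allows it, otherwise the name of the layer
    that dropped it. A drop at an outer layer is the alarm the slide
    mentions: the attempt was stopped before it reached the inner layers."""
    for name, rules in path:
        if not evaluate(rules, pkt):
            return name
    return None


FROM_INTERNET = [("corporate_firewall", CORPORATE_FIREWALL),
                 ("it_router", IT_ROUTER),
                 ("industrial_router", INDUSTRIAL_ROUTER)]
FROM_OFFICE = FROM_INTERNET[1:]


if __name__ == "__main__":
    plc = "10.30.1.20"
    cases = [
        ("partner host via perimeter", Packet("203.0.113.10", plc, "tcp", 502), FROM_INTERNET),
        ("engineering station, Modbus", Packet("10.10.5.7", plc, "tcp", 502), FROM_OFFICE),
        ("engineering station, SSH", Packet("10.10.5.7", plc, "tcp", 22), FROM_OFFICE),
        ("office PC, Modbus", Packet("10.20.3.4", plc, "tcp", 502), FROM_OFFICE),
    ]
    for who, pkt, path in cases:
        dropped_at = traverse(pkt, path)
        print(f"{who}: {'allowed' if dropped_at is None else 'dropped at ' + dropped_at}")
```

Each layer's list is deliberately tighter than the one outside it; the inner industrial router narrows the engineering rule from a whole /16 to one /24 and one port, so a flaw or misconfiguration in an outer layer does not by itself expose the controllers.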
Firewall Application Scenarios
Remember - Security isn’t just IT’s responsibility, it isn’t just the plant floor’s
responsibility – everyone has a role to play.
Protecting a single device
If this is a PC, you could use an mGuard PCI
A single mGuard can protect a subnet of over 100 devices!
This can be an unmanaged or managed switch – SFN, Lean, etc.
Why is a router used
Back in the “Old Days” of shared bandwidth (half duplex and
hubs), more nodes caused so many collisions that communication was stifled.
Routing reduces the broadcast domain and collision domain
Widespread and WAN communications
Better security model
Protect information by putting it on separate subnet.
Better administration
Separate traffic into logical groups like “Accounting, HR, etc.”
Separate traffic into physical groups like 1st Floor, 2nd Floor, etc.
Allows for redirection based on IP information or upper level
Routing – What is it?
Routing vs. Switching
Layer 3 vs. Layer 2
Logical IP Address vs. Hardcoded MAC Address
Used to segment traffic into
“subnets”.
Calculate Paths to get from Point
A to Point B, whether B is in the same row or around the world.
Devices use “Default Gateway”
address to point to a Router
Gives access to Higher level
protocols such as TCP and UDP.
OSI layer: device that operates there
Physical: Hubs
Data Link: Switches
Network: Routers
Transport: Routers / Firewalls / Other Gateways
Session, Presentation, Application: Managed by the applications communicating (E-Mail, Web, etc.)
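The two decisions the routing slide describes, an end device choosing between direct delivery and its default gateway, and a router calculating the path with a longest-prefix match over its table, are shown below in an added example written for this page (not mGuard or any vendor's routing code). All addresses and the routing table are constructed sample values.

```python
"""Layer-3 forwarding decisions, added as an illustration of the routing slide
above. Constructed example (not mGuard or any vendor's routing code); all
addresses are made-up sample values."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]   # (destination prefix in CIDR, next hop / interface label)


def host_next_hop(host_cidr: str, default_gateway: str, dst: str) -> Tuple[str, str]:
    """What an end device does with a packet: if the destination is on its own
    subnet it delivers directly (MAC resolved by ARP, switch forwards at
    layer 2); otherwise it hands the packet to its default gateway."""
    iface = ipaddress.ip_interface(host_cidr)
    if ipaddress.ip_address(dst) in iface.network:
        return ("direct", dst)
    return ("gateway", default_gateway)


def router_lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific route wins; a 0.0.0.0/0 entry is
    the router's own default route. None means there is no route at all."""
    target = ipaddress.ip_address(dst)
    best_net = None
    best_via = None
    for prefix, via in table:
        net = ipaddress.ip_network(prefix)
        if target in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_via = net, via
    return best_via


# Constructed routing table for a plant router that owns 192.168.11.0/24 on
# its LAN port, reaches the control networks through 10.30.0.1 (with a more
# specific route for one cell), and sends everything else to the WAN.
PLANT_ROUTER = [
    ("192.168.11.0/24", "lan1 (directly connected)"),
    ("10.30.0.0/16", "via 10.30.0.1"),
    ("10.30.1.0/24", "via 10.30.1.1"),
    ("0.0.0.0/0", "via 198.51.100.1 (WAN)"),
]


def trace(host_cidr: str, default_gateway: str, table: List[Route], dst: str) -> List[str]:
    """Hop list from the host's point of view: its own decision, then the
    router's table lookup if the packet left the subnet."""
    kind, hop = host_next_hop(host_cidr, default_gateway, dst)
    if kind == "direct":
        return [f"host -> {hop} (same subnet, layer 2)"]
    via = router_lookup(table, dst)
    if via is None:
        return [f"host -> {hop}", "router: no route, packet dropped"]
    return [f"host -> {hop}", f"router -> {via}"]


if __name__ == "__main__":
    for dst in ("192.168.11.55", "10.30.1.20", "10.30.7.9", "203.0.113.10"):
        print(dst, trace("192.168.11.20/24", "192.168.11.1", PLANT_ROUTER, dst))
```

The /24 route for 10.30.1.0 wins over the /16 for 10.30.1.20 because it is more specific, while 10.30.7.9 falls back to the /16; anything outside the table goes to the default route, which is exactly the "default gateway" relationship one level up.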
Routing / NAT Routing Application Scenarios
Use routing to insulate and isolate control network from IT network or
even other control networks.
NAT Routing allows for
equipment on the same network to use the same IP scheme.
E.g. Identical production cells: mGuard allows them to have unique external addresses, but same internal. Easier to
program and maintain!
mGuard can be used to segment a LAN or connect to the Internet.
Network Address Translation (NAT)
NAT is the translation of an IP address used within one
network to a different IP address known within another network.
One network is designated the inside network and the other is
the outside. Typically, a company maps its local inside network addresses to one or more global outside IP
addresses and unmaps the global IP addresses on incoming packets back into local IP addresses.
1:1 NAT, maps each “inside” address to a unique “outside”
address. For example 192.168.11.x = 214.136.75.x
Allows for multiple instances of the same IP addresses on the
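The identical-production-cell scenario from the NAT routing slide and the 1:1 mapping defined here are worked through in the following added example (written for this page, not mGuard code). The 192.168.11.x to 214.136.75.x pair is the slide's own; the plant-side ranges 10.50.1.0/24 and 10.50.2.0/24, the SCADA address and the packet structure are constructed sample values.

```python
"""1:1 NAT for identical production cells, added as an illustration of the
NAT routing slides above. Constructed example, not mGuard code; the outside
ranges are made-up sample values and the 192.168.11.x / 214.136.75.x pair is
the one quoted on the slide."""
import ipaddress
from dataclasses import dataclass


def one_to_one_nat(addr: str, from_net: str, to_net: str) -> str:
    """Translate addr from from_net to the corresponding address in to_net,
    keeping the host part unchanged. Both networks must be the same size."""
    src_net = ipaddress.ip_network(from_net)
    dst_net = ipaddress.ip_network(to_net)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1:1 NAT needs equally sized networks")
    ip = ipaddress.ip_address(addr)
    if ip not in src_net:
        raise ValueError(f"{addr} is not in {from_net}")
    host_part = int(ip) - int(src_net.network_address)
    return str(dst_net.network_address + host_part)


@dataclass
class Packet:
    src: str
    dst: str


class NatRouter:
    """Router between a cell's internal network and the plant network, doing
    1:1 NAT in both directions."""

    def __init__(self, inside_net: str, outside_net: str):
        self.inside_net = inside_net
        self.outside_net = outside_net

    def outbound(self, pkt: Packet) -> Packet:
        """Cell -> plant: rewrite the private source to its outside alias."""
        return Packet(one_to_one_nat(pkt.src, self.inside_net, self.outside_net), pkt.dst)

    def inbound(self, pkt: Packet) -> Packet:
        """Plant -> cell: rewrite the outside destination back to the private address."""
        return Packet(pkt.src, one_to_one_nat(pkt.dst, self.outside_net, self.inside_net))


# Two identical cells, both programmed with 192.168.11.0/24 internally. Each
# router maps that range to a different plant-side /24, so the same PLC
# address (.10) is reachable as two distinct outside addresses.
CELL_A = NatRouter("192.168.11.0/24", "10.50.1.0/24")
CELL_B = NatRouter("192.168.11.0/24", "10.50.2.0/24")
SCADA = "10.50.0.5"   # constructed plant-side host


def plant_address_of(cell: NatRouter, internal_addr: str) -> str:
    """Which address the plant network uses to reach a device inside the cell."""
    return one_to_one_nat(internal_addr, cell.inside_net, cell.outside_net)


if __name__ == "__main__":
    print(one_to_one_nat("192.168.11.42", "192.168.11.0/24", "214.136.75.0/24"))
    for name, cell in (("A", CELL_A), ("B", CELL_B)):
        request = cell.inbound(Packet(SCADA, plant_address_of(cell, "192.168.11.10")))
        reply = cell.outbound(Packet("192.168.11.10", SCADA))
        print(f"cell {name}: SCADA sees {reply.src}, PLC sees request to {request.dst}")
```

Because the translation only swaps the network part, the PLC program, HMI tags and documentation can be copied unchanged from cell A to cell B; only the router's outside range differs, which is the maintenance benefit the slide points to.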
Virtual Private Networking (VPN)
Establishes a “tunnel” across the Internet to allow for remote
support, diagnostics, pulling data – basically anything that requires communication between local and remote sites.
Distance or intermediary hops are of no concern; that is, the
circuit is a virtual one and the physical path to get from Point A to Point B can change without interruption or interference of the Tunnel.
Ideal for secure communications between multiple networks
Why do I need a VPN?
Remote Connectivity
Diagnostics and Alarming
Data Pull or Push
Support
Security of Data
Utilizing the ubiquitousness of the Internet instead of costly
point to point (e.g. T1, T3) lines, or the poor speed,
additional wiring and recurring costs of multiple analog connections.
All in all a great way to improve support, ease
Basic VPN concept
Initial Authentication takes place between gateway & client
A packet to be sent to a remote location is first encrypted at one VPN
gateway.
The receiving VPN gateway at the remote location is responsible for
decrypting the packet and sending to host.
Contents are safe from sniffing or corruption on the Internet
[Figure: Private network – IPsec VPN gateway (encryption) – Internet (encrypted data) – VPN gateway (decryption) – Private network]
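The three steps of the basic VPN concept (initial authentication between the gateways, encryption at the sending gateway, decryption and integrity checking at the receiving one) are shown end to end in the following added example, written for this page. It is not mGuard or IPsec code: a pre-shared-key challenge-response and an HMAC-SHA256 keystream from the Python standard library stand in for IKE and ESP so it runs without extra packages. The gateway names, the PSK and the payload are constructed sample values.

```python
"""Gateway-to-gateway VPN exchange, added as an illustration of the 'Basic VPN
concept' slide above. Constructed example, not mGuard or IPsec code: the
pre-shared-key handshake and the HMAC-SHA256-based encryption are stand-ins
(standard library only) for the real protocol's IKE and ESP."""
import hashlib
import hmac
import os
import struct
from typing import Optional


def _prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 used as a pseudorandom function (keys and keystream)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


NONCE_LEN = 12
TAG_LEN = 32


class VpnGateway:
    def __init__(self, name: str, psk: bytes):
        self.name = name
        self.psk = psk
        self.enc_key: Optional[bytes] = None
        self.mac_key: Optional[bytes] = None

    # ---- step 1: initial authentication between the two gateways ----
    def challenge(self) -> bytes:
        return os.urandom(16)

    def respond(self, own_nonce: bytes, peer_nonce: bytes) -> bytes:
        """Prove knowledge of the PSK without ever sending it."""
        return _prf(self.psk, b"auth", self.name.encode(), own_nonce, peer_nonce)

    def verify(self, peer_name: str, peer_nonce: bytes, own_nonce: bytes, proof: bytes) -> bool:
        expected = _prf(self.psk, b"auth", peer_name.encode(), peer_nonce, own_nonce)
        return hmac.compare_digest(expected, proof)

    def derive_session_keys(self, nonce_a: bytes, nonce_b: bytes) -> None:
        """Separate keys for confidentiality and integrity, fresh per tunnel."""
        self.enc_key = _prf(self.psk, b"enc", nonce_a, nonce_b)
        self.mac_key = _prf(self.psk, b"mac", nonce_a, nonce_b)

    # ---- steps 2 and 3: encrypt at the sending gateway, decrypt at the receiver ----
    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out = b""
        counter = 0
        while len(out) < length:
            out += _prf(self.enc_key, nonce, struct.pack(">I", counter))
            counter += 1
        return out[:length]

    def encrypt_packet(self, plaintext: bytes) -> bytes:
        """Tunnel frame: nonce || ciphertext || tag. Only this crosses the Internet."""
        if self.enc_key is None or self.mac_key is None:
            raise RuntimeError("tunnel not established")
        nonce = os.urandom(NONCE_LEN)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = _prf(self.mac_key, nonce, ct)
        return nonce + ct + tag

    def decrypt_packet(self, frame: bytes) -> bytes:
        """Check integrity first; a corrupted or forged frame is rejected, not decrypted."""
        if self.enc_key is None or self.mac_key is None:
            raise RuntimeError("tunnel not established")
        nonce, ct, tag = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(_prf(self.mac_key, nonce, ct), tag):
            raise ValueError("integrity check failed: packet corrupted or forged")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))


def establish_tunnel(a: VpnGateway, b: VpnGateway) -> bool:
    """Mutual challenge-response on the PSK, then session keys on both ends."""
    nonce_a, nonce_b = a.challenge(), b.challenge()
    proof_a = a.respond(nonce_a, nonce_b)
    proof_b = b.respond(nonce_b, nonce_a)
    if not b.verify(a.name, nonce_a, nonce_b, proof_a):
        return False
    if not a.verify(b.name, nonce_b, nonce_a, proof_b):
        return False
    a.derive_session_keys(nonce_a, nonce_b)
    b.derive_session_keys(nonce_a, nonce_b)
    return True


if __name__ == "__main__":
    psk = b"constructed-sample-psk"        # sample value, not a real key
    plant, hq = VpnGateway("plant", psk), VpnGateway("hq", psk)
    print("tunnel up:", establish_tunnel(plant, hq))
    frame = plant.encrypt_packet(b"read holding registers 40001-40010")
    print("on the wire:", frame.hex()[:32], "...")
    print("hq decrypts:", hq.decrypt_packet(frame))
```

The integrity tag is what makes the slide's "safe from sniffing or corruption" claim concrete: a flipped byte anywhere in the frame fails the check at the receiving gateway and the packet is discarded rather than delivered to the host, and a gateway with the wrong PSK never gets past step 1.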
VPN Application Scenarios
Secure, remote connectivity allows for better, more cost-effective support and
the ability to communicate with remote sites to gather data, alarm events, remote config, control processes, etc.
mGuard can connect to another mGuard directly
mGuards can connect when they are in firewall (Stealth) or in router mode
A single mGuard can support multiple concurrent connections
A connection can be established going through another device, or even from another device, e.g. Cisco.
Software vs Dedicated Hardware VPNs
Software VPNs are commonly used to access company network from
remote sites. Is there a performance change on your computer when you are connected?
mGuard provides much higher throughput than software VPN – 70 Mb/s
vs 30-35 Mb/s for most software
Heavy data flow over software clients is a heavy drain on CPU
Depending on the encryption and compression algorithms used, can
consume 95% CPU time
mGuard can handle 250 concurrent tunnels, software only 1
Is your industrial PC's job to function in the control network or to have its
ISPE Automation Forum
Questions?
Don Dickinson
Project Engineer Phoenix Contact