Industrial Strength Security

For this month’s Cover Story we take a look at the burgeoning issue of cyber security. First off, Andreas Kopke explains why when it comes to securing IT infrastructure, the plant floor is a very different place to the top floor.

  • Posted on 01 May 2007

Problems and faults in the recent past have made many companies aware of the need for IT security measures. A start has also been made in the industrial environment in meeting the increasing threat with concepts and solutions familiar from the office environment. But it has become obvious that requirements and conditions in production plants are different to those in offices. Automated productionsystems thus need new concepts for IT security.

Solutions and standards from the office environment are increasingly used in industrial production plants. This starts with the use of PC technology in machines, and reaches all the way to the use of Ethernet and the Internet protocol TCP/IP at the field level. With the facility to enable integrated networking, industrial Ethernet will increasingly replace established fieldbus solutions, meaning that production networks can be connected directly with the office LAN, the intranet or even the Internet. You can normally access all the information from the production plant without costly conversions, allowing the design of faster and more efficient production processes.

However, along with the recognized benefits of integrated networking of production plant and office come some potential dangers. While it would certainly be wrong not to exploit the opportunities offered by the arrival of open communication standards and modern concepts from the office environment, and to miss out on innovations in the IT sector, it is vital to confront the issue of IT security in production networks.

Attempts have been made to secure production networks in the same way as office LANs – but, usually, this does not meet with much success, as evidenced by plant security problems reported in the media. The reason for this becomes clear when we examine the differences between the industrial and office environments.

Industry versus office
The most significant difference to office automation is to be found in the relatively long life cycles in production plants. A normal office network contains primarily PC systems and IT servers of which the PCs are generally replaced every three to four years. A production machine, on the other hand, or even just an operator panel in an automated plant, usually has to provide service for 13 to 20 years.

Typical PC operating systems have a service life of up to 10 years (this is the period, calculated from the initial launch, during which the software vendor provides updates and the corresponding support). There is no guarantee that up-to-date virus scanners and virus signatures will be available, in addition to the security patches, for this operating system during this period.

Network requirements in industry are also different. The availability of a production network must be almost 100 percent. Each more significant restriction to availability, whether resulting from faults (virus attacks or similar) or frequent maintenance work (installing new security updates, for example) typically generates six-figure costs. Network nodes with sometime “obsolete” operating systems also leave industrial networks open to malicious attacks from viruses, worms and Trojan horses. Industrial environments also have requirements and marginal conditions that are unknown or rare in offices, such as the following:

The different IT characteristics of the factory and the office.
Industry Office
Availability
  • Very high requirements
  • Network downtimes <500ms required to prevent plant standstill
  • Medium requirements
  • Network downtimes of seconds or minutes are accepted
Response Time
  • Guaranteed response times
  • Best possible response without any guarantees (a low-priority transfer once before one of a higher priority is started)
Installation
  • By plant commissioning personnel (incl. trained personnel)
  • By trained technical personnel (network administrator)
Equipment Density
  • Low, switches with fewer ports
  • High, switches with a large number of ports
Topology
  • Cabling in line technology (optionally as a ring) with higher-level plant bus and control room or wiereless
  • Cabling in star topology (structured); storey, building, corporate site

• Real-time communication with guaranteed response times less than 1 ms
• Plant start-up by personnel who are not IT specialists
• Device replacement within just a few minutes (for repair purposes, for example) without modifying or reconfiguringnetwork components

Internal affairs
Dangers to networks emanate mostly from inside and not, as most people would assume, from outside a plant. Studies of IT security and network security confirm this. Access violations, for example, are often not even discovered. Usually unauthorized personnel access devices in the production network through inexperience or simple curiosity. Today, however, networks are protected primarily against external access. This is absolutely necessary and has been practiced successfully for years but it only covers a small percentage of dangers.

More damage is caused by internal threats such as an infected notebook or a “curious” employee. A worm or virus introduced to a company network by an infected notebook can create such high network loads that communication in the network collapses completely even though the worm or virus doesn’t itself cause any damage but simply reproduces itself in the network. In contrast to the office environment, even brief faults of this kind result in huge financial losses.

Traditional security concepts meet internal threats with the installation of virus scanners and personal firewalls on the office PCs. With industrial PCs, this is only possible to a limited extent because it requires constant service and maintenance of the system as well as continuous checking that the new security updates have no adverse effects on the production software. The diversity of automation equipment is also several times greater than in the office area so thatit is not realistically possible to secure all network nodes.

It must also be noted that the automation environment not only includes powerful devices such as PCs, printers or servers, but also devices with memories of only a few 100 KB, the simplest of processors, and I many proprietary operating systems – in other words, devices that cannot be expanded with effective protection measures. For all these reasons, then, an industrial plant network cannot be administered like an office network with regard to security.

Security cell concept
The realization that not all nodes in the production network can protect themselves gives rise to the concept of the “security cell”, the core idea of which is the subdivision of production networks into network segments for security purposes.

Each network segment is a protected area for the network nodes within the segment (security cell). External protection of the security cell is handled by a special network component (security module) that monitors data traffic from and to the cell and checks access authorizations. Only authorized data traffic is allowed to pass.

Undesired data traffic such as that generated by viruses and worms can thus be effectively kept away from devices that cannot protect themselves. Even if the network outside the cell has been compromised, communication within the cell can be maintained.

Such cells already exist from the perspective of the production task, particularly in the automated plants, (e.g. a robot cell), but today these are often connected direct with the factory network without protection. Such cells can be secured with a security module (such as Scalance S from Siemens) – even at a later date.

In theory, a small router with a firewall could be used as a security module, but then IP addresses and subnet dialogs in the existing systems or devices would have to be modified. This is almost out of the question in practice because it is comparable to an initial startup of the system. For this reason, it is important that a security module can be operated not (only) as a router but also as a bridge.

Within a cell, the security module does not affect the exchange of data. However, communication between cells is effectively restricted to the cells that really must communicate with each other. This makes it difficult for bugs (viruses, worms, Trojans) that have managed to penetrate the cell to spread overthe entire network.

The subject of “data spying” has also often been neglected in past years. The protection of devices is only part of the concept; guaranteeing the confidentiality and integrity of production data is just as important. When data exit the manageable area of a security cell they can no longer be protected against either spying or manipulation without further measures.

And the danger from even unintentional data manipulation must not be underestimated. Even slight, undiscovered manipulation of a measured value can result in the loss of an entire production batch. For this reason, the security cell concept provides for encryption of the data communication and establishes a VPN (virtual private network) between the relevant security cells. This guarantees data confidentiality and freedom from corruption.

Design for industry
An IT security concept for industry that only takes account of security aspects doesn’t do the whole job. As already mentioned, there are also requirements and marginal conditions in industrial production that are not met by traditional solutions. The maintenance and startup personnel in the production area often do not have detailed expert knowledge of IT security because their primary task is, after all, in the production area. This is the risk of new solutions.

Detailed knowledge of security certificates, encryption algorithms, and such, cannot be assumed. For this reason, it must be possible to set up security cells with just a few settings. If IT security is too complex to set up, there is the danger of creating security gaps that render all other measures ineffective.

Modern, highly automated plants work 24 hours a day with a small number of personnel. In the event of a fault, a member of the support team must be able to replace a device in the shortest possible time. In such cases, the plant electrician may have not much more than a screwdriver to hand. Whether it’s a simple sensor, a high-grade control component or a security module, you have to be able to replace the device without reconfiguring or adjusting settings on the device.

Implementation example
 Some companies are already working today on security components with which the security cell concept can be implemented. Siemens, for example, offers Scalance S modules (S for security) within its range of industrial network components. These modules combine a high standard of security with the simplest possible configuration and easy replacement for maintenance purposes.

During configuration, the security modules in a network are assigned to groups. Only security modules in the same group, or the devices protected by them, can communicate with each other. The modules can, of course, also be assigned to several groups. Then the relevant configuration files are generated by the configuring tool. The configuring engineer uploads these to the security modules via a secure channel. As well as this minimal configuration, there are also extended settings, such as firewall configuration, that can be used when required.

The configuration files also contain the VPN certificates generated by the configuring tool that are required for establishing the secure channel between security modules. The user does not require any further knowledge for this and does not need to be explicitly concerned with the process. It is nevertheless possible to link the security modules with normal VPN clients, or to use existing VPN certificates from an available public key infrastructure. If necessary, the extended configuring methods can be used for this.

The Configuration Plug (C plug) provides the security modules with a replacement medium as an accessory that enables fast and simple device replacement without the need for a programming device or reconfiguration in the event of a fault. This can reduce the standstill times of network segments and connected network nodes. The configuration data are automatically saved on the C plug. If a device needs to be replaced, the C plug is simply removed from the failed component and plugged into the replacement device. The replacement device is then automatically started up with the configuration of the failed device.

Get protected now
 In view of the potential threats, you are urgently recommended to secure sensitive and endangered plant and production networks. An optimum solution in this case are protected network segments. Thus not every single network station needs to be protected individually. The security cell concept offers a low-cost, easily maintained, but nevertheless powerful solution approach here.

New IT security concepts must always take account of the special marginal conditions in the industrial environment. In the area of automated production in particular, it is necessary to seize the opportunity of achieving a high level of IT security with low overhead in installation, maintenance and operation of plant networks in comparison with traditional office solutions.

Andreas Kopke is System Manager, Product Marketing, Siemens Automation & Drives

Security Cell Concept

Protecting the Port

Evading control by traditional layered security technologies, that innocuous USB port can be significant vector for data leaks and malicious uploading. So how can it be protected?

Regulating the electronic flow of information stored in digital format has never been so hard. Most organizations have attempted to reduce the risk of data leaks from servers and networks with firewall, intrusion prevention, authentication and access controls. Enterprises have discovered a requirement to deploy different solutions that solve particular vulnerabilities at each layer of the networked information system.

But now, a new risk is sidestepping these controls – one that creates the opportunity for data to slip outside the protective net without detection. The culprit is any plug-and-play storage device attached to a PC or laptop USB port.

A standard corporate desktop PC may have up to eight USB ports. Some are required for peripherals such as a keyboard or security token reader, but there are usually one or more unused ports. By default, USB ports are “always on,” ready to serve any USB-enabled device that is plugged into the endpoint computer.

People constantly plug devices into their work PC to upload music, images, or transmit digital photos over the Internet. One of the most popular USB storage devices is the Apple iPod multimedia player Consequently, some people have coined “Pod Slurping” as a hip term for transferring files to a USB storage device.

This Achilles heel effectively makes all USB endpoints susceptible to data leaks. Danger can also flow in the other direction when newly attached storage devices send virusinfected files or malicious applications onto the endpoint device – and potentially throughout the enterprise network

Protection options
An enterprise may chose to disable USB via the Windows Group Policy and an ADM template. Unfortunately, this capability does not provide administrators with granular control. It’s all or nothing, so all USB ports on an endpoint are either available or not. And since most endpoints now require USB for mandatory peripherals, this control is practically useless.

Another alternative is physical restraint of unused ports. Some vendors sell plug-in USB “locks” to physically secure unused ports. The physical blocking strategy will do little, however, to stop a user with malicious intent from simply unplugging an existing USB peripheral and inserting an unauthorized storage device in its place.

A much more sophisticated, software-based solution is the Pointsec Device Protector, which enables enterprise-wide control of storage device access through USB (and other I/O ports), and of the data flowing through those connections. It provides a policy-driven port security system to a system administrator for granular control of endpoints that denies all access (black list), provides read-only access, or allows full authorized access (white list).

The level of control is configurable by a security administrator, which is critical for striking the best balance between security and cost. In some enterprises, implementing a rigid security policy puts new strain on end user work patterns. Pointsec’s objective is to offer a customized endpoint security solution that minimizes changes to end user behavior, while also addressing the most critical elements of security policy.

Device management
A media authorization system included within Pointsec Device Protector digitally tags and authorizes devices based on content. A digital signature is written to each device to mark it as “authorized” and is automatically updated when storing information within the protected environment.

If changes to the media are permitted outside of the organization (such as sharing data with a business partner), the device requires re-authorization before it can be used again within the protected environment.

Ensuring that only digitally signed devices can be accessed provides device-specific security rights for content. These rights prevent accidental or deliberate attempts to transfer protected files onto unauthorized portable storage devices.

The solution also prevents transfer of files with malicious content from storage devices onto enterprise endpoints. Administrator-defined file types can be controlled on a user or group basis. And new software packages can only be installed by trusted users and applications.

Based on information supplied by Pointsec (www.pointsec.com)

Setting Standards

G Venkatesh provides an update on the state of cyber security standards.

When I spoke to Bob Webb, Managing Director of the ISA SP99 committee, back in 2005, he emphasized the need for greater awareness in the process and manufacturing sectors about the threat of malicious access to enterprise-wide automation networks. Two years down the line, there seems to have been a sea change in the attitude of the industry, with standardization efforts moving ahead apace.

Essentially, the ISA-SP99 Committee is working towards establishing standards that will define procedures for implementing electronically secure manufacturing and control systems and security practices and assessing electronic security performance.

As industry experts believe, the ISA SP99 standards will enable a better understanding and a streamlined approach to entrenching cyber security in automated systems in the process and manufacturing enterprises. Committee chairman Bryan Singer is of the view that better collaboration is necessary among industry experts to avoid any confusion regarding standards, and that security should not be viewed as an oneoff project or a product but an ongoing concern benefiting from progressive developments in technology.

Singer adds that cyber security technology will not stabilize but keep improving to counter the “bad guys”. He is also encouraged by the rise in awareness in the process sector relative to three or four years ago.

Bridging the gap
Eric Byres, CEO of Byres Security, a recognized figure in industrial cyber security circles and an SP99 Voting Member, believes that there is a strong need to bridge the gap between knowledge of IT tools for cyber security and control engineering expertise in the process sector, by adapting operators to the need for and the implications of cyber security of automated systems. “There are instances where the integration of these two seeming ‘islands’ has resulted in immense benefits as far as security and safety in the process sector goes. The imperativeness of cyber security has filtered through to a wide gamut of process industries – water, power, oil/gas, etc – yet, there is a long way to go,” he said when he spoke to Control Engineering’s Peter Welander at this year’s Process Control System Forum (PCSF) in Atlanta.

He went on to say: “A business case needs to be built up and a corporate-wide recognition of the need for cyber security is very essential. What is also to be ingrained is the need to educate and train people about security, check the ‘defenses’ periodically, and strengthen them on the basis of feedbacks obtained. Single lines of defense may turn out to be ineffective, and the process sector should think on the lines of ‘defense in depth’.”

Meanwhile, the ISO/IEC 27000 series of standards (from ISO/IEC 27000 to ISO/IEC 27006) advocates a Plan-Do-Check- Act model aimed at progressive improvement of information security management systems (ISMS) in all types of organizations – commercial enterprises, government agencies, not-for profits.

Roger Frost of the Marketing and Communications Department of the ISO Secretariat in Geneva provided CE Asia with information regarding the ISO/IEC 27000 certifications around the world. As of March 22 2007, there were 3363 ISMS certifications. Japan comes right on top with 1910 certifications, followed by the UK and India. And the USA has just 47, which is not much more than Singapore’s 28 certifications. It is interesting to note that China is still far behind Japan and India with only 47 certifications. The numbers will only increase from here on in – and rapidly.

Increasing market size
Another reason for this rise in awareness which both Byres and Singer refer to, and thereby the creation of a much bigger market for cyber security tools and solutions suppliers, is the fact that there is an ever-increasing integration on a global scale with the interdependency among suppliers and producers around the world becoming starker by the month.

The more arterial the network and the greater the number of “crossroads” in the information highway, the greater are the number of junctions which are prone to misuse. The more options an industry has as far as sourcing its raw materials and production goes, the greater risk it has to secure itself against, even while enjoying the advantages of a larger palette to choose from and ensure reliability of supply.

A prominent player in IT security market is Fortinet Inc. In response to queries from CE Asia, the company spokesperson said, perhaps not surprisingly, that it does not expect the market sector to shrink any time in the near future “because the threats from Trojans, phishing and spam are increasing in sophistication”.

Fortinet also points to an emerging trend of integration of security features into networking equipment, such as network switches, and the rapid rise in mobile workers bringing viruses, Trojans and worms into the corporate network through infected notebooks. Isolating these and dealing with internal security threats is already a challenge recognized by IT departments in many companies. This has led to an emerging demand for such products as Network Access Control (NAC) systems. Fortinet recently launched its first product in this market space with the FortiGate-224B.

SP99 makes progress
ISA’s SP99 standards development committee says it is making “substantial progress” on several fronts in its work to develop standards and guidelines for the electronic security of industrial automation and control systems.

The committee has conducted a second round of voting on the draft standard, Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts and Models. The draft received enough votes to pass, but the committee will evaluate all comments and reissue another draft if necessary. This first standard will establish the context for all of the remaining standards in the ISA-99 series by defining a common set of terminology, concepts and models for electronic security.

The planned Part 2 standard in the ISA-99 series, Establishing an Industrial Automation and Control Systems Security Program, is being prepared for its own second committee ballot in the coming months. This standard will provide guidance for developing a program for the security of industrial automation and control systems – including detailed guidance on process activities and key elements for establishing a cyber security management system.

ISA-SP99 has also established a new working group to develop a further standard in the series, Specific Security Requirements for Industrial Automation and Control Systems. This standard will define the characteristics of industrial automation and control systems that differentiate them from other information technology systems from a security point of view. The standard will establish the security requirements that are unique to this class of systems. Beyond its work on the initial standards in the ISA-99 series, the committee is also planning to release a revised and updated technical report, Security Technologies for Industrial Automation and Controls Systems, focuses on identifying and evaluating currently available technologies for control systems security, covering areas including:

• Authentication and Authorization
• Filtering/Blocking/Access Control
• Encryption and Data Validation
• Audit, Measurement, Monitoring and Detection Tools
• Operating Systems
• Physical Security

According to committee chair Bryan Singer, “There has been substantial improvement in the degree of awareness in the process industry relative to what it was when work on forming these standards commenced. While the ISA SP99 standards will definitely enable a smoother, easier and faster incorporation of the element of security into process industries, security technologies will keep developing continuously, to stay one-up on the growing cyber threats.” CEA

Eric Byres

  • More About