Fundamental Principles of Ethernet Security Firewalls in Industrial Environments
by Joseph Benedetto
Schneider Electric White Paper, Revision 0

Executive summary

Security incidents rise at an alarming rate each year. As the complexity of the threats increases, so do the security measures required to protect industrial networks. Plant operations personnel need to understand security basics as plant processes integrate with outside networks. This paper reviews network security fundamentals, with an emphasis on firewalls specific to industry applications. The variety of firewalls is defined, explained, and compared.

Document 998-2095-02-13-14AR0
Introduction

If hackers can download a medical formula from a pharmaceutical firm, they could alter that medication by making a slight variation in the formula. In the automotive industry a hacker might alter a robotics program and cause it to make a defective part, to dump material where it does not belong, or to alter the timing of a particular process. In an oil industry control application, hacker meddling could result in a damaging spill. As manufacturing processes and factories become more "wired", vulnerabilities in network devices become targets for individuals writing worms and viruses. These threats work against the ultimate goal of protecting the industrial environment from any business loss, including network failure and process line inefficiency.

One of the measures that can be taken to lower the level of risk is the deployment of proper "firewalls". A firewall is hardware and / or software used to protect network-connected devices or network segments from unauthorized access. In an industrial Ethernet application, a firewall can provide the separation between the control network and the plant or corporate networks. It can also be used to create secure control zones within the control network. In a typical firewall installation, the connection coming from the plant network to the firewall is referred to as the "untrusted" port or connection. The port that connects to the control network is referred to as the "trusted" connection (see Figure 1).

Figure 1: The firewall serves as a barrier to unwanted outside intrusion while allowing legitimate data to communicate with key equipment components. (Diagram: Internet, outside of plant, to untrusted connection, to firewall, to trusted connection, to automation system.)

The firewall's basic function is to control message transmission. It is designed to block unauthorized access while permitting authorized communication to the devices connected on the "trusted" side of the firewall. It can be configured by the user to permit, deny, encrypt, decrypt or act as an intermediary device (proxy) for all traffic, in and out, between different security domains, based upon a set of rules. The first step in determining a system's security requirements is to conduct a survey. The survey identifies all the possible points of access and assists in determining the number and location of firewalls needed in the system.

The firewall plays an important role in the overall protection of an industrial control network. The control system requires fast data throughput so that it can provide a rapid response to changes in the operation. At the same time, the control system needs the protection of the firewall to block all unwanted and unauthorized traffic to devices, so that the data they act on comes only from authorized sources.

Firewall categories

Three general categories of firewalls exist to protect industrial Ethernet applications. Each provides a different level of protection. The choice of firewall should be based on the application requirements, the level of risk that can be tolerated, and the impact on a system should that system be targeted for attack. Below are descriptions of the three firewall categories:

• Packet filtering firewalls: These firewalls check each incoming or outgoing packet for its source address, destination address, and function (protocol and port). The firewall accepts or rejects the packet based on a comparison to a number of predefined rules called Access Control Lists (ACLs). This is a low cost solution that examines the packet headers only and not the packet content. Because such a filter keeps no record of connections, it must carry an explicit rule for the reply direction of every permitted flow, and anyone who can forge the header fields that rule matches (a source port, for example) passes through it; this is why this type of firewall is easy to circumvent by a skilled attacker. Packet filtering firewalls are not recommended for high risk areas due to their lack of authentication and their inability to conceal the protected network's architecture.

• Stateful inspection firewalls: These firewalls inspect each packet at the network layer, track the connection it belongs to (for TCP, from the opening handshake onward), and, where the protocol is understood, validate that its application-layer contents are legitimate. Stateful inspection ensures that all inbound packets are the result of an outbound request, so replies never need rules of their own. Stateful inspection firewalls provide a high level of security and good performance but can be expensive and complex to configure.

• Application-proxy gateways: The application-proxy gateway terminates each connection, examines every incoming packet at the application layer, filters the traffic based on specific application rules, and then reissues it to the target device. Application proxy gateways provide a high level of security, but the added processing delay impacts the network performance of the control system. Their use on paths where control traffic must meet response-time requirements is therefore not recommended.

Firewall application

The security goal of a factory or other industrial site is to protect the control network and all of its devices from any attacks. One consideration when implementing firewalls is the nature of the devices to be protected and how these devices are accessed as part of normal operation.

When applying a firewall to create a physical separation between the control network and the plant and corporate networks, the simple solution would be to install a single firewall device at the connection point between the plant floor's control network and the remainder of the plant and company networks. This approach is illustrated in Figure 2.

In the Figure 2 configuration, the firewall provides protection between the plant network and the control network. However, this configuration does not isolate the Programmable Logic Controller (PLC) system from the Human Machine Interface (HMI) and Historian systems. These are often PC-based systems that run standard operating systems, which makes them easier targets for attackers seeking to enter the system. They are accessed by devices on the plant network as well as by the PLC systems, increasing the risk that an attack reaches the PLC system that controls an operation or process. In addition, since these devices are PC-based, they can be accessed by multiple users who could intentionally or unintentionally introduce malware or corrupt the system. The simple act of loading a new version of a software package, or running another software package on the same PC, can introduce a risk to the PLC system. The PLC system is traditionally based on a custom hardware design and uses a manufacturer-specific operating system. This makes the PLC system more difficult for an attacker to access, but in no way is the system 100% safe. If a PC-based device such as an HMI or Supervisory Control and Data Acquisition (SCADA) system is on the same "trusted" side of the firewall as the PLC, then there is a risk that an attack on the SCADA system will affect the PLC.

Figure 2: A single firewall device at the connection point between the plant floor's control network and the remainder of the plant and company networks. (Diagram: corporate network and Internet, to plant network, to untrusted port of the firewall, trusted port to the control network, which holds the HMI, the Historian and the PLC system with Ethernet I/O.)

The solution is to create a network architecture that includes a separate, isolated area for network devices such as HMI, SCADA systems and Historians, one that can communicate with both the plant network and the PLC control system. This isolation is accomplished by using two firewalls: one connecting the plant network to the HMI, SCADA systems and Historians, and a second connecting these devices to the PLC control system. This isolated area, referred to as the demilitarized zone (DMZ), provides a safe and secure means for sharing data between zones. The isolation only holds if no flow is permitted straight from the plant network through both firewalls: every exchange should terminate on a DMZ host, so that the second firewall needs rules only for DMZ hosts as sources. Figure 3 illustrates this more secure configuration.

Figure 3: Two firewalls create a separate, isolated area to protect important assets. (Diagram: plant and corporate network and Internet, to firewall, to DMZ with a local server accessed by both the control and plant networks, to firewall, to control network with the PLC system and Ethernet I/O.)
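The two distinctions drawn so far, a stateless packet filter versus stateful inspection (Firewall categories, above) and a single firewall versus the two-firewall DMZ of Figure 3, can be exercised together in one small model. The Python below is an added example, not code from the white paper or from Schneider Electric. The zones, host addresses, the historian's HTTPS port and every packet in it are constructed for the demonstration; Modbus/TCP on port 502 is used as the PLC protocol. It goes one step beyond Figure 3 by also placing a third firewall in front of a critical work cell, as the paper describes next for work cell 3.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Constructed topology: the paper names no addresses or ports, so these are assumptions.
ZONES = {
    "plant": ip_network("10.1.0.0/16"),
    "dmz": ip_network("172.16.10.0/24"),       # HMI, SCADA and historian hosts
    "control": ip_network("192.168.10.0/24"),  # work cells 1 and 2
    "cell3": ip_network("192.168.30.0/24"),    # critical cell behind its own firewall
}
ORDER = ["plant", "dmz", "control", "cell3"]   # firewall i sits between ORDER[i] and ORDER[i+1]
HMI, HISTORIAN = "172.16.10.10", "172.16.10.20"
PLC1, PLC3 = "192.168.10.5", "192.168.30.5"
MODBUS, HTTPS = 502, 443  # Modbus/TCP is 502; historian web access on 443 is an assumption

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True only for the first packet of a TCP connection

def _in(addr: str, spec: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

@dataclass(frozen=True)
class Rule:
    """Permit TCP from src to dst (host, network or "any"), optionally pinned to ports."""
    src: str
    dst: str
    dport: Optional[int] = None
    sport: Optional[int] = None  # only a stateless ACL needs this, to let replies back in

    def matches(self, p: Packet) -> bool:
        return (_in(p.src, self.src) and _in(p.dst, self.dst)
                and self.dport in (None, p.dport) and self.sport in (None, p.sport))

class PacketFilter:
    """Stateless packet filter: every packet is judged on its header fields alone."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def allow(self, p: Packet) -> bool:
        return any(r.matches(p) for r in self.rules)

class StatefulFirewall(PacketFilter):
    """Rules say who may open a connection; any other packet must belong to a
    connection already tracked, so replies never need a rule of their own."""
    def __init__(self, rules: List[Rule]):
        super().__init__(rules)
        self.flows: Set[Tuple[str, int, str, int]] = set()

    def allow(self, p: Packet) -> bool:
        fwd, rev = (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)
        if fwd in self.flows or rev in self.flows:
            return True                    # part of a tracked connection
        if p.syn and super().allow(p):     # new connection from a permitted initiator
            self.flows.add(fwd)
            return True
        return False                       # unsolicited packet or forged "reply": dropped

def zone(addr: str) -> str:
    return next(name for name, net in ZONES.items() if ip_address(addr) in net)

def forward(p: Packet, fws: List[PacketFilter]) -> bool:
    """Pass the packet through each firewall between its source and destination zones.
    Two hosts in the same zone (the single-firewall layout of Figure 2) cross none."""
    a, b = ORDER.index(zone(p.src)), ORDER.index(zone(p.dst))
    hops = fws[min(a, b):max(a, b)]
    return all(fw.allow(p) for fw in (hops if a < b else hops[::-1]))

def figure3_firewalls() -> List[PacketFilter]:
    """Stateful firewalls on both sides of the DMZ (Figure 3) and in front of work cell 3."""
    fw1 = StatefulFirewall([Rule("10.1.0.0/16", HISTORIAN, dport=HTTPS)])  # plant | DMZ
    fw2 = StatefulFirewall([Rule(HMI, "192.168.0.0/16", dport=MODBUS)])     # DMZ | control
    fw3 = StatefulFirewall([Rule(HMI, PLC3, dport=MODBUS)])                 # control | cell 3
    return [fw1, fw2, fw3]

def demo() -> dict:
    """Constructed packets against the Figure 3 policy; True means allowed end to end."""
    fws = figure3_firewalls()
    r = {}
    r["hmi_polls_plc1"] = forward(Packet(HMI, PLC1, 40001, MODBUS, syn=True), fws)
    r["plc1_reply"] = forward(Packet(PLC1, HMI, MODBUS, 40001), fws)      # rides the tracked flow
    r["plant_reads_historian"] = forward(Packet("10.1.5.7", HISTORIAN, 50000, HTTPS, syn=True), fws)
    r["plant_to_plc1"] = forward(Packet("10.1.5.7", PLC1, 50001, MODBUS, syn=True), fws)
    r["hmi_ssh_to_plc1"] = forward(Packet(HMI, PLC1, 40002, 22, syn=True), fws)  # compromised HMI
    r["hmi_polls_plc3"] = forward(Packet(HMI, PLC3, 40003, MODBUS, syn=True), fws)
    r["plc1_to_plc3"] = forward(Packet(PLC1, PLC3, 40004, MODBUS, syn=True), fws)  # peer inside control
    # A rogue control-network host forges a "reply" (source port 502) aimed at the HMI's SMB port.
    forged = Packet("192.168.10.99", HMI, MODBUS, 445)
    r["forged_reply_stateful"] = forward(forged, fws)
    # The same boundary as a stateless ACL: the reply rule it needs is exactly what the forgery rides.
    stateless_fw2 = PacketFilter([Rule(HMI, "192.168.0.0/16", dport=MODBUS),
                                  Rule("192.168.0.0/16", HMI, sport=MODBUS)])
    r["forged_reply_stateless"] = stateless_fw2.allow(forged)
    # Figure 2: an HMI placed inside the control network reaches the PLC with no firewall between them.
    r["figure2_hmi_ssh_to_plc1"] = forward(Packet("192.168.10.50", PLC1, 40005, 22, syn=True), fws)
    return r
```

Running demo() shows the points the text makes: the plant workstation reaches the historian but never a PLC, because the plant-side firewall only knows about DMZ hosts; the HMI may open Modbus/TCP to the PLCs and the replies come back on the tracked flow without a reply rule; SSH from a compromised HMI to a PLC, and a Modbus connection from a work cell 1 PLC into work cell 3, are dropped; the forged source-port-502 packet is dropped by the stateful firewall but accepted by a stateless ACL that has to carry a reply rule; and an HMI that shares the control network with the PLC (Figure 2) crosses no firewall at all. Real stateful firewalls track more than this model (TCP sequence windows, idle timeouts, UDP pseudo-connections), but the decision logic is the same.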
For critical control applications where it is necessary to isolate a particular control system from the other control systems on the control network, a firewall can be used to create an isolated zone. In control applications such as emergency shutdown systems or the control of a critical process, the security provided by the additional firewall easily justifies its cost.

In Figure 4, two firewalls are used to create a DMZ between the plant network and the control network. The DMZ isolates the control network, and all of the control devices connected to it, from an attack coming from the plant or company networks. The control system in work cell 3 controls a critical process that requires a higher level of security. A firewall is placed between the PLC in work cell 3 and the switch that connects the three work cells to the control-side firewall of the DMZ. In this configuration, work cell 3 is protected from unauthorized access by devices that are inside the control network.

Figure 4: Work cell 3 is provided the highest level of security. (Diagram: plant and corporate network and Internet, to firewall, to DMZ with a local server accessed by both the control and plant networks, to firewall, to the control network switch serving work cells 1, 2 and 3, whose PLC systems use remote I/O, multi-rack I/O and Ethernet I/O; work cell 3 sits behind its own firewall.)

Firewall capabilities

An industrial grade firewall provides protection from systems and devices that are connected to the unsecured plant and / or corporate networks. The firewall must be properly configured and located at the network access points to the control network. Listed below are some capabilities which help to enhance the effectiveness of the firewall:

• Configuration of a physical separation between the control network and the plant and corporate networks
• Segmentation of control networks into security zones
• Identification of an "untrusted" port for the connection to plant and corporate networks that are not protected by the firewall
• Configuration of a "trusted" port for connection to the control network and the devices it protects
• Configuration of a control network structure that is invisible to the outside, so that hackers cannot determine the types of devices on the network
• Restriction of network traffic and selected services to authorized devices only, while still allowing secure information to be viewed by authorized users
• Support for communication "handshaking" on port connections, including autonegotiation, autopolarity, autocrossing and full or half duplex modes
• Control of communication messages based on the IP addresses of source and destination devices, the categories of data that can be transmitted and received, and proper alignment of device access to the services provided
• Stateful packet inspection, for assurance that all inbound data packets are the result of an outbound request
• Dynamic packet filter inspection of data packet source and destination addresses, so that undesired traffic can be blocked
• Virtual Private Network (VPN) connections, so that secure transfer of data over public networks to selected devices can be assured
• Protection from the flooding of devices with too much traffic or too many connections, through use of a Denial of Service traffic limiter
• Provision of security alarm and event logging information that can indicate when an attack or device failure is occurring
• Determination of which protocols and services should run over which ports of a device
• Anti-virus protection capability for the HTTP, FTP, SMTP and POP3 protocols
• Encryption capabilities that include Data Encryption Standard (DES), 3DES and Advanced Encryption Standard (AES); DES is broken and 3DES is deprecated, so new VPN configurations should select AES
• 1:1 Network Address Translation (NAT), with pass-through for FTP, IRC and Point-to-Point Tunneling Protocol (PPTP) in router mode; PPTP pass-through is not itself a secure tunnel, and PPTP's authentication is known to be weak, so it should not be relied on for remote access to control systems

Firewall limitations

A properly configured firewall will not protect against the following:

• Unauthorized access through connections that do not pass through the firewall (such as a dial-up modem)
• Internal attacks where the attacker bypasses the firewall and connects directly to the control system
• Software vulnerabilities where software packages used in the control system, such as HMI or SCADA, do not have up-to-date patches
• User error and social engineering
• Viruses or malware that enter the control system through an unprotected path, such as removable media or a laptop plugged into a control network switch

Industrial vs. IT grade firewalls

In most organizations, the IT group is tasked with Ethernet security installation, maintenance of firewalls, and other security measures. IT team members should be part of the industrial system survey process, but the selection of firewall devices should be based on the needs and capabilities of the control engineers who will implement and maintain the firewalls as part of the control systems. Industrial grade firewalls are different from commercial / IT grade firewalls. In control applications where interruptions in operation cannot be tolerated, an industrial grade firewall is the correct choice. Table 1 illustrates some of the important differences between IT and industrial firewalls.
Table 1: Differences between industrial grade and IT / commercial firewalls

• Configuration: an industrial grade firewall can be configured by the control engineer using web-based tools, with no IT knowledge required; an IT / commercial firewall requires IT personnel to configure and maintain it and knowledge of complex tools.
• Integration: industrial grade firewalls are designed to integrate with industrial controls; IT / commercial firewalls are designed for an office environment and are not part of the automation system, making dedicated protection for each system difficult.
• Availability: industrial grade firewalls are designed for continuous operation; in the IT world, shutdowns, reboots and unplanned interruptions to operation are accepted.
• Placement: an industrial grade firewall divides the automation system into work cells and provides protection by isolation; an IT / commercial firewall is a centralized security appliance, which leaves security gaps at plant level.
• Hardware: industrial grade firewalls are made of industrial grade components that withstand harsh environments (vibration, shock, heat); IT / commercial firewalls require a fan or cooling to work on the plant floor.
• Standards: industrial grade firewalls meet control system component standards; IT / commercial firewalls are susceptible to the electrical noise found in industrial environments.
• Maintenance: an industrial grade firewall can be maintained by a technician or engineer; an IT / commercial firewall must be configured by the IT department.

Commercial firewall technology is not designed to protect industrial process control networks.

Conclusion

A firewall is an integral part of any overall system security solution, but by itself a firewall will only protect the point of entry that it is connected to. No firewall system is 100% impenetrable, but a robust firewall will deter hackers and encourage them to look elsewhere for easier targets to exploit. Security is a process that begins with a plan that defines the roles and responsibilities of plant personnel, the types of actions and activities that are allowed to be performed, and clearly communicated consequences for non-compliance. An assessment of critical systems should be performed to identify communication paths and potential external access points. Network-attached devices should be audited to determine both their security capabilities and their vulnerabilities.

About the author

Joseph Benedetto is responsible for the global development of Schneider Electric's Industrial Ethernet Infrastructure products business. Over the last 35 years he has specialized in developing solutions for Schneider Electric's Industrial Automation customers. Over his career he has held various roles including Product Marketing, Industry Marketing, System Engineering and Application Engineering. Mr. Benedetto holds a Bachelor of Science degree in Industrial Engineering from Northeastern University.

© 2014 Schneider Electric. All rights reserved.
