Industrial Ethernet Book Issue 71 / 35

Securing Ethernet-based industrial networks - 1

Highly public lapses in the guarding of industrial networks have led to a new awareness. Security is an essential element of network design and management in today's industrial enterprise. Guidelines produced by the ODVA, and abridged here in two parts by James Hunt, introduce the concept of cyber-security for Industrial Ethernet. They provide direction regarding important considerations for cyber security.

CONNECTIVITY to all enterprise processes has increased productivity and reduced the time to market for new offerings, but it has also opened a new path for both desirable and undesirable connections.


The cost of implementing security should be weighed against the loss of assets: product, plant, production, intellectual property, injury, and/or damage to personnel, products, tools, machines, the environment and company reputation

Many of today's industrial networks and application layers use standard Ethernet with Internet Protocol to connect to the enterprise network and, in turn, the Internet. The benefits include increased visibility of plant-floor activities, integration with back-office applications, and lower total cost of ownership. However, this connectivity also affects the security and availability of the industrial network, and of the automation and control systems it interconnects.

Security should be weighed against the potential loss of assets (including product, plant, production or intellectual property), and against injury to or damage of personnel, products, tools, machines, the environment or company reputation. There is no 'one-size-fits-all' solution to improving security; it requires changing processes and managing risk.

The right approach

The first step in determining a security strategy for an industrial network running EtherNet/IP or a similar application protocol is to identify potential risks. These concepts are developed in ISA99's Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program. An earlier ISA99 document is also useful: Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts, and Models.

The risk for any particular device or system is the expectation of loss, expressed as the probability that a particular threat will exploit a particular vulnerability with a particular consequence.

While security incidents in the IT environment can result in the loss or corruption of information, in industry cyber-security incidents can physically affect production or the health, safety or environment of the organisation and the surrounding community. For each risk, these questions should be asked:

What are the consequences?

What is the likelihood of the risk occurring?

How does the cost of prevention compare with the cost of the impact?

Reducing risk

There are several general ways to reduce risk. The first is a Defence-in-Depth approach. No single device or method will secure a network, so a system must be built in which many layers of protection work together. Defence-in-Depth applies to both the network's physical and electronic security. To physically secure the network, control access to the network devices: very few factory-floor personnel need access to all industrial applications, so limit access as far as possible.

To electronically secure the network, install multiple barriers or virtual walls around and within it. This makes an attack more difficult and limits its spread should one occur.

The second way is to institute a process which ensures that all devices have the most recent security patches and anti-virus updates.

A third way is to minimise the time to recovery. Regardless of how many methods are used to prevent an attack, users should be prepared to handle an incident. They should keep copies of system configurations, plant diagrams, etc., stored in a secure location for disaster recovery.

Costs and tradeoffs

There are significant benefits to connecting automation and control networks with enterprise networks, but there are tradeoffs between risks and costs. Security is about minimising the risks and threats while taking maximum advantage of the benefits. For example, in connecting the plant to the enterprise, certain types of traffic flows and applications may be allowed to communicate, but others with greater risk need to be restricted.

EtherNet/IP, like most industrial protocols, uses unencrypted messaging. Encrypting and decrypting messages would significantly increase both the cost of, and the processing delays in, the end devices. In addition, most automation and control networks are protected through network isolation (air gaps) or through numerous complementary security techniques (Defence-in-Depth). For example, one method of increasing availability is to limit the traffic allowed to flow into the automation and control network; restricting that flow to trusted devices on the plant floor significantly reduces risk. (This describes the protocol at the time of writing; ODVA has since published the CIP Security specification, which adds TLS/DTLS-based authentication and encryption to EtherNet/IP for devices able to support it.)

Confidentiality, authentication and integrity are normal parts of any secure communication over the Internet, but there they are handled by comparatively large and expensive communication devices. Requiring industrial end devices to perform encryption would either drastically slow communication rates, slow down the ability to perform control functions, or require far more expensive CPUs to be installed in those devices. The delays caused by encryption, decryption and the increased CPU overhead simply cannot be tolerated in most automation and control systems.

IT vs industrial requirements

The IT and industrial departments employ different methods to achieve their goals because of differing requirements. IT networks, outside of data centres and servers, have relatively low requirements for determinism and availability. A user can wait many seconds for a web page to load or wait hours for a problem to be fixed. Industrial networks, however, have much stricter requirements for determinism and availability.

Many industrial processes require message timings on the order of tens of milliseconds and 99.999% availability. Determinism and availability requirements for both groups may become more stringent as the IT department adds voice and video traffic on their network, and as multi-axis motion control and safety is added to industrial networks.

IT departments achieve their goals by providing many layers of security. One such layer is the firewall that separates the entire enterprise network from the Internet and other networks. It inspects all incoming and outgoing packets and drops any potentially harmful ones. Within the enterprise network, another layer of security is provided by limiting who can access a given set of data. Yet another layer is provided by requiring all network servers and PCs to have the latest antivirus signatures and OS patches.

Security - working with IT

If an OS patch were applied to a machine on the automation network the moment it became available, the machine would have to be rebooted, which is clearly unworkable for a running automation system. Instead, the automation department should work with the IT department to explain the automation requirements. Often these match the requirements for data-centre systems, where patches are applied during scheduled downtime, and the same thinking can be applied to automation systems.


Controlled loss: The risk for any particular device/system is the expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular consequence

It is also important for automation departments to explain traffic patterns to other departments. Usually, devices that communicate via EtherNet/IP do not access or send information with devices outside the company, so the risk of a virus infiltrating the enterprise network from an EtherNet/IP device is very low.

Also, based on traffic patterns, network filters and firewalls can be configured to prevent security problems on the enterprise network from affecting devices on the industrial network and vice versa.
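As an added illustration (not part of the ODVA guidance or of this article), the allow-list idea in the two paragraphs above can be written down as an explicit policy and checked against observed flows. The zones, address ranges, conduits and log records below are assumptions constructed for the example; the EtherNet/IP port numbers (TCP 44818 for explicit messaging, UDP 2222 for implicit I/O) are the protocol's well-known ports.

```python
"""Allow-list check for flows crossing the enterprise/industrial boundary.

Added example, not part of the ODVA guidance: a small policy engine for the
idea in the text that only known traffic patterns may pass between the
enterprise network and the EtherNet/IP network, and that everything else is
dropped in both directions. Zone names, address ranges and the log lines
are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# EtherNet/IP well-known ports: TCP 44818 carries explicit (CIP request/reply)
# messaging, UDP 2222 carries implicit (cyclic I/O) messaging.
ENIP_EXPLICIT_TCP = 44818
ENIP_IO_UDP = 2222

# Assumed zones for the example: an office LAN, a plant DMZ and one cell.
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.2.0.0/24"),
    "cell": ipaddress.ip_network("192.168.10.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


# The only conduits that exist. Cyclic I/O never leaves the cell, only the
# historian in the DMZ may open explicit CIP sessions into the cell, and the
# office reaches plant data through the DMZ web front end, never the PLC.
ALLOW = [
    Rule("cell", "cell", "udp", ENIP_IO_UDP),
    Rule("cell", "cell", "tcp", ENIP_EXPLICIT_TCP),
    Rule("dmz", "cell", "tcp", ENIP_EXPLICIT_TCP),
    Rule("enterprise", "dmz", "tcp", 443),
]


def zone_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """Return 'allow', or 'deny: <reason>'. The default is deny."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "deny: unknown zone"
    for r in ALLOW:
        if (r.src_zone, r.dst_zone, r.proto, r.dport) == (sz, dz, proto.lower(), dport):
            return "allow"
    return f"deny: no conduit {sz}->{dz} {proto}/{dport}"


def check_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Evaluate constructed 'src dst proto dport' records (one per line)."""
    out = []
    for line in lines:
        src, dst, proto, dport = line.split()
        out.append((line, evaluate(src, dst, proto, int(dport))))
    return out


# Constructed flow records, as a firewall or flow collector might log them.
SAMPLE = [
    "192.168.10.5 192.168.10.20 udp 2222",   # cyclic I/O inside the cell
    "10.2.0.10 192.168.10.20 tcp 44818",     # DMZ historian polling the PLC
    "10.1.5.7 192.168.10.20 tcp 44818",      # office PC straight to the PLC
    "192.168.10.30 10.1.5.7 tcp 445",        # cell HMI reaching office SMB
    "10.1.5.7 10.2.0.10 tcp 443",            # office PC to the DMZ web front end
]

if __name__ == "__main__":
    for line, verdict in check_log(SAMPLE):
        print(f"{verdict:<40} {line}")
```

Anything that is not an enumerated conduit is denied, in both directions. In practice the same table is what gets translated into the firewall or router ACL between the zones, and a check like this is useful for testing that translation against exported flow logs.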

Best practices

The following breaks down best practices by the type of industrial network installation, where each type represents a level of interconnectivity between the industrial and enterprise networks. The security approach should align with the size and connectivity of the network. Moreover, installations grow and migrate over time, so the security considerations for the industrial network should evolve in parallel.


Integrating the industrial network with the enterprise network: a risk factor behind a potential security incident

The best practices outlined with each type of network are, therefore, additive - the security best practices for an isolated control network with a single controller would also apply to an isolated control network having many controllers.

An isolated control network with a single controller is the smallest and least complex type (Fig. 1). Such networks may be found in small, single-operator shops, or there could be a large number of isolated work cells within one organisation. Although they have only a single controller, they may have a large number of adapters and I/O points that require many switches.


Fig. 1: An isolated control network with single controller. Such networks may only have a single controller, but can have a large number of adapters and I/O points that require many switches.

Because these systems are considered small and isolated from the enterprise network, the risks are limited. An attacker would have to be in direct contact with the network to affect its operation. The main threat is from infected computer resources (laptops, USB sticks and other media attached via a computer on the network). Users should scan all devices prior to connecting them, or have a company-owned, secured laptop available for users who need to connect for maintenance or debugging. Even systems that are free of viruses can affect availability if, for example, they are configured to act as a DHCP server or have incorrectly configured network settings.

Another possible threat is the destruction or manipulation of the controller code (unintentional or intentional). Since these systems usually don't have many operators, there may not be any tracking of changes made to the controller or other network devices. The consequence is usually the unavailability of the controller or other resource. An incident may have health, safety or environmental effects, but these will typically be limited to the area around the industrial network. Configurations should be backed up and stored in a secure location, so that a damaged or altered program can be compared with a known-good copy and restored.

Managed switches

While not required for performance reasons in an isolated control network, managed switches can improve network security. They can be configured to limit the traffic rate on a per-port basis, based on known traffic patterns, and to apply port-based security (e.g., MAC or IP port security). The switch's management features (e.g., QoS, and IGMP snooping, which confines multicast I/O traffic to the ports that have asked for it) can also improve network security, and the effect of a network storm caused by a virus or damaged equipment can be minimised this way. Users should be careful to configure traffic filters so that normal traffic isn't blocked. Switch ports not regularly used should be disabled to prevent accidental connection to the industrial network.

Device maintenance

It is fairly common for larger users to have maintenance contracts on some devices that require a technician to monitor and perform regular maintenance on a device, either locally or via secure remote access. If maintenance is being conducted locally, a strict policy must be enforced on access to the industrial and enterprise networks. Individuals should not be allowed to connect unknown devices without first being checked for current anti-virus updates, software patches or compatibility with the network and applications.

If the maintenance needs to be conducted remotely (dial-up phone line, cellular router, VPN, Internet, etc.), then the network is considered to be enterprise connected and an integrated system, and should be treated as such. A security policy and procedure must be enforced, dictating the authorised users and activity for this connection. The remote connection should use a network segmentation device and should be monitored for any activity outside the recognised security policy.

If the device has a web interface or SNMP, change the default password and any default SNMP community strings. Avoid posting the password in a public or otherwise non-secure location. Disable unnecessary ports and services.

End-device security

Devices on the industrial network that run a commodity OS are exposed to malware such as viruses, worms, Trojan horses and other common end-device attacks, which usually target that OS. Anti-virus software and regular patching are the common mechanisms for reducing the potential of an attack, or of downtime resulting from one.

An end device in an industrial network may not be patched as easily or as regularly as, for example, an enterprise computer, but a regular maintenance schedule should be developed and kept. Many embedded systems, such as PLCs/PACs or EtherNet/IP remote I/O, do not use such commodity operating systems. These systems are less complex and support fewer networking features than an office PC, so they need fewer security updates.

Since many EtherNet/IP devices use non-IT hardware and operating systems, the number of viruses, worms, Trojan horses, etc. targeting them has remained minimal. However, industrial automation and control systems may still be affected by standard DoS attacks on the network, and PC-based EtherNet/IP devices can be compromised through standard email, web-page and file-exchange attack methods.

End devices having common operating systems, such as a Windows-based machine, should have security applied for protection such as virus software and should be upgraded and maintained on a regularly scheduled basis. In addition, the use of browser and other Internet applications has been a significant source of security breaches and attacks. Consider limiting Internet access or network accessibility of end-devices in the production environment.

Network management

This plays a key role in any automation and control security approach. Monitoring network and application services is key to recognising and reacting to attacks or breaches. For example, attacks based on sending malformed packets allow an attacker to either disrupt or take over commercial or industrial devices. Malformed packet attacks are possible because of incomplete or non-robust implementations of the existing TCP/IP suite and industrial protocols. Malformed packets and other improper communication can adversely affect performance, or could breach a device.

Managing and monitoring of the network and automation and control devices for CIP errors will help identify and stop such threats, or at least identify possible security breaches. Best practices include setting thresholds in the end devices and controllers to warn operations personnel that abnormally high packet failures or other unexpected conditions have occurred. Similarly, monitoring and management of key network statistics and errors can help prevent attacks targeted at both end devices and the network infrastructure itself.
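The threshold alerting recommended in the paragraph above can be implemented against the counters a device already exposes. The following is an added example, not code from ODVA or from this article; the counter samples are constructed and the field names are assumptions.

```python
"""Threshold alerting on packet-failure counters, as the text recommends.

Added example, not part of the ODVA guidance. The input is a constructed
series of cumulative counters polled from one device (the kind of figures
an EtherNet/IP adapter exposes through its TCP/IP and Ethernet Link objects,
or a switch port's error counters); the field names and numbers are assumed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Sample:
    t: int     # seconds since polling started
    ok: int    # cumulative packets handled correctly
    err: int   # cumulative malformed / failed packets


def interval(prev: Sample, cur: Sample) -> Optional[Tuple[int, int]]:
    """Per-interval counts; None if a counter went backwards (reset or rollover)."""
    d_ok, d_err = cur.ok - prev.ok, cur.err - prev.err
    if d_ok < 0 or d_err < 0:
        return None
    return d_ok, d_err


def alerts(samples: List[Sample], max_err_rate: float = 0.01, consecutive: int = 2) -> List[str]:
    """Alert when the error rate exceeds max_err_rate for `consecutive` polls
    in a row (a single noisy interval is not treated as an incident), and
    whenever the counters reset, which on its own is worth a look."""
    out: List[str] = []
    streak = 0
    for prev, cur in zip(samples, samples[1:]):
        d = interval(prev, cur)
        if d is None:
            out.append(f"t={cur.t}: counters reset (device restart or rollover)")
            streak = 0
            continue
        d_ok, d_err = d
        total = d_ok + d_err
        rate = d_err / total if total else 0.0
        if rate > max_err_rate:
            streak += 1
            if streak >= consecutive:
                out.append(f"t={cur.t}: error rate {rate:.1%} over the last {cur.t - prev.t}s "
                           f"({d_err} of {total} packets)")
        else:
            streak = 0
    return out


# Constructed polling data: quiet operation, then a burst of malformed
# traffic, then the device restarts.
POLL = [
    Sample(0, 0, 0),
    Sample(10, 1000, 2),     # 0.2 %: normal
    Sample(20, 2000, 4),     # 0.2 %: normal
    Sample(30, 2300, 80),    # 20 %: first bad interval, no alert yet
    Sample(40, 2500, 220),   # 41 %: second in a row, alert
    Sample(50, 2800, 240),   # 6 %: still elevated, alert
    Sample(60, 100, 1),      # counters went backwards: reset
    Sample(70, 1100, 1),     # back to normal
]

if __name__ == "__main__":
    for line in alerts(POLL):
        print(line)
```

Two design points: a single noisy interval does not raise an alert, because one burst of errors is common during cabling work, and a counter that goes backwards is reported separately, because an unexpected restart is itself a symptom worth investigating.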

Using encrypted access to the network infrastructure is an IT best practice that is equally suited to plant networks: SNMPv3, SSH and HTTPS should be used for accessing and managing infrastructure devices in place of SNMPv1/v2c, Telnet and HTTP, which carry credentials and configuration in the clear. Encryption should be accompanied by authentication and authorisation for access to the network infrastructure (logins, passwords and access to individual parameters). Simple actions such as posting a banner on the login page stating which switch is being accessed can help limit errors and unintentional mistakes.
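The management-plane points above, together with those in the 'Managed switches' and 'Device maintenance' sections (port security, storm control, shutting down unused ports, changing defaults, disabling unneeded services), can be audited from an exported running-config. The following is an added example rather than anything from ODVA or this article; the configuration it checks is a constructed Cisco IOS-style snippet and the checks are deliberately narrow.

```python
"""Audit a switch running-config for the hardening points in the text.

Added example, not from the ODVA guidance. The configuration below is
constructed in Cisco IOS style; the parser understands only the commands
it checks (SNMP communities, HTTP/telnet management, enable secret, login
banner, port-security, storm-control, shutdown of spare ports).
"""
import re
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
hostname cell-sw1
enable password cisco
ip http server
snmp-server community public RO
snmp-server group ops v3 priv
banner login ^C Authorised access to cell-sw1 only ^C
!
interface GigabitEthernet1/0/1
 description PLC-1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 storm-control broadcast level 1.00
!
interface GigabitEthernet1/0/2
 description HMI-1
 switchport mode access
!
interface GigabitEthernet1/0/3
 description spare
 switchport mode access
 shutdown
!
interface GigabitEthernet1/0/4
 description unused
 switchport mode access
!
line vty 0 4
 transport input telnet ssh
!
"""


def parse(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return top-level lines and a map of section header -> indented body."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
        elif line.startswith(("interface ", "line ")):
            current = line
            sections[current] = []
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = None
            top.append(line)
    return top, sections


def audit(config: str) -> List[str]:
    findings = []
    top, sections = parse(config)
    if any(l.startswith("snmp-server community ") for l in top):
        findings.append("SNMPv1/v2c community configured; use SNMPv3 (authPriv) only")
    if "ip http server" in top:
        findings.append("plain HTTP management enabled; use 'ip http secure-server' and 'no ip http server'")
    if any(l.startswith("enable password ") for l in top):
        findings.append("'enable password' is reversible; use 'enable secret'")
    if not any(l.startswith("banner login ") for l in top):
        findings.append("no login banner identifying the device")
    for name, body in sections.items():
        if name.startswith("line vty"):
            transports = [l for l in body if l.startswith("transport input")]
            if not transports or any("telnet" in t or t.endswith(" all") for t in transports):
                findings.append(f"{name}: telnet permitted; set 'transport input ssh'")
            continue
        if not name.startswith("interface "):
            continue
        if "shutdown" in body:
            continue  # a disabled port needs no further checks
        desc = next((l for l in body if l.startswith("description ")), "")
        if re.search(r"spare|unused", desc, re.I):
            findings.append(f"{name}: marked {desc[12:]!r} but not shut down")
            continue
        if not any(l.startswith("switchport port-security") for l in body):
            findings.append(f"{name}: enabled without port-security")
        if not any(l.startswith("storm-control") for l in body):
            findings.append(f"{name}: enabled without storm-control")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("-", f)
```

Run against a real export, the interesting output is usually the ports: a switch with a clean management plane but thirty enabled, unlabelled access ports is exactly the "many open and susceptible network ports" the multi-controller section warns about.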

Many controllers

Larger installations may need more than one controller on the industrial network, but corporate policy may require that the industrial network be isolated from the enterprise network (Fig. 2). Networks of this type can have a multi-layered architecture using managed switches and VLANs to segment the larger number of devices, including local servers. Controllers can be put into different VLANs to improve overall system performance and availability by separating traffic between devices.


Fig. 2: An isolated control network with many controllers. Networks of this type can have a multi-layered architecture using managed switches and VLANs to segment the larger number of devices, including local servers.

Because of the extra complexity of such networks, it is possible for an incident at one end of a facility to affect a device on the other end, although VLANs help limit the effect. An attacker would still need to be in direct contact with the network to affect plant operations but this may occur more often than in single controller networks. A larger organisation may have contractors working alongside employees maintaining or operating equipment. The industrial network may exist throughout an entire facility and, in addition, may have many open and susceptible network ports.

As with the single-controller network, one of the main threats comes in the form of infected computer resources. Another threat shared between single- and multiple-controller systems is the unintentional or intentional destruction or manipulation of the controller code. In the multiple-controller case, it may be because of an attacker maliciously attempting to affect the process, or it could come from the plant engineer uploading a program to the wrong controller. In general, these incidents would be very similar to the single-controller case, but the consequences would not be limited to the local area. An incident at one location may affect the area surrounding the controller, another area at the facility, or the entire facility. Incidents on this type of network would not typically affect many facilities unless a dedicated industrial network had been configured between those facilities.
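The 'wrong controller' case above can be caught mechanically: before a download, query the target's identity and compare it with the project record. As an added example (not ODVA's or this article's code), the block below builds and parses an EtherNet/IP ListIdentity reply and reports the mismatches that should block the download. The identities, serial numbers and addresses are constructed; no network traffic is sent.

```python
"""Check a controller's identity before downloading a program to it.

Added example, not from the ODVA guidance. It builds and parses an
EtherNet/IP ListIdentity reply (encapsulation command 0x0063, CPF item
0x000C) and refuses a download unless vendor ID, product code and serial
number match the project's record. The reply bytes are constructed here;
no device is contacted, and the identity values are made up.
"""
import struct
from dataclasses import dataclass
from typing import List

LIST_IDENTITY = 0x0063
CIP_IDENTITY_ITEM = 0x000C
ENCAP_HDR = "<HHII8sI"    # command, length, session, status, sender context, options
IDENT_FMT = "<HHHBBHIB"   # vendor, type, product code, rev major/minor, status, serial, name len


@dataclass(frozen=True)
class Identity:
    vendor_id: int
    device_type: int
    product_code: int
    revision: str
    serial: int
    product_name: str
    ip: str


def build_list_identity_reply(ident: Identity, port: int = 44818) -> bytes:
    """Encode a reply the way a device would (used here only to make test input)."""
    name = ident.product_name.encode("ascii")
    major, minor = (int(x) for x in ident.revision.split("."))
    # sockaddr_in is the one big-endian field in an otherwise little-endian packet.
    sock = struct.pack(">hH4s8x", 2, port, bytes(int(o) for o in ident.ip.split(".")))
    body = (struct.pack("<H", 1) + sock
            + struct.pack(IDENT_FMT, ident.vendor_id, ident.device_type, ident.product_code,
                          major, minor, 0x0030, ident.serial, len(name))
            + name + struct.pack("<B", 3))          # state 3: operational
    cpf = struct.pack("<HHH", 1, CIP_IDENTITY_ITEM, len(body)) + body
    return struct.pack(ENCAP_HDR, LIST_IDENTITY, len(cpf), 0, 0, b"\x00" * 8, 0) + cpf


def parse_list_identity_reply(pkt: bytes) -> Identity:
    cmd, length, _sess, status, _ctx, _opts = struct.unpack_from(ENCAP_HDR, pkt, 0)
    if cmd != LIST_IDENTITY or status != 0 or len(pkt) != 24 + length:
        raise ValueError("not a well-formed ListIdentity reply")
    count, item_type, item_len = struct.unpack_from("<HHH", pkt, 24)
    if count != 1 or item_type != CIP_IDENTITY_ITEM or item_len != length - 6:
        raise ValueError("unexpected CPF item")
    off = 32                                         # past the 2-byte protocol version
    _fam, _port, ip_raw = struct.unpack_from(">hH4s", pkt, off)
    off += 16
    vendor, dtype, pcode, major, minor, _st, serial, nlen = struct.unpack_from(IDENT_FMT, pkt, off)
    off += struct.calcsize(IDENT_FMT)
    name = pkt[off:off + nlen].decode("ascii")
    return Identity(vendor, dtype, pcode, f"{major}.{minor}", serial, name,
                    ".".join(str(b) for b in ip_raw))


def download_blockers(expected: Identity, observed: Identity) -> List[str]:
    """Mismatches that must stop a download; an empty list means proceed."""
    out = []
    for field in ("vendor_id", "product_code", "serial"):
        e, o = getattr(expected, field), getattr(observed, field)
        if e != o:
            out.append(f"{field}: project expects {e}, device reports {o}")
    return out


# Constructed identities: the controller the project belongs to, and its twin
# in the next cell that an engineer could easily pick by mistake.
ON_RECORD = Identity(1, 0x0E, 150, "20.11", 0x00C0FFEE, "Line-1 PLC", "192.168.10.20")
NEXT_CELL = Identity(1, 0x0E, 150, "20.11", 0x00BADBAD, "Line-2 PLC", "192.168.10.21")

if __name__ == "__main__":
    seen = parse_list_identity_reply(build_list_identity_reply(NEXT_CELL))
    for line in download_blockers(ON_RECORD, seen) or ["identity matches, download may proceed"]:
        print(line)
```

Matching on vendor ID, product code and serial number rather than on IP address is the point: addresses get reused and mistyped, while the serial number is fixed in the hardware. The same parser is what a ListIdentity broadcast scan of the cell would use to inventory devices.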

Networks having many controllers can be larger and more complex than any one person can manage, so it is good practice to develop detailed policies and procedures to ensure that security practices are being followed. The industrial network should be designed to protect the devices and controllers from inadvertent events that may disrupt normal operations.

www.odva.org


© 2010-2014 Published by IEB Media GbR · Last Update: 16.09.2014