ISPE Automation Forum
Cyber Security: Where Do I Begin?
Don Dickinson, Project Engineer, Phoenix Contact

Headlines
- 50% more infected Web pages in the last three months of 2008 than in all of 2007. Click on one and you won't notice anything. Your PC gets turned into an obedient "bot" deployed to attack other computers. All of your sensitive data get stolen. Source: USA Today 03.17.09
- A widespread and coordinated attack on web sites for the Departments of Homeland Security and Defense, the Federal Aviation Administration and the Federal Trade Commission... (Computer Emergency Response Team, CERT)
- The Pentagon has spent more than $100M in the past six months responding to and repairing damage from cyber attacks and other network problems... "... we recognize that we are under assault from the least sophisticated – what I would say is the bored teenager – all the way up to the sophisticated nation-state..." Source: USA Today 04.08.09
- 18 year olds have a lot of free time, and crave attention! Just hours before Microsoft officially released IE8, a German computer student hacked the browser and won a contest! "...broke into within minutes by exploiting a previously unknown vulnerability in the new browser," said the manager of security response at 3Com Corp's TippingPoint, THE CONTEST SPONSOR!
- Spies hacked into the US electric grid and left behind computer programs that would let them disrupt service, exposing potentially catastrophic vulnerabilities in key pieces of national infrastructure. "...the level of sophistication necessary to pull off such intrusions is so high that it was almost certainly done by state sponsors." Source: News & Observer 04.10.09
- The hacking community spreads its knowledge (they even have camps).
- "Obama setting up better security for computers", by Lolita C. Baldor, Associated Press Writer, Fri May 29, 2:52 pm ET. Obama said the U.S. has reached a "transformational moment" when computer networks are probed and attacked millions of times a day. "It's now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation," Obama said, adding, "We're not as prepared as we should be, as a government or as a country."

Cyber threats
Unauthorized access to a control system, directed from within an organization by trusted users or from remote locations by unknown persons using the Internet.

Industrial Network Security: A Real and Growing Imperative
- Deployment of Industrial Ethernet is growing at 50% per year
- Increasing use of standard IT components in the industrial environment
- Systems become more open for integration ... and for damage
- Vulnerabilities spread from office IT to the shop floor
- 1000+ vulnerabilities and exploits reported each year (Source: CERT Coordination Center)

Securing Control Networks: More Than Just Security
March 2008: the Hatch nuclear plant in Georgia is forced into an emergency shutdown for two days as a result of a software update on a single business computer!

Why Networks Need Security
Threats:
- Network overload by technical defects, broadcast storms
- Accidental human errors: maloperation, introduction and dissemination of malware, phishing
- Malware (worms)
- Intended, targeted attacks from inside and outside: sabotage, espionage, white-collar crime, cyber terrorism
Potential damages (risks):
- Loss of production
- Damage caused to health and environment
- Loss of intellectual property (process knowledge and data)
- Loss of compliance (e.g. FDA in pharmaceuticals)
- Damage to corporate image

Network Security: Industrial vs. Office Installations
Protecting industrial networks is quite different:
- Older operating systems, for which security software is unavailable
- Heterogeneous hardware and software
- Tough environmental conditions
- System life cycles of 10-20 years
- "Never touch a running system"
- Lack of IT security expertise
- Potential economic damage in production is much more substantial

Use of Routers to Secure Control Systems
Routers provide key security functions:
- Firewall
- Routing and NAT routing: routing allows for network separation and segmentation; NAT allows for duplicate IP address schemes on a network
- VPN: provides secure remote connectivity

Old Security Model: Perimeter Based
Initial security models had all defense efforts focused on the perimeter. This worked OK, but if the perimeter was breached the attacker had the run of the place. The Great Wall of China was an awesome defensive structure, but when it was breached by the Manchurians, the Ming dynasty fell. A better strategy is defense in depth.

"Defense in Depth"
- Security concept borrowed from the military
- It is more difficult for an enemy to penetrate many smaller and varied layers of defense than one single large layer that may have a flaw.
- Limits the scope of an attack to only the layer(s) that have been breached. The rest of the network is protected.
- A breach of the outer layers can signal an alarm that an attack is ongoing, allowing protective measures to take place before all is lost.

Defense in Depth with an Industrial Router
An industrial router can be used in conjunction with IT's security infrastructure to enhance the safety of the network:
- The IT corporate firewall typically protects from outside threats
- The IT router protects corporate office network segments
- The industrial router protects the control and industrial network segments and individual devices
[Diagram: Internet, corporate firewall, IT router, industrial router]

Firewall Application Scenarios
Remember: security isn't just IT's responsibility, and it isn't just the plant floor's responsibility; everyone has a role to play.
- A single mGuard can protect a subnet of over 100 devices! The switch behind it can be unmanaged or managed (SFN, Lean, etc.).
- Protecting a single device: if it is a PC, you could use an mGuard PCI.

Why Is a Router Used?
- Back in the "old days" of shared bandwidth (half duplex and hubs), more nodes caused so many collisions that communication was stifled. Routing reduces the broadcast domain and the collision domain.
- Widespread and WAN communications
- Better security model: protect information by putting it on a separate subnet.
- Better administration: separate traffic into logical groups like "Accounting, HR, etc." or into physical groups like 1st floor, 2nd floor, etc.
- Allows for redirection based on IP information or upper-level protocols (e.g. TCP or UDP port information).

Routing: What Is It?
- Routing vs. switching: Layer 3 vs. Layer 2; logical IP address vs. hard-coded MAC address
- Used to segment traffic into "subnets"
- Calculates paths to get from Point A to Point B, whether B is in the same row or around the world
- Devices use a "default gateway" address to point to a router
- Gives access to higher-level protocols such as TCP and UDP

OSI Model
- Application, Presentation, Session: managed by the applications communicating (e-mail, web, etc.)
- Transport: routers/firewalls/other gateways
- Network: routers
- Data Link: switches
- Physical: hubs

Routing / NAT Routing Application Scenarios
- Use routing to insulate and isolate the control network from the IT network, or even from other control networks.
- NAT routing allows equipment on the same network to use the same IP scheme, e.g. identical production cells: mGuard allows them to have unique external addresses but the same internal addresses. Easier to program and maintain!
- mGuard can be used to segment a LAN or to connect to the Internet.

Network Address Translation (NAT)
NAT is the translation of an IP address used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside. Typically, a company maps its local inside network addresses to one or more global outside IP addresses and unmaps the global IP addresses on incoming packets back into local IP addresses.
1:1 NAT maps each "inside" address to a unique "outside" address. For example: 192.168.11.x = 214.136.75.x. This allows for multiple instances of the same IP addresses on the same network, which is useful with multiple identical lines.

Virtual Private Networking (VPN)
- Establishes a "tunnel" across the Internet to allow for remote support, diagnostics, pulling data: basically anything that requires communication between local and remote sites.
- Distance or intermediary hops are of no concern; that is, the circuit is a virtual one and the physical path to get from Point A to Point B can change without interruption of or interference with the tunnel.
- Ideal for secure communications between multiple networks or multiple hosts.

Why Do I Need a VPN?
- Remote connectivity
- Diagnostics and alarming
- Data pull or push
- Support
- Security of data
- Utilizes the ubiquity of the Internet instead of costly point-to-point lines (e.g. T1, T3), or the poor speed, additional wiring and recurring costs of multiple analog connections.
- All in all, a great way to improve support, ease administration, reduce downtime and cut travel costs.

Basic VPN Concept
- Initial authentication takes place between the gateway and the client.
- A packet to be sent to a remote location is first encrypted at one VPN gateway.
- The receiving VPN gateway at the remote location is responsible for decrypting the packet and sending it to the host.
- Contents are safe from sniffing or corruption on the Internet.
[Diagram: private network, encryption, Internet (IPsec VPN, encrypted data), decryption, private network]

VPN Application Scenarios
- Secure remote connectivity allows for better, more cost-effective support and the ability to communicate with remote sites to gather data, alarm events, remote configuration, control processes, etc.
- mGuards can connect when they are in firewall (Stealth) mode or in router mode.
- An mGuard can connect to another mGuard directly.
- A single mGuard can support multiple concurrent connections.
- A connection can be established going through another device, or even from another device, e.g. a Cisco.

Software vs. Dedicated Hardware VPNs
- Software VPNs are commonly used to access the company network from remote sites. Is there a performance change on your computer when you are connected?
- mGuard provides much higher throughput than a software VPN: 70 Mb/s vs. 30-35 Mb/s for most software.
- Heavy data flow over software clients is a heavy drain on the CPU; depending on the encryption and compression algorithms used, it can consume 95% of CPU time.
- mGuard can handle 250 concurrent tunnels; software, only 1.
- Is your industrial PC's job to function in the control network, or to have its resources siphoned off to handle VPN connectivity?

Request a White Paper: HACKING THE INDUSTRIAL NETWORK
Send e-mail to ddickinson@phoenixcon.com, Subject: Cyber Security White Paper

ISPE Automation Forum
Questions?
Thank You
Don Dickinson, Project Engineer, Phoenix Contact
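The routing, 1:1 NAT and firewall slides above describe what the industrial router does for identical production cells; the following is an added example that models those three steps in code. It is not from the presentation or from Phoenix Contact: the two cells, the outside ranges, the plant-side source networks and the allowed ports are constructed sample values, and the functions only simulate the router's decisions.

```python
import ipaddress

# Constructed sample topology (an assumption for this example, not from the slides):
# two identical production cells both use 192.168.11.0/24 internally; the industrial
# router in front of each maps that range 1:1 onto its own unique outside /24.
CELL_NAT = {
    "cell_A": ("192.168.11.0/24", "214.136.75.0/24"),
    "cell_B": ("192.168.11.0/24", "214.136.76.0/24"),
}

# Constructed default-deny rule set for the cell router: plant-side traffic may only
# reach the HMI web port and the PLC's Modbus/TCP port; everything else is dropped.
ALLOW_RULES = [  # (source network, destination inside host, protocol, port)
    ("10.10.0.0/16", "192.168.11.10", "tcp", 80),
    ("10.10.5.0/24", "192.168.11.20", "tcp", 502),
]

def next_hop(src: str, dst: str, prefix_len: int, gateway: str) -> str:
    """Layer-3 decision a host makes: same subnet -> deliver directly, else use the default gateway."""
    subnet = ipaddress.ip_interface(f"{src}/{prefix_len}").network
    return "direct" if ipaddress.ip_address(dst) in subnet else gateway

def translate(addr: str, from_net: str, to_net: str) -> str:
    """1:1 NAT: keep the host part of the address and swap the network part."""
    src_net, dst_net = ipaddress.ip_network(from_net), ipaddress.ip_network(to_net)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1:1 NAT needs inside and outside ranges of equal size")
    ip = ipaddress.ip_address(addr)
    if ip not in src_net:
        raise ValueError(f"{addr} is not inside {from_net}")
    return str(dst_net.network_address + (int(ip) - int(src_net.network_address)))

def outbound(cell: str, inside_src: str) -> str:
    """Packet leaving a cell: the inside source address becomes the cell's unique outside address."""
    inside, outside = CELL_NAT[cell]
    return translate(inside_src, inside, outside)

def inbound(cell: str, outside_dst: str, src: str, proto: str, port: int):
    """Packet entering a cell: un-NAT the destination, then apply the default-deny firewall.
    Returns the inside destination address, or None if the packet is dropped."""
    inside, outside = CELL_NAT[cell]
    inside_dst = translate(outside_dst, outside, inside)
    for rule_src, rule_dst, rule_proto, rule_port in ALLOW_RULES:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(rule_src)
                and inside_dst == rule_dst and proto == rule_proto and port == rule_port):
            return inside_dst
    return None
```

Both cells keep the identical internal program (the PLC is always 192.168.11.20), while the plant side reaches them at 214.136.75.20 and 214.136.76.20; anything not matching an allow rule is dropped at the cell boundary.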