Electricity + Control

by Tim Craven, H3iSquared

The modern Internet has become a hostile environment, and having strong security measures in place is essential for small office networks and, certainly, for large scale control networks.

At a recent demonstration a device was connected to the Internet with direct port forwarding and no firewall to control or block traffic. Within a few seconds the device had automatically locked down all of its access interfaces, not only insecure ones such as Telnet but secure ones such as SSH as well. The lockdown was triggered by a flood of incorrect login attempts from locations around the world. None of these attempts were aimed at this particular device; they came from the automated programs that run 24/7 across the Internet, probing every reachable address for unprotected access interfaces. It was a small but highly effective demonstration of how hostile the modern Internet has become, and of why strong security measures are essential for even a small office network, never mind a large scale control network.
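As an added example (not code from the article or from the demonstrated device), the following Python reads constructed sshd-style auth log lines and compares two lockout policies: the global one the device in the demonstration applied, which counts failures from all sources together and shuts every interface, and a per-source policy that blocks only the offending address. The log lines, hostname, users and addresses are all made up for the example. The point a practitioner should take from it is that a global lockout lets unauthenticated strangers deny you your own management access, whereas per-source blocking leaves the legitimate engineer (10.10.20.5 here, who mistyped a password once) untouched.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in OpenSSH auth.log style. Hostname, users and addresses are
# made up (RFC 5737 documentation ranges plus one private management address);
# nothing here comes from the device described in the article.
SAMPLE_LOG = """\
Mar  3 10:15:01 rtu01 sshd[2310]: Failed password for root from 198.51.100.23 port 51022 ssh2
Mar  3 10:15:02 rtu01 sshd[2311]: Failed password for invalid user admin from 203.0.113.77 port 40112 ssh2
Mar  3 10:15:02 rtu01 sshd[2312]: Failed password for root from 198.51.100.23 port 51030 ssh2
Mar  3 10:15:03 rtu01 sshd[2313]: Failed password for invalid user pi from 192.0.2.9 port 60210 ssh2
Mar  3 10:15:03 rtu01 sshd[2314]: Failed password for admin from 198.51.100.23 port 51036 ssh2
Mar  3 10:15:04 rtu01 sshd[2315]: Accepted publickey for engineer from 10.10.20.5 port 52244 ssh2
Mar  3 10:15:04 rtu01 sshd[2316]: Failed password for root from 203.0.113.77 port 40118 ssh2
Mar  3 10:15:05 rtu01 sshd[2317]: Failed password for invalid user support from 192.0.2.9 port 60218 ssh2
Mar  3 10:15:06 rtu01 sshd[2318]: Failed password for engineer from 10.10.20.5 port 52250 ssh2
Mar  3 10:20:30 rtu01 sshd[2402]: Failed password for root from 198.51.100.23 port 51100 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text, year=2024):
    """Extract (timestamp, user, source_ip) for every failed password attempt.
    Classic syslog lines carry no year, so the caller supplies one."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                   "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events


def first_burst(timestamps, threshold, window_s):
    """Return the time at which `threshold` events have occurred within any
    sliding window of `window_s` seconds, or None if that never happens."""
    ts = sorted(timestamps)
    window = timedelta(seconds=window_s)
    start = 0
    for end, t in enumerate(ts):
        while t - ts[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return t
    return None


def global_lockout(events, threshold=5, window_s=60):
    """The policy the demonstrated device applied: count failures from *all*
    sources together and shut every interface when the threshold is reached.
    Returns the lockout time as an ISO string, or None."""
    hit = first_burst([t for t, _, _ in events], threshold, window_s)
    return hit.isoformat() if hit else None


def per_source_blocks(events, threshold=3, window_s=60):
    """The alternative: count failures per source address and block only the
    offending address (the fail2ban model). Returns {ip: block_time_iso}."""
    by_ip = defaultdict(list)
    for t, _, ip in events:
        by_ip[ip].append(t)
    blocks = {}
    for ip, ts in by_ip.items():
        hit = first_burst(ts, threshold, window_s)
        if hit is not None:
            blocks[ip] = hit.isoformat()
    return blocks


def distinct_sources(events):
    """Sorted list of every address that produced a failure."""
    return sorted({ip for _, _, ip in events})


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("failed attempts:", len(ev), "from", distinct_sources(ev))
    print("global lockout at:", global_lockout(ev))
    print("per-source blocks:", per_source_blocks(ev))
```

With the sample above the global policy trips at 10:15:03 on the fifth failure, locking out the engineer along with the scanners, while the per-source policy blocks only 198.51.100.23. On a real management interface the per-source rule should be combined with an allow list of the engineering hosts, so that Internet noise can never cost you your own access.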

Background

The introduction of Ethernet networking into the utility and industrial worlds was a definite milestone. It brought the ability to control huge enterprises spread across large geographical areas without thousands of individual hardwired connections and the additional hardware, such as signal repeaters or amplifiers, that they require. Ethernet allows much more granular remote control and monitoring of both digital and analogue data over a single infrastructure. As the standards were widely adopted, the rest of the industry followed closely, with IEDs, PLCs and other end devices quickly being developed to directly support Ethernet based control protocols such as Modbus TCP (on the industrial side) or IEC 61850 [1] (in utility networks).

At first these networks were mostly isolated, smaller networks serving a single plant, substation or factory, but this quickly expanded to interconnecting these smaller sites, with the end goal of a single network covering all of a company's assets. In some cases this interconnection is accomplished over company-owned infrastructure, such as long distance fibre optic cabling between sites. In most cases, however, the cost of such a large scale WAN greatly exceeds any feasible budget, not to mention the effort required to install, monitor and maintain the infrastructure. The remaining option is then to use an ISP's existing infrastructure.

Third party infrastructure can be used in a dedicated manner, meaning that tunnels through the ISP's network are reserved for a single customer. Once again, the cost of this sort of service can be prohibitive. The third option is to use an existing network that already covers the geographic area in question, which in most cases means the Internet.

All options to be properly secure

Whilst a dedicated company network is the most secure method and the Internet the least secure, all of these options must be properly secured so that data and devices are protected from a variety of attacks, whether directly targeted or random, and whether maliciously intended or simply the result of human or machine error. For the purposes of discussing security on mission critical networks, an attack should be considered anything that could adversely affect the data on the network, the legitimate users of the network, or any device connected to the network.

Network security: Physical level

The first level to consider is the physical level, which should already be in place as it applies to every kind of security: access control and physical disaster recovery. Ensuring that unwanted persons cannot reach physical network devices is obviously a priority, and can be accomplished with standard measures such as walls, fencing, locked buildings and the like. Physical disaster recovery is equally straightforward, and includes automated or manual firefighting systems, back-up UPSs and similar. While this is a highly critical part of network security, it is too obvious and general to warrant more than a quick mention.

Logical security

Next we need to look at the logical security of the network, which can be roughly broken down into local security (against attackers who can gain direct physical access to the network and attack devices logically from there) and remote security (against attackers located outside the local network who are trying to breach it logically). While the two are closely intertwined, it makes sense to take a bottom-up approach in most cases, so local security is addressed first.

One of the most common breakdowns in local security comes from the tendency of users not to change the default authentication details of networking devices and attached devices. Given a model number, Google and about five minutes of searching, anyone can find the default login details.

While it is convenient not to have to record and remember a number of passwords, a certain level of convenience has to be forsaken in order to have a properly secure network.

Virtual Local Area Networks (VLANs)

This leads us to VLANs and their use on networks. VLANs are probably among the greatest causes of confusion on any industrial or utility grade network, and as such are often only partially implemented, leading to messy and inefficient networks. A rough breakdown of the need for VLANs and of how they operate is therefore required.

Broadcast

One of the fundamental communication types on an Ethernet/IP network is the broadcast, where a device sends a packet addressed to every other device on its subnet (an ARP request, for instance). The problem is that a switch, as a layer 2 device, floods a broadcast frame out of every port besides the one on which it was received. Even devices that are not in the originating device's IP subnet therefore receive the broadcast, although they have no interest in it. They simply discard the packet, but must first receive, error check and inspect it, which takes up resources. The amount consumed by each broadcast is tiny, but on a very large network these small amounts add up and can seriously affect critical network traffic. For this reason a method of segregating devices into separate broadcast domains is needed.

Routers

Routers separate broadcast domains, but are not feasible for this purpose for a number of reasons that are irrelevant to this discussion. Instead we require a way to segregate traffic based on a logical configuration of the switches, which can be adjusted as required and is not tied to the hardware. The solution is VLANs. As the name implies, VLANs logically (virtually) separate the network into different LANs, even though at the physical level these VLANs still share the same switches and cabling.

A switch only floods a broadcast to ports that are members of the same VLAN as the port it arrived on, so devices in another VLAN never see it at all and do not have to spend any resources inspecting unwanted traffic. Between switches, frames belonging to several VLANs share a single trunk link, each frame carrying an IEEE 802.1Q tag that identifies its VLAN.
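To make the flooding behaviour concrete, here is an added Python model (not code from the article) of a small learning switch with and without VLAN configuration. It parses and builds Ethernet frames with the IEEE 802.1Q tag (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID), classifies untagged frames by the ingress port's PVID, drops tagged frames for VLANs a port does not carry, and floods a broadcast only to ports in the same VLAN, tagging it on the trunk port. The port layouts, MAC addresses and ARP payload are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100        # EtherType value that announces an 802.1Q tag
BROADCAST = b"\xff" * 6
ETH_ARP = 0x0806


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Assemble an Ethernet frame; with vid set, insert an 802.1Q tag
    (TPID, then TCI = 3-bit PCP, 1-bit DEI, 12-bit VID) before the EtherType."""
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid, ethertype, payload); vid is None when untagged."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return dst, src, None, ethertype, frame[14:]
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, ethertype, frame[18:]


class Switch:
    """Minimal VLAN-aware learning switch. Port config:
      {"pvid": n}                 access port: untagged frames belong to VLAN n
      {"pvid": n, "trunk": {...}} trunk: also carries the listed VIDs, tagged
    """

    def __init__(self, ports):
        self.ports = ports
        self.mac_table = {}  # (vid, mac) -> port, learned from source addresses

    def _member(self, port, vid):
        cfg = self.ports[port]
        return cfg["pvid"] == vid or vid in cfg.get("trunk", ())

    def forward(self, in_port, frame):
        """Return {out_port: frame_as_transmitted} for one received frame."""
        dst, src, tag, ethertype, payload = parse_frame(frame)
        vid = self.ports[in_port]["pvid"] if tag is None else tag
        if not self._member(in_port, vid):
            return {}  # tagged for a VLAN this port does not carry: drop
        self.mac_table[(vid, src)] = in_port
        known = self.mac_table.get((vid, dst))
        if dst != BROADCAST and known is not None:
            targets = [known]  # known unicast: a single port
        else:  # broadcast or unknown unicast: flood, but only within the VLAN
            targets = [p for p in self.ports if p != in_port and self._member(p, vid)]
        out = {}
        for p in targets:
            tagged = vid in self.ports[p].get("trunk", ())
            out[p] = build_frame(dst, src, ethertype, payload, vid=vid if tagged else None)
        return out


# Constructed layouts. p1/p2: IEDs in VLAN 10; p3: an office PC in VLAN 20;
# p4: trunk to the router carrying both VLANs (VLAN 1 untagged as native).
SEGMENTED = {"p1": {"pvid": 10}, "p2": {"pvid": 10}, "p3": {"pvid": 20},
             "p4": {"pvid": 1, "trunk": {10, 20}}}
# The same switch before any VLAN configuration: one flat broadcast domain.
FLAT = {p: {"pvid": 1} for p in ("p1", "p2", "p3", "p4")}

IED_A = b"\x02\x00\x00\x00\x00\x01"   # locally administered MACs, made up
IED_B = b"\x02\x00\x00\x00\x00\x02"
PC = b"\x02\x00\x00\x00\x00\x03"


def arp_flood(ports):
    """Send an untagged ARP-style broadcast from p1; report which ports see it."""
    sw = Switch(ports)
    frame = build_frame(BROADCAST, IED_A, ETH_ARP, b"who-has 10.10.10.1")
    return sw.forward("p1", frame)


if __name__ == "__main__":
    for name, layout in (("flat", FLAT), ("segmented", SEGMENTED)):
        out = arp_flood(layout)
        tagged = [p for p, f in out.items() if parse_frame(f)[2] is not None]
        print(f"{name}: broadcast reaches {sorted(out)}, tagged on {tagged}")
```

On the flat switch the IED's broadcast reaches the office PC on p3; on the segmented switch it reaches only the other IED and the trunk, where it leaves with VLAN 10 in the tag so the router knows which subnet it belongs to.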

To communicate between VLANs a router is required. It is configured with an IP interface in each of the relevant VLANs, so that it can act as an intermediary and pass packets from one VLAN (with its own IP subnet) to another (with a different IP subnet). Most routers offer some form of firewall, which is effectively a list of rules defining what traffic may pass between subnets (and therefore between VLANs). This is where the security benefits of VLANs come to light. With the correct configuration and access control, users connecting to the network only have access to the devices relevant to them, so they cannot adversely affect other parts of the system. This can be extended to placing all users in an engineering VLAN and only allowing access through the firewall to certain services or features on the end devices, for example the Modbus TCP or IEC 61850 ports of the IEDs and nothing else. The router can also be set to record auditing data for these connections, showing who connected to what and when.
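An added example of the firewall-plus-audit idea described above (written for this page, not taken from any product or from the author): an inter-VLAN policy evaluated as a first-match list with a default deny, producing one audit record per connection attempt, and rendered as an equivalent nftables forward chain so the same rules can be applied on a Linux router. The subnets, the host 10.10.10.5 and the sample flows are assumptions; the ports are the standard ones, 502 for Modbus TCP and 102 for IEC 61850 MMS (ISO transport over TCP).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # source network, CIDR
    dst: str            # destination network, CIDR
    proto: str          # "tcp", "udp" or "any"
    dports: frozenset   # destination ports; empty means any port
    action: str         # "accept" or "drop"


# Constructed addressing: these subnets and the SSH-reachable host are assumptions.
ENGINEERING = "10.10.20.0/24"   # engineers' VLAN
IEDS = "10.10.10.0/24"          # protection and control devices
ANY = "0.0.0.0/0"

# First match wins; anything unmatched is dropped by the chain policy.
POLICY = [
    Rule("eng-modbus", ENGINEERING, IEDS, "tcp", frozenset({502}), "accept"),  # Modbus TCP
    Rule("eng-mms", ENGINEERING, IEDS, "tcp", frozenset({102}), "accept"),     # IEC 61850 MMS
    Rule("eng-ssh-gw", ENGINEERING, "10.10.10.5/32", "tcp", frozenset({22}), "accept"),
    Rule("no-telnet", ANY, IEDS, "tcp", frozenset({23}), "drop"),  # explicit so it logs by name
]


def evaluate(policy, src, dst, proto, dport, audit):
    """Decide one flow against the policy and append an audit record.
    Returns (action, rule_name); unmatched flows fall through to 'default-deny'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if (s in ipaddress.ip_network(rule.src) and d in ipaddress.ip_network(rule.dst)
                and rule.proto in ("any", proto)
                and (not rule.dports or dport in rule.dports)):
            action, name = rule.action, rule.name
            break
    else:
        action, name = "drop", "default-deny"
    audit.append(f"{src} -> {dst} {proto}/{dport}: {action} ({name})")
    return action, name


def render_nftables(policy, table="mcn"):
    """Render the same policy as an nftables forward chain with per-rule log prefixes."""
    lines = [f"table inet {table} {{", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;"]
    for r in policy:
        match = f"ip saddr {r.src} ip daddr {r.dst}"
        if r.proto != "any":
            if r.dports:
                ports = ", ".join(str(p) for p in sorted(r.dports))
                match += f" {r.proto} dport {{ {ports} }}"
            else:
                match += f" meta l4proto {r.proto}"
        lines.append(f'    {match} log prefix "{r.name} " {r.action}')
    lines += ["  }", "}"]
    return "\n".join(lines)


def audit_trail(flows, policy=POLICY):
    """Evaluate a list of (src, dst, proto, dport) flows; return decisions and audit log."""
    audit = []
    results = [evaluate(policy, *flow, audit) for flow in flows]
    return results, audit


SAMPLE_FLOWS = [  # constructed connection attempts
    ("10.10.20.5", "10.10.10.7", "tcp", 502),  # engineer polls an IED over Modbus
    ("10.10.20.5", "10.10.10.7", "tcp", 23),   # same engineer tries Telnet to it
    ("10.10.20.5", "10.10.10.7", "tcp", 22),   # SSH to a device not on the allow list
    ("10.0.1.20", "10.10.10.7", "tcp", 502),   # a corporate host tries Modbus
]

if __name__ == "__main__":
    results, audit = audit_trail(SAMPLE_FLOWS)
    print("\n".join(audit))
    print(render_nftables(POLICY))
```

Only the first flow is accepted; the Telnet attempt is dropped by the named rule, and the other two fall through to the default deny, so every decision (including the refusals) lands in the audit trail with the rule that made it.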

Engineering access solution

This thought process can be further extended with the introduction of an engineering access solution.

These software solutions manage, control and monitor user connections to network connected devices, whether the networking hardware itself (routers, switches etc.) or the attached end devices (PLCs, IEDs, servers, HMIs etc.). Users log into the engineering server, which determines which end devices that user may connect to, often going as far as automatically logging into the end device with the correct access rights. These systems closely monitor users and can perform a degree of network maintenance and management, including backing up device configurations before and after any change, recording the exact changes users make, firmware management and more. A further benefit is that users only have to remember a single login and password for the system, which then automatically and transparently manages the end device passwords, ensuring that users cannot easily bypass the access system. The flip side is that the engineering server now holds the credentials for every device it manages, so it must itself be hardened, patched and monitored at least as carefully as the devices behind it.

From secure to unsecure networks

The next step is to look at the paths from the secure network to any insecure network, whether that is the Internet or the company's corporate network. The corporate network should be considered insecure because, once again, an attack need not involve malicious intent: a corporate user could plug a flash drive from home into a corporate machine to copy a file and inadvertently introduce malware onto the corporate network.

If the connection from the secure mission critical network to the corporate network is not fully secured, that malware could then spread to the mission critical network. For this reason every other network must be considered insecure.

Port forwarding and standard routing

There are many options for external users to connect to devices on the internal network. Two of the simplest, and least secure, are port forwarding and standard routing. Port forwarding means allowing external users to connect to the router for a certain service (identified by the TCP/UDP port they connect to), which is then forwarded directly to the internal device. Routing simply means they connect directly to the internal device's IP address via a router. While both methods can be secured to a degree, they expose the end device's own login interface to the outside world, where, as the demonstration above showed, it will be probed continuously, and whatever security they offer is notoriously easy to circumvent. They should never be used between secure and insecure networks, but only within the secure network itself.

VPN Technology

The next options involve connecting to the network using some kind of VPN (Virtual Private Network) technology. There are a variety of methods and protocols for establishing a VPN connection, but all of them provide the same end result: a virtual tunnel through an insecure network (typically the Internet) that protects traffic against outside interference or snooping. This is done by first authenticating the user or device and then performing a cryptographic key exchange, after which the traffic between the two end points is encrypted and integrity protected. Even if an attacker intercepts the traffic stream they cannot easily read it, nor can they pretend to be a legitimately authorised end device (spoofing) or silently insert themselves between the two ends (a man-in-the-middle attack).

Commercial remote-access products exist that are easy to install and set up, but these generally work by connecting out to the vendor's cloud service, which brokers the tunnel establishment. One example in common personal and commercial use is TeamViewer. While such products are generally secure and stable, they place a third party in the path of your control traffic and are not as secure as a completely in-house managed solution, so they should not be employed on mission critical networks. Rather, a manually configured and maintained VPN solution should be implemented. This requires more initial investment and commissioning time, as well as deeper technical knowledge. The trade-off is increased security that is completely under your control, together with better auditing, monitoring and speed of maintenance, since you are not reliant on a third party.

VPNs to consider

Host-to-site

The next question is what type of VPN to use and what protocol(s) to use to establish the tunnels. For the first question there are two major types of VPN to consider.

The first is known as host-to-site (also called remote-access or client-to-site) and is what most people mean when they speak of a VPN. A single user (the host) connects from a remote location to a secure network (the site) via an insecure network, normally the Internet. The user runs client software on a laptop that speaks to the VPN server hardware or software on site to establish the tunnel. From that point on it is as if the user were directly connected to the LAN, and the tunnel is transparent to other software on the laptop. This is the most common tunnel type, used to let engineers connect to the network from home or from a hotel in another country and perform maintenance, configuration or troubleshooting remotely.

Site-to-site tunnel

The second type is known as a site-to-site tunnel. Here, as the name suggests, the tunnel is established between two secure networks across an insecure network, for example connecting a remote substation to a control room via the company's corporate network. The tunnels can be created temporarily as required, but are more often left up as permanent tunnels that semi-permanently extend the network across geographical locations. Once again the VPN tunnel is transparent to end users and devices, which simply see a standard routed network.

Protocol/s for VPN tunnel establishment

The final decision is which protocol(s) to use for tunnel establishment. Once again a variety of options exist, but the most widely deployed and best scrutinised standard for this purpose is IPsec (Internet Protocol Security), whose key management protocol IKE (Internet Key Exchange) sets up the tunnel in two phases. Without going into too much detail, the first phase is an authenticated key exchange in which the end devices perform a Diffie-Hellman exchange and a back-and-forth handshake that proves each is who it claims to be. This authentication can be done using a few different methods, including a standard PSK (Pre-Shared Key, a secret configured on both ends, which is never transmitted but used to prove that each side knows it) or X.509 certificates (digital files used to uniquely identify end devices, which scale far better than PSKs once many peers are involved). Once this phase is complete, the second phase negotiates the security associations for the traffic itself: the encryption and integrity algorithms (AES-GCM, for example) and the keys that protect the data. IPsec caters for a variety of authentication and cryptographic standards that can be chosen according to the end devices' capabilities, and because these are specified externally the protocol suite is more future proof: improvements can be adopted without a complete overhaul of the IPsec standard. In practice this means using IKEv2, disabling obsolete algorithms such as DES, 3DES and MD5, and, where PSKs must be used, choosing long random keys rather than memorable passwords.

Conclusion

We have glanced at some of the most salient points to consider when planning, designing and implementing security on mission critical networks, but this is a field with as much depth as breadth, and one that could be discussed for months without scratching the surface. Network security is without doubt one of the most important aspects of planning a mission critical network and should not be approached lightly. A final thought to keep in mind is that no network will ever be completely secure from outside attack, especially when it is connected to an external network. Implementing network security therefore becomes a matter of deterrence. One must think like a potential attacker and decide whether the payoff they could expect still justifies the effort your security imposes, or whether more security is needed as a proper deterrent. A single firewall may be more than enough to protect most home networks, but many more security layers are needed for a country-wide smart power grid, for instance. Always ask the question: 'Will the cost and time saved by not implementing a certain level of security outweigh the potential loss if the security is breached?'

Reference

[1] IEC 61850, Communication networks and systems for power utility automation.

 