[ISN] Resist cyber attack: securing integrated scada systems

From: InfoSec News (alerts@private)
Date: Tue Sep 11 2007 - 22:33:09 PDT


http://www.instrumentation.co.za/article.aspx?pklArticleId=4736&pklCategoryId=58

By Citect
September 2007

Until relatively recently, scada systems were physically isolated from 
other systems. Plant control networks operated independently of business 
networks. Scada systems are now integrated into larger company networks 
to leverage their valuable data. Their security is often only as strong 
as the security of the overall network. Written security policy

The process of protecting scada networks starts with the creation of a 
written security policy. Failure to have a policy in place exposes the 
company to attacks, loss of revenue and legal action. The security 
policy should be a living document. The management team needs to draw 
very clear and understandable objectives, goals, rules and formal 
procedures to define the overall position and architecture of the plan.

The security policy should also cover the following key components:

* Roles and responsibilities of those affected by the policy.

* Actions, activities and processes that are allowed and disallowed.

* Consequences of non-compliance.


Vulnerability assessment

Prior to completing the written policy a vulnerability assessment must 
be undertaken to identify the potential risks associated with the 
different aspects of the scada-related IT infrastructure, and the 
priority of the different aspects of the infrastructure. The 
vulnerability assessment helps to identify flaws in the understanding of 
system architecture and sources of threats.

To complete a vulnerability assessment, a physical audit of all the 
computer and networking equipment, associated software and network 
routings needs to be performed. A clear and accurate network diagram 
should be used to depict the infrastructure following the audit.

The results can be presented in a hierarchical manner, which sets the 
priority of security concerns and the level of related funding 
associated with each vulnerability. For example, within a typical scada 
environment, key items and the related hierarchy could be as follows:

* Operational availability of operator stations.

* Accuracy of realtime data.

* Protection of system configuration data.

* Interconnection to business networks.

* Availability of historical data.

* Availability of casual user stations.

After defining the hierarchy and auditing the different system 
components, the options with regard to security measures need to be 
considered. For scada networks there are some common security mechanisms 
that apply to all networks that have any form of wide area (WAN) or 
Internet-based access requirements. These include:

* Network design.

* Regulating physical access.

* Firewalls.

* Intrusion detection systems (IDSs).

* Virtual private networks (VPNs).

* IP security (IPSpec).

* Demilitarized zones (DMZs).


Network design - keep it simple

Simple networks are at less risk than more complex networks. Keep the 
network simple and well-documented from the start.

A key factor in ensuring a secure network is the number of contact 
points. These should be limited as far as possible. While firewalls have 
secured access from the Internet, many existing control systems have 
modems installed to allow debugging access for remote users. These 
modems are often connected directly to controllers in the substations. 
Required access should be through a single point that is password 
protected and where user action logging can be performed.


Regulating physical access

The benefits of a simply designed network can easily be dissipated if 
some basic protection strategies are not followed. Physical access to 
your network should be closely monitored. Do not allow anyone that does 
not belong to your organisation to connect to your network Ethernet or 
to have physical access to your IT server room. Use built-in Microsoft 
Windows features such as NTFS to require user authentication when 
perusing network shares. Monitor your network regularly for activity 
that may be suspicious and note the IP addresses when running sniffing 
software or hardware on the network. Ensure that there are no foreign IP 
addresses on the list. If you find one, trace route to the IP address. 
Once you locate its origin you can take action. If you are unsure 
physically, then disconnect the segment where the potential intruder may 
be on the network.


Firewalls

A firewall is a set of related programs, located at a network gateway 
server that protects the resources of a private network from outside 
users. A firewall, working closely with a router program, examines each 
network packet to determine whether to forward it toward its 
destination. It also includes or works with a proxy server that makes 
network requests on behalf of workstation users. A firewall is often 
installed in a specially designated computer separate from the rest of 
the network, so that no incoming request can get directly at private 
network resources.

It is imperative to utilise a secured firewall between a corporate 
network and the Internet. As the single point of traffic into and out of 
a corporate network, a firewall can be effectively monitored and 
secured. It is important to have at least one firewall and router 
separating the network from external networks not in the company's 
dominion.

On larger sites the control system needs to be protected from attack 
within the scada network. Implementing an additional firewall between 
the corporate and scada network is highly recommended.


Intrusion detection

Firewalls and other simple boundary devices currently lack some degree 
of intelligence when it comes to observing, recognising and identifying 
attack signatures that may be present in the traffic they monitor and 
the log files which they collect. This deficiency explains why intrusion 
detection systems are becoming increasingly important for network 
security.

An IDS is a specialised tool that knows how to read and interpret the 
contents of log files from routers, firewalls, servers and other network 
devices. It often stores a database of known attack signatures and can 
compare patterns of activity, traffic or behaviour in the logs it is 
monitoring against those signatures. In this way it can recognise when a 
close match between a signature and current or recent behaviour occurs.

Most commercial environments use some combination of network- and host- 
and/or application-based IDS systems to observe what is happening on the 
network while also monitoring key hosts and applications.


Virtual private network

One of the main security issues facing complex networks is remote 
access. VPN is a secured way of connecting to remote scada networks. 
With a VPN, all data paths are secret to a certain extent, yet open to a 
limited group of persons, such as company employees. A VPN is a network 
constructed using public wires to connect nodes. There are a number of 
systems that allow the creation of networks using the Internet as the 
transport medium. These systems use encryption and other security 
measures to ensure only authorised users access the network and data 
cannot be intercepted.


IP security

IPsec is a set of protocols developed by the Internet Engineering Task 
Force to support the secure exchange of packets at the IP layer. IPsec 
can be deployed within a network to provide computer-level 
authentication and data encryption. It can also be used to create a VPN 
connection between two remote networks using the highly secured Layer 
Two Tunneling Protocol with Internet Protocol security (L2TP/IPSec).


Demilitarised zones

The use of DMZ buffers is becoming increasingly common as a method of 
segregating business applications from scada networks and is a highly 
recommended additional security measure. DMZs are buffers between 
trusted networks (scada network) and corporate networks or the Internet, 
separated through additional firewalls and routers.


For more information contact Niconette du Toit, Citect, +27 (0)11 699 
6600, niconette.dutoit (at) citect.com, www.citect.com


____________________________________
Visit the InfoSec News Bookstore
http://www.shopinfosecnews.org



This archive was generated by hypermail 2.1.3 : Tue Sep 11 2007 - 22:48:16 PDT