I believe that the events of last week clearly demonstrate the need (which until now was always seen as very minimal) for security in ALL
the systems that we set up, including industrial automation networks. We should have in place the means to protect our interests: pehaps just a
password, or maybe something more elaborate that can be altered at a moments notice, thereby rendering acts of sabotage more difficult.
Hmmm.....let see....wasnt there a menu somewhere in RSLogix concerning security.......I guess there will be a lot of these type of questions in
the near future.

Gerald Beaudoin

 

> I believe that the events of last week clearly demonstrate the need for security in ALL
> the systems that we set up, including industrial automation networks.

I believe that the events of the last 24 hours - the advent of the nimda worm - provide sufficient demonstration of the need to secure mission-critical networks, whether they're directly exposed to the internet or not.

http://www.infoworld.com/articles/hn/xml/01/09/18/010918hnworm.xml?0918alert
It doesn't take an explosive device (or even the threat of one) to bring a plant to a standstill if that plant's operation depends significantly on an infrastructure that can be digitally compromised.

Automation systems need network topologies designed to prevent electronic misbehavior, maintained by sysadmins who are well-trained and well-informed, who are armed with current information about vulnerabilities, exposures and fixes, who install up-to-date patches as a matter of course, and whose procedures include not only preventative measures but disaster recovery measures. (And it helps if those emergency procedures actually get practiced every once in awhile; even worse than not having a plan is having a plan that turns out to be unworkable.)

Of course, none of this is news to anybody out there. Unfortunately, the willingness to spend money and endure inconvenience in the name of security usually comes late, in the face of an apparent immediate threat.

Greg Goodman
Chiron Consulting

 

Well, now the resolve has been broken. Because finally you make personal rules to eventually break them. Security needs to become numero uno subject now. This looks like playing the same notes in a different way... (please note all views are personal)

Additional Security in Instrumentation Systems:
OR
Avoiding Remote attacks on your systems:
The attacks on September 11th 2001 in USA left little doubt in ones mind that the age of violence with complete disregard for human life has finally dawned. Religious beliefs, doctrines that taking a human life is an ultimate crime will be over ridden by feelings of hatred, vengeance (real or believed ones) and simple supremacy that has so long only been subject in story books.

In June/July 2001 we were seriously discussing the possibility of remote attacks on Automation systems and causing serious ecological damage and
damage to human lives in the Automation list of Control.Com. At that time we assumed that such a damage could probably be caused by Employees with a grudge, Terrorists or even by human error or accidental actions.

At that time there was also some bad feeling, since at times the thread questioned the integrity of people involved in day to day operations, and I should say here, that things did get stretched at the time that the thread was running (happens all the time on the list is the way that i justify it.). Finally it was felt that no one would have the ill will to cause huge human and ecological losses for any purpose or goal and the thread was slowly abandoned. the thread also dissuaded any talks on economic losses as we felt that the economic losses were the least important issue. But now after seeing that Boeing is going to cut back 30000 jobs as on todays news and that other airliners are going to cut manpower by thousands, a single event has caused a huge dent in the world economy and this also needs to be protected.

I also felt that suppose someone is listening to the thread then that person could start getting ideas.

But now, we really need to discuss it and formulate methods of avoiding such threats, because it is possible that some user somewhere is not aware of the possible ways that his system is exposed and that could cause serious damage to his community.

Facts: A Few of them....
Possibility of a remote attack is remote.
It may happen, or it may never happen.
The chances are that you will never be able to know that an attack is underway.
It is Possible that an attack has already occurred on your system and you have been pestering your vendor for a long time as to why the system failed!
If you analyze and find that an attack has occured and your system is down, well.. there may be no passports lying around for nabbing the
culprit, no to and fro tickets identifying previous milk runs and no cars in parking lots with manuals ..... the trace could lead to any other computer in the world which could have in itself be compromised and used for staging the attack. The scenario is unimaginable!

Where can remote attacks occur OR which systems are most exposed?
The Weakest systems are the systems that use a radio or other forms of wireless communication (WAP enabled devices) system.
The next in the list would be where communication cables run for very large distances (over large kilometres of land) and often through remote
areas.
The third would be Systems that are directly or indirectly connected to the internet or other networks.

Purpose of such attacks:
Cause Economic loss which could ruin the working of a company, result in job losses which could cause further disenchantment with people and lead
to further problems.
Cause Ecological Damage.
Cause damage to human lives.
Cause damage to property and infrastructure.

WAP Systems:
Do you use a WAP enabled Device?
Does your device connect to a SCADA or DCS or PLC or any other automation system that you may have in your plant?
WAP technology is generally similar to Mobile technology where radio waves of some frequency are used to transmit data to the Service provider who then retransmits it to your System. Now as we all know most police and such agencies in the world track people by listening to calls made from
Mobile phones. It is very difficult for me to believe that such systems can be totally 'listen proof'. In the case of Mobile telephony, you have to have a good voice copier-simulator to talk with the other party (though such devices are a part of popular movies like MI2 etc., I do not know weather they actually exist), however in the case of your system a listener could wait till the talker is offline and then retransmit the
same signal to your system, not easy, maybe very-very difficult but not impossible. However such a technology is beyond automation personnel like
us, but not beyond a good electronics/telecommunication engineer.
WAP devices can reprogram computers. It may be difficult to do this in some operating systems and easier in others. WAP devices generally
transmit data to your PC. In case a simple file like a miscreant made setup.exe could cause large problems for your systems. Your data could be
leaked out to other telephones, another WAP device may be allowed to connect to your system to get data from your system for later hacks and
the entire works can follow. If you use WAP then you are at considerable risk and need to check that you have the following checks performed:

The WAP system should preferrable not give any command to Your Automation system. This is the simplest solace to you but remember that this is not a end.
Remember that the WAP device communicates with your PC. Most probably your WAP vendor has several routines or a programer could write several routines for WAP devices that will enable it to re-program your entire PC.
This does require considerable skills, but a highly skilled programmer can still do it. In other words, safety is not absolute. And in other words, ensure that your PC has several security tools that prevent such an incident. In linux, your WAP can have a user password and the login is
restricted to the user area, thus the main system is protected. This too is not absolute but bugs in Linux are now proving to be a 'rarity'.
Is the employee to whom you handed the WAP device reliable. Consider conducting a serious background But before hand check, if the laws within your country permit that.
Is the employee who handles the WAP device very careful with his things or does he keep the WAP device lying around. There could be a silly problem like his six year old kid playing with "Papa's gadget" just for fun when papa is having a shower, and your plant could get down due to that. Check and ensure that the WAP device is device from a reputed vendor. There is good encryption technology used.
Update your security tools daily. Have at least one person who continously checks the Internet and other resources for latest security products
updates, new viruses and the entire e-security works that apply to your device.
Number seven and further will be added as and when I think of them.
Radio Modems, Radio ethernet cards and the likes:
Now radio modems and such wireless technologies have been used for ages in Dams and hydel power plants. But no one has made attacks on these radio
systems. In fact in some cases the radio modems used can transmit upto 25 KMS without point of sight.
I also believe in a rumour that reflections of such radio waves reach far beyond and can be captured by satellites and other such media.

We are lucky that nations and countries generally never use means of mass murders for winning wars. Otherwise god knows what human history would
have been like.

Frankly there is little protection for Radio systems but some checks could be:

Do you use a frequency that is not used by general telephones and general Public? Though I thought of this question, it seems an absurd one.
Do you use strong Encryption technologies. remember that usually it takes ten to fifteen minutes to break even tough Encryption with todays modern computers.
In addition, Decryptors usually break codes by brutal force. Thus they may log on several times before cracking the password. It is better to have a system that locks itself on three false passwords and you have to then go to the location and physically connect to the Automation system to unlock the system. But in reality such systems may not exist or you may have chosen a system that does not have this facility and hence it is beter to write routines that will lock the logic when three failed attempts are made and you then have to physicaly turn on a button to reset the logic. Even this is difficult in most of our existing systems. But hope that such systems will come in the future that will safeguard us from brute force atacks.
Encryption does mean that the miscreant may have to use a larger number of hits to get the password, but remember that a radio device enables the listener to listen to hundreds of password checks in a day and thus he could have computer programs that will decrypt the message before hand and he could carry out a couple of milk runs before doing the actual job.
Though such programs are beyond the comprehension of simple Instrumentation engineers like us, it is not beyond very good programmers.
Connected to Other Networks In your Organization:
have you implemented an ERP system and is your production tied up with ERP package. Is your Automation system connected to other systems in your plant in a network. If so then remember that those hundreds or thousands of computers that are within the network are... Ummnh... connected to your Automation system. By loading programs and utilities on any one of the computers, A miscreant could have access to your plant systems.
Some checks that you could conduct:
First is of course integrity checks of employees. In this case if your organization is globally spread out, a very difficult task too. And you
need to check with the laws of all the countries that you operate to know weather such integrity check s are permitted.
You could put firewalls, Encryptions etc., but there is very little actual protection.
Connected to other networks and these other systems connected to Internet:
OR
Directly connected to Internet:

I'll first say a small prayer, In fact Since I now believe in equality of all mankind, womankind and children, I'll remember all the gods of all the faiths, all the saints of all the faiths that have existed and do exist in this world...
OM, Shanti, Shanti...
Oh God, May no terrorist ever see this system and may this system never be compromised, may this system never be connected to any hazardous plant or related to any system that can cause ecological or human loss.
God you are great,

The next 30+ billion words of the prayer which for brevity's sake does not appear here are the names of all the possible gods in this world.

Safety in Internet has till day eluded us.
This is not to say for all those that silently listen and get data from you without much fanfare.
To Sum it up it is a scary world that we have to live in.
There are Firewalls, routers, Antivirus scans and so on, but these are may be able to provide you safety today.
Some of the methods used for various ends are, and I'll just throw the words at you and offer brief explainations as even explaining what limited knowledge I have would take pages...

Eavesdropping and snooping: It is generally a misconception that the electrical signal that you send from computer 1 to computer 2 in your
network travels similar to your travel from your home to office in a single road, from source to destination. rather in Computers, the entire
network gets the electrical signal and computer 2 picks it up and the others (if they are honourable) do not. Think of this as if you are
suddenly distibuted everywhere and the destination were to pick you up and the others, though you are near them do not pick you up. In other words, all the others in your network and at times those in other networks also get the data that you send from computer 1 to 2.
Password capture: Now listen to what he says, what he said "Open Sesame".
Well then "Sesame" could be the password. Maybe not so simple but not so difficult either. rarely a network will have different passwords for
administrator and different keys for encryption on each computer so listen and analyze and you could reduce the number of possibilities of the
passwords. Got the user password, very good, now create a message "Fatal Error, Enter Root password to continue", there 9 out of ten you can get the root password. All you may have to do is ask!
Port Scanning. You have a very good password. But did you know that your software uses an old Telnet protocol with a hole in its security... Hmm
makes nice Remote control possible. The Firewall is standing on the front door but the back door is open! Advant 500 OCS used to have FTP, telnet
and other services enabled, we as users at that time used to think of this as a great feature, but now I know otherwise. Sanning of the ports can
yield superb data for later use by the miscreant.
Denial of Service Attacks. You have a stop command for safe shutdown in your system which goes on the TCP/IP protocol or another protocol to your control PLC or Control station of DCS or Controllers or other devices. Now a Denial of service attack is one where your entire network can be put down by various methods. You cannot give that shutdown command and will may see the rupture disc blow or an unsafe trip. So much of financial loss....methods are vaious Ping of Death (older one), a simpler one where the miscreant uses addresses that are on the network causing the network to fail. there are more methods like SYN attacks, ICMP flooding, DNS cache
pollution, roiute redirection and so on.
Impersonation and its likes impersonate as the Domain Service provider or the server for clients and get their passwords and also configure them so
as to make them able to respond to you 'as you like it'.DHCp, WINS, DNS impersonation and so on.
Man in the middle. tell computer 1, that I am cmputer2, tell computer 2 that i am computer 1, pass data from here to there and vice versa and
slowly pick everything up and set them up as you want them to be.
First, get yourself up to date with the methods, find out what is applicable to you and then keep yourself updated every moment and hope that the snoopers (the bad ones) never have an upper hand over the snoopers (the good ones). the good snoopers called Hackers provide means and
solutions to attacks and the bad ones called crackers cause extensive damage. Some times hackers win and some battles go to the Crackers, but you are at constant warfront.

I sincerely believe that keeping yourself updated in Communication Security, and automation and also making that 30 day shutdown with its 45
days jobs happen in 25 days (preponement of startup) is not an easy task.
Follow the standard as presented in Sept-2001 issue of Intech or visit smbd.org for regular updates. This is a simple solution, but not a
standard. Hopefully one will come out soon.

Some guidelines if you have to live with your automation system connected to the internet either directly or indirectly:

Put Firewalls everywhere. I should say, updated firewalls here. A bad firewall is worse than no firewall, because you gain a sense of false
security.
Use data encryption in all your communications. Please note that several old DCS systems will not allow encryption to be used and you may have to
upgrade.
That 232 connection is not invisible to the outside world, it is seen as a device on the computer where it is attached. A bit difficult perhaps but not impossible to rip. Anything and everything that communicates and is connected directly or indirectly to the internet can be hacked or cracked.
If not today then tomorrow.
Use a different password on each computer. Use passwords that are as unthinkable as possibe. Know that you are just putting hurdles inthe way
and a persistent chaser could and will eventually capture your password so change them every week. This is the most difficult part. In a large
organization, with operators every shift and their offs, making it 4 per Control room at a minimum, thats a great task and if you keep changing them, you are likely to get a lot of flak, but there is no other way.
Disable all unnecessary services like FTP, Telnet and the likes. Ensure that since you may not be actively using mail on the DCS, remove this
service. And so on. the lesser software you run, the lesser you have to guard and update.
Check all your TCP-IP records. This should be available from your Firewall service provider. Check for any anomalies. Please note that you may be increasing your workload and having a network security analyzer in your company's armour is a good idea. Or you may end up protecting your
security but not getting time for all those calibrations...
I believe that you may have guessed it by now, I'm not a great champion of connecting your plant to the internet either directly or indirectly. Even if you have to do it, say you have an ERP system, ensure that no intelligent path exists between that final safety PLC and other systems.

Advanced Security for PLC's, SoftPLC's, SCADA, DCS and other systems:
Now, the advantage of PLC, SCADA, DCS and such systems is its programmability, you can just run in development or program mode and then save it all and your application is updated. This is the boon and this could also become the curse in an unprotected system.
Where possible use systems that provide you with keys to lock the programming mode.
A good example before me is the PLC that I have seen since 1990, AB PLC2/05 and 2/17 then and later PLC5 in many forms. There is a keyswitch
with three positions, run position, there is a program key position and there is a remote-run key position. Keep the keyswitch at run all the
times and put on remote run very infrequently and as soon as your debugging is over, put it back on run mode.
Such keyswitches and jumpers where available (and they are available on several PLC's, Controllers and other systems) should be in a position that
prohibits programming.
In Case your system does not have a keyswitch, use a small routine to check the scan time or program length and so on and try to make out the
difference if your program has been changed. Check your program at frequent intervals for any changes. But these methods are only helpful if
the miscreant is going to make changes now and use them later (in case you have a time advantage).
Put passwords, but remember to give all passwords to your successor when you leave the organization or they will be in big trouble at a later date.
Have a good password recording procedure that has some security (so that unnecessary personnel do not see it) properly built into.

More issues: Threat to special control systems:
There are several special control systems, typically for controlling a specific process from a vendor.
Typical example a BMS package from a standard vendor, a Gas turbine Control system and so on.
Hunting for such systems and then writing a specific code that is likely to affect only one such type of system could cause complex wide havoc.
Imagine a situation where several power plants were to trip simultaneously at one instance. This could in a worst case bring the entire national grid down.
If you have such systems, ensure that you have sufficient emergency systems in place to take care of all eventualities. There is very little
in your hands, best is if you have such system not conected to plant and other networks.

Very long communication cables
Very long communication cables are also a problem. Someone could tap the cable midway and then stage attacks on your computers. Regular checks on cable routes and finding traces of any tampering is importants to find this out. This is more easier to trace out but regular checks are
required.

More will follow later on.