Wireless ethernet not secure

Alex Pavloff

For those that are thinking of using 802.11 wireless ethernet in your
plants:

http://www.theregister.co.uk/content/55/20877.html
"EE Times reports that a passive ciphertext attack, based on the theoretical
groundwork laid by the researchers, would allow someone with a wireless LAN
connection to retrieve a security key in less than 15 minutes."


Alex Pavloff
Software Engineer
Eason Technology
 
Quite true but, the bad guy needs to get within range of the signal. In a
steel building there is often so much trouble getting a signal where you
want it to be that it would take a pretty high tech system to tap in from
outside. Of course size of building and antenna placement is also an
issue, and there are security protocols which can be added.

Strangely enough, this is actually a benefit of using proprietary
protocols. I wouldn't choose one just for this reason, but there's less
chance that somebody listening to the RF spectrum will figure out
Ethernet/IP (Devicenet). Most hackers don't really know what they're doing
anyhow. They just use tools created by people who do. Steve Gibson
explains this in depth @ grc.com. Beyond the random bad luck, security
often really depends on who your enemies are.

Dale
 
Ralph Mackiewicz

> >"EE Times reports that a passive ciphertext attack, based on the
> >theoretical groundwork laid by the researchers, would allow someone
> >with a wireless LAN connection to retrieve a security key in less
> >than 15 minutes."
>
> Quite true but, the bad guy needs to get within range of the signal.
> In a steel building there is often so much trouble getting a signal
> where you want it to be that it would take a pretty high tech system
> to tap in from outside.

Actually it does not take a very sophisticated system to grab wireless signals from the street. The difficulties with signal propagation inside of steel structures are related to dead spots in the signal strength. You can find an area with no signal and a few meters away find a perfectly good signal. Now you can always run a wire to that location but it defeats the purpose of a wireless network so people usually focus on antenna placement. If you are driving by a building with a wireless network it is very likely that they will find a good enough signal somewhere outside to capture packets without having to have NSA equipment.

> Strangely enough, this is actually a benefit of using proprietary
> protocols. I wouldn't choose one just for this reason, but
> there's less chance that somebody listening to the RF spectrum will
> figure out Ethernet/IP (Devicenet).

Proprietary protocols offer virtually no security over and above open ones. Anybody who is going to make the effort to drive by your facility with an antenna for the purposes of capturing packets is not some bored 13-year-old using other people's hacking tools. If you are transmitting critical proprietary data on a wireless network and your company is in a highly competitive market or in an industry where industrial espionage has occurred in the past, you can be assured that proprietary protocols (like Ethernet/IP) that cost a few hundred bucks to get the specs offer NO security. VPN technology will provide very effective security against the vast majority of threats including those of industrial espionage.

> Most hackers don't really know what they're doing anyhow. They just
> use tools created by people who do. Steve Gibson explains this in
> depth @ grc.com. Beyond the random bad luck, security often really
> depends on who your enemies are.

Not to nitpick too much but within the community the term "hackers" generally refers to the good guys like Steve Gibson of grc.com. The bad guys are "crackers".

The first mistake in security is to underestimate the threat. My home PC is attacked by foreign computers looking for FTP port and HTTP ports several times an hour on the @Home network. Other than some exciting NASCAR Racing 4 replays there is nothing of value on my home machine. Just imagine if someone realizes that you have something of value on yours. This is no joke. ANYONE with a home PC should be running the ZoneAlarm firewall. It's free for personal use: http://www.zonelabs.com and it works absolutely GREAT. I urge ALL the A-list members to download this software immediately and protect yourselves. Ignorance is NOT bliss.

Regards,

Ralph Mackiewicz
SISCO, Inc.

 
Hello Ralph,

You make good points. Maybe someday I'll finally learn that on Internet forums (as with political debates) someone will always counterpoint from a perspective that I did not expect. Yes, you are absolutely right!! But mainly from your perspective, IMHO.

First of all, I tend to think from the perspective of "control" networks when I read the "Automation List." I suppose you were thinking along the lines of IT networks, in which case I WHOLEHEARTEDLY embrace and echo your concerns as VERY important.

We use Wireless LAN for some control and if somebody were to snoop in, he would be exceedingly bored. If the bad guy is a saboteur, we're screwed (short-term), but one needn't crack a wireless network to do that. Jamming is MUCH easier.

I thought that the following comment "security often really depends on who your enemies are" would have made it clear that I was not addressing security against a motivated attacker. Given a skilled, determined, and equipped opponent, network security is IMPOSSIBLE to achieve. We must take an approach appropriate to the reasonably conceived threat with full knowledge that there's really no such thing as security. We can only protect ourselves.

If I start to read occasional stories of factory control networks being cracked and / or sabotaged I'll re-assess my approach. As for proprietary networks as a means of security, yes, it's pitifully weak. It's kind of like locking the door to your house -- stops most but doesn't faze a pro.

In the meantime, the biggest threat to either IT or Control network security is internal users. They are far more likely to either accidentally or intentionally steal from or sabotage a system.

I agree with the Zone Alarm Recommendation. I've used it on my home cable modem for a couple of years now. Especially when XP hits market, it will be extremely important that all PC users run behind at least one firewall. I have purchased an old PC to set up as a LINUX firewall but haven't gotten around to configuring it yet. I haven't even concluded the best method.

I caution users of appliance firewall devices that they will likely become obsolete before a well-maintained LINUX firewall. I have more confidence in the Linux community to keep me up-to-date than in Linksys.

Dale Malony
 
Ralph Mackiewicz

> First of all, I tend to think from the perspective of "control"
> networks when I read the "Automation List." I suppose you were
> thinking along the lines of IT networks, in which case I
> WHOLEHEARTEDLY embrace and echo your concerns as VERY important.

You are correct that my perspective was a little different. But my concerns I believe are nearly as relevant to control networks as to IT networks. I also understand that industrial sabotage is not an everyday occurrence. There are probably industries where such matters never happen. However, there are industries where such things do happen (pharmaceuticals for one).

> We use Wireless LAN for some control and if somebody were to snoop in, he
> would be exceedingly bored. If the bad guy is a saboteur, we're
> screwed (short-term), but one needn't crack a wireless network to do
> that. Jamming is MUCH easier.

Jamming might be easier but it is easy to detect. Jamming can be an effective denial of service attack, but a serious bad guy will find issuing a malicious Modbus write over a wireless network to be the superior way to cause damage to a company and it is virtually undetectable after the fact. It's unlikely that anyone would ever be able to figure out what happened.

> I thought that the following comment "security often really depends on
> who your enemies are" would have made it clear that I was not
> addressing security against a motivated attacker. Given a skilled,
> determined, and equipped opponent, network security is IMPOSSIBLE to
> achieve. We must take an approach appropriate to the reasonably
> conceived threat with full knowledge that there's really no such thing
> as security. We can only protect ourselves.

I don't propose that wireless networks should not be used because of an obscure chance of espionage or terrorism. However, you need to be aware of the risks in the first place in order to determine what preventive measures will be cost-effective, if any. My original response was really to make the point only that so-called proprietary protocols are not more secure than open protocols. The nature of the ownership of the protocols is mostly irrelevant from a security perspective.

> If I start to read occasional stories of factory control networks
> being cracked and / or sabotaged I'll re-assess my approach. As for
> proprietary networks as a means of security, yes, it's pitifully weak.
> It's kind of like locking the door to your house -- stops most but
> doesn't faze a pro.

It is very unlikely that you would ever hear of such stories unless they grow to epidemic proportions where non-technical media starts to notice. The VAST majority of security breaches, industrial espionage, computer cracking, embezzlement, disgruntled employee sabotage, etc. are not reported. They are rarely even reported to the police. I think it would be wise to examine your own company's position and the likelihood that someone could reap large financial gain at your expense to determine if there are such risks for yourself. Otherwise, the first time you hear about it will be when it happens to you. Remember what happened to Omega the temperature controls company.

> In the meantime, the biggest threat to either IT or Control network
> security is internal users. They are far more likely to either
> accidentally or intentionally steal from or sabotage a system.

Absolutely correct.

> I agree with the Zone Alarm Recommendation. I've used it on my home
> cable modem for a couple of years now. Especially when XP hits
> market, it will be extremely important that all PC users run behind at
> least one firewall. I have purchased an old PC to set up as a LINUX
> firewall but haven't gotten around to configuring it yet. I haven't
> even concluded the best method.

You might want to take a look at the Soho Borderguard product. It's a LAN sharing device with a packet inspection firewall built-in. Cost under $200 I think. Other LAN sharing devices, like the Linksys router, have some security features but do not have a packet inspection firewall like the Borderguard unit.

Regards,

Ralph Mackiewicz
SISCO, Inc.
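
Added example, not part of the original thread or any poster's code: the post above notes that a Modbus write over the wireless segment leaves nothing to investigate afterwards, so this sketch shows a passive audit log that records every Modbus/TCP write request and flags sources outside an allowlist of known masters. It assumes Modbus/TCP framing on port 502 and payloads already captured from a monitoring port; the IP addresses, allowlist and sample frames are constructed.

```python
import struct

# Modbus function codes that change device state.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

def parse_modbus_tcp(payload: bytes):
    """Parse one Modbus/TCP request; return None if it is not well formed."""
    if len(payload) < 8:  # 7-byte MBAP header plus function code
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    rec = {"tid": tid, "unit": unit, "func": payload[7]}
    if rec["func"] in WRITE_FUNCTIONS and len(payload) >= 12:
        # All four write requests start with a 2-byte address, then value or quantity.
        rec["address"], rec["value_or_count"] = struct.unpack(">HH", payload[8:12])
    return rec

def audit_writes(packets, authorized_masters):
    """packets: (timestamp, src_ip, dst_ip, tcp_payload) sent to TCP port 502."""
    findings = []
    for ts, src, dst, payload in packets:
        rec = parse_modbus_tcp(payload)
        if rec is None or rec["func"] not in WRITE_FUNCTIONS:
            continue
        findings.append({
            "time": ts, "src": src, "dst": dst, "unit": rec["unit"],
            "operation": WRITE_FUNCTIONS[rec["func"]],
            "address": rec.get("address"),
            "authorized": src in authorized_masters,
        })
    return findings

# Constructed sample traffic; addresses and the allowlist are hypothetical.
AUTHORIZED = {"10.0.0.5"}
SAMPLE = [
    ("08:00:01", "10.0.0.5", "10.0.0.20", bytes.fromhex("000100000006010300000002")),
    ("08:00:02", "10.0.0.5", "10.0.0.20", bytes.fromhex("000200000006010600100064")),
    ("08:14:37", "10.0.0.77", "10.0.0.20", bytes.fromhex("00030000000601060010270f")),
]

if __name__ == "__main__":
    for f in audit_writes(SAMPLE, AUTHORIZED):
        flag = "ok" if f["authorized"] else "UNAUTHORIZED WRITER"
        print(f["time"], f["src"], "->", f["dst"], f["operation"], f["address"], flag)
```

Modbus itself carries no authentication, so the allowlist check is only as trustworthy as the source addresses on the segment; the log's value is the after-the-fact record of which register was written and when.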

 