Cybersecurity for Industrial Control Systems
Cybersecurity is all about processes and people. A lot of threats can be mitigated through technology, but only if people understand how cybersecurity affects control systems and related technology.
What Is Cybersecurity?
Cybersecurity involves the measures taken to protect IT/OT devices like PLCs, switches, servers, endpoint devices, or computer systems against unauthorized access or attack. While cybersecurity is often expressed in terms of technology, it is more often a human challenge and must be implemented through policy.
Undoubtedly, the physical protection of our critical infrastructure and assets is imperative, but more is needed. Software attacks are remote and stealthy with multiple threat agents, each having different motives and objectives, including:
Advanced Persistent Threat (APT): motivations include warfare, intelligence, the theft of intellectual property, and monetary gain.
Hackers and Hacktivists
Terrorist: attack on society or in preparation for an attack
Noise: untargeted malware infecting anything possible
Cybersecurity is crucial to ensure that attacks are delayed as long as possible to increase the chance of detection, and thus, prevention.
Figure 1. Cybersecurity is critical to preventing software attacks to critical infrastructure. Image used courtesy of Adobe Stock
Determine the Network Architecture and IP Plan
An important concept introduced in process automation is the security zone. Security zones categorize network segments and identify the hosts and applications with different security levels. Hosts and devices in the production zone, which have high security levels, are placed in one zone protected by a firewall, and these hosts only talk to other hosts after secure authentication.
Apart from defining the required zones, it is important to determine an IP plan for the system. The IP plan contains hostnames, IP addresses, and additional information for all hosts in the system, including the zone each host resides in. The IP plan is used for planning and assigning addresses and for configuring the intrusion detection system (IDS) with the acceptable traffic patterns in the system.
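The following is an added example (not code from the article or from any product it mentions) of how the IP plan and the zone definitions can be turned into a check of observed traffic: hosts outside the plan and flows between zones that the policy does not permit are flagged, which is exactly the baseline an IDS is fed with. All hostnames, addresses, zone names and permitted flows are constructed for the example.

```python
"""Added example (not from the article): check observed flows against an IP plan
and a zone-to-zone policy. Hosts, addresses and the allowed flows are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    hostname: str
    ip: ipaddress.IPv4Address
    zone: str


# Constructed IP plan: one row per host, including the zone the host resides in.
IP_PLAN = [
    Host("dc01", ipaddress.IPv4Address("10.10.1.10"), "production"),
    Host("scada-srv01", ipaddress.IPv4Address("10.10.1.20"), "production"),
    Host("plc-unit1", ipaddress.IPv4Address("10.10.2.5"), "production"),
    Host("hist-dmz01", ipaddress.IPv4Address("10.20.1.10"), "dmz"),
    Host("eng-ws01", ipaddress.IPv4Address("10.30.1.50"), "enterprise"),
]

# Constructed zone policy: (source zone, destination zone, destination port)
# triples the firewall permits. Anything else seen on the wire is unexpected.
ALLOWED_FLOWS = {
    ("production", "production", 88),   # Kerberos
    ("production", "production", 389),  # LDAP
    ("production", "production", 53),   # DNS
    ("production", "production", 502),  # Modbus/TCP between SCADA server and PLCs
    ("production", "dmz", 443),         # historian replication into the DMZ
    ("enterprise", "dmz", 443),         # read-only access from the enterprise zone
}


def build_index(plan):
    """Map each address in the IP plan to its host record."""
    return {h.ip: h for h in plan}


def classify_flow(index, src_ip, dst_ip, dst_port):
    """Return 'allowed', 'denied' or 'unknown-host' for one observed flow."""
    src = index.get(ipaddress.IPv4Address(src_ip))
    dst = index.get(ipaddress.IPv4Address(dst_ip))
    if src is None or dst is None:
        return "unknown-host"   # not in the IP plan: rogue device or plan drift
    if (src.zone, dst.zone, dst_port) in ALLOWED_FLOWS:
        return "allowed"
    return "denied"


def audit_flows(plan, flows):
    """Classify each (src, dst, port) flow; returns a list of (flow, verdict)."""
    index = build_index(plan)
    return [(flow, classify_flow(index, *flow)) for flow in flows]


if __name__ == "__main__":
    # Constructed flow records, as a NetFlow export or IDS connection log would give them.
    sample = [
        ("10.10.1.20", "10.10.2.5", 502),   # SCADA server polling a PLC
        ("10.30.1.50", "10.10.2.5", 502),   # enterprise workstation talking Modbus to a PLC
        ("10.10.9.9", "10.10.1.10", 88),    # address that is not in the IP plan
    ]
    for flow, verdict in audit_flows(IP_PLAN, sample):
        print(flow, verdict)
```

The "unknown-host" verdict is deliberately separate from "denied": a flow from an address the plan does not know is a different finding (an undocumented device, or a plan that was not updated) than a known host crossing a zone boundary it should not.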
Windows Active Directory (AD)
Windows AD combines selected technologies such as Kerberos, the Lightweight Directory Access Protocol (LDAP), the Domain Name System (DNS), and proprietary mechanisms to centralize common administrative and maintenance tasks. The advantage of using AD is that almost all user accounts in a zone are managed and authenticated through AD, which makes user management activities like password management easier.
Generally, at least two domain controllers are recommended in any SCADA/DCS system network to achieve redundancy. Domain controllers are servers that host an Active Directory domain and provide authentication and directory services to clients.
Figure 2. Production Zone and DMZ Windows hosts join the domain. Image used courtesy of Author
The idea behind introducing AD in modern industrial control systems like SCADA and DCS is not only to centralize account management for heterogeneous networks, including Windows and Linux hosts, but also to provide a mechanism to enforce Group Policy Objects (GPOs) on the Windows hosts in the AD domain. So overall, we can say that accounts and policies become easily manageable by introducing AD in the SCADA network.
The following are standard technologies integrated into the AD.
Lightweight Directory Access Protocol (LDAP)
LDAP is a service that constitutes the repository function of the AD and contains all data. It is pertinent to mention here that AD and LDAP work together. AD is a Microsoft product used to store and organize IT resources like computers, servers, printers, and users.
In contrast, LDAP is a protocol that allows reading and modifying that information, like authenticating users. This data can be replicated throughout a forest between domain controllers. When we talk about Linux machines in the control system architecture, Linux hosts explicitly use LDAP: generally, all users and services are stored and maintained in AD, and LDAP is used to access that account information from Linux. The account information includes the username, UID, GID, home directory, default shell, and the other regular attributes of an account.
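As an added example (not code from the article or from any vendor), the block below shows what a Linux host actually receives when it reads account information from AD over LDAP: the RFC 2307 attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell, gecos) alongside the Windows account name, and how they map onto a passwd-style record. The LDIF text, domain name and accounts are constructed; the entry without POSIX attributes illustrates the account that exists in AD but cannot be used on Linux.

```python
"""Added example (not from the article): turn the RFC 2307 attributes a Linux host
reads from AD over LDAP into passwd-style records. The LDIF text is constructed."""

# Constructed LDIF, in the form an ldapsearch against the domain would return it.
SAMPLE_LDIF = """\
dn: CN=operator1,OU=Operators,DC=plant,DC=example
objectClass: user
objectClass: posixAccount
sAMAccountName: operator1
uidNumber: 10001
gidNumber: 5000
unixHomeDirectory: /home/operator1
loginShell: /bin/bash
gecos: Shift Operator 1

dn: CN=svc-hist,OU=Services,DC=plant,DC=example
objectClass: user
objectClass: posixAccount
sAMAccountName: svc-hist
uidNumber: 20002
gidNumber: 5001
unixHomeDirectory: /var/lib/historian
loginShell: /sbin/nologin

dn: CN=legacyuser,OU=Users,DC=plant,DC=example
objectClass: user
sAMAccountName: legacyuser
"""

# Attributes a Linux host needs before it can resolve the account at all.
REQUIRED = ("sAMAccountName", "uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")


def parse_ldif(text):
    """Minimal LDIF parser: entries are separated by blank lines, and attributes
    that occur more than once (objectClass) are kept as lists."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def to_passwd(entry):
    """Return a passwd line for an entry, or None if the POSIX attributes are incomplete."""
    if any(attr not in entry for attr in REQUIRED):
        return None
    gecos = entry.get("gecos", [""])[0]
    return "{}:x:{}:{}:{}:{}:{}".format(
        entry["sAMAccountName"][0], entry["uidNumber"][0], entry["gidNumber"][0],
        gecos, entry["unixHomeDirectory"][0], entry["loginShell"][0])


def passwd_map(text):
    """Build the passwd lines for all usable entries and list the DNs that were skipped."""
    result = {"passwd": [], "skipped": []}
    for entry in parse_ldif(text):
        line = to_passwd(entry)
        if line is None:
            result["skipped"].append(entry["dn"][0])
        else:
            result["passwd"].append(line)
    return result


if __name__ == "__main__":
    mapped = passwd_map(SAMPLE_LDIF)
    print("\n".join(mapped["passwd"]))
    print("skipped:", mapped["skipped"])
```

The placeholder "x" in the password field is the point of the LDAP section: the directory hands out the account's attributes, not a credential, so Linux still has to authenticate the user elsewhere (Kerberos, in the setup the article describes).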
It is important to mention that LDAP does not provide authentication; it is purely a catalog service. Windows hosts use the global catalog, a variant of LDAP for Windows hosts, which provides seamless integration and does not require additional maintenance the way LDAP on Linux does. All Windows hosts that join a domain automatically get all necessary configuration data. On Linux (RHEL), however, LDAP is provisioned by the OpenLDAP package. Important files are:
Kerberos
Kerberos is the secure authentication mechanism implemented to ensure that users and services are indeed who they say they are. In this protocol, no username and password are sent in clear text over the network, and the authentication can't be manipulated. Successful authentication returns a ticket to the user or service. It is called the Ticket Granting Ticket (TGT) and is used to request session tickets for the actual communication. Every ticket has two expiration times:
One for the maximum lifetime of the authenticated session, also called the renewal expiration time. The user or service must re-authenticate after this time expires.
Another expiration time is used to allow the exchange of new keys during a session.
All Kerberos accounts are stored in Windows AD in the domain controllers in the system, including all Linux accounts.
Users, for example operators or administrators, interact and authenticate with a username and password. Services are non-interactive and authenticate using a key table (keytab). A key table holds a pre-distributed key that replaces the username and password, making it possible for services to authenticate without operator intervention.
Because the tickets carry expiration times, the clocks of the communicating hosts must also agree, typically synchronized using NTP or a similar network time protocol. Common configurations use GPS time servers to synchronize the Linux hosts, domain controllers, and engineering servers. Workstations and other Windows hosts that are members of the Windows domain are synchronized from the domain controllers.
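The two expiration times and the time-synchronization requirement above can be made concrete with the following added example (not code from the article or from any Kerberos implementation). It models a ticket's session-key expiry and its renewal limit from the client's point of view, the renewal schedule a keytab-based service ends up following, and the clock-skew tolerance outside which the domain controller rejects a request. All timestamps are constructed, and the 5-minute tolerance is an assumed value (the usual Kerberos default), not something the article states.

```python
"""Added example (not from the article): model a Kerberos ticket's two expiration
times and the clock-skew tolerance that makes time synchronization necessary.
Timestamps are constructed; the 5-minute tolerance is an assumed default."""
from datetime import datetime, timedelta, timezone

MAX_CLOCK_SKEW = timedelta(minutes=5)   # assumed: the usual Kerberos default


def ticket_state(now, end_time, renew_till):
    """Classify a ticket from the client's point of view.

    end_time   - when the current session key expires (a renewal issues a new one)
    renew_till - maximum lifetime of the authenticated session; after this the
                 user or service must authenticate again with password or keytab
    """
    if now >= renew_till:
        return "expired"
    if now >= end_time:
        return "renewable"
    return "valid"


def skew_ok(client_now, kdc_now):
    """The KDC rejects requests whose timestamp differs from its own clock by more than the skew."""
    return abs(client_now - kdc_now) <= MAX_CLOCK_SKEW


def renewal_schedule(auth_time, ticket_lifetime, renewable_lifetime):
    """Simplified model of when a non-interactive service must renew its ticket:
    once per ticket_lifetime after authentication, until the renewable lifetime
    is used up and a fresh authentication with the keytab is required."""
    renew_till = auth_time + renewable_lifetime
    schedule, t = [], auth_time + ticket_lifetime
    while t < renew_till:
        schedule.append(t)
        t += ticket_lifetime
    return schedule


def demo():
    """Constructed scenario: TGT issued at 08:00 UTC with a 10 h ticket lifetime
    and a 7 day renewable lifetime; probes at several later times."""
    auth = datetime(2024, 3, 1, 8, 0, tzinfo=timezone.utc)
    end, renew_till = auth + timedelta(hours=10), auth + timedelta(days=7)
    return {
        "after_1h": ticket_state(auth + timedelta(hours=1), end, renew_till),
        "after_11h": ticket_state(auth + timedelta(hours=11), end, renew_till),
        "after_8d": ticket_state(auth + timedelta(days=8), end, renew_till),
        # a workstation 3 minutes off the domain controller still authenticates,
        # one that drifted 12 minutes does not, whatever its password is
        "skew_3m": skew_ok(auth + timedelta(minutes=3), auth),
        "skew_12m": skew_ok(auth + timedelta(minutes=12), auth),
        "renewals": len(renewal_schedule(auth, timedelta(hours=10), timedelta(days=7))),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The skew check is the practical reason for the GPS/NTP hierarchy described above: a host whose clock has drifted past the tolerance fails authentication even though its credentials are fine, and on an operator workstation that looks like a locked-out user rather than a time problem.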
Figure 3. Production Zone and DMZ Linux hosts in the domain. Image used courtesy of Author
An authentication protocol is implemented as the default authentication mechanism in the Hitachi Network Manager SCADA System. Standard services like Kerberos, LDAP, and DNS are used in different contexts. For example, Kerberos and LDAP are used for the integration of Linux hosts, while DNS is required for Windows domain members.
Domain Name System (DNS)
DNS is not part of AD, but if it is implemented in the same host as a domain controller, all DNS records are stored in the AD.
Group Policy Object (GPO)
GPOs are used to harden Windows hosts through security policies, which are enforced by the domain controllers within the domain. They are also used for software deployment and installation in order to facilitate uniform installation throughout the Windows hosts in a domain.
Security Audit Trail
Logging security-related events is very useful for capturing and recording operating system events, application-related events, and user activity for review and analysis. It is possible to log both the successful actions and the failed attempts on the system network, and these log entries can be integrated with external security functions for secure storage and analysis. The authentication (login/logoff) actions are logged in the domain controller event list. Failed logins are not logged by default; however, after changing the security policy, failed logins show up in the event list of the domain controllers as well.
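What "review and analysis" of the domain controller event list looks like in practice is shown by the following added example (not code from the article or from any SIEM product). It reads an export of security events from the domain controllers, counts failed logons per account and source address, and flags a success that follows a burst of failures from the same source, which is the sequence that is invisible until the audit policy change mentioned above makes failed logons appear. The event lines, hosts, accounts and addresses are constructed; the event IDs 4624 (successful logon), 4625 (failed logon), 4771 (Kerberos pre-authentication failed) and 4634 (logoff) are the standard Windows ones, and the CSV layout is an assumed export format.

```python
"""Added example (not from the article): scan exported domain controller security
events for failed logons and for failures followed by a success. The event
records are constructed; the CSV column layout is an assumption."""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed export, in a CSV layout a SIEM or a wevtutil-to-CSV pipeline might use.
SAMPLE_EVENTS = """\
time,host,event_id,account,source_ip,status
2024-03-01T06:58:01Z,dc01,4624,operator1,10.10.1.31,0x0
2024-03-01T06:58:40Z,dc01,4625,operator2,10.10.1.32,0xC000006A
2024-03-01T06:58:42Z,dc01,4625,operator2,10.10.1.32,0xC000006A
2024-03-01T06:58:44Z,dc01,4625,operator2,10.10.1.32,0xC000006A
2024-03-01T06:58:46Z,dc01,4625,operator2,10.10.1.32,0xC000006A
2024-03-01T06:59:10Z,dc02,4771,svc-hist,10.20.1.10,0x18
2024-03-01T07:00:00Z,dc01,4624,operator2,10.10.1.32,0x0
2024-03-01T07:01:00Z,dc01,4634,operator1,10.10.1.31,0x0
"""

# 4625: logon failure; 4771: Kerberos pre-authentication failed (bad password for a TGT request).
FAILURE_IDS = {"4625", "4771"}


def ts(value):
    """Parse the export's UTC timestamps."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_events(text):
    """Rows from all domain controllers, in export order."""
    return list(csv.DictReader(io.StringIO(text)))


def failed_logons(events):
    """Count failed logons per (account, source address) across every domain controller."""
    return Counter((e["account"], e["source_ip"])
                   for e in events if e["event_id"] in FAILURE_IDS)


def suspicious_sequences(events, threshold=3, window=timedelta(minutes=5)):
    """Flag each successful logon (4624) preceded, within `window`, by at least
    `threshold` failures for the same account from the same source address."""
    findings = []
    for i, e in enumerate(events):
        if e["event_id"] != "4624":
            continue
        t = ts(e["time"])
        prior = [p for p in events[:i]
                 if p["event_id"] in FAILURE_IDS
                 and p["account"] == e["account"]
                 and p["source_ip"] == e["source_ip"]
                 and t - ts(p["time"]) <= window]
        if len(prior) >= threshold:
            findings.append((e["account"], e["source_ip"], len(prior), e["time"]))
    return findings


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for (account, source), count in failed_logons(events).most_common():
        print(f"{count} failed logons for {account} from {source}")
    for account, source, count, when in suspicious_sequences(events):
        print(f"ALERT: {account} logged on from {source} at {when} after {count} failures")
```

Both the per-source counts and the failure-then-success rule depend on the domain controllers recording 4625 and 4771 in the first place; with the default policy the script only ever sees the successful logons, so enabling failure auditing is what makes this kind of review possible.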
I agree with most of this article and am glad to see that someone actually posted some of the work to do every day in CS. They actually also get reports daily about Control System Vulnerabilities from several security agencies monitoring and testing your like said systems. I can't reveal those Specialists due to the nature of their work. NES, CIPS are great assets to have with very knowledgeable people helping in the background.
Probably the biggest challenge IS/IT has is getting the Plant personnel to buy in to the restrictions you have to put on their Control systems to keep infiltration out. OPs still wanted to make logs and load them on Flash drives. They wanted an alarm monitor to be a Television in the PM hours. They didn't like signing in every Shift on all Control Monitors. All of the changes and data were logged on the DCS and recorded on RAID drives stored daily on a Terabyte Station.
I did it for about 7 years before I retired 2 years ago.
You Guys are doing Good work and thank all of you working behind the Scenes to Keep the Bad Guys out..
BobM, Central Florida, 36 years I/C Controls and System Administration.