Security Aspects for Industrial control systems

Gopinath Ch

Greetings,

I came across a couple of topics on security risks for industrial control systems. This seems to be a very interesting subject. Can anyone please provide pointers about the security threats to DCS/PLC/RTU/SCADA and, more importantly, any threat to fieldbus networks?

Thanks
Gopinath Ch
 
The best security device is an air gap... If you don't have any outside connection such as Internet, radio or dial-up etc., you cannot get to the system unless you are already on the "inside" of the plant (in which case you can do all kinds of damage).

Today the control systems in most plants are not connected anywhere and have no outside access, so there is no problem. For a plant-type installation the possible security risk is if the control system is connected to the enterprise IT network without adequate security. You should have a router with a firewall between the control system network and the IT network. If this router is administered by the corporate IT people, they may disable the security for their own administrative convenience; this would be a risk. Therefore, it is a good idea that the control people administer (have ownership of) a router on the control system network side, even if this means there are two routers back to back. This way the control system engineers are in control of who can gain outside access to the control system. If you have dial-up access to the control system, you need passwords etc. If you use a wireless LAN in the control system (e.g. for portable maintenance tools etc.), you need to enable the wireless LAN security such as encryption and MAC address filtering etc.

For widely geographically distributed applications such as SCADA, where all the gear is on the "outside" and communication is often by radio, use similar means. Communication shall be encrypted (done by many radios) and use frequency hopping (i.e. the radio only dwells a few ms at each frequency, making it impossible to track). Radios may also permit a limit on the number of devices connected, making additional connections impossible. Additional encryption can be done using VPN or SSL in a PC, embedded in network gear, or even in a device.

In addition to the above, it is very difficult to interpret data in order to eavesdrop or insert commands unless you have a copy of the system configuration file allowing you to understand what data is actually being communicated.

All of the above is at the higher-level network (typically Ethernet), which is the only place where external access can take place. Field-level buses (fieldbus) usually have no direct connection to the outside world.

Jonas Berge
==================
[email protected]
www.smar.com
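The back-to-back router arrangement Jonas describes, as an added example that is not part of the original post: a small Python model in which each router applies its own first-match rule list with a default deny, so a blanket "convenience" allow added to the corporate-owned router still cannot get traffic past the control-owned router. The addresses, the historian host and the port (502, assumed to be a data-collection port) are constructed for the example.

```python
# Added example, not from the thread: two packet filters in series, one owned
# by corporate IT, one owned by the control engineers. A packet from the IT
# network only reaches the control network if BOTH routers allow it.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    port: int


# A rule is (action, source network, destination network, port or None for any).
def matches(rule, pkt):
    _, src_net, dst_net, port = rule
    return (ip_address(pkt.src) in ip_network(src_net)
            and ip_address(pkt.dst) in ip_network(dst_net)
            and (port is None or port == pkt.port))


def decide(rules, pkt):
    """First matching rule wins; anything that matches no rule is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule[0]
    return "deny"


def reaches_control_network(it_rules, control_rules, pkt):
    """Series composition: the control-owned router gets the final say."""
    return decide(it_rules, pkt) == "allow" and decide(control_rules, pkt) == "allow"


# Constructed sample addressing: 10.1.0.0/16 is the IT network, 10.2.0.0/16 the
# control network. Corporate IT has loosened their router to pass everything.
IT_ROUTER = [
    ("allow", "10.1.0.0/16", "10.2.0.0/16", None),  # "administrative convenience"
]
# The control engineers' router only lets one historian host (constructed)
# read from one data server on one port; everything else from IT is denied.
CONTROL_ROUTER = [
    ("allow", "10.1.0.50/32", "10.2.0.10/32", 502),
    ("deny", "10.1.0.0/16", "10.2.0.0/16", None),
]

if __name__ == "__main__":
    ok = Packet("10.1.0.50", "10.2.0.10", 502)
    stray = Packet("10.1.0.77", "10.2.0.10", 502)
    print(reaches_control_network(IT_ROUTER, CONTROL_ROUTER, ok))     # True
    print(reaches_control_network(IT_ROUTER, CONTROL_ROUTER, stray))  # False
```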
 
Lynn August Linse

ISA has started a working group on security - SP99. They will be meeting in Houston on 23/24th Jan 2003 in conjunction with an ISA security conference 21-23rd Jan.

There is a growing collection of example "security breaches", most of which could have been prevented by common sense and active management of the meager security most control systems already have. For example, there have been several cases of ex-employees or sub-contractors who, not having had a contract renewed because the system "runs ok without you", try to prove they are still needed by using pilfered radio modems or dial-up passwords to log back in and cause problems. Obviously, had the access codes been changed, these wouldn't have occurred.

There is also a growing collection of "boo-boos" where someone in one state/country accidentally resets or reprograms a robot or controller in another state/country by typing the wrong IP address. Obviously, the WAN could have been set up to block this - but there may also be legitimate reasons to access devices remotely.

So in many ways it's not a technology problem. It is more how average, non-security expert users can understand the risks and make system security an active process that prevents common problems.

Best Regards

Lynn August Linse,
[email protected]
IA Firmware Specialist, Digi Int'l (www.digi.com)
 
I didn't do it, but I heard about one from the guy (at a different company) who did it. A tech and an IT person were working on a database and wanted to delete a number of tables. They logged in and then deleted the tables. As they watched the results of the commands, they saw tables deleted that they didn't recognize. It turned out that a database at another company plant, in another country, had the same database name, passwords, and most of the same table names. I'm told it was an exciting Saturday afternoon!

Ed

Speaking for me, not for Starbucks. . .
 
Lynn August Linse

Unfortunately Bruce, industry is still a bit in denial so most such incidents are quietly dismissed as one-off-never-to-happen-again - most I've heard lately from the auto industry have been at various private meetings related to Ethernet protocol standards. A number of people who thought they could worry about security 2-3 years from now ... have changed their minds ;^)

As could be imagined, such failures can have a very negative impact on customer confidence and even cause serious contract issues with unions. Imagine being a line worker and now you have to worry that some guy 500 miles away may accidentally take over your nearest robot and ask it to do "something else". Forget all the interlocks and laser curtains that mean you won't really get hurt - it's just the idea that your "friend" here could go mad at any instant because of the wonderful world of networks.

One group very interested in this and actively creating such a 'collection' is at http://www.tc.bcit.ca/gait/iel/ - give them a call and ask for Mr. Byres. He is collecting this info to help industry understand the real situation, not just imagined scenarios.

Best Regards
Lynn August Linse, [email protected]
IA Firmware Specialist, Digi Int'l (www.digi.com)
Foothill Ranch CA 92610-1743 USA
Ph/Fx: 949-916-1524 or 949-212-5802
 
I am working on coming up with a white paper on security aspects in industrial control systems. Any information shared on this topic will be very helpful. A few points I am mentioning here:

1) EPRI suggests that the ICCP protocol for SCADA needs to be enhanced to take care of information security, and also feels that fieldbus protocols and the DNP 3.0 protocol shall be strengthened by industry. Is any work in this direction happening as far as fieldbus protocols and DNP 3.0 are concerned?

2) The Industrial Ethernet based fieldbus protocols like Ethernet/IP, Ethernet/TCP, HSE - are they vulnerable to security threats? Is any work in progress to strengthen these protocols?

3) It is interesting to know that real-time secured kernels are emerging; one example I came across is TTCB (Trusted Timely Computing Base). Are there any more systems like this? How are commercial RTOSes like VxWorks / QNX catering to the security issues?

Can anyone please throw some light on this?

Thanks
Gopinath Ch