A SUPPLEMENT TO CONTROL ENGINEERING MAGAZINE
Securing Control Networks
It was, the plant process engineer recalled later, like helplessly watching a train wreck. Or an outbreak of the flu. One by one the systems on the plant floor, the ones running the process control network (PCN), quit responding and shut down. As they did, the machines that made the engine parts stopped and the factory grew quiet.

Fortunately, fail-safes built into the equipment and PCN by the process engineering group confined the damage to money lost as a result of downtime alone. No one was injured, but it took days to stamp out and inoculate against the worm that had crawled into the PCN through the corporate network.

Unfortunately, this incident isn't an isolated event. "I hear similar stories almost every day," says Rich Clark, an industry security expert and spokesperson for Invensys Wonderware.

As for why such horror stories are common, it's a result of threats and network security measures that either aren't followed or aren't really designed with process control and SCADA (supervisory control and data acquisition) environments in mind. Such settings, designs, and thinking are foreign to many IT professionals. Additionally, methods of breaching secure networks with viruses and other malware are freely available on the Internet with instructions on how to build them and enter a target enterprise via the corporate network through an unsuspecting email user or Web surfer.

Wonderware understands PCNs and SCADA systems and has developed concrete guidelines to help secure such networks. A principal component of these guidelines involves paying attention to the technology basics and treating a PCN as an end device—not as a collection of individual machines as many IT departments often do.

The Network as One Device

When it comes to a network, technology basics revolve around the communication protocols that provide the groundwork for the network itself. Most current network designs often put the PCN on the same footing as the corporate network, with everything sitting behind a firewall and a demilitarized zone, or DMZ.

Though DMZs have a proper place, especially for Web and email servers, the problem is that the DMZ in typical network designs lies between an organization's internal network and external networks, such as the Internet. This means that any internal host is allowed connection to the outside world.

Furthermore, all networks in this architecture are on the same administrative domain. This means the PCN itself is susceptible to failures of and attacks on the corporate network. So a virus or worm that penetrates the office network can move into the PCN or SCADA system and spread throughout the factory floor.

Beyond the security problems, there's a bandwidth issue to deal with as well in this type of network architecture. In a typical IT-designed enterprise, separate firewalls sit between a PCN and the application servers in the DMZ as well as the corporate network.

The firewall between the PCN and the DMZ can filter a lot of data traffic, especially in a large enterprise where many machines are constantly communicating with the servers. This flood of traffic has to pass through the firewall in both directions, potentially overwhelming it, says Clark.

One solution, which has been verified to be secure through laboratory testing and modeling by Wonderware using available security practices, designs, and hardware, and subsequent implementations by several large customers, is to treat the whole PCN as one end device. In this arrangement, a firewall sits between the process control secure area, an effective DMZ, and the corporate network.

Most of the traffic within the PCN flows over a secured network, with a workgroup, virtual LAN, or domain controller (depending on the scale of the enterprise) connecting factory machines to application servers, engineering stations, and other devices. Microsoft Active Directory, which stores information and settings relating to an organization in a central, organized, accessible database, can be connected to the VLAN and used to manage users and PCN domain security in larger enterprises. As a result, minimal traffic passes through the firewall sitting between the corporate network and the PCN.

In addition, there is only a single point of entry into the network using this architecture scheme, effectively separating the PCN from its corporate cousin. This architecture also removes bandwidth consumers such as personal emails and Web surfing from the PCN. Additionally, the single point of entry allows preemptive
security appliances like a 3COM-Tipping Point Device to be added to filter and protect the secured area of the PCN.

Effectively employing this approach does require a change in thinking among process control and IT groups. Pulling it off successfully frequently takes a team composed of people from both organizations.

[Figure: Wonderware Secure PCN Architecture Guidance. The whole domain is an "End Device."]

As for secure communication protocols to be used in this kind of system architecture, the one favored by the most secure government agencies is IPSec. A standard for securing Internet Protocol (IP) communications, IPSec encrypts and/or authenticates all IP packets and provides security at the network layer. It is closer to the physical network hardware than other communication protocols and is part of the upcoming IPv6, also known as the next generation Internet protocol.
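
The single-point-of-entry design described above can be checked against observed traffic. This added example (not code from the article or from Wonderware) audits constructed flow records for anything that touches the PCN without an approved crossing; the address ranges, the allowlist entry and the ports are assumptions for illustration.

```python
import ipaddress

# Constructed address plan and allowlist (assumptions, not from the article).
PCN = ipaddress.ip_network("10.10.0.0/16")
CORPORATE = ipaddress.ip_network("10.30.0.0/16")
# Crossings the boundary firewall is meant to pass: (source, destination, dst port).
ALLOWED_CROSSINGS = {("10.30.5.20", "10.10.1.5", 1433)}

# Constructed flow records: "src dst dst_port bytes".
SAMPLE_FLOWS = """\
10.10.2.11 10.10.1.5 1433 52000
10.10.2.12 10.10.1.5 1433 48000
10.30.5.20 10.10.1.5 1433 900
10.30.7.77 10.10.2.11 445 1200
10.10.2.12 198.51.100.25 80 7300
10.10.1.5 203.0.113.9 25 400
10.30.7.77 198.51.100.25 443 9100
"""

def zone(addr):
    """Map an address to 'pcn', 'corporate' or 'external'."""
    ip = ipaddress.ip_address(addr)
    if ip in PCN:
        return "pcn"
    return "corporate" if ip in CORPORATE else "external"

def audit(flow_text):
    """Return PCN-internal bytes, boundary-crossing bytes and policy violations."""
    report = {"inside_bytes": 0, "crossing_bytes": 0, "violations": []}
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, port, nbytes = line.split()
        zones = (zone(src), zone(dst))
        if zones == ("pcn", "pcn"):
            report["inside_bytes"] += int(nbytes)   # stays inside the "end device"
        elif "pcn" in zones:
            report["crossing_bytes"] += int(nbytes)
            if (src, dst, int(port)) not in ALLOWED_CROSSINGS:
                why = ("PCN host talking to an external network"
                       if "external" in zones else "unapproved corporate/PCN flow")
                report["violations"].append((src, dst, int(port), why))
    return report

if __name__ == "__main__":
    result = audit(SAMPLE_FLOWS)
    print(result["inside_bytes"], result["crossing_bytes"])
    for v in result["violations"]:
        print(v)
```

Corporate-to-Internet traffic is deliberately out of scope here; only flows with an endpoint inside the PCN are judged.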
Threats Abound

Since it's impossible to create an enterprise that's 100% secure, it's necessary to prioritize threats. The list of potential problems is long, with external threats such as organized crime and terrorism directed against a plant or its customers being one possibility. There are also internal threats arising from disaffected staff and contractors.

Some of the attacks will exploit social engineering, where the intruder attempts to trick an insider into giving up the information needed for the attack to succeed. There have also been advances in freely available hacking tools that allow increasingly sophisticated attacks with less and less intruder technical knowledge. Today, attackers can infect innocent computers, turn them into zombies, and then launch distributed attacks that relentlessly probe for a weakness.

That's where the 80/20 rule comes into play. Some 80% of attacks are relatively easy to defend against. The remaining 20% can require increasingly larger amounts of money and resources to prevent. Fortunately, the most probable attacks are almost always the ones that are easiest to defend against. However, only by conducting a risk analysis and risk assessment can threats be properly categorized and mitigated. When a formal risk assessment is conducted, the probability of each identified attack or risk occurring is determined and put on a scale between a value of one, or having a 100% chance of happening, and 0, or having a 0% chance of occurring. Real world threats fall between these two extremes.

Armed with such an assessment, a committee within a company can establish written corporate security policies and procedures. Composed of subject matter experts, the committee should include process engineers and IT personnel who are being, or have been, cross-trained in each other's area.

It's especially important to get executive and upper management buy-in and adherence to the resulting policies and procedures. No one within the organization can be exempt from these policies and procedures.

Sweet Security

Clark has a final recommendation that should appeal to anyone who's ever watched a network crumble under the onslaught of a virus or worm. "Set traps. Use honeypots. And go after the attackers," he says.

Deliberately inviting assault, "honeypots" lure attackers by offering the sort of ill-defended target they seek. By monitoring the attackers' activities on these devices that appear to contain valuable data and processes, IT and process control personnel can get a better idea about who the attackers are, where attacks are originating, and what their likely avenues of assault will be. That, in turn, can help strengthen defenses and the security of the rest of the network, and if necessary, the company can involve the Department of Homeland Security to catch and prosecute the attackers by providing the forensic information that was captured and recorded by observing the attack. As an added bonus, turning the tables on intruders can be its own reward.

That proactive approach, along with the right network design and company policies, can help ensure that your company isn't sitting there helplessly watching as the network goes down.
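
A minimal decoy listener illustrating the monitoring described above, as an added example that is not from the article or from Wonderware: it records who connected, to which decoy port, and a hash of the first bytes sent so the record can serve as evidence. The loopback address, field names and the test contact are assumptions.

```python
import hashlib
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone

class DecoyHandler(socketserver.BaseRequestHandler):
    """Accept a connection, record who connected and what they sent, answer nothing."""

    def handle(self):
        self.request.settimeout(2.0)
        try:
            data = self.request.recv(1024)      # first bytes only; never parsed or executed
        except OSError:                         # timeout or reset: still worth recording
            data = b""
        self.server.events.append({             # list.append is atomic in CPython
            "time": datetime.now(timezone.utc).isoformat(),
            "src_ip": self.client_address[0],
            "src_port": self.client_address[1],
            "decoy_port": self.server.server_address[1],
            "bytes": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),   # integrity reference for evidence
            "preview_hex": data[:32].hex(),
        })

def start_decoy(host="127.0.0.1", port=0):
    """Start the decoy in a background thread; port 0 lets the OS pick a free port."""
    server = socketserver.ThreadingTCPServer((host, port), DecoyHandler)
    server.daemon_threads = True
    server.events = []
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def wait_for_events(server, count, timeout=3.0):
    """Block until `count` contacts are recorded or the timeout passes."""
    deadline = time.monotonic() + timeout
    while len(server.events) < count and time.monotonic() < deadline:
        time.sleep(0.05)
    return list(server.events)

if __name__ == "__main__":
    decoy = start_decoy()
    with socket.create_connection(decoy.server_address, timeout=2) as c:
        c.sendall(b"constructed-probe")         # constructed test contact, loopback only
    for event in wait_for_events(decoy, 1):
        print(event)
    decoy.shutdown()
```

Because no legitimate system has a reason to contact the decoy, every recorded event is worth reviewing.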
December 2005