Contents

Process Control System Background & Security
Hardware Vulnerabilities
Software Vulnerabilities
Network Security
Media & Security
Steps Towards Security
Authentication
Encryption Standards
Other Issues

by Anil Sinha, Consultant/ Advisor

Notice
Some of the diagrams and the text have been taken from the World-wide-web, purely for illustrative purposes. These remain the copyright/ property of their respective owners.

BACKGROUND
Security
Freedom from Danger, Risk, etc.

Need for Security
Once installed, a Process Control System serves well, until mal-operation.

Mal-operation may be due to:
• Hardware Failure
• Fault in Software
• Software Bug
• Bad Installation
• Wrong Configuration/ Wrong Handling
• External Factors
• Deliberate Act of Mischief
Hardware Faults
The obvious remedy is to Repair or Replace the faulty Hardware.

The Resources needed are:
• Trained Workforce
• Documentation
• Easily accessible Spares
• Tools & Tackle
• Test & Measurement Equipment

Preventive Strategy
Long-term preventive strategy:
• Make available the required Resources
• Identify the Vulnerabilities and prepare to counteract them

Vulnerabilities may be found in:
• Hardware, or related to Hardware
• Software, including System Software and Databases
Concerns
Process Control Systems are computer systems – just smaller and more vulnerable.

A Process Control System is heavily reliant on interconnected computer systems, and these are vulnerable to security breach.

Process Control Systems do not change for decades, while the security threats grow every year.

Process Control Systems are often:
• Connected to the internet
• Not managed by professional IT staff
• Heavily reliant on wireless communication

They are under attack already!

Different Perceptions

Control Systems                              | Information Technology
---------------------------------------------|--------------------------------------------------------
Reliability/ Availability-centric            | IT people do not know control systems
Rely mainly on Obscurity & Isolation         | Control Systems are not managed by IT people, hence ignored
Designed around easily available HW & OS     | The usual IT security may not apply to Control Systems
Vendors usually have back-door access lines  | Trend: connecting Control & Enterprise Systems
Notorious for using Default Passwords        |
HARDWARE VULNERABILITIES

Sections Covered
Sensors
Communication
Automation Systems
Process Control System HW Configuration
Vulnerabilities: Sensors
• Failed Sensors
  • Identify
  • Block
  • Root Cause Analysis
  • Replace
• Off-calibration Sensors
  • Identification
  • Root Cause Analysis
  • Re-calibration

Vulnerabilities: Communication
• Cabling: Physical damage, Interference, Cross-talk, Leakage, Short
• Relays
• Joints & Connections
• DC Supply & Earth

Vulnerabilities: Automation Systems
• Supply voltage & Earth
• Spurious data
• Firmware/ Software Errors
• Module failures

Vulnerabilities: Process Control System Hardware Configurations
• Computer Hardware failure
• LAN equipment failure
• Hard disk failure
• Watchdog failure
SOFTWARE VULNERABILITIES

Sections Covered
System Software
Process Control Software
HMI (Human Machine Interface)
Communication SW

Vulnerabilities: System Software
• Operating System corruption
• Inconsistent Versions
• Incompatible with the Process Control/ Communication/ Other Software
• Virus attack
• Missing Updates
• External attacks:
  • Spam
  • Denial of Service (DoS)
  • Hacking, System Hijack, Impersonation
  • Etc.

Vulnerabilities: Process Control Software
• Missing Updates
• Incompatibility with the OS version
• Corruption/ Deletion of a part of the software
• Corrupt I/O
• Corrupt Configuration data
• Corrupt Database
• Failure of redundancy management

Vulnerabilities: HMI
• Corrupted Software
• Missing updates
• Corrupt system data
• Incompatibility with the OS

Vulnerabilities: Communication Software (Protocol)
• Wrong Configuration
• Mismatched Versions
• Part-/ Non-compliant devices
NETWORK SECURITY

Sections Covered
Network Security Issues
Serial Link
Dial in/ Dial up
LAN (Local Area Network)
WAN (Wide Area Network)
VPN (Virtual Private Network)
Network Security Issues
A complete Process Control System installation may have the following part networks:
• Automation Level to Control Centre Level (Serial/ LAN/ WAN/ VPN)
• At the Control Centre (Inter-server LAN)
• Link to Internet, Remote HMI, Corporate Net (WAN/ WWW/ VPN)
• Remote Access to Vendor (Dial-in/ WAN/ VPN)

Depending on the system requirement, the latter two links may or may not be present, but the first two links will always be there.

Serial Link
• No link address is needed for point-to-point communication
• Tapping the link is relatively simple
• Address spoofing is possible
• Protocol emulation can be used to inject unauthorised packets

Dial-in/ Dial-up
A Dial-in or Dial-up facility may be provided for the following reasons:
• To acquire data from, or send commands to, a low-priority process point, to reduce the cost of communication
• To access a process point with a rather high cycle time, where the investment in dedicated communication infrastructure may not be justified
• To enable the vendor to access the system remotely for diagnostics or system updates. Recent installations use a WAN for this purpose rather than Dial-in

Dial-in/ Dial-up requires the use of a modem pair. The hardware cannot identify the party at the other end, so impersonation is possible.

LAN
• Based on TCP/ IP, hence very well documented
• Adding additional members is as simple as plugging in
• UDP is less secure than TCP (no connection state to guess), but address spoofing is possible in either mode
• Passive snooping is easily possible
• Legitimate-looking packets may be introduced on the bus by unauthorised means, thereby disturbing the functioning of the system
WAN
As for LAN, TCP/ IP WAN is also well documented, and similar security issues may be present on the WAN.

The false node need not even be located in the control centre area. An impersonator located anywhere in the world can pose as a valid node and hijack the system.

Injection of false data and unauthorised commands is a distinct possibility.

VPN
Since a VPN (Virtual Private Network) is created atop a standard public network, generally the Internet, a knowledgeable fraudster may tunnel through the defences to pose as a legitimate node, and misuse the privileges to hijack or misdirect the system.

MEDIA & SECURITY

Sections Covered
Copper Cables
Fiber Optic Cables
Wireless Communication
Terrestrial Radio Communication
WiFi Communication
Microwave Communication
Copper Cables
Susceptible to physical tapping by direct contact.

In many cases inductive coupling may be possible, leaving no physical trace.

Tapping diverts a minuscule amount of current from the line, which can be minimised by using high-impedance circuits.

Fiber Optic Cable
Very difficult to tap!

Normal tapping would require the cable to be physically cut and spliced, leading to damage and a significant loss of power.

Tapping is possible at an existing node, e.g. a Mux or Router with an extra free port. This needs not only physical access, but also the opportunity to reprogramme the port.

Wireless Communication
Wireless Communication includes:
• Radio Communication
• Infrared Communication
• Laser (without FO Cable) Communication

Only Radio Communication is referred to here, as the other two would rarely be applied in a Process Control configuration.

Radio Communication is notoriously simple to overhear. The only requirement is to place an antenna in the path of the waves. It is totally invisible to the other users.

Injecting false packets is possible but difficult. Packet collision is to be expected.

Terrestrial Radio Communication
• Omni-directional communication
• Easy to install a sniffer
• Relatively easier to inject false packets, provided collision is avoided
WiFi Communication
Uses the 802.11 standard with built-in security in place.

Reasonably secure, provided a good password policy is applied. The built-in security is only as strong as the variant in use: WEP is broken regardless of the password, so WPA2 or later with a strong passphrase (or 802.1X) is the minimum worth relying on.

The security feature is completely lost if the password becomes known to unfriendly elements.

Microwave Communication
Line-of-sight.

However, there are additional energy lobes (side lobes) away from the main lobe. Parallel listening is simple along these extra lobes.

It would be practically difficult to inject a sufficiently powered signal onto the antenna to match the regular signal. Synchronising the false signal with the clock of the regular signal does not rule out collision.
STEPS TOWARDS SECURITY

Types of Security
Authentication
• Prove who you say you are
Integrity
• Ensure the data hasn't been tampered with
Encryption
• Hide data from eavesdroppers
Key Management
• Distribute and revoke keys
How
Security may be applied:
• Externally: in a separate device
• Internally: as a part of the protocol itself

Application Layer Security
Routers and standard encryptors do not address:
• Security at the local site
• Security of a serial link over unencrypted radios
• Security of a serial link over terminal servers
• Security from "rogue applications" at master stations
• Linking role-based authentication to the remote site

Application Layer Security addresses these shortcomings, as it secures the communication end-to-end.
IEC Efforts on Security
IEC TC57 Working Group 15 is working on the security issues related to many of the IEC communication protocols.

It was created to develop security solutions for all TC57 protocols:
• IEC 60870-6 (TASE.2/ ICCP)
• IEC 60870-5-101, 102, 103, 104
• IEC 61850
• IEC 61968/ 61970 Common Information Model

The scope includes 'security policy' derivatives.

The result is the IEC 62351 Security Standards.

The DNP User Group is aligning DNP with the recommendations of the IEC Working Group.

IEC 62351 Security Standards
IEC 62351 parts:
• IEC 62351-1 Introduction
• IEC 62351-2 Glossary
• IEC 62351-3 TCP Profiles
• IEC 62351-4 MMS Profiles
• IEC 62351-5 60870-5 and DNP3
• IEC 62351-6 IEC 61850 peer-to-peer
• IEC 62351-7 Objects for Network Management

Targeted protocols:
• IEC 60870-6 TASE.2/ ICCP
• IEC 101/ 102/ 103
• IEC 61850
• IEC 104
Application of IEC 62351-5
The standard defines a "generic" protocol:
• Message formats
• State machines
• Key lengths
• Timers
• Configurable parameters
• Options

The IEC 60870-5/ DNP3 protocols 'map' it:
• Function codes and Objects to carry the generic messages
• Default values and options
• Interaction with the IEC 60870-5/ DNP3 protocol

AUTHENTICATION
Hash to Authenticate
Sender: the Message and the Key are fed to the Hash Function, producing a Hash. The Message and the Hash are sent; the Key is not sent.
Receiver: the received Message and the locally held Key are fed to the same Hash Function, and the resulting Hash is compared with the received one.

Hash Function
h = hash(m), where 'm' is a message of variable size, but 'h' is the output of fixed size.

'hash' is the Hash Function with the following properties:
• If h = hash(m), there is no practical way to determine m from h (no function m = unhash(h)); this is the one-way property
• If h1 = hash(m1) and h2 = hash(m2), then h1 ≠ h2 if m1 ≠ m2. Since a variable-size input is mapped to a fixed-size output this cannot hold absolutely; the requirement is that finding two messages with the same hash is computationally infeasible (collision resistance)
• If h1 = hash(m1) and h2 = hash(m2), then m1 ≠ m2 if h1 ≠ h2. This follows directly from the hash being a deterministic function

Ideally, the Hash Function is a 'one-way' function.

CRC is a weak example of a Hash Function: it is a linear check value with no key, so anyone who alters a message can recompute a matching CRC. It detects accidental corruption, not deliberate tampering.

Generally a 'Key' is used within the Hash Function, producing a keyed hash or message authentication code (MAC); HMAC is the standard construction. Only a party holding the Key can produce a valid Hash, which is what turns an integrity check into authentication.
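The keyed-hash check described above, as an added example in Go (not code from the slides): it puts an unkeyed CRC-32 beside HMAC-SHA256 over the same constructed command frame, lets an attacker flip one bit of the frame, and shows that the CRC check still passes while the keyed hash rejects both a reused tag and a tag computed under a guessed key. The frame, the key and all function names are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

// Constructed sample data for this example (not from the slides): a control
// command frame and a 256-bit key that key management would supply in practice.
var (
	SampleKey     = []byte("0123456789abcdef0123456789abcdef")
	SampleCommand = []byte("CTRL OPEN BREAKER 07")
)

// TagCRC computes CRC-32, a public linear check value: it catches line noise,
// but any party can recompute it for a modified frame.
func TagCRC(msg []byte) []byte {
	t := make([]byte, 4)
	binary.BigEndian.PutUint32(t, crc32.ChecksumIEEE(msg))
	return t
}

// TagHMAC is a keyed hash (HMAC-SHA256); producing a valid tag requires the key.
func TagHMAC(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// CRCAccepts is the receiver's check when only a CRC protects the frame.
func CRCAccepts(msg, tag []byte) bool {
	return bytes.Equal(TagCRC(msg), tag)
}

// HMACAccepts is the receiver's check with a keyed hash. hmac.Equal compares in
// constant time, so the comparison does not leak how many tag bytes matched.
func HMACAccepts(key, msg, tag []byte) bool {
	return hmac.Equal(TagHMAC(key, msg), tag)
}

// Tamper flips the lowest bit of the last byte, turning "07" into "06":
// a one-bit change that redirects the command to another breaker.
func Tamper(msg []byte) []byte {
	t := append([]byte(nil), msg...)
	t[len(t)-1] ^= 0x01
	return t
}

// ForgeCRC is the attacker's move against a CRC-protected frame: modify the
// message and recompute the check value with the public algorithm.
func ForgeCRC(msg []byte) (tampered, tag []byte) {
	tampered = Tamper(msg)
	return tampered, TagCRC(tampered)
}

// ForgeHMAC tries the two things an attacker without the key can do against an
// HMAC-protected frame: reuse the original tag, or tag the modified frame under
// a guessed key. It reports whether the receiver accepts either attempt.
func ForgeHMAC(key, msg, originalTag []byte) bool {
	t := Tamper(msg)
	reuse := HMACAccepts(key, t, originalTag)
	guess := HMACAccepts(key, t, TagHMAC([]byte("guessed-key"), t))
	return reuse || guess
}

func main() {
	tampered, crcTag := ForgeCRC(SampleCommand)
	fmt.Printf("CRC:  %q accepted after forgery: %v\n", tampered, CRCAccepts(tampered, crcTag))

	tag := TagHMAC(SampleKey, SampleCommand)
	fmt.Printf("HMAC: genuine frame accepted: %v\n", HMACAccepts(SampleKey, SampleCommand, tag))
	fmt.Printf("HMAC: forged frame accepted:  %v\n", ForgeHMAC(SampleKey, SampleCommand, tag))
}
```

The constant-time comparison in HMACAccepts matters on a slow serial device: a byte-by-byte comparison that stops at the first mismatch lets an attacker on the link time how much of a guessed tag was right.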
Authentication Procedure
The following steps form the Procedure:
• Sender sends a hashed authentication message to Receiver
• Receiver checks the authenticity of the message
• If OK, Receiver sends an authenticated acknowledgement to Sender
• Sender checks the authenticity of the acknowledgement

This completes one cycle of Authentication.

Authentication Strategy
Strategy 1: Maximum
• Add the Authentication Procedure to every packet transmitted
• With proper 'Key' management, this strategy provides for very secure communication
• Can lead to a major penalty on data speed/ bandwidth needed
• Requires much higher processing power

Strategy 2: Challenge-Response
• Authenticate at protocol
  • Initialisation
  • Periodically, thereafter
  • Critical functions
• Bandwidth/ processing power requirement is moderate
• Security is quite good, together with good 'Key' management

Strategy 3: Aggressive
• Add the authentication hash at the end of the standard message
• The message is authenticated by the receiver and processed
• Generally, no authenticated acknowledgement is sent back, only the regular protocol acknowledgement
• Reasonable security is achieved, although less than in the other two cases
• Much smaller penalty on time
• At the point of initialisation, the Challenge-Response strategy should be applied
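The challenge-response cycle (Strategy 2) and the aggressive mode (Strategy 3) described above, simulated as an added Go example. This is not the IEC 62351-5 or DNP3 Secure Authentication implementation, only the idea behind it: the challenger (here an outstation checking a master's commands) issues a random nonce, the responder returns a keyed hash over that nonce and the message, and one response is accepted per challenge. In aggressive mode the sender appends a tag covering the last challenge plus a per-message counter, so no round trip is needed but a captured frame cannot be replayed. The message names, the demo key and the structure of the tags are this example's own assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// mac is the keyed hash (HMAC-SHA256) over the concatenated parts.
func mac(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

func u32(v uint32) []byte {
	b := make([]byte, 4)
	binary.BigEndian.PutUint32(b, v)
	return b
}

// Challenger is the side that issues challenges (say, an outstation/ RTU verifying
// commands from a master). Both sides hold the same session key.
type Challenger struct {
	key     []byte
	seq     uint32 // challenge sequence number, sent in clear with the nonce
	nonce   []byte // nonce of the most recent challenge
	open    bool   // a challenge is outstanding and not yet answered
	lastCSQ uint32 // highest aggressive-mode counter accepted under this challenge
}

func NewChallenger(sessionKey []byte) *Challenger {
	return &Challenger{key: sessionKey}
}

// Challenge issues a fresh random nonce; the pair (seq, nonce) is sent to the peer.
func (c *Challenger) Challenge() (uint32, []byte, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return 0, nil, err
	}
	c.seq++
	c.nonce = nonce
	c.open = true
	c.lastCSQ = 0
	return c.seq, nonce, nil
}

// Respond is the responder's proof of key possession. Binding the nonce into the
// tag is what makes a captured response useless against a later challenge.
func Respond(key []byte, seq uint32, nonce, msg []byte) []byte {
	return mac(key, u32(seq), nonce, msg)
}

// VerifyResponse accepts exactly one response per challenge.
func (c *Challenger) VerifyResponse(msg, resp []byte) error {
	if !c.open {
		return errors.New("no outstanding challenge: response rejected (replay?)")
	}
	c.open = false // a second copy of the same response now fails
	if !hmac.Equal(Respond(c.key, c.seq, c.nonce, msg), resp) {
		return errors.New("authentication failed")
	}
	return nil
}

// AggressiveTag is Strategy 3: the sender appends a tag without waiting for a new
// challenge. It covers the last challenge (seq, nonce), a per-message counter and
// the message itself.
func AggressiveTag(key []byte, seq uint32, nonce []byte, csq uint32, msg []byte) []byte {
	return mac(key, u32(seq), nonce, u32(csq), msg)
}

// VerifyAggressive requires a prior challenge (initialisation must use
// challenge-response) and a strictly increasing counter, which defeats replay.
func (c *Challenger) VerifyAggressive(csq uint32, msg, tag []byte) error {
	if c.nonce == nil {
		return errors.New("no prior challenge: run challenge-response at initialisation")
	}
	if csq <= c.lastCSQ {
		return errors.New("stale counter: frame rejected (replay?)")
	}
	if !hmac.Equal(AggressiveTag(c.key, c.seq, c.nonce, csq, msg), tag) {
		return errors.New("authentication failed")
	}
	c.lastCSQ = csq
	return nil
}

func main() {
	key := []byte("session-key-demo") // constructed 128-bit demo key
	rtu := NewChallenger(key)
	cmd := []byte("OPERATE BREAKER 07")

	seq, nonce, _ := rtu.Challenge()
	resp := Respond(key, seq, nonce, cmd)
	fmt.Println("challenge-response:", rtu.VerifyResponse(cmd, resp))
	fmt.Println("replayed response: ", rtu.VerifyResponse(cmd, resp))

	tag := AggressiveTag(key, seq, nonce, 1, cmd)
	fmt.Println("aggressive frame:  ", rtu.VerifyAggressive(1, cmd, tag))
	fmt.Println("replayed frame:    ", rtu.VerifyAggressive(1, cmd, tag))
}
```

Note the trade-off the slides describe: the aggressive tag costs no extra round trip, but it only stays safe because a fresh challenge was run first and the counter is enforced; without either, a recorded frame could be replayed at will.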
Key Management
Uses 128-bit keys minimum.

Two types of keys:
Session key
• Initialised on start-up
• Changed every 10 minutes or so
Update key
• Used to encrypt session keys
• Pre-shared

Keys are encrypted using the Advanced Encryption Standard (AES) "key wrap".

Key change incorporates challenge-response.

ENCRYPTION STANDARDS
Data Encryption Standard (DES)
Adopted by the US Government in 1976/ 77 as a FIPS (Federal Information Processing Standard, FIPS PUB 46).

It is a Block Cipher, which uses a 56-bit Key.

It has been demonstrated to be defeated comparatively easily with today's computational power: the 56-bit key can be found by exhaustive search.

It has been replaced with the new AES (Advanced Encryption Standard).

DES has been withdrawn as a Standard.

DES uses a 64-bit key, of which 8 bits are byte-wise parity bits, leaving a real key of 56 bits only.

16 sub-keys of 48 bits each are derived from the main key by shifting and permuting. The sub-keys are used in the order of derivation in 16 cascaded encoding operations (rounds).

Each of these steps involves permutation, substitution and transposition to transform each 64-bit input into a 64-bit output. The output of one step forms the input to the next step.
Advanced Encryption Standard (AES)
AES replaces the old DES, as it was proven that DES with its 56-bit key is not secure enough.

AES is defined in three variations:
• AES-128 with 128-bit Key (10 rounds)
• AES-192 with 192-bit Key (12 rounds)
• AES-256 with 256-bit Key (14 rounds)

With increasing Key size, the level of security goes up.

AES-128 is the one most commonly applied.

It should be noted that no practical break of AES is known; the only generic attack is exhaustive key search, and the time required for that is so long that the method is practical with good results in real-life situations.

AES requires the plain text to be in blocks 128 bits long.

The Round Keys (one more than the number of rounds) are derived from the main key by rotation and substitution of key bytes (the key schedule).

Encryption is carried out on a 'state' (matrix of 4x4 bytes = 128 bits):
• Initially, each byte of the state is XOR-ed with the first Round Key
• Then, in every round:
  • Every byte undergoes a substitution using a look-up table (SubBytes)
  • Each row of the state is shifted cyclically by a pre-defined number of bytes (ShiftRows)
  • The four bytes in each state column are combined together (MixColumns)
  • The Round Key is added (XOR-ed) to the result (AddRoundKey)
• The final round is the same, without the 'combining' (MixColumns) step

The above is only a highly simplified description of the procedure.
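The Key Management slide above (session keys changed every few minutes, carried to the peer encrypted under a pre-shared update key with AES "key wrap") and the AES description, as an added Go example that is not from the slides. It implements AES Key Wrap as specified in RFC 3394 on top of the standard library's AES block cipher, checks the result against the RFC's own published test vector, generates a fresh random session key, wraps it and shows that an altered byte on the wire or the wrong update key is detected by the integrity check. The function names and the demo key values are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// rfc3394IV is the fixed initial value of RFC 3394; after unwrapping it serves as
// the integrity check that the right update key was used and nothing was altered.
var rfc3394IV = [8]byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// WrapKey encrypts a session key under the pre-shared update key (the KEK) with
// AES Key Wrap. The key to wrap must be a multiple of 8 bytes, at least 16.
func WrapKey(kek, plain []byte) ([]byte, error) {
	if len(plain) < 16 || len(plain)%8 != 0 {
		return nil, errors.New("key to wrap must be >= 16 bytes and a multiple of 8")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(plain) / 8
	a := rfc3394IV
	r := make([][8]byte, n)
	for i := range r {
		copy(r[i][:], plain[i*8:])
	}
	var buf [16]byte
	for j := 0; j < 6; j++ { // six passes over all n blocks, as RFC 3394 requires
		for i := 0; i < n; i++ {
			copy(buf[:8], a[:])
			copy(buf[8:], r[i][:])
			block.Encrypt(buf[:], buf[:])
			t := uint64(n*j + i + 1)
			binary.BigEndian.PutUint64(a[:], binary.BigEndian.Uint64(buf[:8])^t)
			copy(r[i][:], buf[8:])
		}
	}
	out := append([]byte(nil), a[:]...)
	for i := range r {
		out = append(out, r[i][:]...)
	}
	return out, nil
}

// UnwrapKey inverts WrapKey and rejects the result unless the integrity check holds.
func UnwrapKey(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("wrapped key has invalid length")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1
	var a [8]byte
	copy(a[:], wrapped[:8])
	r := make([][8]byte, n)
	for i := range r {
		copy(r[i][:], wrapped[8*(i+1):])
	}
	var buf [16]byte
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			t := uint64(n*j + i + 1)
			binary.BigEndian.PutUint64(buf[:8], binary.BigEndian.Uint64(a[:])^t)
			copy(buf[8:], r[i][:])
			block.Decrypt(buf[:], buf[:])
			copy(a[:], buf[:8])
			copy(r[i][:], buf[8:])
		}
	}
	if a != rfc3394IV {
		return nil, errors.New("integrity check failed: wrong update key or altered wrap")
	}
	out := make([]byte, 0, 8*n)
	for i := range r {
		out = append(out, r[i][:]...)
	}
	return out, nil
}

// NewSessionKey generates a fresh 128-bit session key (as done at start-up and
// every ten minutes or so) and returns it with its wrapped form for transmission.
func NewSessionKey(updateKey []byte) (session, wrapped []byte, err error) {
	session = make([]byte, 16)
	if _, err = rand.Read(session); err != nil {
		return nil, nil, err
	}
	wrapped, err = WrapKey(updateKey, session)
	return session, wrapped, err
}

func fromHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	kek := fromHex("000102030405060708090A0B0C0D0E0F") // RFC 3394 section 4.1 KEK
	w, _ := WrapKey(kek, fromHex("00112233445566778899AABBCCDDEEFF"))
	fmt.Printf("wrapped: %X\n", w) // expected 1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5
	session, wrapped, _ := NewSessionKey(kek)
	got, err := UnwrapKey(kek, wrapped)
	fmt.Println("round trip ok:", string(got) == string(session), err)
	wrapped[9] ^= 0x80 // one altered byte on the wire
	_, err = UnwrapKey(kek, wrapped)
	fmt.Println("altered wrap:", err)
}
```

Key wrap gives confidentiality and integrity for the session key in one step, which is why the slides can pair it with a challenge-response on every key change: the outstation only installs a new session key after the wrapped blob unwraps cleanly under the update key it already holds.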
OTHER ISSUES

Identifying Problems
Most Process Control Systems have extensive plausibility and error checks to flag an issue at the earliest.

Some instruments are capable of self error analysis.

In the case of redundant data, an additional plausibility check may be carried out; otherwise a variance analysis may be undertaken.

There are Expert Systems available in the market, but these are difficult to configure and also difficult to interpret.

However, the most potent tool is an experienced operator, who should be able to flag problems based on an interpretable series of events in the system.
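The three checks named above (a plausibility check against the physical range, a comparison of redundant sensors, and a variance analysis where no redundancy exists), as an added Go example that is not from the slides. The sensor tags, the 0-16 bar limits, the readings and the history are constructed for the example; the drifted third transmitter and the single spurious sample in the history are what the checks are meant to catch (a failed or off-calibration sensor, spurious data, or injected false values on a tapped link all show up the same way).

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Reading is one measurement from one sensor; Limits is the physical range of the
// measured quantity. Both are constructed for this example.
type Reading struct {
	Tag   string
	Value float64
}

type Limits struct {
	Min, Max float64
}

// RangeCheck is the basic plausibility check: a value outside the physical range
// of the instrument (or not a number at all) cannot be genuine, whatever the
// sensor reports.
func RangeCheck(r Reading, lim Limits) (string, bool) {
	if math.IsNaN(r.Value) || r.Value < lim.Min || r.Value > lim.Max {
		return fmt.Sprintf("%s: value %.2f outside plausible range [%.2f, %.2f]",
			r.Tag, r.Value, lim.Min, lim.Max), false
	}
	return "", true
}

// RedundancyCheck compares redundant sensors against their median and flags any
// that deviate by more than tol. The median is used so that one drifted sensor
// does not pull the reference value towards itself.
func RedundancyCheck(rs []Reading, tol float64) []string {
	if len(rs) < 2 {
		return nil
	}
	vals := make([]float64, len(rs))
	for i, r := range rs {
		vals[i] = r.Value
	}
	sort.Float64s(vals)
	med := vals[len(vals)/2]
	if len(vals)%2 == 0 {
		med = (vals[len(vals)/2-1] + vals[len(vals)/2]) / 2
	}
	var alarms []string
	for _, r := range rs {
		if math.Abs(r.Value-med) > tol {
			alarms = append(alarms, fmt.Sprintf(
				"%s: %.2f deviates from redundant median %.2f by more than %.2f (off-calibration?)",
				r.Tag, r.Value, med, tol))
		}
	}
	return alarms
}

// VarianceCheck is the fallback when there is no redundant sensor: it looks at
// the recent history of one tag and flags samples more than k standard
// deviations from the mean as spurious data.
func VarianceCheck(history []float64, k float64) (mean, sd float64, outliers []int) {
	n := float64(len(history))
	if n == 0 {
		return 0, 0, nil
	}
	for _, v := range history {
		mean += v
	}
	mean /= n
	for _, v := range history {
		sd += (v - mean) * (v - mean)
	}
	sd = math.Sqrt(sd / n)
	for i, v := range history {
		if math.Abs(v-mean) > k*sd {
			outliers = append(outliers, i)
		}
	}
	return mean, sd, outliers
}

func main() {
	lim := Limits{Min: 0, Max: 16} // e.g. a 0-16 bar pressure transmitter
	triple := []Reading{{"PT-101A", 10.02}, {"PT-101B", 10.05}, {"PT-101C", 12.40}}
	for _, r := range triple {
		if msg, ok := RangeCheck(r, lim); !ok {
			fmt.Println(msg)
		}
	}
	for _, a := range RedundancyCheck(triple, 0.5) {
		fmt.Println(a)
	}
	mean, sd, out := VarianceCheck([]float64{10.0, 10.1, 9.9, 10.0, 10.1, 9.9, 10.0, 13.0}, 2)
	fmt.Printf("mean %.3f sd %.3f outlier samples %v\n", mean, sd, out)
}
```

The tolerances (0.5 bar, two standard deviations) are the part an experienced operator tunes per measurement; too tight and every calibration drift becomes an alarm, too loose and a manipulated value passes as process noise.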
Measures
Ensure timely updating of the relevant part of the automation, OS, Process Control & HMI software, without fail! In the case of multiple instances, all the instances must be updated in one lot, and logged.

With every change, irrespective of the reason, update the backup copies of the relevant software (PLC/ DCS/ RTU SW, System SW, Process Control SW, HMI SW, any other SW in the complex); the action must be logged.

With every change, update the backup copies of the relevant configuration data and log the action.

Formulate a policy for backing up the process data. It should be backed up at regular intervals. In the case of significant issues, a need-based backup should be taken. Logging is a must.

Labeling Back-ups
With the possibility of multiple copies of back-ups floating around, a consistent method of labeling fresh back-ups is just as important as the deliberate destruction of old copies. Both steps help avoid misuse of wrong copies under stress conditions.

The label should have (suggestion):
• Project, Location & Equipment Identifier
• Content & the program/ version needed to use the backup
• Version, Date and copy identifier (1st copy/ 2nd copy, etc.)
• Name/ Designation of the author
• Reason for creation, reference

Saving Back-ups
Handling back-ups is a serious issue and it deserves management-level attention.

Formulation of a written-down and auditable Backup Policy is a must.

Equally important is a timely audit of this process, to ensure strict compliance.

The local copies of the backup may be stored in the local library, however, with access control.

It is recommended to keep the latest two versions of the backup, provided the older version is from a stable system; else maintain a copy of the last known stable version.

Access Control
A simple but very effective precaution!

Make extensive use of Access Control on the Process Control Software and Data configuration.

Remember, the bad element may not always be external to the organisation. There are many instances of a disgruntled employee taking steps to harm the employer.

Previous employees form another set of suspects, who are aware of the organisational functioning and policies.

Use strong passwords, and change them regularly!

No shared passwords, and no person should be allowed access when another user is logged in.
Access Control (continued)
Do not permit Log-ins and/ or Passwords to be shared.

By policy, make Log-in/ Log-out compulsory, even for short durations.

Maintain a mandatory system of Handing-over/ Taking-over, to avoid unauthorised access.

If the vendor is permitted on-line access to the system for testing and maintenance, it should be fully logged and under local supervision.

Other Precautions
The online system should not be used to make copies; go by the vendor's/ manufacturer's recommendations.

Do not use the Process Control related computers (including the HMIs) for any other purpose.

Strictly avoid extraneous software, e.g. games or music, on the Process Control configuration.

Do not use the Process Control computers to access the Internet. Better still, do not load web-enabled programs, e.g. Internet Explorer, on these computers. It is preferred to use another computer for web access and transfer the requisite data as needed.

Avoid flash drives; else use only trusted & tested flash drives.

LAST WORDS

Are We Doing Enough?

Security is Paramount!
Remember: hacking into a Process Control System by an unauthorised person can lead to a disaster of immense magnitude!

Safety First!

Thank you