Cybersecurity on the plant floor or within the industrial network has become a top-of-mind issue, and for good reason. Not only are malicious attacks increasing rapidly throughout numerous critical infrastructure sectors (for example, the recent “Havex” attacks), but their sophistication, pervasiveness, and overall sneakiness also make it extremely challenging for the average engineer to mount a defense before it is too late. This article focuses on a few tips to help you defend your network. We’ll start with “knowing your network” and understanding what traffic should look like, then move on to firewalling your network and reviewing the logs of those firewalls and, finally, taking special care to protect your end devices.
Know Your Network
An industrial security device, like the one shown here with a power supply and Ethernet switch, can provide firewall, routing and VPN capabilities. Industrial devices have features—such as Class I, Div. 2 approval, wider temperature range, EMI and shock-resistance—that commercial firewalls do not. (Courtesy Phoenix Contact)
“Security” isn’t just widgets deployed on your network, or a few processes and procedures documented because the National Institute of Standards and Technology (NIST) or the International Society of Automation (ISA) recommended them. Security is also a deep understanding of your assets, communications and programs.
One of my favorite mantras from my time in the IT world is “know your network.” That is, it is very difficult to defend your assets, or even know if you’re being compromised or attacked, if you don’t know exactly what your network looks like in a normal state.
Too often asset owners don’t have any idea of which IP addresses should be normally talking to one another, on which ports, at what rate, and so on. This lack of knowledge means a red flag, such as the traffic bursts of an infected PC scanning the network, can go completely unnoticed.
There are a number of tools that can help you with knowing your network, many of which are low cost or even free, so “budget constraints” is not a viable argument for avoiding these knowledge-increasing and security-enhancing tasks.
Understanding what constitutes “normal” traffic on your network is essential, and the easiest way to do this is to baseline it during normal operations. Install Wireshark on a laptop and procure a network tap. A passive tap, at a cost of $100 or less, will allow you to monitor your network traffic without interrupting it or injecting packets from your Wireshark laptop. Over the course of several days, you can now capture and analyze traffic passing through different points on your network—for example the link between a PLC and network switch, different I/O points, and the connection points (if any) between your industrial network and the enterprise or IT network.
Wireshark is chock full of useful built-in analysis and even graphing tools to help you understand how the devices are communicating with one another and what type of traffic is typically on that link. For example, the screenshots below show the Summary and Conversations view of a Wireshark capture, as well as an “I/O” graph that allows you to visualize traffic using different filters.
When taking baseline captures, it is a good practice to take them at different points in the network to get a more complete view, and also to take them around the same time of day and day of week, so that your results are more consistent. You can easily use these baseline captures to help determine when something odd is happening on your network—devices communicating with unknown IPs, bursts of traffic scanning different ports, etc.
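One way to turn those baseline captures into something you can check automatically is to summarize each capture as a list of conversations (who talks to whom, on which port, at what packet rate) and compare a later capture against the stored profile. The following is an added example, not code from the article; the records mimic rows you might export from Wireshark’s Conversations view, and every address, port and count in it is constructed for illustration.

```python
"""Compare a later traffic summary against a baseline built from normal operations.

Each record mirrors a row from Wireshark's Conversations view:
source, destination, protocol/port, packet count, capture duration in seconds.
All addresses and counts below are constructed for illustration.
"""
from collections import namedtuple

Conversation = namedtuple("Conversation", "src dst port packets seconds")

# Constructed baseline captured over several normal shifts (hypothetical addresses).
BASELINE = [
    Conversation("10.1.1.10", "10.1.1.20", "tcp/502", 86400, 3600),    # HMI -> PLC, Modbus/TCP, ~24 pkt/s
    Conversation("10.1.1.30", "10.1.1.20", "tcp/44818", 3600, 3600),   # historian -> PLC, EtherNet/IP, ~1 pkt/s
    Conversation("10.1.1.10", "10.1.1.30", "tcp/1433", 720, 3600),     # HMI -> historian, SQL, ~0.2 pkt/s
]

# Constructed later capture: same links, plus a burst and an unknown host.
LATER = [
    Conversation("10.1.1.10", "10.1.1.20", "tcp/502", 1000, 5),        # 200 pkt/s: far above the baseline rate
    Conversation("10.1.1.30", "10.1.1.20", "tcp/44818", 60, 60),
    Conversation("10.1.1.10", "10.1.1.30", "tcp/1433", 12, 60),
    Conversation("10.1.1.50", "10.1.1.20", "tcp/502", 5, 60),          # a host never seen talking to the PLC
    Conversation("10.1.1.50", "203.0.113.7", "tcp/443", 40, 60),       # plant host talking to an unknown outside IP
]


def rate(record):
    """Packets per second; a zero-length capture counts as an infinite rate."""
    return record.packets / record.seconds if record.seconds else float("inf")


def build_baseline(records, tolerance=3.0):
    """Map (src, dst, port) -> highest acceptable packet rate.

    The tolerance multiplier leaves headroom above the observed rate so that
    ordinary variation between shifts does not trigger a false alarm.
    """
    profile = {}
    for r in records:
        key = (r.src, r.dst, r.port)
        profile[key] = max(profile.get(key, 0.0), rate(r) * tolerance)
    return profile


def find_anomalies(profile, records):
    """Return (reason, (src, dst, port)) for conversations that are new or unusually busy."""
    anomalies = []
    for r in records:
        key = (r.src, r.dst, r.port)
        if key not in profile:
            anomalies.append(("unknown conversation", key))
        elif rate(r) > profile[key]:
            anomalies.append(("rate burst", key))
    return anomalies


def demo():
    """Run the constructed scenario and return what a reviewer would be shown."""
    return find_anomalies(build_baseline(BASELINE), LATER)


if __name__ == "__main__":
    for reason, (src, dst, port) in demo():
        print(f"{reason}: {src} -> {dst} {port}")
```

Direction is kept as part of the key, so a PLC unexpectedly initiating connections shows up as a new conversation even if the reverse direction is normal.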
Restricting Traffic On Your Plant Network
Figure 1. The Wireshark Summary screen shows useful capture information.
No good network security solution is complete without some type of firewall. A firewall is, in essence, a hardware appliance whose job it is to examine traffic passing through it and decide whether to let it pass or to drop it. Firewalls can inspect traffic on many different attributes: the sender or receiver’s MAC address or IP address; the type of traffic it is; the port (like HTTP or Modbus/TCP) to which the traffic is destined; and even in some cases the payload “inside” the packet.
A big challenge for engineers and plant managers is figuring out where a firewall needs to be installed and how many are needed. There is no clear-cut, one-size-fits-all prescription for this, as everyone needs to evaluate their own risks, budgets and resources to determine how secure they need to be and at what expense. That said, a few good rules of thumb exist as guidelines as to where to install firewalls and how to configure them.
Protect your plant network from the Enterprise, and prevent unauthorized and unnecessary business traffic from entering your network. Anywhere your plant network interfaces with the Enterprise/Office network should be protected. There is an enormous amount of broadcast traffic that Windows PCs and servers spew out that can negatively impact Industrial Control System (ICS) equipment, and there is no need for people in the accounting or shipping departments to see your PLC, HMI, drives, etc.
Allow only traffic that is necessary for your operation. The “principle of least privilege” is a popular concept in security and recommends that any user or system (like a data historian, for example) have only the minimum access needed to do its job. This means that our data historian, which might only talk SQL, should not have full access to the PLC or HMI. This helps limit any damage, or malicious activity, that could come accidentally from an untrained user or intentionally from someone malicious.
Deny all unknown traffic. Use a firewall that is “implicit deny,” or set up your firewall so that any traffic not explicitly allowed by a firewall rule is automatically dropped. Often, people get sloppy (or lazy) and just start allowing traffic “to make stuff work.” This conflicts with the principle of least privilege and opens up unnecessary holes in your network.
For greater security, design your network using “zones” with firewalls separating and protecting each zone. ISA99 recommends this model, as it groups like devices together and allows for an organized and orderly means of protecting them.
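The three rules of thumb above (least privilege, implicit deny, zones) can be checked against a model of the policy before it is loaded onto real hardware. The following is an added example and not the article’s or any vendor’s code: it models a zone-based rule set where the first matching rule wins and anything unmatched is dropped. The zone address ranges, rule list and port numbers are all constructed assumptions; the historian is deliberately given access only to the one protocol it needs.

```python
"""Model of a zone-based firewall policy with implicit deny (constructed example).

Zones, addresses and rules are hypothetical. Evaluation is first-match;
traffic that matches no rule is dropped, which is what "implicit deny" means.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zones in the spirit of the ISA99 zone model.
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),
    "dmz": ipaddress.ip_network("10.1.0.0/24"),      # data historian lives here
    "plant": ipaddress.ip_network("10.1.1.0/24"),    # PLCs and HMIs
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    action: str          # "allow" or "deny"
    log: bool = False    # whether matches should be sent to syslog


# Least-privilege rule set: only the conversations the process actually needs.
RULES = [
    Rule("plant", "plant", "tcp", 502, "allow"),                 # HMI <-> PLC Modbus/TCP inside the plant zone
    Rule("dmz", "plant", "tcp", 44818, "allow", log=True),       # historian polls the PLC over EtherNet/IP only
    Rule("enterprise", "dmz", "tcp", 1433, "allow", log=True),   # enterprise reporting reads historian SQL
    # Deliberately no rule from "enterprise" to "plant": implicit deny covers it.
]


def zone_of(ip):
    """Return the zone name for an address, or 'unknown' if it is in no defined zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(rules, src_ip, dst_ip, proto, dport):
    """Return (action, matched_rule). Unmatched traffic yields ('deny', None)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in rules:
        if (rule.src_zone, rule.dst_zone, rule.proto, rule.dport) == (src_zone, dst_zone, proto, dport):
            return rule.action, rule
    return "deny", None   # implicit deny: nothing explicitly allowed gets through


if __name__ == "__main__":
    checks = [
        ("10.1.1.10", "10.1.1.20", "tcp", 502),    # HMI -> PLC Modbus/TCP
        ("10.1.0.5", "10.1.1.20", "tcp", 44818),   # historian -> PLC EtherNet/IP
        ("10.1.0.5", "10.1.1.20", "tcp", 502),     # historian trying Modbus/TCP: not needed, dropped
        ("10.0.5.5", "10.1.1.20", "tcp", 502),     # enterprise PC -> PLC: dropped
        ("192.168.9.9", "10.1.1.20", "tcp", 502),  # address in no zone: dropped
    ]
    for src, dst, proto, port in checks:
        action, rule = evaluate(RULES, src, dst, proto, port)
        print(f"{src} -> {dst} {proto}/{port}: {action}" + (" (logged)" if rule and rule.log else ""))
```

Because the historian has a rule only for the protocol it uses, a compromised historian trying to reach the PLC over Modbus/TCP is dropped just like enterprise traffic would be, which is the practical effect of least privilege.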
Analyze the Traffic You Are Blocking
Figure 2. The Conversations view allows you to see who talks to whom by type of traffic.
While blocking unwanted traffic is the most important job of a firewall, another essential task is logging the traffic—both traffic that gets blocked and some traffic that gets through. Reviewing these firewall logs ties in with the “know your network” piece above. This gives you a good idea of the type of traffic that is flowing through your plant network. People are often surprised at both the type and volume of traffic that a firewall is blocking; and being able to review and audit the traffic allowed to pass through is often necessary for regulatory compliance, such as NERC CIP.
To log your firewall rules, you’ll need firewall hardware that supports syslog, an open, standard protocol for sending log events to a remote collector, and also a PC or server running a syslog server or other event management software to collect these events from your firewalls and other network equipment. Setting up syslog on your firewall is typically very easy. The only necessary parameters are a simple Enable/Disable and the IP address to which the events should be sent. Most firewalls let you pick which firewall rules are logged so that you can cut down on unnecessary messages.
Reviewing this information can show you things like an infected PC scanning a network looking for active IP addresses or open ports; it can also show someone repeatedly trying to access a PLC with which they have no reason to interact.
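Both of those patterns, a host probing many ports on a PLC and a host repeatedly denied access to it, are easy to pull out of syslog with a short script. The following is an added example, not code from the article or any firewall vendor; the log line format is a constructed, generic one (real firewalls each have their own format, so the regular expression would need adapting), and the addresses and timestamps are made up for the demonstration.

```python
"""Find scans and repeated denials in firewall syslog output (constructed example).

The log format below is hypothetical; adjust LOG_RE to your firewall's format.
All addresses and events are constructed for illustration.
"""
import re
from collections import defaultdict

PLC = "10.1.1.20"   # constructed address of a PLC we want to watch closely

# Constructed syslog messages: a port sweep, repeated Modbus/TCP attempts, and normal polling.
SAMPLE_LOGS = (
    [f"<134>Jun 24 10:01:{i:02d} fw1 firewall: DROP src=10.0.5.5 dst={PLC} proto=tcp dport={p}"
     for i, p in enumerate([21, 22, 23, 80, 102, 135, 139, 443, 445, 502, 1433, 44818])]
    + [f"<134>Jun 24 10:05:{i:02d} fw1 firewall: DROP src=10.0.7.7 dst={PLC} proto=tcp dport=502"
       for i in range(6)]
    + [f"<134>Jun 24 10:06:{i:02d} fw1 firewall: ACCEPT src=10.1.0.5 dst={PLC} proto=tcp dport=44818"
       for i in range(3)]
    + ["this line is not a firewall event and is skipped"]
)

LOG_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) firewall: (?P<action>DROP|ACCEPT) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse(lines):
    """Turn raw syslog lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            event = m.groupdict()
            event["dport"] = int(event["dport"])
            events.append(event)
    return events


def find_scanners(events, min_ports=10):
    """Sources whose dropped traffic touched at least min_ports distinct ports on one host."""
    ports = defaultdict(set)
    for e in events:
        if e["action"] == "DROP":
            ports[(e["src"], e["dst"])].add(e["dport"])
    return sorted({src for (src, _dst), seen in ports.items() if len(seen) >= min_ports})


def find_repeat_denials(events, protected, min_hits=5):
    """(src, dst) pairs denied at least min_hits times when dst is a protected device."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] == "DROP" and e["dst"] in protected:
            counts[(e["src"], e["dst"])] += 1
    return {pair: n for pair, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    events = parse(SAMPLE_LOGS)
    print("possible port scans from:", find_scanners(events))
    for (src, dst), n in find_repeat_denials(events, {PLC}).items():
        print(f"{src} was denied access to {dst} {n} times")
```

The thresholds are deliberately simple; on a real plant network you would tune them against the baseline captures described earlier so that normal polling never trips them.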
Figure 3. The I/O graph can visually show you traffic with different filters applied.
Don’t Forget the End Devices
This seems obvious, but many people still overlook protecting the ICS devices themselves. The lowest hanging fruit here is physical protection: locked cabinets, switch ports that are blocked, etc. Of special note is dealing with USB ports. On HMIs and PC-based control, USB ports should be disabled in the BIOS unless absolutely necessary. Even then, any USB device should come from a trusted source and be scanned before being inserted into any device on your control system.
Technologies like anti-virus, CIFS integrity monitoring and whitelisting each have a role to play in protecting your control system devices. Anti-virus protection can be a challenge because of the need to update signature files from the Internet or an enterprise server. Anti-virus is also now reliably identifying less than 50 percent of malware in the wild. So while it is a valuable layer of protection, it can’t be the only protection. Whitelisting doesn’t rely on signatures but relies on users to maintain the list of allowed programs and files. CIFS integrity monitoring takes the most effective aspects of each, allowing enterprise servers to securely run AV scans of the control system through a firewall, and also monitoring for unexpected changes in the scrutinized files.
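The idea behind integrity monitoring and whitelisting is the same at its core: record a cryptographic hash of every file that is supposed to be on the device, then report anything that changes, appears, or is not on the approved list. The following is an added example, not code from the article or from any CIFS monitoring product: it builds a SHA-256 snapshot of a folder, compares a later snapshot against it, and checks files against an allow-list of known-good hashes. The folder contents and the tampering scenario are constructed in a temporary directory so the script runs anywhere.

```python
"""File integrity snapshot and allow-list check (constructed example).

A real deployment would scan the HMI's file share from a hardened server and keep
the baseline somewhere the HMI itself cannot modify; here everything runs locally
on a temporary folder so the behaviour can be seen end to end.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative path) to its SHA-256."""
    root = Path(root)
    return {str(p.relative_to(root)): hash_file(p) for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Report files that were added, removed, or whose contents changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def unapproved(current, allowed_hashes):
    """Whitelisting view: files whose hash is not on the approved list."""
    return sorted(p for p, h in current.items() if h not in allowed_hashes)


def demo():
    """Constructed scenario: baseline an HMI project folder, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "hmi.exe").write_bytes(b"\x4d\x5a original binary")        # hypothetical HMI runtime
        (root / "recipes.csv").write_text("batch,setpoint\n1,72.5\n")     # hypothetical recipe data
        baseline = snapshot(root)
        approved = set(baseline.values())   # the allow-list is built from the known-good state

        # Tampering: patch the binary, drop an unexpected file, delete the recipe file.
        (root / "hmi.exe").write_bytes(b"\x4d\x5a patched binary")
        (root / "dropper.dll").write_bytes(b"unexpected file")
        (root / "recipes.csv").unlink()

        current = snapshot(root)
        return {"diff": compare(baseline, current), "unapproved": unapproved(current, approved)}


if __name__ == "__main__":
    result = demo()
    for kind, files in result["diff"].items():
        print(f"{kind}: {files}")
    print("not on allow-list:", result["unapproved"])
```

The snapshot should be taken right after a device is commissioned, and any legitimate change (a project download, a patch) re-baselined deliberately, so that every unplanned difference is something worth investigating.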
Figure 4. Enable “Logging” on your firewall rules to get better insight into your network.
Cybersecurity is multifaceted and can be challenging for engineers and plant managers alike (and even for seasoned IT pros). However, if you take it one step at a time, starting with baselining what your network should look like, protecting it from unwanted traffic, and shielding your end devices with both new and trusted technology, you will be well on your way to cybersecurity and all of the benefits it provides.
Dan Schaffer is a networking and security expert with more than 15 years of experience, specializing in network design, security and troubleshooting. Mr. Schaffer is currently Business Development Manager, Network and Security, for Phoenix Contact, where he has held various positions since 2007 in product development and marketing. Prior to joining Phoenix Contact, he was a Senior Network Engineer for several private companies. He holds a bachelor’s degree from the University of Pittsburgh, as well as various IT and Network certifications. He is a member of a number of network and cybersecurity organizations and is involved in standards writing for ODVA, APTA and ISA. Mr. Schaffer can be reached at 717 944-1300, ext. 3314, or firstname.lastname@example.org.
- “New Havex malware variants target industrial control system and SCADA users,” PC World, June 24, 2014.
- “ISA99, Industrial Automation and Control Systems Security,” isa99.org.
- “Protecting industrial PCs: Early discovery and containment with CIFS monitoring,” ECN Magazine, Nov. 26, 2013.
- “Antivirus is dead, says maker of Norton Antivirus,” PC World, May 5, 2014.