This year, the Belden Industrial Ethernet Infrastructure Design Seminar is being held in Houston and therefore a number of the sessions are focusing on applications for the oil and gas sector. I had the privilege of attending Scott Howard’s session on cyber security. In it, he reviewed the primary goals of cyber security measures in industrial networks:
- To improve safety
- To reduce downtime
- To increase productivity
In other words, the goals of cyber security are the same as the core goals of most manufacturing teams.
This article reviews the cyber security fundamentals that Scott described and also explains how Belden’s products fit into industrial networking solutions. In Part 2 of this article, I will look at three, specific oil and gas applications discussed by Scott and describe a cyber security solution for each scenario.
Offshore platforms are an example of an oil and gas application with high cyber security requirements.
Industrial Cyber Security Threat Sources
Over the past few years, there have been a number of high-profile, advanced malware threats that have attacked the energy sector (e.g., Stuxnet, Flame, Shamoon). While these are significant threats that need to be taken into account in oil and gas industry risk assessments, the fact is that they account for a low number of overall threat sources.
Scott explained that most threats come from inside the industrial network. Industry research shows that threat sources breakdown as follows:
Most cyber security threats and incidents are unintentional and occur inside industrial networks. Source: The Repository of Industrial Security Incidents, 2011
Industrial networks are susceptible to internal incidents because many PCs on the network run 24 hours per day, seven days a week, and do not have antivirus protection. In addition, there are many ways for malware to enter control networks, such as USB keys, maintenance systems and the laptops of visitors. Controllers designed for real-time I/O, and not robust network communications, may not respond well to malformed messages or high levels of traffic. Finally, many industrial networks are “wide open” with no isolation between sub-systems, making it easy for problems to spreaderimeter Defense is Not Enough for Industrial Security
You may think that because there is a firewall protecting the edge of a network that the plant network is secure. However, as we just explained, many cyber security incidents originate from within industrial networks. Therefore, additional security measures need to be taken in order to harden control networks.
The best approach to take is one of Defense in Depth, i.e. where there are multiple layers and types of security in place. The best guidelines for this are the ISA/IEC 62443 (formerly ISA99) standards which recommend defining “zones” within networks and allowing the zones to communicate only through secure “conduits.” With this method, only the minimum necessary network traffic passes between zones and unusual traffic generates alarms and is blocked.
Why IT Solutions Do Not Work for Plant Networks
IT professionals have been successfully dealing with cyber security threats for years. Why can’t these same solutions be applied to control and SCADA networks? Here’s why:
- Control devices cannot be secured with automated third-party tools.
- Manufacturing networks cannot be shut down for testing, configuration and maintenance, as is done with business networks. Instead, industrial security products must be set up and maintained while the plant network is running.
- Industrial networks use unique communication protocols not seen in the IT world and not addressed by IT security products.
- Plants require hardened equipment that can survive harsh electrical and environmental conditions.
- Also, plant networking equipment needs to work for decades, whereas IT gear has a lifecycle measured in years.
Getting Started on Cyber Security
The first place to start to improve cyber defenses is to do a risk assessment. If you are unsure of how to conduct one, there are links to resources that will help at the bottom of this article.
Alternatively, you could work with one of Belden’s security partners, such as Cylance, exida or Securicon. These companies can help you develop and implement a security plan both quickly and cost effectively.
Once a plan is underway, use the Security Lifecycle (shown below) to guide your actions for keeping defenses up to date.
Scott Howard talks about cyber security at the 2014 Belden Design Seminar.The Security Life Cycle is shown on the right.
Belden's Industrial Cyber Security Solution
Belden’s product line supports security at many levels of communication, including at the physical level with high-reliability cables and at the data level with switches that have many built-in security features. At the network level and higher in the OSI model, we have security-specific products that include EAGLE routers and Tofino Security appliances.
In general, use the EAGLE family of routers and firewalls to secure the EDGE of networks. They are Layer 3 routers with firewalls and stateful packet inspection. They also have VPN capabilities for securing connections between untrusted networks.
Use the Tofino family of products to secure the CORE of industrial networks. The Tofino Security Appliance is a Layer 2 bridge with no IP address that can be installed without disrupting live networks and with no changes to network design. It provides high levels of security using a "whitelist" approach that allows for simple deployment.
The Tofino product line also includes modules that do content inspection (also known as Deep Packet Inspection) for popular industrial protocols, such as Modbus TCP, OPC Classic and EtherNet/IP. This capability inspects messages and only allows approved types of messages through. For example, allowing read messages to pass through the firewall, but blocking write messages.
In Part 2 of this series, I will look at cyber security solutions for three oil and gas applications: an offshore platform, an oil refinery and a pipeline system. We will look at the network diagrams of each application and show where EAGLE or Tofino devices can be added as part of a Defense in Depth security strategy.
What are the cyber security challenges you are facing? I look forward to hearing from you.
Malware and the Energy Sector:
- Tofinosecurity.com Blog: Summing up Stuxnet in 4 Easy Sections
- Blog: Flame – The Latest Super Worm Discovered in the Middle East Energy Industry
- Blog: Shamoon – Malicious Malware Harms 30,000+ Computers
Cyber Security Fundamentals:
- Blog: ICS Security for Oil ad Gas Applicaions, Part 2 of 2
- Blog: Cyber Threats Increase for U.S. Critical Infrastructure
- Blog: Defense in Depth Part 2: Layering Multiple Defenses
- Blog: Why Industrial Networks are Different than IT Networks (and What to do About It)
- Blog: Why SCADA Firewalls Need to be Stateful - Part 1 of 3
- Blog: Industrial Networking: Easy Security Risk Assessment
- Blog: SCADA Security: Justifying the Investment
Belden Security Products
- Webpage: EAGLE One Security Router
- Webpage: EAGLE20-0400 and EAGLE30-0402 Multi-port Firewalls
- Webpage: Tofino Xenon