Editor’s Note: This article was created with expertise from Mark Cooksley, a product manager with Hirschmann Automation and Control and an expert on industrial cyber security.
If you are more comfortable programming PLCs than implementing cyber security measures this series of blogs is for you. Its goal is to give you an overview of the security functions built into network devices so you can implement the ones that are appropriate for your application.
In the first blog, I briefly discussed Defense in Depth and how it is important to implement multiple types of defenses at different points in the control network. This best practice maximizes protection from cyber security incidents, whether they are accidental or intentional.
Part 1 also looked at ways to control access to specific devices, such as industrial Ethernet switches. In today’s blog, we look at ways to control the types of messages any device or computer can send or receive on a network.
To help protect industrial networks, like the ones that control the production of rolled steel, take advantage of the cyber security features built into industrial Ethernet switches and routers.
Authentication and Port Security
In the category of “basic, but easily overlooked controls” is the simple matter of turning off, or disabling, the unused ports on managed network devices. This prevents unauthorized users or devices from connecting to the network through those ports.
Now, let’s consider other means of controlling network access. This is usually done using an authentication standard called 802.1x. The “x” refers to different sections of the standard.
There are numerous implementations of this standard, the most common of which is the RADIUS protocol.
802.1x defines these roles:
- Supplicant: The device that wants access to the network.
- Authenticator: A device on the network, such as a switch, that allows or blocks messages from the supplicant. It uses information from the authentication server (such as a RADIUS server) to determine whether or not to accept transmissions from the supplicant. RADIUS allows access depending on the log-in credentials of a device or the device’s MAC address.
One way to control network access is to authenticate users and devices using an 802.1x compliant protocol, such as RADIUS, and an authenticator, like an industrial Ethernet switch.
If log-in is not possible – as is the case with I/O, a drive or another device that has no user interface for entering log-in credentials – then the device’s MAC address is used. To make replacement easier, just the first three bytes of the MAC address, which identify the manufacturer, can be used. For example, all network devices sold by Schneider Electric have the same first three bytes in their MAC addresses.
If the switch is configured to allow traffic to and from MAC addresses that start with Schneider’s three bytes, you have a network access rule that permits all Schneider Electric devices. If a PLC fails, you can replace it with one from the same manufacturer and the new one will be allowed to transmit packets right away. All traffic from non-conforming devices will be blocked.
An additional means of deploying security in an existing network is port security, which allows a user to define the MAC or IP address of a device allowed to connect to a given port. The ability to allow access by a common first three bytes or by an IP address range makes device replacement and deployment easy. Any violation can lock down the port and trigger an alarm (relay output and/or SNMP trap).
The abstraction layers typically used in TCP/IP communications for ICS and SCADA systems. Note: This is a simplification of the OSI 7-Layer Model.
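The port-security behaviour described above, modelled as an added example (this is not Hirschmann or Belden code, and the OUI `02:00:5e`, the port names and the IP range are constructed): a port admits a device if its MAC starts with an allowed manufacturer prefix or its IP falls in an allowed range; the first violation locks the port and fires an alarm callback standing in for the relay output or SNMP trap.

```python
from ipaddress import ip_address, ip_network


def oui(mac: str) -> str:
    """Normalise a MAC written as aa:bb:cc:dd:ee:ff or AA-BB-CC-DD-EE-FF and
    return its first three bytes, the part that identifies the manufacturer."""
    octets = mac.lower().replace("-", ":").split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"malformed MAC address: {mac}")
    return ":".join(octets[:3])


class PortSecurity:
    """Per-port allow rules by manufacturer prefix (OUI) or IP range.
    A violation locks the port until an operator clears it and raises an alarm."""

    def __init__(self, rules, alarm):
        # rules: port -> {"ouis": {"aa:bb:cc", ...}, "nets": ["10.0.2.0/28", ...]}
        self.rules = rules
        self.alarm = alarm        # callback standing in for relay output / SNMP trap
        self.locked = set()

    def admit(self, port: str, src_mac: str, src_ip: str = None) -> bool:
        """Return True if a frame from src_mac (and optionally src_ip) may enter on port."""
        if port in self.locked:
            return False          # a locked port forwards nothing until cleared
        rule = self.rules.get(port, {})
        ok = oui(src_mac) in rule.get("ouis", set())
        if not ok and src_ip is not None:
            ok = any(ip_address(src_ip) in ip_network(n) for n in rule.get("nets", []))
        if not ok:
            self.locked.add(port)
            self.alarm(port, src_mac, src_ip)
            return False
        return True

    def clear(self, port: str) -> None:
        """Operator action: re-enable a port after the violation has been investigated."""
        self.locked.discard(port)
```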
Preventing DHCP-Based Network Attacks
DHCP servers distribute network configuration parameters, such as IP addresses, for interfaces and services. Here are some types of attacks that target DHCP communications:
- “DHCP server spoofing”: adding another DHCP server to the network that distributes false IP addresses
- “DHCP exhaustion attack”: requesting all available IP addresses
- “IP address hijacking”: taking over the IP address of an existing device
Such attacks can be prevented by:
- Accepting only DHCP server packets from trusted ports
- Comparing the client hardware address in the DHCP tables with the source MAC address of the packet
- Comparing DHCP release communications from untrusted ports with settings in the “bindings table”
The bindings table is a table that correlates the IP and MAC addresses of devices. If someone is hijacking an IP address, the bindings table will show that the MAC address of the hijacker is not what it is supposed to be.
Some network devices, such as Hirschmann industrial Ethernet switches running the Hirschmann Operating System (HiOS), provide additional protection against IP address spoofing through a capability called “IP Source Guard.” When an IP packet is received on an untrusted port, it is compared with the entries in the bindings table. If the source IP address is not bound to that port, or optionally if the source MAC address is not bound to that port, the packet is discarded.
An example of a bindings table that can be seen in the operating systems of Hirschmann switches.
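The three DHCP snooping checks and the IP Source Guard check described above, as an added example that is not the switch firmware's code: a constructed packet model is run through a snooping filter that trusts the server-facing port, learns the bindings table from the DISCOVER/ACK exchange, and drops spoofed server messages, forged-chaddr requests, bogus RELEASEs and IP packets whose source is not bound to the ingress port.

```python
from dataclasses import dataclass, field


@dataclass
class Pkt:
    """Fields of one frame as the switch sees them (constructed model, not a real parser)."""
    port: str              # ingress port, e.g. "1/5"
    src_mac: str           # Ethernet source address
    src_ip: str = ""       # IP source address (plain IP packets)
    dhcp: str = ""         # DISCOVER/REQUEST/RELEASE (client) or OFFER/ACK (server); "" = plain IP
    chaddr: str = ""       # client hardware address inside the DHCP payload
    yiaddr: str = ""       # address the server assigns in OFFER/ACK
    ciaddr: str = ""       # address a client gives back in RELEASE


@dataclass
class DhcpSnooping:
    trusted: set                                     # ports facing the legitimate DHCP server
    check_mac: bool = True                           # IP Source Guard: also match the bound MAC
    bindings: dict = field(default_factory=dict)     # bindings table: ip -> (mac, port)
    client_port: dict = field(default_factory=dict)  # chaddr -> port of its outstanding request

    def check(self, p: Pkt) -> str:
        """Return 'FORWARD' or 'DROP: <reason>' for one packet."""
        if p.dhcp in ("OFFER", "ACK"):               # server messages
            if p.port not in self.trusted:
                return "DROP: DHCP server packet on untrusted port"
            if p.dhcp == "ACK" and p.chaddr in self.client_port:
                self.bindings[p.yiaddr] = (p.chaddr, self.client_port.pop(p.chaddr))
            return "FORWARD"
        if p.dhcp and p.port not in self.trusted:    # client messages from access ports
            if p.chaddr != p.src_mac:
                return "DROP: chaddr does not match source MAC"
            if p.dhcp == "RELEASE":
                if self.bindings.get(p.ciaddr) != (p.src_mac, p.port):
                    return "DROP: RELEASE does not match bindings table"
                del self.bindings[p.ciaddr]
            else:
                self.client_port[p.chaddr] = p.port
            return "FORWARD"
        if p.dhcp or p.port in self.trusted:         # anything else on a trusted port
            return "FORWARD"
        bound = self.bindings.get(p.src_ip)          # IP Source Guard on an untrusted port
        if bound is None or bound[1] != p.port:
            return "DROP: source IP not bound to this port"
        if self.check_mac and bound[0] != p.src_mac:
            return "DROP: source MAC not bound to this port"
        return "FORWARD"
```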
Access Control Lists
Another way of regulating network access and traffic is to use the Access Control List (ACL) feature common in switches and routers. This feature filters IPv4 packets based on a number of parameters, such as source and destination IP address. ACLs can also filter Ethernet frames based on criteria, including the source and destination MAC address.
ACLs and firewalls can both filter on:
- Source and destination address
- Source and destination port
There is, however, a major difference between them – only firewalls can do Stateful Inspection. In brief, Stateful Inspection involves interpreting a communication using data from the previous information exchange. This includes things like which device started the session, which device last sent a message, and whether the last message was rejected because of an error.
While an ACL evaluates each packet on its own, a firewall looks at the bigger picture of the information exchange and then determines which communications are valid and which are not.
Even though ACLs provide a piece of the cyber security puzzle, they do not replace firewalls.
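The difference just described, as an added example (constructed addresses and rules, not any vendor's filter code): a stateless ACL and a stateful firewall are given the same intent, an HMI subnet may open Modbus/TCP sessions to one PLC. The ACL needs an extra rule for the replies, and that rule also passes an unsolicited packet from the PLC side; the firewall passes replies only for a session it saw the HMI open.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False      # True for the packet that opens a TCP session


class Acl:
    """Stateless filter: each packet is judged by its own header fields only."""

    def __init__(self, rules):
        # rules: (action, src_net, dst_net, sport, dport); None means "any"
        self.rules = rules

    def check(self, p: Pkt) -> str:
        for action, sn, dn, sp, dp in self.rules:
            if (ip_address(p.src) in ip_network(sn) and ip_address(p.dst) in ip_network(dn)
                    and sp in (None, p.sport) and dp in (None, p.dport)):
                return action
        return "deny"      # implicit deny at the end of the list


class StatefulFirewall:
    """Only session-opening packets are matched against the rules; replies are
    permitted solely because the firewall remembers who opened the session."""

    def __init__(self, acl: Acl):
        self.acl = acl
        self.sessions = set()

    def check(self, p: Pkt) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.sessions or rev in self.sessions:
            return "permit"                      # belongs to a session opened through us
        if p.syn and self.acl.check(p) == "permit":
            self.sessions.add(fwd)
            return "permit"
        return "deny"                            # unsolicited, even if headers look right


# Constructed scenario: the HMI subnet may open Modbus/TCP (502) sessions to one PLC.
INITIATION = [("permit", "10.0.1.0/24", "10.0.2.20/32", None, 502)]
# A stateless ACL must also carry a reply rule, and that rule is what lets unsolicited traffic through.
STATELESS_ACL = Acl(INITIATION + [("permit", "10.0.2.20/32", "10.0.1.0/24", 502, None)])
STATEFUL_FW = StatefulFirewall(Acl(INITIATION))
```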
Learn More at Belden Design Seminars
We have covered ways to secure devices and ways to secure networks using capabilities built into industrial Ethernet switches. In the final blog in this series, I’ll cover how to detect unusual network activity and cyber incidents using logging and network management tools.
Please note that the information in this blog series is also covered in sessions at Belden Design Seminars. These are events where Belden experts give presentations and lead hands-on labs related to key areas of network design, isolation, redundancy, security, wireless and more. Links to 2015 events are given at the end of this blog.
How important are device-level security measures in your Defense in Depth strategy? I look forward to hearing from you.
Industrial Cyber Security
- Blog: Industrial Ethernet Switches Enhance Cyber Security at No Cost – Part 1
- Packetpushers.net: Five Things to Know About DHCP Snooping
- Blog: Defense in Depth Part 2: Layering Multiple Defenses
- Blog: Industrial Networking: Easy Security Risk Assessment
- Blog: Defending Against the Dragonfly Malware
- Blog: Why SCADA Firewalls Need to be Stateful - Part 1 of 3
Belden Products that Contribute to Defense in Depth
- Webpage: RS20/30/40 Series Compact OpenRail Managed Industrial Ethernet Switches
- Webpage: Hirschmann Operating System HiOS 4 Software
- Webpage: Industrial HiVision Network Management Software
- PDF: Tofino Firewall Loadable Security Module
Belden Industrial Ethernet Infrastructure Design Seminars