Charlotte Stonestreet
Managing Editor
Combating the SCADA threat
18 August 2015
Supervisory Control And Data Acquisition (SCADA) for Industrial Control Systems has become a topic of concern from a security perspective, since these technologies control much of the infrastructure that we rely on in our everyday life: from lifts in buildings, to air-conditioning, to power generation, to aircraft management.
Historically, the threat was minimal, because the protocols used by SCADA/ICS systems were bespoke and local. However, SCADA/ICS systems are now accessible, and increasingly attackable, from the Internet.
The Corporate (or Enterprise) Network hosts the business services, sometimes termed Business Support Systems (BSS), Business Information Systems (BIS) or Management Information Systems (MIS). The majority of the attack vectors and attendant risks at the business level can be mitigated using standard IT countermeasures. The Corporate network is typically protected with a dual or triple firewall DMZ (de-militarised zone).
But these services typically ‘reach down’ into the SCADA system to extract business information such as uptime, failures, and other metrics that affect performance and costs. And here the protocols are specific to the Industrial Control market and are not well protected. Supervisory Control has typically been implemented on Windows machines with GUIs and HMIs implemented as custom Windows or .NET mimics and/or web browsers.
Unique characteristics
Typically PLCs, DCSs, RTUs and Intelligent Electronic Devices (IEDs) run Windows-based or related operating systems, such as WinCC with some older systems running or VxWorks. Some standardisation of control software language was introduced with IEC 61131, although most manufacturers retain some unique characteristics not covered by the standard.
Typical sizes of such systems range from one or two PLCs and a local supervisory control system to thousands of nodes for large oil and gas installations and pipelines in multiple geographic regions of the world. Until very recently, security of these GUIs and HMIs has been very lax, leading to a frantic race to retrofit and install security capability to prevent attacks or illegal access.
OPC is a good example. A number of SCADA/ICS servers are typically connected using the WAN, using the OPC protocol. This requires ‘holes’ to be left in the firewall via the security policy in order for it to operate. Allowing these ‘holes’ introduces a large security risk into the system. Further into the plant equipment, multiple protocols operate simultaneously – everything from MODBUS through to OPC-HA, and HTTP through to file transfers. Supporting these protocols with firewalls is difficult and expensive because of the complexity of the zoning.
Iguana Security takes an alternative approach based on its legacy of high security products. Iguana specialises in the protection of critical networks and data assets, to ensure the availability, integrity and confidentiality of the infrastructure and assets. Last year its parent company, L-3 TRL Technology, launched a product range to the commercial ICS market.
Fit & forget data guard
IguanaBlue is tailored directly to the risk and criticality of the plant function, and balances the need for security whilst still maintaining business efficiency, providing a ‘fit-and-forget’ data guard against growing cyber threats. IguanaGreen is based on the same architecture and security aspects as the Catapan range of Government Grade IP Encryption tools and has been designed to securely send and receive sensitive information, whilst harnessing the flexibility of local IP networks and protecting data from the increasing threat of cyber-attack.
A Network Guard, or Data Guard, sits between IT and OT networks to protect network protocol integrity, whilst keeping the network link continually available even whilst subject to invalid data, such as occurs during a cyber attack. The fundamental design of the device has a high side network connection (host) and low side connection (client), and uses FPGA logic or processors to examine and check the data that is passed between them.
A Network Guard provides enhanced protection over an application firewall, in that the two sides of the network connection are isolated – data is passed from high to low sides via an auxiliary processing component within the guard (a process referred to as trans-shipment) – and also in that an element of data inspection takes place and any invalid data content is either corrected or rejected.
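The inspect-then-trans-ship behaviour described above can be sketched in software for one of the protocols the article mentions, MODBUS over TCP. This is an added example, not Iguana's implementation (which the article says uses FPGA logic or processors); the read-only policy, the unit allow-list, the function names and the sample frames are all assumptions made for illustration.

```python
import struct

# Assumed guard policy: only read functions cross the boundary.
ALLOWED_FUNCTIONS = {0x03: 125, 0x04: 125}  # function code -> max registers
MBAP_LEN = 7  # transaction id (2), protocol id (2), length (2), unit id (1)

# Constructed sample frames (not captured traffic).
READ_OK = bytes.fromhex("000100000006010300000002")    # read 2 holding registers
WRITE_REG = bytes.fromhex("0002000000060106000100ff")  # write single register
BAD_LEN = bytes.fromhex("0003000000ff010300000002")    # length field lies

class Rejected(Exception):
    """Raised when a frame fails inspection; nothing is forwarded."""

def inspect_request(frame: bytes, allowed_units=frozenset({1})) -> dict:
    """Parse a Modbus/TCP read request into fields, or raise Rejected."""
    if len(frame) != MBAP_LEN + 5:
        raise Rejected("unexpected frame size for a read request")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    func, addr, count = struct.unpack(">BHH", frame[MBAP_LEN:])
    if proto != 0:
        raise Rejected("protocol id is not Modbus")
    if length != len(frame) - 6:
        raise Rejected("MBAP length disagrees with bytes received")
    if unit not in allowed_units:
        raise Rejected("unit id not on allow-list")
    if func not in ALLOWED_FUNCTIONS:
        raise Rejected(f"function 0x{func:02x} not permitted")
    if not 1 <= count <= ALLOWED_FUNCTIONS[func]:
        raise Rejected("register count out of range")
    if addr + count > 0x10000:
        raise Rejected("address range overflows register space")
    return {"tid": tid, "unit": unit, "func": func, "addr": addr, "count": count}

def transship(frame: bytes) -> bytes:
    """Rebuild the request from validated fields; input bytes are not copied across."""
    f = inspect_request(frame)
    pdu = struct.pack(">BHH", f["func"], f["addr"], f["count"])
    return struct.pack(">HHHB", f["tid"], 0, len(pdu) + 1, f["unit"]) + pdu

def verdict(frame: bytes) -> str:
    """Return 'forward' or the rejection reason for one frame."""
    try:
        transship(frame)
        return "forward"
    except Rejected as exc:
        return f"reject: {exc}"
```

Because the outgoing frame is built only from the parsed fields, trailing or malformed bytes on the input side have no path to the far network.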
Key Points
- Historically, protocols used by SCADA/ICS systems were bespoke; however, SCADA/ICS systems are now accessible, and increasingly attackable, from the Internet
- IguanaBlue is tailored directly to the risk and criticality of the plant function, and balances the need for security whilst still maintaining business efficiency
- A Network Guard, or Data Guard, sits between IT and OT networks to protect network protocol integrity, whilst keeping the network link continually available