Industrial Ethernet Book Issue 72 / 38

Securing Ethernet-based industrial networks - Part 2


The first half of this article, abridged from an ODVA paper on securing EtherNet/IP-based networks and published in the last issue of this journal, largely dealt with the generalities of industrial network administration from a security perspective. This final part examines specific network technology aspects, including security considerations pertaining to industrial wireless networks.

VLANs are a method of creating software-configured, logically independent networks within a larger network complex. Several VLANs can co-exist within the same network to constrict individual broadcast domains; this similarly constricts the effects of broadcast storms, worms and viruses, and DoS attacks. VLANs provide the basis for a security policy by segmenting the devices: for example, rules and restrictions may be based on virtual segments rather than individual devices, thereby simplifying the effort to implement and maintain a security approach.

Quality of Service (QoS) features can be used to ensure that high-priority traffic isn't affected when a network storm occurs. Without QoS, automation traffic might be delayed or displaced by other, less urgent data under storm conditions. Setting it up thus becomes a matter of best practice.

Network resiliency

A common aspect of network resiliency can be provided through redundancy, coupled with firmware in the device that instructs the network to switch to alternate paths upon specific failures. In other words, resiliency can be achieved by forming a backup path when part of the network becomes unavailable.

One of the first technologies developed for this application was IEEE 802.1D Spanning Tree Protocol (STP). Because this first failover mechanism proved too slow for automation applications, 802.1w Rapid Spanning Tree Protocol (RSTP) was developed. However, networks requiring the fastest recovery times commonly use proprietary ring protocols: many Industrial Ethernet switch manufacturers have developed such protocols, some based on 802.1w enhancements, and these may provide recovery times in the millisecond range for networks with over 100 devices.

Such performance requires that all switches come from the same vendor, because of the proprietary nature of the redundancy mechanism. If the network topology requires mixing and matching switch suppliers, then RSTP or DLR becomes the most suitable default.

Device Level Ring (DLR, part of the IEC 61158 standard) is a standards-based ring topology and thus not specific to a particular device vendor. A convergence time, possibly less than 5 ms for 50-device rings, means that the ring nodes can detect a break in the ring and reconfigure the network fast enough to avoid the loss of I/O connections. The protocol operates via end devices that contain an embedded switch with two external ports.

The Internet Group Management Protocol (IGMP) provides a network control mechanism by which multicast traffic is passed only to those end devices that request the information. IGMP is considered a best practice in many EtherNet/IP systems (and in others that also make extensive use of UDP framing).

Enterprise connections

Most significant organisations connect their industrial and enterprise networks somewhat in the manner shown in Fig. 1. The industrial network(s) may pass low frequency data such as inventory statistics to an ordering system or high frequency data like real time I/O data between work cells on a plant floor. However, both have pathways to the enterprise layer and may thus be considered as a single, integrated network for operational security purposes. The risk to industrial network sectors increases greatly when a pathway to the enterprise sector exists, but may be reduced if both networks are designed using security–oriented segmentation.


Fig. 1. Example of an isolated industrial network with multiple controllers. Due to the additional complexity of these types of networks, it is possible for an incident at one end of a facility to affect a device at the other end of the facility, although VLANs help limit that impact. An attacker (whether unintentional or intentional) would still need to be in direct contact with the network to affect plant operations; however, this may occur more often than in the single-controller network described above.

Once the industrial network is attached to the corporate infrastructure, there will almost certainly be exposure to the Internet. This means that any employee or contractor in the organisation, regardless of their location, could affect the operation of the industrial network. An incident on the industrial network could affect the enterprise network, or vice versa.

Connecting the enterprise to the industrial network also opens up the possibility that other types of network traffic may maliciously or unintentionally traverse that connection and affect production and control. This type of connectivity is not new and its benefits generally far outweigh the risks if enacted in a secure manner.

Some of the best practice precautions include:

• Using network infrastructure to deeply segment the enterprise and industrial networks, for example with firewalls;

• Creating a 'Demilitarised Zone' (DMZ) where data and services can be shared, but which is separate from the industrial or enterprise zone;

• Establishing techniques and services to provide remote access;

• Replicating or otherwise locating critical network-based services within the industrial network sectors (e.g., Active Directory servers, DHCP servers, print servers, etc.).

Network switches have a leading role in securing an enterprise–integrated industrial network. Managed network switches have numerous options that can be used to implement security and performance processes. The complexity and effort involved in using them must be traded carefully with the perceived risks and costs. Those options most likely to affect control networks are now considered.

Layer 3 switches, network routers and firewalls have the ability to control which devices can communicate through specific port combinations of the switch; this can be used to restrict the sources and destinations of traffic between the enterprise and the industrial networks. A common use of this capability might be to permit only plant, engineering or maintenance managers access to the industrial network from their enterprise connected office computers.

An enterprise–integrated industrial network should be expected to be under continual change and upgrades, especially on the enterprise side. Because of this dynamically changing environment, it is good policy to perform security checks or audits periodically to reduce the risk of changes causing a reduction in security or an introduction of additional threats.

Many managed switches also have the ability to examine the traffic they route at the bit, byte, and/or packet header level. This gives the device the ability to make a judgment and decision on how to handle current and/or future traffic. For example, a switch could be configured to permit all automation traffic but block email traffic frames. Configuring a switch to strictly limit the types of traffic permitted has the benefits of additional security, but can be difficult to manage as new applications are added.

A network firewall provides strict segmentation of traffic passing between two or more zones and restricts or stops the spread of attacks, for instance between the enterprise and industrial networks. Commonplace between office networks and the Internet, a firewall between the enterprise and industrial networks should be configured to only allow predetermined traffic to pass through. This might include allowing certain office personnel access to web pages in the control network that provide production, supply, and maintenance data. Another possibility would be to allow devices on the control network to push (e.g., via email or FTP) their appropriate data out to predefined enterprise devices. Note though that firewalls are limited in their action, and many lack the ability to perform packet inspection in applications dominated by feature- and function-rich automation protocols.

An additional consideration appropriate to firewalls is the creation of a network zone, the DMZ, used to share data and services between the enterprise and industrial networks. Traffic is allowed (although maybe limited) between the enterprise and the DMZ as well as between the Internet and DMZ, but not directly between the enterprise and the Internet. This is a common IT practice to share data and services from an enterprise with entities or users from the Internet and can be implemented between the enterprise and industrial networks. Of course, this entails the use of firewalls to manage the traffic flows and additional servers and network infrastructure to handle the data and services maintained in the DMZ.
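The segmentation described above (VLANs bounding broadcast domains, a default-deny firewall between zones, and a DMZ that both the enterprise and industrial sides talk to but which never joins them directly) is easiest to reason about as a small policy model. The following is an added example written for this article, not code from the ODVA paper or any vendor: it maps constructed VLAN ids and address prefixes to zones, evaluates a flow against a predetermined rule set, and includes the kind of audit check a periodic security review could run to catch a rule that quietly bypasses the DMZ. All VLAN ids, prefixes, ports and rules are constructed; TCP 44818 is the real EtherNet/IP explicit-messaging port but appears only as the sample flow being blocked.

```python
"""Zone policy check for an enterprise / DMZ / industrial split (added example)."""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional, Union

# Constructed VLAN-to-zone map: VLANs bound the broadcast domains, zones bound
# the firewall's enforcement. Two industrial VLANs (two work cells) share a zone.
VLAN_ZONE = {10: "enterprise", 20: "dmz", 100: "industrial", 101: "industrial"}

# Constructed address plan, one prefix per zone.
ZONE_NETS = {
    "enterprise": ip_network("10.1.0.0/16"),
    "dmz": ip_network("10.2.0.0/24"),
    "industrial": ip_network("10.100.0.0/16"),
}


class Rule(NamedTuple):
    src_zone: str
    dst_zone: str
    proto: str            # "tcp" or "udp"
    dport: Optional[int]  # None means "any port"; the audit flags that
    comment: str


# Default-deny rule set: nothing crosses a zone boundary unless listed here.
# No rule joins enterprise and industrial directly; both only talk to the DMZ.
RULES = [
    Rule("enterprise", "dmz", "tcp", 443, "office staff read production pages on the DMZ web server"),
    Rule("enterprise", "dmz", "tcp", 3389, "engineers reach the DMZ terminal server"),
    Rule("industrial", "dmz", "tcp", 21, "controllers push reports to the DMZ FTP drop"),
    Rule("industrial", "dmz", "tcp", 25, "controllers e-mail alarms via the DMZ relay"),
]


def zone_of(endpoint: Union[int, str]) -> str:
    """Map a VLAN id (int) or an IP address (str) to its zone."""
    if isinstance(endpoint, int):
        return VLAN_ZONE.get(endpoint, "unknown")
    ip = ip_address(endpoint)
    for zone, net in ZONE_NETS.items():
        if ip in net:
            return zone
    return "unknown"


def is_allowed(src: Union[int, str], dst: Union[int, str], proto: str, dport: int,
               rules: List[Rule] = RULES) -> bool:
    """Firewall decision for a new flow. Same-zone traffic never reaches the
    firewall (the switch's VLAN/ACL configuration handles it), so it passes
    here; cross-zone traffic passes only if a rule names it."""
    sz, dz = zone_of(src), zone_of(dst)
    if "unknown" in (sz, dz):
        return False
    if sz == dz:
        return True
    return any(
        r.src_zone == sz and r.dst_zone == dz and r.proto == proto
        and (r.dport is None or r.dport == dport)
        for r in rules
    )


def audit_rules(rules: List[Rule]) -> List[str]:
    """The periodic check the text recommends: flag rules that undo the
    segmentation, either by bypassing the DMZ or by opening every port."""
    findings = []
    for r in rules:
        if {r.src_zone, r.dst_zone} == {"enterprise", "industrial"}:
            findings.append(f"'{r.comment}' joins enterprise and industrial directly, bypassing the DMZ")
        if r.dport is None:
            findings.append(f"'{r.comment}' permits every port rather than one predetermined service")
    return findings


if __name__ == "__main__":
    # Office PC to DMZ web server: allowed. Office PC straight to a controller
    # on TCP 44818: no rule names it, so it is denied.
    print(is_allowed("10.1.5.20", "10.2.0.10", "tcp", 443))
    print(is_allowed("10.1.5.20", "10.100.3.7", "tcp", 44818))
    print(audit_rules(RULES + [Rule("enterprise", "industrial", "tcp", None, "temporary shortcut")]))
```

The audit is deliberately run against the rule list rather than against live traffic: as the text notes, the enterprise side changes continually, and a "temporary" rule added to get a project working is exactly what a scheduled review should surface.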

Remote access pursues the idea that off-plant personnel or experts can access a portion of the industrial automation and control system from the comfort of their own office. To offer secure remote access, many of the previously mentioned security best practices are recommended:

• Firewalls/DMZ provide a key choke point for network traffic and allow tight control of access into the industrial network, including authentication enforcement, limiting the types of applications that can be used to access the plant applications, a proxy to hide details about the network and devices, and, if enabled, IPS to monitor the traffic for known security attacks.

• Terminal services now come in a variety of forms, either direct, such as Citrix, Remote Desktop Services (Microsoft-based) or Virtual Network Computing (VNC), or via web conferencing tools. The DMZ enables the service to be hosted in a network zone which both external and internal personnel can access, but which strictly limits direct communication.

• VLANs provide segmentation to limit remote access networked devices.

Wireless networks

Wireless transport of data is becoming much more common in industrial automation applications. Wireless network use should be subject to the security considerations applicable to wired networks, although the nature of the medium raises additional and separate security considerations. For instance, smartphones and portable computers have the ability to connect simultaneously to both a wired and a wireless network. While not a default action, such functionality is extremely easy to configure. This is another excellent reason to restrict use of such devices anywhere near the production area.

Where wireless networks are authorised and in service, the use of WPA2 is considered a best practice. 802.1X in conjunction with wireless encryption can also improve the security of the wireless communication.

IEEE 802.1X is an IEEE standard for port-based network access control ('port' meaning a single point of attachment to the LAN infrastructure). It provides an authentication mechanism for devices wishing to connect to a LAN, either establishing a point-to-point connection or preventing it if authentication fails. It is used for most wireless access points.

The authenticator role is performed either by the access point itself via a pre-shared key (referred to as WPA2-PSK) or, for larger enterprises, by a network service such as a RADIUS (Remote Authentication Dial-In User Service) server. This provides for strong mutual authentication.

In general, effective authentication and encryption are the keys to a secure wireless network. Authentication is the positive identification of a network entity, such as a client or a server. Site authentication has been standard on secure servers for some time, because users require assurance that the data they receive from a site is actually being transmitted by that site, rather than by an impostor or eavesdropper. Encryption is the encoding of data in order to hide its content from everyone except its intended recipient.

Rogue access point and device detection: This is a two-step process, starting with discovering the presence of an access point or wireless device in the network and then proceeding to identify whether it is a rogue or not. Users deploying wireless LANs should effectively detect and block rogue wireless access points and client stations automatically and in real time.

Disabling SSID broadcasting: Most wireless access points automatically transmit their network name (SSID) into open air at regular intervals (every few seconds). This feature of Wi-Fi network protocols is intended to allow clients to dynamically discover and roam between WLANs. However, this feature also makes it easier for hackers to break into a network. Since SSIDs are not encrypted, it becomes easy to grab one by snooping the WLAN for SSID broadcast messages coming from the access point.
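The two-step rogue detection process described above (discover every access point that can be heard, then decide which ones need attention) can be illustrated with a short inventory comparison. The following is an added example written for this article, not code from the ODVA paper or any WLAN product: it takes a constructed list of beacon observations, as a wireless sensor or the site's own access points would report them, and compares each against a constructed inventory of authorised BSSIDs, the site SSID, and the WPA2 requirement stated earlier. The MAC addresses use the locally-administered prefix 02: to make clear they are made up.

```python
"""Rogue access point detection against an authorised inventory (added example)."""
from typing import Dict, List, NamedTuple


class Beacon(NamedTuple):
    ssid: str
    bssid: str      # radio MAC address announced in the beacon
    channel: int
    security: str   # "open", "wep", "wpa" or "wpa2" as advertised


# Constructed inventory of the plant's own access points, keyed by BSSID.
AUTHORISED: Dict[str, Dict[str, object]] = {
    "02:00:00:00:aa:01": {"ssid": "PLANT-OT", "channel": 1},
    "02:00:00:00:aa:02": {"ssid": "PLANT-OT", "channel": 6},
    "02:00:00:00:aa:03": {"ssid": "PLANT-OT", "channel": 11},
}
SITE_SSIDS = {"PLANT-OT"}

# Constructed scan, as a sensor would report it after one sweep.
SCAN = [
    Beacon("PLANT-OT", "02:00:00:00:aa:01", 1, "wpa2"),
    Beacon("PLANT-OT", "02:00:00:00:aa:02", 6, "wpa2"),
    Beacon("PLANT-OT", "02:00:00:00:aa:03", 11, "wpa"),             # our AP, no longer WPA2
    Beacon("PLANT-OT", "02:00:00:00:bb:09", 6, "open"),             # our SSID from a radio we do not own
    Beacon("CONTRACTOR-HOTSPOT", "02:00:00:00:cc:01", 11, "wpa2"),  # unknown network
    Beacon("NEIGHBOUR-NET", "02:00:00:00:dd:01", 3, "wpa2"),        # unknown network
]


def classify(beacons: List[Beacon], authorised=AUTHORISED,
             site_ssids=SITE_SSIDS) -> List[dict]:
    """Return one finding per beacon that deviates from the inventory, plus one
    per authorised AP that was not heard at all (an AP that has gone silent may
    have been unplugged or swapped for something else)."""
    findings = []
    seen = set()
    for b in beacons:
        seen.add(b.bssid)
        expected = authorised.get(b.bssid)
        if expected is None:
            # Step 1 found a radio we do not own. Advertising our own SSID is
            # the clearest sign of a rogue; an unknown SSID still has to be
            # traced (e.g. to a switch port) to see whether it is on our wire.
            kind = "impersonation" if b.ssid in site_ssids else "unknown_ap"
            findings.append({"bssid": b.bssid, "ssid": b.ssid, "kind": kind,
                             "detail": f"not in inventory, channel {b.channel}, {b.security}"})
            continue
        if b.ssid != expected["ssid"]:
            findings.append({"bssid": b.bssid, "ssid": b.ssid, "kind": "misconfigured",
                             "detail": f"expected SSID {expected['ssid']}"})
        if b.security != "wpa2":
            findings.append({"bssid": b.bssid, "ssid": b.ssid, "kind": "misconfigured",
                             "detail": f"advertises {b.security}, policy requires WPA2"})
    for bssid, expected in authorised.items():
        if bssid not in seen:
            findings.append({"bssid": bssid, "ssid": expected["ssid"], "kind": "missing",
                             "detail": "authorised AP not heard this sweep"})
    return findings


if __name__ == "__main__":
    for f in classify(SCAN):
        print(f"{f['kind']:14} {f['bssid']}  {f['ssid']:20} {f['detail']}")
```

Only the "impersonation" and "misconfigured" findings are conclusive from the radio side alone. An unknown SSID may simply belong to a neighbouring business, so the second step for those entries is to correlate the BSSID against the wired switches' MAC tables to establish whether the device is actually attached to the plant network; that correlation is not shown here.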

Other technologies

As security threats expand and change, and computer and networking technology improves, security technologies must evolve to keep up. Here are some of the emerging technologies that may affect security for future control networks. While only a small percentage of industrial networks currently contain devices using security-enhanced operating systems, there is a cost and security/reliability trend towards incorporating these operating systems into control networks. One example of a security-enhanced operating system is SELinux, an effort sponsored by the National Security Agency (NSA) to develop and deploy an even more secure version of Linux.

Biometrics provides the ability for a device to authenticate an individual based on a physical or behavioural attribute, such as a retinal scan, fingerprint, or voice recognition. Biometrics could be used to verify that a user is permitted to use a computer that configures devices on the industrial network. Using biometrics for personal authentication is becoming convenient and considerably more accurate than prior methods (such as the use of passwords or PINs). The main reason is that biometrics links the event to a particular individual, while a password or token may be used by someone other than the authorised user. Additionally, it is convenient (nothing to carry or remember), accurate (it provides for positive authentication), can provide an audit trail, and is becoming more cost effective.

Some operating systems (e.g., Linux) and applications (e.g., peer-to-peer applications like BitTorrent) already have the ability to throttle network flow. A common complaint in industrial control networks is of the processing and networking overhead required by a computer to download and apply an operating system patch or an antivirus update. Disruptive loads of this type in the control system network can have disastrous effects. However, as more industrial nodes move to Ethernet and TCP/IP-based networks, market pressures and advancing technology may bring about the capability to easily perform network-, disk- and CPU-rate-limited patches and antivirus and malware updates.
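The network-side throttling the paragraph refers to is usually a token bucket: tokens accrue at the permitted sustained rate up to a burst allowance, and a transfer may only proceed when it holds enough tokens for the next piece. The following is an added example written for this article, not code from the ODVA paper or from any operating system or patch tool: it applies that algorithm to a patch or signature download on a plant-floor computer, using a simulated clock instead of real sleeps so the shaping effect can be worked out exactly. The file sizes and rates are constructed.

```python
"""Token-bucket throttling for a patch or signature download (added example)."""


class TokenBucket:
    """Tokens are bytes; the bucket refills at `rate` bytes per second up to
    `burst` bytes, so short bursts are allowed but the average rate is capped."""

    def __init__(self, rate: float, burst: float):
        self.rate = rate
        self.capacity = burst
        self.tokens = burst   # start full: the first burst goes out untouched
        self.last = 0.0       # simulated time of the last refill

    def consume(self, nbytes: float, now: float) -> float:
        """Take `nbytes` at time `now` and return how long the caller must wait
        before sending (0.0 if the bucket already holds enough)."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return 0.0
        wait = (nbytes - self.tokens) / self.rate  # time until enough tokens exist
        self.tokens = 0.0                           # spent the moment they arrive
        self.last = now + wait
        return wait


def simulate_transfer(total_bytes: int, chunk_bytes: int, rate: float, burst: float) -> float:
    """Push `total_bytes` through the limiter in `chunk_bytes` pieces and return
    the simulated seconds the transfer takes (the link itself is treated as
    instantaneous, so the result is purely the limiter's contribution)."""
    bucket = TokenBucket(rate, burst)
    now = 0.0
    sent = 0
    while sent < total_bytes:
        chunk = min(chunk_bytes, total_bytes - sent)
        now += bucket.consume(chunk, now)
        sent += chunk
    return now


if __name__ == "__main__":
    MB = 1024 * 1024
    # A 10 MB signature update limited to 1 MB/s with a 2 MB burst allowance:
    # the first 2 MB go out at once, the remaining 8 MB take 8 seconds.
    elapsed = simulate_transfer(10 * MB, 256 * 1024, 1 * MB, 2 * MB)
    print(f"{elapsed:.2f} s, average {10 * MB / elapsed / MB:.2f} MB/s")
```

In a real updater the returned wait would be passed to a sleep between reads; the burst parameter is the knob to tune, since a burst larger than the switch's buffers reintroduces exactly the load spike the limiter was meant to avoid.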

Network Access Control (NAC) and Network Access Protection (NAP) are developing, complementary technologies that validate end devices, their security stance and software levels (including, for example, the level of anti-virus updates) and, based on that, allow or deny access to the network. NAC is a set of technologies that uses the network infrastructure to enforce security policy compliance based upon a number of characteristics of the end device. NAC is often considered to include user-based authentication mechanisms such as 802.1X. Network Access Protection is a Microsoft technology that implements NAC for Microsoft-based end devices.

NAC and NAP offer a lot of potential for industrial networks, as network access may be determined using means other than user-based authentication. Most industrial network devices (controllers, sensors, drives, etc.) do not have 'users' on which to base network access decisions. Other means, such as MAC address, IP address, traffic patterns, etc., may be used to validate network access. NAC and NAP offer the ability to validate every device on the network and monitor its behaviour.

NAC and NAP are developing technologies. Due to the nature of allowing or denying access to the network, caution and sufficient testing should occur before implementing any of these technologies.
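To make the preceding three paragraphs concrete, the following is an added example written for this article, not code from the ODVA paper, Microsoft NAP or any NAC product. It shows the decision a NAC policy engine makes for the two device classes the text contrasts: workstations, judged on their anti-virus signature level, and controllers, which have no user and are judged on MAC prefix, address and observed traffic pattern instead. It also implements the caution in the last paragraph as a monitor mode that records verdicts without acting on them, so a policy can be trialled before it is allowed to take devices off the network. Every MAC prefix, address, version number and endpoint is constructed; TCP 44818 and UDP 2222 are the real EtherNet/IP ports, but that a given controller should use only those is a policy assumption.

```python
"""Device posture checks for NAC, with a monitor mode for safe rollout (added example)."""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional, Set, Tuple


class Endpoint(NamedTuple):
    mac: str
    ip: str
    kind: str                  # "workstation" or "controller"
    av_version: Optional[int]  # signature level on workstations, None on controllers
    observed_ports: Set[int]   # destination ports this device has talked to recently


# Constructed policy values.
MIN_AV_VERSION = 4200
APPROVED_OUIS = {"02:cc:dd"}                  # MAC prefixes of approved controller vendors
INDUSTRIAL_NET = ip_network("10.100.0.0/16")
CONTROLLER_PORTS = {44818, 2222}              # EtherNet/IP explicit (TCP) and implicit I/O (UDP)


def evaluate(ep: Endpoint) -> Tuple[str, List[str]]:
    """Policy verdict for one endpoint: 'allow', 'quarantine' (workstation sent
    to a remediation VLAN) or 'deny', together with the reasons."""
    reasons = []
    if ep.kind == "workstation":
        if ep.av_version is None or ep.av_version < MIN_AV_VERSION:
            reasons.append(f"anti-virus signatures below {MIN_AV_VERSION}")
        verdict = "quarantine" if reasons else "allow"
    elif ep.kind == "controller":
        if ep.mac.lower()[:8] not in APPROVED_OUIS:
            reasons.append("MAC prefix is not an approved controller vendor")
        if ip_address(ep.ip) not in INDUSTRIAL_NET:
            reasons.append("address outside the industrial range")
        unexpected = ep.observed_ports - CONTROLLER_PORTS
        if unexpected:
            reasons.append(f"traffic to unexpected ports {sorted(unexpected)}")
        verdict = "deny" if reasons else "allow"
    else:
        reasons.append(f"unknown device class {ep.kind!r}")
        verdict = "deny"
    return verdict, reasons


def apply_policy(endpoints: List[Endpoint], mode: str = "monitor") -> List[dict]:
    """Run the policy over a set of endpoints. In 'monitor' mode every device is
    admitted and only the verdict is recorded; in 'enforce' mode the verdict is
    the action. Compare the two before switching a plant to enforcement."""
    results = []
    for ep in endpoints:
        verdict, reasons = evaluate(ep)
        action = verdict if mode == "enforce" else "allow"
        results.append({"mac": ep.mac, "verdict": verdict, "action": action, "reasons": reasons})
    return results


# Constructed endpoints as seen at the access switches.
ENDPOINTS = [
    Endpoint("02:aa:bb:00:00:10", "10.1.4.10", "workstation", 4300, {443, 3389}),
    Endpoint("02:aa:bb:00:00:11", "10.1.4.11", "workstation", 3900, {443}),
    Endpoint("02:cc:dd:00:00:20", "10.100.1.20", "controller", None, {44818, 2222}),
    Endpoint("02:ee:ff:00:00:21", "10.100.1.21", "controller", None, {44818, 22}),
]

if __name__ == "__main__":
    for r in apply_policy(ENDPOINTS, mode="enforce"):
        print(r["mac"], r["action"], "; ".join(r["reasons"]) or "ok")
```

The enforcement point for these verdicts would normally be the 802.1X-capable access switch or wireless controller, which places the port in the production, remediation or blocked VLAN; the engine above only produces the decision.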

From the ODVA paper Securing EtherNet/IP Networks.

www.odva.org


© 2010-2018 Published by IEB Media GbR · Last Update: 14.11.2018