Secure Industrial Control Utilizing High Speed
Ethernet Networks and Web Management
GarrettCom, Inc.
47823 Westinghouse Drive
Fremont, CA 94539
PH: (510) 438-9071
FAX: (510) 438-9072
www.GarrettCom.com
INTRODUCTION
This paper explores the state of network security options today at the Ethernet switch level and offers
an elementary roadmap for industrial operations to plan for and deploy secure communications
systems. Industrial systems need to take advantage of the advanced networking technologies that can
support greater efficiency, reliability, and security in plant and remote operations. As SCADA
systems, relays, and other industrial control, monitoring and management systems become more
intelligent, a rich supply of data is available for improving plant performance and remote maintenance
and management. However, as with all technology advances, there are challenges as well as
opportunities.
SECURITY OVERVIEW
In today’s uncertain world, security stands beside profitability, productivity, performance and control
as a key element for maintaining business activities in industrial facilities. Prevention of malicious
attacks against business infrastructure has become as vital to ongoing success as the widespread use of
the computer systems which make such attacks so easy and so painful. It is no longer enough to catch
the perpetrator during or after the commission of a malicious act; considerable time and expense are
now being spent on securing systems to prevent intrusion in the first place.
Repercussions from the 2003 power blackout in the Northeastern US were felt throughout the country.
Attacks such as the Zotob worm and Mytob bot software effectively shut down well-protected
computers at CNN, the New York Times and many other places. Imagine how much worse a
concentrated and widespread act of industrial sabotage might be.
Until just recently, SCADA (Supervisory Control And Data Acquisition) environments were not
considered at risk of cyber attack because of the highly customized nature of these systems. In March
2002, articles were still being written that dismissed concerns about the need for more security at
utility service providers. Yet this viewpoint is contradicted by documented cyber-related incidents,
such as the Slammer worm’s infiltration of an Ohio nuclear power plant and the wireless attack on a
sewage SCADA system in Queensland, Australia.
More and more industrial sites are taking advantage of Ethernet as a mature, end-to-end, standards-
based networking, communications and data transmission protocol because it offers convenience and
efficiency that bring higher performance and lower cost. In addition, the standards that are in place
support interoperability among many competing equipment vendors as well as world-wide
interconnectivity. At the same time, more extensive use of Ethernet/IP and other well-documented
protocols will make hacking and disruption easier if adequate security measures are not taken.
Password protection, encryption, access authorization and firewalls are some of the many tools
available to protect against cyber invasion.
INDUSTRIAL SECURITY INITIATIVES
While there are similarities between security in enterprise business IT systems (which protects
activities such as bank and stock transactions and on-line purchases), and that required by industrial
control systems, several groups have been chartered to address the technology opportunities and
challenges specific to industrial applications. At the broadest level, the Instrumentation Systems and
Automation Society (ISA) and the National Institute of Standards and Technology (NIST) are looking
at overall security practices for industry. (See APPENDIX A)
On a more specific industrial level, there are groups such as the North American Electric Reliability
Council, which has been named by the US DoE as the electric energy sector’s coordinator for critical
infrastructure protection. The NAERC’s Critical Infrastructure Protection Committee addresses
security concerns and provides guidelines and requirements for utility systems including SCADA and
EMS.
ETHERNET SECURITY – THE SWITCH VENDOR’S OPPORTUNITY
No single vendor or single technology is going to make industry safe from intentional cyber attacks.
Nonetheless, it is critical that vendors of industrial equipment look at ways in which to support the
overall security effort. Standards-based Ethernet networks, with cost effective hardware and software
available from many competing vendors, can make a significant impact. For example, leading Ethernet
switch vendors are adding security in the switch with IEEE and other standards support for security
features.
As Ethernet has expanded into outlying industrial facilities, two types of network structures emerge:
Local and Remote. The Local Ethernet structure is within the walls of a single facility which can be
closely watched, with the only serious security risk being from disgruntled employees or persons who
have penetrated the physical security of the plant. Access to data running across this type of Local
Ethernet network can be protected by segregating it with VLANs (Virtual Local Area Networks).
VLANs can be configured to restrict points of access from the outside world and can employ password
protection to provide authorization, authentication, and access control tethered to the Ethernet network
itself. Telnet managed by the switch can be used for remote login to the switch manager software.
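The segregation described above (control traffic isolated on its own VLANs, outside-facing ports kept off those VLANs, and password-protected remote login to the switch manager) can be checked mechanically against a switch’s configuration. The following is an added example written for this paper, not GarrettCom code; the configuration record it reads is a constructed, vendor-neutral structure (an assumption of the example, not any real switch’s export format), and the sample configurations are constructed. One caveat a practitioner would want alongside the Telnet remark in the text: Telnet carries the login password in cleartext, so the audit flags it and expects an encrypted (SSH) login instead.

```python
"""
Added example (not part of the GarrettCom paper): audit a switch's VLAN and
management-access settings against the segregation the paper describes.
The SwitchConfig/Port structures are a constructed, vendor-neutral format
assumed for this example, not the export format of any particular switch.
"""

from dataclasses import dataclass


@dataclass
class Port:
    name: str
    pvid: int                              # VLAN that untagged frames on this port belong to
    tagged: frozenset = frozenset()        # extra VLANs carried as 802.1Q-tagged frames
    faces_outside: bool = False            # uplink toward the corporate or wide-area network

    def vlans(self):
        return {self.pvid} | set(self.tagged)


@dataclass
class SwitchConfig:
    control_vlans: frozenset               # VLANs carrying SCADA / relay / PLC traffic
    mgmt_vlan: int                         # VLAN on which the switch manager listens
    ports: list
    telnet_enabled: bool
    ssh_enabled: bool
    default_password_changed: bool


def audit_switch(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # Control traffic must not be reachable through a port that faces the outside world.
    for port in cfg.ports:
        leaked = port.vlans() & cfg.control_vlans
        if port.faces_outside and leaked:
            findings.append(f"{port.name}: outside-facing port carries control VLAN(s) {sorted(leaked)}")
        if port.faces_outside and cfg.mgmt_vlan in port.vlans():
            findings.append(f"{port.name}: outside-facing port carries management VLAN {cfg.mgmt_vlan}")

    # The switch's own management plane should not share a VLAN with control traffic,
    # and should not sit on default VLAN 1, which every port belongs to until reconfigured.
    if cfg.mgmt_vlan in cfg.control_vlans:
        findings.append(f"management VLAN {cfg.mgmt_vlan} is also a control VLAN")
    if cfg.mgmt_vlan == 1:
        findings.append("management VLAN is the default VLAN 1")

    # Remote login: Telnet sends the password in cleartext, so anyone who can capture
    # traffic on the management VLAN can read it; SSH encrypts the whole session.
    if cfg.telnet_enabled:
        findings.append("Telnet management login enabled (credentials sent in cleartext)")
    if not cfg.ssh_enabled:
        findings.append("no encrypted (SSH) management login available")
    if not cfg.default_password_changed:
        findings.append("switch manager still uses the factory default password")

    return findings


# Constructed sample configurations for a small substation switch.
WEAK_CONFIG = SwitchConfig(
    control_vlans=frozenset({1}),
    mgmt_vlan=1,
    ports=[
        Port("port1", pvid=1),                          # protective relay
        Port("port2", pvid=1),                          # RTU
        Port("port8", pvid=1, faces_outside=True),      # uplink to the corporate LAN
    ],
    telnet_enabled=True,
    ssh_enabled=False,
    default_password_changed=False,
)

HARDENED_CONFIG = SwitchConfig(
    control_vlans=frozenset({10}),
    mgmt_vlan=99,
    ports=[
        Port("port1", pvid=10),
        Port("port2", pvid=10),
        Port("port7", pvid=99),                         # local operator console on the mgmt VLAN
        Port("port8", pvid=20, faces_outside=True),     # corporate traffic only
    ],
    telnet_enabled=False,
    ssh_enabled=True,
    default_password_changed=True,
)

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_switch(cfg)
        print(f"{label}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

Run as a script, the weak configuration produces seven findings (the uplink on the control and management VLAN, management on VLAN 1, Telnet, no SSH, default password) and the hardened one produces none; the same `audit_switch` function can be fed a parsed export from whatever switch is actually deployed.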
However, Ethernet’s benefits to industrial applications run far beyond such restricted local
applications. Much Ethernet connectivity is deployed beyond a single plant and local-only networks
would limit the ability to manage, monitor and collect data from remote operations. Ethernet, using
fiber cabling for distance, noise-immunity and security, is deployed throughout widely distributed
industrial applications. Interconnecting multiple water treatment plants or power substations within a
metropolitan area is a typical example.
Remote industrial Ethernet implementations are very popular applications for monitoring (the Data
Acquisition (DA) part of SCADA). They are typically closed systems, which require in-facility access
points for information review, as opposed to casual Internet access from the home or from the remote
laptop of a maintenance supervisor. Within the closed system, remote monitoring may be possible,
eliminating many routine maintenance visits to unmanned outlying operations, with concomitant
reduction in costs. It is also easier to identify potential problems and dispatch maintenance or repair
teams promptly, often avoiding downtime or managing outages.
The only security risk in a closed system is a physical breach of the network, and even in the case of
such an event, password protection goes a long way to providing data security. The downside is the
lost opportunity for efficiencies and savings because of the limits placed on management and control
of industrial operations from afar.
Management Supervision and Control (the SC part of SCADA) of remote sites over Ethernet has
traditionally been used less often, simply because of concerns regarding security. If these concerns can