Building Secure Networks for the Industrial World
Anders Felling
Vice President, International Sales, Westermo Group
Managing Director, Westermo Data Communication AB
Westermo – What do we do?
Robust data communication devices for harsh environments
We supply products that:
- provide the communication infrastructure for control and monitoring systems
- are used in mission-critical systems, where commercial-grade products are not sufficiently resilient
- are derived from proven commercial communication technology
The built-in safety, reliability and redundancy are of high value to customers
Westermo Group 2010
- Founded in 1975
- Turnover: 33 MEur
- Uninterrupted growth since 1994
- No. of employees: 160
- 14% R&D spend
- Extensive IPR portfolio for key technologies
- Production: 100 000 units
- Sales and support units in 10 countries, distributors in another 36
- Member of the Beijer Electronics Group
Westermo Group
Head office and branch offices:
- Sweden: Västerås, Stora Sundby
- United Kingdom: Southampton
- Germany: Waghäusel
- France: Paris
- Singapore: Singapore
- Taiwan: Taipei
- United States: Chicago
- Switzerland: Leimbach
- Austria: Wien
- Belgium: Chievres
+ 36 distributors worldwide
Critical Infrastructure Projects

Cyber Security and Physical Security
Security Awareness - Physical and Cyber
- Physical and cyber security is now a key issue
- The threat of terrorist attacks is real
- CCTV, intruder and chemical detectors are now part of every system
- Cyber attacks are an increasing problem
- One UK utility reported that they are dealing with 8000 attacks a day!
- There is now a worm actively seeking out and attacking PLCs
- Most serious attacks or infections come from within, i.e. from employees
Security Issues and how these can be Addressed
- Creating secure connections over insecure networks like the Internet
- Security issues and vulnerabilities need to be addressed from the start
- It is too late once a vulnerability has been exposed and the system compromised
How can we address these vulnerabilities using:
- Firewalls
- VLANs
- DMZs
- VPNs
Firewall
- An effective means of stopping unwanted intrusions from insecure networks
- Block unauthorised traffic from the remote site
- Block IP ports
- Prevent unauthorised access to the management of the router
- Prevent the router from replying to probing traffic (ping, port scanning)
Firewalls in Industrial networks
[Diagram: a single router firewalling between five VLANs (VLAN 1 to VLAN 5) with subnets such as 10.10.10.xxx, 172.10.10.xxx and 195.168.1.xxx, plus a connection from the corporate LAN 192.168.10.xxx. This would normally require 5 discrete firewalls.]
VLANs - (Virtual LANs)

How Would You Use VLANs?
- Automation network: VLAN ID 100
- Corporate network: VLAN ID 200
- Security network: VLAN ID 300
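The separation the slide relies on is enforced by the switch checking the 802.1Q tag of every frame against the VLAN membership of the port it arrived on. The following is an added example, not code from the presentation or from Westermo: it parses the 802.1Q header (TPID 0x8100, then the 16-bit TCI holding priority and VLAN ID) and models an access-port switch that only forwards a frame to ports in the same VLAN. The VLAN IDs 100, 200 and 300 come from the slide; the port numbers, MAC addresses and frames are constructed for the example, and MAC learning is replaced by flooding to keep the model short.

```python
"""Added example (not from the slides or Westermo): parse IEEE 802.1Q VLAN
tags and show why a tagged frame cannot cross from one VLAN to another on a
switch that checks port membership. VLAN IDs 100/200/300 are the slide's;
port numbers and frames are constructed for the example."""
import struct

TPID_8021Q = 0x8100   # EtherType value announcing an 802.1Q tag

# Access-port membership (assumption: port numbers are ours, no trunk ports)
PORT_VLAN = {1: 100, 2: 100,   # automation network
             3: 200, 4: 200,   # corporate network
             5: 300}           # security network (CCTV, door contacts)


def parse_frame(frame: bytes):
    """Return (dst, src, vid, pcp, ethertype, payload); vid and pcp are
    None when the frame carries no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != TPID_8021Q:
        return dst, src, None, None, etype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner_etype = struct.unpack("!HH", frame[14:18])
    pcp = tci >> 13            # 3-bit priority code point
    vid = tci & 0x0FFF         # 12-bit VLAN identifier (bit 12 is the DEI)
    if vid in (0, 4095):       # 0 = priority tag only, 4095 is reserved
        raise ValueError(f"reserved VID {vid}")
    return dst, src, vid, pcp, inner_etype, frame[18:]


def build_frame(dst: bytes, src: bytes, vid=None, pcp=0,
                etype=0x0800, payload=b"") -> bytes:
    """Assemble an Ethernet frame, inserting an 802.1Q tag when vid is given."""
    hdr = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)
        hdr += struct.pack("!HHH", TPID_8021Q, tci, etype)
    else:
        hdr += struct.pack("!H", etype)
    return hdr + payload


def forward(ingress_port: int, frame: bytes) -> list:
    """Egress ports for a frame. An untagged frame is placed in the ingress
    port's VLAN; a tagged frame is accepted only if its VID matches that
    VLAN, so a forged tag cannot move traffic into another VLAN.
    Flooding to all members stands in for MAC learning."""
    vlan = PORT_VLAN[ingress_port]
    vid = parse_frame(frame)[2]
    if vid is not None and vid != vlan:
        return []                       # dropped: wrong VLAN for this port
    return sorted(p for p, v in PORT_VLAN.items() if v == vlan and p != ingress_port)
```

Run forward() with a frame tagged VLAN 200 arriving on a VLAN 100 port and the result is an empty egress list; the same check is what keeps the corporate and automation networks apart on shared switch hardware.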
DMZ - (Demilitarized Zone)

DMZ (Demilitarized Zone)
- The DMZ acts as a buffer between the trusted and untrusted zones
- The DMZ prevents direct communication between the trusted and untrusted zones. All communications from the untrusted zone are terminated on an intermediate server or historian
- The DMZ can offer protection against cyber attacks such as the STUXNET worm or many of the other malicious worms and viruses present in cyberspace
- The servers in the DMZ still need to run strong, regularly updated antivirus software
[Diagram: a DMZ holding a Citrix server and a SCADA server between the untrusted and trusted networks. Typically incoming traffic from the untrusted network will be HTTP or HTTPS; communications to the trusted network will typically be industrial protocols, i.e. Ether IP, Profinet, CC Net, Modbus TCP. The direct path between untrusted and trusted is marked as blocked (X).]
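The firewall and DMZ slides together describe one ordered policy: untrusted hosts reach only the DMZ servers, and only on the web ports; the DMZ servers reach the trusted network only on industrial protocol ports; nothing goes directly from untrusted to trusted; and the router's own management plane answers only the management station, so probes such as ping get no reply. The block below is an added example, not the presentation's or Westermo's configuration, that models that policy as a zone lookup plus a first-match rule list with default deny. The addressing, the management station and the zone names are constructed; the only values taken from the protocols themselves are the well-known ports (HTTP 80, HTTPS 443, Modbus TCP 502, EtherNet/IP 44818, SSH 22). The model is stateless, so return traffic for allowed connections is assumed to be handled by connection tracking outside this code.

```python
"""Added example (not vendor code): zone-based packet filter covering the
firewall and DMZ slides. Addresses, zones and the management station are
constructed; ports are the protocols' well-known ports."""
import ipaddress
from typing import NamedTuple, Optional


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # None for icmp


# Constructed addressing; checked longest-prefix first so the router's own
# address is classified before the trusted /24 that contains it.
ZONES = [
    ("router",    ipaddress.ip_network("10.10.10.1/32")),   # the firewall itself
    ("trusted",   ipaddress.ip_network("10.10.10.0/24")),   # automation network
    ("dmz",       ipaddress.ip_network("172.16.1.0/24")),   # historian / Citrix servers
    ("untrusted", ipaddress.ip_network("0.0.0.0/0")),       # everything else
]
MGMT_STATION = ipaddress.ip_address("10.10.10.50")          # constructed


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    best = None
    for name, net in ZONES:
        if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0]


# First match wins; anything unmatched is dropped. There is deliberately no
# untrusted -> trusted rule: that traffic must terminate in the DMZ.
RULES = [
    ("untrusted", "dmz",     "tcp", {80, 443},    "allow"),  # web / Citrix front end
    ("dmz",       "trusted", "tcp", {502, 44818}, "allow"),  # Modbus TCP, EtherNet/IP
    ("trusted",   "dmz",     "tcp", {80, 443},    "allow"),  # operators reach the historian
    ("trusted",   "trusted", None,  None,         "allow"),  # intra-zone traffic
]


def evaluate(pkt: Packet) -> str:
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    if dst_zone == "router":
        # Management plane: SSH from the management station only. Everything
        # else, including ICMP echo and port scans, is dropped without reply.
        if (src_zone == "trusted" and ipaddress.ip_address(pkt.src) == MGMT_STATION
                and pkt.proto == "tcp" and pkt.dport == 22):
            return "allow"
        return "drop"
    for from_zone, to_zone, proto, ports, verdict in RULES:
        if (from_zone, to_zone) != (src_zone, dst_zone):
            continue
        if proto is not None and proto != pkt.proto:
            continue
        if ports is not None and pkt.dport not in ports:
            continue
        return verdict
    return "drop"   # default deny
```

The ordering matters: the management-plane check runs before the rule list so that no later "allow" can accidentally expose the router, and the absence of an untrusted-to-trusted rule, rather than an explicit deny, is what enforces the DMZ's "no direct communication" property.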
VPNs - Virtual Private Networks

[Diagram: IPsec VPN via an untrusted network: corporate network, Internet, MPLS network, WAN.]
VPNs
- IPsec VPNs are key in allowing industrial networks on different sites to communicate
- VPNs are, in effect, tunnels linking the sites (like leased lines)
- All connections need to be authenticated before being accepted
- All data passing through the tunnel is encrypted
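The two bullets above, authenticate first and then encrypt everything, are the properties a practitioner should check in any VPN, and the order matters: a peer that fails authentication must never obtain a tunnel key. The block below is an added, stand-alone toy model, not IPsec and not Westermo's implementation, that makes the dependency visible. Peer authentication is a pre-shared-key challenge-response with HMAC-SHA256 over fresh nonces (the same idea as IKE's PSK authentication, heavily simplified); only after both sides accept is a session key derived, and every tunnel packet is then encrypted, integrity-protected and replay-checked. The keystream construction (HMAC-SHA256 in counter mode) is a stand-in for ESP's AES so the example runs on the Python standard library alone; production code uses an AEAD such as AES-GCM. Peer names and the pre-shared keys are constructed.

```python
"""Added example, neither IPsec nor vendor code: mutual PSK authentication
followed by an authenticated, replay-protected tunnel. The HMAC counter-mode
keystream stands in for ESP's AES; use a real AEAD in production."""
import hashlib
import hmac
import secrets
import struct


def prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class Peer:
    def __init__(self, name: bytes, psk: bytes):
        self.name, self.psk = name, psk
        self.nonce = secrets.token_bytes(16)   # fresh per handshake
        self.session_key = None                # exists only after mutual auth

    def auth_token(self, other_name: bytes, other_nonce: bytes) -> bytes:
        # Proof of PSK knowledge bound to both identities and both nonces
        return prf(self.psk, self.name, other_name, self.nonce, other_nonce)

    def accept(self, other_name: bytes, other_nonce: bytes, token: bytes) -> bool:
        expected = prf(self.psk, other_name, self.name, other_nonce, self.nonce)
        if not hmac.compare_digest(expected, token):
            return False                       # authentication failed: no tunnel
        lo, hi = sorted([self.nonce, other_nonce])
        self.session_key = prf(self.psk, b"session", lo, hi)
        return True


def handshake(a: Peer, b: Peer) -> bool:
    """Both peers must verify the other before either holds a data key."""
    ok_b = b.accept(a.name, a.nonce, a.auth_token(b.name, b.nonce))
    ok_a = a.accept(b.name, b.nonce, b.auth_token(a.name, a.nonce))
    return ok_a and ok_b


def keystream(key: bytes, seq: int, n: int) -> bytes:
    blocks = (prf(key, b"enc", struct.pack("!QI", seq, i)) for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(session_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """sequence number || ciphertext || MAC (encrypt-then-MAC)."""
    hdr = struct.pack("!Q", seq)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(session_key, seq, len(plaintext))))
    return hdr + ct + prf(session_key, b"mac", hdr, ct)


def unseal(session_key: bytes, seen: set, packet: bytes):
    """Return the plaintext, or None if the MAC fails or the packet is a replay."""
    hdr, ct, tag = packet[:8], packet[8:-32], packet[-32:]
    if not hmac.compare_digest(prf(session_key, b"mac", hdr, ct), tag):
        return None                            # modified in transit
    seq = struct.unpack("!Q", hdr)[0]
    if seq in seen:
        return None                            # replayed packet
    seen.add(seq)
    return bytes(c ^ k for c, k in zip(ct, keystream(session_key, seq, len(ct))))
```

A peer with the wrong pre-shared key fails accept() on both sides and never receives a session_key, so there is nothing it could use to seal a packet; a packet altered on the untrusted network fails the MAC before any decryption is attempted, which is the reason real tunnels verify integrity first.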
Cyber Security Policy
- No matter how powerful the firewall, you also need good policies
- Large corporate or telemetry systems should look at IDS (Intrusion Detection Systems)
- SCADA machines need regularly updated antivirus software
- Any machines likely to be connected to the industrial LAN should also have antivirus software
- Use a strong password policy, never words that can be looked up in a dictionary
- Servers should be located on trusted networks
- Pour glue in the USB ports so they can never be used!
- Have a recovery policy should a system become infected or compromised
Physical Security through
- Robustness
- Redundancy
- Monitoring
- Compatibility
Robust products = Secure products
Transient suppression
- Handles interference from high power cables, reactive loads and transients
Power supply
- DC-supplied units, redundant power supply
Mechanical performance
- Handles high mechanical strain, DIN-mounted
Extended temperature range
- -40 °C to +70 °C
Classifications and Approvals
- EMC, Rail, Isolation, Vibration, Shock, MTBF, DNV, ATEX
Galvanic isolation
- Galvanic isolation of the interfaces
Redundancy
Secure connectivity through redundancy:
- FRNT
- RSTP/STP
- OSPF and VRRP
FRNT – Fast Recovery of Network Topology
L2 Ring Redundancy
FRNT is able to reconfigure a redundant ring network consisting of up to 200 switches within 20 ms of the initial failure, regardless of network load.
[Diagram: a ring of one focal point switch and five member switches. The ring break (X) triggers media failure messages, ports previously in blocking mode are opened, and a re-learn MAC tables message is sent around the ring.]
RSTP – Rapid Spanning Tree Protocol
- RSTP builds loop-free topologies by creating a logical tree of the connected nodes in the network.
- This means that some ports need to be set in a blocking state, depending on how the nodes are connected together.
[Diagram: interconnected switches with one link marked blocked (X).]
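Which port ends up blocking is not arbitrary: it follows from root election, root path cost and the tie-break rules, and it is worth being able to predict it before cabling a ring. The block below is an added example, not Westermo's code nor an RSTP implementation, of that core computation on a ring of six switches like the one on the FRNT slide: the lowest bridge ID becomes root, each bridge's root path cost is found by Dijkstra from the root (equal costs broken by the lower upstream bridge ID), the bridge with the lower cost on each segment is designated, and a non-root, non-designated port is an alternate, which is the port RSTP holds in blocking state. It then removes one link and recomputes, showing that the previously blocked port takes over. Bridge IDs and the uniform link cost of 4 are constructed; real RSTP uses priority+MAC bridge IDs and speed-based path costs, and the timers and BPDU exchange are outside the model.

```python
"""Added example (not vendor code, not an RSTP implementation): root election,
root path cost and port roles for a constructed ring of six switches."""
import heapq
from collections import defaultdict


def spanning_tree(bridges, links):
    """bridges: iterable of integer bridge IDs (lowest wins root election);
    links: (a, b, cost) tuples. Returns (root, roles) where
    roles[(bridge, neighbour)] is "root", "designated" or "alternate"."""
    bridges = list(bridges)
    root = min(bridges)
    adj = defaultdict(list)
    for a, b, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    # best[br] = (root path cost, upstream bridge); tuple comparison breaks
    # equal-cost paths by the lower upstream bridge ID, as STP does
    best = {br: (float("inf"), br) for br in bridges}
    best[root] = (0, root)
    heap = [(0, root)]
    while heap:
        cost, u = heapq.heappop(heap)
        if cost > best[u][0]:
            continue
        for v, link_cost in adj[u]:
            cand = (cost + link_cost, u)
            if cand < best[v]:
                best[v] = cand
                heapq.heappush(heap, (cand[0], v))
    roles = {}
    for a, b, _ in links:
        # designated bridge on a segment: lowest root path cost, then lowest ID
        desig = min(a, b, key=lambda x: (best[x][0], x))
        other = b if desig == a else a
        roles[(desig, other)] = "designated"
        # the other end is a root port only if this segment is its best path
        roles[(other, desig)] = "root" if best[other][1] == desig else "alternate"
    return root, roles


def blocked_ports(roles):
    """Ports RSTP would hold in blocking (discarding) state."""
    return sorted(port for port, role in roles.items() if role == "alternate")


def after_failure(links, failed):
    """Recompute the tree once a link has gone down (what RSTP reconverges to)."""
    remaining = [l for l in links if l != failed]
    return spanning_tree({n for a, b, _ in remaining for n in (a, b)}, remaining)


# Constructed ring: switches 1..6, every link cost 4
RING = [(1, 2, 4), (2, 3, 4), (3, 4, 4), (4, 5, 4), (5, 6, 4), (6, 1, 4)]
```

On RING the root is switch 1, and the single blocked port is on switch 4 facing switch 5: both are 12 and 8 away from the root respectively, so switch 5 is designated on that segment and switch 4 already has a better path through switch 3. Removing the link between switches 1 and 2 leaves no alternate port at all, because the ring has become a line and every link is now on somebody's only path to the root.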
OSPF and VRRP
Layer 3 redundancy with OSPF and VRRP
- OSPF keeps track of the active routers and calculates the best path to the connected networks
- VRRP creates redundant default gateways for the connected nodes on the LAN
[Diagram: three Layer 2 networks attached to a Layer 3 backbone.]
Monitoring
Alarm handling and remote monitoring through:
- SNMP
- Syslog
Configurable alarms:
- Link alarm
- FRNT link alarm
- Power supply alarm
- Temperature alarm
- Digital In alarm
Digital I/O that can be used for intrusion detection: connect the I/O contact to the cabinet door and receive an SNMP trap or Syslog message at the central monitoring system if someone opens the door.
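A door-contact alarm is only useful if the central monitoring system can tell an approved site visit from an unexpected one and notices when a cabinet opening is followed by a link or power change on the same switch. The block below is an added example, not Westermo's code or message format: it parses RFC 3164-style syslog lines, maps each of the alarm types listed on the slide to an alert level, and escalates a door opening that falls outside a maintenance window or is followed within five minutes by a link-down or power-supply alarm on the same host. The sample messages, host names, maintenance window and five-minute threshold are all constructed; the exact wording a Westermo switch logs is not given on the slide, so the string matches are assumptions to be adapted to the real format.

```python
"""Added example (not vendor code): syslog alarm triage for the door-contact,
link, FRNT and power-supply alarms on the slide. Message formats, hosts and
the maintenance window are constructed."""
import re
from datetime import datetime, time

# Constructed sample in RFC 3164 style: <PRI>timestamp host message
SAMPLE_LOG = """\
<13>Mar 12 02:14:07 sw-cabinet-7 alarm: Digital In 1 active (cabinet door)
<13>Mar 12 02:14:09 sw-cabinet-7 alarm: link down port 3
<13>Mar 12 09:30:12 sw-cabinet-2 alarm: Digital In 1 active (cabinet door)
<13>Mar 12 09:31:40 sw-cabinet-2 alarm: Digital In 1 cleared (cabinet door)
<13>Mar 12 11:02:55 sw-cabinet-7 alarm: FRNT ring broken
<13>Mar 12 11:03:00 sw-cabinet-7 alarm: power supply 2 lost
"""

# Approved work orders for the day of the log: host -> (start, end) (constructed)
MAINTENANCE = {"sw-cabinet-2": (time(9, 0), time(12, 0))}
CORRELATION_WINDOW_S = 300   # door opening followed by a hardware event within 5 min

LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")


def parse(line: str):
    """Split a syslog line into facility, severity, time, host and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {"facility": pri >> 3, "severity": pri & 7,
            "time": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "host": m["host"], "msg": m["msg"]}


def analyse(log_text: str):
    """Return (host, time, level, reason) alerts in log order."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    alerts = []
    last_unexpected_door = {}   # host -> time of last door opening outside maintenance
    for ev in events:
        host, t, msg = ev["host"], ev["time"], ev["msg"]
        if "Digital In" in msg and "active" in msg:
            window = MAINTENANCE.get(host)
            if window and window[0] <= t.time() <= window[1]:
                alerts.append((host, t, "info", "door opened during approved maintenance"))
            else:
                last_unexpected_door[host] = t
                alerts.append((host, t, "critical", "door opened outside maintenance window"))
        elif "link down" in msg or "power supply" in msg:
            door_t = last_unexpected_door.get(host)
            recent = door_t is not None and (t - door_t).total_seconds() <= CORRELATION_WINDOW_S
            if recent:
                alerts.append((host, t, "critical",
                               "hardware change shortly after unexpected door opening"))
            else:
                alerts.append((host, t, "warning", "link or power event, investigate"))
        elif "FRNT" in msg:
            alerts.append((host, t, "warning",
                           "ring redundancy lost: repair before a second failure"))
    return alerts
```

The FRNT alarm is rated only a warning because the ring has already healed, but it should never be left open: a second failure while the ring is broken splits the network. The cleared door message produces no alert of its own; it simply ends the sequence.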