plant network security - yokogawa plant networ… · changing technologies over the last decade,...
TRANSCRIPT
Whitepaper
Plant Network Security How to defend your Plant against the threats of 2014?
Yokogawa Europe B.V. | Euroweg 2 | 3825 HD Amersfoort, The Netherlands
July 2014
Whitepaper Plant Network Security version 1.1
1 | P a g e
Table of Content
1. Introduction .................................................................................................................... 3
2. Background ..................................................................................................................... 4
2.1 Malware targeting the industry ..................................................................................... 4
2.2 The Human Factor .......................................................................................................... 5
2.3 Security policies and standards ...................................................................................... 5
3. Security solutions ........................................................................................................... 6
3.1 Network Security Design & Zones .................................................................................. 6
3.2 Firewall, first line of defense .......................................................................................... 8
3.3 Anti-Virus: protection against Malware ......................................................................... 8
3.4 Security Patch updates ................................................................................................... 9
3.5 Disaster recovery & Backups ........................................................................................ 10
3.5.1 Backup possibilities ...................................................................................................... 10
3.5.2 Backup and Restore recommendations ....................................................................... 10
3.6 System Hardening ......................................................................................................... 11
3.6.1 Closing all entrances ..................................................................................................... 11
3.6.2 Active Directory, preventing Human errors ................................................................. 11
3.6.3 Restricted USB usage .................................................................................................... 12
4. Wireless in the process control domain ....................................................................... 13
4.1 Wi-Fi ............................................................................................................................. 13
4.2 ISA100 protocol for wireless ........................................................................................ 13
5. The Future .................................................................................................................... 14
6. Recommendations........................................................................................................ 15
Whitepaper Plant Network Security version 1.1
2 | P a g e
Yokogawa's first step into
commercial available
hardware and software was
the introduction of CENTUM
CS3000. This was the first
time that commercially
available PC's running the
Windows Operating System
were introduced as part of the
DCS. In 2005, the next step
was made with the
introduction of Vnet/IP, which
replaced token bus based
Vnet by Ethernet networking
equipment. These major
changes did not only happen
at Yokogawa, but also at other
suppliers. All suppliers have to
adapt to these frequent
developments and changes in
the IT world.
Executive Summary
Over the last decade, technology in industrial process control systems has
changed significantly by utilizing Information Technology (IT). Although using IT
has largely benefitted the industry, it also brought new challenges to the process
control systems such as network security.
The increasing number and reach of cyber threats in process control systems
cannot be ignored. In the past, (cyber) security threats were mainly intended
attacks from the outside. Nowadays, the majority of security incidents, reported
from process control, are unintended incidents, such as malware infections,
often caused by internal sources, like employees.
Besides internal threats, external threats play an
important role too of course. When a hacker -
someone who attempts to gain unauthorized access to
proprietary computer systems - decides to attack a
process control network, the caused damage can vary
from theft of confidential information to a complete
shutdown of systems.
The biggest and most urgent question most plant
owners are concerned about regarding cyber-security
is therefore: how to protect their network from these
hackers and malware infections?
This whitepaper describes the current trends in security
threats for the process control industry. It is intended
to provide insight in how process control systems can
be secured and defended in a changing technology
landscape.
Whitepaper Plant Network Security version 1.1
3 | P a g e
The main motivations for
connecting office network are listed
as follows:
To retrieve data for
Manufacturing Execution
Systems such as: Production
Planning; Production
Scheduling; Reporting and
Accounting.
Remote access from the
office network or from other
locations via Internet;
Retrieve anti-virus and
patch updates from the
office network or Internet.
Data Historians
1. Introduction
Changing technologies
Over the last decade, technologies used in process control networks have
changed significantly. In early days, human interface equipment provided by an
industrial automation supplier was based on proprietary hardware, software and
operating systems. Communication between network elements was also based
on proprietary, or at least not widely commercially used, protocols. However,
industrial process control system suppliers have been forced to introduce low-
cost and open solutions due to the market
demand.
At the same time, the usage of the Internet in
the public sector has exploded, which
automatically has led to an increasing number of
security threats. The hacker's community
evolved with this changing market. In an earlier
stage, their aim was somewhat ‘innocent’ by
infecting as many computers as possible, mainly
to become famous within the hacker’s
community. Although this is still important, a
new type of hacking has become even more
threatening. These ‘new’ hackers are not just
interested in their reputation, but even more in
money (i.e. theft of credit card numbers) or
causing damage to targeted industries (i.e.
environment activists).
Because in the past the industrial automation systems were not connected to
the Internet, these new cyber threats did not affect the world of industrial
automation. Obviously this has changed. Two formerly different and enclosed
"worlds" are coming together. We have now reached a point that network
security can no longer be ignored within the industrial automation landscape.
Whitepaper Plant Network Security version 1.1
4 | P a g e
“Spending money on
security is similar to
spending money on a
health insurance. If you
don’t have insurance,
only one incident will
cost you an amount of
money that will exceed
the costs of insurance
for the entire lifecycle of
your plant.”
2. Background
2.1 Malware targeting the industry In July 2010, a new threat related to process control systems was discovered.
This new threat is referred to as Stuxnet, which is a sophisticated malware,
targeting Siemens PLC systems. Before the appearance of Stuxnet, process
control systems had not been recognized as a potential target for
malware developers. However, the appearance of this new
generation malware shattered such an optimistic view. After
Stuxnet, many other process control malware emerged.
Within the same year, DUQU, a reconnaissance virus, emerged.
One year later the most sophisticated espionage tool, Flame, was
discovered. And in 2013 the cyber espionage malware program
Red October was discovered.
Statistics from the industry in general, as well as from Yokogawa
show that the number of security incidents has grown with the
increasing number of threats. These statistics are compiled from
threats in all markets. Although not all threats are applicable to process control
systems, the increase of threats can also be projected on process control
systems.
Whitepaper Plant Network Security version 1.1
5 | P a g e
Eugene Howard Spafford,
a leading computer
security expert, once said:
"The only truly secure
system is one that is
powered off, cast in a
block of concrete and
sealed in a lead-lined room
with armed guards - and
even then I have my
doubts."
2.2 The Human Factor Beside security threats due to changes in technology, there are also cyber-
security threats that have been around all along: unintended (human errors)
actions causing security incidents; in- and outsiders with malicious intent.
One way to mitigate the risks associated with cyber threats and ‘the human
factor’ is by implementing physical security in the form of
locked cabinets or rooms with key card authentication. If
personnel have no access to areas where they might cause
serious security incidents, either intended or unintended, risk
factors will be minimized. Another important point to
consider is to give your personnel security awareness training.
2.3 Security policies and standards Because of the increasing security threats, a number of
organizations in the industry have initiated procedures and
standards to reduce the risks. Some of these organizations
focus on setting policies for information communication
technology (ICT) security in general. Others, with specific
interest into the process control industry, have developed a special process
control security policy.
Both the ISA and IEC are good examples of organizations that have developed
security policies. Yokogawa has supported these organizations from the
beginning and contributed to the development.
Process Control Security
Although the security technologies,
which are implemented in process
control systems, are the same as for
ordinary and more general IT systems,
the priorities of a general IT network
differ from those in process control.
Fig. 1 (ANSI/ISA-99) shows these
different priorities, as composed by the
International Society of Automation
(ISA).
Figure 1 ANSI/ISA–99
Whitepaper Plant Network Security version 1.1
6 | P a g e
3. Security solutions Even if we were able to achieve an appropriate security level by introducing
security measures into plant control systems, the security level will decrease
every day, because new malware is being created on a daily basis. Security is a
dynamic & never-ending process and must therefore be seen as part of what
Yokogawa refers to as the Security Lifecycle.
The next section describes solutions to
mitigate the risks of cyber-security
incidents. Depending on local situations,
the following security solutions can be
considered:
Network Security Design;
Firewall;
Anti-Virus;
Security Patch Updates;
Disaster Recovery & back-
ups;
Recovery & Backup
System Hardening
3.1 Network Security Design & Zones In case a plant control system consists of a few computers, the network
operators can manage them rather easily. However, even if the number of
computers is not so large, dividing a network into several zones is still important.
In case of a cyber-security incident, the incident can be isolated into a specific
zone. Proper network architecture therefore enables network operators to
manage the network safely. Figure 3 (next page) shows an example of typical
network architecture. This suitable network architecture should be a crucial
basis for all security measures.
To introduce security measures, the following steps are recommended by Yokogawa
1. Determine which kind of asset should be protected.
2. Develop a security policy to protect their asset, based on the type of asset.
3. Introduce security measures based on the security policy. 4. Periodically assess their measures
Yokogawa can provide further advice on these matters.
Whitepaper Plant Network Security version 1.1
7 | P a g e
The classification of a network is the basis of security control. The network is classified
from level 0 to level 4 according to the network security and functionality.
Level 4: The office domain, which is usually out of the Yokogawa scope.
Level 3.5: This is not an official zone, but a Yokogawa definition. This DMZ (demilitarized
zone) makes it possible to get secured data to and from the Process Control domain and
manages all the data traffic coming from Level 4 to check system layers (Level 3 and lower
layers).
Level 3: Site Manufacturing Operations Control Level 3 includes the functions involved in
managing work-flows to produce the desired end products. It consolidates raw data/information
from level 2 PCN, processes them before the data and information will be utilized by level 4
network like ERP system. Therefore, it contributes as vertical integration functionality between
Level 4 corporate network and Level 2 PCN.
Level 2: Area Supervisory Control Level 2 includes the functions involved in monitoring and
controlling the physical process. For example the HMI stations are located here.
Level 1: Local or Basic Control Level 1 includes the functions involved in sensing and
manipulating the physical process. Level 1 includes continuous control, sequence control, batch
control, and discrete control. Also included in Level 1 are safety and protection systems that
monitor the process and automatically return the process to a safe state if it exceeds safe
limits.
Level 0: Process Control Level 0 is the actual physical process. It includes the sensors and
actuators directly connected to the process and process equipment.
Figure 3: example of typical network architecture
Whitepaper Plant Network Security version 1.1
8 | P a g e
3.2 Firewall, first line of defense The firewall is the first line of defense for intrusion from other networks. If a
process control network is connected to any other network, it is considered
mandatory to install a firewall between these two networks. With a firewall, all
traffic between two, or even more, networks can be regulated. A firewall will
block all traffic between the networks, but by adding rules, specific traffic can be
allowed. The firewall does not only reduce the risk that unauthorized people can
get access to the network, but also minimizes the risk that problems in one
network segment traverse to the another network segment or zone.
Office Domain
Process Control Domain
DMZ
Figure 4
In addition to a firewall, an extra layer of security can be created with a so
called, Demilitarized Zone (DMZ > fig. 4). It can be used to segregate process
control networks from office networks. Once a DMZ is created, there is no
longer a direct connection between hosts in the office network and process
control. This can be seen in Figure 4, in which the red arrow shows a direct
connection and the green arrows show the data flow via DMZ.
3.3 Anti-Virus: protection against Malware The most dominant threats these days are viruses, worms, and Trojan horses.
These security threats increased dramatically over the last years. Figure 5 gives
an overview of the number of viruses over the last years reported by McAfee.
Not only is the number of malwares is continuously increasing. At the same time
the vulnerabilities of plant control systems to get infected by malwares is
increasing as well.
Whitepaper Plant Network Security version 1.1
9 | P a g e
Most computers offer network security features to limit outside access to the
computer system. Software such as antivirus programs and spyware blockers
prevent malicious software from running on the machine.
3.4 Security Patch updates It is recognized that operation
systems on computers, such as
Microsoft Windows, are
vulnerable for outside attacks.
Microsoft regularly releases
patches to fix these
vulnerabilities. It is important
that these critical patches are
applied regularly, especially
when connections between
process control systems and
other networks are open.
It is important to mention that
Anti-virus software alone does not reduce the
need for patches. For example, vulnerabilities in Microsoft can be used to switch
off the virus scanner externally.
At the same time, not all patches apply to process control systems. Vendors like
Yokogawa publish the relevant and critical patches online.
Fig. 6 shows the number of reported vulnerabilities for the Microsoft and the
non-Microsoft operating system.
This is a picture from the Microsoft
annual Security Intelligence report.
It shows that Microsoft is doing a
relatively good job, but that there
are still a number of these reported
vulnerabilities that might be a
backdoor for illegal intrusion into
networks.
Figure 5 Increasing number of malware
Figure 6 Reported vulnerabilities Windows (source: Microsoft)
Whitepaper Plant Network Security version 1.1
10 | P a g e
A 100% secured network is
utopia. Just think about the
dilemma that security and
workability may not be in
symphony. Trade-offs may
have to be made between
security and workability,
and nobody can guarantee
that process control
systems will never get
infected with a malware.
Moreover, even if we
establish secure systems
and networks, this would
not avert cyber-security
troubles. Therefore the
owners need to prepare
with what Yokogawa refers
to as an Incident Response
Plan.
3.5 Disaster recovery & Backups What if a malicious incident occurs at your plants network? Without proper
backups, a recovery becomes quite difficult. It could take operators several days
to recover from an incident depending on the system complexity: reinstalling
the OS, applications, patches, system updates, and other system requirements
will take time and resources. Furthermore, even when the system can be
recovered, there is no guarantee that the environment will be exactly the same
as before the incident.
3.5.1 Backup possibilities
Luckily, there are two different backup restore solutions that
differ in the recovery time.
An Image Backup: an image backup is an exact copy or
backup of your entire hard disk and/or or disk partitions
this means that it contains all files, including all installed
software. If a hard disk crashes and needs to be
replaced, the image backup can be used to recover the
PC. It is much faster than reloading the system from the
original software which takes much time because of all
re-installing of software. It may result in serious
production slowdown.
A Data Backup: a data backup means that copies of
individual or multiple data will be made so that these can
restored after a data loss event. This can be useful when
small numbers of files have accidentally been deleted or
corrupted. All changes made over time (maybe years)
will be lost if the database gets corrupted or lost. Therefore, a data backup
would be very valuable.
3.5.2 Backup and Restore recommendations
Even though image backups may not be seen as an essential recovery method -
in fact: you can recover without them - it is still strongly recommended to
implement image backups as a standard procedure. For example: if an
important computer fails, the restoration time should as short as possible.
Otherwise you’ll lose money due to production slowdown. In order to realize a
quick restoration, image backups are the fastest solution.
As already mentioned, from a technical point of view it may seem less critical to
save time when performing a backup. Though especially for large networks,
significant time spent by operators to backup and re-install may lead to
unnecessary operational expenses. This time can be reduced significantly when
backups are automated by a backup manager. It is recommended for large
systems (i.e. more than 10 computers) to install automatically managed backup
software.
Whitepaper Plant Network Security version 1.1
11 | P a g e
Network Management System: securing a sustainable operation
To keep sustainable operation,
it is definitely effective to
introduce a Network
Management System (NMS).
With NMS, network operators
can easily understand a
network situation including the
network devices. NMS has
various types of functions to
monitor soundness of
networks. After configuring
NMS properly, the NMS will
generate alerts if something
happens. E.g. when the
volume of traffic is too high, a
RAID system clash on PCs will
happen. Introduction of NMS
will support network operators
to avoid serious incidents.
3.6 System Hardening Many computers offer network security features to limit outside access to the
network system. Yet, even with all previously argued security measures (like
anti-virus) in place, computers are often still vulnerable to outside access.
System hardening, also called: Operating System
hardening, helps further minimize these security
vulnerabilities.
System Hardening means to protect and close all normal
entrances in the system, for example: if an application is
installed on your computer, it might accept a request from
outside of the PC. System Hardening prevents these
backdoor entrances.
The purpose of system hardening is to eliminate as many
security risks as possible. This is typically done by
removing all non-essential software programs and utilities
from the computer. While these programs may offer
useful features to the user, if they provide "back-door"
access to the system, they must be removed during system
hardening.
Hardening is also used to protect the PC from being used
as a regular computer. For example, if a machine such as
HMI is installed, system hardening will close all possibilities
of accessing the normal Microsoft desktop.
3.6.1 Closing all entrances The introduction of anti-virus and patch updates is the first step to establishing a
secure system. However, only implementing these measures is not enough for a
secure system.
Additionally, hardening of network devices such as Bluetooth, Wi-Fi, etc. is also
highly recommended. Even if network traffic is regulated, network devices
sometimes remain vulnerable for attacks. If an attacker can access devices
physically, he or she can connect an ether-cable to an unused port, and attack all
process control systems.
3.6.2 Active Directory, preventing Human errors
Plant control systems can be protected against unintended attacks such as
human errors, by hardening the system programs that are not required for
process control. The programs that are not required will be disabled in case of
an incident. This will not only protect the systems against intended disruptions,
but also makes it impossible for an operator to start a program that may cause
unintended system malfunctions.
Whitepaper Plant Network Security version 1.1
12 | P a g e
The most effective way to accomplish the system hardening is with the use of
Microsoft active directory. With this, the management of all computers in the
network can be maintained from one single computer.
Additionally, active directory has the possibility to manage users and groups by
checking permissions and passwords for all computers in the network. This will
improve operational efficiency.
Even if there only a few PCs are used in the system,
it is recommended to introduce active directory to
avoid operational mistakes.
3.6.3 Restricted USB usage
Nowadays, the work of maintenance engineers is
very hard without the use of USB sticks. However,
USB sticks are one of the main sources of malware
infections.
Because of workability issues for engineers, USB
devices cannot be completely abolished. To mitigate
the risk, however, it is highly recommended to limit
the use of USB devices. The use of USB devices can
be restricted in various ways. One of these options is
to have an active directory, as mentioned in 3.6.2.
Yokogawa Security Competency Laboratories
Yokogawa’s Security Competence
Laboratories all over the world play
a key role in the company’s overall
cyber-security activities.
Collectively, these laboratories
serve as a dedicated center-of-
excellence in which Yokogawa
system and cyber-security
specialists can collaborate to link
current security technologies to
the company’s systems to help
protect the company’s customers
from constantly evolving and
increasingly sophisticated cyber-
security threats.
Yokogawa Security Competency Laboratory
Whitepaper Plant Network Security version 1.1
13 | P a g e
4. Wireless in the process control domain The need for introducing wireless system in the process industry is increasing,
mainly to reduce costs and improve effective communications. The introduction
of wireless system, however, raises new issues for the industry:
- Real-time operational excellence
- Environment resistance
- Protection against explosion
- Radio wave interference
- Security (e.g. eavesdropping, falsification, spoofing)
In the case of wireless systems, a potential attacker does not need to access a
device physically. Physical security measures are therefore inadequate. It is
necessary to introduce other security measures as well, such as an encryption
system.
4.1 Wi-Fi In the process control landscape Yokogawa does distinguish two types of
wireless: Wi-Fi and ISA100.11a.
"Wi-Fi" is a trademark of the Wi-Fi Alliance and the brand name for products
using the IEEE 802.11 family of standards, which is different to ISA100.11a. This
Wi-Fi has been gradually introduced. However, Wi-Fi has also security issues;
listed measures are therefore highly recommended:
1. Setting up SSID and hiding the SSID
2. Filtering with MAC address
3. Connect the WIFI network only through the previous described
firewall
4. Using encryption (only wpa2)
Introducing only the first two measures will be inadequate to protect plant
control systems, so it would be better to also introduce a firewall and encryption
system.
4.2 ISA100 protocol for wireless ISA100 is an open wireless networking technology standard developed by the
International Society of Automation (ISA). The ISA100 protocol ensures a safe
and secured wireless communication, so that no hack can get access to the
system. The ISA100 protocol is issued in September 2009 and targets field
instruments. This technology brings plant control system owners many
advantages such as cost reduction, and better maintenance.
Whitepaper Plant Network Security version 1.1
14 | P a g e
5. The Future When reflecting over security, most people would like to anticipate how an
attacker will attack. Anno 2014 certain threats are developing within the IT
world which might become applicable to the process control world as well. For
example: there is a large growth in Ransom-ware - a kind of malware that will
encrypt your hard-disk and ask the victim for money (a ransom) for the key to
decrypt. See the figure below from McAfee.
Furthermore, nowadays everybody has a smartphone, and this is likely to
increase even further in the future. Of course this has consequences for the way
we now protect our assets. Think about it: what happens when an employee’s
phone battery needs to be recharged during a nightshift and the only device
available for him is a Distributed Control System (DCS). Some employees might
charge their phones on a free USB port, introducing the risk of a virus entering
the DCS, or even worse: creating a backdoor entry directly into the plant by the
3G network. It is obvious that companies must be aware of these developing
network security risks and how it can affects their plant network security.
For the future it is important to realize that a plant or factory does not only need
protection against ‘evil’ outsiders or hackers, as discussed in this document
internal (employees) use of all kinds of (online) electronic devices are risky too.
Finally you don’t need to be Einstein to see that smart-viruses and malware will
only get smarter. In case of network security the industry may always be one
step behind, but the only way to deal with this is to stay vigilant.
Source: McAfee
Whitepaper Plant Network Security version 1.1
15 | P a g e
Helpful Resources Security Assesment ((by Yokogawa)
Brochure Cyber Security for Industrial Control Systems (by Yokogawa)
Video: Security: YOKOGAWA IA System Security Solutions (YouTube)
Read more: www.yokogawa.com
6. Recommendations Each organization should consider investing in proper security measures. With
the existence of many security threats, implementing a solid security solution
clearly brings long term security (and production) advantages, although they
might be seen as an unwelcome and even unnecessary source of expenses.
Key solutions are to implement things like Anti-virus, patch management, a
firewall, or hardening your system. For medium/larger systems implementing a
Network Management System is essential to monitor your network.
If you are not confident about your plant or factory security approach, or if you
need help convincing your management about security investments, Yokogawa
security consultants can help you by conducting a Security Assessment. The
outcome is a clear report which will list your vulnerabilities and will indicate the
measures that you can take to mitigate these vulnerabilities.
About Yokogawa
Yokogawa Electric Corporation is a Japanese electrical engineering and software company, with businesses based on its measurement, control, and information technologies. Every high-technology product
from Yokogawa has to fulfill
three basic criteria: Quality,
Innovation, Foresight. We are
one of the world leaders in
industrial automation and
control, test and measurement,
information systems and
industrial services. Besides
being high quality, innovative
and advanced, our products are
also safe and durable. In other
words, we supply smart
technology, made by smart
professionals. Many of our
customers are major and global
names in oil and gas upstream
and midstream, refining and
petrochemical, power and
energy industries.
Contact us For more information please visit www.yokogawa.com/eu to find contact
information for Yokogawa in your area.
For Europe please send an e-mail to [email protected] a Yokogawa
security expert will get in contact with you.
You can also use the digital contact page to get in contact with a Yokogawa Security Expert.