Upload: aiman-maran
Post on 13-Dec-2015
Page 1: Security Cyber Attack

How can I … protect a system from cyber attacks?

System Technical Note
Design your architecture
Cyber security recommendations


Disclaimer

This document is not comprehensive for any systems using the given architecture and does not absolve users of their duty to uphold the safety requirements for the equipment used in their systems or compliance with both national or international safety laws and regulations.

Readers are considered to already know how to use the products described in this System Technical Note (STN).

This STN does not replace any specific product documentation.


The STN Collection

The implementation of an automation project includes five main phases: Selection, Design, Configuration, Implementation and Operation. To help you develop a project based on these phases, Schneider Electric has created the Tested, Validated, Documented Architecture and the System Technical Note.

A Tested, Validated, Documented Architecture (TVDA) provides technical guidelines and recommendations for implementing technologies to address your needs and requirements. This guide covers the entire scope of the project life cycle, from the Selection to the Operation phase, providing design methodologies and source code examples for all system components.

A System Technical Note (STN) provides a more theoretical approach by focusing on a particular system technology. These notes describe complete solution offers for a system, and therefore support you in the Selection phase of a project.

The TVDAs and STNs are related and complementary. In short, you will find technology fundamentals in an STN and their corresponding applications in one or several TVDAs.

Development Environment

PlantStruxure, the Process Automation System from Schneider Electric, is a collaborative system that allows industrial and infrastructure companies to meet their automation needs while also addressing growing energy management requirements. Within a single environment, measured energy and process data can be analyzed to yield a holistically optimized plant.


Table of Contents

1. Security Overview ..... 7
1.1. Purpose ..... 7
1.2. Introduction ..... 7
1.3. Why is Security a Hot Topic Today? ..... 8
2. What is Cyber Security? ..... 10
2.1. Cyber Attack Profile ..... 10
2.2. How Attackers Can Gain Access to the Control Network ..... 11
2.3. How Attackers Attack ..... 15
2.4. Accidental Events ..... 18
2.5. Control System Vulnerabilities ..... 19
3. Schneider Electric Cyber Security Defense ..... 22
3.1. Security Plan ..... 23
3.2. Network Separation ..... 25
3.3. Protecting the Plant Perimeter ..... 27
3.4. Network Segmentation via VLAN ..... 53
3.5. Device Hardening ..... 57
3.6. Monitoring ..... 65
4. Appendix – Methods of Attack ..... 67
4.1. IP Spoofing ..... 67
4.2. Denial of Service Attacks ..... 68
4.3. TCP SYN Flood Attack ..... 69
4.4. Land Attack ..... 71
4.5. ARP Spoofing ..... 72
4.6. ICMP Smurf ..... 74
4.7. The PING of Death ..... 75
4.8. UDP Flood Attack ..... 76
4.9. Teardrop Attack ..... 76
5. References ..... 77


1. Security Overview

1.1. Purpose

The intent of this System Technical Note (STN) is to describe the capabilities of the different Schneider Electric solutions that answer the most critical application requirements and consequently increase the security of an Ethernet-based system. It provides a common, readily understandable reference point for end users, system integrators, OEMs, sales people, business support and other parties.

1.2. Introduction

PlantStruxure openness and transparency provide seamless communication from the enterprise system or the internet to the control network. With this transparency come security vulnerabilities that can be exploited to negatively impact production, equipment, personnel safety, or the environment. Security practices should be deployed to prevent these unwanted incidents from disrupting operations.

Security is no longer a secondary requirement but should be considered mandatory and viewed as being as important as safety or high availability. To meet the security challenges, Schneider Electric recommends a “defense-in-depth” approach. Defense-in-depth is a concept that assumes there is no single approach that provides all security needs. Rather, defense-in-depth layers the network with security features, appliances, and processes to ensure that disruption threats are minimized. Schneider’s defense-in-depth approach includes:

- Eagle20 Security Router, from its partner Hirschmann Electronics, to secure the control network perimeter using secure links such as VPN and DMZ.
- Eagle Tofino firewall, from its partner Hirschmann Electronics, to secure communication zones within the control network using basic firewall rules, stateful packet inspection and deep packet inspection.
- ConneXium infrastructure devices to limit internal access to areas of responsibility and act as a second line of defense in the event of a firewall breach.
- PACs and Ethernet modules hardened with password protection, access control and the ability to turn off unneeded services.
- RTUs that offer secure links via VPN and strong authentication technology.

The intent of this document is to explain what constitutes cyber security in the industrial market, why cyber security has become such a hot topic, the risks caused by system vulnerabilities, the methods of network penetration, and Schneider Electric’s recommendations to mitigate those risks. Remember, there is no single product that can defend the network; rather, a defense-in-depth approach ensures the best coverage for a secured, highly available operation.

1.3. Why is Security a Hot Topic Today?

Industrial control systems based on computer technology and industrial-grade networks have been around for decades. The earlier control system architectures were developed with proprietary technology and were isolated from the outside world, and therefore security was not a primary concern. Physical perimeter security was adequate to feel comfortable about the systems’ reliability. Today the control systems have migrated to open systems using standardized technologies such as the Microsoft Windows operating system and Ethernet TCP/IP to reduce costs and improve performance. Additionally, direct communications between control and business systems have been employed to improve operational efficiency and manage production assets more cost-effectively.

This technical evolution has exposed control systems to vulnerabilities previously only affecting office and business computers. Although the malware found in the world has been used to target home, office, or business computers, industrial computers employing the same technology have become exposed through lax internal security practices, external contractors with access to systems, and inadvertently publicly accessible networked interfaces. Ethernet and TCP/IP have provided many new and attractive capabilities:

- Integrated applications through networked intelligent devices
- Embedded web servers for remote access
- Wireless connectivity
- Remote access for maintenance
- Automated software management
- Distributed control
- Instant access to information in the business systems – inventory, production, shipping and receiving, purchasing, etc.

With the use of standard technologies such as Ethernet, control systems are now vulnerable to cyber attacks from both inside and outside of the industrial control system network.

The security challenges for the control environment are:

- Physical and logical boundaries vary.
- Systems can span large geographical regions with multiple sites.
- Security implementation can adversely impact process availability.

With the heightened threats caused by political terrorism, cyber attacks, and internal security threats, companies must be more diligent than ever with how their systems are protected. Motivations can be hard to understand, but the implications can be devastating: lost production, damaged company image, environmental disaster, or loss of life. Companies need to be more conscious of security than ever before. No longer will barbed wire and security guards satisfactorily protect industrial assets. Lessons learned from the IT world must be employed to protect industrial facilities and infrastructure from disruptions, damage, or worse.


2. What is Cyber Security?

Cyber security is a branch of security designed to address attacks on or by computer systems and through computer networks. The objective of cyber security is to protect information and physical assets from theft, corruption, or natural disaster, while allowing the information and assets to remain accessible and productive to their intended users. It is composed of procedures, policies and equipment, both software and hardware. Cyber security is an ongoing process.

Cyber attacks are actions that target computers and network systems and are designed to disrupt the normal operations of the system. These actions can be initiated locally (from within the physical facility) or remotely (from outside). These attacks are normally intentional, but could in fact be unintentional due to poor security threat prevention. All potential causes of cyber attacks need to be considered when employing a defense-in-depth approach.

2.1. Cyber Attack Profile

Cyber attacks on the control network system can come from a number of sources:

- Internal (employees, vendors and contractors)
  o Accidental events
  o Inappropriate employee/contractor behavior
  o Disgruntled employees/contractors
- External opportunistic (non-directed):
  o Script kiddies
  o Recreational hackers
  o Virus writers
- External deliberate (directed):
  o Criminal groups
  o Activists
  o Terrorists
  o Agencies of foreign states

The intent of cyber attacks on a control system is to:

- Disrupt the production process by blocking or delaying the flow of information.
- Damage, disable or shut down equipment to negatively impact production or the environment.
- Modify or disable safety systems to cause intentional harm or death.

Most cyber attacks that penetrate the control network system originate from the enterprise system, followed by the internet and trusted third parties.

2.2. How Attackers Can Gain Access to the Control Network

The following information is extracted from US-CERT's Control Systems Security Program and is paraphrased from content on the US-CERT Control Systems: Overview of Cyber Vulnerabilities web page located at http://www.us-cert.gov/control_systems/csvuls.html. Schneider Electric recommends reviewing all the materials at this web site to gain a better understanding of control system vulnerabilities and potential threats.

In order to attack the control system network, the attacker must bypass the perimeter defenses to gain access to the control system LAN. The most common methods of gaining access are:

- Dial-up access to RTU devices
- Supplier access (technical support)
- IT-controlled network products
- Corporate VPN
- Database links
- Poorly configured firewalls
- Peer utilities

2.2.1. Dial-up Access to the RTU Devices

Most control systems have a backup dial-up modem in the event that the main network is no longer available. The attacker must know the protocol of the RTU in order to gain access. Most RTUs don’t have strong security mechanisms employed and identify themselves to any caller. Authentication mechanisms are not widely employed.

2.2.2. Supplier Access

In order to minimize down time and reduce costs, suppliers are often given VPN access for remote diagnostics or maintenance. The suppliers frequently leave ports open on the equipment to simplify their tasks, giving the attacker access to the equipment and links to the control system network.


2.2.3. IT Controlled Communication Equipment

The automation department’s network authority is often limited to the control network within the facility. The IT department assumes responsibility for long-distance communication controlled and maintained from the business side. A skilled attacker can access the control network via holes in the communication architecture and reconfigure or compromise communications to the field control devices.

2.2.4. Corporate VPNs

Engineers working in the corporate offices will often use a VPN from the company broadband to gain access to the control network. The attacker waits for the legitimate user to VPN into the control system network and piggybacks on the connection.


2.2.5. Database Links

Most control systems use real-time databases, configuration databases, and multiple historian databases. If the firewall or the security on the database is not configured properly, a skilled attacker can gain access to the database from the business LAN and generate SQL commands to take control of the database server on the control system network.

2.2.6. Peer Utility Links

Partners and peers are granted access to information located on either the business or control network. With the peer-to-peer link, the security of the system is as strong as the security of the weakest member.


2.3. How Attackers Attack

The following information is extracted from US-CERT's Control Systems Security Program and is paraphrased from content on the US-CERT Control Systems: Overview of Cyber Vulnerabilities web page located at http://www.us-cert.gov/control_systems/csvuls.html. Schneider Electric recommends reviewing all the materials at this web site to gain a better understanding of control system vulnerabilities and potential threats.

Depending on motives and skills, the attacker may or may not need to know details of the process to cause problems. For example, if the motive is simply to shut down the process, very little knowledge of the control process is needed. However, if the attacker wants to strategically attack a specific process, then specific details and knowledge are required.

The two most vulnerable processes are:

- Data acquisition database
- HMI/SCADA display screens

Names of databases differ between suppliers, but most use a common naming convention with a unique number (i.e. Pump1, pump2, breaker1, breaker2…). At the communications protocol level, the devices are simply referred to by number (memory location or register address). For a precise attack, the attacker needs to translate the numbers into meaningful information.

Gaining access to the HMI screens is the easiest method for understanding the process and the interaction between the operator and the equipment. The information on the screen allows the attacker to translate the reference numbers into something meaningful.


2.3.1. Control of the Process

Once an attacker has enough information about the process, the next step is to manipulate it. The easiest way to gain control of the process is to connect to a data acquisition device, such as a PAC, that also has access to field devices and send it properly formatted commands. Most of the PACs, gateways or data acquisition servers lack basic authentication and will accept any commands that have been formatted correctly.

2.3.2. Exporting the HMI Screen

Another method of attack is to export the HMI screen back to the attacker to gain control of the operations. A sophisticated attacker may also modify the operator’s screen to display normal operations in order to disguise the attack. The attacker is normally limited to the commands allowed for the currently logged-in operator.


2.3.3. Changing the Database

The attacker accesses the database and modifies the data in order to disrupt normal operation of the control system or changes stored values to affect the system’s integrity.

2.3.4. Man-in-the-Middle Attacks

Man-in-the-middle is a type of attack where the attacker intercepts messages from one computer (Host A), manipulates the data prior to forwarding to the intended computer (Host B) and vice versa. Both computers appear to be talking to each other and are unaware of an intruder in the middle.

In order for the attacker to be successful in manipulating the packets, the protocol must be known. The man-in-the-middle attack allows the attacker to spoof the operator HMI screens and take full control of the control system.


2.4. Accidental Events

While many threats exist from disgruntled employees, hackers, terrorists, or activists, the majority of system outages related to networks are caused by accidental events. In this case, we are referring to personnel not following proper procedures, accidentally connecting network cables to wrong ports, poor network design, programming errors, or badly behaving network devices. Experts attribute >75% of network-related system outages to accidental events. Many of the security features and processes discussed in this document can also prevent these types of accidental events.

In many cases, contractors are necessary contributors to system design, commissioning, or maintenance. Proper procedures should be defined that ensure that contractors don’t bring malware, viruses, or other problems into the control network. Another example of proper procedures involves how USB keys, a convenient method to transfer files, can be safely employed in the control network environment. USB keys are a common source of malware and viruses and must be carefully screened before permitting their use.

Network architectures are designed and configured at design time to comply with robust behaviors, including segmenting, filtering, and topological rules. Individuals who inadvertently connect a network cable into the wrong port on a multi-port switch might create outages or broadcast storms bringing a network to its knees. Many of the broadcast storm protections discussed in this document apply to these accidental events as well as Denial of Service attacks.

In general, the cause might be accidental, but the features, practices, and procedures used to protect from cyber attack work equally well to prevent accidental system outages. In this case, disaster recovery methods should be employed and tested to make sure that recovery from an outage or device failure can be quickly and reliably managed, minimizing downtime and lost production. High availability and redundant architectures play a role in this area when even short duration system outages can’t be tolerated.

2.5. Control System Vulnerabilities

The North American Electric Reliability Corporation (NERC) performed a study identifying the top 10 vulnerabilities of control systems:

1. Inadequate policies, procedures, and culture that govern control system security:
  o Clash between operational culture and modern IT security methods.
  o IT often does not have an understanding of the operational requirements of a control system.
  o Lack of overall awareness and appreciation of the risk associated with enabling the networking of these customized control systems.
  o Absence of a control system information security policy.
  o Control system information security policy not adhered to, enforced, or audited.
  o Lack of adequate risk assessment.

2. Inadequately designed control system networks that lack sufficient defense-in-depth mechanisms:
  o Network security of control system devices was not adequately considered when originally designed. These systems were designed with availability and reliability in mind.
  o Control systems may not be capable of secure operation in an internet/intranet working environment without significant investment to reengineer the technology so it is in accordance with appropriate risk assessment criteria.

3. Remote access to the control system without appropriate access control:
  o Inappropriate use of dial-up modems.
  o Use of commonly known passwords or no use of passwords.
  o Implementation of non-secure control system connectivity to the corporate Local Area Network (LAN).
  o Practice of un-auditable and non-secured access by vendors for support.

4. System administration mechanisms and software used in control systems are not adequately scrutinized or maintained:
  o Inadequate patch management.
  o Lack of appropriately applied real-time virus protection.
  o Inadequate account management.
  o Inadequate change control.
  o Inadequate software inventory.

5. Use of inadequately secured wireless communication for control:
  o Use of commercial off-the-shelf (COTS) consumer-grade wireless devices for control network data.
  o Use of outdated or deprecated security/encryption methods.

6. Use of a non-dedicated communications channel for command and control and/or inappropriate use of control system network bandwidth for non-control purposes:
  o Internet-based Supervisory Control and Data Acquisition (SCADA).
  o Internet/intranet connectivity initiated from control system networks: file sharing, instant messaging.

7. Insufficient application of tools to detect and report on anomalous or inappropriate activity:
  o Underutilized intrusion detection systems.
  o Under-managed network system.
  o Implementation of immature Intrusion Prevention Systems.

8. Unauthorized or inappropriate applications or devices on control system networks:
  o Unauthorized installation of additional software on control system devices.
  o Peripherals with non-control system interfaces, e.g., multi-function or multi-network printers.
  o Non-secure web interfaces for control system devices.
  o Laptops.
  o USB memory.
  o Other portable devices, e.g., personal digital assistants (PDAs).

9. Control system command and control data not authenticated:
  o Authentication for LAN-based control commands not implemented.
  o Immature technology for authenticated serial communications to field devices.
  o Lack of security implemented on an object-by-object basis on the control displays.

10. Inadequately managed, designed, or implemented critical support infrastructure:
  o Inadequate uninterruptible power supply (UPS) or other power systems.
  o Inadequate or malfunctioning HVAC systems.
  o Poorly defined “6-wall” boundary infrastructure.
  o Insufficiently protected telecommunications infrastructure.
  o Inadequate or malfunctioning fire suppression systems.
  o Lack of recovery plan.
  o Insufficient testing or maintenance of redundant infrastructure.


3. Schneider Electric Cyber Security Defense

No single solution can provide adequate protection against all cyber attacks on the control network. Schneider Electric recommends employing a “defense in depth” approach using multiple security techniques to help mitigate risk.

The defense in depth approach recommends six layers of defense for a PlantStruxure network:

1. Security Plan

Creating the security plan is the first step to secure the control system network. Policies and procedures must be defined, implemented and, most importantly, updated and maintained. The planning process involves performing a vulnerability assessment, mitigating the risk and creating a plan to reduce or avoid those risks.

2. Network Separation

Physically separating the control system network from other networks, including the enterprise, by creating demilitarized zones (DMZs).

3. Perimeter Protection

Preventing unauthorized access to the control system through the use of firewalls, authentication and authorization, VPN (IPsec) and anti-virus software. This includes remote access.

4. Network Segmentation

Use VLANs to sub-divide the network, providing containment in the event of a security breach within a subnet. This can be further enhanced using the concept of communication zones. Each zone would be buffered from other zones by a security firewall to limit access, monitor communications and report incidents.

5. Device Hardening

Device hardening is the process of configuring a device to protect it from communication-based threats. It involves password management, access control and disabling all unnecessary protocols and services.

6. Network Monitoring

No network is 100% secure due to the constant evolution of new threats. Constant monitoring of the control network system is necessary to block intruders before damage is done.

3.1. Security Plan

The first step towards a secure network is to create a security plan with procedures and policies. A cross-functional team consisting of management, IT staff, control engineer, operator and a security expert should participate in the creation of a comprehensive security plan.

The security plan should clearly define:

- Roles and responsibilities of those affected by the policy.
- Actions, activities and processes that are allowed and not allowed.
- Consequences of non-compliance.

For existing networks, a full assessment is needed prior to creating the plan:

- Identify communication paths into and out of the control network.
- Identify communication paths within the control system network.
- Perform a complete audit of devices on the network.
- Record security settings of each device.
- Draw a detailed network diagram.
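The device audit and the recording of security settings above, together with the device hardening layer (password management, access control, disabling unnecessary services) described in the defense overview, can be expressed as a check of each recorded device against a hardening baseline. The following is an added example written for this note, not Schneider Electric code: the device inventory, the device categories, the baseline of services each category needs and the list of cleartext management protocols are all constructed assumptions for illustration; a real audit would collect these settings from the devices themselves.

```python
"""Audit of recorded device security settings against a hardening baseline.

Added example, not from the STN. Inventory, device kinds, required-service
baseline and cleartext-protocol list are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceRecord:
    """Security settings recorded for one device during the network audit."""
    name: str
    kind: str                    # "pac", "switch" or "hmi" (assumed categories)
    enabled_services: frozenset  # protocols/services currently switched on
    password_set: bool           # device-level password protection configured
    access_control: bool         # access control list restricting who may connect


# Assumed baseline: the only services each device kind needs to keep enabled.
REQUIRED_SERVICES = {
    "pac": frozenset({"modbus"}),
    "switch": frozenset({"ssh", "snmpv3"}),
    "hmi": frozenset({"https"}),
}

# Management protocols that carry credentials in cleartext (general knowledge, not from the STN).
CLEARTEXT_PROTOCOLS = frozenset({"telnet", "ftp", "http", "snmpv1"})


def audit_device(dev: DeviceRecord) -> list[str]:
    """Return hardening findings for one device; an empty list means it meets the baseline."""
    if dev.kind not in REQUIRED_SERVICES:
        raise ValueError(f"no baseline defined for device kind {dev.kind!r}")
    findings = []
    # Every enabled service outside the baseline is a finding; cleartext ones are labelled as such.
    for svc in sorted(dev.enabled_services - REQUIRED_SERVICES[dev.kind]):
        tag = "cleartext" if svc in CLEARTEXT_PROTOCOLS else "unneeded"
        findings.append(f"{tag} service enabled: {svc}")
    if not dev.password_set:
        findings.append("no password protection configured")
    if not dev.access_control:
        findings.append("no access control list configured")
    return findings


def audit_inventory(devices) -> dict[str, list[str]]:
    """Audit every device; the result doubles as the record of security settings for the plan."""
    return {d.name: audit_device(d) for d in devices}


def noncompliant(devices) -> list[str]:
    """Names of devices with at least one finding, most findings first, then by name."""
    report = audit_inventory(devices)
    return sorted((n for n, f in report.items() if f), key=lambda n: (-len(report[n]), n))


# Constructed sample inventory (not real devices).
INVENTORY = [
    DeviceRecord("PAC-01", "pac", frozenset({"modbus", "ftp", "http"}), False, True),
    DeviceRecord("SW-CORE", "switch", frozenset({"ssh", "snmpv3"}), True, True),
    DeviceRecord("HMI-02", "hmi", frozenset({"https", "telnet"}), True, False),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, findings or "compliant")
```

The baseline is deliberately an allow-list: anything a device kind does not need is reported, which matches the hardening guidance to turn off all unneeded services rather than to block a known-bad list.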


Once the infrastructure diagram is completed, a vulnerability assessment is required to identify weaknesses, potential threats and origins of threats. Vulnerabilities assessed are then:

- Prioritized by threat
- Prioritized by business consequences
- Prioritized by business benefits
- Annual business impact is estimated

Source: Introduction to Information Security, Dave Norton, CISSP Program Manager, Transmission IT Security, Entergy – New Orleans:

Ri$k = % Probability of Threat of Attack * % Probability of a Vulnerability Being Exploited * Reasonably Predictable (Financial) Consequences
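Applying the quoted formula to a list of assessed vulnerabilities gives the prioritization the section calls for. The following is an added example written for this note, not part of the Schneider Electric document or of the cited Norton presentation: the vulnerability records, their probabilities, loss figures and the attempt rate used for the annual estimate are constructed assumptions for illustration.

```python
"""Vulnerability prioritization using the risk formula quoted in the STN.

Added example, not from the STN or the cited presentation. All records and
numbers below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    name: str
    p_threat: float            # probability that a threat attempts this path (0..1)
    p_exploited: float         # probability the weakness is exploited given an attempt (0..1)
    consequence: float         # reasonably predictable financial loss per incident
    attempts_per_year: float   # assumed attempt frequency, used only for the annual estimate


def risk(v: Vulnerability) -> float:
    """Ri$k = P(threat of attack) * P(vulnerability being exploited) * predictable consequence."""
    for p in (v.p_threat, v.p_exploited):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range for {v.name}: {p}")
    return v.p_threat * v.p_exploited * v.consequence


def annual_impact(v: Vulnerability) -> float:
    """Annual business impact estimate: per-incident risk scaled by the assumed attempt rate."""
    return risk(v) * v.attempts_per_year


def prioritize(vulns, key=risk):
    """Rank highest first by the chosen measure; pass key=annual_impact to rank by annual impact."""
    return sorted(vulns, key=lambda v: (-key(v), v.name))


# Constructed assessment results (illustrative values only).
ASSESSMENT = [
    Vulnerability("RTU dial-up modem answers any caller", 0.5, 0.9, 200_000.0, 2.0),
    Vulnerability("Vendor VPN account with shared password", 0.4, 0.6, 500_000.0, 1.0),
    Vulnerability("Unpatched historian in the DMZ", 0.7, 0.3, 100_000.0, 4.0),
]

if __name__ == "__main__":
    for v in prioritize(ASSESSMENT):
        print(f"{v.name}: risk {risk(v):,.0f}, annual impact {annual_impact(v):,.0f}")
```

Ranking by per-incident risk and by annual impact can give different orders, as the sample does: the VPN account carries the largest single-incident risk, while the dial-up modem, with its higher assumed attempt rate, carries the largest annual impact. Both views belong in the plan.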


The plan should consist of:

- Security policies – Security policies should be developed for the control system network and its individual components. The policies should be reviewed periodically for changes in threats, environment or adequate security level.
- Blocking access to resources and services – Protecting the perimeter through the use of firewalls or proxy servers, access control and anti-virus software. Limiting communications between separate communication zones through the use of firewalls and inline security devices.
- Detecting malicious activity – Intrusion detection such as monitoring audit and event logs is necessary to identify problems on the network.
- Mitigating possible attacks – The more secure the network becomes, the greater the impact on latency. In order for the process to run correctly a level of vulnerability may be required.
- Fixing core detected problems – Fixing detected problems usually involves updating, upgrading, or patching the software vulnerability or removing the vulnerable application.

3.2. Network Separation

One of the critical elements of designing a control system network is the physical separation between the control network and external communication networks. Data access between the internet, enterprise system and the control network should take place on servers located in a demilitarized zone (DMZ). A DMZ provides a safe and secure means of sharing data between zones. The DMZ should contain:

- Data servers such as Citect Historian that share and collect data from the control system and enterprise system.
- Patch management
- Antivirus server
- Web access server
- Wireless access point
- Remote access

All communication links should end in the DMZ. There should be no direct communication path into the industrial control network.


DMZ Guidelines

- All traffic should terminate at servers in the DMZ.
- Inbound traffic to the control system should be blocked. Access to devices inside the control system should be through the DMZ.
- Outbound traffic through the control network firewall should be limited to essential communications only.
- All outbound traffic from the control network to the corporate network should be source- and destination-restricted by service and port.
- Firewalls should be configured with outbound filtering to stop forged IP packets from leaving the control network or the DMZ.
- Firewalls should be configured to forward IP packets only if those packets have a correct source IP address for the control network or DMZ networks.
- Internet access by devices on the control network should be strongly discouraged.
- The servers in the DMZ must be hardened. Security patches and anti-virus software must be continuously updated.


3.3. Protecting the Plant Perimeter

Firewalls are used to protect the network perimeter by blocking unauthorized access while permitting authorized communications. A firewall is a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all (inbound and outbound) traffic between different security domains based upon a set of rules and other criteria.

Firewalls play an important role in a control system network. Process control devices require fast data throughput and therefore cannot afford the latency introduced by an over-aggressive security strategy. The control system relies heavily on perimeter protection to block all unwanted and unauthorized traffic.

There are three categories of firewalls:

- Packet filtering: A low-cost, basic type of firewall having minimal impact on network performance. Basic information in each packet, such as IP addresses, is validated prior to forwarding. This type is not recommended due to its lack of authentication. It does not conceal the protected network’s architecture.
- Application-Proxy Gateway: An application proxy gateway examines packets at the application layer and filters traffic based on specific application rules such as specified applications (e.g., browsers) or protocols (e.g., FTP). Application proxy gateways provide a high level of security, but can have overhead delays impacting the network performance of the control system. Their use is therefore not recommended.
- Stateful Inspection Firewalls: Stateful multilayer inspection firewalls are a combination of the above firewall types. Stateful inspection filters packets at the network layer and validates that the session packets and their contents at the application layer are legitimate. Stateful inspection makes sure that all inbound packets are the result of an outbound request. Stateful inspection firewalls provide a high level of security and good performance, but can be expensive and complex to configure.

3.3.1. Firewall Guidelines

The National Institute of Standards and Technology (NIST) has provided the following guidelines:

- The base rule set should be “deny all, permit none.”
- Ports and services between the control system network environment and the corporate network should be enabled and permissions granted on a specific, case-by-case basis. There should be a documented business justification with risk analysis and a responsible person for each permitted incoming or outgoing data flow.
- All “permit” rules should be both IP address and TCP/UDP port specific.
- All rules should restrict traffic to a specific IP address or range of addresses.
- Traffic should be prevented from transiting directly from the control network to the corporate network. All traffic should terminate in a DMZ.
- Any protocol allowed between the control network and the DMZ should explicitly NOT be allowed between the DMZ and corporate networks (and vice-versa).
- All outbound traffic from the control network to the corporate network should be source- and destination-restricted by service and port.
- Outbound packets from the control network or DMZ should be allowed only if those packets have a correct source IP address that is assigned to the control network or DMZ devices.
- Control network devices should not be allowed to access the Internet.
- Control networks should not be directly connected to the Internet, even if protected via a firewall.


3.3.2. Firewall Vulnerabilities

Denial of Service is one of the most common vulnerabilities of the outer perimeter. Other common vulnerabilities:

- Spoofing
- Worms and Trojans
- Viruses
- Hijacking
- False identity
- Data/Network Sabotage

These attacks on a control system can result in:

- Reduction or loss of production at one site or multiple sites simultaneously
- Injury or death of employees
- Injury or death of persons in the community
- Damage to equipment
- Release, diversion, or theft of hazardous materials
- National security breach
- Environmental damage
- Violation of regulatory requirements
- Product contamination
- Criminal or civil legal liabilities
- Loss of proprietary or confidential information
- Loss of brand image or customer confidence

3.3.3. Firewall Risk Mitigation

Packet Filtering

Devices on the control network require security based on unique applications and protocols. Packet filtering is a feature found on a firewall that provides protection based on:

- IP protocol
- Source IP address
- Source port
- Destination IP address
- Destination port

With packet filtering, access to a device can be restricted to only allow specific protocols (ports). In the drawing below, the PC can communicate with the PLC via port 80, but port 69 messages are blocked by the firewall.

Ports that need extra protection due to low or no built-in security are:

Non-secure Protocols

IP        Protocol       Port #
TCP       Telnet         23
TCP/UDP   HTTP           80
TCP/UDP   SNMP v1 & v2   161
TCP       FTP            20 (Data), 21 (Command)
UDP       TFTP           69
TCP/UDP   DNS            53
TCP       POP3           110
TCP/UDP   SMTP           25


Packet filtering should be implemented. Trusted ports are for outgoing connections and untrusted ports are for incoming connections.
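As an added example (not from the original note or any product), the following Python models the packet-filter policy described in the NIST firewall guidelines and the drawing above: a “deny all, permit none” base, permit rules that are specific to IP address and TCP/UDP port, egress anti-spoofing, and an audit that flags permit rules that are not address- and port-specific. All addresses, rules and packets are constructed for illustration.

```python
"""Packet-filter policy model for a control-network firewall (constructed example).

Implements the guidelines on this page: default deny, permit rules specific
to IP address and TCP/UDP port, and egress anti-spoofing (outbound packets are
forwarded only if their source belongs to the control network or the DMZ).
Addresses, rules and packets below are made up for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed address plan (assumption, not from the note).
CONTROL_NET = ip_network("10.10.0.0/24")
DMZ_NET = ip_network("10.20.0.0/24")
INTERNAL_NETS = (CONTROL_NET, DMZ_NET)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    direction: str    # "in" = toward the control network, "out" = leaving it


@dataclass(frozen=True)
class PermitRule:
    src_net: str               # CIDR of allowed sources
    dst_host: str              # single destination host
    proto: str                 # "tcp", "udp" or "any" (flagged by the audit)
    dport: Optional[int]       # None means "any port" (flagged by the audit)
    direction: str

    def matches(self, pkt: Packet) -> bool:
        return (pkt.direction == self.direction
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport)
                and ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) == ip_address(self.dst_host))


# Constructed rule base: only the flows the plant has justified.
RULES: List[PermitRule] = [
    # Engineering PC in the DMZ may reach the PLC web server (port 80), as in the drawing.
    PermitRule("10.20.0.10/32", "10.10.0.50", "tcp", 80, "in"),
    # The PLC may send alert mail to the DMZ mail relay only.
    PermitRule("10.10.0.50/32", "10.20.0.25", "tcp", 25, "out"),
]


def decide(pkt: Packet, rules: List[PermitRule] = RULES) -> str:
    """Return 'permit' or a 'drop: <reason>' string. Anything unmatched is dropped."""
    if pkt.direction == "out":
        # Egress anti-spoofing: forged source addresses never leave the plant.
        if not any(ip_address(pkt.src) in net for net in INTERNAL_NETS):
            return "drop: forged source address"
    for rule in rules:
        if rule.matches(pkt):
            return "permit"
    return "drop: no matching permit rule"   # the "deny all, permit none" base


def audit_rules(rules: List[PermitRule]) -> List[str]:
    """Flag permit rules that are not both IP-address and port specific."""
    findings = []
    for i, rule in enumerate(rules):
        if ip_network(rule.src_net).prefixlen == 0:
            findings.append(f"rule {i}: source 'any' is not address-specific")
        if rule.dport is None or rule.proto == "any":
            findings.append(f"rule {i}: missing protocol/port restriction")
    return findings
```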

Some firewalls are even capable of looking within the protocol to make intelligent decisions about allowing/restricting specific messages. These highly evolved firewalls are capable of looking into a protocol like Modbus TCP (port 502) and allowing certain function codes to pass while blocking others. An example of this type of firewall is the Eagle Tofino from Hirschmann Electronics.
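The function-code filtering just described, as an added Python example that is not the Tofino's implementation: it parses the Modbus TCP MBAP header, drops malformed frames, and passes only read-only function codes on a monitoring path. The sample frames are constructed.

```python
"""Application-layer filter for Modbus TCP (port 502): pass read-only function
codes, block writes and diagnostics. Constructed example of the function-code
filtering this section describes; it is not a product implementation.
"""
import struct
from typing import Dict, Tuple

# Public Modbus function codes (from the Modbus application protocol specification).
FC_NAMES: Dict[int, str] = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
# Allow-list for a monitoring-only path (e.g. historian -> PLC): reads only.
READ_ONLY = frozenset({1, 2, 3, 4})

MBAP_FMT = ">HHHB"                      # transaction id, protocol id, length, unit id
MBAP_LEN = struct.calcsize(MBAP_FMT)   # 7 bytes


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Build a Modbus TCP request frame (used here to construct sample traffic)."""
    pdu = bytes([fc]) + data
    return struct.pack(MBAP_FMT, tid, 0, len(pdu) + 1, unit) + pdu


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the MBAP header and function code; raise ValueError on a malformed frame."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto_id, length, unit = struct.unpack(MBAP_FMT, frame[:MBAP_LEN])
    if proto_id != 0:
        raise ValueError(f"protocol id {proto_id} is not Modbus (0)")
    # The length field counts the unit id plus the PDU; it must match the frame.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "fc": frame[MBAP_LEN], "data": frame[MBAP_LEN + 1:]}


def filter_request(frame: bytes, allowed=READ_ONLY) -> Tuple[str, str]:
    """Decide for one client->server frame. Default deny: unlisted codes are dropped."""
    try:
        msg = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "drop", f"malformed frame: {exc}"
    name = FC_NAMES.get(msg["fc"], f"function code {msg['fc']}")
    if msg["fc"] in allowed:
        return "permit", name
    return "drop", f"{name} not on allow-list"


# Constructed sample traffic.
READ_HR = build_request(1, 1, 3, struct.pack(">HH", 0, 10))              # read 10 holding registers
WRITE_REG = build_request(2, 1, 6, struct.pack(">HH", 0x0001, 0x1234))   # write one register
WRITE_MULTI = build_request(3, 1, 16, struct.pack(">HHB", 0, 1, 2) + b"\x00\x01")
BAD_PROTO = struct.pack(MBAP_FMT, 4, 1, 2, 1) + b"\x03"                  # protocol id != 0
TRUNCATED = READ_HR[:5]
```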

Anti-virus Software

Always implement anti-virus scanning and keep anti-virus software and definition files up-to-date. This applies to the SCADA system and all PCs used to monitor or maintain the control system.

Flood Protection

The firewall is an important player in preventing unwanted traffic such as DoS attacks from reaching the control network. DoS attacks are the most common form of flood attacks. If a DoS attacker is successful in penetrating the control network, the impact can be minimized using the flood protection provided in the firewall.


3.3.4. Firewall Rules for Specific Services

Firewalls can deal with and help manage many of the protocols and services employed in industrial control systems. The ones we will discuss here are DNS, HTTP, DHCP, FTP, TFTP, Telnet, SMTP, POP, SNMP, and NAT.

Domain Name System (DNS) Server

A Domain Name System (DNS) server is a database used to translate DNS host names to IP addresses. Most Internet services rely heavily on DNS, but DNS is rarely used by control systems.


DNS Vulnerabilities

There are numerous exploits against DNS servers. The two most common ones are DNS Cache Poisoning and DNS Amplification Attack.

DNS cache poisoning is the result of replacing the intended domain IP address with the attacker’s domain IP address. As a result of cache poisoning, web traffic, email, and other important network data can be redirected to systems under the attacker's control.

A DNS amplification attack is a type of DoS attack that generates traffic overload.

DNS Risk Mitigation

- DNS requests are seldom used from the control network to the corporate network and should be avoided if possible.
- Do not allow DNS requests into the control network.
- It is recommended that the DNS configuration be set to DNS Root Servers. Queries will be sent to the DNS Root server at the IP address stored in mGuard. These addresses rarely change.

Hypertext Transfer Protocol (HTTP)

Hypertext Transfer Protocol is the underlying protocol used by the World Wide Web and is used in many applications: file download, software updates, or to initialize multimedia streams. The use of HTTP is increasing due to embedded web servers in control products. Schneider Electric web servers use HTTP communications to display data and send commands via web pages.

Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol and a cryptographic protocol. The primary differences between HTTP and HTTPS are their default ports (80 for HTTP and 443 for HTTPS). HTTPS operates by transmitting normal HTTP with encryption. There are two common types of encryption layers:

- Transport Layer Security (TLS)
- Secure Sockets Layer (SSL) - predecessor

HTTP Vulnerabilities

HTTP has little inherent security and can be used as a transport mechanism for attacks and worms. Common attacks are man-in-the-middle and eavesdropping.

HTTP Risk Mitigation

If the HTTP server is not needed, then disable it. Otherwise, use HTTPS instead of HTTP if possible, and only to a specific device.

DHCP

Dynamic Host Configuration Protocol (DHCP) is a network application protocol based on BootP. It is used by devices (DHCP clients) to obtain configuration information for operation in an Internet Protocol network. DHCP is an unauthenticated protocol. The DHCP service works using the DORA (Discover, Offer, Request and Acknowledgment) exchange.

The DHCP service uses port 67/UDP on the DHCP server, and 68/UDP on the DHCP clients.

Schneider Electric uses DHCP for Faulty Device Replacement (FDR).

DHCP Vulnerabilities

There are two common types of DHCP attacks:

- DHCP starvation attack – The DHCP server is inundated with countless requests from different MAC addresses. The DHCP server will eventually run out of IP addresses, blocking a legitimate user from obtaining or renewing an IP address.
- DHCP rogue attack – The attacker disguises itself as a DHCP server and responds to a DHCP request with false IP addresses, resulting in a man-in-the-middle attack.

DHCP Risk Mitigation

- Prevent unauthorized persons from having physical or wireless access to the computer.
- It is recommended that DHCP be disabled in the firewall if not needed.
- Conflict: Schneider Electric devices such as the NOEs or ETYs have a built-in DHCP server. The DHCP server uses the device’s MAC address or device name to serve the IP configuration and the name and location of the configuration file.
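Detection logic for the two DHCP attacks described above, as an added Python example that is not part of the original note. It runs over constructed log lines in an assumed format (`<ISO timestamp> DISCOVER|OFFER [server=<ip>] mac=<mac>`); the authorized server address, window and threshold are assumptions.

```python
"""Detect DHCP starvation (many distinct client MACs sending DISCOVER within a short
window) and rogue DHCP servers (an OFFER from an address not on the authorized list).
Constructed example; the log format, server address and thresholds are assumptions.
"""
import re
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, Iterable, List, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>DISCOVER|OFFER)(?: server=(?P<server>\S+))? mac=(?P<mac>\S+)$"
)

AUTHORIZED_SERVERS = frozenset({"10.10.0.1"})   # constructed: the plant's real DHCP server
WINDOW = timedelta(seconds=60)
STARVATION_THRESHOLD = 20                       # distinct MACs per window before alerting


def analyze_dhcp_log(lines: Iterable[str],
                     authorized=AUTHORIZED_SERVERS,
                     window: timedelta = WINDOW,
                     threshold: int = STARVATION_THRESHOLD) -> List[dict]:
    """Return a list of alert dicts, in the order the evidence appears in the log."""
    alerts: List[dict] = []
    recent: Deque[Tuple[datetime, str]] = deque()   # (timestamp, mac) of DISCOVERs in window
    starvation_reported = False
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue   # ignore lines not in the assumed format
        ts = datetime.fromisoformat(m["ts"])
        if m["kind"] == "OFFER":
            # Any OFFER from a server we did not deploy is a rogue-server indicator.
            if m["server"] not in authorized:
                alerts.append({"type": "rogue_server", "at": ts, "server": m["server"]})
            continue
        recent.append((ts, m["mac"]))
        while recent and ts - recent[0][0] > window:
            recent.popleft()                        # slide the window forward
        distinct = len({mac for _, mac in recent})  # repeats from one MAC do not count
        if distinct >= threshold and not starvation_reported:
            alerts.append({"type": "starvation", "at": ts, "distinct_macs": distinct})
            starvation_reported = True
    return alerts


# Constructed sample: 25 DISCOVERs from 25 different MACs within 25 seconds,
# one OFFER from the authorized server, then one OFFER from an unknown server.
SAMPLE_LOG = [
    f"2024-01-01T10:00:{i:02d} DISCOVER mac=02:00:00:00:00:{i:02x}" for i in range(25)
] + [
    "2024-01-01T10:00:25 OFFER server=10.10.0.1 mac=02:00:00:00:00:00",
    "2024-01-01T10:00:26 OFFER server=10.10.0.99 mac=02:00:00:00:00:01",
]
```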

FTP and TFTP

File Transfer Protocol (FTP) and Trivial File Transfer Protocol (TFTP) are used for transferring files between devices. Transparent Ready devices use FTP to load firmware and custom web pages, retrieve crash logs, etc. TFTP is used as a bare-bones, unidirectional, special-purpose file transfer (firmware uploads).

FTP Vulnerabilities

FTP uses a login password that is not encrypted, and for TFTP, no login is required. FTP is vulnerable to Buffer Overflow and FTP Bounce attacks. The FTP bounce attack uses an FTP server in passive mode to transmit information to any device on the network. To begin the bounce attack process, the attacker must log in to the FTP server that will be used as the "middleman." Once connected to the FTP server, the attacker sends the PORT command to direct all data connections to the destination IP address and TCP port.


FTP Risk Mitigation

- FTP communications should be allowed for outbound sessions only, unless secured with additional token-based multi-factor authentication and an encrypted tunnel.
- If possible, use more secure protocols such as Secure FTP (SFTP) or Secure Copy (SCP).
- Configure each server connection individually.
- Use packet filtering to allow access only to the FTP server.
- FTP files should be checked for viruses. Identify the IP address of the FTP server and enable content scanning for viruses if files are not expected to exceed the maximum file size. Large files that exceed the maximum file size are dropped.


Telnet

The telnet protocol provides an interactive, text-based communications session between a client and a host. Telnet provides access to a command-line interface, typically via port 23. It is mainly used for remote login and simple control services to systems with limited resources or to systems with limited needs for security. Due to security risks, Schneider has limited the use of Telnet in its products.

Telnet Vulnerabilities

Use of Telnet is a severe security risk because all telnet traffic, including passwords, is unencrypted. It can allow a remote individual considerable control over a device.

Telnet Risk Mitigation

- Inbound telnet sessions from the corporate network to the control network should be prohibited unless secured with authentication and an encrypted tunnel.
- Outbound telnet sessions should be allowed only over encrypted tunnels (e.g., VPN) to specific devices (covered in the Remote Access section).

Simple Mail Transfer Protocol (SMTP) & Post Office Protocol (POP3)

Email notification in the automation industry is becoming more prevalent as plants downsize and rely on remote experts to troubleshoot and fix detected problems. PlantStruxure devices only send email. However, there is potential that non-Schneider Electric devices residing on the network can receive email. Therefore, it is highly recommended that firewalls be configured to scan email for viruses.

The Simple Mail Transfer Protocol (SMTP) is an internet standard used by e-mail clients or mail transfer agents (MTA) to send e-mails. An SMTP server performs two functions:

- Verifies that the configuration is valid and grants permission to the computer sending the message.
- Sends the outgoing message to a predefined destination and validates the successful transfer of the message. If the message is not successfully transferred, a message is sent back to the sender.

Post Office Protocol v3 (POP3) or Internet Message Access Protocol (IMAP) is used by local e-mail clients to download email from a remote server. The POP3 server receives the e-mail message and retains it until it is retrieved by the local client. POP3 uses port 110.

SMTP & POP3 Vulnerabilities

Directory harvesting is the most common form of attack. The attack relies on invalid email addresses being rejected by the email system either during the SMTP conversation or afterwards via a Delivery Status Notification (DSN). When the attacker receives a rejection for an invalid email address, the email address sent is discarded. When no rejection or DSN is received, the email address is considered valid and is added to a spam database. The attacker typically uses two methods:

- Brute force: an approach that sends messages with all possible alphanumeric characters and waits for a valid response.
- Selective: an approach sending an email using a likely username in hopes of finding a valid one.

SMTP and POP3 Risk Mitigation

- Inbound e-mail should not be allowed to any control network device.
- Outbound SMTP mail messages from the control network to the corporate network are acceptable in order to send alert messages. PlantStruxure devices today only send emails.
- All emails should be scanned for viruses. Note that some firewalls are not able to check encrypted data for viruses.
- Identify which IP address requires anti-virus protection and enable content scanning for viruses if files are not expected to exceed the maximum file size.

Simple Network Management Protocol (SNMP)

All PlantStruxure Ethernet devices have SNMP service capability for network management. Most of the PlantStruxure devices use SNMP v1, which does not use encryption and is therefore considered unsecure. ConneXium switches are an exception. They use SNMP v3, which has added security features:

- Message integrity
- Authentication
- Encryption


SNMP consists of three parts:

- Manager: an application that manages SNMP agents on a network by issuing requests, getting responses, and listening for and processing agent-issued traps. Managed devices can be any type of device: routers, access servers, switches, bridges, hubs, PACs, drives…
- Agent: a network-management software module that resides in a managed device. The agents allow configuration parameters to be changed by managers.
- Network management system (NMS): the terminal through which administrators can conduct administration tasks.

SNMP Vulnerabilities

SNMP in general is weak in security. Versions 1 and 2 of SNMP use unencrypted passwords to both read and configure devices. Passwords may not be able to be changed. Version 3 is considerably more secure but is still limited in use.

Often SNMP is automatically installed with "public" as the read string and "private" as the write string. This type of installation provides an attacker the means to perform reconnaissance on a system or to create a denial of service.

SNMP also provides information about the system that may allow the attacker to piece together the network topology and its interconnections.


SNMP Risk Mitigation

- The best defense is to upgrade to SNMP V3, which encrypts passwords and messages.
- SNMP V1 & V2 commands to and from the control network should be prohibited unless sent over a separate, secured management network.
- Control access by identifying which IP address has the privilege to query an SNMP device.

Network Address Translation (NAT)

Network Address Translation (NAT) is a firewall feature that does not permit the outside from knowing a device’s true IP address, so the outside is unable to access the device directly.

NAT is a method to map the entire network to a single IP address prior to transmitting. NAT relies on the premise that not every internal device is actively communicating with external hosts at any given moment. The firewall must track the state of each connection and how each private internal IP address and source port was remapped. When the response is received by the firewall, the IP address mapping is reversed and the packets are forwarded to the proper internal host.

Although NAT routers are not technically firewalls because they do not filter the packets, NAT does protect the PlantStruxure devices from the network. NAT provides high security by blocking packets originating from the Internet from accessing the device directly. Only responses to a request are allowed to pass through.

NAT was initially developed to address the shrinkage of available IP addresses prior to IPv6. NAT is also referred to as IP-masquerading.
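The connection tracking that both the stateful inspection firewall and NAT rely on (outbound request creates state, reply is reverse-mapped, unsolicited inbound is dropped), as an added Python example that is not any product's implementation. The public address, internal network and port pool are constructed.

```python
"""Connection-tracking NAT (constructed example): outbound flows are remapped to the
firewall's public address and a fresh source port; replies are reverse-mapped from
the state table; inbound packets with no matching state entry are dropped.
Addresses and ports are made up for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterator, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


class StatefulNat:
    def __init__(self, public_ip: str, internal_net: str, port_pool: Iterator[int]) -> None:
        self.public_ip = public_ip
        self.internal = ip_network(internal_net)
        self._ports = port_pool
        # outbound: private 5-tuple -> translated public source port
        self.outbound: Dict[Tuple[str, int, str, int, str], int] = {}
        # inbound: (public port, remote ip, remote port, proto) -> (private ip, private port)
        self.inbound: Dict[Tuple[int, str, int, str], Tuple[str, int]] = {}

    def egress(self, pkt: Flow) -> Optional[Flow]:
        """Translate an outbound packet; None means the packet is dropped."""
        if ip_address(pkt.src_ip) not in self.internal:
            return None   # anti-spoofing: the source must be an internal address
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        pub_port = self.outbound.get(key)
        if pub_port is None:
            pub_port = next(self._ports)   # allocate a translated port and record state
            self.outbound[key] = pub_port
            self.inbound[(pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return Flow(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def ingress(self, pkt: Flow) -> Optional[Flow]:
        """Reverse-map an inbound packet; unsolicited packets have no entry and are dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if entry is None:
            return None   # only responses to a tracked request pass through
        priv_ip, priv_port = entry
        return Flow(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.proto)


def demo() -> dict:
    """Run the scenario end to end and return the decisions."""
    nat = StatefulNat("198.51.100.1", "10.10.0.0/24", iter(range(40000, 40010)))
    out1 = nat.egress(Flow("10.10.0.50", 50000, "203.0.113.9", 25, "tcp"))      # PLC -> mail relay
    reply = nat.ingress(Flow("203.0.113.9", 25, "198.51.100.1", out1.src_port, "tcp"))
    unsolicited = nat.ingress(Flow("203.0.113.77", 4444, "198.51.100.1", 502, "tcp"))
    spoofed = nat.egress(Flow("192.0.2.7", 1234, "203.0.113.9", 25, "tcp"))
    again = nat.egress(Flow("10.10.0.50", 50000, "203.0.113.9", 25, "tcp"))     # same flow reuses state
    return {"out1": out1, "reply": reply, "unsolicited": unsolicited,
            "spoofed": spoofed, "same_port": again.src_port == out1.src_port}
```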

NAT Vulnerabilities

None known

NAT Configuration Recommendation

Use NAT whenever possible. Note that NAT does not support producer-consumer protocols such as EtherNet/IP or Foundation Fieldbus.

Since NAT is usually used on routers and network gateways, it is necessary to enable IP forwarding so that packets can travel between networks.

3.3.5. External Authentication

Authentication is the process of determining a person’s true identity. There are several methods of external authentication. Remote Authentication Dial In User Service (RADIUS) is the most popular network protocol used in the control system network.

RADIUS provides three functions:

- Authenticate users or devices before granting them access to a network.
- Authorize users or devices for certain network services.
- Account for usage of those services.

Transactions between the client and the RADIUS server are authenticated through the use of a shared secret. A shared secret is encrypted using the MD5 hashing algorithm. Originally, RADIUS was developed for dial-up remote access. Today, RADIUS is supported by VPN servers, wireless access points, authenticating Ethernet switches, Digital Subscriber Line (DSL) access, and other network access types.


Authentication Guidelines

- Use a different shared secret for each RADIUS server-RADIUS client pair.
- If possible, configure shared secrets with a minimum length of 16 characters consisting of a random sequence of upper and lower case letters, numbers, and punctuation.

Authentication Vulnerabilities

The RADIUS shared secret does not have sufficient randomness to withstand an offline dictionary attack. This vulnerability is addressed using IPsec in the Remote Access section.


Authentication Risk Mitigation

- Implement RADIUS authentication on the firewall.
- Enter a shared secret used to authenticate the communication between the RADIUS server and a RADIUS client.

3.3.6. Remote Access

There is a growing demand to establish connections to the control system that enable engineers and support personnel to monitor and control the system from remote locations. Remote access can be costly and susceptible to cyber attacks if not configured correctly. Many companies are migrating from telephone modems to a virtual private network (VPN) to reduce this risk. A VPN provides the highest possible level of security, through encryption and authentication, preventing viewing of the data over the public internet.


There are two VPN technologies used, IPsec and SSL:

- Internet Protocol Security (IPsec): IPsec is an open standard, transparent to the application, which provides IP network-layer encryption to provide private, secure communications over Internet Protocol (IP) networks. IPsec supports:
  o network-level data integrity
  o data confidentiality
  o data origin authentication
  o replay protection
  IPsec supports both Digital Signature and Secret Key algorithms.
- Secure Socket Layer (SSL): SSL is a common protocol built into most web browsers. SSL is easier to configure and does not require special client software. However, SSL only works for web-based (TCP) applications and only supports Digital Signature.


For remote access, a VPN with IP security (IPsec) is highly recommended. IPsec is a suite of standards for performing encryption, authentication, and secure tunnel setup. IPsec essentially creates private end-to-end tunnels out of the public bandwidth available on the Internet. IPsec uses the following components:

- Internet Key Exchange (IKE and IKEv2)
- Authentication Header (AH)
- Encapsulating Security Payload (ESP)

IPsec has two connection modes, Tunnel and Transport mode.

- Tunnel mode: the connection is established Gateway-to-Gateway, Gateway-to-Host or Host-to-Host. The entire IP packet is encapsulated to provide a virtual “secure hop” between two gateways and provides a secure tunnel across an untrusted Internet (recommended).
- Transport mode: the connection is Host-to-Host. Only the payload (the data you transfer) of the IP packet is encrypted and/or authenticated.

A VPN tunnel uses algorithms to encrypt and decrypt user information. The three common encryption protocols are:

- AES (Advanced Encryption Standard)
- DES (Data Encryption Standard)
- Triple-DES (3DES) - effectively doubles encryption strength over DES.

Authentication is necessary to make sure that no change is made to a message during transmission. A hash, a one-way (non-reversible) algorithm, takes an input message of arbitrary length and produces a fixed-length output message. Hash algorithms are used by IKE, AH and ESP to authenticate data. The two popular hash algorithms are:

- Message Digest 5 (MD5): 160 bit key.
- Secure Hash Algorithm 1 (SHA-1): generates a 160-bit (20 byte) message digest. SHA-1 is slower than MD5 but offers greater protection against brute force attacks.

Remote Access Guidelines

- All remote access enabling hardware and software should be approved and installed in accordance with the Security Policy.
- Remote access should only be enabled when required, approved, and authenticated.
- Disable remote access when not needed.
- Change the password once a remote maintenance session has terminated.
- Consider the risk to the process when allowing remote access.
- Remote support personnel connecting over the Internet or via dialup modems should use an encrypted protocol such as IPsec.
- Once connected, they should be required to authenticate a second time at the control network firewall using a strong mechanism, such as a token-based multi-factor authentication scheme, to gain access to the control network.
- Automatically lock accounts or access paths after a preset number of consecutive invalid password attempts.
- Change or delete any default passwords or User IDs.
- Change passwords periodically.
- For remote access modems, change default settings as appropriate:
  o Set dial-out modems to not auto answer.
  o Increase the ring count before answer.
  o Utilize an inactivity timeout if available.
- Use callback whenever possible.
- Verify that the VPN devices do not have a negative impact on the control system network.

Remote Access Vulnerabilities

- Inadequate access restriction is the number one vulnerability of the control system network.
- Firewall filtering deficiencies.
- Services allowed into the control system network.
- War dial-ups (a computer dialing consecutive telephone numbers seeking a modem).
- Connection passwords programmed with the vendor’s default password.
- Access links not protected with authentication and/or encryption.


Wireless has additional challenges because radio waves propagate outside the intended area:

- Attackers who are within range can hijack or intercept an unprotected connection.
- Wardriving is a common form of attack where a person searches for wireless devices from a moving vehicle, using a portable computer or PDA.

Remote Access Risk Mitigation – External Communication

The firewall should be configured for a VPN connection using Tunnel mode, network to network. The network-to-network configuration is the most secure and will function in all applications.

3.3.7. Protecting the Perimeter for Remote Control

Remote control differs from remote access in that remote control often bypasses the security perimeter protection due to the latency introduced by the firewall. A risk analysis by the organization is required to balance risk versus functionality. Remote control with wireless brings additional security challenges. The best defense is to use a VPN tunnel with IPsec (same as for the firewall).

Remote Control Guideline

The wireless recommendations and guidance from the Industrial Control System Security organization are:

- Prior to installation, a wireless survey should be performed to determine antenna location and strength to minimize exposure of the wireless network. The survey should take into account the fact that attackers can use powerful directional antennas, which extend the effective range of a wireless LAN beyond the expected standard range. Faraday cages and other methods are also available to minimize exposure of the wireless network outside of the designated areas.
- Wireless users’ access should utilize IEEE 802.1x authentication using a secure authentication protocol (e.g., Extensible Authentication Protocol [EAP] with TLS [EAP-TLS]) that authenticates users via a user certificate or a Remote Authentication Dial In User Service (RADIUS) server.
- The wireless access points and data servers for wireless worker devices should be located on an isolated network with documented and minimal (single if possible) connections to the ICS network.
- Wireless access points should be configured to have a unique service set identifier (SSID), disable SSID broadcast, and enable MAC filtering at a minimum.
- Wireless devices, if being utilized in a Microsoft Windows ICS network, should be configured into a separate organizational unit of the Windows domain.
- Wireless device communications should be encrypted and integrity-protected. The encryption must not degrade the operational performance of the end device. Encryption at OSI Layer 2 should be considered, rather than at Layer 3, to reduce encryption latency. The use of hardware accelerators to perform cryptographic functions should also be considered.
- For mesh networks, consider the use of broadcast key versus public key management implemented at OSI Layer 2 to maximize performance. Asymmetric cryptography should be used to perform administrative functions, and symmetric encryption should be used to secure each data stream as well as network control traffic. An adaptive routing protocol should be considered if the devices are to be used for wireless mobility. The convergence time of the network should be as fast as possible, supporting rapid network recovery in the event of a detected failure or power loss. The use of a mesh network may provide fault tolerance through alternate route selection and pre-emptive fail-over of the network.


Remote Control Vulnerabilities for Wireless

- Security settings are either not configured or configured for poor security.
- Radio waves propagate outside the intended area.
- Easy to eavesdrop.
- Physical location permits easy access.
- No security policies for setting up a wireless network.
- Attackers who are within range can hijack or intercept an unprotected connection.
- War driving - a common form of attack where a person searches for wireless devices from a moving vehicle, using a portable computer or PDA.


Remote Control Risk Mitigation

FactoryCast ETG302x provides VPN capabilities for remote control. It is recommended that two ETGs be used to gain access to the control network from the RTU station using wireless.

The same rules apply to the ETG302x as to the firewall:

- A pre-shared key is used for authentication.
- For PlantStruxure devices, always use tunnel mode (mandatory).
- The encryption is preconfigured to 3DES (high) and the authentication algorithm to SHA-2.
- Enable VPN on both ETG302x devices and configure the remote LAN in each.

After selecting VPN mode on both ETGs, configure the GPRS DNS name and set the mode to tunnel.

Below, you see a fully configured system providing VPN access across the public internet, ensuring secured communications.

Page 53: Security Cyber Attack

3-Schneider Electric Cyber Security Defense

53

3.4. Network Segmentation via VLAN

3.4.1. Virtual LANs

Virtual LANs (VLANs) are commonly used to segment networks. VLANs divide physical networks into smaller logical networks to increase performance, improve manageability, simplify network design and provide another layer of security. Segmentation can be accomplished using devices such as firewalls, routers and Ethernet switches with access control lists.

Network segmentation advantages:

- Contains attacks (viruses, worms, trojans, spam, adware) to one network segment.
- Improves security by ensuring that nodes are not visible to unauthorized networks.
- Most of the intruders' scans are dropped by the network before they ever hit a potential target system.
- Contains information leaks if there is a security breach on a network.
- Broadcasts and multicasts are restricted to their respective VLANs.
- Improves network performance and reduces network congestion.
- Controls communication access from one segment to another, providing enhanced security to a critical device or system.

For a control system, segmentation can be done at several levels: switches, VLANs and firewalls.

- The first level involves the use of Ethernet switches to prevent unwanted traffic from going to all devices, which could otherwise allow an attacker to view the data.
- The second level involves the use of switches with VLAN functionality to further restrict traffic. At this point, the concept of a communications or security zone is introduced. The control network is broken into separate zones based on physical proximity or purpose. Use of Access Control Lists further enhances the level of security of the zones.
- The third level involves the use of high-performance industrial firewalls or routers to limit access to a communications zone and to monitor traffic inside the zone.

As firewalls and routers are added to the system, the user must be cognizant of potentially reduced network performance.


A VLAN is a broadcast domain (Layer 2) configured on Ethernet switches on a port-by-port basis that isolates traffic from other VLANs. When two devices are defined as being on the same VLAN, the switch passes messages through with no filtering.

VLANs are typically grouped by:

- Functionality or cell area: only the traffic relevant to a particular cell area and necessary for operation.
- Access requirements: access requirements differ for different types of users: operators, engineers, vendors, accounting …
- Security: access to sensitive information needs to be shielded: accounting, human resources, research …
- Traffic: limit traffic load to achieve the required throughput.

Segmentation recommendation guideline:

- Use one VLAN per ring topology for all manufacturing traffic per cell/area zone.
- VoIP should be on a separate VLAN.
- Packets entering the DMZ from the Internet are assigned a restricted VLAN ID that allows access only to devices on the DMZ.
- All unnecessary traffic should be removed from the particular VLAN.
- Apply QoS ACLs to rate-limit the maximum amount of ping traffic allowed.
- Prevent all Telnet connections and allow only SSH sessions.
- Connect untrusted devices to untrusted ports and trusted devices to trusted ports.
- Disable unused ports and put them into an unused VLAN.

VLAN Vulnerabilities

VLAN hopping is a method of attacking networked resources on a VLAN. In the VLAN hopping attack, the attacker uses switch spoofing or double-encapsulated frames on an unauthorized port to gain access to another VLAN.

Common types of attacks carried out once the intruder has gained access to the desired VLAN:

- MAC flooding attack (confined to the VLAN of origin)
- 802.1Q and ISL tagging attack
- Double-encapsulated 802.1Q / nested VLAN attack
- ARP attacks
- Private VLAN attack
- Multicast brute force attack
- Spanning-tree attack
- Random frame stress attack

VLAN Risk Mitigation

ConneXium VLAN capabilities allow limiting access to areas/zones of responsibility. For example, the engineer may have access to the entire plant, but an operator responsible for sites A and B should not have access to site C. Maintenance personnel assigned to site C should only have access to that site. This confines the area of vulnerability.

Use caution when configuring VLAN 0 Transparent Mode. If checked, the packets are sent without VLAN membership.

Use ingress filtering to validate that the incoming packets are legitimate.
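As an added example (not code from the STN or from ConneXium), the following Python model shows what an ingress filter on a switch port has to check to defeat the VLAN hopping techniques listed above: it parses 802.1Q tags, drops nested (double-encapsulated) tags, drops tagged frames on access ports and untagged frames on trunks, and refuses VLAN 0, which carries no membership. Port names, VLAN IDs and frame contents are constructed, and the simplified model assumes trunks carry no native VLAN.

```python
"""Model of 802.1Q ingress filtering on a switch port (constructed example)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
PRIORITY_TAG_VID = 0  # VID 0 carries priority only, no VLAN membership


@dataclass
class PortConfig:
    name: str
    mode: str                              # "access" or "trunk"
    pvid: int = 0                          # VLAN given to untagged frames on an access port
    allowed: FrozenSet[int] = frozenset()  # VIDs permitted on a trunk
    enabled: bool = True


@dataclass
class Verdict:
    accepted: bool
    vlan: Optional[int]
    reason: str


def parse_vlan_tags(frame: bytes) -> List[int]:
    """Return the VLAN IDs of all 802.1Q tags after the MAC header, outermost first."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    tags = []
    offset = 12  # first EtherType/TPID position, after destination and source MAC
    while offset + 4 <= len(frame) and int.from_bytes(frame[offset:offset + 2], "big") == TPID_8021Q:
        tci = int.from_bytes(frame[offset + 2:offset + 4], "big")
        tags.append(tci & 0x0FFF)  # the low 12 bits of the TCI are the VID
        offset += 4
    return tags


def ingress_filter(port: PortConfig, frame: bytes) -> Verdict:
    """Decide whether a frame may enter the switch on this port, and in which VLAN."""
    if not port.enabled:
        return Verdict(False, None, "port disabled")
    tags = parse_vlan_tags(frame)
    if len(tags) > 1:
        # Double-encapsulated 802.1Q: the inner tag would surface on the next hop.
        return Verdict(False, None, "nested 802.1Q tags dropped (VLAN hopping attempt)")
    if port.mode == "access":
        if tags:
            return Verdict(False, None, "tagged frame on access port dropped")
        return Verdict(True, port.pvid, "untagged frame assigned to PVID")
    if port.mode == "trunk":
        if not tags:
            return Verdict(False, None, "untagged frame on trunk dropped (no native VLAN)")
        vid = tags[0]
        if vid == PRIORITY_TAG_VID:
            return Verdict(False, None, "VLAN 0 tag carries no membership; dropped")
        if vid not in port.allowed:
            return Verdict(False, None, f"VLAN {vid} not allowed on this trunk")
        return Verdict(True, vid, "tagged frame accepted")
    raise ValueError(f"unknown port mode {port.mode!r}")


def build_frame(vids: List[int], ethertype: int = 0x0800, payload: bytes = b"\x00" * 46) -> bytes:
    """Construct a test frame carrying the given tag stack (outermost first)."""
    frame = bytes.fromhex("0080631122aa") + bytes.fromhex("0080633344bb")  # constructed MACs
    for vid in vids:
        frame += TPID_8021Q.to_bytes(2, "big") + (vid & 0x0FFF).to_bytes(2, "big")
    return frame + ethertype.to_bytes(2, "big") + payload


# Constructed port configurations for one cell/area zone and its uplink.
ACCESS_CELL_A = PortConfig("port 1", "access", pvid=10)
TRUNK_UPLINK = PortConfig("port 24", "trunk", allowed=frozenset({10, 20, 30}))
UNUSED_PORT = PortConfig("port 5", "access", pvid=999, enabled=False)  # parked in an unused VLAN

if __name__ == "__main__":
    cases = [
        (ACCESS_CELL_A, build_frame([])),
        (ACCESS_CELL_A, build_frame([10])),
        (TRUNK_UPLINK, build_frame([20])),
        (TRUNK_UPLINK, build_frame([10, 20])),
        (TRUNK_UPLINK, build_frame([0])),
        (UNUSED_PORT, build_frame([])),
    ]
    for port, frame in cases:
        v = ingress_filter(port, frame)
        print(f"{port.name:8} tags={parse_vlan_tags(frame)!s:10} -> {v.accepted} {v.reason}")
```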

Communications Between VLANs

Once the network is segmented into VLANs, many users want to allow restricted communications between VLANs. This can be achieved by use of a Layer 3 switch/router that maps traffic from one VLAN to another. Schneider recommends the Hirschmann MICE range of Layer 3 switches for this purpose.

Communication / Security Zones

Each VLAN can be thought of as a communications or security zone with a defined list of network traffic that can enter the zone. A zone can be as small as a single device or as large as an entire plant. To limit the network traffic entering a zone, Schneider recommends the Hirschmann Eagle Tofino firewall appliance. This appliance is protocol-aware, providing the ability to monitor and limit access to specific data registers or function codes for each connected device. The Eagle Tofino firewall is specifically designed for use in industrial control systems, providing a setup and interface familiar to control system engineers.


3.5. Device Hardening

Device hardening is a process that reconfigures a device's default settings to strengthen security. Device hardening applies to routers, firewalls, switches and other devices on the network such as SCADA and PACs. Examples of device hardening:

- Password management, including encryption
- Disabling of unused services
- Access control
- Network intrusion detection systems (NIDS)
- Strong authentication

The following section demonstrates methods of hardening Schneider Electric devices.

3.5.1. Passwords

Password management is one of the fundamental means of device hardening: it can be implemented easily and quickly, but it is often neglected in the control system network. Policies and procedures are often lacking or missing entirely. Caution must be taken when considering security requirements and their potential ramifications, such as adverse impact on performance, safety or reliability.

Guidelines for password configuration

- Default passwords must be changed immediately after installation:
  - User and application passwords
  - Scripts and source code
  - Network control equipment
- All user accounts must have passwords.
- Limit passwords to people that need access.
- Passwords should not be shared and should be difficult to guess.
- Passwords should contain at least 8 characters and include:
  - Upper- and lowercase letters
  - Numbers
  - Non-alphanumeric characters (e.g. !, $, #, %)
- Passwords should be changed regularly.
- Remove an employee's access account when employment has terminated.
- Use different passwords for different accounts, systems and applications.
- A secured master list of all passwords must exist in the plant at all times and be quickly accessible in the event of an emergency.
- Password implementation must never interfere with the ability of an operator to respond to a situation (e.g. emergency shut-down).
- Passwords should not be transmitted electronically over the insecure Internet, such as via e-mail.

Password Vulnerabilities

- Storing passwords and dial-up numbers on unprotected portable devices that may be lost or stolen.
- Lack of a password policy to define strength and usage.
- Use of default passwords, allowing unauthorized access.
- Passwords are not kept confidential and are shared or posted.
- Sending unencrypted passwords through unprotected communications (e.g. FTP, SMTP …).
- Providing inappropriate process control privileges to operators; either too much (e.g. administrative privileges) or too little (e.g. preventing operators from being able to take emergency corrective actions).
- Poorly chosen passwords can easily be guessed by a person or a computer.
- Default passwords are not changed, and default settings can be easily found in manuals.

Password Risk Mitigation

SMTP – Email Server, HTTP – Web Server
Enable password authentication on all e-mail and web servers: PLCs, Ethernet interface modules, built-in web servers …

FTP
Change the default password of the FTP server.

3.5.2. Device Access Control

One method of device hardening is to implement access control on the Schneider Electric devices. Access control, similar to IP packet filtering on the firewall, only permits access from the addresses entered in the Access table. It is useful to prevent access from one plant area to another.

Guideline for Access Control

Access control should be implemented at all levels: firewall, switches and devices.

Access Control Vulnerability

Accessing PAC logic that could have a negative impact on production, equipment and the safety of personnel.

Access Control Risk Mitigation

Configure the access control to determine whether or not a device is allowed to open a TCP connection to the module.

3.5.3. ConneXium Ethernet Switches

To harden the network system it is necessary to parameterize the following features of the ConneXium managed Ethernet switches to provide additional protection against unauthorized users:

- SNMP
- Telnet/Web access
- Ethernet Switch Configurator Software protection
- Port access control via IP or MAC address

SNMP

A network management station communicates with the device via the Simple Network Management Protocol (SNMP). An SNMP packet contains the IP address of the sending computer along with the device's password needed for access. The device receives the SNMP packet and compares the IP address of the sending computer and the password with the entries in the device MIB. If the password has the appropriate access right, and if the IP address of the sending computer has been entered, then the device allows access.

In the delivery state, the device is accessible via the password "public" (read only) and "private" (read and write) to every computer.

SNMP Vulnerabilities

Ethernet switches are susceptible to MAC spoofing, table overflows and attacks against the spanning tree protocols, depending on the device and its configuration.

SNMP Risk Mitigation

- Use SNMP v3 whenever possible.
- Password protect.
- Limit the access rights of the known passwords or delete their entries.
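The access decision described above, modelled in Python as an added example (not the switch's own code): an SNMP v1/v2c access table is evaluated against the source IP address and community string of a request, and an audit function reports what is wrong with the delivery state (the well-known "public"/"private" strings accepted from every computer) that the mitigations above remove. The hardened table, its community strings and the management addresses are constructed values; SNMP v3 replaces community strings with per-user authentication and is not modelled here.

```python
"""Model of SNMP v1/v2c community-based access control on a managed switch (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

WELL_KNOWN_COMMUNITIES = {"public", "private"}  # defaults found in every manual
ANY_HOST = "0.0.0.0/0"                          # "every computer"


@dataclass(frozen=True)
class AccessEntry:
    community: str      # the SNMP "password"
    rights: str         # "ro" (read only) or "rw" (read and write)
    allowed_from: str   # source network the entry is valid for, in CIDR notation


def authorize(table: List[AccessEntry], src_ip: str, community: str, operation: str) -> bool:
    """Return True if a GET ("get") or SET ("set") from src_ip with this community is permitted."""
    src = ip_address(src_ip)
    for entry in table:
        if entry.community != community:
            continue
        if src not in ip_network(entry.allowed_from):
            continue  # password is known, but this computer has not been entered
        if operation == "set" and entry.rights != "rw":
            continue
        return True
    return False


def audit(table: List[AccessEntry]) -> List[str]:
    """Report entries that leave the device in (or close to) its delivery state."""
    findings = []
    for entry in table:
        if entry.community in WELL_KNOWN_COMMUNITIES:
            findings.append(f'community "{entry.community}" is a well-known default; rename or delete it')
        if ip_network(entry.allowed_from) == ip_network(ANY_HOST):
            findings.append(f'community "{entry.community}" ({entry.rights}) is accepted from every computer')
        if entry.rights == "rw" and ip_network(entry.allowed_from).prefixlen < 32:
            findings.append(f'write access for "{entry.community}" should be limited to one management station')
    return findings


# Delivery state as described in the STN: "public" read only and "private" read/write, from anywhere.
DELIVERY_STATE = [
    AccessEntry("public", "ro", ANY_HOST),
    AccessEntry("private", "rw", ANY_HOST),
]

# Hardened table (constructed): unique strings, read-only access from the monitoring subnet,
# write access only from a single management station.
HARDENED = [
    AccessEntry("mon-ro-7Qx2vL", "ro", "10.0.100.0/24"),
    AccessEntry("mgmt-rw-Kp9zT4", "rw", "10.0.100.5/32"),
]

if __name__ == "__main__":
    print("delivery state findings:", *audit(DELIVERY_STATE), sep="\n  ")
    print("hardened findings:", audit(HARDENED))
    print("SET with 'private' from a cell network, delivery state:",
          authorize(DELIVERY_STATE, "10.0.5.20", "private", "set"))
    print("SET with 'private' from a cell network, hardened:",
          authorize(HARDENED, "10.0.5.20", "private", "set"))
```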

Telnet/Web Access

The device's Telnet server allows you to configure the device by using the Command Line Interface (in-band). The ConneXium switch can also be configured using the web server. On delivery, the server is activated.

Telnet/Web Access Vulnerabilities

Same vulnerabilities as described in the firewall section.

Telnet/Web Access Configuration Recommendation

Deactivate the Telnet and web servers if not used.

Ethernet Switch Configurator Software Protection

The Ethernet Switch Configurator Software protocol allows you to assign the device an IP address based on its MAC address.

Ethernet Switch Configurator Software Vulnerability

Unauthorized access.

Ethernet Switch Configurator Software Risk Mitigation

It is recommended that the Ethernet Switch Configurator Software function for the device be disabled after you have assigned the IP parameters to the device. Disable the Ethernet Switch Configurator Software function in the "Ethernet Switch Configurator Software Protocol" frame or limit the access to "read-only".

Ethernet Switch Port Access

Implement port security to prevent unauthorized physical connection to the Ethernet port. Methods of securing the ports are:

- Disabling of open ports.
- MAC address locking: locking a specific MAC address to a specific port on the Ethernet switch.
- IP address locking: locking a specific IP address to a specific port on the Ethernet switch. Commonly used for faulty device replacement.

Ethernet Switch Port Vulnerability

A malicious user who has physical access to an unsecured port on a network switch could plug into the network behind the firewall to defeat its incoming filtering protection.

Ethernet switches maintain a table called the Content Addressable Memory (CAM) that maps individual MAC addresses on the network to the physical ports on the switch. In a MAC flooding attack, a switch is flooded with packets, each containing a different source MAC address, filling the CAM table. Once the CAM table is full, the switch behaves like an Ethernet hub, broadcasting all incoming packets on all ports. The attacker could then use a packet sniffer (such as Wireshark) running in promiscuous mode to capture sensitive data from other computers (such as unencrypted passwords, e-mail and instant messaging conversations), which would not be accessible were the switch operating normally.

Port Access Configuration Recommendation

- Disable unused ports.
- Restrict port access by allowing only selected devices (up to 10 devices per port).
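To show why the "up to 10 devices per port" limit matters, here is an added Python model (not ConneXium code) of a switch's CAM table with and without port security. A constructed burst of frames with distinct source MACs on one port fills an unprotected table, after which frames for unknown destinations are sent out of every port; with port security the port is shut down after the tenth address and the table never fills. Table capacity, port names and MAC addresses are constructed.

```python
"""Model of a switch CAM table under MAC flooding, with and without port security (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

MAX_MACS_PER_PORT = 10  # the STN's "up to 10 devices per port"

LEARNED = "learned"
KNOWN = "already known"
CAM_FULL = "CAM full: unknown destinations are now flooded to all ports"
VIOLATION = "port security violation: port shut down"
DROPPED = "dropped: port is shut down"


@dataclass
class Switch:
    ports: List[str]
    cam_capacity: int = 64                 # constructed: real tables hold thousands of entries
    port_security: bool = True
    max_per_port: int = MAX_MACS_PER_PORT
    cam: Dict[str, str] = field(default_factory=dict)                             # MAC -> port
    per_port: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))
    shutdown: Set[str] = field(default_factory=set)

    def learn(self, in_port: str, src_mac: str) -> str:
        """Process the source address of a frame arriving on in_port."""
        if in_port in self.shutdown:
            return DROPPED
        if src_mac in self.cam:
            return KNOWN
        if self.port_security and len(self.per_port[in_port]) >= self.max_per_port:
            self.shutdown.add(in_port)  # err-disable the port; a real switch also raises an alarm
            return VIOLATION
        if len(self.cam) >= self.cam_capacity:
            return CAM_FULL
        self.cam[src_mac] = in_port
        self.per_port[in_port].add(src_mac)
        return LEARNED

    def egress_ports(self, in_port: str, dst_mac: str) -> List[str]:
        """Ports a frame for dst_mac leaves on: one port if known, otherwise all others (hub behaviour)."""
        if dst_mac in self.cam:
            return [self.cam[dst_mac]]
        return [p for p in self.ports if p != in_port and p not in self.shutdown]


def model_mac_flood(switch: Switch, in_port: str, count: int) -> Dict[str, int]:
    """Feed count frames with distinct constructed source MACs into one port; return outcome counts."""
    outcomes: Dict[str, int] = defaultdict(int)
    for i in range(count):
        mac = f"02:00:00:{(i >> 16) & 0xFF:02x}:{(i >> 8) & 0xFF:02x}:{i & 0xFF:02x}"
        outcomes[switch.learn(in_port, mac)] += 1
    return dict(outcomes)


PORTS = [f"port {n}" for n in range(1, 9)]
HMI_MAC = "00:80:63:10:20:30"  # constructed: a legitimate HMI connected to port 1

if __name__ == "__main__":
    for secured in (False, True):
        sw = Switch(PORTS, cam_capacity=32, port_security=secured)
        sw.learn("port 1", HMI_MAC)
        print(f"port security {secured}: {model_mac_flood(sw, 'port 3', 100)}")
        print("  frame for an unlearned MAC from port 2 goes to:",
              sw.egress_ports("port 2", "00:80:63:99:99:99"))
```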

3.5.4. SCADA System

SCADA (Supervisory Control and Data Acquisition) systems are heavily used in industrial control for data collection, human interface and data analysis. Schneider's Vijeo Citect is an example of this functionality. SCADA systems, due to their typical PC-based architecture, simple access to process control functions and criticality to the process, are among the most vulnerable devices on the control system network. Steps required to harden the SCADA system are:

- Limit the viewable areas by configuring roles.
- Use web clients instead of Internet Display Clients.
- Use multiple digital signatures.
- Carefully configure privileges without interfering with the process.
- Implement MS Windows authentication.

SCADA System Guidelines

- Routinely track and monitor audit trails, especially in the critical areas, to identify suspicious activity and remedy it immediately.
- Configure mirrored servers, such as the historian, in the DMZ for external access. Do not allow direct access on the control system network.
- Validate that there are no foreign IP addresses on the access list.
- Keep the anti-virus software current. This can often conflict with production and may require a risk assessment.
- Maintain passwords.
- No e-mail or web access.
- Disable or remove the CD-ROM and diskette drives.
- Disable USB ports not used by the keyboard or mouse.
- Do not leave remote units available.
- Secure in locked cabinets if possible.
- Dual firewalls are recommended.

SCADA Vulnerabilities

SQL injection is a code injection technique that occurs in the database layer of an application. The attacker executes unauthorized SQL commands by taking advantage of poorly secured code on a system connected to the Internet. Most of the security issues center around the login and URL string. SQL injection attacks are used to steal information from a database and/or to gain access to an organization's host computers through the computer that is hosting the database.

SCADA Risk Mitigation

Assign Roles

Limit access to plant areas to prevent unauthorized access to areas of non-responsibility. If an intruder is able to penetrate, access will be to a specific area and not the entire plant.


Web Servers

Internet Display Clients (IDC) are configured using FTP. As stated before, FTP is an untrusted protocol and should be avoided. It is highly recommended that the CitectSCADA web client be used instead of IDCs.

Multiple Digital Signatures

Whenever possible, use multiple digital signatures for tasks that require a higher authorization, such as modifying thresholds.

3.5.5. Device Hardening for Legacy Devices

In many cases, the devices in the control system are older and were not equipped with sufficient device hardening features. In this case, an external device can be applied in combination with the installed end device to improve the hardening. Schneider recommends use of the Hirschmann Eagle Tofino firewall to provide these features. It is recommended to configure the firewall to use the same IP address as the end device, so that the combination of the two units appears as a single end device to the rest of the network.

The single combined unit can also take advantage of the Eagle's ability to limit network traffic, restrict access to allow only data requests from specific originating devices, and even limit access to specific data register areas or use of specific function codes.

3.6. Monitoring

Security monitoring on the control system network is critical. No system is fully protected, due to the continuous evolution of new cyber attacks. By monitoring the system, immediate action can be taken to block intrusion attempts before damage is done.

3.6.1. Methods of Monitoring Networks

There are several methods of monitoring the network for suspicious activity:

- Monitoring of log files.
- Usage of authentication traps.
- Use of an Intrusion Detection System (IDS): monitors activity on the network such as traffic patterns, file access, changes in port status, invalid password entries, detected equipment failures …

There are two types of IDS:

- Network Intrusion Detection System (NIDS): monitors traffic to and from all devices on the network.
- Host Intrusion Detection System (HIDS): runs on individual hosts or devices on the network.

3.6.2. Monitoring Recommendations

SNMP Authentication Traps
Enable SNMP authentication traps to monitor for unauthorized login attempts.

Monitor Event Log
Monitor the event logs of devices for unusual activity.

Monitor MS Windows Event Viewer
Monitor the MS Windows Event Viewer (Control Panel/Administrative Tools/Event Viewer/Application Log) for unusual activity.

Monitor Network Load
Using network diagnostic tools like HiVision from Hirschmann Electronics, monitor and immediately investigate unusual traffic load.

Monitor Device Log Files
Monitor log files produced by devices. For example:

- Crash log file (e.g. Quantum PAC)
- Alarm log files (e.g. PAC)
- Diagnostic log files (e.g. ConneXium switch)
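As an added example (not from the STN), the following Python detector applies the monitoring recommendations above to constructed log lines: it counts SNMP authentication failures and failed logins per source within a time window, and flags a link-up event on a port that hardening left disabled. The log format, host names, addresses and the list of unused ports are constructed; real devices need the regular expressions adapted to their own log format.

```python
"""Log-file monitoring for authentication failures and unexpected port activity (constructed example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Set, Tuple

# Constructed log format: "<ISO timestamp> <device> <facility>: <message>".
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?:snmp|login): "
    r"(?:authentication failure|user (?P<user>\S+) failed password) from (?P<ip>[\d.]+)$"
)
LINK_UP_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) port: port (?P<port>\d+) link up$")

# Constructed: ports that were disabled during hardening and must never come up.
UNUSED_PORTS: Dict[str, Set[int]] = {"sw-cell-a": {5, 6, 7}}


def detect(lines: Iterable[str], threshold: int = 3, window: timedelta = timedelta(minutes=5),
           unused_ports: Dict[str, Set[int]] = UNUSED_PORTS) -> List[str]:
    """Return alerts for repeated authentication failures and for link-ups on unused ports."""
    alerts: List[str] = []
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    for line in lines:
        m = AUTH_FAIL_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"])
            failures = recent[(m["host"], m["ip"])]
            failures.append(ts)
            while failures and ts - failures[0] > window:  # forget failures outside the window
                failures.popleft()
            if len(failures) == threshold:                  # alert once, when the threshold is crossed
                alerts.append(f"{m['host']}: {threshold} authentication failures from {m['ip']} "
                              f"within {int(window.total_seconds() // 60)} min")
            continue
        m = LINK_UP_RE.match(line)
        if m and int(m["port"]) in unused_ports.get(m["host"], set()):
            alerts.append(f"{m['host']}: link up on disabled port {m['port']} (unauthorized connection?)")
    return alerts


# Constructed sample log: one source hammering SNMP, a user with two typos, one unexpected link-up.
SAMPLE_LOG = [
    "2011-03-01T08:00:01 sw-cell-a snmp: authentication failure from 192.0.2.45",
    "2011-03-01T08:00:02 sw-cell-a snmp: authentication failure from 192.0.2.45",
    "2011-03-01T08:01:30 sw-cell-a port: port 2 link up",
    "2011-03-01T08:02:15 sw-cell-a snmp: authentication failure from 192.0.2.45",
    "2011-03-01T08:05:10 hmi-01 login: user operator failed password from 10.0.5.9",
    "2011-03-01T08:05:40 hmi-01 login: user operator failed password from 10.0.5.9",
    "2011-03-01T08:06:00 sw-cell-a port: port 5 link up",
    "2011-03-01T08:30:00 sw-cell-a snmp: authentication failure from 192.0.2.45",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT", alert)
```

The failure at 08:30 in the sample does not re-trigger the alert because the three earlier failures have aged out of the five-minute window.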


4. Appendix – Methods of Attack

4.1. IP Spoofing

IP spoofing is a method used to disguise the identity of the attacker in the attempt to perform various malicious attacks such as denial of service and man-in-the-middle. IP spoofing is accomplished by manipulating the IP address.

The Internet Protocol (IP) is the main protocol used to communicate data across the Internet. The IP header of the data contains the information necessary to transport data from the source to the destination. The header contains information about the type of IP datagram, how long the datagram remains active on the network, special flags indicating any special purpose the datagram is supposed to serve (such as whether or not the data can be fragmented), the destination and source addresses, and several other fields.

The receiver of the packet identifies the sender by the source IP address. IP does not validate the source IP address. In IP spoofing, the attacker manipulates the datagram. The most common manipulation is creating a false source IP address to hide identity.

The primary motives of the attack are:

- To gather information about open ports, operating systems or applications on the host from the replies. For example, a port 80 response may indicate that the host is running a web server. Using telnet, the attacker may be able to see the banner and determine the web server version and type. The attacker can then try to exploit any vulnerability associated with that web server.
- To uncover the sequence number. TCP requires the use of a sequence number for every byte transferred and requires an acknowledgement from the recipient. An attacker will send several packets to the victim in the hope of determining the algorithm. Once the algorithm is determined, the attacker tricks the target into believing its legitimacy and begins to launch various attacks.
- To hijack an authorized session by monitoring a session between two communicating hosts and then injecting traffic that appears to be coming from one host. By doing so, the hijacker steals the session from one host and terminates its session. The hijacker continues the same session, with the same access privileges, to the other legitimate host.

4.2. Denial of Service Attacks

Denial of Service (DoS) is an attempt to prevent legitimate users from accessing computer services, either temporarily or permanently. One common method of attack involves saturating the victim's computer with external communications requests to either block responses or respond so slowly that the system is considered ineffective. The attacker usually accomplishes this by:

1. Crashing the system.
2. Denying communication between systems.
3. Bringing the network or the system down, or having it operate at a reduced speed, affecting productivity.
4. Hanging the system, which is more dangerous than crashing since there is no automatic reboot. Productivity can be disrupted indefinitely.

There are several variations of DoS. The most popular are:

- TCP SYN flood attack
- Land attack
- ARP spoofing
- ICMP smurf attack
- Ping of death
- UDP flood attack
- Teardrop attack


4.3. TCP SYN Flood Attack

A TCP SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system.

When a client attempts to start a TCP connection to a server, the client and server exchange information in the following sequence:

1. The client requests a connection by sending a SYN (synchronize) message to the server.
2. The server acknowledges the request by sending a SYN-ACK back to the client.
3. The client responds with an ACK and the connection is established.

This is called the TCP three-way handshake. In a SYN flood, the attacker sends many SYN messages but never completes the handshake with the final ACK, so the server keeps half-open connections that consume its resources.

There is a limit to available resources. Once the limit has been reached, all other requests are dropped. Older operating systems are more vulnerable than newer operating systems. Newer operating systems manage resources better, making it more difficult to overflow tables, but they are still vulnerable.


4.4. Land Attack

In a land attack, a spoofed TCP SYN packet is sent in which the source IP address and source port number are identical to the target IP address and port number. The target machine replies to itself in an endless loop until the idle timeout value is reached.


4.5. ARP Spoofing

Address Resolution Protocol (ARP) is a Layer 2 protocol that maps an IP address to a MAC address; the mappings are stored in a table (the ARP cache) residing in memory.

1. ARP checks the local ARP cache for an entry for the destination IP address. If a match is found, the hardware address of the destination is added to the frame header and the frame is sent.
2. If a match is not found, an ARP request broadcast is sent to the local network (the sender knows the destination is on the local network by working out the network ID from the IP address and the subnet mask). The ARP request contains the sender's IP address and hardware address and the IP address being queried, and is sent to 255.255.255.255 (everyone, but it will not get routed).
3. When the destination host receives the broadcast, it sends an ARP reply with its hardware address and IP address.
4. When the source receives the ARP reply, it updates its ARP cache, then creates a frame and sends it.

ARP flood spoofing, also known as ARP poisoning or ARP routing, sends fake ARP messages on the network. The intent is to associate the attacker's MAC address with the IP address of another node (e.g. the gateway) by poisoning the ARP caches of the systems, so that traffic can be intercepted.
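An added example (not from the STN) of how the poisoning described above can be detected passively: a Python monitor compares each ARP reply seen on the segment against a static binding for the gateway and against the mappings learned earlier, and also flags one MAC address answering for several IP addresses. The addresses and the captured replies are constructed.

```python
"""Passive ARP-reply monitor for cache-poisoning symptoms (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed: the cell gateway's IP address pinned to its genuine MAC.
STATIC_BINDINGS: Dict[str, str] = {"10.0.5.1": "00:80:63:aa:bb:01"}


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str   # IP address the reply claims to answer for
    sender_mac: str  # hardware address offered for that IP
    target_ip: str   # host whose ARP cache the reply would update


def monitor(replies: List[ArpReply], static: Dict[str, str] = STATIC_BINDINGS) -> List[str]:
    """Return alerts for replies that contradict static or previously learned IP-to-MAC bindings."""
    alerts: List[str] = []
    bindings = dict(static)                      # IP -> MAC, static entries seeded first
    ips_per_mac: Dict[str, Set[str]] = defaultdict(set)
    flagged_macs: Set[str] = set()
    for r in replies:
        expected = bindings.get(r.sender_ip)
        if expected is None:
            bindings[r.sender_ip] = r.sender_mac  # first sighting of this IP: learn it
        elif expected != r.sender_mac:
            kind = "static binding contradicted" if r.sender_ip in static else "learned binding changed"
            alerts.append(f"{r.sender_ip}: {kind}; expected {expected}, reply to {r.target_ip} "
                          f"claims {r.sender_mac} (possible ARP poisoning)")
        ips_per_mac[r.sender_mac].add(r.sender_ip)
        if len(ips_per_mac[r.sender_mac]) > 1 and r.sender_mac not in flagged_macs:
            flagged_macs.add(r.sender_mac)
            alerts.append(f"{r.sender_mac} answers for several IPs: {sorted(ips_per_mac[r.sender_mac])}")
    return alerts


# Constructed captures: a normal exchange, then the same segment with a poisoner inserting itself
# between the gateway (10.0.5.1) and an HMI (10.0.5.20).
NORMAL = [
    ArpReply("10.0.5.1", "00:80:63:aa:bb:01", "10.0.5.20"),
    ArpReply("10.0.5.20", "00:80:63:10:20:30", "10.0.5.1"),
]
POISONED = NORMAL + [
    ArpReply("10.0.5.1", "00:80:63:de:ad:99", "10.0.5.20"),
    ArpReply("10.0.5.20", "00:80:63:de:ad:99", "10.0.5.1"),
]

if __name__ == "__main__":
    print("normal traffic:", monitor(NORMAL) or "no alerts")
    for alert in monitor(POISONED):
        print("ALERT", alert)
```

A changed learned binding is an indicator, not proof: a replaced network card produces the same alert, so the event needs to be checked against maintenance records.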


4.6. ICMP Smurf

In a Smurf attack, the attacker spoofs the target's IP address, sending ICMP Echo Requests (pings) to the broadcast address on an intermediary network. As a result, the target host is flooded with replies and its resources become exhausted, so legitimate users cannot access the server. The ICMP Smurf attack is the same as an ICMP flood attack, except that Smurf attacks use other networks to multiply the number of requests.


4.7. The PING of Death

A feature of TCP/IP is to allow fragmentation by separating a single IP packet into smaller segments. When fragmentation is performed, each IP fragment needs to carry information about which part of the original IP packet it contains. This information is kept in the Fragment Offset field in the IP header.

The PING of death attack sends an ICMP Echo Request (ping) as multiple fragments whose reassembled size is larger than the maximum IP packet size (65,535 bytes). Since the received ICMP Echo Request packet is larger than the allowed IP packet size, the remote system crashes while attempting to reassemble the packet.


4.8. UDP Flood Attack

A UDP flood attack is similar to ICMP flooding. The difference is that UDP datagrams of different sizes are used. In the UDP flood attack, the attacker sends a UDP packet to a random port on the victim's system. When the victim's system receives a UDP packet, it checks to see if there is an application listening at that port. If not, it replies with an ICMP Destination Unreachable packet to the (unreachable, spoofed) source IP address. If enough UDP packets are delivered to enough ports on the victim, the system will go down.

The primary motivation of the UDP flood attack is not to break into a system but to make the target system deny service to legitimate users.

4.9. Teardrop Attack

The teardrop attack is the most popular fragment attack method. It involves inserting false offset information into fragmented packets. As a result, during reassembly there are empty or overlapping fragments that can cause the system to crash. The primary motivation of the teardrop attack is to hang or crash a system.
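The three malformed-packet attacks in this appendix (4.4 land, 4.7 ping of death, 4.9 teardrop) are all caught by validating header fields before acting on them. The following Python checks, an added example rather than code from the STN, flag a SYN whose source and destination addresses and ports coincide, and a fragment set that would reassemble beyond 65,535 bytes, overlaps itself, or leaves a hole. Fragments are modelled by the IP Identification, the Fragment Offset (in 8-byte units as carried in the header), the payload length and the MF flag; the sample sets are constructed.

```python
"""Header sanity checks for land, ping-of-death and teardrop style packets (constructed example)."""
from dataclasses import dataclass
from typing import List

MAX_IP_DATAGRAM = 65535  # Total Length is a 16-bit field, so this is the largest legal datagram


@dataclass(frozen=True)
class Fragment:
    ident: int     # IP Identification field, shared by all fragments of one datagram
    offset8: int   # Fragment Offset field, in 8-byte units, as carried in the header
    length: int    # bytes of payload carried by this fragment
    more: bool     # MF (More Fragments) flag


def is_land_packet(src_ip: str, src_port: int, dst_ip: str, dst_port: int, syn: bool) -> bool:
    """A SYN whose source and destination endpoints are identical can only be forged."""
    return syn and src_ip == dst_ip and src_port == dst_port


def check_reassembly(frags: List[Fragment]) -> List[str]:
    """Validate a complete fragment set before reassembling it; an empty list means it is safe."""
    if not frags:
        return ["no fragments"]
    if len({f.ident for f in frags}) != 1:
        return ["fragments carry different Identification values"]
    problems: List[str] = []
    ordered = sorted(frags, key=lambda f: f.offset8)
    next_expected = 0  # byte position the next fragment should start at
    for f in ordered:
        start = f.offset8 * 8
        end = start + f.length
        if end > MAX_IP_DATAGRAM:
            problems.append(f"fragment at {start} ends at {end}, beyond {MAX_IP_DATAGRAM} bytes (ping of death)")
        if start < next_expected:
            problems.append(f"fragment at {start} overlaps data already covered up to {next_expected} (teardrop)")
        elif start > next_expected:
            problems.append(f"hole between {next_expected} and {start} (empty fragment)")
        next_expected = max(next_expected, end)
    if ordered[-1].more:
        problems.append("highest fragment still has MF set: datagram incomplete")
    return problems


# Constructed fragment sets.
NORMAL_PING = [Fragment(1, 0, 1480, True), Fragment(1, 185, 20, False)]  # one 1500-byte datagram
PING_OF_DEATH = [Fragment(2, i * 185, 1480, True) for i in range(44)] + [
    Fragment(2, 44 * 185, 1000, False)                                   # last piece ends at 66120
]
TEARDROP = [Fragment(3, 0, 36, True), Fragment(3, 3, 36, False)]          # second starts at 24 < 36

if __name__ == "__main__":
    print("land:", is_land_packet("192.0.2.10", 139, "192.0.2.10", 139, True))
    for name, frags in [("normal", NORMAL_PING), ("ping of death", PING_OF_DEATH), ("teardrop", TEARDROP)]:
        print(f"{name}: {check_reassembly(frags) or 'ok'}")
```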


Due to the evolution of standards and equipment, characteristics indicated in the texts and images in this document are binding only after confirmation by our departments.

Print: Version 1.2 – 03 2011

Schneider Electric Industries SAS
Head Office France
35 rue Joseph Monier
92506 Rueil-Malmaison Cedex
www.schneider-electric.com