Fundamental Principles of Ethernet Security Firewalls in Industrial Environments
by Joseph Benedetto

Executive summary
Security incidents rise at an alarming rate each year.
As the complexity of the threats increases, so do the
security measures required to protect industrial
networks. Plant operations personnel need to
understand security basics as plant processes integrate
with outside networks. This paper reviews network
security fundamentals, with an emphasis on firewalls
specific to industry applications. The variety of firewalls
is defined, explained, and compared.

998-2095-02-13-14AR0
Fundamental Principles of Ethernet Security in Industrial Environments

Introduction

If hackers can download a medical formula from a pharmaceutical firm, they could alter that
medication by making a slight variation in the formula. In the automotive industry a hacker
might alter a robotics program and cause it to make a defective part or to dump material
where it should not belong or alter the timing of a particular process. In an oil industry control
application, hacker meddling could result in a damaging spill.
As manufacturing processes and factories become more “wired”, vulnerabilities in network
devices become targets for individuals writing worms and viruses. These threats work against
the ultimate goal of protecting the industrial environment from any business loss, including
network failure and process line inefficiency.
One of the measures that can be taken to lower the level of risk is the deployment of proper
“firewalls”. A firewall is hardware and / or software used to protect network-connected devices
or network segments from unauthorized access. In an industrial Ethernet application, a
firewall device is inserted in the physical path between the control network and the plant or
corporate networks and enforces the separation between them. It can also be used to create
secure control zones within the control network.
In a typical firewall installation, the connection coming from the plant network to the firewall is
referred to as the “untrusted” port or connection. The port that will connect to the control
network is referred to as the “trusted” connection (see Figure 1).

Figure 1. The firewall serves as a barrier to unwanted outside intrusion while allowing
legitimate data to communicate with key equipment components. (Diagram: the Internet and
everything outside of the plant on the untrusted connection; the firewall; the automation
system on the trusted connection.)

The firewall’s basic function is to control message transmission. It is designed to block
unauthorized access while permitting authorized communication to the devices connected on
the “trusted” side of the firewall. It can be configured by the user to permit, deny, encrypt,
decrypt or act as an intermediary device (proxy) for all (in and out) traffic between different
security domains based upon a set of rules.
The first step in determining a system’s security requirements is to conduct a survey. The
survey identifies all the possible points of access and assists in determining the number and
location of firewalls needed in the system.
The firewall plays an important role in the overall protection of an industrial control network.
The control system requires fast data throughput so that it can provide a rapid response to
changes in the operation. At the same time, the control system needs the protection of the
firewall to block all unwanted and unauthorized traffic to its devices, so that the traffic they
receive comes only from authorized sources and uses only the permitted protocols and
services.

Schneider Electric White Paper

Revision 0

Page 2

Firewall categories

Three general categories of firewalls exist to protect industrial Ethernet applications. Each
provides a different level of protection. The choice of firewall should be based on the
application requirements, the level of risk that can be tolerated, and the impact on the system
should it be targeted for attack. Below are descriptions of the three firewall categories:

• Packet Filtering Firewalls: These firewalls check the header of each incoming or outgoing
packet (source address, destination address, protocol, and source and destination port,
which together identify the service) and accept or reject the packet by comparing those
fields against a set of predefined rules called Access Control Lists (ACLs). This is a low
cost solution that examines packet headers only, not the packet contents, and keeps no
memory of earlier packets. A skilled attacker can circumvent it, for example by choosing a
source address or source port that matches a permissive rule. Packet filtering firewalls are
not recommended for high risk areas because they do not authenticate the sender and
cannot conceal the protected network’s architecture.

• Stateful Inspection Firewalls: These firewalls track each connection (the TCP handshake
and teardown, or a timed pseudo-connection for UDP) in a state table and check every
packet against both the rule set and that table. An inbound packet is accepted only if it
belongs to a connection that was opened from the trusted side, or one that the rules
explicitly permit to be opened from outside; a standing rule for “return traffic” is no longer
needed. Stateful inspection works on network and transport layer headers and does not by
itself validate application layer content. Stateful inspection firewalls provide a high level of
security and good performance but can be expensive and complex to configure.

• Application-Proxy Gateway: The application-proxy gateway terminates each connection,
examines the traffic at the application layer, filters it against rules specific to the protocol
(for example, which commands or function codes are permitted), and then reissues the
permitted requests to the target device over its own connection. Application proxy
gateways provide the highest level of protection of the three, but the added processing
introduces delay that can affect the control system’s response time. Their use is therefore
not recommended for time-critical control traffic; where they are used, the delay must be
measured against the timing requirements of the control loop.

Firewall application

The security goal of a factory or other industrial site is to protect the control network and all of
its devices from any attacks. One consideration when implementing firewalls is the nature of
devices to be protected and how these devices are accessed as part of normal operation.
When applying a firewall to create a physical separation between the control network and the
plant and corporate networks, the simple solution would be to install a single firewall device
at the connection point between the plant floor’s control network and the remainder of the
plant and company networks. This approach is illustrated in Figure 2 on page 4.
In the Figure 2 system configuration, the firewall provides protection between the plant
network and the control network. However this configuration does not isolate the
Programmable Logic Controller (PLC) system from the Human Machine Interface (HMI) and
Historian system. These types of devices are often located on PC-based systems that run
standard operating systems. This makes them easier targets for attackers seeking to enter
the system. These systems are accessed by devices on the plant network as well as by the
PLC systems, increasing the risk that an attack reaches the PLC system that controls an
operation or process. In addition, since these devices are PC-based, they can be accessed
by multiple users who could intentionally or unintentionally introduce malware or corrupt the
system. The simple act of loading a new version of a software package or using another
software package that is also running on the PC can introduce a risk to the PLC system.
The PLC system is traditionally based on a custom hardware design and utilizes a
manufacturer-specific operating system. This makes the PLC system more difficult for an
attacker to access, but in no way is the system 100% safe. If a PC-based device such as an
HMI or Supervisory Control and Data Acquisition (SCADA) system is on the same ‘trusted’
side of the firewall as the PLC, then there is a risk that an attack on the SCADA system will
affect the PLC, because nothing between the two filters the traffic a compromised SCADA
system sends.

Figure 2. A single firewall device at the connection point between the plant floor’s control
network and the remainder of the plant and company networks. (Diagram: corporate network
and Internet; plant network on the untrusted port; firewall; trusted port to the control network,
which carries the HMI, the Historian and the PLC system with Ethernet I/O.)

The solution is to create a network architecture that includes a separate isolated area for
network devices such as HMI, SCADA systems and Historians, and that is capable of
communicating with both the plant network and the PLC control system. This isolation is
accomplished by using two firewalls, one connecting the plant network to the HMI, SCADA
systems and Historians, and a second connecting these devices to the PLC control system.
This isolated area, referred to as the demilitarized zone (DMZ), provides a controlled means
for sharing data between zones: plant-side hosts reach only the DMZ servers, and only the
DMZ servers are permitted through the second firewall to the controllers. Figure 3 illustrates
this more secure configuration.

Figure 3. Two firewalls create a separate and isolated area (the DMZ) to protect important
assets. (Diagram: plant and corporate network and Internet; firewall; DMZ holding the local
server and the devices accessed by both the control and plant networks; second firewall;
control network with the PLC system with Ethernet I/O.)


For critical control applications where it is necessary to isolate a particular control system
from the other control systems on the control network, a firewall can be used to create an
isolated zone. In control applications such as emergency shutdown systems or the control of
a critical process, the security provided by the additional firewall can easily justify its cost.
In Figure 4, two firewalls are used to create a DMZ between the plant network and the
control network. The DMZ isolates the control network, and all of the control devices
connected to the network, from an attack coming from the plant or company networks. The
control system in work cell 3 is controlling a critical process that requires a higher level of
security. A firewall is applied between the PLC in work cell 3 and the switch that connects the
three work cells to the firewall in the DMZ. In this configuration, work cell 3 is protected from
unauthorized access by devices that are inside of the control network.
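
An added example, not from the white paper, that writes down the Figure 3 and Figure 4
architecture as a zone policy and checks it in Python. The zone names, the host names
(office_pc, historian, hmi, plc_cell1 to plc_cell3), the firewall names and the service names are
assumptions chosen to match the figures’ labels; the control protocol is left abstract as
“control_protocol”. Each of the three firewalls has its own allow list with default deny, and a flow
is permitted only if every firewall on the path between the two zones permits it. The audit
function enumerates every plant-side host against every controller to confirm that no direct
path exists, which is the property the DMZ is meant to guarantee, and it also shows that work
cell 3 refuses traffic from the other cells inside the control network.

```python
"""Zone policy for the two-firewall DMZ with a protected work cell (Figures 3 and 4).

Added example; not from the white paper. Zone, host, firewall and
service names are assumptions chosen to match the figure labels.
"""
from itertools import product

# Zones in path order; each adjacent pair is separated by one firewall.
# PLANT <-fw_outer-> DMZ <-fw_inner-> CONTROL <-fw_cell3-> CELL3
PATH = ["PLANT", "DMZ", "CONTROL", "CELL3"]
FIREWALLS = {("PLANT", "DMZ"): "fw_outer",
             ("DMZ", "CONTROL"): "fw_inner",
             ("CONTROL", "CELL3"): "fw_cell3"}

# Constructed hosts and the zone each sits in.
HOSTS = {
    "office_pc": "PLANT",
    "historian": "DMZ",
    "hmi": "DMZ",
    "plc_cell1": "CONTROL",
    "plc_cell2": "CONTROL",
    "plc_cell3": "CELL3",
}

# Per-firewall allow rules as (source, destination, service); a source or
# destination may be a host name or a zone name. Anything unlisted is denied.
RULES = {
    "fw_outer": [("PLANT", "historian", "reports"),
                 ("PLANT", "hmi", "remote_view")],
    "fw_inner": [("hmi", "CONTROL", "control_protocol"),
                 ("hmi", "CELL3", "control_protocol"),
                 ("historian", "CONTROL", "control_protocol"),
                 ("historian", "CELL3", "control_protocol")],
    "fw_cell3": [("hmi", "plc_cell3", "control_protocol")],
}


def firewalls_between(src_zone, dst_zone):
    """Firewalls a packet crosses between two zones (none inside one zone)."""
    i, j = PATH.index(src_zone), PATH.index(dst_zone)
    lo, hi = sorted((i, j))
    return [FIREWALLS[(PATH[k], PATH[k + 1])] for k in range(lo, hi)]


def rule_matches(rule, src, dst, service):
    rs, rd, rsvc = rule
    return (rs in (src, HOSTS[src]) and rd in (dst, HOSTS[dst])
            and rsvc == service)


def allowed(src, dst, service):
    """True only if every firewall on the path permits the flow.

    Hosts in the same zone share a switch, so no firewall is consulted."""
    fws = firewalls_between(HOSTS[src], HOSTS[dst])
    return all(any(rule_matches(r, src, dst, service) for r in RULES[fw])
               for fw in fws)


def direct_plant_to_control(services):
    """Audit: every plant-side host that can reach a controller for any service."""
    leaks = []
    for src, dst, svc in product(HOSTS, HOSTS, services):
        if (HOSTS[src] == "PLANT" and HOSTS[dst] in ("CONTROL", "CELL3")
                and allowed(src, dst, svc)):
            leaks.append((src, dst, svc))
    return leaks


if __name__ == "__main__":
    checks = [("office_pc", "historian", "reports"),
              ("office_pc", "plc_cell1", "control_protocol"),
              ("hmi", "plc_cell3", "control_protocol"),
              ("plc_cell1", "plc_cell3", "control_protocol")]
    for src, dst, svc in checks:
        print(f"{src:>10} -> {dst:<10} {svc:<17} {'allow' if allowed(src, dst, svc) else 'deny'}")
    print("direct plant-to-control paths:",
          direct_plant_to_control(["reports", "remote_view", "control_protocol"]))
```

The same shape of check can be run against an exported rule set from real firewalls before a
change is committed; the value is in asking the path question for every pair rather than
reading each firewall’s rules in isolation.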

Figure 4. In this configuration, work cell 3 is provided the highest level of security. (Diagram:
plant and corporate network and Internet; firewall; DMZ with the local server and the devices
accessed by both the control and plant networks; second firewall; control network with work
cell 1 (PLC system with remote I/O), work cell 2 (PLC system with multi-rack I/O) and work
cell 3 (PLC system with Ethernet I/O) behind its own firewall.)

Firewall capabilities

An industrial-grade firewall provides protection from systems and devices that are connected
to the unsecured plant and / or corporate networks. The firewall must be properly configured
and located at every network access point into the control network. Listed below are some
capabilities which help to enhance the effectiveness of the firewall:

• Separation of the control network from the plant and corporate networks, with the firewall
inserted in the physical path between them

• Segmentation of control networks into security zones

• Designation of an “untrusted” port for the connection to plant and corporate networks,
which lie outside the firewall’s protection

• Designation of a “trusted” port for the connection to the control network and the devices
it protects

• Configuration of a control network structure that is invisible to the outside (for example,
through address translation and by dropping unsolicited probes) so that hackers cannot
determine the types of devices on the network

• Restriction of network traffic and selected services to authorized devices only, while still
allowing protected information to be viewed by authorized users

• Support of Ethernet link “handshaking” on its ports: autonegotiation, autopolarity,
auto-crossover (auto-MDI/MDI-X) and full- or half-duplex operation

• Control of communications based on the IP addresses of source and destination devices,
the categories of data that can be transmitted and received, and the matching of each
device’s access to the services it legitimately provides

• Stateful packet inspection for assurance that every inbound packet belongs to a
connection that is already established (typically opened by an outbound request from the
trusted side) or that the rules explicitly permit

• Dynamic packet filter inspection of data packet source and destination addresses so
that undesired traffic can be blocked

• Virtual Private Network (VPN) connection so that secure transfer of data over public
networks to selected devices can be assured

• Protection from the flooding of devices with too much traffic or too many connections
through use of a Denial of Service traffic limiter

• Provision of security alarm and event logging information that can indicate when an
attack or device failure is occurring

• Determination of which protocols and services should run over which ports of a device
• Antivirus scanning of HTTP, FTP, SMTP and POP3 traffic
• Encryption capabilities that include Data Encryption Standard (DES), 3DES, and
Advanced Encryption Standard (AES). DES and 3DES are deprecated and should not be
selected for new configurations; use AES.

• Network Address Translation (1:1 NAT) with protocol helpers for FTP and IRC, and
Point-to-Point Tunneling Protocol (PPTP) pass-through (in router modes). PPTP’s
authentication and encryption are known to be weak, so it should not be relied on to
protect control traffic.
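
An added example, not from the white paper or from any firewall product, modelling two of the
capabilities listed above in Python: a Denial of Service traffic limiter (one token bucket per
source address, so a single flooding host cannot starve the HMI’s legitimate polling) and
security event logging with a simple alarm rule, followed by a detection pass over the resulting
log lines. The limits (5 new connections per second, a burst of 10, an alarm after 20 drops), the
addresses and the traffic trace are all constructed for the example; times are integer
milliseconds and tokens are scaled by 1000 so the arithmetic is exact.

```python
"""Per-source connection rate limiting with event logging and alarms.

Added example; not code from the white paper or any firewall firmware.
Limits, addresses and the traffic trace are constructed for illustration.
"""
from collections import defaultdict


class TokenBucket:
    """Permits `rate` new connections per second, bursting up to `burst`."""

    def __init__(self, rate, burst):
        self.rate = rate               # tokens/s == millitokens per millisecond
        self.cap = burst * 1000
        self.mtokens = self.cap
        self.last_ms = 0

    def take(self, now_ms):
        self.mtokens = min(self.cap, self.mtokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.mtokens >= 1000:
            self.mtokens -= 1000
            return True
        return False


class DosLimiter:
    """One bucket per source, so a flood from one host cannot starve the others."""

    def __init__(self, rate=5, burst=10, alarm_after=20):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))
        self.drops = defaultdict(int)
        self.alarm_after = alarm_after
        self.log = []                  # syslog-like event lines, oldest first

    def connection_attempt(self, now_ms, src, dst, dport):
        if self.buckets[src].take(now_ms):
            return "allow"
        self.drops[src] += 1
        self.log.append(f"{now_ms} DROP src={src} dst={dst} dport={dport} reason=rate-limit")
        if self.drops[src] == self.alarm_after:
            self.log.append(f"{now_ms} ALARM src={src} drops={self.drops[src]} msg=connection-flood")
        return "drop"


def alarmed_sources(log_lines):
    """Detection over the event log: every source that raised an ALARM."""
    found = []
    for line in log_lines:
        fields = line.split()
        if len(fields) > 2 and fields[1] == "ALARM":
            kv = dict(f.split("=", 1) for f in fields[2:])
            found.append(kv["src"])
    return found


# Constructed addresses: PLC and HMI on the trusted side, attacker on the plant network.
PLC, HMI, ATTACKER = "192.168.10.5", "192.168.10.20", "10.2.9.9"


def run_trace():
    """Constructed trace: the HMI polls once per second (plus one extra poll
    during the flood) while 10.2.9.9 opens 50 connections 10 ms apart from t = 2 s."""
    fw = DosLimiter(rate=5, burst=10, alarm_after=20)
    attempts = [(t * 1000, HMI) for t in range(10)] + [(2050, HMI)]
    attempts += [(2000 + 10 * k, ATTACKER) for k in range(50)]
    counts = defaultdict(int)
    for now_ms, src in sorted(attempts):
        counts[(src, fw.connection_attempt(now_ms, src, PLC, 502))] += 1
    return {
        "hmi_allowed": counts[(HMI, "allow")],
        "hmi_dropped": counts[(HMI, "drop")],
        "attacker_allowed": counts[(ATTACKER, "allow")],
        "attacker_dropped": counts[(ATTACKER, "drop")],
        "alarms": alarmed_sources(fw.log),
    }


if __name__ == "__main__":
    print(run_trace())
```

With these limits the attacker gets its burst of 10 through, then one connection every 200 ms
while the bucket refills, and the rest are dropped and logged; the HMI is never affected
because it draws on its own bucket. Raise the alarm on a per-source drop count rather than
on any single drop, otherwise a busy but legitimate host produces noise that buries real floods.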

Firewall limitations
A properly configured firewall will not protect against the following:

• Unauthorized access through connections that bypass the firewall (such as a dial-up
modem attached directly to a control device)

• Internal attacks where the attacker is already on the trusted side and connects to the
control system without passing through the firewall

• Software vulnerabilities where software packages used in the control system, such as
HMI or SCADA, do not have up-to-date patches

• User error and social engineering
• Viruses or malware that enter the control system through an unprotected connection (for
example, on removable media or a maintenance laptop brought onto the plant floor)

Industrial vs. IT grade firewall

In most organizations, the IT group is often tasked with Ethernet security installation,
maintenance of firewalls, and other security measures. IT team members should be part of
the industrial system survey process, but the selection of firewall devices should be based on
the needs and capabilities of the control engineers who will be implementing and maintaining
the firewalls as part of the control systems. Industrial grade firewalls are different from
commercial / IT grade firewalls. In control applications where interruptions in operation cannot
be tolerated, an industrial grade firewall is the correct choice. Table 1 illustrates some of the
important differences between IT and Industrial firewalls.

Table 1. Industrial grade firewalls compared with IT / commercial firewalls

Industrial grade firewalls | IT / commercial firewalls
Can be configured by control engineer using web-based tools, IT knowledge not required | Requires IT personnel to configure and maintain these devices and requires knowledge of complex tools
Designed to integrate with industrial controls | Designed for an office environment, not part of the automation system, making dedicated protection for each system difficult
Designed for continuous operation | Shutdowns, reboots and unplanned interruption to operation accepted in IT world
Divides automation system into work cells, provides protection by isolation | Centralized security appliance which leaves security gaps at plant level
Hardware made of industrial grade components that withstand harsh environments (vibration, shock, heat) | Requires fan or cooling to work on the plant floor
Meets control system component standards | Susceptible to electrical noise found in industrial environments
Maintenance can be performed by technician or engineer | Must be configured by IT department

“Commercial firewall technology is not designed to protect industrial process control networks.”

Conclusion

Security is a process that begins with a plan that defines the roles and responsibilities of
plant personnel, the types of actions and activities that are allowed to be performed, and
some clearly communicated consequences for non-compliance.
An assessment of critical systems should be performed to identify communication paths and
potential external access points. Network attached devices should be audited to determine
both security capabilities and vulnerabilities.
A firewall is an integral part of any overall system security solution, but by itself, a firewall will
only protect the point of entry that it is connected to. No firewall system is 100%
impenetrable, but a robust firewall will deter hackers and encourage them to look elsewhere
for easier targets to exploit.

About the author
Joseph Benedetto is responsible for the global development of Schneider Electric's
Industrial Ethernet Infrastructure products business. Over the last 35 years he has
specialized in developing solutions for Schneider Electric’s Industrial Automation customers.
Over his career he has held various roles including: Product Marketing, Industry Marketing,
System Engineering and Application Engineer. Mr. Benedetto holds a Bachelor of Science
degree in Industrial Engineering from Northeastern University.

© 2014 Schneider Electric. All rights reserved.
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 

Are your industrial networks protected...Ethernet Security Firewalls

Fundamental Principles of Ethernet Security Firewalls in Industrial Environments
by Joseph Benedetto

Executive summary
Security incidents rise at an alarming rate each year. As the complexity of the threats increases, so do the security measures required to protect industrial networks. Plant operations personnel need to understand security basics as plant processes integrate with outside networks. This paper reviews network security fundamentals, with an emphasis on firewalls specific to industry applications. The variety of firewalls is defined, explained, and compared.

998-2095-02-13-14AR0

Introduction
If hackers can download a medical formula from a pharmaceutical firm, they could alter that medication by making a slight variation in the formula. In the automotive industry a hacker might alter a robotics program and cause it to make a defective part, to dump material where it should not belong, or to alter the timing of a particular process. In an oil industry control application, hacker meddling could result in a damaging spill.

As manufacturing processes and factories become more “wired”, vulnerabilities in network devices can become targets for individuals writing worms and viruses. These threats are disruptive to the ultimate goal of protecting the industrial environment from any business loss, including network failure and process line inefficiency.

One of the measures that can be taken to lower the level of risk is the deployment of proper “firewalls”. A firewall is hardware and / or software used to protect network-connected devices or network segments from unauthorized access. In an industrial Ethernet application, a firewall can provide the physical separation between the control network and the plant or corporate networks. It can also be used to create secure control zones within the control network.

In a typical firewall installation, the connection coming from the plant network to the firewall is referred to as the “untrusted” port or connection. The port that will connect to the control network is referred to as the “trusted” connection (see Figure 1).

Figure 1 (diagram: Internet, untrusted connection, firewall, trusted connection, automation system): The firewall serves as a barrier to unwanted outside intrusion while allowing legitimate data to communicate with key equipment components.

The firewall’s basic function is to control message transmission. It is designed to block unauthorized access while permitting authorized communication to the devices connected on the “trusted” side of the firewall. It can be configured by the user to permit, deny, encrypt, decrypt or act as an intermediary device (proxy) for all traffic (in and out) between different security domains, based upon a set of rules.

The first step in determining a system’s security requirements is to conduct a survey. The survey identifies all the possible points of access and assists in determining the number and location of firewalls needed in the system.

The firewall plays an important role in the overall protection of an industrial control network. The control system requires fast data throughput so that it can provide a rapid response to changes in the operation. At the same time, the control system needs the protection of the firewall to block all unwanted and unauthorized traffic to devices, to ensure that the data they receive is correct.

Firewall categories
Three general categories of firewalls exist to protect industrial Ethernet applications. Each provides a different level of protection. The choice of firewall should be based on the application requirements, the level of risk that can be tolerated, and the impact on a system should that system be targeted for attack. Below are descriptions of the three firewall categories:

• Packet Filtering Firewalls: These firewalls check each incoming or outgoing message packet for its source address, destination address, and function. The firewall accepts or rejects the message based on a comparison to a number of predefined rules called Access Control Lists (ACLs). This is a low cost solution that examines the message packet headers only and not the overall packet content. This type of firewall is easy to circumvent by a skilled attacker. Packet filtering firewalls are not recommended for high risk areas due to their lack of authentication and their inability to conceal the protected network’s architecture.

• Stateful Inspection Firewalls: These firewalls inspect message packets for each transmission at the network layer and validate that the packets and their contents at the application layer are legitimate. Stateful inspection ensures that all inbound packets are the result of an outbound request. Stateful inspection firewalls provide a high level of security and good performance, but can be expensive and complex to configure.

• Application-Proxy Gateway: The application-proxy gateway examines every incoming packet at the application layer, filters the traffic based on specific application rules, and then reissues it to the target device. Application proxy gateways provide a high level of security, but have overhead delays that impact the network performance of the control system. Their use is therefore not recommended.

Firewall application
The security goal of a factory or other industrial site is to protect the control network and all of its devices from any attacks. One consideration when implementing firewalls is the nature of the devices to be protected and how these devices are accessed as part of normal operation.

When applying a firewall to create a physical separation between the control network and the plant and corporate networks, the simple solution would be to install a single firewall device at the connection point between the plant floor’s control network and the remainder of the plant and company networks. This approach is illustrated in Figure 2.

In the Figure 2 system configuration, the firewall provides protection between the plant network and the control network. However, this configuration does not isolate the Programmable Logic Controller (PLC) system from the Human Machine Interface (HMI) and Historian system. These types of devices are often located on PC-based systems that run standard operating systems. This makes them easier targets for attackers seeking to enter the system. These systems are accessed by devices on the plant network as well as by the PLC systems, increasing the risk that an attack reaches the PLC system that controls an operation or process. In addition, since these devices are PC-based, they can be accessed by multiple users who could intentionally or unintentionally introduce malware or corrupt the system. The simple act of loading a new version of a software package, or using another software package that is also running on the PC, can introduce a risk to the PLC system.

The PLC system is traditionally based on a custom hardware design and utilizes a manufacturer-specific operating system. This makes the PLC system more difficult for an attacker to access, but in no way is the system 100% safe. If a PC-based device such as an HMI or Supervisory Control and Data Acquisition (SCADA) system is on the same “trusted” side of the firewall as the PLC, then there is a risk that an attack on the SCADA system will affect the PLC.

Figure 2 (diagram: corporate network and Internet, untrusted port, firewall, trusted port, plant network, control network with HMI, Historian and PLC system with Ethernet I/O): This illustration features a single firewall device at the connection point between the plant floor’s control network and the remainder of the plant and company networks.

The solution is to create a network architecture that includes a separate isolated area for network devices such as HMI, SCADA systems and Historians, and that is capable of communicating with both the plant network and the PLC control system. This isolation is accomplished by using two firewalls, one connecting the plant network to the HMI, SCADA systems and Historians, and a second connecting these devices to the PLC control system. This isolated area, referred to as the demilitarized zone (DMZ), provides a safe and secure means for sharing data between zones. Figure 3 illustrates this more secure configuration.

Figure 3 (diagram: plant and corporate network and Internet, firewall, DMZ containing a local server accessed by the control and plant networks, second firewall, control network with PLC system with Ethernet I/O): In this configuration, two firewalls are present in order to create a separate and isolated area to protect important assets.
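The distinction between a packet filtering firewall and a stateful inspection firewall, and the two-firewall DMZ layout of Figure 3, can be modelled in a few dozen lines. The following is an added example, not code from the white paper or from Schneider Electric; the address plan, host addresses and rule sets are constructed for illustration, and Modbus/TCP on port 502 is assumed as the HMI-to-PLC protocol.

```python
# Added example, not code from the white paper or from Schneider Electric: a
# connection-tracking packet filter for the two-firewall DMZ of Figure 3. The
# address plan, hosts and rules are constructed; Modbus/TCP port 502 is assumed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
PLANT = ip_network("10.1.0.0/16")    # plant / corporate side: untrusted
DMZ = ip_network("10.2.0.0/24")      # HMI, SCADA, Historian
CONTROL = ip_network("10.3.0.0/24")  # PLCs and Ethernet I/O

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False  # True only for the first packet of a new connection

class Firewall:
    """Two-port filter. rules: (src_zone, dst_zone, proto, dport, action), first
    match wins, default deny both ways. stateful=True admits non-SYN packets only
    for flows opened through this firewall; stateful=False mimics a plain ACL
    whose "established" rule trusts the packet's own flags."""
    def __init__(self, trusted, untrusted, rules, stateful=True):
        self.trusted, self.untrusted, self.rules = trusted, untrusted, rules
        self.stateful, self.flows = stateful, set()  # flows: admitted 5-tuples

    def zone(self, addr):
        ip = ip_address(addr)
        return "trusted" if ip in self.trusted else "untrusted" if ip in self.untrusted else None

    def rule_action(self, src_zone, dst_zone, proto, dport):
        for s, d, p, port, action in self.rules:
            if (s, d, p) == (src_zone, dst_zone, proto) and port in (dport, "any"):
                return action
        return "deny"

    def filter(self, pkt):
        src_zone, dst_zone = self.zone(pkt.src), self.zone(pkt.dst)
        if src_zone is None or dst_zone is None or src_zone == dst_zone:
            return "deny"  # not traffic between this firewall's two sides
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if pkt.syn:  # new connection: consult the rule list
            action = self.rule_action(src_zone, dst_zone, pkt.proto, pkt.dport)
            if action == "permit":
                self.flows.add(fwd)
            return action
        if self.stateful:  # reply or mid-connection packet must match a known flow
            return "permit" if fwd in self.flows or rev in self.flows else "deny"
        # Stateless: a non-SYN packet between zones that may talk is taken as
        # "established" whether or not a matching connection was ever opened.
        talks = any(a == "permit" and p == pkt.proto and {s, d} == {src_zone, dst_zone}
                    for s, d, p, _, a in self.rules)
        return "permit" if talks else "deny"

# Figure 3: FW1 between plant and DMZ, FW2 between DMZ and control network.
FW1_RULES = [("untrusted", "trusted", "tcp", 443, "permit")]  # view HMI/Historian
FW2_RULES = [("untrusted", "trusted", "tcp", 502, "permit")]  # HMI polls the PLC

def build_figure3():
    return Firewall(DMZ, PLANT, FW1_RULES), Firewall(CONTROL, DMZ, FW2_RULES)

def demo():
    fw1, fw2 = build_figure3()
    plant, hmi, plc = "10.1.5.20", "10.2.0.10", "10.3.0.5"  # constructed hosts
    return {
        "plant -> HMI https": fw1.filter(Packet(plant, 50000, hmi, 443, syn=True)),
        "HMI reply to plant": fw1.filter(Packet(hmi, 443, plant, 50000)),
        "plant -> PLC directly": fw1.filter(Packet(plant, 50001, plc, 502, syn=True)),
        "HMI -> PLC Modbus": fw2.filter(Packet(hmi, 40000, plc, 502, syn=True)),
        "PLC reply to HMI": fw2.filter(Packet(plc, 502, hmi, 40000)),
        "PLC opens to DMZ": fw2.filter(Packet(plc, 44444, hmi, 80, syn=True)),
        "unsolicited non-SYN to PLC": fw2.filter(Packet(hmi, 443, plc, 40001)),
    }
```

Running `demo()` shows that the plant host can only reach the DMZ server, that the PLC is reachable only from the DMZ on the single permitted port, and that a non-SYN packet with no matching flow is dropped by the stateful filter but accepted by the same rule set in stateless mode.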
For critical control applications where it is necessary to isolate a particular control system from the other control systems on the control network, a firewall can be used to create an isolated zone. In control applications such as emergency shutdown systems or the control of a critical process, the security provided by the additional firewall can easily justify its cost.

In Figure 4, two firewalls are used to create a DMZ between the plant network and the control network. The DMZ isolates the control network, and all of the control devices connected to the network, from an attack coming from the plant or company networks. The control system in work cell 3 is controlling a critical process that requires a higher level of security. A firewall is applied between the PLC in work cell 3 and the switch that connects the three work cells to the firewall in the DMZ. In this configuration, work cell 3 is protected from unauthorized access by devices that are inside the control network.

Figure 4 (diagram: plant and corporate network and Internet, DMZ with local server and firewalls, control network with work cells 1, 2 and 3 using PLC systems with remote I/O, multi-rack I/O and Ethernet I/O): In this configuration, work cell 3 is provided the highest level of security.

Firewall capabilities
An industrial grade firewall provides protection from systems and devices that are connected to the unsecured plant and / or corporate networks. The firewall must be properly configured and located at the network access points to the control network. Listed below are some capabilities which help to enhance the effectiveness of the firewall:

• Configuration of a physical separation between the control network and the plant and corporate networks
• Segmentation of control networks into security zones
• Identification of an “untrusted” port for the connection of plant networks to corporate networks that are unprotected by a firewall
• Configuration of a “trusted” port for connection to the control network and its devices that are protected
• Configuration of a control network structure that is invisible to the outside, so that hackers cannot determine the types of devices on the network
• Restriction of network traffic and selected services only to authorized devices, while still allowing secure information to be viewed by authorized users
• Allowance of communication “handshaking” for port connections that include autonegotiation, autopolarity, autocrossing and full or half duplex modes
• Control of communications messages based on IP addresses of source and destination devices, categories of data that can be transmitted and received, and proper alignment of device access to services provided
• Stateful packet inspection for assurance that all inbound data packets are the result of an outbound request
• Dynamic packet filter inspection of data packet source and destination addresses, so that undesired traffic can be blocked
• Virtual Private Network (VPN) connection, so that secure transfer of data over public networks to selected devices can be assured
• Protection from the flooding of devices with too much traffic or too many connections, through use of a Denial of Service Traffic Limiter
• Provision of security alarm and event logging information that can indicate when an attack or device failure is occurring
• Determination of which protocols and services should run over which ports of a device
• Anti-virus protection capability for HTTP, FTP, SMTP and POP3 protocols
• Encryption capabilities that include Data Encryption Standard (DES), 3DES, and Advanced Encryption Standard (AES)
• Network Address Translation (1:1 NAT) with FTP, IRC protocol that permits chatting, and Point-to-Point Tunneling Protocol (PPTP) pass through (in router modes)

Firewall limitations
A properly configured firewall will not protect against the following:

• Unauthorized access through connections that are not connected to the firewall (such as a dial-up modem)
• Internal attacks where the attacker bypasses the firewall and connects to the control system
• Software vulnerabilities where software packages used in the control system, such as HMI or SCADA, do not have up-to-date patches
• User error and human engineering
• Virus or malware that enters the control system through an unprotected connection

Industrial vs. IT grade firewall
In most organizations, the IT group is tasked with Ethernet security installation, maintenance of firewalls, and other security measures. IT team members should be part of the industrial system survey process, but the selection of firewall devices should be based on the needs and capabilities of the control engineers who will be implementing and maintaining the firewalls as part of the control systems.

Industrial grade firewalls are different from commercial / IT grade firewalls. In control applications where interruptions in operation cannot be tolerated, an industrial grade firewall is the correct choice. Table 1 illustrates some of the important differences between IT and industrial firewalls.

Table 1: Industrial grade vs. IT / commercial firewalls

Industrial grade firewalls:
• Can be configured by a control engineer using web-based tools; IT knowledge is not required
• Maintenance can be performed by a technician or engineer
• Designed to integrate with industrial controls
• Designed for continuous operation
• Divides the automation system into work cells and provides protection by isolation
• Hardware made of industrial grade components that withstand harsh environments (vibration, shock, heat)
• Meets control system component standards

IT / commercial firewalls:
• Requires IT personnel to configure and maintain these devices, and requires knowledge of complex tools
• Must be configured by the IT department
• Commercial firewall technology is not designed to protect industrial process control networks
• Shutdowns, reboots and unplanned interruptions to operation are accepted in the IT world
• Designed for an office environment, not part of the automation system, making dedicated protection for each system difficult
• Centralized security appliance, which leaves security gaps at plant level
• Requires a fan or cooling to work on the plant floor
• Susceptible to electrical noise found in industrial environments

Conclusion
A firewall is an integral part of any overall system security solution, but by itself a firewall will only protect the point of entry that it is connected to. No firewall system is 100% impenetrable, but a robust firewall will deter hackers and encourage them to look elsewhere for easier targets to exploit.

Security is a process that begins with a plan that defines the roles and responsibilities of plant personnel, the types of actions and activities that are allowed to be performed, and some clearly communicated consequences for non-compliance. An assessment of critical systems should be performed to identify communication paths and potential external access points. Network attached devices should be audited to determine both security capabilities and vulnerabilities.

About the author
Joseph Benedetto is responsible for the global development of Schneider Electric’s Industrial Ethernet Infrastructure products business. Over the last 35 years he has specialized in developing solutions for Schneider Electric’s Industrial Automation customers. Over his career he has held various roles including Product Marketing, Industry Marketing, System Engineering and Application Engineer. Mr. Benedetto holds a Bachelor of Science degree in Industrial Engineering from Northeastern University.

© 2014 Schneider Electric. All rights reserved.