High Performance, Secure VPN Servers for Remote Utility Industrial Automation Systems:

Transcription

1 High Performance, Secure VPN Servers for Remote Utility Industrial Automation Systems: A Water Pumping Station Security Case Study Alvis Chen Product Manager Moxa Inc.

2 Utility Automation systems Industrial Network Security: New Threats The convergence of IT and industrial automation networks has created great opportunity, but has also increased the security threats from hackers, worms, and viruses. Clearly, remote utility network administrators must rethink their network security measures. Ethernet networks have proliferated across most of today s workplaces, and that includes utilities such as pumping stations, electric substations, and oil pumping wells. Initial implementation of Ethernet networks at pumping stations disregarded security measures since most of these networks did not have external network access (i.e, a connection to the public internet). However, this safety is in fact illusory. However safe that may seem it turns out to be just the opposite. Studies have now shown that most attacks (83% 1 ) occur from within the intranet, and not as one might assume, from external internet connections. Further, PLCs and RTUs distributed within the network are not designed to support traditional firewall and anti-virus software protection such as would be used in an IT network. It can easily be the case that employees or equipment vendors use their company laptops outside the workplace network can contract various worms, viruses and other malicious malware threats. Those same laptops will be re-connected to the corporate network and propagate those threats, without even needing to encounter and breach network firewalls. Similar vectors of attack include thumb drives, malicious s, or other peripherals (smartphones, tablets, etc.) that are physically connected to the local LAN. In a recent high-profile example, in 2010 a particular SCADA system used worldwide was targeted by a specially developed SCADA worm known as Stuxnet. The worm was able to subvert windows-based automation systems, and particularly the associated PLCs that it was designed to attack. Incidents like this highlight the huge importance of security, which has now suddenly become a critical necessity for industrial automation networks. 1 Network Security: Managing the Risk and Opportunity, AT&T Survey and White Paper (2007) Released on November 20, 2011, all rights reserved. Moxa manufactures one of the world s leading brands of device networking solutions. Products include industrial embedded computers, industrial Ethernet switches, serial device servers, multiport serial boards, embedded device servers, and remote I/O solutions. Our products are key components of many networking applications, including industrial automation, manufacturing, POS, and medical treatment facilities. How to contact Moxa Tel: Fax: Web: info@moxa.com This document was produced by the Moxa Technical Writing Center (TWC). Please send your comments or suggestions about this or other Moxa documents to twc@moxa.com. Copyright Moxa Inc. 1

3 Security for Remote Access Pumping Station Network Overview Even though allowing remote access to industrial networks introduces many vulnerabilities, it would not be feasible to simply shut down or cut off these networks. Remote utilities dispersed over wide geographic areas, such as pumping stations, are usually numerous and for cost considerations must be managed from central locations. To do otherwise is simply infeasible, so new security measures be implemented. Administrators can protect against some of the security vulnerabilities by implementing the following: VPNs: Virtual Private Networks that allow secure remote access to a network over internal and external networks including the internet. Firewalls: To isolate the automation network from the business network and ultimately external networks. LAN security: To prevent unauthorized access to the network and nodes in the first place. Throughout the world there are countless pumping stations that handle water movement, generally from one reservoir to another. Pumping stations include wells that extract freshwater drinking supplies from ground wells, sewage lift stations that move collected wastewater to sewage treatment plants, and extensive land drainage systems that maintain reclaimed land that is below sea level. Pumping stations are usually a complex collection of distributed devices that can include sterilization equipment, ground and elevated storage tanks, and well and booster pumps. Most of these systems play vital roles to any human settlement and thus cyberterrorists targeting their operations are an obvious concern that must be addressed. Protection of the data acquisition and control systems therefore cannot be overlooked as attacking these resources can cripple a community. For example, pumping stations have traditionally used various SCADA control protocols intended for private network use. Adopting the use of Ethernet networks to be able to remotely monitor and control stations leaves those same SCADA protocols very vulnerable to attack. This is simply because there is a complete lack of authentication and encryption capability in private network SCADA systems, leaving them very insecure. Figure 1 illustrates a traditional water pumping station network. Without proper security, the Local Control Units (LCUs) in the local pumping control system is very vulnerable to attack. 2

4 WHITE PAPER Figure 1: A traditional water pumping station network, without security Security Challenges in Automated Pumping Stations Remote Access: With the wide-geographical placements of pumping stations comes the need for remote access. The approach to remote access must be both secure and economically feasible. When using Ethernet systems, particularly when utilizing existing intranet/internet networks, data transmission must be highly encrypted to thwart malicious attackers from intercepting packets transmitted. Hackers can use those packets to interpret the network topology and command structure to eventually control the system to their liking, so preventing access to the transmission is absolutely necessary. VPNs can be implemented bi-directionally between the pumping stations field sites and the control center. VPNs utilized must support encryption standards that cannot be hacked without extreme difficulty such as triple DES and AES with large key sizes that can generally only be broken using brute force methods. Although there are published attack methods for these encryption systems, they involve extreme methods that require huge operations numbers, beyond the practical feasibility. Video Surveillance: Typically, industrial automated networks using Ethernet are sensitive to delay issues and because of this the security measures that are implemented into the network cannot introduce performance diminishing delay into the system. Functions such as VPN or firewall services must provide the minimal transition delay when inspecting packets or encrypting and encapsulating packets for VPN transfer. Therefore any system utilized must provide enough processing horsepower to adequately perform security functions without any substantial loss in the 3

5 network performance. Otherwise the system selected may be so under-engineered as to disrupt the normal application requirements. Video surveillance requires that the network delay is kept to a minimum. Video packets are usually streamed using UDP so the delivery needs to be unaffected by security measures and the packet processing incurred by it. Video surveillance data needs to be transmitted securely thus VPNs need to be employed. Using a device with software encryption cannot meet the encryption demands that a high bandwidth video stream requires. Therefore it is essential that hardware encryption be employed to ensure that delay sensitive transmission of video is transmitted smoothly over secure VPN tunnels to centrally located CCTV recording equipment. In order to provide the capability to securely support video s high bandwidth requirement it becomes relatively clear that a separate stand-alone solution, i.e. a stand-alone device, is required. Utilizing existing network infrastructure may not have adequate processing capability to handle the additional security functions. Further, being able to maintain the deterministic system behavior in addition to carrying video feeds is therefore essential in any security device added to the network. Moreover, the device introduced must not prevent critical access or stop any missioncritical packets inadvertently resulting in system failure. In some circumstances that failure could be catastrophic. WAN Redundancy: Critical resources such as pumping stations that are being controlled and monitored remotely need connectivity that is highly reliable. That being said, it could be risky to design a solution without backup or redundant network connectivity over what is known in general terms as the Wide Area Network or WAN (a network linking broad geographical areas). In order to support that redundancy any device that acts as the control and monitoring gateway to critical remote pumping stations needs to support dual connectivity. Having two WAN links reduces to a minimum the likelihood that network connectivity is lost between the control center s LAN and the pumping stations LAN. Operations in Harsh Environments: Pumping stations are normally unmanned locations that do not provide controlled environmental housing for the control and network equipment located therein. Therefore it is absolutely necessary that the security hardware installed is robust enough to withstand large temperature and humidity fluctuations without performance degradation or failure. The hardware needs to be hardened to avoid the expense of craftspeople being dispatched or even more serious damage being caused by the pumping station failing itself. 4

6 WHITE PAPER Enabling a Secure Automation Network for Water Pumping Stations Figure 2: A water pumping station network, with security components in green IPSec VPN Server and Client for Remote Access: When a system has multiple geographically sites, such as dispersed remote pumping stations, operators need to be able to remotely access the pumping stations for both monitoring and control purposes. Remote access in the 21st century often means using the public internet to gain access from the control room. The gateway that acts as a firewall and authenticator to the network must support Virtual Private Networks or VPN tunnels that act as virtual encrypted pipes to ferry control and monitor IP packets securely back and forth between the pumping station and control centers. Having remote access not only saves travel time and costs but it can reduce system downtime. Although there are multiple VPN technologies, IPSec is the secure VPN protocol predominantly deployed and would need to be supported by the pumping station gateway to support the multiple VPN clients that an operator may choose. IPSec essentially sets up a secure channel over possibly multiple networks of which can be either: private, public or a combination of networks. It provides authentication with confidentiality of the party requesting the VPN tunnel and integrity in packet transfer so that the payload transferred (control and monitoring data) is protected using strong encryption methods. 5

7 Figure 3: VPN Solutions maintain security and provide remote access LAN Security, Port Access, 802.1x: The first line of defense for any network or intelligent device is to prevent unauthorized access into the system. Because of their remote nature, pumping station networks are particularly prone to unauthorized access. Monitoring of direct equipment access is not always feasible and moreover susceptible to attack over the public internet used for VPN access. Certain protocols such as RADIUS and TACACS+ provide credential authentication mechanisms that can make it difficult for attackers to gain direct network or device access by using the public internet to try and probe the system. With RADIUS the transmission of the user password is encrypted and with TACACS+ all the key authentication parameters are encrypted. For an unmanned station it is imperative that attackers who gain direct physical access to the station and its network are also defended against. As such the network devices deployed should support further authentication measures to prevent a user from simply connecting, for example, a laptop s NIC directly to an open Ethernet port of the installed network equipment x uses a port-based authentication method to authenticate devices that endeavor to gain access to the protected network. The devices must provide authentication credentials such as username and password or a security certificate to gain access with which 802.1x can then forward the credentials to a RADIUS server for validation. If unsuccessful i.e. an attacker is unable to provide valid credentials then the attempted access to the open ports is thwarted by blocking packet ingress to and egress from the port. Firewall between PLC/RTU Controller and External Traffic: The PLC and RTUs deployed to control pumping stations are highly susceptible to attack by various methods since these devices have never had the capability to support firewall and virus prevention software. Therefore, should a user gain access, attacking these devices and breaching the pumping station operations is relatively simple. The nature of PLC and RTU design prevents them from supporting overly-complex software so that they are extremely reliable at the task they are intended for. However, that leaves them rather vulnerable to external attack where a hacker can utilize simple techniques such as sending malformed packets, creating insecure HTTP and SMNP services that cannot be closed down, or sending valid commands such as, a firmware upgrade command that should not be sent. With this weakness in mind a network planner needs to include a stateful inspection firewall between the network s control devices and the external connectivity. A stateful inspection firewall inspects or eavesdrops all incoming and outgoing packets and 6

8 based on its preconfigured rules of allowable and disallowable packet content, it either passes or drops packets. The firewall further needs to be able to guard against malicious attacks without mitigating the network performance. To obtain that level of performance a network planner needs to include network access devices that sit at the edge of the network and have a hardware/software combination that can provide the necessary gateway performance to protect the network with minimal latency. Since automation networks commonly employ various Fieldbus protocols the firewall chosen needs to be able to restrict communications to the automated networks to only the associated port. Having a firewall with industrial Fieldbus settings means an automation engineer can easily implement the restriction without any over complex procedure. Figure 4: Firewall policies inspect traffic to maintain security Use DMZs for Public or Shared Servers: DMZ, or demilitarized zone, is often employed in IT solutions but also serves as a strong attack defense in automation networks. For maintenance or remote monitoring, some of the data servers or HTTP servers will need to be accessed often from public networks or the internet by common operators. To maintain security, we should islate these shared servers and control/scada servers into different networks. This way, general users can only access the shared servers, and are not given access to the control network. Industrial-grade Devices: As mentioned earlier a security device targeted for a pumping station needs to be hardened since usually unmanned pumping stations do not provide environmental control beyond perhaps a secure enclosure. Therefore the hardware needs to be designed to accommodate operation in very wide temperature ranges. If a cheaper IT enterprise unit is selected, its likelihood of failing becomes very high since these devices are usually only designed for narrow indoor controlled temperature ranges. Failure of such a device is more than just the cost of loss man hours required to replace it. It could very well mean pumping station failure which may tally far greater costs. 7

9 Utility Automation systems Further, any security device deployed would require a relatively robust housing targeted for the harsh conditions that a pumping station may encounter. The components need to be contained in a metal enclosure that will not crack from temperature issues or unexpected stresses from mechanical impact. Along with a durable and strong encasing the device should also support dual power input to give the operator an option of providing a second emergency power solution during primary power failures. Conformal Coating: In line with operating temperature range the devices selected also need protection from humidity. Constant changes in exterior humidity conditions can easily cause condensation within containers and possibly damage to a device s hardware resulting in operation failure. It is imperative that the device electronics are protected using modern conformal coating methods. The thin plastic film applied protects the hardware from contaminants and further acts to prevent corrosion in harsh environments. With the Right Tools, Remote Access and Security Can Go Together Utilizing an access device with IPSec VPN server mode means that craftspeople who need access to the pumping stations devices can securely tunnel from multiple remote locations including even their home. Without such a secure gateway installed access from remote locations over the public internet can be easily hacked using simple methods thereby mandating its use. Multiple videosurveillance cameras at each pumping station necessitates selecting a security gateway with hardware encryption to provide enough IPSec tunnel performance that will maintain smooth and secure video streams without affecting transmission of critical control and monitoring protocol packets.. Any gateway s firewall needs to support configurable stateful inspection of ingress packets to the pumping station network to provide a line of defense against not only external network attacks but by internally connected company devices infected from outside sources. On top of that, access to the gateway and other devices throughout the network should support modern (RADIUS or TACACS+) secure user authentication for remote attack attempts. And, for local physical access where a non-authorized person attempts to directly plug-in to the network, 802.1x port security should be employed.. Finally due to the remote locations, a pumping station gateway needs to be durable for the harsh environment it may face and have redundant systems in case the power and networks it relies on fails. Durable means not only designed for wide temperature ranges but also sturdy device design that includes rigid metal encasing with IP protection and special conformal coatings for the electronics to resist moisture and other chemical and dust attacks. Redundancy means the device needs both secondary power and WAN capabilities to maintain service when primary systems fail. Disclaimer This document is provided for information purposes only, and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied by law, including implied warranties and conditions of merchantability, or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. 8