T BOX MS. Introduction 8 (877) com. Using T BOX. Login HTTP. Firewalll OpenVPN. Enabled. an overview.

Transcription

1 T BOX MS Security Capabilities Introduction In order to meet contemporary security requirements in automation, monitoring, and SCADA applications, Semaphore has provided a broad range of security functionality in T BOX MS. The measures range from basic throughh advanced functions and include access control as well as industry standard reporting protocols. While access control is a preventative measure, the reporting features are important in documenting and adapting to intrusion attempts. Using T BOX MS, users are able to implement those security measuress that best suit requirements, which have been ascertained byy vulnerability assessments according to standard practices in their industries. Login HTTP HTTP Secure (HTTPS) Firewalll OpenVPN IEEE 802 1X DC09 Protocol Simple Network Management Protocol (SNMP) Industrial Defender Enabled Following is an overview of each of the securityy provisions included in T BOX MS.

2 Login HTTP The most basic form of security, access protection is available when connecting to the T BOX RTU through TCP/IP, for example, via TWinSoftt or a web page. A login is required before access is allowed. Login HTTP processor. is available in all T BOX models, whether equipped with a 16 bit or 32 bit HTTPS HTTPS, or HTTP Secure, is the hypertext transfer protocol with encryption using the SSL or TLS protocol. It is now available as an add on, which allowss access to the T BOX MS (when equipped with the MS CPU32 processor) integral web server using HTTPS. Simple menu interactions allow the user to configure the TCP ports for HTTP and HTTPS, whether HTTP is blocked, and to specify a certificatee file name. Since T BOX RTU products allow users to exploit the power of the Internet, HTTPS Secure is a very important feature.

3 Firewall A firewall is a device or software capability that is designedd to allow or deny network transmissions based upon a set of rules. The firewall is used to protectt networks from unauthorized access while allowing legitimate communications to pass. A Firewall is available as an add on with the T BOX MS CPU32 processor. It provides access protection for any incoming or outgoing IP connection. Ethernet ports and GPRS connections can be protected using the Firewall.

4 Open VPN Since many SCADA system networks cover broad, geographical areas and use the Internet or public networks, security is a major issue. To provide security in such situations, many SCADA operators have implemented virtual private networks. A virtual private network, or VPN, usess authentication to deny access to unauthorized users and encryption to privately transport data packets over networks that are, otherwise, unsecured. A VPN allows users to bypass such Internet restrictions as firewalls. Available as an add on to the MS CPU32 processor, OpenVPN allows the T BOX MS to be a client in a virtual private network. IEEE802.1X IEEE 802.1X, a standardd for port based, network access control addresses a key security risk, spoofing, which many operators have uncovered in vulnerability assessments. IEEE 802.1X provides authenticationn for devices wishing to access a local area network (LAN). Available as an add on to the MS CPU32 processor, it prevents rogue devices from attaching to the LAN orr RTU port. That, in turn, prevents unauthorized access to proprietary information and the ability to download configuration or operation parameters.

5 DC09 Event Reporting ANSI/SIA DC Internet Protocol Event Reporting is available as an add on with the T BOX MS CPU32 processor. According to the Security Industry Association (SIA), This voluntary standard details the protocol to report events from premises equipment to a central station using Internet Protocol (IP). Intended for use by manufacturers of control panels and central station receivers to ensure equipment compatibility, this standard also affects security system installers, specifiers and users of central stations and local authorities dealing with compatibility issues. ANSI/SIA DC further enhances the strong IP capabilities and security measures Semaphoree has incorporated in T BOX MS. It provides encrypted, acknowledged and time such as stamped event data and allows communicationn over a variety of physical networks, Ethernet, serial line (SLIP/PPP) and GPRS.

6 Simple Network Management Protocol l (SNMP) SMNP is widely used in informationn technologyy and broadcast networks. A variety of devices, including routers, switches, servers, printers and telecommunication equipment, support this protocol. From an architectural perspective, the SNMP managementt model contains agents and a manager: Agents: potentially many network devices, each containing embedded SNMP implementations that interfacee with devicee management elements Manager: item capable of generating management commands and/or receiving monitoring notifications The architecture allows management and monitoring by direct polling and query of an agent by b the manager or asynchronous receipt of monitoring notification (referred to as a trap).

7 SNMP is available as an add on to T BOX MS when equipped with the MS CPU32 processor. The protocol implementation is in 3 parts: SNMP Trap Protocol SNMP Daemon Protocol SNMP Client Protocol SNMP Trap Protocol The SNMP trap protocol implementation allows Semaphore RTUs to send and receive SNMP trap messages. In this manner, the RTUs may be used to monitor system health and alarm states for information technology or broadcastt equipmentt where the trap functionality associated with SNMP is widely used to providee a mechanism to monitor equipment of different models and from different manufacturers in a unified manner. Alternatively, using the ability to generate SNMP traps, the RTUs may be integrated in such network environments in a manner that alleviates the requirement for a separate supervisory system.

8 For on event communication, T BOX MS supports two message types: Trap request: without acknowledg ement Inform Request: with acknowledge ement SNMP DAEMON Protocol The SNMP daemon protocol implementation provides a server (or slave) SNMP implementation which allows configuration and state information about RTUs to be set, queried or retrieved by remote agents using SNMP. This functionality allows the RTUs to be integrated within network environments where SNMP is employed and administered using existing SNMP management tools. The configuration and state information about the RTUs exposed through this interface include: RTU network address and system identifier; RTU hardware modules and I/O states; Event log information; and Network interface and traffic information. The Semaphore MIB defines those elements off RTU hardware and software configuration available for query and manipulation through the SNMP agent interface provided by the SNMP daemon protocol implementation. The Semaphore RTUs also support the Management Informationn Base for Network Management off TCP/IP based internets (MIB II) as defined in RFC document 1213 which describes SNMP objects that expose information about system configuration, network interfaces and connection and protocol information.

9 SNMP Client Protocol The SNMP client protocol implementation provides a client (or master) SNMP implementationn that allows the RTUs to be used to query, retrieve and set informationn associated with remotee devices using SNMP. In this manner this protocol implementation may be used to extend the scope of monitoring of the RTUs beyond traditional SCADAA applications and physical I/O to incorporate the monitoring of SNMP enabled network equipment.

10 Industrial Defender Enabled Primarily by virtue of the SNMP implementation, Semaphore products such as T BOX MS are Industrial Defender Enabled. Industrial Defender is a company that is dedicated and uniquely focused on providing end toend Defense in Depth cyber security solutions for the real time process control/ /SCADA market. Users benefit by leveragingg Industrial Defender s comprehensive Defensee in Depth approach to cyber security, which includes network security professional services, cyber security technology, and managed security services. Industrial Defender Enabled capabilities allow Semaphore RTU products such as T BOX MS to be monitored by the Industrial Defender Security Event Management (SEM) console enhancing the cyber security posture of the process control/scada network. Customers who purchase an a Industrial Defender (SEM) console will be able to monitor all Industrial Defender Enabled devices on the real time process control/scada network.