Defense in cyberspace

Wireless technology has aroused as much interest as skepticism in the industrial control systems industry. Many recognize the easier installation and reduced cost; others question the reliability and security of wireless networks. The principal requirements of industrial wireless technology are clear: it must be robust, reliable, cost-effective, and secure. Despite the benefits, industry adoption of wireless networks has been gradual, in part because of security concerns. For industrial facilities, the greater exposure of the enterprise that comes with open wireless architectures, coupled with a rise in cyber attacks, has made electronic security a major concern. We can no longer take for granted the integrity of vital assets, including operational processes, network architectures, and business applications.

Cyber researchers of the Control Systems Security Program (CSSP) regularly evaluate new and recently introduced solutions. Their reviews suggest wireless solutions can be as secure as wired ones, which should ease industry concerns.

Surpassing wired systems

Today, cyber security threats against a site can take different forms and fall into four categories:

1. Indiscriminate and potentially destructive: the most publicized category, malware, which includes viruses, Trojans, and worms.

2. Performance impacts and potential safety issues: network spoofing (forging the source address of a transmission to gain entry, or fabricating responses to keep a session alive) and denial-of-service attacks have performance implications. A denial-of-service attack, for example, can clog a network with spurious requests and keep an operator from receiving a legitimate alarm, which can degrade performance and create safety issues.

3. Confidentiality: with eavesdropping on radio transmissions and password cracking, protecting data from unauthorized use becomes a concern alongside safety.

4. Integrity: data tampering, impersonation, and packet modification, which are especially hazardous if the intruder has malicious intent.

The idea that an attacker could capture data while it is in the air and halt certain operations at the plant causes great concern in the industry. Industrial manufacturers are increasingly aware of the threats of industrial espionage and cyber terrorism.
However, strong policies and procedures, proven encryption and authentication, and proper wireless system design can provide a level of security that equals, or even surpasses, that of wired systems.

Beating the hackers back

Industrial control systems that use wireless technology face increasing cyber attacks from inside and outside the network infrastructure. Automation suppliers must recognize the risk to wireless network security and understand how attackers can use wireless vulnerabilities to their advantage. Cyber threats to an industrial control system can come from within the organization, from trusted users, or from remote locations, from unknown persons using the Internet. Attacks can also come from hostile governments, terrorist groups, disgruntled employees, and malicious intruders. To protect against these threats, it is necessary to create a secure cyber barrier around the system infrastructure. Because the radio frequency medium is open to eavesdropping and spoofing (anyone within range can receive and transmit), care is needed to ensure the wireless network is no less secure than a traditional wired network. To counter these inherent vulnerabilities, wireless networks must use strong encryption and authentication, coupled with robust implementation and management.
Security must be integral to the system design, not an afterthought. For example, the security layer must accommodate multiple security levels to satisfy the requirements of different industries. An application that requires more stringent security calls for more capable systems, including nodes of potentially higher cost or installation inconvenience. The security layer must be general enough to serve multiple applications and the underlying network layers. It must support both sensor-to-control-system and node-to-node communication, directly or through intermediaries. For industrial control systems, all of the communication paradigms of common field I/O protocols should also be supportable. The best security is layered, with protection that ensures a single breach does not compromise the entire system through cascading attacks. The integrity of the security layer should not depend on individual nodes never going down; rather, it should ensure that the compromise of a single node does not compromise the confidentiality or message integrity of communication sessions to which that node is not a party. Specific requirements for the network security layer follow.

Data confidentiality: Application information exchanged through the network may be sensitive, and the network must protect it against eavesdropping. To ensure that the compromise of a network element (such as a relaying node) does not compromise confidentiality, end-to-end encryption between the communicating endpoints is a necessity; link-by-link encryption alone leaves data in the clear inside every intermediate node. The encryption algorithms should be well known and tested, of appropriate key length, and able to accept re-keying as necessary. The current recommended practice is 128-bit AES encryption for all over-the-air communications.
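The following Go program is an added illustration, not code from the original article or from any vendor it discusses, of how an end-to-end session can meet the confidentiality requirement above together with the message-integrity, sender-authentication, and replay-protection requirements that the same security layer must satisfy. It uses AES-128 in GCM mode from Go's standard library. The frame layout (a 4-byte counter in the clear followed by ciphertext and tag), the 16-byte test key, the relay behaviour and the sensor readings are all constructed for the example, and key provisioning is assumed to have happened out of band.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	ctrLen   = 4  // send counter carried in the clear at the start of each frame
	nonceLen = 12 // GCM nonce size
	tagLen   = 16 // GCM authentication tag size
)

// Endpoint is one end of a sensor-to-server session. Both ends hold the same
// 128-bit key; how that key is provisioned (join procedure, key management)
// is an assumption outside this example.
type Endpoint struct {
	aead    cipher.AEAD
	sendCtr uint32 // last counter used when sealing
	recvCtr uint32 // highest counter accepted so far (0 = none yet)
}

func NewEndpoint(key []byte) (*Endpoint, error) {
	if len(key) != 16 {
		return nil, errors.New("session key must be 128 bits")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Endpoint{aead: aead}, nil
}

// nonceFor builds the 96-bit GCM nonce from the frame counter. The counter
// never repeats under one key, so neither does the nonce.
func nonceFor(ctr uint32) []byte {
	n := make([]byte, nonceLen)
	binary.BigEndian.PutUint32(n[nonceLen-ctrLen:], ctr)
	return n
}

// Seal produces a frame: 4-byte counter || ciphertext || 16-byte tag.
// The counter is passed as associated data, so relays can read it but any
// change to it invalidates the tag.
func (e *Endpoint) Seal(plaintext []byte) ([]byte, error) {
	if e.sendCtr == ^uint32(0) {
		return nil, errors.New("counter exhausted: re-key before sending again")
	}
	e.sendCtr++
	hdr := make([]byte, ctrLen)
	binary.BigEndian.PutUint32(hdr, e.sendCtr)
	return e.aead.Seal(hdr, nonceFor(e.sendCtr), plaintext, hdr), nil
}

// Open checks a frame and returns its plaintext. Replayed, forged and modified
// frames are rejected without touching receiver state, so an attacker cannot
// desynchronise the session; a gap in counters (frames lost to interference)
// is tolerated.
func (e *Endpoint) Open(frame []byte) ([]byte, error) {
	if len(frame) < ctrLen+tagLen {
		return nil, errors.New("frame too short")
	}
	hdr := frame[:ctrLen]
	ctr := binary.BigEndian.Uint32(hdr)
	if ctr <= e.recvCtr {
		return nil, fmt.Errorf("replay: counter %d not above %d", ctr, e.recvCtr)
	}
	pt, err := e.aead.Open(nil, nonceFor(ctr), frame[ctrLen:], hdr)
	if err != nil {
		return nil, errors.New("authentication failed: frame dropped")
	}
	e.recvCtr = ctr
	return pt, nil
}

// RunScenario drives a sensor -> relay -> server exchange in which the relay
// (a compromised intermediate node) forwards, tampers with, replays, drops and
// forges frames. It returns what the server accepted, why it rejected the
// rest, and whether any plaintext was visible to the relay.
func RunScenario(key []byte) (accepted, rejected []string, leaked bool, err error) {
	sensor, err := NewEndpoint(key)
	if err != nil {
		return nil, nil, false, err
	}
	server, err := NewEndpoint(key)
	if err != nil {
		return nil, nil, false, err
	}
	deliver := func(frame []byte) {
		if pt, e := server.Open(frame); e != nil {
			rejected = append(rejected, e.Error())
		} else {
			accepted = append(accepted, string(pt))
		}
	}
	readings := []string{"temp=71.2", "valve=open", "temp=71.4", "temp=71.5", "temp=71.6"}
	frames := make([][]byte, len(readings))
	for i, r := range readings {
		if frames[i], err = sensor.Seal([]byte(r)); err != nil {
			return nil, nil, false, err
		}
		if bytes.Contains(frames[i], []byte(r)) { // relay sees the frame, not its content
			leaked = true
		}
	}
	deliver(frames[0]) // forwarded intact: accepted
	tampered := append([]byte(nil), frames[1]...)
	tampered[ctrLen+2] ^= 0x01 // relay flips one ciphertext bit: tag check fails
	deliver(tampered)
	deliver(frames[0]) // relay replays frame 1: counter not fresh
	// frame 3 is lost on the lossy channel; frame 4 still opens (counter gap tolerated)
	deliver(frames[3])
	forged := append([]byte{0, 0, 0, 99}, make([]byte, 8+tagLen)...) // relay invents counter 99
	deliver(forged)    // fails authentication; recvCtr stays at 4
	deliver(frames[4]) // genuine frame 5 is still accepted afterwards
	return accepted, rejected, leaked, nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed test key; a deployment uses a provisioned key
	acc, rej, leaked, err := RunScenario(key)
	if err != nil {
		panic(err)
	}
	fmt.Println("accepted:", acc)
	fmt.Println("rejected:", rej)
	fmt.Println("plaintext visible to relay:", leaked)
}
```

Run it with `go run`. The counter check rejects anything not newer than the last accepted frame and updates state only after the tag verifies, so a forged counter cannot desynchronise the receiver, while frames lost to interference simply leave a gap. The price of a strict high-water mark is that out-of-order delivery is also dropped; a network that reorders frames needs a sliding acceptance window instead. Re-keying is required before the 32-bit counter wraps, because repeating a GCM nonce under the same key breaks both confidentiality and integrity.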
Entity authentication (device trust establishment): Before one node communicates with another, the devices must authenticate to each other. Entity authentication is the process by which one entity becomes certain of the identity of a second entity; it prevents unauthorized devices from joining the network. The authentication mechanism must be cryptographically secure, using unique and time-limited keys. The current recommended practice is to deliver unique, time-limited, one-time-use join keys through an out-of-band mechanism (such as an infrared link) in a manner that does not expose the key to human operators.

Message integrity and sender authentication: Data integrity establishes that fault processes, such as noise or random error, have not altered a message between transmission and reception. Message authentication establishes that an attacker has not fabricated or altered a message. Sender authentication establishes that a message originated from a limited set of authorized senders. Together, these features substantiate that received messages are not corrupt and come from an authorized sender. This is essential, because compromised data can lead to invalid computation. Moreover, bandwidth and radio transmit energy should be conserved by not reacting to forged messages or denial-of-service traffic from unauthorized sources: a frame that fails authentication should be dropped silently, without a response the attacker can use to provoke further transmissions.

Fault tolerance over the lossy channel: The low-rate wireless network used by sensors is lossy, because interference is likely. The security layer must tolerate lost packets, detect loss of synchronization, and provide a mechanism for re-synchronizing the session endpoints.

Data freshness: General data freshness is not a security layer goal. However, the security layer must protect against replay attacks.

Low packet overhead: For efficient use of bandwidth and battery power, the amount of overhead the security layer adds to the transmitted and received data should be as small as possible.

Key escrow: Long-term key escrow (placing keys in the hands of a trusted third party) may be required by regulation or by customer corporate policy. The key escrow mechanism can also back up keying material to support failure recovery. Support for remote key escrow is necessary.

Firmware updates: Nodes may require firmware updates to repair software flaws or to add new features. Nodes must be protected so they do not accept corrupted firmware or firmware from an unauthorized source.

FIPS 140-2 compliance: Cryptographic modules should be FIPS 140-2 compliant during operation. Nodes should be designed so that they can be classified as "single-chip cryptographic modules." Achieving this rating requires, among other things, that keys are encrypted whenever they leave the chip; in other words, keys are never exposed in the clear off-chip. There must also be no easy way to read out the chip's data (for example, debugging ports must be disabled).

Availability: Availability means ensuring the services offered by the secured nodes are available to legitimate users when expected. Attacks on availability are denial-of-service (DoS) attacks. The security protocol should attempt to ensure the wireless network is not a force multiplier for the adversary, meaning the magnitude of an attack is not amplified by retransmission through the network. The security layer design should also include features to mitigate battery exhaustion (sleep deprivation) attacks and flash memory wear-out attacks.

Protection against traffic analysis: Traffic analysis is a method of inferring node identities, node functions, and probable system states from observation of the timing, lengths, and unencrypted portions of messages.
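As an added example of the firmware-update requirement (not code from the original article or from any vendor it discusses), the following Go program shows the acceptance check a node can run before installing an image: verify the vendor's Ed25519 signature over the whole image first, then refuse any version that is not newer than the running one, so that corrupted images, images signed by an unauthorized key, and old signed images with known flaws are all rejected. The image layout (4-byte version, firmware bytes, 64-byte signature), the fixed key seeds and the firmware contents are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout (constructed for this example):
//   4-byte big-endian version || firmware bytes || 64-byte Ed25519 signature
// The signature covers version and firmware together, so neither can be
// altered or recombined with the other without invalidating it.
const (
	versionLen = 4
	sigLen     = ed25519.SignatureSize
)

// Node holds what a wireless node needs to judge an update: the vendor's
// public key (installed at manufacture) and the version currently running.
type Node struct {
	vendorPub ed25519.PublicKey
	version   uint32
}

// BuildImage is the vendor-side signing step.
func BuildImage(priv ed25519.PrivateKey, version uint32, firmware []byte) []byte {
	body := make([]byte, versionLen, versionLen+len(firmware)+sigLen)
	binary.BigEndian.PutUint32(body, version)
	body = append(body, firmware...)
	return append(body, ed25519.Sign(priv, body)...)
}

// Accept is the node-side check. The signature is verified before any field
// is trusted; only then is the version compared, to refuse rollback.
func (n *Node) Accept(image []byte) error {
	if len(image) < versionLen+sigLen {
		return errors.New("image too short")
	}
	body, sig := image[:len(image)-sigLen], image[len(image)-sigLen:]
	if !ed25519.Verify(n.vendorPub, body, sig) {
		return errors.New("signature check failed: image rejected")
	}
	v := binary.BigEndian.Uint32(body[:versionLen])
	if v <= n.version {
		return fmt.Errorf("rollback refused: version %d is not newer than %d", v, n.version)
	}
	n.version = v // the install itself would happen here; only version bookkeeping is modelled
	return nil
}

// RunScenario tries five images against a node running version 1 and returns
// the outcome of each attempt and the version the node ends on.
func RunScenario() (outcomes []string, finalVersion uint32) {
	vendor := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))   // constructed vendor key
	attacker := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x13}, ed25519.SeedSize)) // constructed rogue key
	node := &Node{vendorPub: vendor.Public().(ed25519.PublicKey), version: 1}
	try := func(img []byte) {
		if err := node.Accept(img); err != nil {
			outcomes = append(outcomes, err.Error())
		} else {
			outcomes = append(outcomes, fmt.Sprintf("installed version %d", node.version))
		}
	}
	good := BuildImage(vendor, 2, []byte("firmware v2: patched radio stack"))
	try(good) // genuine update
	corrupt := append([]byte(nil), good...)
	corrupt[versionLen+3] ^= 0x80 // one bit flipped in transit
	try(corrupt)
	try(BuildImage(attacker, 3, []byte("firmware signed by an unauthorized key")))
	try(BuildImage(vendor, 1, []byte("firmware v1: has the flaw v2 fixed"))) // genuine but old
	try(BuildImage(vendor, 3, []byte("firmware v3: new feature")))
	return outcomes, node.version
}

func main() {
	outcomes, v := RunScenario()
	for _, o := range outcomes {
		fmt.Println(o)
	}
	fmt.Println("node now runs version", v)
}
```

Verification precedes parsing of anything else in the image, so the node never acts on unauthenticated data. In a single-chip cryptographic module the vendor public key and the running version would live in protected storage, since an attacker who can rewrite either one can defeat the check.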
This is only a test

In response to growing cyber security threats, the U.S. Department of Homeland Security (DHS), National Cyber Security Division, created the CSSP. The goal of the CSSP is to reduce the risks to control systems within and across all critical infrastructure and key resources by coordinating efforts among federal, state, local, and tribal governments. National laboratories, such as the Idaho National Laboratory, support the CSSP by providing technology expertise, data analysis, and research and testing capabilities. A key objective of the CSSP is to reduce the likelihood of success, and the severity of impact, of a cyber attack against critical infrastructure control systems through risk-mitigation activities, including red-teaming scenarios. These activities rest on a clear understanding of cyber threats, control system vulnerabilities and attack paths, and control systems engineering. The CSSP works closely with the control systems community to ensure that industry subject-matter experts have vetted recommended best practices before they are made public.
DHS CSSP regularly assesses vendors' product updates and enhancements, both to improve the products' security posture and to give DHS greater awareness of related security issues. An assessment may take as many as 1,200 hours. One of the targets of evaluation (TOE) is sensor-to-multinode communication. The cyber security researchers were able to confirm the cyber security enhancements for the defined TOE. A recent test of a Honeywell technology demonstrated strong encryption on all sensor-to-server data transfers. For additional protection, data was encrypted again when transferred over the mesh network (double encryption), making it extremely difficult to capture and modify. Additional testing evaluated disruption and manipulation of gateway-to-control-network communication. This work proved challenging for the cyber engineers, since it required reverse engineering of communication protocols. They had to use the Control Data Access protocol in clear-text form, limited to the Level 1 and Level 2 networks, and the limited protocol structure did not provide the information needed to manipulate data or conduct a successful attack. Data had to be correlated with an additional component of the control system to identify the data points, making the attack inherently harder to perform. A CSSC assessment of the OneWireless technology solution did identify additional findings.
Honeywell and the CSSC are proactively addressing these findings by developing mitigations for the vulnerabilities. In the worst-case scenario, the cyber test engineers could only degrade throughput in the system, not stop it. Under these conditions no data corruption occurred, and the system remained functional throughout the evaluation. Working together, automation suppliers and government cyber security specialists are making strides in recognizing potential risks in industrial control system security and in understanding how attackers can use cyber vulnerabilities to threaten critical infrastructure and key resources.

Protecting your plant

Process engineers and operations management professionals often wonder whether the IT group is not already handling cyber security. One of the best ways to find out is a self-assessment at your plant. Usually there are definite differences between the requirements of the corporate network and the control network:

* Differences in goals between the two network organizations
* Differences in assumptions about what needs to be protected
* Understanding what "real-time performance and continuous operation" really means
* The nature of control systems and how some well-intentioned software-based security solutions can interfere with operations

No matter which department addresses cyber security within the plant, it is crucial that there be protection against both deliberate attack and human error. When it comes to security, the "best in class" perspective is not a choice; it is a necessity. Wireless technology has shown it can deliver security as well as wired solutions. As more plants implement wireless technology, it is vital to be aware of how the system protects against malicious intent, and to protect your intellectual property, your bottom line, and your people.

© 2008 Instrument Society of America. Provided by ProQuest LLC. All Rights Reserved.