SCADA security for critical pipeline infrastructure: here is how one major utility secures its automation networks.
The economy of every developed country in the world depends on the supply of oil, gas and water. The average American each day consumes two gallons of gasoline, 220 cubic feet of natural gas for heating and cooking, 30 kilowatt-hours of electricity-produced primarily from fossil fuels--and 150 gallons of water. The supply is an essential part of the critical infrastructure. Providing and protecting the security of that supply is a clear-cut mandate.
Utilities quickly recognized these supply systems needed even more security after the attacks of 9/11, and the increased reports of malicious viruses, hacking and the cyberwar capabilities as discussed in numerous white papers including, "Hacking the Industrial Network" and "Post-Stuxnet Industrial Security."
As a result, utilities realized that many industrial control networks would benefit from diverse firewalls and encrypted Virtual Private Network (VPN) connectivity behind the front-office firewalls. Here is how one leading utility is securing the industrial control networks of its extensive pipeline infrastructure.
The utility operates or manages facilities in 23 states with an extensive network of underground piping. It supports more than 300 remote field sites company-wide. For more than 30 years, it has used a variety of methods to connect to its remote sites, including modems, leased lines, dry pairs and licensed radio.
In 2009, the utility was proactively planning to increase the security of its SCADA control networks. The systems engineering group, corporate IT department and an outside consulting firm were involved in the project and the security product evaluations. A leading IT network solution was initially considered as this path reflected the corporate office network standard. But there were other important considerations.
"We needed an industrial solution, particularly for our remote sites," reported Keith Kolkebeck, systems engineering project manager for the utility company. "We needed a solution that was easy to configure, powered by 24 VDC, met our IT security standards, and could hold up to years of operation in a harsh environment. In the past, we had mixed results using office network-grade products that were expensive, required special skills to configure, and failed frequently."
Finding A Solution
In early 2010, the utility was introduced to the family of mGuard[R] industrial network security devices from Phoenix Contact, created and developed by the Phoenix subsidiary Innominate Security Technologies. The system was designed for harsh environments and includes small, industrial-rated modules that incorporate router, firewall, encrypted VPN tunnels, filtering of incoming and outgoing connectivity, authentication and other functions to provide layers of distributed "defense-in-depth," economically and without disturbing production.
The system is available in various industrial-rated designs: 1) for DIN-rail mounting, 2) for 19-inch rack mounting in cabinets, 3) as PCI cards or 4) as dongle-style patch cords for roaming technicians. The hardened, industrial version of mGuard has been in production since 2005 and has proven effective in tens of thousands of demanding installations. Rated IP 20 for mounting in NEMA enclosures, it is easily installed and enabled by technicians, rather than IT network administrators. Customers in the automotive and other industries have used these versions with excellent results in providing security for older production systems. Clients include a major natural gas and electricity provider and a defense and telecommunications provider. The mGuard security appliances protect industrial automation networks. They are cost-effective, network transparent, simple to install and easily managed. Available fiber connectivity can provide Gigabit bandwidth.
After review of the technology, the utility's IT Department was receptive to the concept because it would allow process personnel to deploy and maintain their own networks, freeing up IT administrators for other tasks. The company installed a dozen devices as a test bed.
Kolkebeck added: "The ability for the mGuard to do AES-256 encryption along with its industrial design was key. Again, the mGuard was easy to deploy, cost effective and met our standards. By default, the mGuard is configured in its most secure configuration. Previously, it would require a day's time of an experienced IT technician, whereas now we can rollout a new VPN device in 10 minutes. The mGuard is very easy for someone with minimal network knowledge to rollout."
In "Stealth Mode" these products are completely transparent, automatically assuming the MAC and IP address of the equipment to which they are connected, so that no additional addresses are required for the management of the network devices. This was a feature that appealed to initially skeptical IT personnel. No changes needed to be made to the network configuration of the existing systems involved. Yet the devices operate invisibly and transparently, monitoring and filtering traffic to the protected systems by providing a Stateful Packet Firewall according to rules that can be configured via templates from a centrally located server. And with bi-directional wire speed capability, the devices will not add any perceptible bottlenecks or latency to a 100 Mb/s Ethernet network.
If required, the security of networked equipment can be further enhanced. Configuration of specific user firewall rules can restrict the type and duration of access to authorized individuals, who may login and authenticate themselves from varying locations, PCs and IP addresses. Virtual Private Network functions provide for secure authentication of remote stations, and the encryption of data traffic. CIFS Integrity Monitoring functionality can protect file systems against unexpected modifications of executable code, by Stuxnet-derived malware for instance, by sending alerts to administrators.
Kolkebeck stated, "We were implementing multiple measures into our SCADA network in order to actively monitor our system. We utilize network segmentation, VLANS, and centralized firewalls and were looking to introduce intrusion detection (IDS) and intrusion prevention (IPS) systems into our network. The mGuard is a tool that allows us to perform these functions."
The utility company needed to protect remote terminal units (RTUs) and programmable logic controllers (PLCs), remote card access and video systems. As industrial systems migrate toward an Internet Protocol (IP) network, more timely information and control is available. All new PLCs have IP capability. Power monitoring is another example. All new variable frequency drives (VFDs) for motors, switchgear, pumps, compressors and generators have power monitoring capabilities that need to be tied into the SCADA systems. Following field trials, the mGuard appliances were utilized to provide protection from vulnerabilities through firewall, VPN, routing and trap functions.
Kolkebeck concluded in a recent interview, "We currently have mGuard security modules deployed in multiple locations throughout the Northeast. We have used the products both for our SCADA networks and our security networks at remote unmanned locations. We have interfaced the mGuard devices with our existing Cisco[R] infrastructure. We are saving money on remote support from our staff and outside contractors. Site visits are no longer required for minor code changes and troubleshooting."
This article documents how one major utility is protecting access to vulnerable SCADA control systems, distributed over a wide area network with unmanned locations. The application is pertinent to any extended or wide-ranging distribution network, such as those operated as natural gas, crude oil, power, petrochemical, steam, water distribution and other critical infrastructure delivery systems.
It could be wagered that every engineer reading this article is easily able to recognize situations and issues that match those of his or her own facilities. Each of these utility applications include a harsh environment, remote facilities, access control, video security, rotating equipment--whether pumps, compressors or turbines--and control equipment applications delimited by simple PLCs.
All of these systems can include built-in IP capability and are vulnerable to virus propagation and deliberate hacking, by individuals, foreign governments and non-government failed states.
A simple solution already is available. There are proven "defense-in-depth" security products available to provide protection for utilities and critical industrial networks. The mGuard industrial network security appliances have been widely used to protect industrial automation equipment and processes running the newest and oldest operating systems. Among other formats and applications, the mGuard is available as a small, DIN-mount module for NEMA enclosures, easily enabled by technicians rather than IT network administrators. It incorporates router, firewall, encrypted VPN tunnels, filtering of incoming and outgoing connectivity and CIFS functions, to provide distributed defense-in-depth, economically and without disturbing production.
For more information about current threats to networked industrial equipment, an 18-page White Paper, "Hacking the Industrial Network" is available, including footnotes, clickable Internet research links and detailed references. Download at www.innominate.com. An accessible discussion of "Post-Stuxnet Industrial Security" also is available.
Frank Dickman, BSMAE, RCDD, is a widely experienced engineering consultant and former delegate to NEMA, TIA/EIA, ISO, CENELEC and the BICSI Codes & Standards Committees. Based in Chicago, he is a technical consultant to a number of data communications firms and is a recognized expert on U.S. and international physical infrastructure network standards. He can be reached at email@example.com.
|Printer friendly Cite/link Email Feedback|
|Publication:||Pipeline & Gas Journal|
|Date:||Sep 1, 2011|
|Previous Article:||How weather reporting affects petroleum prices.|
|Next Article:||Pipeline route and depth-of-cover survey considerations.|