Process Control Protection Mechanisms

Internet Draft                                              James Cupps
Document: draft-cupps-control-protecmech-00.txt
                                                  Expires: October 2002


Status of this Memo 
     
This document is an internet-draft and is in full conformance with all 
provisions of Section 10 of RFC2026. 
     
Internet-Drafts are working documents of the Internet Engineering Task 
Force (IETF), its areas, and its working groups.  Note that other 
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress." 
The list of current Internet-Drafts can be accessed at 
http://www.ietf.org/ietf/1id-abstracts.txt  
The list of Internet-Draft Shadow Directories can be accessed at 
http://www.ietf.org/shadow.html. 
     
Abstract 
    
This document provides mechanisms and details on ways to protect IP
connected Process Control Devices in a Manufacturing Facility. The
proliferation of IP connected process control systems has resulted
in significant savings and efficiency gains in many manufacturing
organizations. The added safety risks and security vulnerabilities
must be addressed. This document provides definitions and logical
tools that are useful in protecting these systems.


Overview
Connecting manufacturing control systems to site and company local
and wide area networks via Internet Protocol (IP) is a growing trend
in the manufacturing industry.  It has provided manufacturers with
an unprecedented ability to control, monitor, troubleshoot and
optimize internal manufacturing facilities.  It has also exposed
companies to a significant security and safety threat.

Situation Analysis
With IP connected control systems it is possible to easily gain access
to these systems and to the associated information proprietary to a
company's processes. If improperly applied, there is significant
potential for an unauthorized individual to remotely gain control of
physical equipment. This presents a safety threat in that equipment
could be operated outside its intended parameters and times. The misuse
of this equipment could be intentional or unintentional.

There is indication that these vulnerabilities may exist in all
manufacturing organizations. The issues involved in the implementation
of these systems should be addressed rapidly worldwide.

Technical Details and Description of Threat

Manufacturing companies currently use several products that should be 
reviewed.  PLC systems provide actual control and feedback information
on mill equipment. Systems from many common vendors have similar
security issues.

The following is a technical summary of the potential security 
vulnerabilities of IP connected process control devices:

Accessibility - The addition of Transmission Control Protocol/Internet
Protocol (TCP/IP) to the control devices means that they can be
accessed from any TCP/IP network connected to a company network. Most
manufacturing organizations have access via the Internet as well as
direct dial-in facilities. Because of this the potential exists for
anyone in the world to gain access to these control functions. Edge
protections (firewalls, Network Address Translation [NAT] and dial-in
authentication) provide some level of protection from the open
Internet. These edge protections often do not exist between sites or
regions within a company.

Default Settings - The default settings of these control systems are
designed to ease implementation. TCP access is through specific ports
that depend on the vendor. Connection to these ports is often possible
without authentication by default. A data tag specific to the type of
controller is required to establish an exchange of information. These
data tags are usually in clear text and are available in the technical
documentation provided by the vendor.

Communication Mechanisms - One common way a session is initiated is
by ICMP ping. The responding server then identifies itself and
provides information relating to its function. This means that it is
possible to rapidly identify all available services by pinging the
network address of the subnet that the device is on.
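As an added defensive illustration that is not part of the draft: the ping-based discovery just described leaves a footprint that a filter in front of the control subnet can log and a periodic review can flag. The script below parses constructed echo-request log lines (the log format and the 10.1.x.x addresses are assumed, made-up values) and reports any source that reaches many distinct hosts on the control subnet within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: echo-request log lines from a layer-3 filter in front
# of a Direct Control subnet (10.1.10.0/24 is an assumed, made-up range).
SAMPLE_LOG = """\
2002-04-01T10:00:00 ICMP echo-request src=10.1.50.23 dst=10.1.10.1
2002-04-01T10:00:00 ICMP echo-request src=10.1.50.23 dst=10.1.10.2
2002-04-01T10:00:01 ICMP echo-request src=10.1.50.23 dst=10.1.10.3
2002-04-01T10:00:01 ICMP echo-request src=10.1.50.23 dst=10.1.10.4
2002-04-01T10:00:02 ICMP echo-request src=10.1.50.23 dst=10.1.10.5
2002-04-01T10:00:02 ICMP echo-request src=10.1.50.23 dst=10.1.10.6
2002-04-01T10:00:03 TCP syn src=10.1.50.23 dst=10.1.10.6
2002-04-01T10:00:05 ICMP echo-request src=10.1.50.7 dst=10.1.10.1
2002-04-01T10:05:00 ICMP echo-request src=10.1.50.7 dst=10.1.10.1
2002-04-01T11:00:00 ICMP echo-request src=10.1.50.23 dst=10.1.10.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ICMP echo-request src=(?P<src>\S+) dst=(?P<dst>\S+)$")

def parse_echo_requests(log_text):
    """Return (timestamp, src, dst) for echo-request lines; others are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"]))
    return events

def find_sweeps(events, window=timedelta(seconds=30), threshold=5):
    """Map src -> most distinct hosts pinged inside any one window, keeping
    only sources at or above threshold (the likely subnet sweeps)."""
    by_src = defaultdict(list)
    for ts, src, dst in events:
        by_src[src].append((ts, dst))
    sweeps = {}
    for src, hits in by_src.items():
        hits.sort()
        best = 0
        for i, (start, _) in enumerate(hits):
            # distinct destinations seen in [start, start + window]
            seen = {d for t, d in hits[i:] if t - start <= window}
            best = max(best, len(seen))
        if best >= threshold:
            sweeps[src] = best
    return sweeps

if __name__ == "__main__":
    print(find_sweeps(parse_echo_requests(SAMPLE_LOG)))
```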

Findings and Recommendations

There is a significant legitimate risk to manufacturing facilities from
IP connected control systems. These risks can be successfully mitigated
by careful design and periodic review. At-risk systems can be divided
into three groups.

Direct Control Systems - systems and devices that directly control
functions in the physical world such as variable speed motors, on/off
switches, etc. (e.g. Ethernet I/O, variable speed drives, smart
sensors).

Indirect Control Systems and metadata manipulation - systems that
process and route information that is used as input to Direct Control
Systems (e.g. programming terminals, data acquisition, high level
supervisory control).

Business Integration Systems - systems that receive data from Direct
and Indirect Control Systems and process it to make it available to
business systems.


Direct Control Systems were determined to pose the greatest safety and
financial risk for several reasons.
IP connected Direct Control Systems rarely (almost never) have
integrated access control mechanisms. Instead they typically rely upon
proprietary communication protocols to limit the possibility of access.
This is ineffective because communication on an IP network is not
limited to specific devices; by definition it is possible for any
properly configured system to send data to and from any port.
There are actually tools (called fuzzers) designed to do this randomly
in attempts to gain illegitimate access to systems. Direct Control
Systems provide control or feedback of physical equipment. This means
that if they are triggered at inappropriate times there is a physical
risk to personnel and a possibility of interrupting production,
resulting in significant safety and financial risk.

Indirect Control Systems are the second most significant risk. 
They typically have the ability to authenticate users but this 
capability is not always activated. There is a cost associated with 
restricting access to their control and information capabilities 
because the vendors often provide the security integration mechanisms 
as a separate product. The primary risk on these systems is 
intentional or unintentional changes to the data they coordinate. 
Another risk of these systems is a denial of service scenario in which
for some reason the device becomes unavailable.

Business Integration Systems pose the least significant risk
and have roughly the same security requirements and concerns as other
business systems. They should be viewed no differently than other 
important business systems.

Recommendations

Where possible, authentication mechanisms should be used to control
access to PCN equipment and software. Manufacturers should develop
layer-3-plus filtering and logging on the WAN and on each site's LAN
(specifically the PCN). There are significant design requirements
associated with this recommendation, and other mechanisms could be used
to mitigate the same risks.

A standardized documentation method should be used at least at the site
level if not at the corporate level. This documentation should be 
available for audit.

Guidelines

It is essential that the ability to implement these designs and 
guidelines be provided to all sites in one way or another. The Process
Control Networks should be developed with multiple layers. Funding 
and/or time need to be made available to allow this effort to succeed.

1.	One layer that has no inherent routing capabilities (or 
tightly filtered routing) for Direct Control Systems. 
2.	One layer with tightly controlled routing for metadata used 
by PCN devices for Indirect Control Systems. 
3.	Finally the open layer where normal business systems interact
with the PCN network with lightly controlled access and logging.


Firewalls and other layer-3+ filtering mechanisms should be used to
facilitate these recommendations. The protection of process control
networks within manufacturing organizations should be given the same
priority as the protection of high value financial networks within
financial organizations (perhaps more, considering the safety issues).
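An added example, not from the draft, of writing the three-layer design down as a policy that can be checked against observed flows: the address plan, zone names and flow records are assumed, made-up values. decide() returns the action and whether the flow is logged for a source/destination pair, and audit() lists the flows the layered policy would deny so they can be reviewed, which is the kind of periodic check the draft calls for.

```python
import ipaddress

# Assumed, made-up address plan for the three layers (not from the draft).
ZONES = {
    "direct":   ipaddress.ip_network("10.1.10.0/24"),  # Direct Control Systems
    "indirect": ipaddress.ip_network("10.1.20.0/24"),  # Indirect Control Systems
    "business": ipaddress.ip_network("10.1.50.0/24"),  # Business Integration
    "wan":      ipaddress.ip_network("10.2.0.0/16"),   # other sites over the WAN
}

# (src_zone, dst_zone) -> (action, logged). Anything not listed is denied
# and logged, so the control layer has no routed path from business or WAN.
POLICY = {
    ("direct", "direct"):     ("allow", False),  # flat control layer, no routing
    ("indirect", "direct"):   ("allow", True),   # tightly controlled, logged
    ("direct", "indirect"):   ("allow", True),   # feedback data flows upward
    ("indirect", "indirect"): ("allow", False),
    ("business", "indirect"): ("allow", True),   # lightly controlled, logged
    ("indirect", "business"): ("allow", True),
    ("business", "business"): ("allow", False),
    ("wan", "business"):      ("allow", True),
    ("business", "wan"):      ("allow", True),
}

def zone_of(ip):
    """Name of the layer an address belongs to, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def decide(src, dst):
    """(action, logged) the layered policy applies to a src -> dst flow."""
    return POLICY.get((zone_of(src), zone_of(dst)), ("deny", True))

def audit(flows):
    """Return (src, dst, src_zone, dst_zone) for every flow the policy denies."""
    return [(s, d, zone_of(s), zone_of(d)) for s, d in flows
            if decide(s, d)[0] == "deny"]

# Constructed flow records: (src, dst) pairs as a filter log might show them.
SAMPLE_FLOWS = [
    ("10.1.50.23", "10.1.10.5"),  # business host reaching a controller
    ("10.2.3.4",   "10.1.10.5"),  # remote site reaching a controller
    ("10.1.20.8",  "10.1.10.5"),  # supervisory host to controller
    ("10.1.50.23", "10.1.20.8"),  # business host to supervisory host
    ("10.1.10.5",  "10.1.10.6"),  # controller to controller
]

if __name__ == "__main__":
    for row in audit(SAMPLE_FLOWS):
        print("policy violation:", row)
```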

Conclusion

The potential risks to personnel and companies make it essential that
these issues be addressed within an organization on a continuing
basis. Continuing review of designs and equipment must be maintained
to ensure that risks are mitigated. Network connected control systems
provide significant material and financial opportunities to all 
manufacturing companies and the proper implementation of them should
be strongly supported. The nature of networked equipment means that
it can never be completely protected but risks can be significantly
reduced with proper diligence.

Comments to:
James B Cupps
Senior Network Security Engineer
SFPNA SPP
james.cupps@na.sappi.com