
Source: WESCO International, nw.automation.wesco.com/sites/default/files/Siemens Whitepaper...

White Paper • 2003

Information Security in Industrial Communications


SIMATIC NET Information Security for Industrial Communication November 2003

1. Motivation and Objectives...................................................3

1.1 Security Defined................................................................................................................. 3

1.2 Security Risks and Types of Assault ........................................................................ 4

1.2.1 Computer Viruses .................................................................................................. 5

1.2.2 Trojan Horses ........................................................................................................ 5

1.2.3 Sniffer Assaults ..................................................................................................... 5

1.2.4 IP Spoofing ............................................................................................................ 5

1.2.5 DNS Spoofing ........................................................................................................ 6

1.2.6 ICMP Assaults ....................................................................................................... 6

1.2.7 Routing Assaults ................................................................................................... 6

1.2.8 Denial of Service Assaults .................................................................................... 6

1.2.9 Hopping ................................................................................................................. 7

2. Security for Industrial Communication ..............................7

2.1 Trends in Industrial Automation Networking ................................................... 7

2.2 Security Requirements of Industrial Communication ................................... 9

2.2.1 General Requirements .......................................................................................... 9

2.2.2 Specific Requirements ........................................................................................ 10

3. Examples of Solutions.......................................................11

3.1 Data Communications within an Intranet.......................................................... 11

3.2 Data Communications on the Internet ................................................................. 13

3.3 Data Communications via the Internet for Service Personnel ................ 14

4. Conclusion..........................................................................15

5. Glossary ..............................................................................17

Copyright(c) Siemens AG 2003 All Rights reserved Page 2 of 17

Excellence in Automation & Drives: Siemens


1. Motivation and Objectives

Industrial communications is yet another area in which electronic networking is becoming more and more important. Computer systems, networks and data system installations are indispensable resources, but at the same time they represent an enormous security risk, through which enormous damage may be inflicted on companies. Unfortunately, it is beyond dispute that the change from centralized to distributed computing has not made life easier for security officers and network planners with regard to their control tasks. Open internetworking between several facilities, which in some instances may even be located on different continents, determines the scene in present-day enterprises. Due to the worldwide distribution of the infrastructure and the access options that are open to everybody, the requirements for security and confidentiality are rising. Even in-house networks are no longer safe, since potential security risks may come from within. Add to that the continuous rise in espionage in trade and industry, to which an increasing number of companies are resorting as a proven weapon in times of fierce competition in order to gain a competitive edge.

1.1 Security Defined

Before taking a closer look at the different aspects of security, it is first necessary to define exactly what is meant by security. As far as this document is concerned, the security analysis applies in particular to data communications. If secure communication is possible between peers, a considerable step forward has been taken towards the objective of security on the Intranet, Extranet and Internet. Security measures consist of constraints and restrictions on the one hand but, on the other, the systems have to remain usable and user-friendly in order to ensure acceptance of the security measures by staff members. The quest for security must therefore not result in an unacceptably severe burden for system components and users alike. Furthermore, it should be possible for the measures to be implemented with a reasonable amount of manpower, investment and maintenance effort. These different interests have to be weighed against each other and weighted accordingly. However, information security makes specific basic demands on an IT system. In this instance, we have to consider the following criteria:

• Confidentiality of information: Information shall be protected against access by unauthorized third parties.

• Integrity of information: Unauthorized modification or manipulation of message content shall be detected with a specified level of confidence.

• Timeliness or sequentiality of message delivery: Any unauthorized message retiming, resequencing or replay of prior messages must be detectable with a specified level of confidence.


• Authentication and authorization of communication peers: Both the identity of a communicating peer and that peer's entitlement to participate in a communications relationship must be ascertainable with a specified level of confidence.

• Availability of information: Access to information and system services must be guaranteed at all times.

1.2 Security Risks and Types of Assault

The sophisticated architectures of today's information systems feature a large number of points of attack: information is routed through a wide range of stations on its way from the source address to the destination address, including mobile workstations, field offices, network nodes and subnetworks. It is understandable that with the new open systems architecture, access and resource usage control is slackening. Evidence of the increasing risk is provided by the rising number of computer crimes. A particular source of potential danger in this context is the Internet. The rise in the number of hosts on the Internet continues to be exponential, and so therefore is the rise in the number of potential intruders. But it is not only the hackers on the Internet who compromise information security. Studies show that roughly 80% of attacks come from inside the network, in most cases without criminal intent, simply because it is easy to do and there are usually no internal restraints. An increasing number of enterprises are being confronted with industrial espionage. The most common methods of industrial espionage are probably the theft or duplication of confidential documents, the gleaning of knowledge from persons having access to confidential material and information, or the tapping of telephones, fax machines and computer systems.

[Figure: the information resources of business and production processes (software and documents; computers and control technology; communication systems; PLCs) and the threats to them: eavesdropping, hacker attacks, data corruption, unauthorized access, espionage, sabotage, loss, theft, operator errors]

The sections below will take a closer look at the most common types of assault.


1.2.1 Computer Viruses

A computer virus is a non-autonomous program routine which propagates itself and, as a result, performs manipulations that the user cannot control in parts of the system, in other programs or in their environment. Its property of propagation is responsible for the name "virus", as in the case of its biological archetype. The possibilities of manipulation are manifold. Particularly frequent are overwriting of, or attaching the virus code to, other programs and sectors of the operating system; this always happens in such a way that the virus code is executed before the original program. Computer viruses also have a certain damaging function in many cases. The most significant damage in this respect is most certainly the loss or corruption of data and programs. The occurrence of these functions in programs may be controlled unintentionally or deliberately. As a matter of principle, we differentiate between boot viruses and file viruses. Loading of the operating system is known as "booting". The data required to boot the system are stored in the "boot sector" of floppy disks or hard disks. Boot viruses overwrite this data sector with their program. As a result, the virus code is executed when the computer starts up and is resident in RAM for as long as the computer is operating. In contrast to boot viruses, file viruses attach themselves to program files. The virus code is executed before the original program when the file is opened. The program then runs in its customary manner and the virus is not detected all that quickly.

1.2.2 Trojan Horses

Trojan horses are programs with a concealed, undocumented function or effect. In this respect they are related to computer viruses in that the user cannot exercise any influence on the execution of this function. Unlike computer viruses, however, Trojan horses do not propagate themselves. They are attached to a carrier, which can be a quite normal user program. Furthermore, even script languages, such as batch files, ANSI control sequences, PostScript and the like, which are interpreted by the operating system or user program concerned, can be abused as Trojan horses. The more privileges its carrier program has, the greater the destructive effect of a Trojan horse. A modified login program containing a Trojan horse, for example, can send the user's name and password to the perpetrator over the network and then forward them to the real login program in order to remain undetected.

1.2.3 Sniffer Assaults

One method of obtaining highly confidential data is to monitor the data packets at the Internet Protocol (IP) level. Various protocol analyzers allow a normal network station to be used as a LAN analysis system. As a result, perpetrators can obtain a large number of passwords and other confidential information in a very short time.

1.2.4 IP Spoofing

IP spoofing is a commonly used method of getting past Firewall systems and at the same time forms the basis for a number of other methods of assault. With IP spoofing, the perpetrator fakes the source IP address of the IP packets in order to identify himself as an authorized user. This form of assault is particularly dangerous when the Firewall system is a packet filter that is merely in a position to determine the origin of the data packets from their source address. In this instance, the information relating to whether the data packet concerned is an ordinary or a fake packet is lost. The data packet is treated as if it had originated from an authorized user and is forwarded.

1.2.5 DNS Spoofing

Computers connected to the Internet can be clearly identified by their IP addresses. An IP address consists of 32 bits, which are normally represented by four decimal figures between 0 and 255 - 198.22.156.94, for example. Since these numbers are not very easy to remember, it is common to assign a name to such an IP address. The procedure for doing this is known as the domain name system (DNS). For example, the Siemens WWW server can be addressed by http://www.Siemens.de and http://139.23.37.94, since the name is translated into the IP address when it is called. So-called name servers have databases at their disposal in which the corresponding IP addresses are assigned to the computer names and the corresponding names to the IP addresses. To translate a name into an IP address, a program sends a UDP packet with a suitable query to a DNS server, which searches for the name in its database and returns the result to the inquirer. We talk of DNS spoofing when a perpetrator succeeds in faking the assignment between a computer name and its corresponding IP address - in other words, a name is resolved into a wrong IP address, or vice versa.

1.2.6 ICMP Assaults

The purpose of the Internet Control Message Protocol (ICMP), as a component of the TCP/IP protocol stack, is, among other things, to report error and diagnostic information to the originator of IP packets in the event of problems occurring on the network. The sender can then react to the error. In many implementations, the TCP/IP stack's reaction to specific messages is automatic and immediate, as it has to be. A perpetrator who sends corrupted ICMP protocol elements is thus in a position to manipulate specific computer systems on the network that we have to protect.

1.2.7 Routing Assaults

Routing is the name given to the process of finding the correct path for transmitting a data packet. Protocols such as OSPF (Open Shortest Path First) or RIP (Routing Information Protocol) supply the necessary information, detect changes in network topology and inform the participating systems about such changes. This use of dynamic routing makes it possible to send current routing information to a computer, which then uses it, without prior checking, to compile its routing tables. If a perpetrator sends corrupted RIP packets, he can manipulate specific transmission paths and thus set up undesired routes.

1.2.8 Denial of Service Assaults

One of the greatest dangers on the Internet is what is known as "denial of service assaults". In these assaults, computers or individual services on the Internet are made to crash, or resources are overloaded in such a manner that they are temporarily unavailable to other users (this is why we speak of "denial of service"). One of the reasons such assaults are possible is software errors.


1.2.9 Hopping

Hopping is the unauthorized "jumping" from one remote computer system to another computer system. In doing so, the options available on the remote system are used to gain access to the other computer system. In many applications, such as remote maintenance, it is sensible to access computer systems remotely. However, it is essential that unauthorized access cannot be obtained from one computer system to other computers.

2. Security for Industrial Communication

All the security risks mentioned in section 1.2 are becoming more and more crucial for Industrial Communication. This is due to the fact that there is a definite trend to use Ethernet in addition to the established fieldbuses. At the cell level of an automation plant, Ethernet has already been in use for many years, but now it is evident that Ethernet will increasingly be used at the field level as well. The main reasons are:

• Only one (IP-based) network within the automation area, without the need for gateways between the different automation levels (vertical integration).

• Connection of the office LAN to the automation plant, so that monitoring, remote programming and diagnosis of automation devices can be done more easily, faster and more conveniently.

• IT standards such as SMTP (e-mail) and HTTP (web server) can also be used for industrial automation devices.

• Connection to a WAN for tele-service purposes with direct access to the field devices, or connection of different automation plants, is possible with minimal effort, as all the different networks have a common basis (Ethernet physics and TCP/IP).

• Ethernet offers high innovation potential. The remaining disadvantages (real-time capability, determinism) relative to specialized fieldbuses will probably be solved soon.

• Increasing use of wireless LAN and mobile PCs for commissioning and service purposes.

The increasing degree of connectivity of formerly isolated industrial communications systems increases the exposure of such systems to attack. This multiplies the need for information security to protect those systems and their communications. Standard IT security protection mechanisms and protocols exist for those base industrial communications protocols, such as TCP/IP, that are shared with the commercial IT world. Unfortunately, these same IT mechanisms and protocols are generally inappropriate for the more resource-limited communications protocols and end systems found in many time-critical applications.

2.1 Trends in Industrial Automation Networking

There is a main trend in Industrial Automation to increase connectivity. In this context we can also identify several "sub-trends":

• Using Ethernet in the field-level to simplify the connection to the cell-level and MES-level (MES = manufacturing execution system).

• Connection of Office-Networks with Automation Networks to enable direct access to the automation data and devices from the work place. This saves time and money.

• Use of wireless communication. Especially for maintenance and service, more and more wireless client PC stations are being used. This simplifies the handling, as no wires and cables are necessary.

• Remote Access via WAN is a very effective way to avoid or reduce high travel expenses of field service personnel and time delays.

• Connection of different automation plants, which are spread all over the world via WAN to exchange data.

• Use of IT functionality such as e-mail or web-based access. Status and error messages can be sent via e-mail or SMS to field service personnel. Automation devices with an integrated web server can be easily accessed via a standard web browser.


The trend towards universal communication in Industrial Automation necessitates appropriate security measures.

2.2 Security Requirements of Industrial Communication

Industrial Communication networks differ widely, and the security requirements differ from case to case. The automation network could be connected to other networks within the Intranet or even to "dangerous" networks such as the Internet or a wireless LAN. In every case, people with criminal energy and bad intentions can try to access secret information and to cause damage.

2.2.1 General Requirements

The following criteria correspond to the general security demands of Industrial Communication; these are similar to the demands of an office network.

• Confidentiality of information: Information must be protected to ensure third parties cannot access it.
Protection against data espionage

• Integrity of information: Any modification or manipulation of the information must be ruled out.
Protection against data manipulation

• Authentication and authorization of communication peers: It must be possible to establish both the identity and the entitlement of a communication peer so that no doubt remains.
Protection against spoofing

• Availability of information: Access to information and system services must be guaranteed at all times.
Protection against communication overload

• Logging: It is important to monitor access attempts to the secured devices or networks so that suitable countermeasures can be taken if necessary. Otherwise attackers could succeed if they are given enough time.
Logging of failed access attempts
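The criteria in section 1.1 (integrity, sequentiality, peer authentication) and the general requirements above (plus logging of failed attempts) can be made concrete with a small message envelope. The following is an added example written for this page, not Siemens code and not the Security Module's protocol; it uses only the Python standard library. The wire format, the peer identifiers, the pre-shared keys and how they are provisioned are all assumptions constructed for illustration. An HMAC over peer id, sequence number and payload gives integrity and peer authentication; a strictly increasing per-peer sequence number makes replay and resequencing detectable; every rejection is recorded, which is the logging requirement.

```python
"""Authenticated, replay-protected message envelope for a control message.
Added example; not Siemens code. Uses only the Python standard library.
Peer identifiers, keys and payloads are constructed for illustration."""
import hashlib
import hmac
import logging
import struct

logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")
log = logging.getLogger("envelope")

MAC_LEN = 32  # HMAC-SHA256 output length

# Constructed: one pre-shared key per authorized peer (key provisioning is assumed).
PEER_KEYS = {
    b"eng-station-01": bytes.fromhex("00" * 31 + "01"),
    b"hmi-02": bytes.fromhex("00" * 31 + "02"),
}


def seal(peer_id: bytes, seq: int, payload: bytes, key: bytes) -> bytes:
    """Wire format: len(peer_id) | peer_id | seq (8 bytes, big-endian) | payload | MAC.
    The MAC covers everything before it, so peer id, sequence number and payload
    are bound together and none of them can be altered unnoticed."""
    body = struct.pack("!B", len(peer_id)) + peer_id + struct.pack("!Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Checks authentication (known peer), integrity (MAC) and sequentiality
    (strictly increasing sequence number per peer) and logs every rejection."""

    def __init__(self, peer_keys):
        self.peer_keys = peer_keys
        self.last_seq = {}   # peer_id -> highest sequence number accepted so far
        self.failures = []   # (peer_id, reason) for every rejected message

    def open(self, msg: bytes):
        """Return the payload if the message is authentic and fresh, else None."""
        if len(msg) < 1 + 8 + MAC_LEN:
            return self._reject(b"?", "truncated")
        n = msg[0]
        if len(msg) < 1 + n + 8 + MAC_LEN:
            return self._reject(b"?", "truncated")
        peer_id = msg[1:1 + n]
        body, mac = msg[:-MAC_LEN], msg[-MAC_LEN:]
        key = self.peer_keys.get(peer_id)
        if key is None:
            return self._reject(peer_id, "unknown peer")
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):   # constant-time comparison
            return self._reject(peer_id, "bad mac")
        (seq,) = struct.unpack("!Q", msg[1 + n:1 + n + 8])
        if seq <= self.last_seq.get(peer_id, -1):
            return self._reject(peer_id, "replay or out of order")
        self.last_seq[peer_id] = seq
        return msg[1 + n + 8:-MAC_LEN]

    def _reject(self, peer_id: bytes, reason: str):
        self.failures.append((peer_id, reason))
        log.warning("rejected message from %r: %s", peer_id, reason)
        return None


def demo():
    """Constructed traffic: a valid message, its replay, a tampered message,
    a fresh message and one from a peer the receiver does not know."""
    rx = Receiver(PEER_KEYS)
    key = PEER_KEYS[b"eng-station-01"]
    m1 = seal(b"eng-station-01", 1, b"SET valve_7 OPEN", key)
    m2 = seal(b"eng-station-01", 2, b"SET valve_7 CLOSE", key)
    tampered = bytearray(m2)
    tampered[-MAC_LEN - 1] ^= 0x01           # flip one payload bit, keep the old MAC
    m3 = seal(b"intruder", 9, b"SET valve_7 OPEN", bytes(32))  # key unknown to receiver
    results = {
        "valid": rx.open(m1),
        "replay": rx.open(m1),
        "tampered": rx.open(bytes(tampered)),
        "fresh": rx.open(m2),
        "unknown": rx.open(m3),
    }
    results["failures"] = [reason for _, reason in rx.failures]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The sequence check only detects replays and reordering; it does not give confidentiality, which would need encryption of the payload on top. A real deployment would also have to bound the per-peer state and handle sequence-number rollover.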

2.2.2 Specific Requirements

There are, however, additional requirements in the industrial environment. The following criteria correspond to the demands that are specific to Industrial Communication.

• Avoid interference between automation cells: Often an automation plant consists of several automation cells or blocks, which are connected together by a backbone network. These automation cells mainly work independently of each other; they should not interfere with each other or with the backbone, nor be interfered with from the backbone.
Protection of automation cells against interference

• Inclusion of devices with no security functionality of their own: In office networks there are devices with megabytes of memory and high-end processors (PCs, printers, ...), whereas in automation networks there are typically devices with just kilobytes of memory (PLCs) and low-end processors. Such devices are not built to run encryption algorithms. Thus there will remain devices which do not have their own security functionality and which must be secured by an independent security device. In addition, PLCs or robot controllers cannot do harm in the same manner as a PC user could. Such automation devices can therefore be grouped together to form a "trusted network", so that a whole network segment can be secured rather than every device having to be secured individually.
Protection of network segments

• Avoid unintentional wrong access: An automation plant could consist of hundreds or thousands of network devices. Incorrect addressing should be prevented, e.g. if someone mistypes an IP address, access must be denied. For this requirement a low security level is sufficient.
Protection against wrong access

• Different security levels: It is evident that the security requirements in automation networks differ from case to case. Such networks could be more or less connected to other networks, they could be small or large, and the risks could be high or low. Also, a high security level means less performance than a low security level. This means a security solution for industrial communication should be adaptable to the particular requirements and needs. It should offer at least both a low and a high security functionality.
Scalability of security functionality

• Easy configuration and maintenance: Often automation networks, and especially small networks, have no explicit network administration. Also, automation engineers and technicians are mostly not security specialists. This means a security concept for automation has to be easy to use with a minimum of administration effort.
'Easy to use' security concept, configuration and administration

• No change to the network structure: It could cause problems, or at least reconfiguration work, if security measures necessitate a change of the network structure, such as new subnets or default gateways. It is therefore preferable if network changes can be avoided.
No influence on the network structure

3. Examples of Solutions

3.1 Data Communications within an Intranet

The task:

[Figure: office network connected to the automation network]


The automation network is to be given a secure connection to the office network. It involves true Intranet-based communications within the private LAN - in other words, the connection between the automation and office networks at the same facility.

The solution:

[Figure: office network and automation network linked through a security module with firewall and/or VPN functionality; VPN tunnel]

An approved method of securing networks is the use of a Firewall. A Firewall can also be used to protect the automation network against intrusion. It is particularly recommended for relatively large networks, since the risk of intrusion rises sharply with an increase in the number of users. In this way, for example, superfluous broadcasts from the office area can be filtered in order to spare the resources of the automation network. Another, very secure, way to protect the Automation Network is to use a VPN (virtual private network). An IPSec VPN, for example, offers authentication of the communication partners, encryption of the messages and checking of data integrity. As a VPN is always established as a peer-to-peer connection, every device needs to have VPN functionality or, as this is not possible for all automation devices, a VPN-Gateway that works as a VPN proxy for the automation devices. In this case the automation devices do not need their own VPN functionality. The devices in the office network that have to access the automation network also need VPN functionality. If it is possible to group these devices together, a VPN-Gateway can be used as a proxy for them as well. No other devices have access to, or can read or manipulate, the VPN-protected messages. If the automation network is large, it is useful to divide it into segments (e.g. automation cells) and to protect every segment with a VPN-Gateway. In this way, the automation cells cannot influence each other or slow down the communication, as only permitted communication is possible. This VPN-Gateway should not be a Router if the network architecture is not to be changed, as a Router always involves the creation of new Subnets.
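The packet-filter weakness described in section 1.2.4 and the filtering role of the security module in front of an automation cell described here (keep office broadcasts out, admit only permitted communication, deny mistyped addresses as required in section 2.2.2, change no subnets) can be shown together in one policy model. The following is an added example written for this page, not Siemens code and not the Security Module's actual rule engine. The module is modelled as a bridge with an "office" port and a "cell" port, so office stations and cell devices share one subnet; the addresses, the placeholder PLC programming port and the allow-list are constructed for illustration. The decisive point against IP spoofing is that the filter does not trust the source address alone but checks it against the port the frame arrived on.

```python
"""Policy model of a transparent (non-routing) security module in front of an
automation cell. Added example; not Siemens code. Addresses, ports and the
allow-list are constructed for illustration."""
from dataclasses import dataclass

PLC_PROG_PORT = 5000  # placeholder: the PLC programming service port is not given on the page
HTTP_PORT = 80        # integrated web server of an automation device

# Constructed: devices that sit on the cell side of the module.
CELL_DEVICES = {"192.168.10.101", "192.168.10.102", "192.168.10.103"}

# Constructed allow-list: which office station may open which (device, port).
# Office and cell share one subnet because the module bridges instead of routing,
# so no new subnet or default gateway is needed.
ALLOW = {
    "192.168.10.5": {("192.168.10.101", HTTP_PORT), ("192.168.10.101", PLC_PROG_PORT)},
    "192.168.10.6": {("192.168.10.102", HTTP_PORT)},
}


@dataclass(frozen=True)
class Packet:
    iface: str          # "office" or "cell": the module port the frame arrived on
    src: str
    dst: str
    dport: int = 0      # 0 where the port does not matter for the decision
    broadcast: bool = False


class SecurityModule:
    def __init__(self):
        self.log = []   # (packet, reason) for every drop, kept for later review

    def decide(self, p: Packet) -> str:
        if p.iface == "office":
            # Anti-spoofing: a cell address can never legitimately arrive on the office port,
            # whatever the source field claims.
            if p.src in CELL_DEVICES:
                return self._drop(p, "cell source address on office port (spoofed)")
            # Office broadcasts stay out of the cell to spare its resources.
            if p.broadcast:
                return self._drop(p, "office broadcast not forwarded into cell")
            if (p.dst, p.dport) in ALLOW.get(p.src, set()):
                return "ACCEPT"
            # Default deny also catches a mistyped destination address.
            return self._drop(p, "no matching rule (default deny)")
        # Cell side: only known cell devices, and only towards authorized office stations.
        # (A real module would track connection state; this model is stateless.)
        if p.src not in CELL_DEVICES:
            return self._drop(p, "unknown source on cell port")
        if p.dst in ALLOW:
            return "ACCEPT"
        return self._drop(p, "cell device may not reach unauthorized host")

    def _drop(self, p: Packet, reason: str) -> str:
        self.log.append((p, reason))
        return "DROP"


def demo():
    """Run constructed traffic through the module; returns decisions and the drop log."""
    m = SecurityModule()
    cases = {
        "engineering_to_plc": Packet("office", "192.168.10.5", "192.168.10.101", PLC_PROG_PORT),
        "mistyped_address":   Packet("office", "192.168.10.5", "192.168.10.110", PLC_PROG_PORT),
        "spoofed_source":     Packet("office", "192.168.10.101", "192.168.10.102", PLC_PROG_PORT),
        "office_broadcast":   Packet("office", "192.168.10.7", "192.168.10.255", broadcast=True),
        "plc_reply":          Packet("cell", "192.168.10.101", "192.168.10.5"),
        "rogue_cell_host":    Packet("cell", "192.168.10.250", "192.168.10.5"),
    }
    results = {name: m.decide(p) for name, p in cases.items()}
    results["drops"] = [reason for _, reason in m.log]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Traffic between two devices inside the cell never crosses the module and is therefore not subject to these rules; that is exactly the "trusted network" segment of section 2.2.2. Because decisions depend on the arriving port, a spoofed source address buys an attacker nothing on the office side, which a pure source-address filter cannot guarantee.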


3.2 Data Communications on the Internet

The task:

[Figure: a computer and a remote network reaching the automation network across the Internet, each via a local ISP]

A network connection is required to be implemented via the Internet. Access to the Internet is normally provided via the public telephone network and the dial-in point of the local Internet service provider (ISP). The important difference from the scenario described in section 3.1 is the permanent presence of criminal elements such as hackers or crackers, which poses a large threat to the data communication and to the security of the Automation Network, as this has to be opened to the Internet. In addition, several third-party operators (telephone companies, ISPs, Internet) are normally involved, either directly or indirectly.

The solution:

[Figure: a computer and a remote network connected via local ISPs and a VPN tunnel over the Internet to a VPN gateway and Firewall in front of the automation network]

To guarantee a secure communication link in this instance, a combined solution consisting of a VPN and a Firewall system is recommended. As an Automation Network is commonly part of a LAN that is already secured by a Firewall, often only the VPN functionality has to be added. This can be done in the same manner as described in section 3.1, with one or more VPN-Gateways which secure the Automation Network or parts of it.


3.3 Data Communications via the Internet for Service Personnel

The task:

[Figure: notebook with modem linked via local ISPs and the Internet to the automation network (link: service personnel to automation network via Internet)]

Service Personnel or SOHOs (Small Office, Home Office) are required to have remote access to the automation network via the Internet. In contrast to LAN-to-LAN links, just one computer will be connected to the automation facility.

The solution:

[Figure: notebook with modem acting as VPN client, connected via a local ISP and a VPN connection over the Internet to the VPN gateway and Firewall in front of the automation network]

As in the previous section, the Automation Network is protected by a Firewall system. Data security on the Internet is again guaranteed by a VPN connection. The special feature of this solution is that the mobile client establishes the connection to the dial-in node directly; in other words, no additional client-side gateway is involved. Equipped with a modem or ISDN card, the notebook can operate as a VPN client. A requirement for this is that the requisite VPN client software is installed on the notebook. The most important features of this solution are as follows:

• Only authorized users can access the network.

• The data is encrypted prior to transmission over the VPN.

• The Automation Network is protected by the Firewall system.


4. Conclusion

The significance of information, data and communication has increased rapidly over the past few years. Assaults on the integrity and availability of this data, including sabotage of systems, frequently result in enormous financial losses. In an industrial environment, there are also a large number of risks and threats to information security. On the other hand, there is a whole avalanche of new security products, all of which claim to be the one and only real product to satisfy the requirements. But such products are normally dedicated to use in office networks and do not consider the special requirements of Industrial Communication mentioned in chapter 2.2.2. For this reason, SIEMENS offers a security solution optimized especially for Industrial Automation, which meets the specific requirements of this environment. The name given to this solution is “Security Module”, as it can be a Software Module, e.g. for client PCs, or a Hardware Module such as a network component like a switch with a security port. The Security Module offers the following security functionality:

• Packet Filter Firewall without restrictions regarding the dimension of the protected network

• IPSec-based VPN for a high security level

These functionalities can be used independently or combined. The configuration is possible without detailed knowledge of security mechanisms. Furthermore, the Security Modules work transparently: a (hardware) Security Module is able to secure a whole network segment with several devices. As a matter of course, the Security Modules work independently of the IP-based communication protocols used, and even layer 2 communication protocols can be handled. The Security Module is able to reduce the security risks for an Automation Network to a minimum without placing restraints on the usability and functionality of the network. The configuration is easy enough that personnel with in-depth security knowledge are not a must.
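The combined Firewall/VPN arrangement of sections 3.2 and 3.3 and the access-list function of the Security Module described above, as an added example that is not code from the white paper or from Siemens: a small first-match packet filter that only lets IKE and ESP from the Internet reach the VPN gateway, drops plain access to the automation segment, and admits decrypted tunnel traffic only from the authorized remote subnet. All addresses, subnets, ports and sample packets are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    iface: str      # arrival interface: "inet" (Internet side) or "vpn" (decrypted tunnel side)
    proto: str      # "udp", "tcp" or "esp" (IPsec ESP, IP protocol 50)
    src: str
    dst: str
    dport: int = 0  # 0 = no port (ESP has none)

@dataclass(frozen=True)
class Rule:
    action: str     # "accept" or "drop"
    iface: str      # interface name or "any"
    proto: str      # protocol name or "any"
    src: str        # source CIDR
    dst: str        # destination CIDR
    dport: int = 0  # 0 matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("any", p.iface)
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.dport in (0, p.dport))

# Constructed addressing for the demo (assumptions, not values from the paper).
AUTOMATION_NET = "192.0.2.0/24"   # protected Automation Network
VPN_GATEWAY = "198.51.100.1/32"   # public address of the VPN gateway
REMOTE_SUBNET = "10.10.0.0/16"    # authorized remote network / VPN clients inside the tunnel
# Ordered access list: the first match decides, and the last rule is an explicit default deny.
ACCESS_LIST = [
    Rule("accept", "inet", "udp", "0.0.0.0/0", VPN_GATEWAY, 500),  # IKE negotiation to the gateway
    Rule("accept", "inet", "esp", "0.0.0.0/0", VPN_GATEWAY),       # encrypted tunnel traffic
    Rule("accept", "vpn", "any", REMOTE_SUBNET, AUTOMATION_NET),   # decrypted traffic from authorized peers only
    Rule("drop", "any", "any", "0.0.0.0/0", "0.0.0.0/0"),
]

def filter_packet(p: Packet, rules=ACCESS_LIST) -> str:
    # Return the action of the first matching rule; anything unmatched is dropped.
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"

if __name__ == "__main__":
    # Constructed samples: IKE to the gateway passes, plain PLC access from the Internet does not.
    print(filter_packet(Packet("inet", "udp", "203.0.113.7", "198.51.100.1", 500)))  # accept
    print(filter_packet(Packet("inet", "tcp", "203.0.113.7", "192.0.2.10", 102)))    # drop
```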


Features and Functionalities of the Security Module:

[Figure: Security Module with its properties]

• Security function: Access list

• Security function: Virtual Private Network (VPN)

• Scalable

• Ease of use

• Protocol-independent

• HW or SW Module

• Transparent

• Based on Standards

Example: Security Module as Network Component:

[Figure: Security Module as Network Component]


5. Glossary

AAA – Authentication, Authorization, Accounting
ANS – Adaptive Network Security
ATM – Asynchronous Transfer Mode
BDC – Backup Domain Controller
BRI – Basic Rate Interface
CA – Certification Authority
CHAP – Challenge Handshake Authentication Protocol
DES – Data Encryption Standard
DMZ – Demilitarized Zone
DNS – Domain Name System
FTP – File Transfer Protocol
ICMP – Internet Control Message Protocol
ISAKMP – Internet Security Association and Key Management Protocol
ISP – Internet Service Provider
IKE – Internet Key Exchange
L2F – Layer 2 Forwarding
L2TP – Layer 2 Tunneling Protocol
MD – Message Digest
NAT – Network Address Translation
PAP – Password Authentication Protocol
PEM – Privacy Enhanced Mail
PGP – Pretty Good Privacy
PKI – Public Key Infrastructure
PoP – Point of Presence
PPTP – Point to Point Tunneling Protocol
PSTN – Public Switched Telephone Network
RADIUS – Remote Authentication Dial In User Service
RAS – Remote Access Service
SOHO – Small Office, Home Office
RSA – Rivest, Shamir & Adleman Algorithm
SHA – Secure Hash Algorithm
SSL – Secure Socket Layer
SSN = DMZ – Secure Server Net = Demilitarized Zone
TACACS – Terminal Access Controller Access Control System
VPN – Virtual Private Network
WAN – Wide Area Network