Defense in depth means using multiple layers of protection, so that attackers need to bypass or overcome several firewalls or similar products before they reach the control layer and can cause havoc with plant operation. Defense in depth could be deployed with, as a minimum, a firewall between each layer of the enterprise and a data historian system as a buffer on Level 3 between the control system and the business LAN. Level 3 is often referred to as a Demilitarized Zone or DMZ and is where all the information transferred between the control and business systems is accessed. The business system can only poll for data from the historian and not write commands directly to the control networks; similarly, any information that the control system requires, such as accounting, laboratory and ERP data, is stored on this system and then forwarded to the appropriate application on the supervisory control system.
Unfortunately, the DMZ, though an excellent tool, isnt sufficient to provide all the protection required. This is in part because there are many back doors to the typical control system from the dial-up modem or in some cases direct Internet connection for technical support to the wireless networks that for some reason do not recognize site boundary limits. (See sidebar.) Therefore, the defense in depth must continue through to the field layer and the products to go in that environment must also be able to operate in what regularly is a Zone 2 (Division 2) classified area.
Of course, the solution to the problem must not be more difficult than the problem itself. Whats required is a simple modular solution thats easy to install and configure using techniques with which control engineers are familiar.
A number of manufacturers have released industrially hardened firewalls that require the system administrator to understand System Network Management Protocol (SNMP) and other associated command sets (remember DOS text string commands?) to properly configure each network node. This form of product is manually intensive to maintain, so the firewall manufacturers are now making front ends to assist in the configuration. One vendor is designing a new concept from the ground up to be both electrician and control-engineer friendly to the extent that, if desired, the system for the entire company can be remotely managed from a central location.
Figure 2. Besides firewalls between each level, such arrangements usually include a demilitarized zone.
There are many incentives to improve the degree of protection of your industrial network system, including:
- Chemical plants deemed high risk by the U.S. Department of Homeland Security now for the first time must take specific steps to ensure security (See the June cover story).
- Data from the Industrial Security Incident Database  describes a number of events that directly impacted process control systems and shows that the amount of cyber incidents against SCADA and control systems worldwide has increased significantly since 2001 (Figure 3).
Figure 3. The number of cyber incidents has sharply increased in recent years. Source: Reference 1.
- Studies show that in a typical corporation 80% to 90% of all control networks are now connected to the enterprise network so, although the automation systems themselves rarely are directly connected to the Internet, they wind up interconnected to the Internet in myriad ways . This, combined with the increased use of Commercial Off The Shelf (COTS) technology, raises the vulnerability of a control system to attack.
As Jim Wells recently noted , They (IT) have the responsibility to make sure this portion of the network is safe and secure. Control system engineers have the same responsibility to make sure these control networks are sound and secure. A well managed admin network employs tools like Active Directory, automatic virus scans [which require considerable processor overhead, sometimes increasing processor utilization 60% to 80%] and patches. Conversely, a well managed control network has no unnecessary overhead, no unauthorized external influence, delivers critical information in guaranteed time slots and is fault tolerant or redundant. Therefore with noble and best intentions both groups head in different directions.
One other difference between IT and control networks is that the goal of the IT group is to protect the core of servers, if necessary by sacrificing one or two remote desktops. Those responsible for control systems, on the other hand, must first and foremost look after the edge devices, such as PLCs and remote I/O, that are directly connected to and controlling the process because if something goes wrong there process stability and hence plant safety and reliability are at risk.
Modern digital integrated control systems offer significant benefits but at the price of a possible increase in risk. Our role as engineers is to manage and minimize that risk.
- Byers, E., D. Leversage and N. Kube, Security incidents and trends in the SCADA and process industries: A statistical review of the Industrial Security Incident Database, Symantec Corp., Cupertino, Calif. (2007). Available online at http://www.controlglobal.com/whitepapers/2007/010.html.
- Dorey, P., Security management in process control: The 3 waves of adoption, presented at Spring 2006 Conference, Process Control Security Forum, Falls Church, Va.
- Wells, J., The great IT divide: good intentions separated by common objectives, Industrial Ethernet Book (Feb. 2007). http://ethernet.industrial-networking.com/articles/articledisplay.asp?id=1588.
Ian Verhappen is director, industrial networks, for MTL Instrument Group, and is based in Edmonton, Alta. E-mail him at firstname.lastname@example.org.