
Module 3 Technologies

Explore the various types of networking hardware used in industrial control systems (ICS) and the purpose of each. Learn about common communication protocols and network standards used in ICS. Discover new network applications like TCP/IP and how to secure them. Understand the differences between IPv4 and IPv6. Discuss the unique challenges of securing devices associated with ICS. Apply network administration principles to secure critical infrastructure and key resources (CIKR).

seifert

Presentation Transcript


  1. Module 3 Technologies

  2. Lesson Objectives
     • List several types of networking hardware and explain the purpose of each.
     • List and describe the functions of common communications protocols and network standards used within CI.
     • Identify new types of network applications, such as TCP/IP, and how they can be secured.
     • Identify and understand the differences between IPv4 and IPv6.
     • Discuss the unique challenges/characteristics of devices associated with industrial control systems.
     • Explain how existing network administration principles can be applied to secure CIKR.

  3. Comparison of Information Technology versus Operational Technology Source: CNSSI No. 1253

  4. Major Components of an ICS
     • Control Server
     • SCADA Server or Master Terminal Unit (MTU)
     • Remote Terminal Unit (RTU)
     • Programmable Logic Controller (PLC)
     • Intelligent Electronic Devices (IED)
     • Sensors/Actuators
     • Human-Machine Interface (HMI)
     • Data Historian
     • Input/Output (IO) Server
     Figure, from top left, clockwise: Programmable Logic Controller (PLC); rack and servers located in an Energy Operations Center; temperature sensor; actuator. Source: CNSSI No. 1253

  5. Network Components
     • Many different architectures and network topologies exist within control systems.
     • Most of these networks now communicate over the Internet or over corporate networks.
     • Major components of an ICS network may include:
       • Fieldbus network
       • Communications routers
       • Firewall
       • Modems
       • Remote Access Points

  6. Fieldbus Network – IEC 61158
     • An industrial network system connecting instruments, sensors, and other devices to a PLC or controller.
     • Eliminates the need for point-to-point wiring between the controller and each device, as devices share a common communication channel.
     • Typically fieldbus protocols are proprietary, and controllers interfacing with fieldbus usually have less computing capability.
     • Inherently insecure, due to its shared nature.

  7. Routers
     • Routers are network layer devices that transfer data between two different networks.
     • Commonly used in SCADA networks to connect MTUs and RTUs to a long-distance medium for SCADA communication.
     • Routers used in SCADA environments may be “ruggedized” as they must operate in field conditions.
     • Many come with SCADA-aware firewall capability.
     Figure: Router between 3 LonTalk networks. Source: CNSSI No. 1253

  8. Firewalls
     • A network security device that monitors and filters traffic on a network using predefined “rules” or policies.
     • Used to segregate ICS networks from corporate networks.
     • Different types of firewalls can be deployed:
       • Stateless, or packet filtering – Older firewalls that operate at the Network layer (Layer 3) only, matching traffic against predefined rules. Because of their size and cost-efficiencies, these are commonly built into devices but have many security vulnerabilities.
       • Stateful – Operate at the Transport and Network layers of the OSI model, examining each packet and deciding whether it is allowed based on context (what has been received before).
       • Application – Examine application-layer data (HTTP, FTP, browser requests). Because they have to read further into the data packets, they are often too slow for ICS networks.

  9. Modems
     • Modulators/demodulators. Modems convert digital signals to analog so that they can be transmitted over analog phone lines.
     • Used in SCADA systems to transmit data between MTUs and remote field devices.
     • Also used in SCADA systems, DCSs, and PLCs for gaining access to manage devices and perform maintenance or diagnostics to troubleshoot issues.

  10. Remote Access Points Devices, such as personal digital assistants (PDAs), phones, tablets, or laptops, that remotely access data over a local area network (LAN) through a wireless connection.

  11. Communications Protocols
     • Proprietary – Specific to a hardware manufacturer. Limited, if any, compatibility with other equipment or protocols.
     • Open Architecture – Designed to be interoperable with equipment and standards.
     Popular open communication protocols:
     • LonWorks
     • BACnet
     • Modbus
     • DNP3
     • HART

  12. Modbus
     • Created by PLC manufacturer Modicon in 1979 for use with its programmable logic controllers (PLCs); now owned by Telemecanique
     • Established (de facto) standard as it is a simple protocol to transmit data over serial lines between electronic devices
     • Modbus TCP/IP runs over a TCP/IP network

  13. IPv4 vs. IPv6
     • As with Modbus, many systems are converging with data networks, or sending data over the Internet, encapsulated in TCP/IP packets.
     • TCP/IP is a protocol suite, developed in 1974, that was adopted for communications over the Internet.
     • IPv4, developed in 1974, is limited by its 32-bit address space in its ability to support the number of devices that would be needed with large-scale addressable.
     • IPv6 was developed in 1998 and, in addition to supporting a 128-bit address space, contains many security features not in IPv4:
       • Support for authentication of origin (prevents spoofing)
       • Encryption
     • While the Internet backbone is IPv6, many private networks run IPv4 to support legacy devices.

  14. ICS Device Challenges
     “Compromise of devices that run or are connected to different critical infrastructure systems could have the potential for major economic disruption, kinetic damage impacting public safety, or in extreme cases, catastrophic failure of national infrastructure or critical systems.”
     — NSTAC Report to the President on the Internet of Things, National Security Telecommunications Advisory Committee

  15. ICS Device Challenges (cont. 1)
     Summary of NSTAC findings:
     • It is estimated that, by 2020, there will be as many as 50 billion or more Internet-connected devices (sensors, processors, actuators), most of these directly supporting the nation’s critical infrastructure systems.
     • Most of these will be controlled remotely, across the public Internet, from personal smartphones or tablets.
     • If security is not made a core consideration, “there will be significant consequences to both national and economic security.”

  16. ICS Device Challenges (cont. 2)
     The many required connections to other networks and the Internet afford opportunities to attackers.
     • Absence of basic security “hygiene” in legacy networks.
     • Many ICS devices are too small to support authentication or encryption.
     • Patching is difficult; most often devices are disposed of rather than patched.
     • Many field-located devices must operate in harsh conditions, requiring them to be “ruggedized.”
     • Prolific use of proprietary protocols and even operating systems complicates interoperability, security, and support.

  17. Network Architecture for Nuclear Power Plant

  18. Securing Critical Infrastructure and Key Resources (CIKR)
     • Practice “defense-in-depth,” integrating people, technology, and operations capabilities.¹
     • Minimize known vulnerabilities and design devices to be future compatible.²
     • Identify and assess security vulnerabilities.²
     • Develop interoperable security and trust frameworks to enable threat information sharing.²
     • As industries update to new technologies, need to segment/separate from networks still containing legacy devices.³
     ¹ Glossary of Key Information Security Terms, NISTIR 7298 Revision 2, NIST.
     ² NSTAC Report to the President on the Internet of Things, National Security Telecommunications Advisory Committee.
     ³ Guide to Industrial Control Systems (ICS) Security, NIST Special Publication 800-82 Revision 1.

  19. ICS Firewall Design Considerations
     • ICS networks should be segregated (separated) from the corporate network.
     • Use a stateful inspection firewall:
     • Deny all, grant by exception, blocking all traffic to the ICS network, except specific ICS traffic.
     • Enable strong authentication (passwords, multi-factor authentication using tokens, biometrics, smart cards) to the ICS network.
     • Design in the capability to disconnect the ICS network from the corporate network in the event of a compromise to either.
     Figure: “Firewall with DMZ between Corporate Network and Control Network”

  20. Last Slide
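
Slides 8 and 19 describe stateful inspection and "deny all, grant by exception" for traffic into the ICS network. The following Python example is added here and is not part of the original presentation: it contrasts a stateless packet filter with a stateful, default-deny filter that grants only one Modbus/TCP flow. The addresses, the read-only function-code policy and all function names are assumptions made for illustration; the frame layout is the standard Modbus/TCP header.

```python
import struct

# Assumed policy (constructed addresses): only the DMZ historian may open
# Modbus/TCP (port 502) to the PLC, and only read function codes are granted.
ALLOWED_FLOWS = {("10.10.0.5", "192.168.1.20", 502)}
READ_ONLY_CODES = {1, 2, 3, 4}  # read coils / discrete inputs / holding / input registers

def modbus_function(payload):
    """Return the function code of a well-formed Modbus/TCP frame, else None."""
    if len(payload) < 8:
        return None
    _tid, proto, length, _unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:  # length counts unit id + PDU
        return None
    return payload[7]

def stateless_allows(src, sport, dst, dport):
    """Packet filter: matches addresses and ports only, with a 'reply' rule."""
    return (src, dst, dport) in ALLOWED_FLOWS or (dst, src, sport) in ALLOWED_FLOWS

class StatefulFilter:
    """Default deny; remembers connections opened by a granted SYN."""
    def __init__(self):
        self.connections = set()

    def check(self, src, sport, dst, dport, syn=False, payload=b""):
        if syn:
            if (src, dst, dport) not in ALLOWED_FLOWS:
                return "deny: flow not granted"
            self.connections.add((src, sport, dst, dport))
            return "allow"
        if (dst, dport, src, sport) in self.connections:
            return "allow"  # reply that belongs to a tracked connection
        if (src, sport, dst, dport) not in self.connections:
            return "deny: no tracked connection"
        if payload and modbus_function(payload) not in READ_ONLY_CODES:
            return "deny: function code not granted"
        return "allow"

def frame(function_code, data=b"\x00\x00\x00\x01", tid=1, unit=1):
    """Build a constructed Modbus/TCP frame for the demonstration."""
    pdu = bytes([function_code]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

if __name__ == "__main__":
    fw = StatefulFilter()
    print(fw.check("10.10.0.5", 40000, "192.168.1.20", 502, syn=True))
    print(fw.check("10.10.0.5", 40000, "192.168.1.20", 502, payload=frame(6)))
    print(stateless_allows("192.168.1.20", 502, "10.10.0.5", 41000))
```

The last line shows the stateless filter accepting a "reply" for which no connection was ever opened; the stateful filter rejects the same packet because it has no record of that connection.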
