Control System Hacker Security - Internet Connections

There has been significant concern in the government and in industry groups about "cyber security" and critical control systems controlling
power, water and sewage, and major industrial plants. I have a couple of questions:
First: how many of you here have worked with a control system (DCS, PLC, SCADA, whatever) that was connected to the Internet directly or connected to a company network that had a connection to the Internet (even if through a firewall)?
Second: Are there any commercially available forms of communications that are physically one-way? That is, physically are not capable of two-way communications. For example, an optical link with a "transmitter" on one end and a "receiver" on the other end. Data can flow only one way.
Thanks,
John
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload

We have many motion controllers that are connected to and can be tuned or moved over the internet. We keep 3 controllers on the internet in different configurations to do sales demos and remote training. We are not concerned about security because we want to make our controllers easily accesible. However, our customers have let me tune their systems over the internet , but I must enter name and password before I can access their systems. My account or accesses is only activated for the time I need to tune the systems. I think most security systems are VPNs. With a little care, remote access can save lots of money. Nothing beats unplugging the internet connection when not in use.
Peter Nachtwey
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload

At least two of our clients that I know of (both Petrochemical companies) have the plant control systems (both PLCs) connected to the Internet via a firewall+the Office LAN+another firewall. One site uses Cisco, the other one I'm not sure...
In one other case (a high-risk Shell site) they wanted to, but we managed to convince them that PCAnywhere would fulfil their remote access requirements without the security risk - even then, they unplug the modem when not in use.

Yes. You can set up a high-speed RS232 link this way - not bad for ODBC-style connections if all you want is to populate an Internet Explorer grid on the manager's PC - and with 1 second updates, there is no way to hack it whatever you try - but the data itself is not all that secure.
Example: In one case, we set up a separate Internet-connected PC for Manager access and used CitectSCADA to communicate directly with the PLC over RS232 - no control screens or anything, just the database.
If you are considering remote Internet access, yet another option is to use Modbus/TCP on the standard TCP/IP port numbers to add a bit more security (I'm not sure how many hackers are familiar with Modbus!).
...and, to date, none of these client's site have ever been hacked into, so do these solutions really work or have these clients just been lucky??
I hope this helps, Cameron:-)
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
Hi,

There is a problem with it. Although you don't send any data back at the application level, TCP/IP needs two-way communication for flow control, be it RS-232 or Ethernet. It needs to acknowledge received packets, and ask to resend missing ones. So, one-way link won't work in this case. UDP may be considered for one way comms, but the integrity of the data stream won't be insured. Besides, HTML (IE was mentioned above) runs over TCP/IP, so additional measures are needed for this solution to work.

Did you cut the TX wire on one side of the link?

This is a very very bad idea to rely on hackers' ignorance. They wise up pretty quickly, so it is an accident waiting to happen.
Regards, Andrey Romanenko
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
Andrey,

I recall many years ago when a power generating plant needed data from the transmission 500KV switchyard near the plant, and the plant people were very concerned about accidental high voltage connections and lightning surges, they used a one way optical fiber link. This was in the days before fiber optic communications had really come about. The switchyard (a separate part of the corporation) had a little Data General minicomputer (I date myself!) that contained a table it would fill with the necessary data. A program would output on the optical link a sync signal then each variable in the table in order and repeat. At the power plant end our computer would monitor the optical receiver, looking for the sync signal, and filling a table with the data, so that the table in the computer in the plant would always be the same as the table in the switchyard. We only received data. The reason for the one way link was that in those days if we wanted two way communications we would have to buy two of them. We had no intent of controlling anything in the switchyard, just monitoring some variables (Including some weather info.) It was absolutely hacker proof. A hacker in the power plant could get hold of data such as wind speed and temperature, but could not possibily do anything to the switchyard.
Does any such thing still exist on the market?

Agreed. I don't think any typical computer geek would know Modbus, but the hacker could be a fired employee, or an unsuccessful job seeker who had paranoid ideas about why he wasn't hired into the I&C department.
John www.jashaw.com/pid
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload

John, it doesn't take much to set something like this up using RS232 Optic Fibre Modems (like B&B Electronic's FOSTC www.bb-elec.com) and a bit of custom code.
If you prefer something off-the-shelf, try Electromatic's "Dupline" system (www.dupline.com). This works in a similar fashion to the system you mention - and they have optic fibre interfaces available.
I hope this helps.
Cameron:-)
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
Jonh,
Obviously, I didn't mean one-way comms are impossible in general. It is definitely doable and it does improve your security odds. My intention was solely to criticaly analyze the solution proposed by Cameron for possible flaws. I think we all learn from such exercise.

The fired employee scenario is tough because while it is possible to change passwords everywhere, the Modbus memory maps of PLCs and so on will stay untouched. That is why it is better to be healthily paranoid about security <grin>. Security by obscurity is the worst case of insecurity.
Regards, Andrey Romanenko
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
wrote:

Explorer
Who's talking about TCP/IP?? That's way too clunky for serial comms!!
A simple example: 1. Set a PLC RS232 comm port up as Modbus Master, 19.2kbaud (RTU or ASCII take your pick). 2. Set a PC up on the Office LAN using CitectSCADA (or your own custom VB software for all you like) with a PC RS232 serial port set up as Modbus Slave. 3. Program "block write" instructions in the PLC to update the data registers at the PC end once a second. Cut the PC's TxData line if you must. 4. Allow people access to the PC using OPC or HTML or whatever you like to read data from the underlying database and lock out everything else.
Note that all communications with the PLC are one-way and, since *all* the data is refreshed once per second (or as fast as you like), if someone changes it remotely it will be refreshed on the next scan. No access to the PLC is possible and, even if the TxData line was still there, the worst a hacker could do is stop the link - once he found out how it worked.

Yes.
use
security
It's also a bad idea to give them more credit than is due. You need to work out how much security you really need and how much it wil cost to do it.
With the scenario I've mentioned (two firewalls and a one-way data link) I suspect that any sane hacker would target something on the Office LAN and write the Process LAN and one-way links off as too much trouble.
Think about it.. How do they know it's a one way link unless you give them drawings? How long is it going to take them to work it out? How long do they have before they're discovered??
Cameron:-)
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload

I am sorry for being picky but we're talking security here: As you mentioned Internet Explorer, I (mistakingly?) assumed you used HTML/XML/whatever over TCP/IP. Maybe you had another (custom) application as an add-on, and IE was the launcher.
PPP encapsulating IP or even good old SLIP will do fine on RS-232 at a refresh rate of 1s that you mentioned. But speed is not of concern here.

This is where your project stops, unless you give up calling this protocol Modbus as per "Modbus Application Protocol Specification". You indeed may use function 0x10 "write multiple registers" from the master, PLC that is, but the slave, PC, has to send a reply (response PDU) back to the PLC. Otherwise you are not using a compliant Modbus implementation. Nevertheless, such setup does provide one-way comms. Just don't sell it as Modbus.
[]

Absolutely. You may find out, though, that the specs are readily available, for example, at www.modbus.org. And if I am not mistaken, there is even an RFC concerning Modbus/TCP.
[]

And is it worth the effort in the first place? These are valid questions. However, it is recognized what the danger is out there. That's why you see ISA concerned: ISA-TR99.01-2004 "Security Technologies for Manufacturing and Control Systems" and ISA-TR99.00-02-2004 "Integrating Electronic Security Into the Manufacturing and Control Systems Environment.
Regards, Andrey Romanenko
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
Andrey,
wrote:

the
work.
You are correct. The intention is to write off the dual-firewall-protected "Management Information PC" as a potential target and "secure" the incoming data path instead, by making it one-way only.
Practically, you could use any protocol you like to do this (even write your own using a Basic Module if you have the time) - but I have found that the simpler the protocol, the better.
The only requirement is that it be Single-Master (rules A-B's DH1 out) and that Software Handshaking can be disabled (rules Siemens 3964R out). It is assumed that it is physically impossible to access this link from the outside (it is usually contained within the Control Room - and certainly within the plant itself). A HDLC protocol (like Sy/Net) is good if you can find one - it's harder to tamper with.

here.
Both of these require software handshaking (the TxData line) unfortunately.

ASCII
VB
is,
Nevertheless,
Okay. This is what I used as my example since it was relatively easy to get Modbus comms on the Siemens S7 PLC we used at that particular site. Unlike many other protocols, Modbus can be readily set up to not care if it doesn't get a reply. Actually, when it comes to security, departures from the standard are probably a "good" thing! ;-)

them
do
and
Thanks for the links - I was not aware these documents had been issued, although I had heard they were working on it. Personally, I think they're a little misguided..
The reason I think these documents are misguided is that they assume Companies have done all they can. In the vast majority of sites inspected, even changing default passwords is enough to increase security! It was an eye-opener for me...
And here the Millenium Bug actually helped - a study done by the ANZ Bank back in 1999 flagged vulerabilities in what they called "High Impact Targets" (or HITs) - sites where loss of control would cause physical or financial danger to the company or it's customers. The final recommendation was that HIT sites *do not* get physically connected to the Internet (or even a dialup modem in some cases) - ever!... even if it means running their own private optic fibre (not copper) network for kilometres to get the remote connectivity they need.
As far as control system security goes, the biggest danger is access to Control Rooms by unauthorised (or previously authorised) people. Someone physically *in* the Control Room can do far more damage than a "hacker" can from the outside - and I have seen few Control Rooms where a guy on the inside couldn't get his "friend" unrestricted access.
For an example of a well-secured site, try the fuel farm at Changi Airport, Singapore.. ;-)
Cameron:-)
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
Cameron,

Back in my days of working at a major DCS vendor (before 1994) we offered the option of a modem that would allow our technicians at the factory to dial in an examine system software (and possibly make changes. Many customers took the option, but very few actually connected the modem until a voice conversation between a plant or our field technician was in voice conversation with the factory. Then the modem was plugged in, the call made and work done, and the modem unplugged. Other customers would not even allow the modem at all. My understanding was that pharmaceutical companies generally would not allow modems on systems actually controlling a process (or that would be conttrolling a process).

previously authorised) people.<<
Very true. In some plants, even though I was well known and visited prequently, it woould require a long procedure of signing in and showing ID, then being escorted to get control room access. There are others where I could walk right in without even signing in. In general, the security of plants is increasoing, but not fast enough, IMHO.

Airport, Singapore.. ;-)<<
Very true. I have been through Changi several times, and was always impressed with the security (even back in the mid 1980's. I don't think I would even try to approach the tank farm without being with a security officer.
Regards, John
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
snipped-for-privacy@jashaw.com (John Shaw) wrote in message

I have been in several plants where ID's, badges and escorts were required if you came in the front door, but you could park in the back and walk in through the loading dock door carrying toolboxes and a laptop without being stopped.

Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
John Shaw wrote:

Yes the problem is much greater than anyone with knowledge, like to admit.

You have to evaluate the risk. Some things do not matter, other matter tremendously. An audit or comprehensive architecture design review is warranted, but expensive and often not very well performed by folks that have just gotten on the bandwagon, or who come from a traditional MIS background. You need a controls engineer to set up this architecture, who is also an accomplished secruity hack.

What you seek can be performed in a variety of ways, including but not limited to custom hardware and software. It can also be done with configurations of existing equipment so that your bidirectional traffic flows become asysmetric and filtered. This is complex, and requires monitoring the implementation to ensure robustness and integrity.
My favorite, but I'm a linux/BSD type of hack, is to use OSPF internally in the network. OSPF, Open Shortest Path First, is use by complex networks to efficiently route data traffic, such as carriers. OSPF can be configured to give you unique security via obscurity.
If you want a simpler solution, configure your firewall to drop the outbound traffic. It'd be best to implement a custom firewall, rather that fight with the MIS folks.
Last, no matter how you acheive this, you wan to use an IDS, Intrusion Detection System, to verify that your internal traffic is indeed clean, and approved, regardless of how you implement a solution. To do this you have to LEARN how security works, not purchase a product. Due to my knowledge, I could that a few old 486 computers and acheive what your want. I'm a consultant, expensive, and overworked (not looking for more work) but, surely you can find somebody that understands controls and can double as a network secruity hack?
good luck, James

Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
Everybody,
Thanks for the information. The reason for the original question was a US GAO report, http://www.gao.gov/new.items/d04354.pdf , CRITICAL INFRASTRUCTURE PROTECTION Challenges and Efforts to Secure Control Systems, GAO 04-354, March 2004. concerning the protection of critical power plants, industries, utilities, etc. due to the control system being connected, directly or indirectly, to the internet. I had also been asked for comments on the report, the level of risk, and means to prevent "cyber attacts".
My opinion is that a control system in any real plant where an attact could be disruptive or dangerous simply should not be connected to the Internet. I know that advances are being made in firewalls and other security measures, but I still don't know that we can bet so much on software protection measures. We have to assume that a group threating the control system may include ex-employees and others knowledgable about the control system communications (perhaps even with some pass words).
I don't know how many control systems are connected to the Internet. In my own experience I have yet to see such a connection. But from reports, including the GAO report, I know that they exist.
Sometimes people who are not going to be near the control room may need information from the control system on production rates, etc. If top management wants to know every detail, I would consider that micromanagement. Perhaps the manager should apply for a job as an operator :-}
I think that if there is a real need to supply data from the control system to a company wide information system the best method is a physical one-way link (optical transmitter at one end, receiver at the other) and software in the control system to build a table with data and transmit that data, and software in the MIS system to receive the data and build its own data. I just heard of an implementation where one plant DCS communicated with a small DCS (handling non-critical information) by simply connecting some digital output contacts from the plant DCS to digital inputs to the small DCS. The small DCS was part of the company information system and connected to the internet. I have implemented similar communications--security was not a factor but the small amount of communications required made it more economical.
Cameron, thanks for the leads. I will pass them along.
Regards, John
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
To continue the interesting discussion we were having under the above subject line, below please find a recent sales pitch from one of the local crowds encouraging system access over the Internet.
In a nutshell, a KVM switch allows complete control of any connected PC from the Internet - all you have to do is hack in. Hopefully this won't start a new trend...
Comments anyone?? ;-)
Cameron:-)
----- Original Message -----
Sent: Tuesday, June 22, 2004 12:58 PM Subject: A 4 Minute Guide On The Basics Of KVM ServSwitch Technology

Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
I wonder what they would say about having their financial records and processes operated over the net. My personal feeling is that there are about a half dozen military hacker groups which can run through just about any current security systems in a few minutes.
Why the desire to place control of critical operations on an open public network? The potential for untrained personnel to interfere with operations is too great, and the liabilities are nearly unlimited. I would not willingly putting or risk putting a quarter of a billion dollars of chemical plant, community safety, and worker lives into the hands of a teenager with no operational knowledge or even worse, someone with operational knowledge and ulterior motives.
There are few ways to really irritate operators better than to change setpoints on them from a remote location, without telling them about it.
Michael

Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
Herman Family ( snipped-for-privacy@frontiernets.net/without_any_s/) wrote: : I wonder what they would say about having their financial records and : processes operated over the net... :
Like U.S. consumer credit histories ?...
http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2003/11/07/MNG4Q2SEAM1.DTL Credit agencies sending our files abroad
"Two of the three major credit-reporting agencies, each holding detailed files on about 220 million U.S. consumers, are in the process of outsourcing sensitive operations abroad, and a third may follow suit shortly, industry officials acknowledge for the first time.
Privacy advocates say the outsourcing of files that include Social Security numbers and complete credit histories could lead to a surge in identity theft because U.S. laws cannot be enforced overseas.
For their part, the credit agencies say the trend is a necessary cost- cutting move in light of new legislation that would allow all consumers to obtain free copies of their credit reports.
The top credit agencies -- Equifax, Experian and Trans Union -- have refused in the past to comment on their outsourcing plans. No longer..."
--Jerry Leslie Note: snipped-for-privacy@jrlvax.houston.rr.com is invalid for email
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
Cameron Dorrough wrote:

The problem is much wider than this. PDA, especially the ones with wireless capabilities are a HUGH problem. People take these devices home, and download software, either freeware or commercial software onto these system. Then they bring them to work, unaware that the devices contain malicious or malefeasant software. Do not be fooled, just becuase you paid for the software (applications) does not mean it is free from dangerous applications.
The FBI has launched several investigations where the Original Equipment Manufacturer (non_US) is suspected of installing malefeasant code into the firmware (microprocessor base software that a user cannot access or read). This is but one of the reasons that many government agencies are now building embedded devices in_house only.
In my experience, a network that connects machines for serious industrial work has no business being connected to the corporate LAN. There are way to transfer essential data between the 2 networks, securely. Often I show persons that need acess to both networks, to just use 2 different machines. Afterall a second, really nice clown PC, including monitor, in under $500.00.....
Intrusion Detection Systems are mandatory so that key personnel and watch and monitor the dataflows internal in their network. With a judicial deployment of software filters and other tricks, you can capture evidence of interlopers.......
James
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
Cameron,
I would never want to be in a plant using this. I an never convinced that if there is a connection hackers cannot get through, particularly those with evil intentions, money, and knowledge of the control system and process.
I saw a plant recently where there was a desire to have certain data from a PLC and a DCS on a plant network that was connected to the internet and would allow anyone with a password (and most likely, a hacker) to view the information from any internet connection.
The solution was to add a PC with some cheap inputs. They were connected to digital and analog outputs from the PLC and DCS. One group of digital outputs would provide a channel number and a strobe signal, other outputs would provide the data. Sure, it was slow. But it was cheap and would provide the data on the internet with no way of hacking into the controls.
The data were values that did not change rapidly (large tank levels) or that was smoothed (one hour running average of certain steam flows).
Bests, Nita

Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload

Polytechforum.com is a website by engineers for engineers. It is not affiliated with any of manufacturers or vendors discussed here. All logos and trade names are the property of their respective owners.