Electricity + Control September 2017

Security Requirements on Mission Critical Control Networks Tim Craven, H3iSquared

The modern day Internet has become unsecure, and having strong security meas- ures in place is essential for small office networks, and certainly, for large scale control networks.

Take Note!

Network security is the most important aspect to consider when plan- ning Mission Critical Networks. No network will ever be completely secure from outside attacks. In planningMission Criti- cal Networks, one needs to think like an attacker and decide whether the payoff is worth the effort involved in implementing the security.

1

A s a demonstration recently, a device was connected to the Internet with direct port forwarding and no firewall to control or block traffic. Within a few seconds the device had auto- matically locked down all of its access interfaces, including – not only unsecure interfaces such asTel- net – but secure interfaces such as SSH. This ser- vice lockdown was caused by an overload of incor- rect login attempts from various locations around the world. These login attempts were not targeted,

the ability to fully control huge enterprises across large geographical locations without the need for thousands of individual hardwired connections and additional hardware such as signal repeaters or amplifiers. Ethernet allows for much more gran- ular remote control and monitoring of both digital and analogue data over a single infrastructure. As the standards were widely adopted, the rest of the industry followed closely, with IEDs, PLCs and other end devices quickly being developed to di- rectly support various Ethernet based control tech- nologies, such as ModbusTCP (for the industrial side) or IEC61850 [1] (for use in utility networks). At first these networks were mostly isolated, smaller networks servicing just a single plant, substation or factory, but this quickly expanded to interconnect these smaller sites, with the end goal being a single network to cover all of a com- pany’s assets. In some cases this interconnection is accomplished through company-owned infra- structure, such as long distance fibre optic cabling between sites. In most cases the cost required for these large scale WANs greatly exceeds feasible budgets, not to mention the hassle required in installing, monitoring and maintaining such infra- structure. In these cases the only other options are to use existing infrastructure from an existing ISP.

2

3

but simply a way to show howmany automated software programs are running 24/7 around the world, and randomly testing different connections for unprotected ac- cess interfaces. This was a small yet highly effective demonstration

of just how unsecure the modern day In- ternet has become, and why having strong security measures in place is essential for even small office networks, never mind large scale control networks. Background The introduction of Ethernet networking into the utility and industrial worlds was a definite milestone and brought about