Protecting the gap: Wireless technology and cyber security
May 15, 2009
By Ian Verhappen and Frank Williams
Recent studies indicate that the industrial Ethernet market will grow at a compound annual rate of around 30 percent over the next three years. It is no surprise, then, that Ethernet technologies, connected both physically and wirelessly, are becoming more common in modern digital control systems. With the adoption of open technologies such as Ethernet, the control system and the office environment share many of the same security risks that information technology faces. Wireless systems add another variable because the components are not physically joined, which raises the concern that the radio link is another potential entry point into the network.
Today, wired and fibre Ethernet are not very common at the field level. There are a number of field devices starting to come to market that incorporate Ethernet communications capability, though these applications are typically data-intensive operations.
Copper media are the most commonly used means of transmitting data in a plant; however, wireless has been used in SCADA for many decades. Replacing physical Ethernet media (copper and fibre) with wireless opens up a whole new range of options, including WirelessHART, OneWireless, ISA-100 and ZigBee at the device level, as well as complete SCADA systems using licensed radio.
SCADA systems use a variety of technologies to connect the widely distributed field signals and controllers to the centralized control system. In the past, SCADA tended to use a combination of proprietary communication protocols and, when using wireless, licensed radio bands were the norm. A licensed radio band presented much less risk of interference, typically worked at greater distances and lowered the exposure to competing radio signals on the same frequency. However, obtaining a license for a plant or factory was often seen as difficult. Today, with advances in wireless technology, license-free solutions are being deployed at an accelerated rate. License-free radios do not carry the burden of obtaining and maintaining a government license, which many users find attractive and which makes them more willing to deploy a wireless solution. The trade-off is that license-free bands are shared with every other user in range, so both accidental interference and deliberate jamming are easier there than in a licensed band.
The most commonly used wireless protocol is IEEE 802.11 (Wi-Fi). The original 802.11 standard included a security mechanism called WEP (Wired Equivalent Privacy). WEP was very quickly shown to be weak: it encrypts each frame with the RC4 stream cipher under a key formed from the shared secret and a 24-bit initialization vector sent in the clear, so keystreams repeat on a busy link and the key itself can be recovered from captured traffic. It has since been superseded. The 802.11i amendment, ratified in June 2004, uses the Advanced Encryption Standard (AES, the Rijndael cipher as standardized by NIST) in CCMP mode for encryption and integrity, and adds stronger authentication (802.1X/EAP or a pre-shared key) and key management; this is the basis of WPA2. A legacy device that only supports WEP should be treated as if it were transmitting in the clear.
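To make the WEP weakness concrete, here is a small added example (written for this article, not the authors' or any vendor's code). It reimplements RC4 and WEP's per-frame key construction, then shows that two frames encrypted under the same IV leak each other's contents, and how quickly a 24-bit IV space is exhausted. The key and frame contents are constructed for the demonstration; real WEP also appends a CRC-32 integrity value, omitted here because it does not change the result.

```python
"""Added example: why WEP's per-frame IV was too small to be safe.

Illustrative code written for this article, not the authors' or any vendor's
software. It reimplements RC4 (the stream cipher WEP used) and WEP's key
construction (24-bit IV prepended to the shared key). The CRC-32 ICV that real
WEP appends is omitted; it is linear and does not affect the weakness shown.
The key and frame contents below are constructed, not captured traffic.
"""
import math


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for key (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style encryption: per-frame key = IV || shared key, IV sent in the clear."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_with_known_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Two frames under the same IV share a keystream, so c1 XOR c2 = p1 XOR p2.
    Knowing p1 (e.g. a predictable ARP or DHCP frame) yields p2 without the key."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


def seconds_until_iv_wraps(frames_per_second: float, iv_bits: int = 24) -> float:
    """A sender that never repeats an IV still exhausts the 2**24 space quickly."""
    return (1 << iv_bits) / frames_per_second


def expected_frames_to_first_collision(iv_bits: int = 24) -> float:
    """Birthday bound for randomly chosen IVs: about sqrt(pi/2 * 2**iv_bits) frames."""
    return math.sqrt(math.pi / 2 * (1 << iv_bits))


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")            # constructed 40-bit WEP key
    iv = bytes.fromhex("0a0b0c")                  # constructed IV, reused below
    p1 = b"ARP who-has 10.0.0.1 tell 10.0.0.2"   # constructed, predictable frame
    p2 = b"Write single coil 7 = ON, unit 17!"   # constructed sensitive frame
    c1 = wep_encrypt(key, iv, p1)
    c2 = wep_encrypt(key, iv, p2)
    print(recover_with_known_plaintext(c1, c2, p1))
    print(f"IV space wraps after {seconds_until_iv_wraps(500) / 3600:.1f} h at 500 frames/s")
    print(f"random IVs collide after ~{expected_frames_to_first_collision():.0f} frames")
```

At 500 frames per second a sequential IV counter wraps in about nine hours, and randomly chosen IVs are expected to collide after roughly five thousand frames; once two frames share an IV the attacker needs no key at all. 802.11i's CCMP avoids this by using a 48-bit packet number as the nonce and a block cipher with per-packet authentication.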
Wireless is also susceptible to jamming and other interference. In general, the wider the band a system uses, the harder it is to jam. Some suppliers suggest that frequency hopping by itself provides adequate protection from jamming. It does not, because most frequency hopping is synchronized: the master unit transmits a regular beat and the slave units hop to the beat. A jamming signal covering a couple of consecutive channels is enough to interrupt the hopping sequence on every hopping cycle. Whether that interruption stops the system from working depends on the radio: one that retransmits on the next hop loses throughput rather than the link, and one that can blacklist bad channels (as WirelessHART allows) can route around a narrowband jammer, but neither helps against a jammer wide enough to cover most of the hop set.
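The following added simulation (written for this article, not any vendor's radio firmware) models the situation described above: a synchronized hopper that visits every channel in its hop set once per cycle in a pseudo-random order, and a jammer that blocks two adjacent channels. It reports how many cycles are interrupted and how much capacity is actually lost, with and without retransmission and channel blacklisting, and goes beyond the text by also running a wideband jammer for comparison. One packet per hop and a jammer that blocks its channels completely are assumptions of the model.

```python
"""Added example: how much a narrowband jammer costs a synchronized hopper.

Illustrative simulation written for this article, not any vendor's radio
firmware. Assumptions: one packet per hop; each hopping cycle visits every
channel in the hop set once, in a pseudo-random order that master and slaves
both follow; the jammer blocks a fixed set of channels completely.
"""
import random


def simulate(n_channels, jammed, cycles, seed=1, retransmit=False, blacklist=False):
    """Return a dict with:
    cycles_hit   fraction of hopping cycles in which at least one hop was jammed
    hop_loss     fraction of hops that landed on a jammed channel
    delivered    fraction of packets that eventually got through
    throughput   packets delivered per hop (1.0 means no capacity lost)
    """
    jammed = set(jammed)
    # With blacklisting the hop set simply omits the channels known to be bad.
    hop_set = [ch for ch in range(n_channels) if not (blacklist and ch in jammed)]
    rng = random.Random(seed)
    hops = hops_lost = cycles_hit = sent = delivered = 0
    pending = False  # a packet is waiting to be (re)sent on the next hop
    for _ in range(cycles):
        sequence = hop_set[:]
        rng.shuffle(sequence)  # the cycle's hop order, known to master and slaves
        hit = False
        for ch in sequence:
            hops += 1
            if not pending:
                sent += 1
                pending = True
            if ch in jammed:
                hit = True
                hops_lost += 1
                if not retransmit:
                    pending = False  # packet lost for good
            else:
                delivered += 1
                pending = False
        if hit:
            cycles_hit += 1
    return {
        "cycles_hit": cycles_hit / cycles,
        "hop_loss": hops_lost / hops,
        "delivered": delivered / sent,
        "throughput": delivered / hops,
    }


if __name__ == "__main__":
    narrow = {20, 21}  # jammer covering two adjacent channels out of 50
    for label, kw in [("no retransmission", {}),
                      ("retransmit on next hop", {"retransmit": True}),
                      ("blacklist jammed channels", {"blacklist": True})]:
        r = simulate(50, narrow, cycles=200, **kw)
        print(f"{label:26s} cycles hit {r['cycles_hit']:.2f}  "
              f"delivered {r['delivered']:.3f}  throughput {r['throughput']:.2f}")
    wide = simulate(50, range(25), cycles=200, retransmit=True)
    print(f"{'wideband jammer, 25 of 50':26s} cycles hit {wide['cycles_hit']:.2f}  "
          f"delivered {wide['delivered']:.3f}  throughput {wide['throughput']:.2f}")
```

The two-channel jammer interrupts every cycle, as the text says, but costs only 4 percent of capacity once the radio retransmits, and nothing at all once the two channels are blacklisted; the wideband jammer halves throughput regardless. The practical check is therefore not whether a radio hops but what it does when a hop fails, and how much of the band an attacker can realistically cover.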
HART technology is widely deployed in industry, but not all control systems are able to make use of the maintenance and diagnostic information available from these devices, because their I/O does not support the HART digital signal superimposed on the underlying 4-20 mA analogue signal.
The key features of the new HART 7, as compared to HART 5, include: 32 character tags; device status; peer-to-peer messages; enhanced data publishing; time-stamped data; time-triggered actions; process variable trends; command aggregation; and support for WirelessHART.
WirelessHART uses the same commands, tools and practices as wired HART, so it works with any HART-enabled control or asset management system and the underlying EDDL technology. For security, WirelessHART uses AES-128 throughout: each hop is integrity-protected at the link layer and each session is encrypted end to end at the network layer, with a join key provisioned to every device before it is admitted to the network. The radio is a standard 2.4-GHz IEEE 802.15.4 transceiver, on top of which WirelessHART adds time-slotted channel hopping. In practice the strength of the scheme rests on the join key: devices commissioned with a shared or default join key can be impersonated by anyone who obtains it, so join keys should be unique per device and loaded through the device's wired maintenance port rather than sent over the air.
ISA formed the ISA-100 committee in 2005 to establish standards, recommend practices, publish technical reports and define technologies and procedures for implementing wireless systems in the automation and control environment. The work will support the complete life cycle of a wireless installation, including the design, implementation, on-going maintenance, scalability and management of the resulting control systems. The standards being developed by ISA-100 must also be compliant with ISA-99 (security) and ISA-84 (safety).
The committee’s focus is to improve the confidentiality, integrity and availability of components or systems used for manufacturing or control, and to provide criteria for procuring and implementing wireless technology in the control system environment. The result will be a robust, flexible and scalable architecture to meet a wide range of plant requirements and environments.
Ethernet is susceptible to data storms, viruses and other intentional and unintentional disruptions, and most control systems are not inherently protected against them. Work done by CERN when selecting the PLCs to be used on the Large Hadron Collider found that at least 25 percent of the PLCs tested could be compromised using the most commonly used security test tools available on the Internet. A practical consequence is that active scanners should never be pointed at a live control network without first confirming, on a bench, that each device model survives them.
The most important tool for a secure system is the creation of an effective security policy outlining such things as cryptography, firewalls, logins, physical and virtual security, back-ups and other decisions often similar for IT and process control networks (PCN). Much of the policy and resulting practices for the IT and PCN systems will be similar; however, the biggest difference will be the mindset of how each support group maintains their high levels of reliability. The IT community typically is interested in protecting the core or servers, and is willing to sacrifice an edge device such as your desktop computer to do so. Unfortunately for the PCN, it is these edge devices that are the most important because they are the ones directly connected to the process. It is important to have open and regular communication between these groups so that simple things such as management of IP addresses across a facility will not result in duplication of addresses in two locations.
Security is not only being regulated by industry bodies such as NERC (the North American Electric Reliability Corporation), whose CIP (Critical Infrastructure Protection) standards apply to the bulk electric system, but standards are also being written by groups like ISA’s ISA-99 committee. The NERC requirements are being considered for adoption in other parts of the world, for the electrical industry in particular, while the work being done by ISA is being considered by the IEC.
The NERC documents are presently undergoing revision to more actively promote a “defence in depth” strategy similar to the one being developed by ISA-99. The U.S. National Institute of Standards and Technology also recently released a draft of Special Publication 800-82, Guide to Industrial Control Systems Security. Both groups support the “defence in depth” principle, which places several layers of protection between the potential methods of attack and the control system. Multiple layers not only provide more protection, but if one layer is compromised they give you the opportunity to detect and stop attackers before they reach the sensitive parts of your system.
A key component of “defence in depth” is the use of a demilitarized zone (DMZ). The DMZ is installed and configured so that there is no direct connection between the office/corporate LAN and the PCN. All data requests from the LAN are served by mirror historians in the DMZ; if the data is not on those servers, they can request it from the PCN. The firewall rules should allow only that historian traffic between the DMZ and the PCN, and nothing from the LAN into the PCN at all, so that a compromised DMZ server does not become a path to the controllers.
Fortunately there are products and tools available to assist in managing a network. One of the tools to help determine the level and type of protection required is the “zone and conduit” model proposed in the ISA-99 standards. It is similar to what has been used for years in the safety system market: break the entire system into zones; for each zone set a target security level (SL-T); compare it with the security level the zone’s existing measures actually provide (SL-C); and if SL-C falls short of SL-T, add countermeasures until it does not. Likewise, where communication is required between zones, the conduit that carries it must be protected to the level of the zones it connects, so that a message does not lose protection as it crosses the boundary.
Security must be continuously monitored to be sure that it has not been compromised. Firewalls enforce the boundaries between zones, while intrusion detection systems and log review provide the monitoring that shows whether those boundaries are holding and whether a conduit is carrying traffic it should not.
POWER OVER ETHERNET
This leaves one other significant roadblock to the adoption of Ethernet in the field: power. The solution is Power over Ethernet (PoE), and one of the enablers of its wide adoption is the IEEE 802.3af standard. However, 802.3af delivers a nominal 48-volt DC supply (44 to 57 V at the power sourcing equipment) and is therefore not suitable for intrinsically safe (IS) applications. Fortunately, a range of products that have been used in the mining industry for many years has now been approved for use in the hydrocarbon industry. The system is much like a traditional IS installation, with an isolator as the boundary between the safe and hazardous areas and an IS power supply feeding each device mounted in the classified area. As an alternative to running a separate DC power cable to each device, PoEx can supply up to 500 mA at 12 volts on each port of its managed five-port switch.
Industrial Ethernet in its various forms provides significant opportunities to better control our processes, yet at the same time opens up potential new vulnerabilities, especially as it relates to security. Fortunately, the industry is working to resolve this conflict through the development of appropriate standards and products to ensure safe, reliable and secure control systems.
Ian Verhappen, P.Eng., is an ISA Fellow, Certified Automation Professional and director of industrial networks at MTL, a provider of industrial connectivity solutions. Frank Williams is president of Elpro Technologies, a division of MTL Instruments and a leader in wireless solutions.