Westermo Group
Building Secure Networks for the Industrial World
Anders Felling
Vice President, International Sales Westermo Group
Managing Director Westermo Data Communication AB
1
Westermo – What do we do?
Robust data communication devices for harsh environments
We supply products that:
- provide the communication infrastructure for control and monitoring systems
- are used in mission-critical systems, where commercial-grade products are not sufficiently resilient
- are derived from proven commercial communication technology
The built-in safety, reliability and redundancy are of high value to customers
Westermo Group 2010
- Founded in 1975
- Turnover: 33 MEur
- Uninterrupted growth since 1994
- No. of employees: 160
- 14% R&D spend
- Extensive IPR portfolio for key technologies
- Production: 100 000 units
- Sales and support units in 10 countries, distributors in another 36
- Member of the Beijer Electronics Group
Westermo Group
Westermo Head Office: Stora Sundby, Sweden
Westermo Branch Offices:
- Sweden: Västerås
- United States: Chicago
- United Kingdom: Southampton
- Taiwan: Taipei
- Germany: Waghäusel
- Austria: Wien
- France: Paris
- Switzerland: Leimbach
- Singapore: Singapore
- Belgium: Chievres
+ 36 distributors worldwide
Critical Infrastructure Projects

Cyber Security and Physical Security
Security Awareness: Physical and Cyber
Physical and cyber security is now a key issue
The threat of terrorist attacks is real
CCTV, intruder and chemical detectors are now part of every system
Cyber attacks are an increasing problem
One UK utility reported that they are dealing with 8000 attacks a day!
There is now a worm virus actively seeking and attacking PLCs
Most serious attacks or infections come from within, i.e. from the employees
Security Issues and How These Can Be Addressed
Creating secure connections over insecure networks like the Internet
Security issues and vulnerabilities need to be addressed from the start
It is too late once a vulnerability has been exposed and the system compromised
How can we address these vulnerabilities using:
- Firewall
- VLANs
- DMZ
- VPNs
Firewall
Effective means of stopping unwanted intrusions from insecure networks
- Block unauthorised traffic from the remote site
- Block IP ports
- Prevent unauthorised access to the management of the router
- Prevent the router from replying to probing traffic (ping, port scanning)
Firewalls in Industrial networks
[Diagram: one industrial router with a firewall separating VLAN 1 to VLAN 5 (subnets 192.168.245.159, 195.168.1.xxx, 10.10.10.xxx and 172.10.10.xxx), with a connection from the corporate LAN 192.168.10.xxx. This would normally require 5 discrete firewalls.]
VLANs (Virtual LANs)

How Would You Use VLANs?
- Automation network: VLAN ID 100
- Corporate network: VLAN ID 200
- Security network: VLAN ID 300
DMZ (Demilitarized Zone)
The DMZ acts as a buffer between the trusted and un-trusted zones
The DMZ prevents direct communication between the trusted and un-trusted zones. All communications from the un-trusted zone are terminated on an intermediate server or historian
The DMZ can offer protection against cyber attacks such as the STUXNET worm or many of the other malicious worms and viruses present in cyberspace
The servers in the DMZ still need to run strong, regularly updated antivirus software
DMZ
[Diagram: SCADA server on the trusted side, Citrix server in the DMZ, un-trusted network outside; direct un-trusted to trusted traffic is blocked. Communications to the trusted network will typically be industrial protocols, i.e. EtherNet/IP, Profinet, CC Net, Modbus TCP. Incoming traffic from the untrusted network will typically be HTTP, HTTPS.]
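The firewall and DMZ rules from the two slides above, written out as an added example of a zone policy (not Westermo code or the router's actual configuration). The zone names, the rule that router management is reachable only from the trusted zone, and the port numbers (Modbus TCP 502, EtherNet/IP 44818, HTTP 80, HTTPS 443, SSH 22) are choices made for the illustration.

```python
from dataclasses import dataclass

# Assumed port numbers: Modbus TCP 502 and EtherNet/IP 44818 are the
# well-known values; a real site adds its other industrial protocols here.
INDUSTRIAL_PORTS = {502, 44818}
DMZ_SERVICES = {80, 443}        # what untrusted clients may open to the DMZ
MANAGEMENT_PORTS = {22, 443}    # router management, trusted zone only

@dataclass(frozen=True)
class Flow:
    src_zone: str   # "untrusted", "dmz" or "trusted"
    dst_zone: str   # same set, plus "router" for the device itself
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # 0 for icmp

def decide(flow: Flow) -> str:
    """Return "accept" or "drop" for a new connection attempt.

    Default deny: anything not listed below is dropped, which is what makes
    the DMZ a buffer rather than a pass-through between the zones."""
    # The router itself accepts management only from the trusted zone and
    # never replies to probes (ping, port scans) from anywhere else.
    if flow.dst_zone == "router":
        ok = flow.src_zone == "trusted" and flow.proto == "tcp" and flow.dport in MANAGEMENT_PORTS
        return "accept" if ok else "drop"
    # No direct path between trusted and untrusted in either direction.
    if {flow.src_zone, flow.dst_zone} == {"trusted", "untrusted"}:
        return "drop"
    # Untrusted clients terminate on the DMZ servers over HTTP/HTTPS only.
    if (flow.src_zone, flow.dst_zone) == ("untrusted", "dmz"):
        return "accept" if flow.proto == "tcp" and flow.dport in DMZ_SERVICES else "drop"
    # DMZ servers reach the trusted zone over industrial protocols only.
    if (flow.src_zone, flow.dst_zone) == ("dmz", "trusted"):
        return "accept" if flow.proto == "tcp" and flow.dport in INDUSTRIAL_PORTS else "drop"
    return "drop"

def audit(flows):
    """Evaluate a list of flows; returns [(flow, verdict), ...]."""
    return [(f, decide(f)) for f in flows]

if __name__ == "__main__":
    sample = [  # constructed test traffic, not captured data
        Flow("untrusted", "dmz", "tcp", 443),
        Flow("untrusted", "trusted", "tcp", 502),  # bypass attempt
        Flow("dmz", "trusted", "tcp", 502),
        Flow("dmz", "trusted", "tcp", 3389),       # remote desktop into the PLC LAN
        Flow("untrusted", "router", "icmp"),       # probe: no reply
    ]
    for f, verdict in audit(sample):
        print(f"{f.src_zone:>9} -> {f.dst_zone:<8} {f.proto}/{f.dport:<5} {verdict}")
```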
VPNs (Virtual Private Networks)
- IPsec VPNs are key in allowing industrial networks on different sites to communicate
- VPNs are, in effect, tunnels linking the sites (like leased lines)
- All connections need to be authenticated before being accepted
- All data passing through the tunnel is encrypted
[Diagram: IPsec VPN via an untrusted network, linking corporate network sites across the Internet, an MPLS network or a WAN.]
Cyber Security Policy
- No matter how powerful the firewall, you also need good policies
- Large corporate or telemetry systems should look at IDS (Intrusion Detection Software)
- SCADA machines need regularly updated antivirus software
- Any machines likely to be connected to the industrial LAN should also have antivirus software
- Use a strong password policy, never words that can be looked up in a dictionary
- Servers should be located on trusted networks
- Pour glue in the USB ports so they can never be used!
- Have a recovery policy should a system become infected or compromised
Physical Security through
- Robustness
- Redundancy
- Monitoring
- Compatibility
Robust products = Secure products
Galvanic isolation
- Galvanic isolation of the interfaces
Transient suppression
- Handles interference from high power cables, reactive loads and transients
Power supply
- DC-supplied units, redundant power supply
Mechanical performance
- Handles high mechanical strain, DIN-mounted
Extended temperature range
- -40 °C to +70 °C
Classifications and Approvals
- EMC, Rail, Isolation, Vibration, Shock, MTBF, DNV, ATEX
Redundancy
Secure connectivity through redundancy
- FRNT
- RSTP/STP
- OSPF and VRRP
FRNT – Fast Recovery of Network Topology
L2 ring redundancy
FRNT is able to reconfigure a redundant ring network consisting of up to 200 switches within 20 ms of the initial failure, regardless of network load
[Diagram: ring of member switches around a focal point whose ring port is in blocking mode; on a media failure (X) the members send a media failure message, and the focal point sends a re-learn MAC tables message.]
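A small simulation of the ring behaviour the slide describes, added here as an example; it is not Westermo's FRNT implementation. Message formats, timers and the exact focal-point logic are not on the slide, so the class, the "unblock the backup port on the first failure" rule and the log texts are assumptions made for the illustration.

```python
from collections import deque

class FrntRing:
    """Ring of switches with one focal point, modelled after the slide."""

    def __init__(self, n_switches, focal_point=0):
        self.n, self.focal = n_switches, focal_point
        # Link i joins switch i and switch i+1 (mod n), closing the ring.
        self.links = [(i, (i + 1) % n_switches) for i in range(n_switches)]
        # The focal point holds one ring port in blocking mode to break the loop.
        self.blocked = self.links[focal_point]
        self.failed = set()
        self.log = []

    def active_links(self):
        """Links that are up and forwarding (not failed, not blocked)."""
        return [l for l in self.links if l not in self.failed and l != self.blocked]

    def reachable(self, start=None):
        """Switches reachable from `start` (default: the focal point)."""
        start = self.focal if start is None else start
        seen, todo = {start}, deque([start])
        while todo:
            cur = todo.popleft()
            for a, b in self.active_links():
                for x, y in ((a, b), (b, a)):
                    if x == cur and y not in seen:
                        seen.add(y)
                        todo.append(y)
        return seen

    def media_failure(self, link):
        """A member detects a dead link and reports it; the focal point then
        unblocks its backup port and tells every member to flush MAC tables
        (assumed reaction; the slide only names the two messages)."""
        self.failed.add(link)
        self.log.append(f"member {link[0]}: media failure message")
        if self.blocked is not None:
            self.blocked = None
            self.log.append(f"focal point {self.focal}: backup port forwarding")
        self.log.append(f"focal point {self.focal}: re-learn MAC tables message")

    def is_loop_free(self):
        """The ring stays loop free as long as at least one link is cut."""
        return len(self.failed) + (self.blocked is not None) >= 1
```

A second failure after the backup port is already forwarding leaves the ring loop free but partitioned, which the simulation also shows.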
RSTP – Rapid Spanning Tree Protocol
RSTP builds loop-free topologies by creating a logical tree of the connected nodes in the network.
This means that some ports need to be set in a blocking state depending on how the nodes are connected together.
OSPF and VRRP
Layer 3 redundancy with OSPF and VRRP
OSPF keeps track of the active routers and calculates the best path to the connected networks
VRRP creates redundant default gateways for the connected nodes on the LAN network.
[Diagram: three Layer 2 networks attached to a Layer 3 backbone.]
Monitoring
Alarm handling and remote monitoring through:
- SNMP
- Syslog
Configurable alarms:
- Link alarm
- FRNT link alarm
- Power supply alarm
- Temperature alarm
- Digital In alarm
Digital I/O that can be used for intrusion detection:
Connect the I/O contact to the cabinet door and receive an SNMP trap or Syslog message at the central monitoring system if someone opens the door.
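The receiving side of the monitoring slide as an added example (not Westermo code): a small syslog triage routine that classifies the alarms listed above and escalates a link or FRNT link alarm that follows the cabinet-door input on the same switch, since cabling is changing while the cabinet stands open. The syslog layout, hostnames, message texts and the ten-minute correlation window are constructed assumptions, not the switches' real output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a common BSD-syslog layout; hostnames and
# message texts are invented to match the alarm names on the slide.
SAMPLE_LINES = [
    "Mar 13 08:02:11 sw-cab-07 alarm: Temperature alarm: 71 C above threshold",
    "Mar 13 08:05:40 sw-cab-07 alarm: Digital In alarm: input 1 active (cabinet door)",
    "Mar 13 08:07:03 sw-cab-07 alarm: FRNT link alarm: ring port 2 down",
    "Mar 13 08:30:15 sw-cab-12 alarm: Link alarm: port 5 down",
    "Mar 13 08:31:00 sw-cab-12 info: configuration saved",
]
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
# Alarm text -> (class, base severity); "frnt link alarm" must be tried
# before the plain link alarm so it is not misclassified.
ALARM_RULES = [
    ("frnt link alarm", ("frnt_link", "high")),
    ("link alarm", ("link", "medium")),
    ("power supply alarm", ("power", "medium")),
    ("temperature alarm", ("temperature", "medium")),
    ("digital in alarm", ("digital_in", "high")),
]
DOOR_WINDOW = timedelta(minutes=10)  # assumed correlation window

def parse(line, year=2011):
    """Return an alarm event dict, or None for non-alarm or unparsable lines."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    for key, (cls, sev) in ALARM_RULES:
        if key in m["msg"].lower():
            return {"ts": ts, "host": m["host"], "cls": cls, "sev": sev}
    return None

def triage(lines):
    """Return (time, host, class, severity) per alarm. A link or FRNT link
    alarm within DOOR_WINDOW after the door contact fired on the same switch
    is escalated to critical."""
    door_open, alerts = {}, []
    for ev in filter(None, (parse(l) for l in lines)):
        sev = ev["sev"]
        if ev["cls"] == "digital_in":
            door_open[ev["host"]] = ev["ts"]
        elif ev["cls"] in ("link", "frnt_link"):
            opened = door_open.get(ev["host"])
            if opened is not None and ev["ts"] - opened <= DOOR_WINDOW:
                sev = "critical"
        alerts.append((ev["ts"], ev["host"], ev["cls"], sev))
    return alerts
```

The same classification applies to SNMP traps once the trap receiver has turned them into one text line per event.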
Questions