How can I … protect a system from cyber attacks?
System Technical Note
Cyber security recommendations
Design your architecture
Disclaimer
This document is not comprehensive for any systems using the given architecture
and does not absolve users of their duty to uphold the safety requirements for the
equipment used in their systems or compliance with both national or international
safety laws and regulations.
Readers are considered to already know how to use the products described in
this System Technical Note (STN).
This STN does not replace any specific product documentation.
The STN Collection
The implementation of an automation project includes five main phases: Selection,
Design, Configuration, Implementation and Operation. To help you develop a
project based on these phases, Schneider Electric has created the Tested,
Validated, Documented Architecture and System Technical Note.
A Tested, Validated, Documented Architecture (TVDA) provides technical
guidelines and recommendations for implementing technologies to address your
needs and requirements. This guide covers the entire scope of the project life
cycle, from the Selection to the Operation phase, providing design methodologies
and source code examples for all system components.
A System Technical Note (STN) provides a more theoretical approach by focusing
on a particular system technology. These notes describe complete solution offers
for a system, and therefore support you in the Selection phase of a project.
The TVDAs and STNs are related and complementary. In short, you will find
technology fundamentals in an STN and their corresponding applications in one
or several TVDAs.
Development Environment
PlantStruxure, the Process Automation System from Schneider Electric, is a
collaborative system that allows industrial and infrastructure companies to meet
their automation needs while also addressing growing energy management
requirements. Within a single environment, measured energy and process data
can be analyzed to yield a holistically optimized plant.
Table of Contents
1. Security Overview .......... 7
1.1. Purpose .......... 7
1.2. Introduction .......... 7
1.3. Why is Security a Hot Topic Today? .......... 8
2. What is Cyber Security? .......... 10
2.1. Cyber Attack Profile .......... 10
2.2. How Attackers Can Gain Access to the Control Network .......... 11
2.3. How Attackers Attack .......... 15
2.4. Accidental Events .......... 18
2.5. Control System Vulnerabilities .......... 19
3. Schneider Electric Cyber Security Defense .......... 22
3.1. Security Plan .......... 23
3.2. Network Separation .......... 25
3.3. Protecting the Plant Perimeter .......... 27
3.4. Network Segmentation via VLAN .......... 53
3.5. Device Hardening .......... 57
3.6. Monitoring .......... 65
4. Appendix – Methods of Attack .......... 67
4.1. IP Spoofing .......... 67
4.2. Denial of Service Attacks .......... 68
4.3. TCP SYN Flood Attack .......... 69
4.4. Land Attack .......... 71
4.5. ARP Spoofing .......... 72
4.6. ICMP Smurf .......... 74
4.7. The PING of Death .......... 75
4.8. UDP Flood Attack .......... 76
4.9. Teardrop Attack .......... 76
5. References .......... 77
1-Security Overview
1. Security Overview
1.1. Purpose
The intent of this System Technical Note (STN) is to describe the capabilities of
the different Schneider Electric solutions that meet the most critical application
requirements and consequently increase the security of an Ethernet-based
system. It provides a common, readily understandable reference point for end
users, system integrators, OEMs, sales people, business support and other
parties.
1.2. Introduction
PlantStruxure's openness and transparency provide seamless communication
from the enterprise system or the internet to the control network. With this
transparency come security vulnerabilities that can be exploited to negatively
impact production, equipment, personnel safety, or the environment. Security
practices should be deployed to prevent these unwanted incidents from disrupting
operations.
Security is no longer a secondary requirement but should be considered
mandatory and be viewed as important as safety or high availability. To meet the
security challenges, Schneider Electric recommends a “defense-in-depth”
approach. Defense-in-depth is a concept that assumes there is no single
approach that provides all security needs. Rather, defense-in-depth layers the
network with security features, appliances, and processes to ensure that
disruption threats are minimized. Schneider’s defense-in-depth approach
includes:
• Eagle20 Security Router, from its partner Hirschmann Electronics, to
  secure the control network perimeter using secure links such as VPN and
  DMZ.
• Eagle Tofino firewall, from its partner Hirschmann Electronics, to secure
  communication zones within the control network using basic firewall rules,
  stateful packet inspection and deep packet inspection.
• ConneXium infrastructure devices to limit internal access to areas of
  responsibility and act as a second line of defense in the event of a firewall
  breach.
• PACs and Ethernet modules hardened with password protection, access
  control and the ability to turn off unneeded services.
• RTUs that offer secure links via VPN and strong authentication
  technology.
The intent of this document is to explain what constitutes cyber security in the
industrial market, why cyber security has become such a hot topic, the risks caused
by system vulnerabilities, the methods of network penetration and Schneider
Electric’s recommendations to mitigate those risks. Remember, no single product
can defend the network; rather, a defense-in-depth approach ensures the best
coverage for a secured, highly available operation.
1.3. Why is Security a Hot Topic Today?
Industrial control systems based on computer technology and industrial-grade
networks have been around for decades. The earlier control system architectures
were developed with proprietary technology and were isolated from the outside
world, and therefore security was not a primary concern. Physical perimeter security
was adequate to feel comfortable about the systems’ reliability. Today the control
systems have migrated to open systems using standardized technologies such as
the Microsoft Windows operating system and Ethernet TCP/IP to reduce costs and
improve performance. Additionally, direct communications between control and
business systems have been employed to improve operational efficiency and
manage production assets more cost-effectively.
This technical evolution has exposed control systems to vulnerabilities previously
affecting only office and business computers. Although the malware found in the
world has been used to target home, office, or business computers, the industrial
computers employing the same technology have become exposed through lax
internal security practices, external contractors with access to systems, and
inadvertently publicly accessible networked interfaces. Ethernet and
TCP/IP have provided many new and attractive capabilities:
• Integrated applications through networked intelligent devices
• Embedded web servers for remote access
• Wireless connectivity
• Remote access for maintenance
• Automated software management
• Distributed control
• Instant access to information in the business systems – inventory,
  production, shipping and receiving, purchasing, etc.
With the use of standard technologies such as Ethernet, control systems are now
vulnerable to cyber attacks from both inside and outside of the industrial control
system network.
The security challenges for the control environment are:
• Physical and logical boundaries vary.
• Systems can span large geographical regions with multiple sites.
• Security implementation can adversely impact process availability.
With the heightened threats caused by political terrorism, cyber attacks, and
internal security threats, companies must be more diligent than ever about how
their systems are protected. Motivations can be hard to understand, but the
implications can be devastating: lost production, a damaged company image,
environmental disaster, or loss of life. Companies need to be more conscious of
security than ever before. No longer will barbed wire and security guards
satisfactorily protect industrial assets. Lessons learned from the IT world must be
employed to protect industrial facilities and infrastructure from disruptions,
damage, or worse.
2-What is Cyber Security
2. What is Cyber Security?
Cyber security is a branch of security designed to address attacks on or by
computer systems and through computer networks. The objective of cyber
security is to protect information and physical assets from theft, corruption, or
natural disaster, while allowing the information and assets to remain accessible
and productive to their intended users. It is composed of procedures, policies and
equipment, both software and hardware. Cyber security is an ongoing process.
Cyber attacks are actions targeting computers and network systems that are
designed to disrupt the normal operations of the system. These actions can be
initiated locally (from within the physical facility) or remotely (from outside). These
attacks are normally intentional, but could in fact be unintentional, resulting from
poor security threat prevention. All potential causes of cyber attacks need to be
considered when employing a defense-in-depth approach.
2.1. Cyber Attack Profile
Cyber attacks on the control network system can come from a number of sources:
• Internal (employees, vendors and contractors)
  o Accidental events
  o Inappropriate employee/contractor behavior
  o Disgruntled employees/contractors
• External opportunistic (non-directed):
  o Script kiddies
  o Recreational hackers
  o Virus writers
• External deliberate (directed):
  o Criminal groups
  o Activists
  o Terrorists
  o Agencies of foreign states
The intent of cyber attacks on a control system is to:
• Disrupt the production process by blocking or delaying the flow of information.
• Damage, disable or shut down equipment to negatively impact production or the
  environment.
• Modify or disable safety systems to cause intentional harm or death.
Most cyber attacks that penetrate the control network system originate from the
enterprise system, followed by the internet and trusted third parties.
2.2. How Attackers Can Gain Access to the Control Network
The following information is extracted from US-CERT's Control Systems Security
Program and is paraphrased from content on the US-CERT Control Systems:
Overview of Cyber Vulnerabilities web page located at
http://www.uscert.gov/control_systems/csvuls.html. Schneider Electric recommends
reviewing all the materials at this web site to gain a better understanding of control
system vulnerabilities and potential threats.
In order to attack the control system network, the attacker must bypass the
perimeter defenses to gain access to the control system LAN. The most common
methods of gaining access are:
• Dial-up access to RTU devices
• Supplier access (technical support)
• IT controlled network products
• Corporate VPN
• Database links
• Poorly configured firewalls
• Peer utilities
2.2.1. Dial-up Access to the RTU Devices
Most control systems have a backup dial-up modem in the event that the main
network is no longer available. The attacker must know the protocol of the RTU in
order to gain access. Most RTUs don’t have strong security mechanisms
employed and identify themselves to any caller. Authentication mechanisms are
not widely employed.
2.2.2. Supplier Access
In order to minimize downtime and reduce costs, suppliers are often given VPN
access for remote diagnostics or maintenance. The suppliers frequently leave
ports open on the equipment to simplify their tasks, giving the attacker access to
the equipment and links to the control system network.
2.2.3. IT Controlled Communication Equipment
The automation department’s network authority is often limited to the control
network within the facility. The IT department assumes responsibility for the
long-distance communication, which is controlled and maintained from the business
side. A skilled attacker can access the control network via holes in the
communication architecture and reconfigure or compromise communications to the
field control devices.
2.2.4. Corporate VPNs
Engineers working in the corporate offices will often use a VPN from the
company broadband connection to gain access to the control network. The attacker
waits for the legitimate user to VPN into the control system network and piggybacks
on the connection.
2.2.5. Database Links
Most control systems use real-time databases, configuration databases, and
multiple historian databases. If the firewall or the security on the database is not
configured properly, a skilled attacker can gain access to the database from the
business LAN and generate SQL commands to take control of the database
server on the control system network.
2.2.6. Peer Utility Links
Partners and peers are granted access to information located on either the
business or control network. With the peer-to-peer link, the security of the system
is as strong as the security of the weakest member.
2.3. How Attackers Attack
The following information is extracted from US-CERT's Control Systems Security
Program and is paraphrased from content on the US-CERT Control Systems:
Overview of Cyber Vulnerabilities web page located at
http://www.uscert.gov/control_systems/csvuls.html. Schneider Electric recommends
reviewing all the materials at this web site to gain a better understanding of control
system vulnerabilities and potential threats.
Depending on motives and skills, the attacker may or may not need to know
details of the process to cause problems. For example, if the motive is simply to
shut down the process, very little knowledge of the control process is needed.
However, if the attacker wants to strategically attack a specific process, then
specific details and knowledge are required.
The two most vulnerable processes are:
• Data acquisition database
• HMI/SCADA display screens
Database names differ between suppliers, but most use a common naming
convention with a unique number (i.e. Pump1, pump2, breaker1, breaker2…). On
the communications protocol level, the devices are simply referred to by number
(memory location or register address). For a precise attack, the attacker needs to
translate the numbers into meaningful information.
Gaining access to the HMI screens is the easiest method for understanding the
process and the interaction between the operator and the equipment. The
information on the screen allows the attacker to translate the reference numbers
into something meaningful.
2.3.1. Control of the Process
Once an attacker has enough information about the process, the next step is to
manipulate it. The easiest way to gain control of the process is to connect to a
data acquisition device, such as a PAC, that also has access to field devices and
send it properly formatted commands. Most of the PACs, gateways or data
acquisition servers lack basic authentication and will accept any commands that
have been formatted correctly.
2.3.2. Exporting the HMI Screen
Another method of attack is to export the HMI screen back to the attacker to gain
control of the operations. A sophisticated attacker may also modify the operator’s
screen to display normal operations in order to disguise the attack. The attacker
is normally limited to the commands allowed for the currently logged-in operator.
2.3.3. Changing the Database
The attacker accesses the database and modifies the data in order to disrupt
normal operation of the control system or change stored values to affect the
system’s integrity.
2.3.4. Man-in-the-Middle Attacks
Man-in-the-middle is a type of attack where the attacker intercepts messages from
one computer (Host A), manipulates the data prior to forwarding to the intended
computer (Host B) and vice versa. Both computers appear to be talking to each
other and are unaware of an intruder in the middle.
In order for the attacker to be successful in manipulating the packets, the protocol
must be known. The man-in-the-middle attack allows the attacker to spoof the
operator HMI screens and take full control of the control system.
2.4. Accidental Events
While many threats exist from disgruntled employees, hackers, terrorists, or
activists, the majority of system outages related to networks are caused by
accidental events. In this case, we are referring to personnel not following proper
procedures, accidentally connecting network cables in wrong ports, poor network
design, programming errors, or badly behaving network devices. Experts
attribute >75% of network-related system outages to accidental events. Many of
the security features and processes discussed in this document can also prevent
these types of accidental events.
In many cases, contractors are necessary contributors to system design,
commissioning, or maintenance. Proper procedures should be defined to
ensure that contractors don’t bring malware, viruses, or other problems into the
control network. Another example of proper procedures involves how USB keys,
a convenient method of transferring files, can be safely employed in the control
network environment. USB keys are a common source of malware and viruses
and must be carefully screened before permitting their use.
Network architectures are designed and configured at design time to comply with
robust behaviors, including segmenting, filtering, and topological rules.
Individuals who inadvertently connect a network cable into the wrong port on a
multi-port switch might create outages or broadcast storms, bringing a network to
its knees. Many of the broadcast storm protections discussed in this document
apply to these accidental events as well as to Denial of Service attacks.
In general, the cause might be accidental, but the features, practices, and
procedures used to protect from cyber attack work equally well to prevent
accidental system outages. In this case, disaster recovery methods should be
employed and tested to make sure that recovery from an outage or device failure
can be quickly and reliably managed, minimizing downtime and lost production.
High availability and redundant architectures play a role in this area when even
short duration system outages can’t be tolerated.
2.5. Control System Vulnerabilities
The North American Electric Reliability Corporation (NERC) performed a study
identifying the top 10 vulnerabilities of control systems:
1. Inadequate policies, procedures, and culture that govern control system
security:
  • Clash between operational culture and modern IT security methods.
  • IT often does not have an understanding of the operational requirements of a
    control system.
  • Lack of overall awareness and appreciation of the risk associated with
    enabling the networking of these customized control systems.
  • Absence of control system information security policy.
  • Control system information security policy not adhered to, enforced or audited.
  • Lack of adequate risk assessment.
2. Inadequately designed control system networks that lack sufficient
defense-in-depth mechanisms:
  • Network security of control system devices was not adequately
    considered when originally designed. These systems were designed with
    availability and reliability in mind.
  • Control systems may not be capable of secure operation in an
    internet/intranet working environment without significant investment to
    reengineer the technology so it is in accordance with appropriate risk
    assessment criteria.
3. Remote access to the control system without appropriate access control:
  • Inappropriate use of dial-up modems.
  • Use of commonly known passwords or no use of passwords.
  • Implementation of non-secure control system connectivity to the corporate
    Local Area Network (LAN).
  • Practice of un-auditable and non-secured access by vendors for support.
4. System administration mechanisms and software used in control systems are
not adequately scrutinized or maintained:
  • Inadequate patch management.
  • Lack of appropriately applied real-time virus protection.
  • Inadequate account management.
  • Inadequate change control.
  • Inadequate software inventory.
5. Use of inadequately secured wireless communication for control:
  • Use of commercial off-the-shelf (COTS) consumer-grade wireless devices
    for control network data.
  • Use of outdated or deprecated security/encryption methods.
6. Use of a non-dedicated communications channel for command and control
and/or inappropriate use of control system network bandwidth for non-control
purposes:
  • Internet-based Supervisory Control and Data Acquisition (SCADA).
  • Internet/Intranet connectivity initiated from control system networks:
    o File sharing
    o Instant messaging
7. Insufficient application of tools to detect and report on anomalous or
inappropriate activity:
  • Underutilized intrusion detection systems.
  • Under-managed network systems.
  • Implementation of immature Intrusion Prevention Systems.
8. Unauthorized or inappropriate applications or devices on control system
networks:
  • Unauthorized installation of additional software on control system devices.
  • Peripherals with non-control system interfaces, e.g., multi-function or
    multi-network printers.
  • Non-secure web interfaces for control system devices.
  • Laptops.
  • USB memory.
  • Other portable devices, e.g., personal digital assistants (PDAs).
9. Control system command and control data not authenticated:
  • Authentication for LAN-based control commands not implemented.
  • Immature technology for authenticated serial communications to field
    devices.
  • Lack of security implemented on an object-by-object basis on the control
    displays.
10. Inadequately managed, designed, or implemented critical support
infrastructure:
  • Inadequate uninterruptible power supply (UPS) or other power systems.
  • Inadequate or malfunctioning HVAC systems.
  • Poorly defined “6-wall” boundary infrastructure.
  • Insufficiently protected telecommunications infrastructure.
  • Inadequate or malfunctioning fire suppression systems.
  • Lack of recovery plan.
  • Insufficient testing or maintenance of redundant infrastructure.
3-Schneider Electric Cyber Security Defense
3. Schneider Electric Cyber Security Defense
No single solution can provide adequate protection against all cyber attacks on
the control network. Schneider Electric recommends employing a “defense in
depth” approach using multiple security techniques to help mitigate risk.
The defense in depth approach recommends six layers of defense for a
PlantStruxure network:
1. Security Plan
Creating the security plan is the first step to securing the control system network.
Policies and procedures must be defined, implemented and, most importantly,
updated and maintained. The planning process involves performing a vulnerability
assessment, mitigating the risk and creating a plan to reduce or avoid those risks.
2. Network Separation
Physically separating the control system network from other networks, including
the enterprise, by creating demilitarized zones (DMZs).
3. Perimeter Protection
Preventing unauthorized access to the control system through the use of firewalls,
authentication and authorization, VPN (IPsec) and anti-virus software. This
includes remote access.
4. Network Segmentation
Use VLANs to sub-divide the network, providing containment in the event of a
security breach within a subnet. This can be further enhanced using the concept of
communication zones. Each zone would be buffered from other zones by use of
a security firewall to limit access, monitor communications and report incidents.
5. Device Hardening
Device hardening is the process of configuring a device to protect it from
communication-based threats. It involves password management, access control
and disabling all unnecessary protocols and services.
6. Network Monitoring
No network is 100% secure due to the constant evolution of new threats.
Constant monitoring of the control network system is necessary to block intruders
before damage is done.
3.1. Security Plan
The first step towards a secure network is to create a security plan with
procedures and policies. A cross-functional team consisting of management, IT
staff, control engineer, operator and a security expert should participate in the
creation of a comprehensive security plan.
The security plan should clearly define:
• Roles and responsibilities of those affected by the policy.
• Actions, activities and processes that are allowed and not allowed.
• Consequences of non-compliance.
For existing networks, a full assessment is needed prior to creating the plan:
• Identify communication paths into and out of the control network.
• Identify communication paths within the control system network.
• Perform a complete audit of devices on the network.
• Record security settings of each device.
• Draw a detailed network diagram.
Once the infrastructure diagram is completed, a vulnerability assessment is
required to identify weaknesses, potential threats and origins of threats.
Vulnerabilities assessed are then:
• Prioritized by threat
• Prioritized by business consequences
• Prioritized by business benefits
• Annual business impact is estimated
Ri$k = % Probability of Threat of Attack * % Probability of a Vulnerability Being
Exploited * Reasonably Predictable (Financial) Consequences
Source: Introduction to Information Security, Dave Norton, CISSP Program Manager,
Transmission IT Security, Entergy – New Orleans
The plan should consist of:
• Security policies – Security policies should be developed for the control
  system network and its individual components. The policies should be
  reviewed periodically for changes in threats, environment or adequate
  security level.
• Blocking access to resources and services – Protecting the perimeter through
  the use of firewalls or proxy servers, access control and anti-virus software.
  Limiting communications between separate communications zones through
  the use of firewalls and inline security devices.
• Detecting malicious activity – Intrusion detection, such as monitoring audit and
  event logs, is necessary to identify problems on the network.
• Mitigating possible attacks – The more secure the network becomes, the
  greater the impact on latency. In order for the process to run correctly, a level
  of vulnerability may be required.
• Fixing core detected problems – Fixing detected problems usually involves
  updating, upgrading, or patching the software vulnerability or removing the
  vulnerable application.
3.2. Network Separation
One of the critical elements of designing a control system network is the physical
separation between the control network and external communication networks.
Data access between the internet, enterprise system and the control network
should take place on servers located in a demilitarized zone (DMZ). A DMZ
provides a safe and secure means of sharing data between zones. The DMZ
should contain:
• Data servers such as Citect Historian that share and collect data from the
  control system and enterprise system.
• Patch management
• Antivirus server
• Web access server
• Wireless access point
• Remote access
All communication links should end in the DMZ. There should be no direct
communication path into the industrial control network.
DMZ Guidelines
• All traffic should terminate at servers in the DMZ.
• Inbound traffic to the control system should be blocked. Access to devices
  inside the control system should be through the DMZ.
• Outbound traffic through the control network firewall should be limited to
  essential communications only.
• All outbound traffic from the control network to the corporate network
  should be source- and destination-restricted by service and port.
• Firewalls should be configured with outbound filtering to stop forged IP
  packets from leaving the control network or the DMZ.
• Firewalls should be configured to forward IP packets only if those packets
  have a correct source IP address for the control network or DMZ networks.
• Internet access by devices on the control network should be strongly
  discouraged.
• The servers in the DMZ must be hardened. Security patches and
  anti-virus software must be continuously updated.
26
3-Schneider Electric Cyber Security Defense
3.3.
Protecting the Plant Perimeter
Firewalls are used to protect the network perimeter by blocking unauthorized
access while permitting authorized communications. A firewall is a device or set of
devices configured to permit, deny, encrypt, decrypt, or proxy all (in and out)
traffic between different security domains based upon a set of rules and other
criteria.
Firewalls play an important role in a control system network. Process control
devices require fast data throughput and therefore cannot afford latency
introduced by an over-aggressive security strategy. The control system relies
heavily on perimeter protection to block all unwanted and unauthorized traffic.
There are three categories of firewalls:
• Packet filtering: A low cost, basic type of firewall having minimal impact on network performance. Basic information in each packet, such as IP addresses, is validated prior to forwarding. This type is not recommended due to its lack of authentication. It does not conceal the protected network’s architecture.
• Application-Proxy Gateway: An application proxy gateway examines packets at the application layer and filters traffic based on specific application rules such as specified applications (e.g., browsers) or protocols (e.g., FTP). Application proxy gateways provide a high level of security, but can have overhead delays impacting the network performance of the control system. Their use is therefore not recommended.
• Stateful Inspection Firewalls: Stateful multilayer inspection firewalls are a combination of the above firewall types. Stateful inspection filters packets at the network layer and validates that the session packets and their contents at the application layer are legitimate. Stateful inspection makes sure that all inbound packets are the result of an outbound request. Stateful inspection firewalls provide a high level of security and good performance but can be expensive and complex to configure.
3.3.1. Firewall Guidelines
The National Institute of Standards and Technology (NIST) has provided the
following guidelines:
• The base rule set should be “deny all, permit none.”
• Ports and services between the control system network environment and the corporate network should be enabled and permissions granted on a specific case-by-case basis. There should be a documented business justification with risk analysis and a responsible person for each permitted incoming or outgoing data flow.
• All “permit” rules should be both IP address and TCP/UDP port specific.
• All rules should restrict traffic to a specific IP address or range of addresses.
• Traffic should be prevented from transiting directly from the control network to the corporate network. All traffic should terminate in a DMZ.
• Any protocol allowed between the control network and the DMZ should explicitly NOT be allowed between the DMZ and corporate networks (and vice-versa).
• All outbound traffic from the control network to the corporate network should be source and destination-restricted by service and port.
• Outbound packets from the control network or DMZ should be allowed only if those packets have a correct source IP address that is assigned to the control network or DMZ devices.
• Control network devices should not be allowed to access the Internet.
• Control networks should not be directly connected to the Internet, even if protected via a firewall.
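The guidelines above modelled as a zone-based packet filter, written as an added example (not Schneider Electric's or NIST's code): default deny, IP- and port-specific permits, egress anti-spoofing, the control/corporate transit ban and the no-Internet rule, plus a rule-set lint for the "no protocol shared between the control-DMZ and DMZ-corporate legs" guideline. The zone address ranges, the rule set and the sample packets are assumptions.

```python
"""Zone-based packet filter applying the NIST firewall guidelines listed above.

Added example, not Schneider Electric or NIST code. Zone address ranges, the
rule set and the sample packets are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Set, Tuple

# Constructed addressing plan: which subnet belongs to which security zone.
ZONES = {
    "control":   ip_network("10.10.0.0/16"),
    "dmz":       ip_network("172.16.1.0/24"),
    "corporate": ip_network("192.168.0.0/16"),
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the plan is treated as Internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int
    ingress: str  # zone of the interface the firewall received the packet on


@dataclass(frozen=True)
class Rule:
    """A permit rule: IP address (host or range) and TCP/UDP port specific."""
    src: str      # host address or CIDR
    dst: str      # host address or CIDR
    proto: str
    dport: int

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and p.proto == self.proto and p.dport == self.dport)


# Constructed rule set: every permit is source/destination/port specific and
# every flow terminates at a server in the DMZ.
RULES = [
    Rule("10.10.5.0/24", "172.16.1.10", "tcp", 502),  # PLCs -> historian (Modbus TCP)
    Rule("10.10.5.0/24", "172.16.1.25", "tcp", 25),   # PLC alert e-mail -> DMZ relay
    Rule("192.168.20.7", "172.16.1.10", "tcp", 443),  # one engineering PC -> historian web UI
]


def evaluate(p: Packet, rules: Iterable[Rule] = RULES) -> Tuple[bool, str]:
    """Return (permitted, reason). The base rule is deny all."""
    src_zone, dst_zone = zone_of(p.src), zone_of(p.dst)
    # Outbound anti-spoofing: a packet from the control or DMZ side must carry a
    # source address assigned to that zone, otherwise it is forged and dropped.
    if p.ingress in ("control", "dmz") and src_zone != p.ingress:
        return False, "forged source address for " + p.ingress
    # Control network devices are never allowed to reach the Internet.
    if src_zone == "control" and dst_zone == "internet":
        return False, "control network has no Internet access"
    # Nothing from the corporate network or the Internet enters the control
    # network directly; access is only through servers in the DMZ.
    if dst_zone == "control" and src_zone in ("corporate", "internet"):
        return False, "inbound traffic to the control network is blocked"
    # No transit between control and corporate networks in either direction.
    if {src_zone, dst_zone} == {"control", "corporate"}:
        return False, "control/corporate traffic must terminate in the DMZ"
    for r in rules:
        if r.matches(p):
            return True, "permitted by rule " + repr(r)
    return False, "default deny"


def _zone_of_net(cidr: str) -> str:
    return zone_of(str(ip_network(cidr).network_address))


def conflicting_protocols(rules: Iterable[Rule]) -> Set[Tuple[str, int]]:
    """Rule-set lint: a (protocol, port) permitted between the control network and
    the DMZ must not also be permitted between the DMZ and the corporate network."""
    control_dmz, dmz_corp = set(), set()
    for r in rules:
        legs = {_zone_of_net(r.src), _zone_of_net(r.dst)}
        if legs == {"control", "dmz"}:
            control_dmz.add((r.proto, r.dport))
        elif legs == {"dmz", "corporate"}:
            dmz_corp.add((r.proto, r.dport))
    return control_dmz & dmz_corp
```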
3.3.2. Firewall Vulnerabilities
Denial of Service is one of the most common vulnerabilities of the outer perimeter.
Other common vulnerabilities:
• Spoofing
• Worms and Trojans
• Viruses
• Hijacking
• False identity
• Data/Network Sabotage
These attacks on a control system can result in:
• Reduction or loss of production at one site or multiple sites simultaneously
• Injury or death of employees
• Injury or death of persons in the community
• Damage to equipment
• Release, diversion, or theft of hazardous materials
• National security breach
• Environmental damage
• Violation of regulatory requirements
• Product contamination
• Criminal or civil legal liabilities
• Loss of proprietary or confidential information
• Loss of brand image or customer confidence
3.3.3. Firewall Risk Mitigation
Packet Filtering
Devices on the control network require security based on unique applications and
protocols. Packet filtering is a feature found on a firewall that provides the
protection based on:
• IP protocol
• Source IP address
• Source port
• Destination IP address
• Destination port
With packet filtering, access to a device can be restricted to only allow specific
protocols (ports). In the drawing below, the PC can communicate with the PLC
via port 80, but port 69 messages are blocked by the firewall.
Ports that need extra protection due to low or no built-in security are:
Non-secure Protocols
IP        Protocol     Port #
TCP       Telnet       23
TCP/UDP   HTTP         80
TCP/UDP   SNMP v1&v2   161
TCP       FTP          20 (Data), 21 (Command)
UDP       TFTP         69
TCP/UDP   DNS          53
TCP       POP3         110
TCP/UDP   SMTP         25
Packet filtering should be implemented. Trusted ports are for outgoing
connections and untrusted ports are for incoming connections.
Some firewalls are even capable of looking within the protocol to make intelligent
decisions about allowing/restricting specific messages. These highly evolved
firewalls are capable of looking into a protocol like Modbus TCP (port 502) and
allowing certain function codes to pass while blocking others. An example of this
type of firewall is the Eagle Tofino from Hirschmann Electronics.
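How such a protocol-aware firewall decides on a Modbus TCP frame, as an added example (not the Eagle Tofino product's or Schneider Electric's code): it parses the MBAP header, fails closed on malformed frames and forwards only an allowlist of read-only function codes. The allowlist, unit ids and sample frames are constructed.

```python
"""Protocol-aware filtering of Modbus TCP (port 502) by function code, the kind
of decision a deep-inspection industrial firewall makes.

Added example, not the Eagle Tofino product or Schneider Electric code. The
allowlist, unit ids and sample frames are constructed for illustration.
"""
import struct
from typing import Iterable, Optional, Tuple

# Public Modbus function codes (Modbus Application Protocol specification).
READ_COILS, READ_DISCRETE_INPUTS = 0x01, 0x02
READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS = 0x03, 0x04
WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER = 0x05, 0x06
WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS = 0x0F, 0x10

# Constructed policy: a monitoring host in the DMZ may only read process data.
READ_ONLY = {READ_COILS, READ_DISCRETE_INPUTS,
             READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS}


def parse_modbus_tcp(frame: bytes) -> Tuple[int, int, int, bytes]:
    """Parse the 7-byte MBAP header and return (transaction id, unit id,
    function code, PDU data). Raises ValueError on anything malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto_id, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError("protocol id %d is not Modbus" % proto_id)
    # The length field counts the unit id byte plus the whole PDU.
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame" % length)
    return tid, unit, frame[7], frame[8:]


def decide(frame: bytes, allowed_codes: Iterable[int] = READ_ONLY,
           allowed_units: Optional[Iterable[int]] = None) -> Tuple[bool, str]:
    """Return (forward, reason) for one request frame. Fails closed."""
    try:
        tid, unit, fc, _data = parse_modbus_tcp(frame)
    except ValueError as err:
        return False, "drop malformed frame: %s" % err
    if allowed_units is not None and unit not in set(allowed_units):
        return False, "drop: unit id %d not permitted" % unit
    if fc not in set(allowed_codes):
        return False, "drop: function code 0x%02X not permitted (tid %d)" % (fc, tid)
    return True, "forward: function code 0x%02X to unit %d" % (fc, unit)


def build_request(tid: int, unit: int, fc: int, payload: bytes) -> bytes:
    """Assemble a Modbus TCP request frame (used here to construct samples)."""
    pdu = bytes([fc]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: a read of 10 holding registers, a single-register
# write, and a truncated frame.
READ_10_REGISTERS = build_request(1, 1, READ_HOLDING_REGISTERS, struct.pack(">HH", 0, 10))
WRITE_ONE_REGISTER = build_request(2, 1, WRITE_SINGLE_REGISTER, struct.pack(">HH", 0, 0xFFFF))
TRUNCATED = READ_10_REGISTERS[:5]
```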
Anti-virus Software
Always implement anti-virus scanning and keep anti-virus software and definition
files up-to-date. This applies to the SCADA system and all PCs used to monitor or
maintain the control system.
Flood Protection
The firewall is an important player in preventing unwanted traffic such as DoS
attacks onto the control network. DoS attacks are the most common form of flood
attacks. If a DoS attacker is successful in penetrating the control network, the
impact can be minimized using flood protection provided in the firewall.
3.3.4. Firewall Rules for Specific Services
Firewalls can deal with and help manage many of the protocols and services
employed in industrial control systems. The ones we will discuss here are DNS,
HTTP, DHCP, FTP, TFTP, Telnet, SMTP, POP, SNMP, and NAT.
Domain Name System (DNS) Server
A Domain Name System (DNS) server is a database used to translate DNS host
names to IP addresses. Most Internet services rely heavily on DNS, but DNS is
rarely used by control systems.
DNS Vulnerabilities
There are numerous exploits against DNS Servers. The two most common ones
are DNS Cache Poisoning and DNS Amplification Attack.
DNS cache poisoning is the result of replacing the intended domain IP address
with the attacker’s domain IP address. As a result of cache poisoning, web traffic,
email, and other important network data can be redirected to systems under the
attacker's control.
DNS amplification attack is a type of DoS attack that generates traffic overload.
DNS Risk Mitigation
DNS requests are seldom used from the control network to the corporate network
and should be avoided if possible.
Do not allow DNS requests into the control network.
It is recommended that the DNS configuration be set to DNS Root Servers.
Queries will be sent to the DNS Root server at the IP address stored in mGuard.
These addresses rarely change.
Hypertext Transfer Protocol (HTTP)
Hypertext Transfer Protocol is the underlying protocol used by the World Wide
Web and is used in many applications: file download, software updates, or to
initialize multimedia streams. The use of HTTP is increasing due to embedded
web servers in control products. Schneider Electric web servers use HTTP
communications to display data and send commands via web pages.
Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext
Transfer Protocol and a cryptographic protocol. The primary differences between
http and https are their default ports (80 for http and 443 for https). HTTPS
operates by transmitting normal HTTP with encryption. There are two common
types of encryption layers:
• Transport Layer Security (TLS)
• Secure Sockets Layer (SSL) - predecessor
HTTP Vulnerabilities
HTTP has little inherent security and can be used as a transport mechanism for
attacks and worms. Common attacks are man-in-the-middle and eavesdropping.
HTTP Risk Mitigation
If the HTTP server is not needed, disable it. Otherwise, use HTTPS instead of
HTTP if possible, and only to a specific device.
DHCP
Dynamic Host Configuration Protocol (DHCP) is a network application protocol
based on BootP. It is used by devices (DHCP clients) to obtain configuration
information for operation in an Internet Protocol network. DHCP is an
unauthenticated protocol. The DHCP service works through the DORA (Discover,
Offer, Request and Acknowledgment) exchange.
DHCP service uses port 67/UDP in the DHCP server, and 68/UDP at the DHCP
clients.
Schneider Electric uses DHCP for Faulty Device Replacement (FDR).
DHCP Vulnerabilities
There are two common types of DHCP attacks:
DHCP starvation attack – The DHCP server is inundated with countless requests
from different MAC addresses. The DHCP server will eventually run out of IP
addresses blocking a legitimate user from obtaining or renewing an IP address.
DHCP rogue attack – The attacker disguises itself as a DHCP server and
responds to a DHCP request with false IP addresses, resulting in a man-in-the-middle attack.
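Detection logic for both attacks over a constructed capture of DHCP messages, as an added example (not Schneider Electric code): a sliding-window count of distinct client MACs sending DISCOVER flags starvation, and any OFFER or ACK from an address outside an authorised server set flags a rogue server. The message model, the authorised server address and the thresholds are assumptions.

```python
"""Detection of DHCP starvation and rogue DHCP servers from a capture of the
DHCP messages seen on a control network segment.

Added example, not Schneider Electric code. The message model, the authorised
server address and the thresholds are assumptions for illustration.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class DhcpMsg:
    t: float             # seconds since start of capture
    kind: str            # DISCOVER, OFFER, REQUEST or ACK
    client_mac: str
    server_ip: str = ""  # set on OFFER/ACK: address of the server that answered


# Constructed: the only DHCP server that should answer on this segment
# (for example the FDR server built into a NOE/ETY module).
AUTHORISED_SERVERS = {"10.10.5.1"}


def detect_starvation(msgs: Iterable[DhcpMsg], window: float = 10.0,
                      threshold: int = 20) -> List[Tuple[float, int]]:
    """Starvation: many DISCOVERs from distinct (usually fabricated) MAC addresses
    in a short time. Returns (time, distinct MAC count) for every message at which
    the count inside the sliding window exceeds the threshold."""
    recent: Deque[Tuple[float, str]] = deque()
    alerts = []
    for m in sorted(msgs, key=lambda x: x.t):
        if m.kind != "DISCOVER":
            continue
        recent.append((m.t, m.client_mac))
        while recent and recent[0][0] < m.t - window:
            recent.popleft()
        distinct = len({mac for _, mac in recent})
        if distinct > threshold:
            alerts.append((m.t, distinct))
    return alerts


def detect_rogue_servers(msgs: Iterable[DhcpMsg],
                         authorised: Set[str] = AUTHORISED_SERVERS) -> List[str]:
    """Rogue server: an OFFER or ACK sent from an address that is not authorised."""
    return sorted({m.server_ip for m in msgs
                   if m.kind in ("OFFER", "ACK") and m.server_ip not in authorised})


# Constructed capture: one legitimate DORA exchange, then 30 DISCOVERs from
# distinct fabricated MACs within three seconds, then an OFFER from an
# unauthorised address.
SAMPLE_CAPTURE = [
    DhcpMsg(0.0, "DISCOVER", "00:80:f4:10:00:01"),
    DhcpMsg(0.1, "OFFER", "00:80:f4:10:00:01", "10.10.5.1"),
    DhcpMsg(0.2, "REQUEST", "00:80:f4:10:00:01"),
    DhcpMsg(0.3, "ACK", "00:80:f4:10:00:01", "10.10.5.1"),
] + [
    DhcpMsg(5.0 + i * 0.1, "DISCOVER", "02:00:00:00:00:%02x" % i) for i in range(30)
] + [
    DhcpMsg(9.0, "OFFER", "00:80:f4:10:00:02", "10.10.5.99"),
]
```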
DHCP Risk Mitigation
Prevent unauthorized persons from having physical or wireless access to the
computer.
Recommend that DHCP be disabled in the firewall, if not needed.
Conflict: Schneider Electric devices such as the NOE’s or ETY’s have a built-in
DHCP server. The DHCP server uses the device’s MAC address or device name
to serve the IP configuration and the name and location of the configuration file.
FTP and TFTP
File Transfer Protocol (FTP) and Trivial File Transfer Protocol (TFTP) are used for
transferring files between devices. Transparent Ready devices use FTP to load
firmware and custom web pages, retrieve crash logs, etc. TFTP is used as a bare-bones, unidirectional, special-purpose file transfer (firmware uploads).
FTP Vulnerabilities
FTP uses a login password that is not encrypted, and for TFTP, no login is
required. FTP is vulnerable to Buffer Overflow and FTP Bounce attacks. The FTP
bounce attack uses an FTP server in passive mode to transmit information to any
device on the network. To begin the bounce attack process, the attacker must
login to the FTP server that will be used as the "middleman." Once connected to
the FTP server, the attacker sends the PORT command to direct all data
connections to the destination IP address and TCP port.
FTP Risk Mitigation
FTP communications should be allowed for outbound sessions only unless
secured with additional token-based multi-factor authentication and an encrypted
tunnel.
If possible, use more secure protocols such as Secure FTP (SFTP) or Secure
Copy (SCP).
Configure each server connection individually.
Use packet filtering to allow access only to the FTP server.
FTP files should be checked for viruses. Identify the IP address of the FTP
server and enable content scanning for viruses if files are not expected to exceed
the maximum file size. Large files that exceed the maximum file size are dropped.
Telnet
The telnet protocol provides an interactive, text-based communications session
between a client and a host. Telnet provides access to a command-line interface,
typically via port 23. It is mainly used for remote login and simple control services
to systems with limited resources or to systems with limited needs for security.
Due to security risks, Schneider has limited the use of Telnet in its products.
Telnet Vulnerabilities
Use of Telnet is a severe security risk because all telnet traffic, including
passwords, is unencrypted. It can allow a remote individual considerable control
over a device.
Telnet Risk Mitigation
Inbound telnet sessions from the corporate to the control network should be
prohibited unless secured with authentication and an encrypted tunnel.
Outbound telnet sessions should be allowed only over encrypted tunnels (e.g.,
VPN) to specific devices (Covered in the Remote Access section).
Simple Mail Transfer Protocol (SMTP) & Post Office Protocol (POP3)
Email notification in the automation industry is becoming more prevalent as plants
downsize and rely on remote experts to troubleshoot and fix detected problems.
PlantStruxure devices only send email. However, there is potential that non-Schneider Electric devices residing on the network can receive email. Therefore,
it is highly recommended that firewalls be configured to scan the email for viruses.
The Simple Mail Transport Protocol (SMTP) is an internet standard used by e-mail
clients or mail transfer agents (MTA) to send e-mails. An SMTP server performs
two functions:
• Verifies that the configuration is valid and grants permission to the computer sending the message.
• Sends the outgoing message to a predefined destination and validates the successful transfer of the message. If the message is not successfully transferred, a message is sent back to the sender.
Post Office Protocol v3 (POP3) or Internet Message Access Protocol (IMAP) is
used by local e-mail clients to download email from a remote server. The POP3
server receives the e-mail message and retains it until it is retrieved by the
local client. POP3 uses port 110.
SMTP & POP3 Vulnerabilities
Directory harvesting is the most common form of attack. The attack relies on
invalid email addresses being rejected by the email system either during the
SMTP conversation or afterwards via a Delivery Status Notification (DSN). When
the attacker receives a rejection for an email address, that address is discarded.
When no rejection or DSN is received, the email address is considered "valid" and
is added to a spam database. The attacker typically uses two methods:
• Brute force: an approach that sends messages to all possible alphanumeric address combinations and waits for a valid response.
• Selective: an approach sending an email using a likely username in hopes of finding a valid one.
SMTP and POP3 Risk Mitigation
Inbound e-mail should not be allowed to any control network device.
Outbound SMTP mail messages from the control network to the corporate
network are acceptable in order to send alert messages. PlantStruxure devices
today only send emails.
All emails should be scanned for viruses. Note that some firewalls are not able to
check encrypted data for viruses.
Identify which IP address requires anti-virus protection and enable content
scanning for viruses if ftp files are not expected to exceed maximum file size.
Simple Network Management Protocol (SNMP)
All PlantStruxure Ethernet devices have SNMP service capability for network
management. Most of the PlantStruxure devices use SNMP v1 which does not
use encryption and is therefore considered unsecure. ConneXium switches are an
exception. They use SNMP v3 which has added security features:
• Message integrity
• Authentication
• Encryption
SNMP consists of three parts:
• Manager: an application that manages SNMP agents on a network by issuing requests, getting responses, and listening for and processing agent-issued traps. Managed devices can be any type of device: routers, access servers, switches, bridges, hubs, PACs, drives…
• Agent: a network-management software module that resides in a managed device. The agents allow configuration parameters to be changed by managers.
• Network management system (NMS): the terminal through which administrators can conduct administration tasks.
SNMP Vulnerabilities
SNMP in general is weak in security. Versions 1 and 2 of SNMP use unencrypted
passwords to both read and configure devices. Passwords may not be able to be
changed. Version 3 is considerably more secure but is still limited in use.
Often SNMP is automatically installed with "public" as the read string and "private"
as the write string. This type of installation provides an attacker the means to
perform reconnaissance on a system to create a denial of service.
SNMP also provides information about the system that may allow the attacker to
piece together the network system with the interconnection.
SNMP Risk Mitigation
The best defense is to upgrade to SNMP V3, which encrypts passwords and
messages.
SNMP V1 & V2 commands to and from the control network should be prohibited
unless it is over a separate, secured management network.
Control access by identifying which IP address has privilege to query an SNMP
device.
Network Address Translation (NAT)
Network Address Translation (NAT) is a firewall feature that hides a device’s true
IP address from the outside, so that the device cannot be accessed directly.
NAT is a method to map the entire network to a single IP address prior to
transmitting. NAT relies on the premise that not every internal device is actively
communicating with external hosts at any given moment. The firewall must track
the state of each connection and how each private internal IP address and source
port was remapped. When the response is received by the firewall, the IP address
mapping is reversed and the packets forwarded to the proper internal host.
Although NAT routers are not technically firewalls because they do not filter the
packets, NAT does protect the PlantStruxure devices from the network. NAT
provides high security by blocking packets originating from the Internet from
accessing the device directly. Only responses to a request are allowed to pass
through.
NAT was initially developed to address the shrinkage of available IP addresses
prior to IPv6. NAT is also referred to as IP-masquerading.
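The connection tracking just described, as an added example (not Schneider Electric or firewall vendor code): outbound flows are remapped to one public address and a tracked port, replies are reversed through the table, and unsolicited packets from outside are dropped. The addresses and the port range are constructed.

```python
"""Simulation of the connection tracking behind NAT / IP masquerading.

Added example, not Schneider Electric or any firewall vendor's code. Addresses
and the public port range are constructed for illustration.
"""
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int, str, int]   # (src ip, src port, dst ip, dst port)


class Masquerade:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # Forward table: private (ip, port) plus destination -> allocated public port.
        self.outbound: Dict[Flow, int] = {}
        # Reverse table: (public port, remote ip, remote port) -> private (ip, port).
        self.inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def translate_out(self, src_ip: str, src_port: int,
                      dst_ip: str, dst_port: int) -> Flow:
        """Packet leaving the private network: allocate (or reuse) a public port
        and rewrite the source to the single public address."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            pub_port = self.next_port
            self.next_port += 1
            self.outbound[key] = pub_port
            self.inbound[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_in(self, src_ip: str, src_port: int, dst_port: int) -> Optional[Flow]:
        """Packet arriving from outside addressed to the public IP. Only a reply to a
        tracked outbound flow is reversed to the internal host; anything unsolicited
        has no mapping and is dropped (None)."""
        priv = self.inbound.get((dst_port, src_ip, src_port))
        if priv is None:
            return None
        priv_ip, priv_port = priv
        return (src_ip, src_port, priv_ip, priv_port)


def demo() -> Tuple[Flow, Optional[Flow], Optional[Flow]]:
    """Constructed walk-through: one PLC request, its reply, and an unsolicited probe."""
    nat = Masquerade("198.51.100.2")
    out = nat.translate_out("10.10.5.20", 51000, "172.16.1.10", 502)
    reply = nat.translate_in("172.16.1.10", 502, out[1])
    probe = nat.translate_in("203.0.113.9", 4444, 40000 + 7)
    return out, reply, probe
```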
NAT Vulnerabilities
None known
NAT Configuration Recommendation
Use NAT whenever possible. Note that NAT does not support producer-consumer
protocols such as EtherNet/IP or Foundation Fieldbus.
Since NAT is usually used on routers and network gateways, it is necessary to
enable IP forwarding so that packets can travel between networks:
3.3.5. External Authentication
Authentication is the process of determining a person’s true identity. There are
several methods of external authentication. Remote Authentication Dial in User
Service (RADIUS) is the most popular network protocol used in the control system
network.
RADIUS provides three functions:
• Authenticate users or devices before granting them access to a network.
• Authorize users or devices for certain network services.
• Account for usage of those services.
Transactions between the client and the RADIUS server are authenticated
through the use of a shared secret. A shared secret is encrypted using the MD5
hashing algorithm. Originally, RADIUS was developed for dial-up remote access.
Today, RADIUS is supported by VPN servers, wireless access points,
authenticating Ethernet switches, Digital Subscriber Line (DSL) access, and other
network access types.
Authentication Guidelines
Use a different shared secret for each RADIUS server-RADIUS client pair.
If possible, configure shared secrets with a minimum length of 16 characters
consisting of a random sequence of upper and lower case letters, numbers, and
punctuation.
Authentication Vulnerabilities
The RADIUS shared secret does not have sufficient randomness to withstand an
offline dictionary attack. This vulnerability is addressed using IPsec in the
Remote Access section.
Authentication Risk Mitigation
Implement RADIUS authentication on the firewall.
Enter a shared secret used to authenticate the communication between the
RADIUS server and a RADIUS client.
3.3.6. Remote Access
There is a growing demand to establish connection to the control system that
enables engineers and support personnel to monitor and control the system from
remote locations. Remote access can be costly and susceptible to cyber attacks if
not configured correctly. Many companies are migrating from telephone modems
to a virtual private network (VPN) to reduce this risk. A VPN provides the highest
possible level of security, through encryption and authentication, preventing
viewing of the data over the public internet.
There are two VPN technologies used: IPsec and SSL.
Internet Protocol Security (IPSec): IPSec is an open standard, transparent to the
application, which provides IP network-layer encryption for private, secure
communications over Internet Protocol (IP) networks. IPSec supports:
• network-level data integrity
• data confidentiality
• data origin authentication
• replay protection
IPsec supports both Digital Signature and Secret key Algorithm.
Secure Socket Layer (SSL): SSL is a common protocol built into most web
browsers. SSL is easier to configure and does not require special client software.
However, SSL only works for web-based (TCP) applications and only supports
Digital Signature.
For remote access, VPN with IP-security (IPsec) is highly recommended. IPSec is
a suite of standards for performing encryption, authentication, and secure tunnel
setup. IPSec essentially creates private end-to-end tunnels out of the public
bandwidth available on the Internet. IPsec uses the following components:
• Internet key exchange (IKE and IKEv2)
• Authentication Header (AH)
• Encapsulating Security Payload (ESP)
IPsec has two connection modes, Tunnel and Transport mode.
• Tunnel mode: connection is established Gateway-to-Gateway, Gateway-to-Host or Host-to-Host. The entire IP packet is encapsulated to provide a virtual “secure hop” between two gateways and a secure tunnel across an untrusted Internet (recommended).
• Transport mode: connection is Host-to-Host. Only the payload (the data you transfer) of the IP packet is encrypted and/or authenticated.
A VPN tunnel uses algorithms to encrypt and decrypt user information. The three
common encryption protocols are:
• AES (Advanced Encryption Standard)
• DES (Data Encryption Standard)
• Triple-DES (3DES) - effectively doubles encryption strength over DES.
Authentication is necessary to make sure that no change is made to a message
during transmission. A hash, a one-way algorithm, takes an input message of
arbitrary length and produces a fixed-length output. Hash algorithms are used by
IKE, AH and ESP to authenticate data. The two popular hash algorithms are:
• Message Digest 5 (MD5): 160 bit key.
• Secure Hash Algorithm 1 (SHA-1): generates a 160-bit (20 byte) message digest. SHA-1 is slower than MD5 but offers greater protection against brute force attacks.
Remote Access Guidelines
• All remote access enabling hardware and software should be approved and installed in accordance with the Security Policy.
• Remote access should only be enabled when required, approved, and authenticated.
• Disable remote access when not needed.
• Change password once a remote maintenance session has terminated.
• Consider risk to the process when allowing remote access.
• Remote support personnel connecting over the Internet or via dialup modems should use an encrypted protocol such as IPsec.
• Once connected, they should be required to authenticate a second time at the control network firewall using a strong mechanism, such as a token based multi-factor authentication scheme, to gain access to the control network.
• Automatically lock accounts or access paths after a preset number of consecutive invalid password attempts.
• Change or delete any default passwords or User IDs.
• Change passwords periodically.
• For remote access modems:
  - Change default settings as appropriate:
    o Set dial-out modems to not auto answer.
    o Increase ring count before answer.
    o Utilize inactivity timeout if available.
  - Use callback whenever possible.
• Verify that the VPN devices do not have a negative impact on the control system network.
Remote Access Vulnerabilities
• Inadequate access restriction is the number one vulnerability to the control system network.
• Firewall filtering deficiencies.
• Services allowed into the control system network.
• War dial-ups (a computer dialing consecutive telephone numbers seeking a modem).
• Connection passwords programmed with the vendor’s default password.
• Access links not protected with authentication and/or encryption.
• Wireless has additional challenges because radio waves propagate outside the intended area:
  - Attackers who are within range can hijack or intercept an unprotected connection.
  - Wardriving is a common form of attack where a person searches for wireless devices from a moving vehicle, using a portable computer or PDA.
Remote Access Risk Mitigation – External Communication
The firewall should be configured for a VPN connection using Tunnel network to
network. The network to network is the most secure and will function in all
applications.
3.3.7. Protecting the Perimeter for Remote Control
Remote control differs from remote access in that remote control often by-passes
the security perimeter protection due to the latency introduced by the firewall. A
risk analysis by the organization is required to balance risk versus functionality.
Remote control with wireless brings additional security challenges. The best
defense is to use VPN tunnel with IPsec (same as firewall).
Remote Control Guideline
The wireless recommendations and guidance from the Industrial Control System
Security organization are:
• Prior to installation, a wireless survey should be performed to determine antenna location and strength to minimize exposure of the wireless network. The survey should take into account the fact that attackers can use powerful directional antennas, which extend the effective range of a wireless LAN beyond the expected standard range. Faraday cages and other methods are also available to minimize exposure of the wireless network outside of the designated areas.
• Wireless users’ access should utilize IEEE 802.1x authentication using a secure authentication protocol (e.g., Extensible Authentication Protocol [EAP] with TLS [EAP-TLS]) that authenticates users via a user certificate or a Remote Authentication Dial In User Service (RADIUS) server.
• The wireless access points and data servers for wireless worker devices should be located on an isolated network with documented and minimal (single if possible) connections to the ICS network.
• Wireless access points should be configured to have a unique service set identifier (SSID), disable SSID broadcast, and enable MAC filtering at a minimum.
• Wireless devices, if being utilized in a Microsoft Windows ICS network, should be configured into a separate organizational unit of the Windows domain.
• Wireless device communications should be encrypted and integrity-protected. The encryption must not degrade the operational performance of the end device. Encryption at OSI Layer 2 should be considered, rather than at Layer 3, to reduce encryption latency. The use of hardware accelerators to perform cryptographic functions should also be considered.
• For mesh networks, consider the use of broadcast key versus public key management implemented at OSI Layer 2 to maximize performance. Asymmetric cryptography should be used to perform administrative functions, and symmetric encryption should be used to secure each data stream as well as network control traffic. An adaptive routing protocol should be considered if the devices are to be used for wireless mobility. The convergence time of the network should be as fast as possible, supporting rapid network recovery in the event of a detected failure or power loss. The use of a mesh network may provide fault tolerance through alternate route selection and pre-emptive fail-over of the network.
Remote Control Vulnerabilities for Wireless
• Security settings are either not configured or configured for poor security.
• Radio waves propagate outside the intended area.
• Easy to eavesdrop.
• Physical location permits easy access.
• No security policies for setting up a wireless network.
• Attackers who are within range can hijack or intercept an unprotected connection.
• War driving - a common form of attack where a person is searching for a wireless device in a moving vehicle, using a portable computer or PDA.
Remote Control Risk Mitigation
FactoryCast ETG302x provides VPN capabilities for remote control. It is
recommended that two ETGs be used to gain access to the control network from
the RTU station using wireless.
The same rules apply to ETG302x as the firewall:
• Pre-shared key is used for authentication.
• For PlantStruxure devices, always use tunnel mode (mandatory).
• The encryption is preconfigured to 3DES (high) and authentication encryption to SHA-2.
• Enable VPN on both ETG302x and configure remote LAN in each.
After selecting VPN mode on both ETGs, configure the GPRS DNS name and the
mode to tunnel.
The figure below shows a fully configured system providing VPN access across the
public Internet with secured communications.
3.4. Network Segmentation via VLAN
3.4.1. Virtual LANs
Virtual LANs (VLAN) are commonly used to segment networks. VLANs divide
physical networks into smaller logical networks to increase performance, improve
manageability, simplify network design and provide another layer of security.
Segmentation can be accomplished using devices such as firewalls, routers and
Ethernet switches with access control lists.
Network segmentation advantages:
• Contains attacks (viruses, worms, trojans, spam, adware) to one network segment.
• Improves security by ensuring that nodes are not visible to unauthorized networks.
• Most of the intruders’ scans are dropped by the network before they ever hit a potential target system.
• Contains information leaks if there is a security breach on a network.
• Broadcasts and multicasts are restricted to their respective VLANs.
• Improves network performance and reduces network congestion.
• Controls communication access from one segment to another, providing enhanced security to a critical device or system.
For a control system, segmentation can be done at several levels; switches,
VLANs, and firewalls:
• The first level involves the use of Ethernet switches to prevent unwanted traffic from going to all devices, which could allow an attacker to view the data.
• The second level involves the use of switches with VLAN functionality to further restrict traffic. At this point, the concept of a communications or security zone is introduced. The control network is broken into separate zones based on physical proximity or purpose. Use of Access Control Lists further enhances the level of security of the zones.
• The third level involves the use of high performance industrial firewalls or routers to limit access to a communications zone and to monitor traffic inside the zone.
As firewalls and routers are added to the system, the user must be cognizant of
potential reduced network performance.
A VLAN is a broadcast domain (layer 2) configured on Ethernet switches on a
port-by-port basis that isolates traffic from other VLANs. When two devices are
defined as being on the same VLAN, the switch passes messages through with no
filtering.
VLANs are typically grouped by:
• Functionality or Cell Area: only the traffic relevant to a particular cell area
  and necessary for its operation.
• Access Requirements: access requirements differ for different types of users:
  Operators, Engineers, Vendors, Accounting …
• Security: access to sensitive information needs to be shielded: accounting,
  human resources, research …
• Traffic: limit traffic load to achieve the required throughput.
Segmentation Recommendation Guidelines:
• Use one VLAN per ring topology for all manufacturing traffic per cell/area
  zone.
• VoIP should be on a separate VLAN.
• Packets entering the DMZ from the Internet are assigned a restricted VLAN
  ID that allows access only to devices on the DMZ.
• All unnecessary traffic should be removed from the particular VLAN.
• Apply QoS ACLs to rate-limit the maximum amount of ping traffic allowed.
• Prevent all Telnet connections and allow only SSH sessions.
• Connect untrusted devices to untrusted ports and trusted devices to trusted
  ports.
• Disable unused ports and put them into an unused VLAN.
VLAN Vulnerabilities
VLAN hopping is a method of attacking networked resources on a VLAN. In a
VLAN hopping attack, the attacker uses switch spoofing or double-encapsulated
frames on an unauthorized port to gain access to another VLAN.
Common types of attacks carried out once the intruder has gained access to the
desired VLAN:
• MAC flooding attack (confined to the VLAN of origin)
• 802.1Q and ISL Tagging Attack
• Double-Encapsulated 802.1Q/Nested VLAN Attack
• ARP Attacks
• Private VLAN Attack
• Multicast Brute Force Attack
• Spanning-Tree Attack
• Random Frame Stress Attack
VLAN Risk Mitigation
ConneXium VLAN capabilities allow limiting access to areas/zones of
responsibility. For example, the engineer may have access to the entire plant, but
an operator responsible for sites A and B should not have access to site C.
Maintenance personnel assigned to site C should only have access to that site.
This confines the area of vulnerability.
Use caution when configuring VLAN 0 Transparent Mode. If checked, packets
are sent without VLAN membership.
Use ingress filtering to validate that incoming packets are legitimate.
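The ingress filtering recommended above, as an added example that is not part of the STN or of any ConneXium product: a minimal 802.1Q frame parser and the strict per-port check a switch applies, so that double-encapsulated frames (the VLAN hopping pattern) and frames tagged for a VLAN the port is not a member of are dropped at the port. The port names, VLAN numbers and MAC addresses are constructed.

```python
# Added example, not from the Schneider STN: an 802.1Q parser and a strict ingress
# filter for one switch port. Port names, VLAN numbers and frames are constructed.
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag


def build_frame(dst: str, src: str, vlan_ids, ethertype: int = 0x0800,
                payload: bytes = b"\x00" * 46) -> bytes:
    """Build an Ethernet frame with zero or more stacked 802.1Q tags (constructed input)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vlan_ids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # TCI: PCP/DEI zero, 12-bit VID
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return dst/src MAC, the stacked VLAN IDs (outer first) and the payload EtherType."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    offset = 12
    vlans = []
    (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    while ethertype == TPID_8021Q:
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        vlans.append(tci & 0x0FFF)           # low 12 bits of the TCI carry the VLAN ID
        offset += 4
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlans": vlans,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def ingress_check(port: dict, frame: bytes) -> tuple:
    """Strict ingress filtering for one port. Returns (accepted, vlan_id, reason).

    Access ports take only untagged frames and assign their PVID; trunk ports take
    exactly one tag from their allowed set. Anything else is dropped at the port.
    """
    tags = parse_frame(frame)["vlans"]
    if len(tags) > 1:
        return (False, None, "double-tagged frame dropped (VLAN hopping pattern)")
    if port["mode"] == "access":
        if tags:
            return (False, None, "tagged frame on access port dropped")
        return (True, port["pvid"], "untagged frame assigned to PVID")
    if not tags:
        return (False, None, "untagged frame on trunk dropped (no native VLAN)")
    if tags[0] not in port["allowed"]:
        return (False, None, "VLAN %d not allowed on this trunk" % tags[0])
    return (True, tags[0], "tagged frame within allowed set")


# Constructed port table: an operator workstation port and the uplink between two cell switches.
PORTS = {
    "port1": {"mode": "access", "pvid": 10},
    "port24": {"mode": "trunk", "allowed": {10, 20}},
}
HOST = "00:80:f4:00:00:01"   # constructed workstation MAC
PAC = "00:80:f4:00:00:02"    # constructed PAC MAC


def run_demo() -> dict:
    """Push representative frames through both ports; returns the verdict per case."""
    cases = {
        "untagged_on_access": ("port1", build_frame(PAC, HOST, [])),
        "tagged_on_access": ("port1", build_frame(PAC, HOST, [20])),
        "double_tagged_on_access": ("port1", build_frame(PAC, HOST, [10, 20])),
        "allowed_on_trunk": ("port24", build_frame(PAC, HOST, [20])),
        "foreign_vlan_on_trunk": ("port24", build_frame(PAC, HOST, [30])),
    }
    return {name: ingress_check(PORTS[p], f) for name, (p, f) in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(name, verdict)
```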
Communications Between VLANs
Once the network is segmented into VLANs, many users desire to allow restricted
communications between VLANs. This can be achieved by use of a Layer 3
switch/router that maps traffic from one VLAN to another. Schneider recommends
the Hirschmann MICE range of Layer 3 switches for this purpose.
Communication / Security Zones
Each VLAN can be thought of as a communications or security zone with a
defined list of network traffic that can enter the zone. A zone can be as small as a
single device or as large as an entire plant. To limit the network traffic entering a
zone, Schneider recommends the Hirschmann Eagle Tofino firewall appliance.
This appliance is protocol-aware, providing the ability to monitor and limit access
to specific data registers or function codes for each connected device.
The Eagle Tofino firewall is specifically designed for use in industrial control
systems, providing a setup and interface familiar to control system engineers.
3.5. Device Hardening
Device hardening is a process that reconfigures a device’s default settings to
strengthen security.
Device hardening applies to routers, firewalls, switches and other devices on the
network such as SCADA and PACs. Examples of device hardening:
• Password management including encryption
• Disabling of unused services
• Access control
• Network intrusion detection systems (NIDS)
• Strong authentication
The following sections demonstrate methods of hardening Schneider Electric
devices.
3.5.1. Passwords
Password management is one of the fundamental means of device hardening. It
can easily and quickly be implemented but is often neglected in the control system
network, where policies and procedures are often lacking or missing entirely.
Caution must be taken when considering security requirements and their
potential ramifications (i.e. performance, safety or reliability being adversely
impacted).
Guidelines for password configuration:
• Default passwords must be changed immediately after installation:
  • User and application passwords
  • Scripts and source code
  • Network control equipment
• All user accounts must have passwords.
• Limit passwords to people that need access.
• Passwords should not be shared and should be difficult to guess.
• Passwords should contain at least 8 characters, including:
  • Upper and lowercase letters
  • Numbers
  • Non-alphanumeric characters (e.g. !, $, #, %)
• Passwords should be changed regularly.
• Remove an employee’s access account when employment has terminated.
• Use different passwords for different accounts, systems and applications.
• A secured master list of all passwords must be kept in the plant at all times
  so that it can be accessed quickly in the event of an emergency.
• Password implementation must never interfere with the ability of an
  operator to respond to a situation (e.g. emergency shut-down).
• Passwords should not be transmitted electronically over the insecure
  Internet, such as via e-mail.
Password Vulnerabilities
• Storing passwords and dial-up numbers on unprotected portable devices
  that may be lost or stolen.
• Lack of a password policy to define strength and usage.
• Use of default passwords allowing unauthorized access.
• Passwords are not kept confidential and are shared or posted.
• Sending unencrypted passwords through unprotected communications (i.e.
  FTP, SMTP …).
• Providing inappropriate process control privileges to operators; either too
  much (e.g. administrative privileges) or too little (e.g. preventing operators
  from being able to take emergency corrective actions).
• Poorly chosen passwords can easily be guessed by humans or computers.
• Default passwords are not changed, and default settings can easily be
  found in manuals.
Password Risk Mitigation
SMTP – E-mail Server, HTTP – Web Server
Enable password authentication on all e-mail and web servers: PLCs, Ethernet
interface modules, built-in web servers …
FTP
Change the default password of the FTP server.
3.5.2. Device Access Control
One method of device hardening is to implement access control on the Schneider
Electric devices. Access control, similar to IP packet filtering on the firewall, only
permits access from the addresses entered in the Access table. It is useful to
prevent access from one plant area to another.
Guideline for Access Control
Access control should be implemented at all levels: firewall, switches and devices.
Access Control Vulnerability
Access to PAC logic that could have a negative impact on production, equipment
and the safety of personnel.
Access Control Risk Mitigation
Configure the access control to determine whether or not a device is allowed to
open a TCP connection to the module.
3.5.3. ConneXium Ethernet Switches
To harden the network system, it is necessary to parameterize the following
features of the ConneXium managed Ethernet switches to provide additional
protection against unauthorized users:
• SNMP
• Telnet/Web access
• Ethernet Switch Configurator Software Protection
• Port access control via IP or MAC address
SNMP
A network management station communicates with the device via the Simple
Network Management Protocol (SNMP). An SNMP packet contains the IP address
of the sending computer along with the device’s password needed for access.
The device receives the SNMP packet and compares the IP address of the
sending computer and the password with the entries in the device MIB. If the
password has the appropriate access right, and if the IP address of the sending
computer has been entered, then the device will allow access.
In the delivery state, the device is accessible via the passwords "public" (read only)
and "private" (read and write) from every computer.
SNMP Vulnerabilities
Ethernet switches are susceptible to MAC spoofing, table overflows, and attacks
against the spanning tree protocols, depending on the device and its
configuration.
SNMP Risk Mitigation
• Use SNMP v3 whenever possible.
• Password protect.
• Limit the access rights of the known passwords or delete their entries.
Telnet/Web access
The device’s Telnet server allows you to configure the device by using the
Command Line Interface (in-band).
The ConneXium switch can be configured using the web server. On delivery, the
server is activated.
Telnet/Web Access Vulnerabilities
Same vulnerabilities as described in the firewall section.
Telnet/Web Access Configuration Recommendation
Deactivate the Telnet and web servers if not used.
Ethernet Switch Configurator Software Protection
The Ethernet Switch Configurator Software protocol allows you to assign the
device an IP address based on its MAC address.
Ethernet Switch Configurator Software Vulnerability
Unauthorized access.
Ethernet Switch Configurator Software Risk Mitigation
It is recommended that the Ethernet Switch Configurator Software function for the
device be disabled after you have assigned the IP parameters to the device.
Disable the Ethernet Switch Configurator Software function in the "Ethernet
Switch Configurator Software Protocol" frame or limit the access to "read-only".
Ethernet Switch Port Access
Implement port security to prevent unauthorized physical connection to an
Ethernet port. Methods of securing the ports are:
• Disabling of open ports.
• MAC address locking – locking a specific MAC address to a specific port
  on the Ethernet switch.
• IP address locking – locking a specific IP address to a specific port on the
  Ethernet switch. Commonly used for faulty device replacement.
Ethernet Switch Port Vulnerability
A malicious user who has physical access to an unsecured port on a network
switch could plug into the network behind the firewall to defeat its incoming
filtering protection.
Ethernet switches maintain a table called the Content Addressable Memory (CAM)
that maps individual MAC addresses on the network to the physical ports on the
switch. In a MAC flooding attack, the switch is flooded with packets, each
containing a different source MAC address, filling the CAM table. Once the CAM
table is full, the switch behaves like an Ethernet hub, broadcasting all incoming
packets on all ports. The attacker could then use a packet sniffer (such as
Wireshark) running in promiscuous mode to capture sensitive data from other
computers (such as unencrypted passwords, e-mail and instant messaging
conversations) which would not be accessible were the switch operating normally.
Port Access Configuration Recommendation
Disable unused ports.
Restrict port access by allowing only selected devices (up to 10 devices per port).
3.5.4. SCADA System
SCADA, or Supervisory Control and Data Acquisition, systems are heavily used in
industrial control for data collection, human interface, and data analysis.
Schneider’s Vijeo Citect is an example of this functionality. SCADA systems, due
to their typical PC-based architecture, simple access to process control functions
and criticality to the process, are among the most vulnerable devices on the
control system network. Steps required to harden the SCADA system are:
• Limit the viewable areas by configuring roles.
• Use web clients instead of Internet Display Clients.
• Use multiple digital signatures.
• Carefully configure privileges without interfering with the process.
• Implement MS Windows authentication.
SCADA System Guidelines
• Routinely track and monitor audit trails, especially in the critical areas, to
  identify suspicious activity and remedy it immediately.
• Configure mirrored servers such as the historian in the DMZ for external
  access. Do not allow direct access to the control system network.
• Validate that there are no foreign IP addresses on the access list.
• Keep the anti-virus software current. This can often conflict with
  production and may require a risk assessment.
• Maintain passwords.
• No e-mail or web access.
• Disable or remove CD-ROM and diskette drives.
• Disable USB ports not used by the keyboard or mouse.
• Do not leave remote units available.
• Secure in locked cabinets if possible.
• Dual firewalls are recommended.
SCADA Vulnerabilities
SQL injection is a code injection technique that occurs in the database layer of an
application. The attacker executes unauthorized SQL commands by taking
advantage of poorly secured code on a system connected to the Internet. Most of
the security issues center around the login and the URL string.
SQL injection attacks are used to steal information from a database and/or to gain
access to an organization's host computers through the computer that is hosting
the database.
SCADA Risk Mitigation
Assign Roles
Limit access to plant areas to prevent unauthorized access to areas outside a
user’s responsibility. If an intruder is able to penetrate, access will be to a
specific area and not the entire plant.
Web Servers
Internet Display Clients (IDC) are configured using FTP. As stated before, FTP is
an untrusted protocol and should be avoided. It is highly recommended that the
CitectSCADA web client be used instead of IDCs.
Multiple Digital Signatures
Whenever possible, use multiple digital signatures for tasks that require a higher
authorization, such as modifying thresholds.
3.5.5. Device Hardening for Legacy Devices
In many cases, the devices in the control system are older and were not equipped
with sufficient device hardening features. In this case, an external device can be
applied in combination with the installed end device to improve the hardening.
Schneider recommends use of the Hirschmann Eagle Tofino firewall to provide
these features. It is recommended to configure the firewall to use the same IP
address as the end device so the combination of the two units appears as a single
end device to the rest of the network.
The single combined unit can also take advantage of the Eagle’s ability to limit
network traffic, restrict access to allow only data requests from specific originating
devices and even limit access to specific data register areas or the use of specific
function codes.
3.6. Monitoring
Security monitoring on the control system network is critical. No system is fully
protected due to the continuous evolution of new cyber attacks. By monitoring the
system, immediate action can be taken to block intrusion attempts before damage
is done.
3.6.1. Methods of Monitoring Networks
There are several methods of monitoring the network for suspicious activity:
• Monitoring of log files.
• Usage of authentication traps.
• Use of an Intrusion Detection System (IDS), which monitors activity on the
  network such as traffic patterns, file access, changes in port status,
  invalid password entries, detected equipment failures …
There are two types of IDS:
• Network Intrusion Detection Systems (NIDS) – Monitor traffic to and from
  all devices on the network.
• Host Intrusion Detection Systems (HIDS) – Run on individual hosts or
  devices on the network.
3.6.2. Monitoring Recommendations
SNMP Authentication Traps
Enable SNMP authentication traps to monitor for unauthorized login attempts.
Monitor Event Log
Monitor the event logs of devices for unusual activity.
Monitor MS Windows Event Viewer
Monitor the MS Windows Event Viewer (Control Panel/Administrative Tools/Event
Viewer/Application Log) for unusual activity.
Monitor Network Load
Using network diagnostic tools like HiVision from Hirschmann Electronics, monitor
and immediately investigate unusual traffic load.
Monitor Device Log Files
Monitor the log files produced by devices. For example:
• Crash log file (i.e. Quantum PAC)
• Alarm log files (i.e. PAC)
• Diagnostic log files (i.e. ConneXium Switch)
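What "monitor for unauthorized login attempts" looks like when automated, as an added example that is not part of the STN: detection logic run over constructed switch log lines, raising an alert when SNMP authentication failures from one source exceed a threshold inside a time window, and when any such attempt comes from outside the subnet allowed to manage the switches. The log format, device names, addresses and the management subnet are all assumptions.

```python
# Added example, not from the Schneider STN: threshold and foreign-source detection over
# constructed SNMP authentication-failure log lines. Format, hosts and subnets are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed log format: "<date> <time> <device> <facility>: <message>"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\w+): (.*)$")
AUTH_FAIL_RE = re.compile(r"authentication failure from (\d+\.\d+\.\d+\.\d+)")

ENGINEERING_NET = ip_network("10.10.5.0/24")   # assumption: only subnet allowed to manage switches
THRESHOLD = 3                                  # failures from one source ...
WINDOW = timedelta(minutes=5)                  # ... within this window raise an alert

# Constructed sample log: repeated failures from one engineering host, one attempt from
# an address outside the engineering subnet, and an unrelated link event.
SAMPLE_LOG = """\
2011-03-01 08:00:01 sw-cellA SNMP: authentication failure from 10.10.5.12
2011-03-01 08:00:45 sw-cellA SNMP: authentication failure from 10.10.5.12
2011-03-01 08:01:10 sw-cellA LINK: port 7 up
2011-03-01 08:01:30 sw-cellB SNMP: authentication failure from 172.16.40.9
2011-03-01 08:02:02 sw-cellA SNMP: authentication failure from 10.10.5.12
2011-03-01 08:02:05 sw-cellA SNMP: authentication failure from 10.10.5.12
2011-03-01 08:30:00 sw-cellA SNMP: authentication failure from 10.10.5.12
"""


def parse_line(line):
    """Return (timestamp, device, facility, message), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)


def analyse(log_text):
    """Walk the log once; returns alert strings for foreign managers and repeated failures."""
    alerts = []
    recent = defaultdict(list)          # (device, source ip) -> failure times inside the window
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, device, facility, msg = parsed
        fail = AUTH_FAIL_RE.search(msg) if facility == "SNMP" else None
        if not fail:
            continue
        src = ip_address(fail.group(1))
        if src not in ENGINEERING_NET:
            alerts.append("%s: SNMP access attempt from foreign address %s" % (device, src))
        key = (device, src)
        # Keep only failures still inside the window, then add this one.
        recent[key] = [t for t in recent[key] if ts - t <= WINDOW] + [ts]
        if len(recent[key]) == THRESHOLD:      # fire once, when the threshold is crossed
            alerts.append("%s: %d SNMP authentication failures from %s within %d min"
                          % (device, THRESHOLD, src, WINDOW.seconds // 60))
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print("ALERT:", a)
```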
4 – Appendix
4. Appendix – Methods of Attack
4.1. IP Spoofing
IP spoofing is a method used to disguise the identity of the attacker in an attempt
to perform various malicious attacks such as denial of service and man-in-the-middle.
IP spoofing is accomplished by manipulating the IP address.
The Internet Protocol (IP) is the main protocol used to communicate data across
the Internet. The IP header of the data contains the information necessary to
transport data from the source to the destination. The header contains information
about the type of IP datagram, how long the datagram remains active on the
network, special flags indicating any special purpose the datagram is supposed to
serve such as whether or not the data can be fragmented, the destination and
source addresses, and several other fields.
The receiver of the packet is able to identify the sender by the source IP address.
IP does not validate the source’s IP address. In IP spoofing, the attacker
manipulates the datagram. The most common manipulation is creating a false
source IP address to hide identity.
The primary motives of the attack are:
• To gather information about open ports, operating systems, or applications on
  the host from the replies. For example, a port 80 response may indicate that
  the host is running a web server. Using telnet, the attacker may be able to see
  the banner and determine the web server version and type. The attacker can
  then try to exploit any vulnerability associated with that web server.
• To uncover the sequence number. TCP requires the use of a sequence number
  for every byte transferred and requires an acknowledgement from the
  recipient. An attacker will send several packets to the victim in the hope of
  determining the algorithm. Once the algorithm is determined, the attacker
  tricks the target into believing its legitimacy and begins to launch various
  attacks.
• To hijack an authorized session by monitoring a session between two
  communicating hosts and then injecting traffic that appears to be coming from
  one host. By doing so the hijacker steals the session from one host and
  terminates its session. The hijacker continues the same session with the same
  access privileges to the other legitimate host.
4.2. Denial of Service Attacks
Denial of Service (DoS) is an attempt to prevent legitimate users from accessing
computer services either temporarily or permanently. One common method of
attack involves saturating the victim’s computer with external communications
requests to either block responses or respond so slowly that the system is
considered ineffective. The attacker usually accomplishes this by:
Step 1: Crashing the system.
Step 2: Denying communication between systems.
Step 3: Bringing the network or the system down or having it operate at a
reduced speed, affecting productivity.
Step 4: Hanging the system, which is more dangerous than crashing since there
is no automatic reboot. Productivity can be disrupted indefinitely.
There are several variations of DoS. The most popular are:
• TCP SYN flood attack
• Land attack
• ARP spoofing
• ICMP smurf attack
• Ping of death
• UDP flood attack
• Teardrop attack
4.3. TCP SYN Flood Attack
A TCP SYN flood is a form of denial-of-service attack in which an attacker sends
a succession of SYN requests to a target’s system.
When a client attempts to start a TCP connection to a server, the client and
server exchange information in the following sequence:
Step 1: The client requests a connection by sending a SYN (synchronize)
message to the server.
Step 2: The server acknowledges the request by sending a SYN-ACK back
to the client.
Step 3: The client responds with an ACK and the connection is established.
This is called the TCP three-way handshake. In a SYN flood the attacker sends
the SYN of step 1 but never completes step 3, so the server keeps each half-open
connection, and the resources reserved for it, until it times out.
There is a limit to the available resources. Once the limit has been reached, all
other requests are dropped. Older operating systems are more vulnerable than
newer operating systems. Newer operating systems manage resources better,
making it more difficult to overflow tables, but they are still vulnerable.
4.4. Land Attack
In a land attack, a spoofed TCP SYN packet is sent in which the source IP
address and source port number are identical to the target IP address and
port number. The target machine replies to itself in an endless loop until the idle
timeout value is reached.
4.5. ARP Spoofing
Address Resolution Protocol (ARP) is a Layer 2 protocol that maps an IP address
to a MAC address, stored in a table (the ARP cache) residing in memory.
Step 1: ARP checks the local ARP cache for an entry for the destination IP
address. If a match is found, then the hardware address of the destination is
added to the frame header and the frame is sent.
Step 2: If a match is not found, then an ARP request broadcast is sent to the
local network (remember it knows the destination is on the local network by
working out the network ID from the IP address and the subnet mask). The ARP
request contains the sender’s IP address and hardware address and the IP
address that is being queried, and is sent to 255.255.255.255 (everyone, but it
won’t get routed).
Step 3: When the destination host receives the broadcast, it sends an ARP reply
with its hardware address and IP address.
Step 4: When the source receives the ARP reply, it updates its ARP cache and
then creates a frame and sends it.
ARP spoofing, also known as ARP poisoning or ARP routing, sends fake ARP
messages on the network. The intent is to associate the attacker’s MAC address
with the IP address of another node (i.e. the gateway) by poisoning the ARP
caches of the systems, in order to intercept traffic.
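The four-step exchange above turned into a detection rule set, as an added example that is not part of the STN: a passive monitor that tracks which ARP requests are outstanding and flags the two symptoms of cache poisoning, a reply that changes the MAC already bound to an IP address, and a reply nobody asked for that claims a protected address such as the gateway. The addresses, the protected-address list and the captured packets are constructed.

```python
# Added example, not from the Schneider STN: a passive ARP monitor that flags
# cache-poisoning symptoms. Addresses and captured packets are constructed.
from dataclasses import dataclass


@dataclass
class ArpPacket:
    opcode: int          # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


class ArpMonitor:
    def __init__(self, protected_ips, static_bindings=None):
        self.protected = set(protected_ips)          # gateway, PACs, historian ...
        self.bindings = dict(static_bindings or {})  # ip -> mac, configured or learned
        self.outstanding = set()                      # (requester_ip, queried_ip) awaiting a reply

    def observe(self, pkt):
        """Feed one ARP packet; returns the alerts (possibly none) it raised."""
        alerts = []
        if pkt.opcode == 1:                           # step 2: a request broadcast was seen
            self.outstanding.add((pkt.sender_ip, pkt.target_ip))
            return alerts
        if pkt.opcode != 2:
            return alerts
        # Step 3: a reply. Was it asked for by the host it is addressed to?
        solicited = (pkt.target_ip, pkt.sender_ip) in self.outstanding
        self.outstanding.discard((pkt.target_ip, pkt.sender_ip))
        known = self.bindings.get(pkt.sender_ip)
        if known is not None and known != pkt.sender_mac:
            alerts.append("binding change: %s was %s, now claimed by %s"
                          % (pkt.sender_ip, known, pkt.sender_mac))
        if not solicited and pkt.sender_ip in self.protected:
            alerts.append("unsolicited reply for protected address %s from %s"
                          % (pkt.sender_ip, pkt.sender_mac))
        if known is None:
            self.bindings[pkt.sender_ip] = pkt.sender_mac   # step 4: learn once, never overwrite
        return alerts


GATEWAY_IP, GATEWAY_MAC = "192.168.10.1", "00:80:f4:aa:00:01"     # constructed
HOST_IP, HOST_MAC = "192.168.10.20", "00:80:f4:aa:00:20"          # constructed
ROGUE_MAC = "de:ad:be:ef:00:99"                                   # constructed


def run_demo():
    """Normal resolution of the gateway followed by a poisoning reply; returns all alerts."""
    mon = ArpMonitor(protected_ips=[GATEWAY_IP])
    capture = [
        ArpPacket(1, HOST_MAC, HOST_IP, "00:00:00:00:00:00", GATEWAY_IP),   # who has the gateway?
        ArpPacket(2, GATEWAY_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),           # the gateway answers
        ArpPacket(2, ROGUE_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),             # unsolicited claim of the gateway IP
    ]
    alerts = []
    for pkt in capture:
        alerts.extend(mon.observe(pkt))
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print("ALERT:", a)
```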
4.6. ICMP Smurf
In a Smurf attack, the attacker spoofs the target’s IP address, sending ICMP
Echo Requests (pings) to the broadcast address on an intermediary network. As a
result, the target host is flooded with replies and its resources become exhausted,
so that legitimate users cannot access the server. The ICMP Smurf attack is the
same as an ICMP flood attack except that Smurf attacks use other networks to
multiply the number of requests.
4.7. The PING of Death
A feature of TCP/IP is to allow fragmentation by separating a single IP packet into
smaller segments. When fragmentation is performed, each IP fragment needs to
carry information about which part of the original IP packet it contains. This
information is kept in the Fragment Offset field in the IP header.
The PING of death attack sends an ICMP Echo Request (ping) as multiple
fragmented packets that add up to more than the maximum IP packet size (63,535
bytes). Since the received ICMP echo request packet is larger than the allowed IP
packet size, the remote system crashes while attempting to reassemble the
packet.
4.8. UDP Flood Attack
A UDP flood attack is similar to ICMP flooding. The difference is that UDP
datagrams of different sizes are used. In the UDP flood attack, the attacker sends
a UDP packet to a random port on the victim’s system. When the victim’s system
receives a UDP packet, it checks to see if there is an application listening at that
port. If not, then it will reply with an ICMP Destination Unreachable packet to the
unreachable spoofed source IP address. If enough UDP packets are delivered to
enough ports on the victim, the system will go down.
The primary motivation of the UDP flood attack is not to break into a system but to
make the target system deny service to legitimate users.
4.9. Teardrop Attack
The teardrop attack is the most popular fragment attack method. It involves
inserting false offset information into fragmented packets. As a result, during
reassembly, there are empty or overlapping fragments that can cause the system
to crash.
The primary motivation of the teardrop attack is to hang or crash a system.
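The two malformed fragment sequences from sections 4.7 and 4.9, and the check a reassembly queue applies to reject them, as an added example that is not part of the STN: a fragment whose offset plus length runs past the maximum IP datagram length is refused (the PING of death case), and a fragment that shares bytes with one already queued is refused (the teardrop case), with the whole datagram discarded instead of reassembled. Offsets are given as the raw Fragment Offset field (units of 8 bytes); the fragment sequences are constructed.

```python
# Added example, not from the Schneider STN: validation of incoming IP fragments covering
# the oversize (ping of death) and overlapping (teardrop) cases. Fragments are constructed.
MAX_DATAGRAM = 65535   # IPv4 Total Length is a 16-bit field, so no datagram can exceed this


class FragmentQueue:
    """Reassembly state for one datagram (same source, destination, protocol and ID)."""

    def __init__(self):
        self.pieces = []          # accepted (start, end) byte ranges, end exclusive
        self.total_len = None     # set once the last fragment (MF = 0) has been seen
        self.rejected = None      # reason the whole datagram was discarded, if any

    def add(self, frag_offset_field, length, more_fragments):
        """Returns 'accepted', 'complete', or 'rejected: <reason>'."""
        if self.rejected:
            return "rejected: " + self.rejected
        start = frag_offset_field * 8          # the header field counts 8-byte units
        end = start + length
        if end > MAX_DATAGRAM:
            return self._reject("datagram would exceed %d bytes (ping of death)" % MAX_DATAGRAM)
        if more_fragments and length % 8 != 0:
            return self._reject("non-final fragment length is not a multiple of 8")
        for s, e in self.pieces:
            if start < e and s < end:         # any shared byte is an overlap (teardrop pattern)
                return self._reject("fragment %d-%d overlaps %d-%d" % (start, end, s, e))
        if not more_fragments:
            if self.total_len is not None:
                return self._reject("second final fragment")
            self.total_len = end
        self.pieces.append((start, end))
        return "complete" if self._is_complete() else "accepted"

    def _reject(self, reason):
        self.rejected = reason
        self.pieces.clear()       # free the buffer; nothing is reassembled
        return "rejected: " + reason

    def _is_complete(self):
        if self.total_len is None:
            return False
        covered = 0
        for s, e in sorted(self.pieces):
            if s != covered:
                return False      # hole: still waiting for a fragment
            covered = e
        return covered == self.total_len


def run_cases():
    """Three constructed sequences: a normal split ping, a teardrop pair, an oversize tail."""
    normal = FragmentQueue()
    normal.add(0, 1480, True)                          # bytes 0-1479
    normal_status = normal.add(185, 20, False)         # bytes 1480-1499, last piece
    teardrop = FragmentQueue()
    teardrop.add(0, 1480, True)
    teardrop_status = teardrop.add(100, 1000, False)   # starts at byte 800, inside the first piece
    oversize = FragmentQueue()
    oversize_status = oversize.add(8189, 100, False)   # starts at 65512, would end at 65612
    return {"normal": normal_status, "teardrop": teardrop_status, "oversize": oversize_status}


if __name__ == "__main__":
    for name, status in run_cases().items():
        print(name, "->", status)
```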
Schneider Electric Industries SAS
Due to evolution of standards and equipment, characteristics indicated in texts and images
in this document are binding only after confirmation by our departments.
Head Office France
35 rue Joseph Monier
92506 Rueil-Malmaison Cedex
www.schneider-electric.com
Version 1.2 – 03 2011