THE LINE
Sound security strategy, whether military, physical, or cyber security, is the concept of “Defense in Depth”—firewalls don’t fail me now
By Eric Byres

42 INTECH MARCH 2007 WWW.ISA.ORG


SPECIAL SECTION: NETWORKING

It is November 1918. World War I, the greatest war the world has ever seen, has just ended, and France is reeling from the devastation. The conflict has killed over one million French citizens, wounded a further four million, and destroyed much of the countryside of eastern France. A fierce debate begins to rage—“how should France ensure that another invasion of their beautiful country by the German hordes never occurs again?”

While there are a number of opposing ideas on how to achieve this, the one that carries the day is to build a defensive line of fortresses along the border with Germany.

Therefore, between 1930 and 1936, the French government pours approximately three billion francs into building 400 miles of fixed concrete fortifications known as the Maginot Line.

Everyone in France now can feel secure knowing their country is safe behind the massive barrier of concrete and guns.

Then on 10 May 1940, Hitler attacks France. While German decoys sit opposite the Line, Hitler’s second Army Group cuts through Belgium, the Netherlands, and the undefended Ardennes Forest. These troops completely bypass the Line, and within a week, Nazi troops are deep inside France. A month and a half later, France surrenders. The Line is hardly involved in the defense of France.

What went wrong? The Line certainly achieved its intended task, preventing a direct assault against France’s eastern border.

However, France’s strategic use of the Line was poor. The Maginot Line was only part of what should have been a multilayered plan, involving other defense systems and the French Army.

Same mistake: 75 years later

Today sound security strategy, regardless of whether it is military, physical, or cyber security, leverages the concept of “Defense in Depth.”

Effective security comes by layering multiple security solutions, so if one fails, another takes up the torch of defense.

Conversely, basing a security design on hiding behind a single monolithic solution—the Bastion model—results in the possibility of a single point of failure.

With the inevitable help of Murphy’s Law, intruders and hackers will eventually bypass this single point (like the Maginot Line) or there will be some sort of malfunction or untoward event at that single point. When that happens, the system will be wide open to attack.

The Bastion model of security is all too common in both the information technology (IT) and industrial controls worlds. Many companies base their plant floor and SCADA security solutions on a single firewall between the business network and the control system network.

Even worse, others depend on a single firewall between business and the Internet to protect the control system. In either case, these companies believe this firewall will be the ultimate security filter and prevent anything evil from ever getting to the control system.

Nothing could be further from the truth.

Many roads for invading Rome

To understand why the Bastion model fails, it is helpful to look at the Slammer Worm and how it has affected control systems since its creation in 2003.

According to records in the Industrial Security Incident Database, this one worm has been responsible for more documented incidents of process disruption than any other source.

A few of its “achievements” include interrupting power distribution SCADA systems, infecting the safety parameter display system in a nuclear plant, and curtailing oil operations in the Gulf of Mexico.

What is particularly interesting is that the Slammer worm has used at least five different pathways to get to its control system victims.

In one case, it got into a petroleum control system via a maintenance laptop that was used at home (and infected) and then brought into the plant. In another case, it infected a paper machine’s human-machine interface (HMI) via a remote support dial-up modem. In a third case it passed right through a poorly configured firewall.

In all these examples there were firewalls in place, but the worm either bypassed them, à la the Maginot Line, or took advantage of some flaw in the firewall’s deployment.

Slammer is just one example—an analysis of 75 security incidents against control systems between 2002 and 2006 shows over half the external attacks come through secondary pathways such as dial-up connections, wireless systems, and mobile devices. In these cases, like the Maginot Line, the firewall did its job, but the security strategy failed.

FAST FORWARD
● Firewalls are a fantastic tool in the security toolbox, but industry has misused them.
● Effective security comes by layering multiple security solutions.
● Poorly patched Windows-based computers abound.

“If you entrench yourself behind strong fortifications, you compel the enemy to seek a solution elsewhere.”

For related information, see “What happens in plant stays in plant,” page 14.

In other cases, the firewall appears to allow attacks to go right through it. Even this is not usually the fault of the firewall, but the fault of poor configuration. A typical IT-style firewall requires considerable expertise to design, commission, and maintain. The complexity of this task is too often underestimated.

In a seminal paper on firewall configuration errors, Dr. Avishai Wool showed many IT firewalls in major corporations are enforcing poorly written rule-sets and are vulnerable to attack.

In the study, Wool defined 12 serious firewall configuration errors (each very general in nature) and then inspected the firewall configurations of 37 major corporations. He found on average seven serious errors per firewall, with some having as many as 12 errors.

“Almost 80% of firewalls allow both the ‘Any’ service on inbound rules and insecure access to the firewalls. These are gross mistakes by any account,” Wool said.
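As an added example (not from the article or from Wool’s paper), the following Python audit scans a simplified rule table for the two gross errors Wool quotes: inbound rules permitting the “Any” service, and rules that expose the firewall’s own interfaces to untrusted sources. The rule format, zone names, and sample rules are constructed for this example.

```python
# Added example, not from the article: audits a simplified firewall rule table for two
# of the gross errors Wool's study reports. Rule format and sample rules are constructed.
from dataclasses import dataclass

FIREWALL_SELF = "firewall"   # symbolic destination meaning the firewall's own interfaces

@dataclass(frozen=True)
class Rule:
    num: int
    action: str      # "allow" or "deny"
    direction: str   # "inbound" (toward the protected side) or "outbound"
    src: str         # zone or host: "internet", "corp", "pcn", "mgmt", ...
    dst: str         # zone, host, or FIREWALL_SELF
    service: str     # "any", "tcp/1433", "tcp/22", ...

def audit_rules(rules, trusted_mgmt_sources=("mgmt",)):
    """Return (rule number, finding) pairs for allow rules that match a Wool-style
    gross error; deny rules can never be at fault here."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.direction == "inbound" and r.service == "any":
            findings.append((r.num, "inbound rule permits the Any service"))
        if r.dst == FIREWALL_SELF and r.src not in trusted_mgmt_sources:
            findings.append((r.num, f"firewall itself reachable from untrusted source '{r.src}'"))
    return findings

# Constructed rule set for a firewall between the business network and the control network.
SAMPLE_RULES = [
    Rule(1, "allow", "inbound", "corp", "historian", "tcp/1433"),       # narrow, fine
    Rule(2, "allow", "inbound", "corp", "pcn", "any"),                  # error: Any service inbound
    Rule(3, "allow", "inbound", "internet", FIREWALL_SELF, "tcp/22"),   # error: admin from outside
    Rule(4, "allow", "inbound", "mgmt", FIREWALL_SELF, "tcp/22"),       # fine: trusted admin zone
    Rule(5, "allow", "outbound", "pcn", "corp", "any"),                 # not flagged: outbound
    Rule(6, "deny", "inbound", "any", "any", "any"),                    # default deny
]

def error_rule_numbers(rules=SAMPLE_RULES):
    """Sorted rule numbers with at least one finding."""
    return sorted({num for num, _ in audit_rules(rules)})

if __name__ == "__main__":
    for num, finding in audit_rules(SAMPLE_RULES):
        print(f"rule {num}: {finding}")
```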

When bad guys (and bugs) get in

Once a virus or hacker does get past the business or control system firewall, the typical control system is an easy target for attack. Poorly patched Windows-based computers abound, and anti-virus software is the exception rather than the rule.

For example, during a security survey conducted at a major refinery, we discovered only 55% of the Windows 2000/XP machines in control rooms had the patch that prevented Blaster infections, and even fewer (38%) had the patch for the Sasser worm installed.

Yet both these patches had been available for over two years, and the control system vendor had approved them at the time of the survey. Even the most inexperienced hacker could have taken over this control system in a matter of hours.

The actual control devices, such as the programmable logic controller (PLC) or Remote Terminal Unit (RTU), are even softer targets than the unpatched PCs. In a study by CERN, Europe’s laboratory for high energy physics, 25 industrial control devices (mostly PLCs) were tested using standard IT security tools (such as Nessus and Netwox) that are available to the average attacker.

Figure caption: A security device like this can mount inside the firewall and between a control apparatus and the network. It protects specific, critical devices.

Almost half of the devices failed the tests, usually due to communications failures, system crashes, and unprotected services. For experts in the field, these results were not very surprising because the vast majority of the PLCs and RTUs currently in use offer no authentication, integrity, or confidentiality mechanisms and are subject to complete control by any individual that can “ping” the device. Nor can one easily update them or add security features to them.

Defense in depth: The perimeter

At this point, one might be thinking firewalls are bad technology.

This is not the case. Firewalls are a fantastic tool in the security toolbox, but industry has misused them. The solution to securing the plant floor is to build a proper defense-in-depth strategy that does not over-rely on any single technology. It also means first creating a proper electronic perimeter around the control system and then hardening the devices within.

The security perimeter for a control system is both policy and technology. First, policy sets out what truly belongs on the control system network and what is outside. Next, a primary control system firewall acts as the choke point for all traffic between the outside world and the control system devices.

Proper design and deployment of this control system firewall is critical—ideally, it should be deployed in the appropriate multi-layer architecture described in guidelines like the “NISCC Good Practice Guide on Firewall Deployment for SCADA and Process Control Networks.”

Often this is not the case. Paul Dorey of BP noted in his keynote speech at the Process Control Security Forum in June 2006 that comments like “My networks aren’t connected” and “My server uses a separate network card to connect to the PCN and the corporate network” do not indicate a secure network design and are simply a great way to infect both business and control system networks.

Similarly, using routers or switches in place of true firewalls is generally not acceptable. Detailed reasons for using proper firewalls and the basics of designing multi-layer architectures are described in the NISCC Good Practice Guide.

Defense in depth: Plant floor

Once the electronic perimeter of the control system is secure, it is necessary to build the secondary layers of defense on the control system itself.

For those control components (such as HMIs and data historians) that sit on traditional IT operating systems such as Windows and Linux, this should take advantage of the proven IT strategies of Patch and Anti-Virus (A/V) Management.

Many control engineers mistakenly believe patching or anti-virus deployment is not possible on control systems. While one cannot blindly deploy new A/V signatures or patches into the industrial control environment, the safe deployment of anti-virus software or patches on control systems is very achievable.

A number of leading companies have demonstrated that careful A/V and patching policy can balance the need for system reliability with the need for system security.

For example, at ISA EXPO 2006, industry giants Dow Chemical, Procter and Gamble, and AstraZeneca Pharmaceutical all described how they successfully deployed anti-virus technology and patch management on their control systems.

In the power industry, the Edison Electric Institute has detailed recommendations on a tiered approach to patch management for control systems.

Finally, most major control equipment vendors now offer guidance on both patch management and A/V deployment for their control products. Thus, there is little reason for control systems not to have hardened computers on the plant floor through good patch and A/V programs.

Defense in depth: The controller

For those devices like PLCs, RTUs, and DCS controllers where patching or antivirus solutions are not readily available, the use of industrial security appliances is a good idea.

This rapidly evolving security solution rests on the use of low-cost security modules deployed directly in front of each control device (or group of devices) that needs protection.


Terminology

Murphy’s Law is a popular adage in Western culture that broadly states, “Things will go wrong in any given situation, if you give them a chance.”

Slammer worm: The SQL Slammer worm is a computer worm that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic on 25 January 2003. The worm was possible because of a software security vulnerability in SQL Server first reported by Microsoft on 24 July 2002. A patch had been available from Microsoft for six months prior to the worm’s launch, but many installations neglected to install the patch, including some at Microsoft.

Sasser worm is a computer worm that affects computers running vulnerable versions of the Microsoft operating systems Windows XP and Windows 2000. It spreads by exploiting the system through a vulnerable network port. Thus, it is particularly potent in that it can spread without the help of the user, but a properly configured firewall can easily stop it.

PLC: A programmable logic controller is an electronic microprocessor device that stores and executes automatically a series of programmed commands that produce a machine’s sequence of operation.

RTU is a remote terminal unit. In SCADA systems, an RTU is a device installed at a remote location that collects data, codes the data into a format that is transmittable, and transmits that data back to a central station, or master.


Industrial security appliances provide local protection for critical control devices, similar to the way personal firewalls (like Windows Firewall), antivirus software, or intrusion detection systems (like Tripwire) provide local protection for desktop computers.

This way, if a hacker or virus manages to get through the electronic perimeter firewall, it will still need to breach an army of control-focused security devices before it can do any damage.

Two examples of this type of security solution are the Honeywell C300 firewall and the MTL Instruments Tofino Security Solution.

The first is a small module that is pre-configured to protect Honeywell controllers from possible attack. Its focus on a specific control device and its industrial design results in a firewall solution that is simple for field personnel to install correctly.

The Tofino Solution is equally simple to install, avoiding the complexity of the typical IT firewall. Field technicians simply connect it between the control device and the rest of the network, apply power, and walk away, yet it can also be configured, monitored, and managed from a Central Management Platform located somewhere on the corporate network.

Because of their focus on protecting a small number of critical devices rather than a whole network, both of these appliances can be specifically tuned to meet the security needs of the device they are protecting.
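To make the perimeter, secondary-pathway, and controller arguments above concrete, here is an added Python model (not from the article or any vendor) that enumerates every path from an untrusted zone to a control device and reports paths crossing fewer than two independent controls. The zone names and topology are constructed; the dual-homed historian and the dial-up modem stand in for the bypasses the article describes.

```python
# Added example, not from the article: a toy network model that finds paths from
# untrusted zones to control devices with too few independent security layers.
from collections import defaultdict

class Network:
    """Zones (or hosts) joined by links; each link records the security control
    that mediates it, or None for an unfiltered connection."""
    def __init__(self):
        self.links = defaultdict(list)   # zone -> [(neighbour, control_or_None)]

    def connect(self, a, b, control=None):
        self.links[a].append((b, control))
        self.links[b].append((a, control))

    def paths(self, src, dst, seen=frozenset(), controls=()):
        """Yield, for every simple path from src to dst, the tuple of controls crossed."""
        seen = seen | {src}
        if src == dst:
            yield controls
            return
        for nxt, ctrl in self.links[src]:
            if nxt not in seen:
                yield from self.paths(nxt, dst, seen, controls + ((ctrl,) if ctrl else ()))

def weak_paths(net, untrusted, devices, min_layers=2):
    """Map each device to the control tuples of paths from an untrusted zone that
    cross fewer than min_layers distinct controls (the Bastion-model exposures)."""
    weak = defaultdict(list)
    for u in untrusted:
        for d in devices:
            for ctrls in net.paths(u, d):
                if len(set(ctrls)) < min_layers:
                    weak[d].append(ctrls)
    return dict(weak)

def build_sample():
    """Constructed topology: perimeter firewalls, one protected PLC, one bare PLC,
    a dual-homed historian, and a remote-support modem straight into the PCN."""
    net = Network()
    net.connect("internet", "corp", "corp_firewall")
    net.connect("corp", "pcn", "pcn_firewall")        # primary control system firewall
    net.connect("pcn", "plc_a", "appliance_a")        # device-level security appliance
    net.connect("pcn", "plc_b")                       # PLC with no local protection
    net.connect("corp", "historian")                  # dual-homed server, a NIC on each side
    net.connect("historian", "pcn")
    net.connect("phone_net", "pcn")                   # dial-up modem bypassing the perimeter
    return net

def sample_findings():
    return weak_paths(build_sample(), ["internet", "phone_net"], ["plc_a", "plc_b"])

if __name__ == "__main__":
    for dev, paths in sample_findings().items():
        for p in paths:
            print(f"{dev}: only {len(set(p))} layer(s) on a path crossing {list(p) or 'nothing'}")
```

Removing the historian’s second link or the modem, or putting an appliance in front of plc_b, empties the corresponding findings, which is the check a defender would rerun after each change to the segmentation design.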

Finally and metaphorically, recall that: “The Maginot Line did not fail France, but the ‘Maginot mentality’ did cause her defeat.”

Industrial security designs that assume all evil traffic will flow through a single choke point are succumbing to the same dangerous set of beliefs. Depending on a single firewall is building a security solution based on a single point of security failure.

Only a proper defense-in-depth design where the control devices and systems are hardened, both individually and collectively, can provide reliable security for the plant floor.

ABOUT THE AUTHOR

Eric Byres ([email protected]) is the CEO of Byres Security, a registered P.Eng., and a senior member of ISA. He is a member of ISA-SP99: Manufacturing and Control Systems Security. He founded the Critical Infrastructure Research Center at the British Columbia Institute of Technology.

View the online version at www.isa.org/intech/20070306.
