Process Control Protection Mechanisms

Internet Draft                                              James Cupps
Document: draft-cupps-control-protecmech-00.txt
Expires: October 2002

Status of this Memo

This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC 2026.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

Abstract

This document provides mechanisms and details on ways to protect IP-connected process control devices in a manufacturing facility. The proliferation of IP-connected process control systems has resulted in significant savings and efficiency gains in many manufacturing organizations. The added safety risks and security vulnerabilities must be addressed. This document sets out definitions and useful logical tools for protecting these systems.

Overview

Connecting manufacturing control systems to site and company local and wide area networks via Internet Protocol (IP) is a growing trend in the manufacturing industry. It has provided manufacturers with an unprecedented ability to control, monitor, troubleshoot and optimize internal manufacturing facilities. It has also exposed companies to a significant security and safety threat.

Situation Analysis

With IP-connected control systems it is possible to easily gain access to these systems and to the associated information proprietary to a company's processes. If improperly applied, there is significant potential for an unauthorized individual to remotely gain control of physical equipment. This presents a safety threat in that equipment could be operated outside its intended parameters and times. The misuse of this equipment could be intentional or unintentional. There is indication that these vulnerabilities may exist in all manufacturing organizations. The issues involved in the implementation of these systems should be addressed rapidly worldwide.

Technical Details and Description of Threat

Manufacturing companies currently use several products that should be reviewed. PLC systems provide actual control and feedback information on mill equipment. Systems from many common vendors have similar security issues. The following is a technical summary of the potential security vulnerabilities of IP-connected process control devices:

Accessibility - The addition of Transmission Control Protocol/Internet Protocol (TCP/IP) to the control devices means that they can be accessed from any TCP/IP network connected to a company network. Most manufacturing organizations have access via the Internet as well as direct dial-in facilities. Because of this, the potential exists for anyone in the world to gain access to these control functions. Edge protections (firewalls, Network Address Translation [NAT] and dial-in authentication) provide some level of protection from the open Internet. These edge protections often do not exist between sites or regions within a company.

Default Settings - The default settings of these control systems are designed to ease implementation. TCP access is to specific ports depending on the vendor. Connection to these ports is often possible without authentication by default. A data tag specific to the type of controller is required to establish an exchange of information. These data tags are usually in clear text and are available in the technical documentation provided by the vendor.

Communication Mechanisms - One common way sessions are initiated is by ICMP ping. The responding server then identifies itself and provides information relating to its function. This means that it is possible to rapidly identify all available services by pinging the network address of the subnet that the device is on.

Findings and Recommendations

There is a significant, legitimate risk to manufacturing facilities from IP-connected control systems. These risks can be successfully mitigated by careful design and periodic review. At-risk systems can be divided into three groups.

Direct Control Systems - Systems and devices that directly control functions in the physical world, such as variable speed motors, on/off switches, etc. (i.e. Ethernet I/O, variable speed drives, smart sensors, etc.)

Indirect Control Systems and metadata manipulation - Systems that process and route information that is used as input to Direct Control Systems (i.e. programming terminals, data acquisition, high level supervisory control, etc.)

Business Integration Systems - Systems that receive data from Direct and Indirect Control Systems and process it to make it available to business systems.

Direct Control Systems were determined to pose the greatest safety and financial risk for several reasons. IP-connected Direct Control Systems rarely (almost never) have integrated access control mechanisms; instead they typically rely upon proprietary communication protocols to limit the possibility of access. This is ineffective because communication on an IP network is not limited to specific devices, and by definition it is possible for any system to send data to and from any port if properly configured. There are tools (called fuzzers) designed to do this randomly in attempts to gain illegitimate access to systems. Direct Control Systems provide control or feedback of physical equipment. This means that if they are triggered at inappropriate times there is a physical risk to personnel and a possibility of interrupting production, resulting in significant safety and financial risk.

Indirect Control Systems are the second most significant risk. They typically have the ability to authenticate users, but this capability is not always activated. There is a cost associated with restricting access to their control and information capabilities because the vendors often provide the security integration mechanisms as a separate product. The primary risk on these systems is intentional or unintentional changes to the data they coordinate. Another risk of these systems is a denial of service scenario in which, for some reason, the device becomes unavailable.

Business Integration Systems pose the least significant risk and have roughly the same security requirements and concerns as other business systems. They should be viewed no differently than other important business systems.

Recommendations

Where possible, authentication mechanisms should be used to control access to Process Control Network (PCN) equipment and software.

Manufacturers should develop layer 3+ filtering and logging on the WAN and on each site's LAN (specifically the PCN). There are significant design requirements associated with this recommendation, and other mechanisms could be used to mitigate the same risks.

A standardized documentation method should be used, at least at the site level if not at the corporate level. This documentation should be available for audit.

Guidelines

It is essential that the ability to implement these designs and guidelines be provided to all sites in one way or another. Funding and/or time need to be made available to allow this effort to succeed. The Process Control Networks should be developed with multiple layers:

1. One layer that has no inherent routing capabilities (or tightly filtered routing) for Direct Control Systems.

2. One layer with tightly controlled routing for metadata used by PCN devices for Indirect Control Systems.

3. Finally, the open layer where normal business systems interact with the PCN network, with lightly controlled access and logging.

Firewalls and other layer 3+ filtering mechanisms should be used to facilitate these recommendations.

The protection of process control networks within manufacturing organizations should be given the same priority as the protection of high value financial networks within financial organizations (perhaps more, considering the safety issues).

Conclusion

The potential risks to personnel and companies make it essential that these issues be addressed within an organization on a continuing basis. Continuing review of designs and equipment must be maintained to ensure that risks are mitigated. Network-connected control systems provide significant material and financial opportunities to all manufacturing companies, and their proper implementation should be strongly supported. The nature of networked equipment means that it can never be completely protected, but risks can be significantly reduced with proper diligence.

Comments to:

James B Cupps
Senior Network Security Engineer
SFPNA SPP
james.cupps@na.sappi.com
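As a worked illustration of the three-layer Guidelines and the layer 3+ filtering and logging recommendation, the following added Python example (not part of the draft) evaluates flows from constructed firewall log lines against a policy that mirrors the three layers, and flags ICMP probes of the direct-control layer; the subnets, the allowlisted port and the log format are all assumptions.

```python
import ipaddress
import re

ZONES = {  # constructed subnets for the draft's three layers (assumed values)
    "direct": ipaddress.ip_network("10.10.1.0/24"),    # Direct Control Systems
    "indirect": ipaddress.ip_network("10.10.2.0/24"),  # Indirect Control Systems
    "business": ipaddress.ip_network("10.20.0.0/16"),  # Business Integration Systems
}
BUSINESS_TO_INDIRECT_PORTS = {5020}  # hypothetical allowlisted TCP port

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in ZONES.items() if addr in net), "external")

def evaluate(src, dst, proto, dport):
    s, d = zone_of(src), zone_of(dst)
    if d == "direct":  # layer 1: no routing in, except from the indirect layer
        return ("allow", "indirect->direct") if s == "indirect" else ("deny", f"{s}->direct not routed")
    if d == "indirect":  # layer 2: tightly controlled routing
        if s in ("direct", "indirect"):
            return "allow", f"{s}->indirect"
        if s == "business" and proto == "tcp" and dport in BUSINESS_TO_INDIRECT_PORTS:
            return "allow-log", f"business->indirect tcp/{dport} allowlisted"
        return "deny", f"{s}->indirect not allowlisted"
    if d == "business":  # layer 3: lightly controlled, but every PCN flow is logged
        return "allow-log", f"{s}->business"
    return "deny", f"{s}->{d} leaves the PCN"  # PCN devices have no reason to go outside

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+)(?: dport=(\d+))?")

def audit(lines):
    # Apply the policy to each log line; a denied ICMP toward layer 1 is a probe indicator
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, proto, dport = m.groups()
        verdict, reason = evaluate(src, dst, proto, int(dport) if dport else None)
        if proto == "icmp" and zone_of(dst) == "direct" and verdict == "deny":
            reason = "possible ping sweep of direct layer; " + reason
        findings.append((src, dst, verdict, reason))
    return findings

SAMPLE_LOG = [  # constructed log lines in a simple key=value format
    "src=10.10.2.5 dst=10.10.1.7 proto=tcp dport=5000",  # programming terminal -> controller
    "src=10.20.3.9 dst=10.10.1.7 proto=icmp",            # business host pings a controller
    "src=10.20.3.9 dst=10.10.2.5 proto=tcp dport=5020",  # allowlisted data pull
    "src=192.0.2.44 dst=10.10.2.5 proto=tcp dport=23",   # external host reaches for layer 2
    "src=10.10.1.7 dst=10.20.3.9 proto=tcp dport=80",    # controller -> business, logged
]
```

Running `audit(SAMPLE_LOG)` yields one (src, dst, verdict, reason) tuple per line, so the same function can be pointed at an exported firewall log during the periodic reviews the draft calls for.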