Tuesday, November 22, 2011

SCADA Security in the Cloud - common sense design considerations

Inductive Automation just released this white paper on Cloud Computing and SCADA and hosted an informative webinar on the topic. I wanted to offer my perspective on a few good design practices, viewed through a security prism.

How to plan for the cloud with security in mind
- Consider the tenet of "local control". This may or may not translate to "isolated network". It's better not to think about implementation at this point. The question is, "from where do I want to allow my operators to control equipment?"

- Decide what it is that you need to access from anywhere. This is a business decision, not a technical decision.

- In terms of your security planning, cloud hosting is basically the same as making your application accessible via the Internet. Do not confuse this with "public". Both approaches can provide worldwide access. Both can be secured with SSL/TLS and/or even require VPN connectivity. Keep the implications of a "worst case" compromise in the back of your mind.

- "The Cloud" is probably more robust than your server. The gold star for Availability more likely goes to the cloud. You aren't taxing your own bandwidth or storage resources, and you can pay more to scale on an as-needed basis. The white paper refers to this as leveraging or outsourcing IT costs. This is a good thing.

- Consider separating your Internet or Cloud services from the rest of your network, including control, business, public web, etc. I am not a fan of your cloud server being able to reach out to your PLC. Why would you do that except in the case of deliberate cloud-based control, which is generally not recommended? It's just as easy to have your internal control system write data out to your online (Internet or Cloud) database. You might even log data to a local database and then replicate that online. Control the flow of your communication!

Example
The point is, think about your security architecture requirements from a simple perspective. Don't worry about how you will implement it. For example, your thought process might go like this: I want to be able to change setpoints from anywhere within the control network of my 3 sites, and I even need a secure way of doing this remotely. If the network goes down, local operators need to be able to control the system without missing a beat. QA needs to examine our real-time process in detail, and management wants to be able to access production reports from anywhere. As you work through this you'll inevitably realize that QA and management systems don't need a path to the PLC - that's the Principle of Least Privilege (PoLP) in action! Keep on defining requirements! Availability really matters at the operator terminals, but not for control between sites - so we don't need redundancy there. Maybe QA has regulatory requirements demanding strict Integrity (prevention of unauthorized data modification). Do we care if the management reports get out? Maybe a lot, maybe not at all. If so, we'll want to protect the confidentiality of that system. Notice that I'm focusing on the what and not the how?

Get the idea? Now we have our business requirements, driven by operators, management, and our process. Notice that we didn't even consider technical limitations or implementation details? Now it's time to come up with a tech plan: get with IT and let them know what our objectives are.

Your solution may be a complex multi-part system with firewalls, intrusion detection systems (IDS), VPNs, local systems and online ones. It could also be really simple.
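The "control the flow" and least-privilege points above, as an added illustration that is not from the original post or from Inductive Automation: the zone names and flows are assumptions modelled on the three-site example, and the check is plain graph reachability over who may initiate a connection to whom.

```python
from collections import deque

# Constructed example: the requirements from the post as directed flows.
# A flow (A, B) means zone A may INITIATE a connection to zone B. Data can
# move either way over that connection, but only A may open it.
REQUIRED_FLOWS = {
    ("operator_hmi", "plc"),            # local control, works with WAN down
    ("site_vpn_peer", "operator_hmi"),  # remote setpoint changes, via VPN
    ("historian_local", "plc"),         # log process data locally first
    ("historian_local", "cloud_db"),    # replicate outward; control side initiates
    ("qa_client", "cloud_db"),          # QA examines replicated process data
    ("mgmt_client", "cloud_db"),        # management pulls production reports
}

# Zones whose job actually requires a path to the PLC (assumption).
ALLOWED_TO_COMMAND = frozenset({"operator_hmi", "site_vpn_peer", "historian_local"})

# The shortcut the post argues against: the cloud host reaching into the PLC.
BAD_SHORTCUT = ("cloud_db", "plc")


def reachable(flows, start):
    """Every zone `start` can reach by initiating connections, following the
    directed flows transitively (breadth-first search)."""
    seen, queue = set(), deque([start])
    while queue:
        src = queue.popleft()
        for a, b in flows:
            if a == src and b not in seen:
                seen.add(b)
                queue.append(b)
    return seen


def least_privilege_violations(flows, asset="plc", allowed=ALLOWED_TO_COMMAND):
    """Zones that have some directed path to `asset` without being on the
    allow list. An empty list means the design honours least privilege for
    that asset, even via intermediaries."""
    zones = {z for flow in flows for z in flow} - {asset}
    return sorted(z for z in zones - allowed if asset in reachable(flows, z))


if __name__ == "__main__":
    print("as designed:", least_privilege_violations(REQUIRED_FLOWS))  # []
    print("with shortcut:", least_privilege_violations(REQUIRED_FLOWS | {BAD_SHORTCUT}))
    # ['cloud_db', 'mgmt_client', 'qa_client']: one convenience edge gives
    # every Internet-facing reader a route to the controller.
```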

Closing Advice
  1. First consider your business/operational requirements in the absence of naysayers who are thinking about implementation/security details.
  2. Keep security in mind as part of your requirements. This can be done without extreme paranoia.
  3. Involve IT early in the design phase. Once you provide the "what", they should be able to help you out with the "how".
  4. Don't forget about upgrades/updates, backups, and other ongoing support requirements.
  5. Follow the good practices that you already know. Use strong passwords, update your systems, etc.
  6. Read this white paper.

On water hacking

There is a lot of ongoing publicity revolving around the recent attacks on water district SCADA systems. These cases were trivial to carry out because of gaping, easily solvable vulnerabilities. Industrial controls folk need to take it upon themselves, as professionals practicing due care, to step it up. It isn't difficult to adopt good security practices. This isn't much different from the transition business users had to make in going from single-user systems (think DOS and Windows 3.x) to networked systems. In this case, the technology already exists.

It was interesting to note that an August presentation at the Black Hat conference mentioned water attacks. Coincidence? Not likely. If you work in Industrial Automation you likely know of much more vulnerable and potentially dangerous targets. Let's fix this before a tragic event, and the regulation that would follow, requires it.

News: CNET
Forum discussion, at IA, and at PLCTalk.
Blog posts: Tofino II, SCADAHacker

Disclaimer - this post is not affiliated with the Water Hackathon event. The author thought it was funny.

Wednesday, October 5, 2011

Ignition awarded prestigious Oracle Duke's Choice Award

Inductive Automation received one of the 10 annual Duke's Choice Awards from Oracle for Ignition, as an innovative use of Java technology. Congratulations!!! Press release announcement.

Thursday, September 15, 2011

Ignition 7.3 Beta available

Ignition 7.3 represents a major version increase for the Vision module and many significant changes for the others. If you've never beta tested Inductive Automation software you'll have to request access to the beta forum here. I must say, it's fun to play with the new vector drawing capabilities.
  • Drawing tools added for vector graphics.
  • Zooming in the Designer.
  • Better grouping support for components and shapes.
  • New Symbol Factory module.
  • More efficient serialization format for windows.
  • Better color-choosing UI.
  • Internationalization in Gateway/Designer.
  • New compression algorithm for analog SQLHistorian tags.
  • New ability for SQLHistorian to create preprocessed history tables for better query performance over long time spans.
  • New query cache in the client to avoid unnecessary repeated querying of the same time span.
  • Data density histogram on the Easy Chart for SQLHistorian pens.
  • Improved memory usage for SQLTags in the Gateway.
  • Automatic SQLTag creation when dragging and dropping OPC items.
  • Improved performance and scan class settings for SQLTags (one-shot, triggered on-change, subscribed vs polled).
  • Improved memory usage for ControlLogix driver.
  • Improved performance and stability for all drivers.
  • Improved installer allows choosing individual modules on install and upgrade.
  • New graphical and command-line installer for Linux.
  • Ignition installation directory structure changed.

Wednesday, September 7, 2011

Ignition security advisory

An independent researcher from Reverse Mode disclosed a vulnerability in Ignition from Inductive Automation. Fixes are implemented in version 7.2.8.178 and above. The finding and fix were published by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The fix: install the latest version of Ignition.

It's a good idea for software companies to be transparent about releasing and fixing their vulnerabilities. Remember to keep up to date with the latest version of your software! 

Friday, September 2, 2011

Interesting article - #1 ICS and SCADA Security Myth: Protection by Air Gap

Eric Byres of Tofino Security (they do SCADA security research and sell a security appliance) discusses the practice of relying on air-gapping control networks for security. In a nutshell, a modern control network is unlikely to remain physically separated. Even if it is, malware can be introduced via removable media, the system is hard to keep updated, and it remains vulnerable to local (insider) attacks.

A system should be designed with security in mind and kept up to date. 

http://www.tofinosecurity.com/blog/1-ics-and-scada-security-myth-protection-air-gap

Interesting article - The Ultimate HMI

This Control Global article, The Ultimate HMI, provides interesting tips about HMI screen creation. I especially like the comments and examples of the best visual status indications, which combine text, shape, and color.