white paper on industrial automation security in fieldbus and

More documents

Recommendations

Info

12Information needs to be available if requested.Denials of Service attacks for instance areattacks against the availability of information.Especially in industrial automation systems it iscrucial that the machines are working and thatinformation can be retrieved from them.Availability can be achieved by creating robustsystems with multiple layers of redundancy.Protection against Denial of Service attacks haveto be put into place.Integrity refers to protecting information againstunauthorized modification. It is necessary to beable to detect if the given information isqualitatively valuable or not. If an attacker isable to alter information this represents animportant threat which can be, depending on thecase, even worse than deletion of information.Integrity therefore guarantees that if theinformation has been altered, then this can bedetected. Different approaches can achieveintegrity, depending on the need. A simple hashfunction can be used to calculate the hash overinformation. In other cases asymmetriccryptography might be employed in order to signdata with a private key. In both cases thelegitimate receiver will have the certainty thatthe information has or has not been alteredduring transit.Confidentiality means that information shouldbe protected against unauthorized access. Thiscan for instance be achieved by encrypting theinformation. An attacker who is able to receivethe encrypted information is not able to disclosethe content of the information (if properlyencrypted and the secret keys are kept secret).Therefore the confidentiality is guaranteed.A further concept which could be added to theCIA triad is called accountability. The intentionof accountability is to be able to attribute a givenaction to a known actor. Furthermore, it mightbe necessary to know the time and activityperformed by the actor.2.1 Attacks and scenariosConcerning industrial automation systems,essentially two types of attacks seem to be themost important: Information leaking attacks andtampering attacks. First, information leaking canhave an important impact on advantages forcompetitors and may also affect the trust of thecustomers. Second, tampering can directly affecta customer and therefore represents an equallycritical threat. If an attacker is able tosuccessfully alter an industrial automationsystem, the consequences will inevitably damagethe manufacturer. Sections 3.2 and 4.1 of this<strong>white</strong><strong>paper</strong> will explain the detailedconsequences.2.2 Security programUnless a security program already exists in anorganization, it is of high importance that one isestablished. A security program commonlydefines the objectives, policies, and guidelinesregarding information security, and is alsoconcerned with the practices used to analyze,implement, and maintain security in anorganization and its systems. The securityprogram should concern IT systems, industrialcontrol systems, as well as the links betweenthese two.The security objectives, policies, and guidelinesare important tools for employees and partnercompanies for understanding why informationsecurity is important and how security isachieved in the organization. By helping peopleto understand their role in creating informationsecurity, it is easier for them to act securely intheir daily tasks.A crucial aspect of the security program is thecontinuous assessment of threats and risks,prevention and countermeasures, and constantmonitoring and improvement. The securityprogram must be viewed as a continuous process
13which maintains the information security in theorganization at the required level.In the field of industrial systems, the IEC 62443standard presents terminology, models, andguidelines for establishing a security program.3 Security in communicationbetween devicesThis section of the <strong>white</strong> <strong>paper</strong> describessecurity issues in the communication betweendevices, e.g. SCADA to PLC or field device,PLC to field device, or between field devices.3.1 Purpose of communicationCommunication between devices in an industrialcontrol system enables real-time monitoring andcontrol of the target system and devices.Additionally, auxiliary functions such asparameterization and configuration, assetmanagement, and potentially firmwareupgrading may take place in the communication.Higher level systems such as SCADA can beconsidered to have more of a “coordinating” role,acquiring data from the PLC and field devicelevel and utilizing this information to supervise,control and optimize the overall functionality ofthe system. Basic, non-real-time controlexecuted by the SCADA might include changingor overriding setpoint values. Acquired data isoften illustrated in a graphical user interface.When discussing communication protocols andlinks, the OSI reference model is commonlyused to represent the layers of abstractionprovided by different protocols. The figurebelow illustrates the OSI model, in which acommunication relationship between devices Aand B is viewed as consisting of multiple layers.The application layer on top has the highest levelof abstraction, providing functionality which isrelated to the main functionality of the device.It is interesting to note that in the OSI model,which was introduced in the late 1970s and early1980s, no layer explicitly considers the need forany security. Although this can be (and is)implemented inside layers in different protocols,the below illustration as commonly presenteddoes not detail the need for security functionality.If, in some systems, intermittent layers do notaddress security specifically, then thiscommonly has to be implemented in theapplication layer.Figure 2 The OSI seven-layer reference model.
Page 1 and 2: 1WHITE PAPER ON INDUSTRIAL AUTOMATI
Page 3 and 4: 3Table of Contents1 Introduction an
Page 5: 55.1.3 Bluetooth...................
Page 8 and 9: 8professional attackers are able to
Page 10 and 11: 10Table 1. A list of published IEC
Page 14 and 15: 14Depending on the communication li
Page 16 and 17: 16observed with the purpose of reve
Page 18 and 19: 18Table 2. An overview of a few fie
Page 20 and 21: 20When the bus system starts, maste
Page 22 and 23: 22As with e.g. Modbus RTU, an intru
Page 24 and 25: 24malicious activity. The Physical
Page 26 and 27: 26filtering is another barrier for
Page 28 and 29: 28Table 4. An overview of a few ind
Page 30 and 31: 303.4.7.3 EtherCATEtherCAT is a rea
Page 32 and 33: 32devices should be assessed, prefe
Page 34 and 35: 344.4 Embedded devices withgeneral-
Page 36 and 37: 36not intended for the end-user sha
Page 38 and 39: 385 Security in wirelesscommunicati
Page 40 and 41: 40possibilities for a device sniffi
Page 42 and 43: 427 References[1] F-Secure Corporat

white paper on industrial automation security in fieldbus and

Create successful ePaper yourself

Delete template?

Save as template?