white paper on industrial automation security in fieldbus and

More documents

Recommendations

Info

303.4.7.3 EtherCATEtherCAT is a real-time Ethernet-based protocolin which the Ethernet frame moves similar to atrain along rails from the master, through allslave devices and back to the master devicewithout stopping. Slave devices process theEthernet frame “on-the-fly”, causing only a tinydelay in each slave device. Devices take datafrom and put data to different sections of theEtherCAT frame, depending on how theEtherCAT master has configured the slaves atstartup. The “on-the-fly” processing requires aspecialized hardware in the slave devices, whilethe master implementation can utilize virtuallyany Ethernet network interface such as PCnetworking cards. As a result, compromisedslaves could spoof at least data in the parts of theEtherCAT frame which they are configured toprocess. A compromised master, or one which isthe subject of a man-in-the-middle attack, couldresult in spoofed data and altered configurationof the slaves.Depending on the implementation, theEtherCAT master can be configured to checkvarious aspects of the slave device, e.g. vendorID, product code, revision numbers and serialnumber at startup. These features are commonlyoptional and can be disabled.EtherCAT supports different subprotocols whichare tunneled in EtherCAT frames; examples ofsuch are CAN-over-EtherCAT (CoE) andEthernet-over-EtherCAT (EoE). The CoEprotocol is an integral part of EtherCAT and isused to identify, configure and control the slaves.The EoE protocol is optional and allows non-EtherCAT devices to be added to the systemusing switchports, which “de-tunnel” theEthernet frames from the EtherCAT frames. It ispossible to tunnel Ethernet frames through themaster PLC if such a feature is implemented andenabled.Logging of the EtherCAT traffic may bepossible in case there is a switch in the networkwhich is configured to forward messages to anunused port. If the switch is not a real-timeswitch, the real-time attributes of the EtherCATcommunication may not be evident from the log.It may also be possible to log the EtherCATcommunication via the EtherCAT master, whichmay e.g. be PC-based running Windows.The EtherCAT protocol diagnoses the networkand provides indications regarding e.g. networkor slave problems. Additionally, the protocolsupports redundancy such that if the network isconstructed like a ring, a broken or disconnectedcable or node somewhere in the ring does notprevent the operation of other nodes.Furthermore, EtherCAT features timesynchronization between master and slaves.It is possible that an intruding device whichgains access to the network transmits messagesinto the network, which easily disrupts theEtherCAT communication. This will interferewith both control and monitoring of the processand equipment, as data exchange is hindered andfurthermore time synchronization-dependentfunctionality is disrupted.3.4.7.4 EtherNet/IPEtherNet/IP is an Ethernet-based protocol whichimplements the Common Industrial Protocol(CIP) which is also used in DeviceNet.EtherNet/IP uses the UDP and TCP protocols forcommunication. EtherNet/IP follows the masterslaveand peer-to-peer communication models ascommon in other protocols.The EtherNet/IP protocol presents the same“Identity” object as DeviceNet, thus thisinformation can be used for detection and studyof EtherNet/IP devices. An EtherNet/IP mastermay check the information of a device, e.g.vendor ID and product ID, in order toauthenticate the device. Another similarity to
31DeviceNet is the heartbeat mechanism by whichthe network device states are monitored.EtherNet/IP devices are subject to the genericthreats which face essentially all Ethernet-baseddevices, e.g. espionage by logging of thenetwork communication, denial-of-serviceattacks, potential man-in-the-middle attacks, orattacks on a specific layer in the OSI model.3.5 Recommendations forenhancing securityA large number of recommendations forenhancing the security in communicationsbetween devices can be identified, but it is notpractical nor is it the purpose of this document toexhaustively list these. It must be rememberedthat no system is 100 % secure so that it couldnot be broken, given enough resources, time andmotivation; this also holds true forcommunication networks in industrial controlsystems. The set of feasible improvements tothis kind of security depends largely on theindividual characteristics of a system, and themodeled threats, tolerated risk and derivedpriority for addressing vulnerabilities shall guidethe implementation of security improvements.Physical security can be considered of keyimportance concerning access to thecommunication networks, especially in the caseof traditional fieldbuses, in which physicalaccess to the bus is necessary for maliciousbehavior. This is an important aspect also forEthernet-based networks, although attentionmust be paid in these networks also to remoteaccess. In terms of the security at the plant, oneitem to consider includes the cabling of the bus;the possibilities for an intruder to trace thecabling and document the system could bereduced. Also, locking devices inside cabinets orelectrical rooms discloses fewer clues about theiruse, connections and configurations, comparedto devices which are not enclosed. The accessrights to physical locations in which criticalsystems are operating should be assessed and, ifdeemed necessary based on vulnerability andtolerated risk, restricted appropriately. It is alsopossible to implement critical communicationlinks using optical fiber, which are not easilyintercepted.Unused Ethernet ports in e.g. network equipment(switches, hubs) or in field devices (withintegrated switch functionality) can be protectedfrom unauthorized use e.g. with plug guards,which are physically plugged into the port. Theplug guard requires a key to be removed, thuspreventing anyone not possessing the key fromconnecting to the network.Functionality which is password-protected couldattempt to ensure that the factory-defaultpassword is changed to some other password.More importantly, such password-protectionshould require that the selected password fulfillscertain requirements regarding strength, such asrequiring a mix of letters, numbers and specialcharacters, and having a minimum length of e.g.six or eight characters.Care should be taken to improve security also atthe lowest layers in the OSI model. As anexample, if the data link layer is compromisedfor instance by a falsified source address ortampered data, the layers above in the OSImodel are also affected although they might notbe aware of the situation.When selecting communication protocols for theprocess control network, but also e.g. for remoteconnections, attention should be paid to thesecurity features which are provided by theprotocols. As examples can be mentioned thestrength of encryption or the protection againstreplay attacks using sequence numbering and theease of circumventing these mechanisms. Also,when procuring equipment for networks, thesecurity functionality offered by different
Page 1 and 2: 1WHITE PAPER ON INDUSTRIAL AUTOMATI
Page 3 and 4: 3Table of Contents1 Introduction an
Page 5: 55.1.3 Bluetooth...................
Page 8 and 9: 8professional attackers are able to
Page 10 and 11: 10Table 1. A list of published IEC
Page 12 and 13: 12Information needs to be available
Page 14 and 15: 14Depending on the communication li
Page 16 and 17: 16observed with the purpose of reve
Page 18 and 19: 18Table 2. An overview of a few fie
Page 20 and 21: 20When the bus system starts, maste
Page 22 and 23: 22As with e.g. Modbus RTU, an intru
Page 24 and 25: 24malicious activity. The Physical
Page 26 and 27: 26filtering is another barrier for
Page 28 and 29: 28Table 4. An overview of a few ind
Page 32 and 33: 32devices should be assessed, prefe
Page 34 and 35: 344.4 Embedded devices withgeneral-
Page 36 and 37: 36not intended for the end-user sha
Page 38 and 39: 385 Security in wirelesscommunicati
Page 40 and 41: 40possibilities for a device sniffi
Page 42 and 43: 427 References[1] F-Secure Corporat

white paper on industrial automation security in fieldbus and

Create successful ePaper yourself

Delete template?

Save as template?