Process Control Network Security

More documents

Recommendations

Info

environment more than 10 years ago and were not changed or patched unlessthere was a specific need from the production environment to do so. This isbecause PCNs can be considered to be mission critical and high availabilitysystems. Making updates to these systems might result in a direct loss ofproduction when systems need to be taken offline, or worse, if updates areinsufficiently tested and result in failures. Therefore, the statement “don’t fix it ifit ain’t broken” is often applied for PCNs.In the office IT environment, penetration testing is a regular method to identifyvulnerabilities in the IT infrastructure. However, this is not common and evendangerous for PCNs. The result of performing security testing on these systemsmight lead to unpredictable results in the process control systems. An examplewas given in footnote 1 at page 17. The risk for loss of production is most oftenunacceptable [NISC09].5.3.5 PCN root-cause overviewIn this section, all previously identified risks and issues in this thesis have beencategorized and summarized. We were able to cluster these risks into 8 mainroot-cause categories. We will describe these 8 categories in the nextsubsections.We will make use of the STRIDE model as introduced in Section 2.4 to identifypossible threats. Based upon these threats controls will be selected in Section 6.4titled “Frameworks used for evaluation in this thesis”.5.3.5.1 Unsupported systemsThe first category of root-causes for PCNs is related to the fact that most PCNsare unsupported systems. Because these systems were not designed to meettoday’s demands, this causes problems. There is not much which can be doneabout the fact that PCNs are often unsupported systems. It is important,however, to realize that these systems are limited in their use and must behandled with care. For the lifetime of the implemented PCNs, these properties ofPCNs have to be taken into account when considering security robustness or theability to audit these systems.Process Control Network Security Page 24
The list below presents examples of issues already identified in the previouschapters and related to this root-cause category. The associated STRIDE threatcategories are indicated for each issue:SpoofingidentityTamperingwith dataRepudiationInformationdisclosureDenialofserviceElevationofprivilege• Systems whichhave been inoperation formany years arehard to secure[NIST09]• Old systemsare often notdesigned to besecure in thefirst place[NIST09]Performing auditson live PCNs byinteracting with itmay be dangerous,because thesesystems were notdesigned torespond to(automated) scansand may act onthese scans inunpredictable ways[DUG05]X X X X X XXTable 3 - Unsupported systems and STRIDE threats5.3.5.2 Increased interconnectivityThe second category of root-causes for PCNs is related to the increase inconnectivity to PCNs (refer to Section 3.4). The PCNs are interconnected, orconnected to the office network, the Internet or wireless access points forexample. This increased connectivity results in increased access to the PCNs,which increases risks for unauthorized access to these production networks. Thisis why it is important to restrict traffic between office IT systems and the PCN andassociated systems. Only those systems or people who need access from abusiness perspective should be allowed to communicate to specific anddocumented components within the PCN. Similar filtering rules and firewalls suchas implemented for mature office IT environments may also be appropriate forthis category.Process Control Network Security Page 25
Page 1 and 2: Process Control Network SecurityCom
Page 3 and 4: Table of ContentsPreface ..........
Page 5 and 6: 1 Introduction1.1 IntroductionFor t
Page 7 and 8: 2 Research ApproachThis chapter wil
Page 9 and 10: The relationship between CIA and ST
Page 11 and 12: The picture below shows some typica
Page 13 and 14: 3.4 Communication Topology (past vs
Page 15 and 16: 4 PCNs vs. Office IT4.1 Introductio
Page 17 and 18: The differences mentioned above and
Page 19 and 20: As a result, access controls design
Page 21 and 22: - unpatched machines within the PCN
Page 23: In addition, the scale on which cyb
Page 27 and 28: SpoofingidentityTamperingwith dataR
Page 30 and 31: SpoofingidentityTamperingwith dataR
Page 32 and 33: does hardly take place. Unauthorize
Page 34 and 35: The US department for Homeland Secu
Page 36 and 37: • Inadequate logical access restr
Page 38 and 39: functionality. These firewalls shou
Page 40 and 41: NIST 800-53 control AC-2 describes
Page 42 and 43: 1 Unsupported systemsThe following
Page 44 and 45: CategoryControlIncreasedinterconnec
Page 46 and 47: CategoryControlcomponents.4.5 In si
Page 48 and 49: 2 Increased interconnectivity (e.g.
Page 50 and 51: 9 ReflectionDuring the writing of t
Page 52 and 53: [GIA09][GOOD08][ITIL09][MCA09][MS09
Page 54 and 55: [TEN09][THER01]SCADA plugins for Ne
Page 56 and 57: I.2.1.4 SummaryThe table below summ
Page 58 and 59: Shared resourcesinsufficientlyaddre
Page 60 and 61: where it is stored. If an unauthori
Page 62 and 63: Replay attacks:A replay attack is a
Page 64 and 65: TCP/IP:The TCP/IP model is a descri

Process Control Network Security

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?