Utilities - securing the automation network
13 September 2011
CEE looks at how one utility company has ensured security of its SCADA control networks.
In 2006, the global water industry was made aware of the need to ensure system security, following the conviction of a hacker who seized control of a water treatment facility’s SCADA system in Australia. This security breach resulted in the dumping of millions of gallons of raw sewage onto a resort hotel’s grounds for a period of three months.
It made water providers realise that many industrial controls would benefit from Virtual Private Network (VPN) connectivity and diverse firewalls behind the front-office firewalls. United Water, for example, made the decision to secure the industrial control networks of its extensive network infrastructure.
The company operates and manages water and waste water systems that serve about 7 million people across the USA. They are a subsidiary of SUEZ ENVIRONNEMENT, a global environmental services company that supplies drinking water to 90 million people and provides wastewater treatment services for 58 million people around the world.
United Water supports over 300 remote field sites company-wide. Traditionally, it used a variety of methods to connect to its remote sites, including modems, leased lines, dry pairs, and licensed radio.
In 2009, the company began to proactively plan to increase the security of its SCADA control networks. The systems engineering group, corporate IT department and an outside consulting firm were involved in the project and the security product evaluations.
Initially, a leading IT network solution was considered, as this path reflected the corporate office network standard. But there were other considerations. Keith Kolkebeck, systems engineering project manager for United Water, explains: “We needed an industrial solution, particularly for our remote sites. We needed a solution that was easy to configure, powered by 24 VDC, met our IT security standards, and could hold up to years of operation in a harsh environment. In the past, we had mixed results using office network-grade products that were expensive, required special skills to configure, and failed frequently.”
Early in 2010, United Water was introduced to mGuard industrial network security devices from Phoenix Contact, created and developed by its subsidiary Innominate Security Technologies. The system includes small, industrial-rated modules that incorporate router, firewall, encrypted VPN tunnels, filtering of incoming and outgoing connectivity, authentication and other functions to provide layers of distributed “defense-in-depth,” economically and without disturbing production.
The devices are available in various industrial-rated designs: for DIN-rail mounting, for 19in rack mounting in cabinets, as PCI cards, or as dongle-style patch cords for roaming technicians. The hardened, industrial version of mGuard has been in production since 2005 and has been proven effective in many demanding installations. Rated IP 20 for mounting in factory enclosures, the devices are easily installed and enabled by technicians, rather than network administrators.
After a thorough review of the technology, the United Water IT Department was receptive to the concept as it would allow process personnel to deploy and maintain their own networks, freeing up IT for other tasks. United Water installed 12 devices as a test bed.
Kolkebeck continues: “The ability for the mGuard to do AES-256 encryption along with its industrial design was key. Again, the appliance was easy to deploy, cost effective, and met our standards. By default, the mGuard is configured in its most secure configuration. Previously, it would require a day’s time of an experienced IT technician, whereas now we can roll out a new VPN device in 10 minutes.”
In ‘Stealth Mode’ the products are transparent, automatically assuming the MAC and IP address of the equipment to which they are connected. No additional addresses are required for the management of the network devices. This was a feature that appealed to the initially skeptical IT personnel at United Water. No changes need to be made to the network configuration of the existing systems involved. The devices operate invisibly and transparently, monitoring and filtering traffic to the protected systems with a stateful packet firewall, according to rules that can be configured via templates from a centrally located server. And with bi-directional wire-speed capability, the devices do not add any perceptible bottleneck or latency to a 100 Mb/sec Ethernet network.
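To make the "stateful packet firewall according to rules from a template" idea concrete, here is a small simulation added for this article. It is not mGuard code or the product's rule syntax; the PLC and server addresses, the two-rule template and the six sample packets are all constructed. It shows why connection tracking matters: a reply from the PLC is accepted because the SCADA server's connection was accepted first, while a bare TCP segment from an unknown host that never completed a handshake is dropped even though it targets the permitted Modbus port.

```python
"""Minimal stateful packet filter with first-match rules and a flow table.
Illustrative example only; not the appliance's implementation."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False    # TCP: SYN set and ACK clear, i.e. a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str          # "accept" or "drop"
    src: str             # single address, CIDR prefix, or "any"
    dst: str
    proto: str           # "tcp", "udp" or "any"
    dport: Optional[int] # None matches any destination port


def _addr_match(pattern: str, ip: str) -> bool:
    if pattern == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def _rule_match(rule: Rule, pkt: Packet) -> bool:
    return (_addr_match(rule.src, pkt.src)
            and _addr_match(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


class StatefulFilter:
    """First-match rule evaluation plus a connection table, so that reply
    traffic for an accepted flow passes without needing a rule of its own."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.flows: Set[Tuple[str, str, str, int, int]] = set()

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        key = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        if key in self.flows:
            return "accept", "established flow"
        # A TCP segment that is not a connection attempt and belongs to no
        # tracked flow is dropped: a bare ACK cannot bypass the rule set.
        if pkt.proto == "tcp" and not pkt.syn:
            return "drop", "tcp packet without handshake or flow state"
        for i, rule in enumerate(self.rules):
            if _rule_match(rule, pkt):
                if rule.action == "accept":
                    # Track both directions so the reply is recognised.
                    self.flows.add(key)
                    self.flows.add((pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport))
                return rule.action, f"rule {i}"
        return "drop", "default deny"


def filter_packets(rules: List[Rule], packets: List[Packet]) -> List[str]:
    fw = StatefulFilter(rules)
    return [fw.decide(p)[0] for p in packets]


# Constructed rule template for one PLC; addresses are illustrative.
PLC_RULES = [
    Rule("accept", "10.0.1.0/24", "10.0.5.20", "tcp", 502),  # SCADA LAN -> PLC, Modbus/TCP
    Rule("accept", "10.0.5.20", "10.0.1.10", "udp", 514),    # PLC -> syslog collector
]

# Constructed traffic sample.
SAMPLE_TRAFFIC = [
    Packet("10.0.1.10", "10.0.5.20", "tcp", 40000, 502, syn=True),   # SCADA server polls PLC
    Packet("10.0.5.20", "10.0.1.10", "tcp", 502, 40000),             # PLC reply (established)
    Packet("192.168.77.5", "10.0.5.20", "tcp", 5555, 502, syn=True), # unknown source host
    Packet("192.168.77.5", "10.0.5.20", "tcp", 5555, 502),           # bare ACK, no handshake
    Packet("10.0.1.10", "10.0.5.20", "tcp", 40001, 22, syn=True),    # SSH not in template
    Packet("10.0.5.20", "10.0.1.10", "udp", 514, 514),               # PLC syslog to collector
]

if __name__ == "__main__":
    fw = StatefulFilter(PLC_RULES)
    for p in SAMPLE_TRAFFIC:
        verdict, reason = fw.decide(p)
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {p.proto}: {verdict} ({reason})")
```

The default verdict is deny, which matches the article's remark that the device ships in its most secure configuration; anything a site needs beyond the template has to be added as an explicit accept rule.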
The security of networked equipment can be further enhanced. Configuration of specific user firewall rules can restrict the type and duration of access to authorized individuals, who may login and authenticate themselves from varying locations, PCs, and IP addresses. VPN functions provide for secure authentication of remote stations, and the encryption of data traffic. CIFS Integrity Monitoring functionality can protect file systems against unexpected modifications of executable code by sending alerts to administrators.
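The CIFS integrity-monitoring feature described above works on a simple principle: record a baseline of the executable files on a share, re-scan later, and alert on anything added, removed or changed. The script below is an added example of that principle, not the product's implementation; the file names, contents and "executable" suffix list are constructed, and the demo builds its own temporary share so it runs offline.

```python
"""Baseline-and-compare integrity check for executable files under a share.
Illustrative example only; the monitored suffixes are an assumption."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumed set of file types worth alerting on; a real deployment would
# take this from configuration.
MONITORED_SUFFIXES = {".exe", ".dll", ".sys", ".bat"}


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map each monitored file (path relative to root) to its SHA-256."""
    baseline: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in MONITORED_SUFFIXES:
            baseline[p.relative_to(root).as_posix()] = _sha256(p)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Return one alert line per added, removed or modified monitored file."""
    alerts: List[str] = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            alerts.append(f"REMOVED  {rel}")
        elif rel not in baseline:
            alerts.append(f"ADDED    {rel}")
        elif baseline[rel] != current[rel]:
            alerts.append(f"MODIFIED {rel}")
    return alerts


def demo() -> List[str]:
    """Constructed scenario: baseline a share, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        hmi = root / "hmi"
        hmi.mkdir()
        (hmi / "runtime.exe").write_bytes(b"MZ original runtime")
        (hmi / "driver.dll").write_bytes(b"MZ driver v1")
        (hmi / "notes.txt").write_text("not a monitored type")
        baseline = build_baseline(root)

        # Simulated unexpected changes to the share.
        (hmi / "runtime.exe").write_bytes(b"MZ patched runtime")   # modified
        (hmi / "driver.dll").unlink()                              # removed
        (hmi / "update.bat").write_text("echo new")                # added
        (hmi / "notes.txt").write_text("changed, but not monitored")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for line in demo():
        print("ALERT", line)
```

In practice the baseline would be stored off the monitored host and the alerts forwarded to the SCADA operators or a central log collector, so that a change made through the share is noticed even when no one is on site.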
“We were implementing multiple measures into our SCADA network in order to actively monitor our system. We utilise network segmentation, VLANs, and centralized firewalls and were looking to introduce intrusion detection (IDS) and intrusion prevention (IPS) systems into our network. The mGuard is a tool that allows us to perform these functions,” said Kolkebeck.
United Water needed to protect RTUs, PLCs, remote card-access and video systems. As industrial systems migrate toward an IP network, more timely information and control is available. All new PLCs have IP capability. Power monitoring is another example: all new variable frequency drives for motors, switchgear, pumps and generators have power monitoring capabilities that need to be tied into the SCADA systems. Following field trials, the mGuard appliances were utilised to provide protection from vulnerabilities through firewall, VPN, routing and trap functions.
“We currently have mGuard security modules deployed in multiple locations throughout the Northeast. We have used the products both for our SCADA networks and our security networks at remote unmanned locations. We have interfaced the mGuard devices with our existing CISCO infrastructure. We are saving money on remote support from our staff and outside contractors and site visits are no longer required for minor code changes and troubleshooting,” concludes Kolkebeck.