IMAGINE this happening to you: 250 million tonnes of raw sewage being released because a disgruntled employee breaks into the network of a wastewater control system. This happened in Australia. But it can be worse. Russian hackers took control of a gas pipeline for 24 hours by penetrating its electronic control systems.
Imagine these same hackers having connections with criminals or terrorists; the danger would be catastrophic.
Luckily, these situations do not occur daily, or at least don’t end up attracting publicity.
According to Ruud van Drielen, product manager automation at Schneider Electric in The Netherlands, most enterprises have taken the necessary precautions at the IT level.
“Most people responsible for securing an enterprise network are, in most cases, also responsible for the industrial Ethernet,” said Van Drielen. “This is often connected to an MES or ERP system. Digital information is transferred through hubs, switches and routers from large servers all the way to the industrial PLCs, PCs and other control devices on a production level.”
All is not lost
THERE are ways to secure industrial networks, and specifically the Ethernet.
Fortunately, few if any hackers are active on specific industrial fieldbuses, such as ProfiBus and CANbus.
Firstly, the code is often too specific. Secondly, there’s not enough incentive for the hacker. However, the Ethernet is growing rapidly as the industrial network solution. To secure this network, the user can choose from several options.
The control layer remains unchanged, operating with PLCs and the relevant operating system, making it unnecessary to use specific security software. In addition, considerable investment can be made in firewalls, routers and anti-virus software.
Finally, “host intrusion prevention” software can be used. This last option could be a wise choice for industrial systems running on common (and therefore vulnerable) operating systems.
A VIRUS is a program that needs an operating system (OS) to run. Windows is notorious for the number of viruses that target it, while Linux is less affected because fewer viruses have been developed for it.
However, in the industrial automation world, many PLCs are used with their own OS.
“These are often real-time, running on their own, developed by the supplier and separated from office applications,” said Van Drielen. “This OS will not be subject to, for instance, a Windows virus. No viruses are known within our organisation that hack into industrial operating systems.”
Van Drielen acknowledges that certain HMI (Human Machine Interface) applications run under a Windows environment.
“Users have to consider possible viruses. But usually these are already intercepted at a higher level.”
According to Van Drielen, while PLC control software is quite safe, a distinction has to be made between PLCs and soft PLCs.
“With soft PLCs, control is realised on a Windows OS. At Schneider Electric we handle this issue by using an interface card for a PLC with its own OS. This so-called ‘slot PLC’ can then be placed in an industrial PC.”
The PLC’s OS runs fully independently from the Windows OS. In addition, the power supply is separated. Users should, however, remember that Windows CE is more sensitive to viruses.
“We find that a slot PLC is safer than a soft PLC,” said Van Drielen, “but that is a market discussion. We clearly choose a slot PLC for its safety, real-time behaviour and independence from PC hardware.”
ATS International recently introduced a new type of security software that is suitable not only for office environments but also for industrial networks.
According to Roelof Kuipers, sales and marketing developer at ATS, Prevx is not another anti-virus package but a host intrusion prevention system. This software doesn’t look at specific viruses, but at unfamiliar protocols that occur between an OS and a certain industrial application.
According to Nick Ray, CEO of Prevx, based in the United Kingdom, hackers are especially interested in systems that run on the most common operating systems.
“Networks running on Windows, Linux or Solaris are favourites,” said Ray. “These types of operating systems are under heavy attack every day, and most anti-virus software suppliers are actually always running behind. With Prevx, no weekly or monthly update is required. One installation with the right protocols is sufficient.”
A host intrusion prevention system protects against an attack without knowing its actual specifications. The software looks at the behaviour of the system and at processes that match defined protocols.
“Every unfamiliar process will be blocked,” said Ray. “This offers broad protection to a wide variety of virus attacks, including ‘zero day’ attacks. These are new. Anti-virus suppliers have not yet developed patches and thus no anti-virus software is available.”
Consoles and agents
PREVX is built up with a “console” and “agents”. The console is the management station and is installed centrally on the network. The agents are installed on every separate server, desktop PC, laptop or HMI. One console can manage up to 10,000 agents.
Host intrusion prevention works simply. The software installs itself between an OS and its applications, and a set of security protocols is added. The program looks at the characteristic behaviour of a virus and doesn’t depend on “signatures”, complex rules or learning techniques to trace an intruder.
Normally, a virus enters through the Internet. By applying a “buffer overflow” it will try to influence the application software. If this is successful, the virus will be able to use its own code and, for instance, modify the “system registry”, which will still be present after a re-start.
It will also be able to disable certain anti-virus “security updates”. By then, the damage will be done.
While Prevx consists of a number of standard security protocols, IT developers can add their own.
When the application “asks” the OS to perform a certain task, Prevx will intercept this request and check it according to the protocols. If it is a known action, it will be passed through to the OS.
A virus, worm or any other form of attack will be “seen” because the application will “ask” the OS to perform an unfamiliar task, which is not identified by the security protocols. A host intrusion prevention system works real-time and sees everything that happens in the system. Due to this functionality, it cannot be bypassed by coded files or by a VPN (Virtual Private Network), such as an intranet.
IF a host intrusion prevention system detects an unfamiliar action, it will be blocked and a message will be sent to the console.
According to Ray, Prevx doesn’t need to be monitored constantly.
“An attack is stopped instantly, and no immediate action is required. Experience shows that Prevx requires minimum human involvement to operate. When the software is installed for the first time, and a certain faulty code already exists in the system, a number of checks performed by the Prevx software will detect this.”
It is also recommended to install a Prevx agent on systems, such as laptops, that are disconnected from a company’s network and taken offsite.
If a laptop is connected to the network and a possible attack is detected, this will be sent to the console.
“If this same laptop is disconnected and used elsewhere, such as at home, this device will be very vulnerable to attacks,” said Ray. “In case of an attack, a message will appear on the laptop, showing the user what is happening. When the laptop is connected to the company’s network again, all events that occurred during the disconnection period will be sent to the console.”
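The default-deny check and the offline event queue described in this article can be modelled in a few lines of Python. This is an added illustration, not Prevx code and not taken from the article's sources; the rule format, application name, host name, paths and addresses are all constructed.

```python
import posixpath
from dataclasses import dataclass, field

# Constructed allow rules: (application, action, target prefix). Hypothetical names.
ALLOWED = {
    ("hmi.exe", "file_read", "C:/HMI/"),
    ("hmi.exe", "file_write", "C:/HMI/logs/"),
    ("hmi.exe", "net_connect", "10.0.5."),
}

@dataclass
class Agent:
    host: str
    connected: bool = True
    pending: list = field(default_factory=list)  # blocked events awaiting delivery
    console: list = field(default_factory=list)  # stands in for the central console
    def is_known(self, app, action, target):
        if action.startswith("file_"):
            # Collapse ".." so C:/HMI/../Windows cannot ride on the C:/HMI/ rule.
            target = posixpath.normpath(target)
        return any((app, action) == (a, act) and target.startswith(prefix)
                   for a, act, prefix in ALLOWED)
    def handle(self, app, action, target):  # True = passed to the OS, False = blocked
        if self.is_known(app, action, target):
            return True
        self.pending.append((self.host, app, action, target))
        self.flush()
        return False
    def flush(self):
        # Events reach the console only while the agent is on the network.
        if self.connected:
            self.console.extend(self.pending)
            self.pending.clear()
    def reconnect(self):
        self.connected = True
        self.flush()

SAMPLE = [  # constructed requests, seen while the laptop is off the network
    ("hmi.exe", "file_read", "C:/HMI/screens/main.cfg"),
    ("hmi.exe", "registry_write", "HKLM/Software/Microsoft/Windows/CurrentVersion/Run"),
    ("hmi.exe", "file_read", "C:/HMI/../Windows/win.ini"),
    ("hmi.exe", "net_connect", "10.0.5.20:502"),
]

def demo():
    agent = Agent("laptop-07", connected=False)
    verdicts = [agent.handle(*req) for req in SAMPLE]
    queued = len(agent.pending)
    agent.reconnect()
    return verdicts, queued, len(agent.console)
```

The registry write and the path that escapes the allowed directory are blocked and held locally, then delivered to the console on reconnect; the protection is only as good as the rule set, so an over-broad prefix passes whatever falls under it.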