Transcription
SecurityStrictly noadmittanceKeeping an eye on IT security in the plantMarkus Brändle, Thomas E. Koch, Martin Naedele, Rolf VahldieckElectronic attacks on the automation systems of industrial and utility plants are rare. Nevertheless, whenthey do occur, the consequences can be severe.Strategies used to protect office networks (for example) are not always directly applicable to the specificneeds of industrial and utility plants. Whereas traffic on an office network is largely arbitrary from a monitoring point of view, and intrusion detection is often restricted to scanning data packets for specific attributes, network traffic in a plant is normally easy to correlate to the system’s activity. Significant deviationsfrom expected patterns can be an indicator of intrusions. ABB’s System 800xA Security Workplace usesthis to add security functionality to System 800xA control systems. Because the approach builds on proven System 800xA concepts, operators do not require special IT-security training to be able to make gooduse of this tool.ABB Review 1/200871
Strictly no admittanceSecurityIn view of the continuous evolutionin the capabilities of computers,and also the multiplicity of means ofaccess (network connections, modems, memory sticks, CDs, laptops,etc), it is no surprise that new vulnerabilities are continually being discovered and exploited. No security mechanism can guarantee absolute invulnerability against attacks and intrusions. A polyvalent security architecture therefore relies not only on preventive mechanisms such as firewallsand antivirus tools, but also includestechnology and process elements todetect ongoing attacks and intrusionsand is able to react to them.may make this approach unsuitable:These can be related to security, (external access would have to be provided) or to safety (can the externalservice provider be trusted to properlyappreciate the peculiarities of industrial plants and the related hazards?).For these situations, ABB offers athird alternative – the integration ofIT security monitoring in the overallprocess control structure.Process operators, thanksto their training and everyday work experience inmonitoring hundreds ofprocess indicators, arevery good at detectinganomalies in values andtheir correlations.One option for such detection capability is a dedicated team of humansthat monitors and analyzes intrusions.Operating such a team around theclock implies a significant and continuous financial investment, which maybe hard to justify. Moreover, attractingand retaining qualified team memberscan prove difficult in an environmentthat only very rarely encounters anactual attack.Security monitoring and process controlMany companies have technical attackdetection capabilities, such as network-based intrusion detection systems, host-based intrusion detectionsystems, or scanners analyzing logmessages from firewalls and hosts.However, many of these companiesdon’t make effective use of thesetechnical capabilities because theylack the staff resources to monitorthe output of such tools around theclock.A more cost-efficient alternative for aplant would be to subscribe to theservices of a managed security serviceprovider, using central monitoringfacilities with highly qualified staff tocontinuously and concurrently monitor the networks of multiple clients.While significantly less costly than thein-house equivalent, the external service provider approach may still betoo costly for low risk plants. Furthermore, there are other concerns thatWhereas IT security for automationsystems has to overcome a number ofData flow for the System 800xA Security Workplace.Network traffic data is collected from various nodes and analyzedfor anomalous behavior.12specific challenges, some of them differing from those faced in IT securityin offices [1], it also has certain advantages: One of these is that, very often,a process operator is available tomonitor system behavior at all times.The availability of the process operator suggests that ideally he shouldalso act as a kind of “first responder”with regard to IT security.One objection to this approach maybe that such a first responder rolewould require IT and IT-securityknowledge, which is often not foundamong process operation staff. Thislack of expertise is being addressedthrough increased automation of theanalysis and detection function usingcomplex rule-bases [2]. The removalof the human with his lack of expertise from the loop permits the derivation of fast and deterministic decisionsproviding clear responses in clearsituations. Many real-life situationsare, however, ambiguous: The environment is too dynamic for a fixedattack detection rule-base, and anapproach based on dynamic updatingof the rule-base would bring back therequirement for continuously availableexperts. ABB’s approach, in contrast,is that process operators, thanks totheir training and everyday work experience in monitoring hundreds ofprocess indicators, are very good atdetecting anomalies in values andtheir correlations. These people canuse common sense to decide whetherthere is an uncritical explanation foranomalies – both in control parameters and in security-related areas.Overview of the architecture of the 800xA Server with SecurityWorkplace800xA server nodeAspect server800xA server nodeABB OPC server (PNSM)SyslogSyslogWMISSHWindows sPNSMscriptsWMISSHclientSNMPSSHSSHNetwork nodeUnix nodeWindowseventlogSyslog toEventLogA more detailed view of the server node is shown in722.SyslogWMIABB Review 1/2008
Strictly no admittanceSecurityStarting from these requireFor example: A visualization3 800xA Security Workplace showing the overview of the IT networkments, ABB has developed aof the hosts in the automasecurity and system healthtion network displays themonitoring and visualizationnumber of logged-in users.solution for process controlIn the process operator’ssystems based on the Systemexperience over past weeks,800xA framework – Systemthis number is constant. It is800xA Security Workplace.not necessary for him toknow that the actual valueSystem 800xA Securityresults from logged-in humanWorkplaceusers (on some hosts) andSystem architectureservice accounts for certainSystem 800xA Securityapplications. Suddenly, heworkplace consists of severobserves that on one host theal faceplates and scripts thatuser count is one higher thanare loaded into the Systemnormal. Typically, this would800xA at runtime. The secube a highly critical sign ofrity workplace thus useshost compromise, indicatingand builds upon the 800xAthat an attacker has brokenbase libraries and frameinto a user account. In thiswork, illustrating how thespecific case, however, thehigh flexibility and straightprocessor operator can easilyforward integration capabilicorrelate the initial appearIT security related information hasties of the 800xA architecture can beance of the additional user on histo be presented to the process operextended to such specific purposes asmonitoring system with the fact that aator using the same presentationsecurity monitoring.technician has recently entered theparadigms he is used to from procontrol room to effect engineeringcess monitoring. This includes proThe 800xA Security Workplace incorwork. This type of plausibility checkcess graphics, colors, symbols, figporates data from different sourcesis essentially impossible to codify in aures, and trend charts, and excludesand accessed by different technolofully automated system and the corremessages containing cryptic “hackergies. 1 shows a high level overviewsponding false alarms are among theof the systems involved and the dataterminology”.main reasons of the poor reputationThe process operator should notflows between them. The current proautomated intrusion detection systemsneed any specific IT or IT-securitytotype collects data from Windowshave [3].knowledge in order to detect annodes using Syslog messages, Winattack and react to it in a meaningdows Management InstrumentationABB’s vision is to provide the processful way. Possible reactions could(WMI). Data from network nodes (eg,operator with the tools and methodsinclude isolating the automationfirewalls, switches, or routers) isto deal with plant IT security probsystem from external connections,accessed using Simple Network Manlems similar to process deviations [4].activating predefined networkagement Protocol (SNMP) and SyslogThe realization of this vision dependsislands inside the automationmessaging. The current product extenon the following prerequisites:IT security related information hassystem, starting a vulnerabilitysion does not include Unix nodes.to be presented to the process opercheck, collecting additional dataHowever, accessing data from Unixator as part of his normal processaccording to predefined procedures,nodes is simple using SNMP, SSH, orrelated work environment.or calling for expert help.Syslog messaging.4The icon (from3) showing the status of a computer system in the networkSystem: shows the type of the system, i.e. clientor server and the overall status of the system.A red icon indicates that some critical value,e.g. status of the antivirus software, is not inthe desired state.Network utilization: shows the utilization of thenetwork interface.File integrity: shows integrity status of definedset of files, i.e. shows if a certain files havechanged.Antivirus status: shows if the antivirus processis running and if on-access scan is enabled.ABB Review 1/2008Memory and CPU usage: trends showing CPUand memory usage.73
Strictly no admittanceSecurityThe architecture of the 800xA servernode needed to access the data fromthe different sources is shown in 2 .The data is accessed using a System800xA PC, Network and SoftwareMonitoring (PNSM) scripts and provide the interfaces to connect to thevarious data sources1).PNSM (PC, Network, Software Monitoring), which is used as the backbone of the security workplace, is aset of 800xA features for monitoringthe hosts and network elements in anautomation network. PNSM provides apre-configured library of IT Assetsrepresenting devices and system processes widely used within industrialbusinesses today. Through PNSM,Security Workplace incorporates datafrom the complete IT system: datafrom network devices such as firewalls and switches, from networksegments and from computer systemsattached to the network. The datacollected consists of general IT data,such as CPU load, and security specific data, such as information on antivirus installation. Some of these moresecurity related IT assets and information sources were added for SecurityWorkplace.Overall, the easy integration of information sources and the increasingautonomous behavior of componentswill lead to the implementation offully automated and secured plantmanagement. [5].Operator perspectiveSecurity Workplace is tailored to beused by a “normal” 800xA operator,ie, a person who does not necessarilyhave an IT-security background andin-depth knowledge of IT networksand systems. The data displayedshould therefore not require skilledinterpretation – Security Workplacemust be capable of highlighting signsof possible attacks. It is not the inten5a74tion that the operator should be ableto identify the type of attack preciselyor to react to possible attacks fromwithin the framework of SecurityWorkplace.The look and feel of Security Workplace resembles a standard 800xAworkplace. It contains standard elements such as faceplates, trend displays or alarm lists. Having this seamless integration into the well knownworking environment fosters acceptance by the operators and does notintroduce the additional complexity ofa new user interface that a dedicatedsecurity monitoring software from anexternal supplier would introduce.shows the Security Workplace for ademonstration system. It consists of aprocess control network (PCN), a demilitarized zone (DMZ) and an external insecure network (eg, the Internetor business network). These zones areseparated by firewalls and the PCNand DMZ have managed switches toconnect the different nodes. The DMZholds a proxy server that allows thePCN to be connected to from the outside. The PCN holds four differentwindows systems, an 800xA Aspectserver, and 800xA Aspect Optimization server, a Windows Domain serverand an 800xA Operator Workplace.3The depiction of the IT system withinthe Security Workplace resembles theactual physical setup. This will makeit easier for the operator to understand what he is looking at. In case oflarger systems, which cannot fit ontoa single screen, the network can, as iscommon for complex process pictures, be displayed at different levelsof detail on different displays.For Microsoft Windows-based systems,the workplace overview of the 800xASecurity Workplace depicts a summaryof the health of the system. 4 showsIcons representing firewalls and their statuses, as displayed within the network overviewsuch a system icon explaining themost important information depictedin the icon.The overview of the 800xA SecurityWorkplace also contains icons for allnetwork devices. It shows basic information for the devices, ie, type of thenetwork device, IP address, name, andstatus of the ports. 5 shows icons fora firewall (left) and a router with firewall capabilities (right). The firewallhas two ports that are both connected,the router has one port connected tothe outside network and six ports connected to the inside network. The iconshows that out of the six ports facinginside, three are connected. The colorsof the ports indicate their status, greenfor correctly connected ports, grey forcorrectly unconnected ports and redfor misconfigured ports, ie, ports thatare connected but should not be connected or vice versa.The security workplace also showsinformation on the network usage onvarious links. Small trend displaysshow eg, the amount of data receivedand sent by a network device or thenumber of packets received that werediscarded 6 .All icons shown in the overview arelinked to faceplates offering moreextensive information. For networkdevices, the faceplates show the network usage of all interfaces individually and contain detailed trends foreach interface showing the number ofFootnote1)The different methods of accessing the data aredescribed in detail in technical documentation6Icons showing network loads (green is datareceived, yellow is data sent)3bABB Review 1/2008
Strictly no admittanceSecuritypackets received, the number of packets sent, the number of dropped packets, the number of erroneous packetsetc. For Microsoft Windows systemsthe faceplates contain detailed information on the operating system (eg,version, installed service pack), theactive sessions, the status of runningthreads, and trends on CPU usage,memory usage and thread activity.Example of detection of irregularityAs mentioned above, Security Workplace was designed to detect signs ofattacks and to alert the operator. Animportant part of detecting attacks isfirst defining a “normal” system state.The workplace allows the definition789Possible attack on a firewallA switch icon showing an illegal portuse (red)A Windows system icon with antivirusturned offof thresholds for various values that,when exceeded, will trigger an alarm.In this respect the arrangement is similar to standard process supervision.In contrast to other intrusion detectionsystem (IDS) approaches, however,thresholds are not predefined but it isup to the operator to decide what isnormal and what is not.Network loads, for instance, are constantly monitored; a sudden increase ofnetwork traffic will result in an alert.Deviations from normal network loadscan be a sign for a security incident,eg, network scanning or a malwaretrying to send data. 7 shows a scenarioin which network traffic seen at a firewall is abnormal and one-sided, ie,traffic is only arriving at the firewalland not being re-transmitted. In addition, the network load has crossed thethreshold (indicated by the exclamation sign) and some of the packets areerroneous (indicated by the red dataplot). The fact that almost no traffic issent from the firewall on either interface suggests that someone is eitherscanning the firewall or trying to senddata to the PCN that is blocked by thefirewall. Both would be a clear sign ofan attack. Alternatively, it could be thata technician is uploading a file ontothe firewall, eg, a new firmware, causing the abnormal traffic load. However,the high number of erroneous packetsmakes this unlikely.actually performing a firmware updateof the firewall or that the technicians’laptop is infected with eg, a wormthat is trying to spread through thefirewall.A different scenario is shown in 9 .The monitored Windows system hasits antivirus functions turned off andthe CPU load is very high. The disabled antivirus software would havetriggered an alarm. Similarly to theprevious scenario the operator mighthave additional knowledge to understand the event, eg, someone doing asoftware update on that machine.However, the antivirus softwareshould typically never be disabled andthis scenario would thus have to beclassified as a security incident regardless of the circumstances.The System 800xA Security Workplace and associated integration services are available from ABB ConsultIT Security Consulting Services. Contact Rolf Vahldieck (rolf.vahldieck@ch.abb.com) or the otherauthors of this article.Markus BrändleThomas E. KochMartin NaedeleABB Corporate ResearchBaden-Dättwil, h.abb.commartin.naedele@ch.abb.comRolf VahldieckWhereas the information shown in 7gives indications on the type of attack, it is still unclear where the attackis originating from. This informationhas to be found elsewhere in SecurityWorkplace: 8 shows the networkswitch residing in the DMZ that is alsoconnected to the outside interface ofthe firewall. Shortly before the attackthe rightmost port in the graphic started to blink in red. This means that adevice, eg, a laptop, has been connected to this physical port eventhough the port should not be connected to anything.ABB Automation GmbHMinden, Germanyrolf.vahldieck@de.abb.comReferences[1] Naedele, M. Addressing IT Security for CriticalControl Systems, 40th Hawaii Int. Conf. on System Sciences (HICSS-40), Hawaii, January 2007.[2] /logiic-project.html (November 2007)[3] IDS is dead, Gartner 2003.[4] M. Naedele, Biderbost, O. Human-AssistedIntrusion Detection for Process Control Systems2nd Int. Conf. on Applied Cryptography andNetwork Security (ACNS) Tunxi/Huangshan,China, June 2004.[5] Koch, T. E., Gelle, E., Ungar, R., Hårsta, J.,The correlation of the information andthe fact that the operator knows that atechnician is performing maintenanceof the DMZ network allows the operator to assume that the irregularity iscaused by the technician’s laptop. Itcan either be that the technician isABB Review 1/2008Tingle, L. Autonomic computing, ABB Review1/2005, 55–57.Further readingNaedele, M., Dzung, D., Vahldieck, R., Oyen, D.Industrial information system security (tutorial in threeparts), part 1: ABB Review 2/2005, 66–70, part 2:3/2005, 74–78, part 3: 4/2005, 69–74.75
Syslog WMI SNMP SSH 800xA server node ABB OPC server (PNSM) Aspect server WMI SSH client Windows eventlog Syslog to EventLog PNSM scripts PNSM scripts PNSM scripts PNSM scripts 1 Data flow for the System 800xA Security Workplace. Network traffic data is collected from various nodes and analyzed for anomalous behavior. Syslog Syslog WMI SSH SSH .
