Fieldbus & Industrial Networking

Resist cyber attack: securing integrated scada systems

September 2007 Fieldbus & Industrial Networking

Until relatively recently, scada systems were physically isolated from other systems. Plant control networks operated independently of business networks. Scada systems are now integrated into larger company networks to leverage their valuable data. Their security is often only as strong as the security of the overall network.

Written security policy

The process of protecting scada networks starts with the creation of a written security policy. Failure to have a policy in place exposes the company to attacks, loss of revenue and legal action. The security policy should be a living document. The management team needs to draw very clear and understandable objectives, goals, rules and formal procedures to define the overall position and architecture of the plan.

The security policy should also cover the following key components:

* Roles and responsibilities of those affected by the policy.

* Actions, activities and processes that are allowed and disallowed.

* Consequences of non-compliance.

Vulnerability assessment

Prior to completing the written policy a vulnerability assessment must be undertaken to identify the potential risks associated with the different aspects of the scada-related IT infrastructure, and the priority of the different aspects of the infrastructure. The vulnerability assessment helps to identify flaws in the understanding of system architecture and sources of threats.

To complete a vulnerability assessment, a physical audit of all the computer and networking equipment, associated software and network routings needs to be performed. A clear and accurate network diagram should be used to depict the infrastructure following the audit.

The results can be presented in a hierarchical manner, which sets the priority of security concerns and the level of related funding associated with each vulnerability. For example, within a typical scada environment, key items and the related hierarchy could be as follows:

* Operational availability of operator stations.

* Accuracy of realtime data.

* Protection of system configuration data.

* Interconnection to business networks.

* Availability of historical data.

* Availability of casual user stations.

After defining the hierarchy and auditing the different system components, the options with regard to security measures need to be considered. For scada networks there are some common security mechanisms that apply to all networks that have any form of wide area (WAN) or Internet-based access requirements. These include:

* Network design.

* Regulating physical access.

* Firewalls.

* Intrusion detection systems (IDSs).

* Virtual private networks (VPNs).

* IP security (IPSpec).

* Demilitarized zones (DMZs).

Network design - keep it simple

Simple networks are at less risk than more complex networks. Keep the network simple and well-documented from the start.

A key factor in ensuring a secure network is the number of contact points. These should be limited as far as possible. While firewalls have secured access from the Internet, many existing control systems have modems installed to allow debugging access for remote users. These modems are often connected directly to controllers in the substations. Required access should be through a single point that is password protected and where user action logging can be performed.

Regulating physical access

The benefits of a simply designed network can easily be dissipated if some basic protection strategies are not followed. Physical access to your network should be closely monitored. Do not allow anyone that does not belong to your organisation to connect to your network Ethernet or to have physical access to your IT server room. Use built-in Microsoft Windows features such as NTFS to require user authentication when perusing network shares. Monitor your network regularly for activity that may be suspicious and note the IP addresses when running sniffing software or hardware on the network. Ensure that there are no foreign IP addresses on the list. If you find one, trace route to the IP address. Once you locate its origin you can take action. If you are unsure physically, then disconnect the segment where the potential intruder may be on the network.


A firewall is a set of related programs, located at a network gateway server that protects the resources of a private network from outside users. A firewall, working closely with a router program, examines each network packet to determine whether to forward it toward its destination. It also includes or works with a proxy server that makes network requests on behalf of workstation users. A firewall is often installed in a specially designated computer separate from the rest of the network, so that no incoming request can get directly at private network resources.

It is imperative to utilise a secured firewall between a corporate network and the Internet. As the single point of traffic into and out of a corporate network, a firewall can be effectively monitored and secured. It is important to have at least one firewall and router separating the network from external networks not in the company's dominion.

On larger sites the control system needs to be protected from attack within the scada network. Implementing an additional firewall between the corporate and scada network is highly recommended.

Intrusion detection

Firewalls and other simple boundary devices currently lack some degree of intelligence when it comes to observing, recognising and identifying attack signatures that may be present in the traffic they monitor and the log files which they collect. This deficiency explains why intrusion detection systems are becoming increasingly important for network security.

An IDS is a specialised tool that knows how to read and interpret the contents of log files from routers, firewalls, servers and other network devices. It often stores a database of known attack signatures and can compare patterns of activity, traffic or behaviour in the logs it is monitoring against those signatures. In this way it can recognise when a close match between a signature and current or recent behaviour occurs.

Most commercial environments use some combination of network- and host- and/or application-based IDS systems to observe what is happening on the network while also monitoring key hosts and applications.

Virtual private network

One of the main security issues facing complex networks is remote access. VPN is a secured way of connecting to remote scada networks. With a VPN, all data paths are secret to a certain extent, yet open to a limited group of persons, such as company employees. A VPN is a network constructed using public wires to connect nodes. There are a number of systems that allow the creation of networks using the Internet as the transport medium. These systems use encryption and other security measures to ensure only authorised users access the network and data cannot be intercepted.

IP security

IPsec is a set of protocols developed by the Internet Engineering Task Force to support the secure exchange of packets at the IP layer. IPsec can be deployed within a network to provide computer-level authentication and data encryption. It can also be used to create a VPN connection between two remote networks using the highly secured Layer Two Tunneling Protocol with Internet Protocol security (L2TP/IPSec).

Demilitarised zones

The use of DMZ buffers is becoming increasingly common as a method of segregating business applications from scada networks and is a highly recommended additional security measure. DMZs are buffers between trusted networks (scada network) and corporate networks or the Internet, separated through additional firewalls and routers.

For more information contact Niconette du Toit, Citect, +27 (0)11 699 6600,,

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

EtherCAT interoperability removes industrial networking barriers
Fieldbus & Industrial Networking
Selecting the right communication technology is one of the most important decisions engineers make, and interoperability helps with that decision. Key development tools and standards ensure interoperability among many EtherCAT devices and manufacturers.

Condition monitoring to go
Turck Banner Southern Africa Fieldbus & Industrial Networking
Anyone who wants to efficiently monitor the climate in control cabinets will find a comprehensive range of control cabinet monitors for the DIN rail in Turck Banner’s cabinet condition monitoring family.

Standardising information in process automation applications
Fieldbus & Industrial Networking
The co-owners of the Process Automation Device Information Model have released the PA-DIM Version 1.1 specification. This release, a testament to collective efforts, includes expanded device-type support for process analysers, and an enhanced basic hierarchy structure with new extensions, benefiting the industrial user and vendor manufacturing community.

Enabling multiple applications on a unified TSN network
RJ Connect Fieldbus & Industrial Networking
A leading global manufacturer of industrial machinery wanted to aggregate multiple applications into its CNC machines. Due to the use of different proprietary networks, integrating the networks and maintaining the components required substantial effort.

Smart and easy wiring with IO-Link
ifm - South Africa Fieldbus & Industrial Networking
A leading global machine manufacturer in the food and beverage industry has put its automation concept, based on parallel wiring, to the test with the aim of achieving higher efficiency, lower costs, more flexibility, and standardisation. All requirements can be successfully implemented with IO-Link solutions from ifm.

Flexible EtherCAT communication interface for DALI-2
Beckhoff Automation Fieldbus & Industrial Networking
The EL6821 EtherCAT Terminal from Beckhoff allows up to 64 DALI/DALI-2 slaves and 64 DALI-2 input devices to be connected. The TwinCAT 3 System Manager makes it easy to configure and parameterise DALI devices flexibly.

Modularity for future scalability
RJ Connect Fieldbus & Industrial Networking
When it comes to managed switches, industrial-grade reliability, multicast availability and security enhancements based on the IEC 62433 standards are crucial features. There are a number of vertical markets where these switches can be used.

TwinCAT runtime for real-time Linux
Beckhoff Automation Fieldbus & Industrial Networking
With TwinCAT runtime for real-time Linux, Beckhoff is opening up new application possibilities for real-time control. The ability to execute several TwinCAT runtimes on a single industrial PC means users can now combine different system parts on one high-performance computer to streamline programming and diagnostics.

EtherCAT terminals for the connection of load cells
Beckhoff Automation Fieldbus & Industrial Networking
Beckhoff is offering a compact and cost-effective solution for integrating weighing functions into control systems. The integration of the supply voltage for the load cells is particularly advantageous.

Affordable building management system product range
Fieldbus & Industrial Networking
Schneider Electric has unveiled its EasyLogic Building Management System range, designed for basic building architectures, to the local marketplace. This is a complete and cost-effective range of field controllers and sensors that are both easy to install and scalable.