The susceptibility of critical scada systems to security issues confronts many organisations. While it may be rare to penetrate a control system directly from the Internet, corporate intranet connections, remote support links, USB keys, and laptops can all create pathways for the typical worm or hacker. Once inside, impacting an industrial control system is not difficult – in some cases, even the most basic scanning by a hacker or worm can wreak havoc.
Unfortunately, 99% of all scada and process control devices do not support even basic authentication and authorisation functions. Thus, these devices cannot take advantage of any of the security infrastructures offered by many corporate IT departments. Complicating the matter even more, many scada end users have found the common VPN solutions to be either unbelievably complex to manage in real-time or ill-suited for handling the protocols that are found in automation networks.
Security in aerospace manufacturing
A major aerospace manufacturer faced exactly these issues when securing the systems used in the production of its long-range passenger aircraft. Large, highly mobile crawlers with extensive PLC and HMI components are vital for the assembly of new aircraft. In order to coordinate that assembly, these PLCs require secure access to each other and real-time connection to the corporate network.
Since the PLCs are installed on mobile platforms, they require wireless access to communicate. However, the models of PLCs currently on the market cannot participate in the corporate public key infrastructure (PKI) system, which is a requirement for secure wireless communications. Furthermore, the plant security solution must modify security policy (and allow PLC to PLC connections) based on information from a large variety of sources that change rapidly. For example, the position of a crawler or the card scan of an operator will determine which PLCs can interconnect.
Scadanet Endboxes secure the PLCs
The solution is an architecture called Scadanet that provides a simple and secure encryption system between control devices. Each crawler is protected by a Scadanet Endbox. These Endboxes interconnect securely with other Endboxes over a variety of secure or insecure networks, including the corporate intranet, various cellular services or even the Internet. The Endboxes interact with the corporate IT security services, including the PKI system, to provide an encrypted overlay network between the PLCs assigned to them by the crawler operators.
F-Map ties it all together
Tying all the Endboxes together in a scalable manner is a central publish/subscribe repository of network information based on the interface metadata access protocol (IF-Map) technology. This Trusted Computing Group standard allows systems from different vendors to publish information that the Endboxes can use to determine security policy in real-time. For example, if the IP address of an Endbox changes because a crawler has moved into the range of a new wireless access point, then this information can be propagated to other Endboxes so that critical communications are not disputed. Or if an operator that is not approved for a given crawler swipes into the badge reader, the crawler can be immediately disconnected from the critical control network.
The Scadanet architecture, IF-Map and Tofino Endboxes provide a framework that allows the IT department to manage access to its services and yet let the scada engineers maintain full control over their network systems and devices.
| Tel: | +27 10 055 7300/1 |
| Email: | [email protected] |
| www: | www.extech.co.za |
| Articles: | More information and articles about Extech Safety Systems |
© Technews Publishing (Pty) Ltd | All Rights Reserved
printer friendly version