Industrial Protocols & Cyber

lostcontrol

- Industrial Networks & Cyber Security -

Hi,
We are all well versed in IT security, windoze risks, Stuxnet, etc.

What do we know about the risks to our industrial protocols, compliance with IT policies & the like?
I'm referring specifically to EtherNet/IP, Profinet, EtherCAT, as well as Modbus TCP…

I guess that all of them are ‘published’ to a certain extent (open/ODVA/membership); there are quite high risks if exploited?

What I am seeing is that we have gone almost full circle in our ‘battles’ with IT/IS providers.
In the early days they were very restrictive & wanted control/management etc., then moved to working with us & accepting we were implementing the best possible solution, and now they want complete control again.


LC
 
Streaming serial data security

There are SOME situations where one direction of data flow can work well. Let's say you have a water plant where you want to be able to see what is going on from home and get alerted on alarms. IF you don't need to be able to change anything from home, then streaming serial may be an answer. It's one-way transmission through an RS-232 serial port that is only hooked up in one direction. The data is passed to a computer that is on the internet. It can have the usual VLAN setup. The internet-side computer can be 'hacked', but the gap between the computers cannot be jumped. In the case of a water plant the data is probably not confidential, and you may only need to secure the system from remote control.

The advantage of this primitive brute-force method is that it is a hardware thing that is not dependent on software versions, etc. It seems that the same IT people that bless your software solution this week will be blasting it as insecure next week. In SOME situations streaming serial may be an answer to the data security problem that does not result in an endless process of meetings and evaluations and discussions and revisions and opinions. Life is too short to spend with IT people in conference room meetings that you probably are not getting paid for.

Streaming serial can be done a lot of ways. PM me if you are interested in our implementation.
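As an added illustration of the receive-only side of such a link (example code, not the poster's implementation): the framing format is an assumption, one ASCII line per reading, `TAG=VALUE*CC` with CC the XOR of the payload bytes in hex. Since the link is one-way there is no retransmission, so corrupt frames are dropped and counted rather than requested again, and nothing is ever written back toward the plant side.

```python
# Added example: receive-only parser for a one-way streaming serial feed.
# Frame format (assumed): b"TAG=VALUE*CC\n", CC = XOR of payload bytes as hex.
from dataclasses import dataclass, field

# Assumed alarm limits for the water-plant tags used in the sample below.
ALARM_LIMITS = {"TANK_LEVEL": (10.0, 90.0), "CL_RESIDUAL": (0.5, 4.0)}

def checksum(payload: bytes) -> int:
    c = 0
    for b in payload:
        c ^= b
    return c

def make_frame(tag: str, value: float) -> bytes:
    """Build a frame; only used here to construct sample traffic."""
    payload = f"{tag}={value}".encode("ascii")
    return payload + b"*%02X" % checksum(payload)

@dataclass
class StreamState:
    readings: dict = field(default_factory=dict)   # latest value per tag
    alarms: list = field(default_factory=list)     # (tag, value) out of limits
    dropped: int = 0                               # frames failing validation

def parse_frame(line: bytes):
    """Return (tag, value) for a valid frame, or None if it fails validation."""
    try:
        payload, cc = line.rsplit(b"*", 1)
        if int(cc, 16) != checksum(payload):
            return None                            # corrupted in transit
        tag, value = payload.split(b"=", 1)
        return tag.decode("ascii"), float(value)
    except (ValueError, UnicodeDecodeError):
        return None                                # garbage or truncated line

def feed(state: StreamState, data: bytes) -> StreamState:
    """Consume bytes from the serial port; never sends anything back."""
    for line in data.split(b"\n"):
        line = line.strip()
        if not line:
            continue
        parsed = parse_frame(line)
        if parsed is None:
            state.dropped += 1
            continue
        tag, value = parsed
        state.readings[tag] = value
        lo, hi = ALARM_LIMITS.get(tag, (float("-inf"), float("inf")))
        if not lo <= value <= hi:
            state.alarms.append((tag, value))
    return state

# Constructed sample stream: a good frame, one corrupted in transit (payload
# byte changed, checksum left as sent), and one out-of-range reading.
SAMPLE = b"\n".join([
    make_frame("TANK_LEVEL", 55.0),
    make_frame("CL_RESIDUAL", 2.1).replace(b"2.1", b"9.1"),
    make_frame("TANK_LEVEL", 95.5),
]) + b"\n"
```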
 
Instead of talking about protocols, companies should have a reality check.
1. Many PLC programmers or integrators know very little about information technology; they keep calling the RJ45 port an Ethernet port. Some of them even buy devices with an RJ45 port that do not support Ethernet, and wish to use an Ethernet connection.
2. Small company management knows nothing about IT or automation; as long as it works, they are happy.
3. Operators or techs always ask for convenience but care about or know nothing about security.
The list goes on and on....
Humans and hardware are a big part of security. If companies do not prioritize security, it does not matter what protocol you use; you are exposed.
 
Most IT guys, or IS guys, know nothing about automation. It was so funny; they even asked to update PLC and all automation device firmware regularly. WTF!
 
They also upgraded the programming station (PC); then the old automation software no longer worked, with no backup whatsoever. Companies end up with downtime and a new system upgrade, costing a ton of money and time.
The fact is that some PLC-2s and PLC-5s ran for 20, 30 years without any major problem. They are so well built, extremely high quality.
 
I am going through the Homeland Security CISA (Cybersecurity and Infrastructure Security Agency) online courses now. It is training on the vulnerabilities of industrial control systems (ICS) to cyber threats. It is good too in that it touches on the different needs of the IT world versus the controls world. Something that would certainly help the IT people better understand why the controls side has different requirements.

One of the points that they keep driving home is that ICS lived for so long as isolated proprietary systems that they were essentially safe from outside threats. Sort of security via obscurity. They didn't connect to larger networks and they used proprietary protocols. You really needed physical access to do harm. Your fence was your security. And now today we have taken those same systems and connected them to the corporate networks (sometimes even the Internet) and use common, insecure protocols like TCP/IP. Or, even take old, insecure protocols and wrap them in TCP/IP (Modbus TCP). The fence has been kicked over and the threat is now the world.

A PLC-5 may be bulletproof and run for 20+ years but it was developed in a world where cyberattacks weren't a thing. The product, the networks, and the systems just weren't designed for it.

By pushing for the control systems to integrate with the larger corporate systems we have inherently insecure systems that are now vulnerable. There are great benefits to doing this integration, but we have introduced risk that wasn't there.

How many of our controllers don't even use a simple password? How many HMIs use a common password that everyone knows and uses? How many of our switches will allow anyone to plug a computer into it and let you access the network?

Rockwell makes a 1756-EN2TSC module to enable more secure connections between CLX type chassis. For those of us that use RA, have any of us thought to use it? Why aren't there more products like that? Why aren't we clamoring for more types of products like that so I can use it with a CompactLogix or Flex/Point I/O? If we don't demand it, they won't build it.

The timing of me taking this training with the current events in Ukraine is really interesting because we know how exposed so much of our infrastructure is and there is little to no willingness to do anything about it.

OG
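To make concrete what OG says about old protocols wrapped in TCP/IP, here is an added example (not from the thread or from any vendor) that inspects Modbus/TCP frames: the MBAP header is just transaction id, protocol id, length and unit id, followed by the function code, so nothing in the frame ties a write request to an authorised sender and the only control a defender has is where the packet came from. The sample traffic and the allow-listed engineering host are constructed for this example.

```python
# Added example: minimal Modbus/TCP inspector that flags write requests from
# hosts outside an assumed allow-list, plus malformed MBAP headers.
import struct
from typing import List, Optional

WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}
ENGINEERING_HOSTS = {"10.1.1.10"}   # assumed: the only host allowed to write

def parse_mbap(pdu: bytes):
    """Split a Modbus/TCP ADU into (transaction_id, unit_id, function_code, data)."""
    if len(pdu) < 8:
        raise ValueError("short frame")
    tid, proto, length, unit = struct.unpack(">HHHB", pdu[:7])
    if proto != 0:                       # Modbus protocol identifier is always 0
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(pdu) - 6:           # length counts unit id + PDU
        raise ValueError("length field does not match frame")
    return tid, unit, pdu[7], pdu[8:]

def inspect(src_ip: str, pdu: bytes) -> Optional[str]:
    """Return an alert for a write from an unexpected host or a malformed frame."""
    try:
        tid, unit, fc, data = parse_mbap(pdu)
    except ValueError as e:
        return f"MALFORMED from {src_ip}: {e}"
    if fc in WRITE_FUNCTIONS and src_ip not in ENGINEERING_HOSTS:
        return f"WRITE from {src_ip}: {WRITE_FUNCTIONS[fc]} unit={unit} tid={tid}"
    return None                          # reads and authorised writes pass

def build(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Build a Modbus/TCP ADU; used only to construct the sample traffic."""
    return struct.pack(">HHHB", tid, 0, len(data) + 2, unit) + bytes([fc]) + data

# Constructed sample traffic: a read, an authorised write, an unauthorised
# multi-register write, and a frame with a non-zero protocol id.
SAMPLE_TRAFFIC = [
    ("10.1.1.50", build(1, 1, 3, struct.pack(">HH", 0, 10))),
    ("10.1.1.10", build(2, 1, 6, struct.pack(">HH", 0, 1))),
    ("192.168.5.7", build(3, 1, 16, struct.pack(">HHB", 0, 1, 2) + b"\x00\x01")),
    ("192.168.5.7", b"\x00\x04\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a"),
]

def alerts_for(traffic) -> List[str]:
    """Run the inspector over (src_ip, frame) pairs and collect the alerts."""
    return [a for a in (inspect(ip, pdu) for ip, pdu in traffic) if a]
```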
 
I looked at the EN2TSC once, as on the surface it looked like a great idea, but I found it should not be used for connecting outside the local network. Just on the same side (or zone) of the firewall.

If it could tunnel across the internet in a secure fashion unique to the module's hardware signatures, that could be useful, though I still doubt many would trust it enough to use it across the internet.

For that reason I couldn't find a lot of point to that module. I'm sure there is some case where it makes sense, but for the majority I can't see it.
 
And I haven't used it either. To me it seems like primarily a way to secure/encrypt your data. As it stands now, our data is being transmitted in essentially clear text. So these modules would prevent someone on your network from being able to sniff out your data. This device would only operate behind your firewall. Basically sort of like a VPN between the devices.

I would think at some point, when we configure communications, we should have an option to encrypt the data. If I set up a MSG or produce and consume, that should be an option. This module is a way in hardware to do that. But it has a lot of limitations.

OG
 
I was in the IS/IT department at my last job.
We were all engineers, no joke.
We did all the PLC programming, HMIs, Wonderware, Cisco phones and APs, virus software, PC updates.
We kept the plant network away from corporate except for web pages that we programmed for them. We also used a 3rd party interface to call into from home or while on vacation if we had to remote into the plant.
james
 