Over the past few years, the need to protect Industrial Control Systems (ICS) from cyber threats has greatly increased. The integration of industrial Ethernet infrastructure with business networks (and the outside world) has exposed once proprietary systems to attacks no one ever thought they would have to withstand.
At the same time, the cyber threat level, especially threats aimed at the energy industry, has increased dramatically. Control systems have become a key target for security researchers, hackers, and government spy agencies, resulting in exponential growth in security alerts for Supervisory Control and Data Acquisition (SCADA) and ICS products.
Add it up: vital networks with large numbers of hard-to-secure nodes, integrated with business systems and operating 24 hours a day – it’s a significant security challenge. Combine this with the heavily regulated environment and safety concerns of offshore processing platforms, and the task is even harder.
Project: improve reliability, security, availability
This was the situation facing one fixed natural gas and oil gathering and processing platform, located on the US continental shelf. Designed to process a large volume of natural gas and oil from multiple wells, its operating company placed a heavy emphasis on reliability. Any downtime, whether caused by accidental or malicious forces, interrupts field production and is costly.
Complicating matters, the platform is both MTSA (Maritime Transportation Security Act) and TWIC (Transportation Worker Identity Credential) regulated, due to its large production volumes. This meant that the required level of security was significantly more stringent on this platform. Physical security included card readers, closed circuit TV and local/remote monitoring. The company wanted to extend this level of security to include cyber related risks.
So with the goal of maximizing the reliability and uptime, the operating company embarked on a project to improve cyber security on the platform.
Securing Platform Control Systems
The network on the platform spanned across business, operations, and safety systems. As is common on offshore facilities, a wireless backbone connected the platform to the office and control facilities “on the beach.”
Control system networks interconnected a large quantity of programmable logic controllers (PLCs), instrumentation, “smart” automated equipment, and packaged process control equipment. Additionally, the facility communicated with subsea systems and virtual flow meters using the OPC protocol.
Consequently, there was the potential for large amounts of network traffic and crosstalk. Some PLCs used a UDP broadcast/multicast protocol, which further increased the volume of network traffic. Since many automation devices cannot ignore or filter out extraneous network messages, it was necessary to protect those devices from excessive traffic.
The cyber security solution thus had to protect systems from malware and excessive/malformed network traffic to minimize the possibility of unintended network or automation system shutdowns.
A Cyber Security Solution
A “Defense in Depth” network architecture was developed, in accordance with guidelines recommended by the Department of Homeland Security and the ISA/IEC 62443 standards. This architecture separated layers of the business and process control network, using firewalls to permit only necessary traffic between these layers.
The first step was to install an IT firewall to protect the entire platform. However, this alone would do little to defend against problems such as worms introduced via laptops or USB drives. So the automation and business networks were next separated using managed switches and firewalls. Demilitarized Zones (DMZs) were added to protect the process control system from the Internet and the business network.
After careful review of available security products, the engineering team selected an Industrial Security Solution for the control system firewalls. The reasons for this decision included:
Design and Installation
The PLCs at Level 1 in the Process Control Network (PCN), as well as switchgear and various packaged process units, were protected with security appliances loaded with a SCADA-specific firewall module. Only the necessary operating protocols were allowed through the firewalls, as determined by a data exchange strategy.
Reliability of the system was a core requirement. Redundant security appliances were installed in front of redundant Allen-Bradley PLCs. The security appliances were then configured and tested to assure that the failover of the primary PLC processor to the backup processor would not impact control communications, and that the security appliances in turn would maintain security functionality, regardless of the switchover state of the PLCs.
In total, 12 security appliances were used on the platform. All were loaded with a Firewall Loadable Security Module. The Central Management Platform, which manages all of the security appliances from a central location, was installed on a server in the facility.
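The allow-list approach described in this section (only the protocols named in the data exchange strategy pass between zones, everything else is denied, and Level 1 devices that cannot filter traffic themselves are shielded from broadcast storms) can be modelled as a small policy evaluator. This is an added illustration, not the appliance's own configuration or code from Tofino/Belden; the zone addressing, the choice of EtherNet/IP and DCOM ports, and the broadcast budget are assumptions made for the example.

```python
# Added example (not the article's or the vendor's code): a minimal model of the
# zone/conduit allow-list and broadcast rate limiting used on the platform.
# Zone ranges, ports and the per-second broadcast budget are assumptions.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Defense-in-Depth layers (constructed addressing for the example).
ZONES = {
    "business": ip_network("10.1.0.0/16"),
    "dmz": ip_network("10.2.0.0/24"),
    "pcn_l2": ip_network("10.3.0.0/24"),   # HMIs / SCADA servers
    "pcn_l1": ip_network("10.4.0.0/24"),   # PLCs behind the security appliances
}

# Conduits from the data exchange strategy: (src zone, dst zone, proto, dst port).
# Zone-based rules cover both the primary and the backup PLC, so a processor
# switchover needs no rule change. Anything not listed is denied.
ALLOWED = {
    ("pcn_l2", "pcn_l1", "tcp", 44818),  # EtherNet/IP explicit messaging
    ("pcn_l2", "pcn_l1", "udp", 2222),   # EtherNet/IP implicit I/O
    ("pcn_l1", "pcn_l2", "udp", 2222),
    ("dmz", "pcn_l2", "tcp", 135),       # OPC Classic (DCOM) relayed via the DMZ
}

UDP_BCAST_LIMIT_PER_SEC = 20  # assumed budget a Level 1 device can tolerate


def zone_of(ip):
    """Map an address to its zone name, or None if it is outside every zone."""
    addr = ip_address(ip)
    return next((n for n, net in ZONES.items() if addr in net), None)


@dataclass
class Appliance:
    """One security appliance in front of a Level 1 PLC segment."""
    seen: dict = field(default_factory=dict)  # (src, second) -> broadcast count

    def decide(self, src, dst, proto, dport, t, broadcast=False):
        sz, dz = zone_of(src), zone_of(dst)
        if broadcast and dz == "pcn_l1":
            # Per-source, per-second counter: excess broadcasts are dropped so
            # the PLCs never see a storm they cannot filter themselves.
            key = (src, int(t))
            self.seen[key] = self.seen.get(key, 0) + 1
            return "ALLOW:broadcast" if self.seen[key] <= UDP_BCAST_LIMIT_PER_SEC else "DROP:rate-limit"
        if (sz, dz, proto, dport) in ALLOWED:
            return "ALLOW"
        return "DROP:no-conduit"  # default deny, including business -> PLC
```

Running `Appliance().decide(...)` over a constructed packet trace lets the testing regime mentioned later be rehearsed offline: each protocol the operators need should return `ALLOW`, and everything else should fail closed.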
Challenges and Outcomes
As with many IT devices deployed into an automation environment, a challenge during the project was the perception that firewalls make the job of operations and maintenance more difficult. Initially staff had a “knee jerk” reaction to blame the firewalls any time there were network problems. With a thorough testing regime, however, it was shown that the proper protocols were enabled to accommodate all operations.
The cyber security solution has now been in operation for five years. The result has been increased reliability and availability of the platform. A virus outbreak (introduced by a contractor) was contained by the separation strategy. The project is widely seen as a good example of how a well-designed security solution can actually reduce costs and improve productivity on offshore platforms.
Eric Byres is a leading expert in the field of critical infrastructure security. He is CTO and VP Engineering at Tofino Security, a Belden brand. His email is [email protected].