Designing secure networks for substation automation and control systems

Size: px
Start display at page:

Download "Designing secure networks for substation automation and control systems"

Transcription

1 Designing secure networks for substation automation and control systems Niculescu Eliodor Sorin, Rusta Constantin, Mircea Paul Mihai, Ruieneanu Liviu and Daianu Adrian Abstract Development of the energy systems and utilities (water, gas) and the process information related to them but also their interconnection with other equipments and information systems led to increasing the risk and vulnerability; thus occurring the access possibility to the command /control systems and data for an unauthorized persons that may influence the operational safety. It also results need to take measures to increase security systems by removing all data connections or linkages that are not necessary for the operative management of the energy system. This paper focuses on describes a possible solution to increase safety for better management as well as to obtain more precise information (accurate) about events that occur while also reducing the vulnerability of the systems. Keywords Network security planning, process information system, risk, safety data, SCADA systems. I. INTRODUCTION NFORMATION systems security process is a relatively new I IT technology, and was released as a result of the inherent diversification of communication in modern society based on efficiency and speed in decision making processes. services, web, data transfer, etc. is based on a sense of security often false, which can generate potential gains rapid access to information, but can cause major losses due to theft of data or insert false or misleading [1]. Command-control systems and automation in power systems are a special category of information process, which combined with the computer systems of the utilities (water, gas) are the backbone of technical civilization. Power systems are a special category of industrial systems with high sensitivity and can go in case of errors / mistakes in the states of partial or total unavailability (the blackout) as E. S. Niculescu, Romanian National Power Grid Company Transelectrica Co., SCADA and Substation Control Systems Dept. Currently is PhD student at the University of Craiova, Faculty of Electrical Engineering sniculescu@pasys.ro;eli.sorin@gmail.com C. Rusta, Romanian Hydro Power Company Hidroelectrica Co., SCADA and Industrial Systems Dept. (constantin.rusta@gmail.com). P. M. Mircea, University of Craiova, Faculty of Electrical Engineering, Decebal Boulevard, no.107, Craiova, Romania; mmircea@elth.ucv.ro. L. Ruieneanu is with the University of Craiova, Faculty of Electrical Engineering, Decebal Boulevard, no.107, Craiova, Romania: lruieneanu@elth.ucv.ro. A. Daianu, Romanian Hydro Service Power Company Hydroserv Co., Automation and Protection Relay Dept. (daianuadrian@gmail.com). having a strong impact on business and everyday life. Moreover, if the decommissioning of the source system has an "intruder" external or external cause, the impact is even greater because the entire basic infrastructure is compromised, and could thus make "scenarios" different from any geographic points of the world. If until few years ago these systems automation data network operated as "isolated" (self), new communications technologies have allowed their interconnection and implementation processes and telemanagement remote, which to some extent vulnerable security systems [3]. This integration of the local computer subsystems and motivation was to achieve high coverage networks (WAN Wide Area Network) to: faster data acquisition, low propagation delay information to post-factum analysis centers, increasing the time response, optimization of decision making and maintaining a close link to the center to coordinate with various sublevels of subordination (Company / Branches / Centers / Substations / Process). II. PROCESS INFORMATION SYSTEMS - BOUNDING ENERGY DOMAIN A. Definition. Features. Requirements Process Information Systems (PIS) is an information system as part of the collection, transmission, storage and processing is done using the elements or components of IT (Information Technology) [4], means that computers and modern communications, software specialized procedures and techniques plus trained personnel. In other words, PIS is that part of the information system, including acquisition, processing and automatic transmission of data and information within a macro information system [5]. Characteristics of information systems: there any system should have as a central database in real time (RTDB - Real Time Data Base), the stored data to be interrelated among themselves from internal and external sources; an information system must be authentic, accurate, and support presentation range from management level to another; a system must include a variety of mathematical models, technical, economic, eg, optimization models, simulation models, models of efficiency; ISBN:

2 a system should be designed as a man-machine (HMI - Human Machine Interface) offering the possibility of an immediate and friendly interaction between user and system; a system must provide the highest possible degree of integration in two aspects: internal integration and external integration. Computer system requirements: To achieve systems that meet the required characteristics of systems is necessary to take into account the following requirements: a grounding system design to be made on grounds of economic efficiency; a direct participation in the design of management information system unit; ensuring a high technical level of the solutions adopted; a solution adopted in accordance with available resources and restrictions. Structuring of information systems requirements in the overall design stages: one on each level of the structure must ensure the uniqueness criterion for decomposition of the system; a structure made up later to allow the entire system by aggregating separate modules. B. SCADA Systems It was tried to delimit the scope of the above systems and their implementation to investigate how the National Power Grid System reacts. Thus, process control systems for power are known in literature as SCADA (Supervisory Control and Data Acquisition) systems. They are the "tools" based on the computers, which energy operators used to assist in controlling the operation of complex energy systems [2]. Base entire scaffold which contribute to the supervision, control and monitoring of electrical substation equipment and power networks is the control and data acquisition. The functions of SCADA Systems supervising and control of equipment or parts of the facility and power networks. an alarm to "recognition" of the system with inadequate state supervision of equipment and networks; post factum analysis maintain a running history of events in the surveillance; a graphical user interface (GUI - Graphical User Interface); a self-diagnostics for continuous monitoring of their functional parameters; planning and tracking a maintenance process. The architecture of control systems must comply with the requirements of open systems OSI - ISO (Open Systems Interconnection International Standard Organization). An open system provides opportunities that make applications such as: a system can be implemented from several suppliers of equipment; one can work with other applications made in open systems; to present a consistent style of interaction with the user; The more open open-concept system that brings in SCADA system design is the ability to distribute processing functions Fig.1 general architecture of a basic Substation Automation System ISBN:

3 in various knots. Each node is functionally independent of the hardware resource. Dependence between nodes is variable, however the hardware must be provided as independent as possible, this way, and it can get the opportunity to expand further or replacement. Also, the independence of processing nodes used to minimize transmission of messages and data network load. Within the node redundancy increases availability and reduces the risk of loss and loss distribution functions for other nodes. A characteristic of open systems is that nodes can be located at any distance, distributed architecture becomes a necessity, and used as a support for local data communication networks (LAN Local Area Network) and remote (WAN Wide Area Network) made using standard procedures and interfaces [7]. In Fig.1 is presented the general architecture of a distributed SCADA system, the key is to connect various components through communication networks. C. The integration concept of distributed information systems If in the early stages, information systems at power station were isolated entities, and their only external connection is made only with the dispatch center (the serial protocols IEC , invulnerable to attacks) [9], the integration of these new policies structures of complex computer systems using competitive communication protocols (based on TCP / IP) led to an increase in default and vulnerability. In order, to maximize technical and economic supervised process, the centralization of information and increase safety of National Power System were created regional information infrastructure (Control Center) which are able to download the complete information flow on all electric substations under the action of these centers. Thus, developing the concept of Wide Area SCADA (Fig. 2) which requires a full integration of these sub-control protections (SAS), in the compact and complex computer entity capable of providing a remote management of all facilities automation without the need for continuous operational tour [6]. To achieve this goal, it is necessary the use of communication protocols capable of managing the entire amount of exchange of information between control centers and the process itself. III. THE SAS SECURITY A. Network Security Planning In a computer network, there must be assurance that sensitive data is protected so that only authorized users have access to them [6]. The vulnerability of computer networks is manifested in two ways: modification or destruction of information (attack the physical integrity); a possibility of unauthorized use of information; Providing "safety data" stored in a computer network involves procedures for handling data that can not lead to the accidental distribution of their measures and / or duplication of important data to be restored if necessary. Having a secure computer network with access to data requires a user authentication procedure and / or differentiated authorization for certain resources. Any network should be protected against intentional or accidental damage. There are four major threats to the security of computer networks, as below: unauthorized access; electronic data alteration; data theft; on purpose or accidental damage. Is the responsibility of the network administrator to ensure a secure, reliable and ready to face the dangers above? It is believed that a computer system / computer network is safe(s) if all its operations are always carried out according to strictly defined rules, which results in a complete protection of entities, resources and operations. The list of threats is the defining security requirements. Once they are known that the rules should be developed to control all network operations. These operational rules are called "security services", and implementation services are by security protocols [6]. To define a secure computer network should be developed as follows: a list of security requirements; rules for protection and security. Fig. 2 wide area SCADA concept ISBN:

4 B. Defining security policies In a computer network security model assumes the existence of three levels: a physical security; a logic of security levels; a secure connection. Establish security policies and provide general orientation guidelines for network administrators and users in case of unforeseen circumstances. The most important security policies are: prevention, authentication and training. IV. ISSUES TO BE TAKEN INTO ACCOUNT IN THE DESIGN PROCESS SYSTEMS RELATED NETWORKS A. Identify all existing connections to the SCADA Systems This entails a detailed analysis of network structure of the SCADA system for assessing risk and the need for all network connections. In this stage are assessed the following types of connections: Connecting to a SCADA computer network management of LAN, WAN (business networks); Connecting SCADA Systems to the Internet; Connecting to a SCADA Systems, the certain equipment including wireless connections via satellite; An existence of modems or other dial-up connections; An adjacent connection with partners, regulatory agencies, etc. B. Disconnect from the SCADA systems all unnecessary connections To ensure the highest degree of security of SCADA systems, recommended a "containment" of networks related to other adjacent networks or connections that are not related to the process. Any connection to / with another network introduces security risks, especially in if it creates a path or connection to the Internet. Although direct interconnection with other networks / subnets can allow efficient and convenient information exchange, risk of insecure connections vulnerable to process network is large, the optimum is why the "isolation" of the SCADA network. Can be used strategies such as using the "demilitarized zones" (DMZs De Militarized Zones), and virtual sharing of computer related applications regarding managerial and process applications, but all of them, must be designed and implemented properly to avoid placing an additional risk by an incorrect configuration. C. Evaluation and strengthening of securing all remaining connections to the SCADA system This goal involves conducting penetration testing or vulnerability of all remaining links to the SCADA network to be able to assess the security of these connections [5]. In this respect, it is essential that every entry point to be used to process network firewalls and detection systems "Intruder" (IDS - Intrusion Detection Systems). Physically, the firewall can be a simple PC, workstation, router or mainframe. From a logical standpoint, the firewall determines what information or services can be accessed from outside the network and who has the right to access these resources. The firewall is located in the internal network makes the junction with the external network, called the checkpoint area. The main functional components of a firewall: a packet filtering router; an application-level proxy gateway; a circuit-level gateway. Packet filtering router is a network that transmits packets based on filtering rules implemented rules that are based on security policy. If it is known the source or destination addresses, filtering rules on the router can accept or reject a packet depending on this information. Data packets have a destination other than the IP address of those servers will not be allowed into the network. Application-level control is achieved most often through a gate (gateway) or proxy server. The gateway must be properly installed proxy code for every application that wants to pass the gate. During the dialogue between a client and a server, the proxy server acts as the client and also becomes the target server or client. For the original client, proxy server functions in a transparent but is able to monitor and filter out certain commands or information. Proxy server is a dedicated server application running on the computer network that connects our world. Because customers can access a proxy server as the client software must be modified to support proxy connection and proxy server log on. D. Avoiding possible use of proprietary protocols in SCADA systems Some SCADA systems use (purely commercial reasons) proprietary protocols for communication between the terminals in the field" and servers; this is very risky because network security is often based solely on the security of these protocols obscure low. In addition, the developer of such protocols can provide communication interfaces to other producers of some of its protocol specifications thereby increasing the vulnerability of the network indirectly through attacks backdoors. E. Remove or disable unnecessary services SCADA servers built on open operating systems are easily exposed to attacks via the default network services. To reduce the risk of direct attack is recommended to remove or disable unused network services, this is particularly important when SCADA networks to interconnect with other ISBN:

5 networks. An example of such a network service is "Remote maintenance, which should always be carried out only off and on the ground and only by authorized personnel in this regard. It is also recommended that access these systems to management / administration to make only a single external point of access and only the system administrator based on the company's internal regulations. V. CONCLUSION IT security mechanisms described above is a possible solution to achieve the perspective LANs process allowing better management of facilities, a more precise and accurate information on the events run, decrease the vulnerability of computer systems, high reliability and technology tends to occupy all the industries. REFERENCES [1] K.C. Claffey, Internet measurement: myths about Internet data CAIDA, UCSD [2] E.J. Byres, Network secures process control, InTech, Instrument Society of America, pp , Oct [3] Smith, T.; Hacker jailed for revenge sewage attacks, The Register, October 31, 2001, [4] E.J. Byres and D. Hoffman; IT Security and the Plant Floor, InTech Magazine, Instrumentation Systems and Automation Society, Research Triangle Park, NC, p. 76, December [5] E.J. Byres; Designing Secure Networks for Process Control, IEEE Industry Applications Magazine, Institute of Electrical and Electronics Engineers, New York, Vol. 6, No. 5 p , September/October [6] J.C. Netzel, Network Security Across Wide Area Networks & the Internet, IndComm 2003, Melbourne Australia, May [7] S. Kunsman and M. Braemdle; Cyber security for substation automation protection and controls systems, ABB Inc., [8] F.Hohlbaum, M.Braendle, F.Alvarez, Cyber security Practical considerations for implementing IEC 62351, PAC Conference [9] International Standard IEC , Second edition , Telecontrol equipment and systems Part 5-101: Transmission protocols Companion standard for basic telecontrol tasks. ISBN:

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808 cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

More information

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY IT FIREWALL POLICY TABLE OF CONTENT 1. INTRODUCTION... 3 2. TERMS AND DEFINITION... 3 3. PURPOSE... 5 4. SCOPE... 5 5. POLICY STATEMENT... 5 6. REQUIREMENTS... 5 7. OPERATIONS... 6 8. CONFIGURATION...

More information

SCADA SYSTEMS AND SECURITY WHITEPAPER

SCADA SYSTEMS AND SECURITY WHITEPAPER SCADA SYSTEMS AND SECURITY WHITEPAPER Abstract: This paper discusses some of the options available to companies concerned with the threat of cyber attack on their critical infrastructure, who as part of

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Security Scanning Procedures Version 1.1 Release: September 2006 Table of Contents Purpose...1 Introduction...1 Scope of PCI Security Scanning...1 Scanning

More information

E-Commerce Security Perimeter (ESP) Identification and Access Control Process

E-Commerce Security Perimeter (ESP) Identification and Access Control Process Electronic Security Perimeter (ESP) Identification and Access Control Process 1. Introduction. A. This document outlines a multi-step process for identifying and protecting ESPs pursuant to the North American

More information

Overview. Firewall Security. Perimeter Security Devices. Routers

Overview. Firewall Security. Perimeter Security Devices. Routers Overview Firewall Security Chapter 8 Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security

More information

Cyber Security Management for Utility Operations by Dennis K. Holstein (Opus Publishing) and Jose Diaz (Thales esecurity)

Cyber Security Management for Utility Operations by Dennis K. Holstein (Opus Publishing) and Jose Diaz (Thales esecurity) Cyber Security Management for Utility Operations by Dennis K. Holstein (Opus Publishing) and Jose Diaz (Thales esecurity) Abstract Strong identity management enforced with digital authentication mechanisms

More information

Security threats and network. Software firewall. Hardware firewall. Firewalls

Security threats and network. Software firewall. Hardware firewall. Firewalls Security threats and network As we have already discussed, many serious security threats come from the networks; Firewalls The firewalls implement hardware or software solutions based on the control of

More information

Innovative Defense Strategies for Securing SCADA & Control Systems

Innovative Defense Strategies for Securing SCADA & Control Systems 1201 Louisiana Street Suite 400 Houston, Texas 77002 Phone: 877.302.DATA Fax: 800.864.6249 Email: info@plantdata.com Innovative Defense Strategies for Securing SCADA & Control Systems By: Jonathan Pollet

More information

CYBER SECURITY: SYSTEM SERVICES FOR THE SAFEGUARD OF DIGITAL SUBSTATION AUTOMATION SYSTEMS. Massimo Petrini (*), Emiliano Casale TERNA S.p.A.

CYBER SECURITY: SYSTEM SERVICES FOR THE SAFEGUARD OF DIGITAL SUBSTATION AUTOMATION SYSTEMS. Massimo Petrini (*), Emiliano Casale TERNA S.p.A. 21, rue d Artois, F-75008 PARIS D2-102 CIGRE 2012 http : //www.cigre.org CYBER SECURITY: SYSTEM SERVICES FOR THE SAFEGUARD OF DIGITAL SUBSTATION AUTOMATION SYSTEMS Massimo Petrini (*), Emiliano Casale

More information

What would you like to protect?

What would you like to protect? Network Security What would you like to protect? Your data The information stored in your computer Your resources The computers themselves Your reputation You risk to be blamed for intrusions or cyber

More information

Practical Considerations for Security

Practical Considerations for Security Practical Considerations for Security Steven Hodder GE Digital Energy, Multilin 1. Introduction This paper has been prepared to outline some practical security strategies for protection & control engineers

More information

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion Network Security Tampere Seminar 23rd October 2008 1 Copyright 2008 Hirschmann 2008 Hirschmann Automation and and Control GmbH. Contents Overview Switch Security Firewalls Conclusion 2 Copyright 2008 Hirschmann

More information

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab 9940313 March 04, 2004

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab 9940313 March 04, 2004 SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab 9940313 March 04, 2004 Introduction: A computer firewall protects computer networks from unwanted intrusions which could compromise confidentiality

More information

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Module 8. Network Security. Version 2 CSE IIT, Kharagpur Module 8 Network Security Lesson 3 Firewalls Specific Instructional Objectives On completion of this lesson, the students will be able to answer: What a firewall is? What are the design goals of Firewalls

More information

Security Issues with Integrated Smart Buildings

Security Issues with Integrated Smart Buildings Security Issues with Integrated Smart Buildings Jim Sinopoli, Managing Principal Smart Buildings, LLC The building automation industry is now at a point where we have legitimate and reasonable concern

More information

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013 CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access

More information

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD005.001. Effective Date: April 7, 2005

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD005.001. Effective Date: April 7, 2005 State of New Mexico Statewide Architectural Configuration Requirements Title: Network Security Standard S-STD005.001 Effective Date: April 7, 2005 1. Authority The Department of Information Technology

More information

Dr. György Kálmán gyorgy@mnemonic.no

Dr. György Kálmán gyorgy@mnemonic.no COMMUNICATION AND SECURITY IN CURRENT INDUSTRIAL AUTOMATION Dr. György Kálmán gyorgy@mnemonic.no Agenda Connected systems historical overview Current trends, concepts, pre and post Stuxnet Risks and threats

More information

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc. Securing Modern Substations With an Open Standard Network Security Solution Kevin Leech Schweitzer Engineering Laboratories, Inc. Copyright SEL 2009 What Makes a Cyberattack Unique? While the resources

More information

1. Cyber Security. White Paper Data Communication in Substation Automation System (SAS) Cyber security in substation communication network

1. Cyber Security. White Paper Data Communication in Substation Automation System (SAS) Cyber security in substation communication network WP 1004HE Part 5 1. Cyber Security White Paper Data Communication in Substation Automation System (SAS) Cyber security in substation communication network Table of Contents 1. Cyber Security... 1 1.1 What

More information

Cornerstones of Security

Cornerstones of Security Internet Security Cornerstones of Security Authenticity the sender (either client or server) of a message is who he, she or it claims to be Privacy the contents of a message are secret and only known to

More information

SEMANTIC SECURITY ANALYSIS OF SCADA NETWORKS TO DETECT MALICIOUS CONTROL COMMANDS IN POWER GRID

SEMANTIC SECURITY ANALYSIS OF SCADA NETWORKS TO DETECT MALICIOUS CONTROL COMMANDS IN POWER GRID SEMANTIC SECURITY ANALYSIS OF SCADA NETWORKS TO DETECT MALICIOUS CONTROL COMMANDS IN POWER GRID ZBIGNIEW KALBARCZYK EMAIL: KALBARCZ@ILLINOIS.EDU UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN JANUARY 2014

More information

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA Firewalls Securing Networks Chapter 3 Part 1 of 4 CA M S Mehta, FCA 1 Firewalls Learning Objectives Task Statements 1.3 Recognise function of Telecommunications and Network security including firewalls,..

More information

Firewall Architecture

Firewall Architecture NEXTEP Broadband White Paper Firewall Architecture Understanding the purpose of a firewall when connecting to ADSL network services. A Nextep Broadband White Paper June 2001 Firewall Architecture WHAT

More information

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM Okumoku-Evroro Oniovosa Lecturer, Department of Computer Science Delta State University, Abraka, Nigeria Email: victorkleo@live.com ABSTRACT Internet security

More information

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls CEN 448 Security and Internet Protocols Chapter 20 Firewalls Dr. Mostafa Hassan Dahshan Computer Engineering Department College of Computer and Information Sciences King Saud University mdahshan@ccis.ksu.edu.sa

More information

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1 Industrial Network Security for SCADA, Automation, Process Control and PLC Systems Contents 1 An Introduction to Industrial Network Security 1 1.1 Course overview 1 1.2 The evolution of networking 1 1.3

More information

Basic Network Configuration

Basic Network Configuration Basic Network Configuration 2 Table of Contents Basic Network Configuration... 25 LAN (local area network) vs WAN (wide area network)... 25 Local Area Network... 25 Wide Area Network... 26 Accessing the

More information

Understanding SCADA System Security Vulnerabilities

Understanding SCADA System Security Vulnerabilities Understanding SCADA System Security Vulnerabilities Talking Points Executive Summary Common Misconceptions about SCADA System Security Common Vulnerabilities Affecting SCADA Networks Tactics to Strengthen

More information

Firewalls. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49. Firewall Design Principles

Firewalls. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49. Firewall Design Principles Firewalls Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49 1 Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Configurations

More information

SCADA/Business Network Separation: Securing an Integrated SCADA System

SCADA/Business Network Separation: Securing an Integrated SCADA System SCADA/Business Network Separation: Securing an Integrated SCADA System This white paper is based on a utility example but applies to any SCADA installation from power generation and distribution to water/wastewater

More information

Agenda. Understanding of Firewall s definition and Categorization. Understanding of Firewall s Deployment Architectures

Agenda. Understanding of Firewall s definition and Categorization. Understanding of Firewall s Deployment Architectures Firewall Agenda Unit 1 Understanding of Firewall s definition and Categorization Unit 2 Understanding of Firewall s Deployment Architectures Unit 3 Three Representative Firewall Deployment Examples in

More information

DATA SECURITY 1/12. Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0

DATA SECURITY 1/12. Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0 DATA SECURITY 1/12 Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0 Contents 1. INTRODUCTION... 3 2. REMOTE ACCESS ARCHITECTURES... 3 2.1 DIAL-UP MODEM ACCESS... 3 2.2 SECURE INTERNET ACCESS

More information

Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 9 Firewalls and Intrusion Prevention Systems Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish

More information

Banking Security using Honeypot

Banking Security using Honeypot Banking Security using Honeypot Sandeep Chaware D.J.Sanghvi College of Engineering, Mumbai smchaware@gmail.com Abstract New threats are constantly emerging to the security of organization s information

More information

SCADA System Security. ECE 478 Network Security Oregon State University March 7, 2005

SCADA System Security. ECE 478 Network Security Oregon State University March 7, 2005 SCADA System Security ECE 478 Network Security Oregon State University March 7, 2005 David Goeke Hai Nguyen Abstract Modern public infrastructure systems

More information

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA To purchase Full version of Practice exam click below; http://www.certshome.com/jk0-022-practice-test.html FOR CompTIA JK0-022 Exam Candidates

More information

Networking Basics for Automation Engineers

Networking Basics for Automation Engineers Networking Basics for Automation Engineers Page 1 of 10 mac-solutions.co.uk v1.0 Oct 2014 1. What is Transmission Control Protocol/Internet Protocol (TCP/IP)------------------------------------------------------------

More information

How To Protect Power System From Attack From A Power System (Power System) From A Fault Control System (Generator) From An Attack From An External Power System

How To Protect Power System From Attack From A Power System (Power System) From A Fault Control System (Generator) From An Attack From An External Power System Network Security in Power Systems Maja Knezev and Zarko Djekic Introduction Protection control Outline EMS, SCADA, RTU, PLC Attacks using power system Vulnerabilities Solution Conclusion Introduction Generator

More information

By David G. Holmberg, Ph.D., Member ASHRAE

By David G. Holmberg, Ph.D., Member ASHRAE The following article was published in ASHRAE Journal, November 2003. Copyright 2003 American Society of Heating, Refrigerating and Air-Conditioning Engineers, Inc. It is presented for educational purposes

More information

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall Chapter 10 Firewall Firewalls are devices used to protect a local network from network based security threats while at the same time affording access to the wide area network and the internet. Basically,

More information

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection. A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based

More information

System insecurity ± firewalls

System insecurity ± firewalls Mayur S. Desai Assistant Professor, School of Business, Indiana University Kokomo, Kokomo, Indiana, USA Thomas C. Richards Professor, Business Computer Information Systems Department, The University of

More information

Firewall Design Principles Firewall Characteristics Types of Firewalls

Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Design Principles Firewall Characteristics Types of Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for these slides. Fall 2008

More information

SCADA Security Measures

SCADA Security Measures Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA SCADA Security Measures

More information

SECURING AN INTEGRATED SCADA SYSTEM. Technical Paper April 2007

SECURING AN INTEGRATED SCADA SYSTEM. Technical Paper April 2007 SECURING AN INTEGRATED SCADA SYSTEM Network Security & SCADA Systems Whitepaper Technical Paper April 2007 Presented by: Scott Wooldridge Managing Director of Oceania Citect 1 Abstract This paper discusses

More information

Chapter 20. Firewalls

Chapter 20. Firewalls Chapter 20. Firewalls [Page 621] 20.1 Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Configurations 20.2 Trusted Systems Data Access Control The Concept of Trusted Systems

More information

Improving SCADA Control Systems Security with Software Vulnerability Analysis

Improving SCADA Control Systems Security with Software Vulnerability Analysis Improving SCADA Control Systems Security with Software Vulnerability Analysis GIOVANNI CAGALABAN, TAIHOON KIM, SEOKSOO KIM Department of Multimedia Hannam University Ojeong-dong, Daedeok-gu, Daejeon 306-791

More information

Firewalls (IPTABLES)

Firewalls (IPTABLES) Firewalls (IPTABLES) Objectives Understand the technical essentials of firewalls. Realize the limitations and capabilities of firewalls. To be familiar with iptables firewall. Introduction: In the context

More information

AUDITOR GENERAL S REPORT. Protection of Critical Infrastructure Control Systems. Report 5 August 2005

AUDITOR GENERAL S REPORT. Protection of Critical Infrastructure Control Systems. Report 5 August 2005 AUDITOR GENERAL S REPORT Protection of Critical Infrastructure Control Systems Report 5 August 2005 Serving the Public Interest Serving the Public Interest THE SPEAKER LEGISLATIVE ASSEMBLY THE PRESIDENT

More information

Security Design. thm@informatik.uni-rostock.de http://wwwiuk.informatik.uni-rostock.de/

Security Design. thm@informatik.uni-rostock.de http://wwwiuk.informatik.uni-rostock.de/ Security Design thm@informatik.uni-rostock.de http://wwwiuk.informatik.uni-rostock.de/ Content Security Design Analysing Design Requirements Resource Separation a Security Zones VLANs Tuning Load Balancing

More information

ISACA rudens konference

ISACA rudens konference ISACA rudens konference 8 Novembris 2012 Procesa kontroles sistēmu drošība Andris Lauciņš Ievads Kāpēc tēma par procesa kontroles sistēmām? Statistics on incidents Reality of the environment of industrial

More information

Secure Networking for Critical Infrastructure Using Service-aware switches for Defense-in-Depth deployment

Secure Networking for Critical Infrastructure Using Service-aware switches for Defense-in-Depth deployment Secure Networking for Critical Infrastructure Using Service-aware switches for Defense-in-Depth deployment Introduction 1 Distributed SCADA security 2 Radiflow Defense-in-Depth tool-set 4 Network Access

More information

Overview - Using ADAMS With a Firewall

Overview - Using ADAMS With a Firewall Page 1 of 6 Overview - Using ADAMS With a Firewall Internet security is becoming increasingly important as public and private entities connect their internal networks to the Internet. One of the most popular

More information

Overview - Using ADAMS With a Firewall

Overview - Using ADAMS With a Firewall Page 1 of 9 Overview - Using ADAMS With a Firewall Internet security is becoming increasingly important as public and private entities connect their internal networks to the Internet. One of the most popular

More information

On the use of Honeypots for Detecting Cyber Attacks on Industrial Control Networks

On the use of Honeypots for Detecting Cyber Attacks on Industrial Control Networks CIBSI 2013 Panama City, Panama, October 30 th, 2013 On the use of Honeypots for Detecting Cyber Attacks on Industrial Control Networks Paulo Simões, Tiago Cruz, Jorge Gomes, Edmundo Monteiro psimoes@dei.uc.pt

More information

Proxy Server, Network Address Translator, Firewall. Proxy Server

Proxy Server, Network Address Translator, Firewall. Proxy Server Proxy Server, Network Address Translator, Firewall 1 Proxy Server 2 1 Introduction What is a proxy server? Acts on behalf of other clients, and presents requests from other clients to a server. Acts as

More information

8. Firewall Design & Implementation

8. Firewall Design & Implementation DMZ Networks The most common firewall environment implementation is known as a DMZ, or DeMilitarized Zone network. A DMZ network is created out of a network connecting two firewalls; i.e., when two or

More information

Information Security Assessment and Testing Services RFQ # 28873 Questions and Answers September 8, 2014

Information Security Assessment and Testing Services RFQ # 28873 Questions and Answers September 8, 2014 QUESTIONS ANSWERS Q1 How many locations and can all locations be tested from a A1 5 locations and not all tests can be performed from a central location? central location. Q2 Connection type between location

More information

Introduction to Computer Networks and Data Communications

Introduction to Computer Networks and Data Communications Introduction to Computer Networks and Data Communications Chapter 1 Learning Objectives After reading this chapter, you should be able to: Define the basic terminology of computer networks Recognize the

More information

Cyber Security for SCADA/ICS Networks

Cyber Security for SCADA/ICS Networks Cyber Security for SCADA/ICS Networks GANESH NARAYANAN HEAD-CONSULTING CYBER SECURITY SERVICES www.thalesgroup.com Increasing Cyber Attacks on SCADA / ICS Systems 2 What is SCADA Supervisory Control And

More information

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module CS 665: Computer System Security Network Security Bojan Cukic Lane Department of Computer Science and Electrical Engineering West Virginia University 1 Usage environment Anonymity Automation, minimal human

More information

Endless possibilities

Endless possibilities Endless possibilities ENDLESS POSSIBILITIES 03 Endless possibilities Iskra Sistemi is a developer and provider of process automation, communications and security systems for power distribution, telecommunications

More information

Network Security Administrator

Network Security Administrator Network Security Administrator Course ID ECC600 Course Description This course looks at the network security in defensive view. The ENSA program is designed to provide fundamental skills needed to analyze

More information

Security for. Industrial. Automation. Considering the PROFINET Security Guideline

Security for. Industrial. Automation. Considering the PROFINET Security Guideline Security for Industrial Considering the PROFINET Security Guideline Automation Industrial IT Security 2 Plant Security Physical Security Physical access to facilities and equipment Policies & Procedures

More information

ICANWK406A Install, configure and test network security

ICANWK406A Install, configure and test network security ICANWK406A Install, configure and test network security Release: 1 ICANWK406A Install, configure and test network security Modification History Release Release 1 Comments This Unit first released with

More information

SCADA and Security Are they Mutually Exclusive? Terry M. Draper, PE, PMP

SCADA and Security Are they Mutually Exclusive? Terry M. Draper, PE, PMP SCADA and Security Are they Mutually Exclusive? Terry M. Draper, PE, PMP Today s Topics SCADA Overview SCADA System vs. IT Systems Risk Factors Threats Potential Vulnerabilities Specific Considerations

More information

PROFESSIONAL SECURITY SYSTEMS

PROFESSIONAL SECURITY SYSTEMS PROFESSIONAL SECURITY SYSTEMS Security policy, active protection against network attacks and management of IDP Introduction Intrusion Detection and Prevention (IDP ) is a new generation of network security

More information

PCI Security Scan Procedures. Version 1.0 December 2004

PCI Security Scan Procedures. Version 1.0 December 2004 PCI Security Scan Procedures Version 1.0 December 2004 Disclaimer The Payment Card Industry (PCI) is to be used as a guideline for all entities that store, process, or transmit Visa cardholder data conducting

More information

Firewalls. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Firewalls. Characteristics.

Firewalls. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Firewalls. Characteristics. ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October 2013 its335y13s2l08, Steve/Courses/2013/s2/its335/lectures/firewalls.tex,

More information

Firewalls. Contents. ITS335: IT Security. Firewall Characteristics. Types of Firewalls. Firewall Locations. Summary

Firewalls. Contents. ITS335: IT Security. Firewall Characteristics. Types of Firewalls. Firewall Locations. Summary 2 : IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October 2013 its335y13s2l08, Steve/Courses/2013/s2/its335/lectures/firewalls.tex, r2958

More information

Network Technologies

Network Technologies Network Technologies Career Cluster Information Technology Course Code 10101 Prerequisite(s) Introduction To Information Technology Careers (Recommended), Computer Applications (Recommended), Computer

More information

Basics of Internet Security

Basics of Internet Security Basics of Internet Security Premraj Jeyaprakash About Technowave, Inc. Technowave is a strategic and technical consulting group focused on bringing processes and technology into line with organizational

More information

White Paper. Cyber Security. Power Industry Locks Down. What s Inside:

White Paper. Cyber Security. Power Industry Locks Down. What s Inside: Invensys is now White Paper Cyber Security Authors: Ernest Rakaczky, Director of Process Control Network Security, Invensys Paul Dacruz, Vice President, Power Industry Solutions What s Inside: 1. Introduction

More information

GE Measurement & Control. Cyber Security for NEI 08-09

GE Measurement & Control. Cyber Security for NEI 08-09 GE Measurement & Control Cyber Security for NEI 08-09 Contents Cyber Security for NEI 08-09...3 Cyber Security Solution Support for NEI 08-09...3 1.0 Access Contols...4 2.0 Audit And Accountability...4

More information

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions Kevin Staggs, Honeywell Process Solutions Table of Contents Introduction...3 Nerc Standards and Implications...3 How to Meet the New Requirements...4 Protecting Your System...4 Cyber Security...5 A Sample

More information

Top-Down Network Design

Top-Down Network Design Top-Down Network Design Chapter Five Designing a Network Topology Copyright 2010 Cisco Press & Priscilla Oppenheimer Topology A map of an internetwork that indicates network segments, interconnection points,

More information

Fig. 4.2.1: Packet Filtering

Fig. 4.2.1: Packet Filtering 4.2 Types of Firewalls /DKo98/ FIREWALL CHARACTERISTICS 1. All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the

More information

Deploying Firewalls Throughout Your Organization

Deploying Firewalls Throughout Your Organization Deploying Firewalls Throughout Your Organization Avoiding break-ins requires firewall filtering at multiple external and internal network perimeters. Firewalls have long provided the first line of defense

More information

Chapter 7. Firewalls http://www.redhat.com/docs/manuals/enterprise/rhel-4-manual/security-guide/ch-fw.html

Chapter 7. Firewalls http://www.redhat.com/docs/manuals/enterprise/rhel-4-manual/security-guide/ch-fw.html Red Hat Docs > Manuals > Red Hat Enterprise Linux Manuals > Red Hat Enterprise Linux 4: Security Guide Chapter 7. Firewalls http://www.redhat.com/docs/manuals/enterprise/rhel-4-manual/security-guide/ch-fw.html

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network

More information

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015 NETWORK ACCESS CONTROL AND CLOUD SECURITY Tran Song Dat Phuc SeoulTech 2015 Table of Contents Network Access Control (NAC) Network Access Enforcement Methods Extensible Authentication Protocol IEEE 802.1X

More information

Designing a security policy to protect your automation solution

Designing a security policy to protect your automation solution Designing a security policy to protect your automation solution September 2009 / White paper by Dan DesRuisseaux 1 Contents Executive Summary... p 3 Introduction... p 4 Security Guidelines... p 7 Conclusion...

More information

Com.X Router/Firewall Module. Use Cases. White Paper. Version 1.0, 21 May 2014. 2014 Far South Networks

Com.X Router/Firewall Module. Use Cases. White Paper. Version 1.0, 21 May 2014. 2014 Far South Networks Com.X Router/Firewall Module Use Cases White Paper Version 1.0, 21 May 2014 2014 Far South Networks Document History Version Date Description of Changes 1.0 2014/05/21 Preliminary 2014 Far South Networks

More information

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Meaning Why is Security Audit Important Framework Audit Process Auditing Application Security

More information

OPERATIONS CAPITAL. The Operations Capital program for the test years is divided into two categories:

OPERATIONS CAPITAL. The Operations Capital program for the test years is divided into two categories: Filed: September 0, 00 EB-00-0 Tab Schedule Page of OPERATIONS CAPITAL.0 INTRODUCTION Operations Capital funds enhancements and replacements to the facilities required to operate the Hydro One Transmission

More information

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT Network Security s Access lists Ingress filtering s Egress filtering NAT 2 Drivers of Performance RequirementsTraffic Volume and Complexity of Static IP Packet Filter Corporate Network The Complexity of

More information

Network Virtualization Network Admission Control Deployment Guide

Network Virtualization Network Admission Control Deployment Guide Network Virtualization Network Admission Control Deployment Guide This document provides guidance for enterprises that want to deploy the Cisco Network Admission Control (NAC) Appliance for their campus

More information

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall? What is a Firewall? Computer Security Firewalls fire wall 1 : a wall constructed to prevent the spread of fire 2 usually firewall : a computer or computer software that prevents unauthorized access to

More information

Security issues in Voice over IP: A Review

Security issues in Voice over IP: A Review www.ijecs.in International Journal Of Engineering And Computer Science ISSN:2319-7242 Volume 3 Issue 2 February, 2014 Page No. 3879-3883 Security issues in Voice over IP: A Review Rajni a, Preeti a, Ritu

More information

87-01-30 Secure External Network Communications Lynda L. McGhie Payoff

87-01-30 Secure External Network Communications Lynda L. McGhie Payoff 87-01-30 Secure External Network Communications Lynda L. McGhie Payoff Large organizations must be able to communicate with external suppliers, partners, and customers. Implementation of bidirectional

More information

Implementation of Virtual Local Area Network using network simulator

Implementation of Virtual Local Area Network using network simulator 1060 Implementation of Virtual Local Area Network using network simulator Sarah Yahia Ali Department of Computer Engineering Techniques, Dijlah University College, Iraq ABSTRACT Large corporate environments,

More information

RuggedCom Solutions for

RuggedCom Solutions for RuggedCom Solutions for NERC CIP Compliance Rev 20080401 Copyright RuggedCom Inc. 1 RuggedCom Solutions Hardware Ethernet Switches Routers Serial Server Media Converters Wireless Embedded Software Application

More information

13 Ways Through A Firewall

13 Ways Through A Firewall Industrial Control Systems Joint Working Group 2012 Fall Meeting 13 Ways Through A Firewall Andrew Ginter Director of Industrial Security Waterfall Security Solutions Proprietary Information -- Copyright

More information

Getting started. Creating a Web Server support application

Getting started. Creating a Web Server support application Getting started Creating a Web Server support application Document revision Date Edition Comments 08/09/2010 1.0 - Sielco Sistemi srl via Roma, 24 I-22070 Guanzate (CO) http://www.sielcosistemi.com Getting

More information

12. Firewalls Content

12. Firewalls Content Content 1 / 17 12.1 Definition 12.2 Packet Filtering & Proxy Servers 12.3 Architectures - Dual-Homed Host Firewall 12.4 Architectures - Screened Host Firewall 12.5 Architectures - Screened Subnet Firewall

More information

Protecting Critical Infrastructure

Protecting Critical Infrastructure Protecting Critical Infrastructure SCADA Network Security Monitoring March 20, 2015 Table of Contents Introduction... 4 SCADA Systems... 4 In This Paper... 4 SCADA Security... 4 Assessing the Security

More information

CAISO Information Security Requirements for the Energy Communication Network (ECN)

CAISO Information Security Requirements for the Energy Communication Network (ECN) Page 1 of 11 REVISION HISTORY VERSION DATE DESCRIPTION DRAFT 0.1 11/27/2002 Initial Draft 1.0 10/13/2003 Initially Released Version 1.1 11/15/2005 Minor clean-up. 1.2 05/30/2006 New logo and appendix change

More information