PLC Security for Water / Wastewater Systems

Similar documents
Belden Certified Industrial Network Provider Program

WatchGuard Technologies, Inc. 505 Fifth Avenue South Suite 500, Seattle, WA

Deploying Firewalls Throughout Your Organization

How To Buy Nitro Security

Industrial Security Solutions

Securing the Intelligent Network

Session 14: Functional Security in a Process Environment

Cisco Advanced Services for Network Security

IBM Security IBM Corporation IBM Corporation

Introducing IBM s Advanced Threat Protection Platform

Protecting Your Organisation from Targeted Cyber Intrusion

Using Tofino to control the spread of Stuxnet Malware

Symantec Enterprise Firewalls. From the Internet Thomas Jerry Scott

The Advantages of an Integrated Factory Acceptance Test in an ICS Environment

Virtualized Security: The Next Generation of Consolidation

Innovative Defense Strategies for Securing SCADA & Control Systems

IBM Advanced Threat Protection Solution

Virtual Patching: a Proven Cost Savings Strategy

Industrial HiVision Software

District Heating Network Monitoring, Control and Optimization with CyberVille IoE Application Platform

Using ISA/IEC Standards to Improve Control System Security

OPC & Security Agenda

IBM QRadar Security Intelligence April 2013

Requirements When Considering a Next- Generation Firewall

Optimizing and Securing an Industrial DCS with VMware

IT Security and OT Security. Understanding the Challenges

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Industrial Ethernet Infrastructure Design Seminar

Testing Challenges for Modern Networks Built Using SDN and OpenFlow

McAfee Global Threat Intelligence File Reputation Service. Best Practices Guide for McAfee VirusScan Enterprise Software

White Paper. 7 Steps to ICS and SCADA Security. Tofino Security exida Consulting LLC. Contents. Authors. Version 1.0 Published February 16, 2012

The Four-Step Guide to Understanding Cyber Risk

CA Host-Based Intrusion Prevention System r8.1

How To Secure Your System From Cyber Attacks

Providing Secure IT Management & Partnering Solution for Bendigo South East College

Next-Generation Firewalls: Critical to SMB Network Security

GE Intelligent Platforms. Understanding and Minimizing Your HMI/SCADA System Security Gaps

Best Practices in ICS Security for System Operators. A Wurldtech White Paper

Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform

Securing EtherNet/IP Using DPI Firewall Technology

McAfee Next Generation Firewall Optimize your defense, resilience, and efficiency.

The Importance of Cybersecurity Monitoring for Utilities

Cyber Security: Beginners Guide to Firewalls

BlackStratus for Managed Service Providers

INTEGRATING SUBSTATION IT AND OT DEVICE ACCESS AND MANAGEMENT

Der Weg, wie die Verantwortung getragen werden kann!

Secure Networking for Critical Infrastructure Using Service-aware switches for Defense-in-Depth deployment

Reasons Enterprises. Prefer Juniper Wireless

COUNTERSNIPE

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

Industrial Control Systems Security Guide

Scott Lucas: I m Scott Lucas. I m the Director of Product Marketing for the Branch Solutions Business Unit.

nfx One for Managed Service Providers

DNP Serial SCADA to SCADA Over IP: Standards, Regulations Security and Best Practices

Work Process Management

ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT

Ecom Infotech. Page 1 of 6

Getting Ahead of Malware

Security strategies to stay off the Børsen front page

This is a preview - click here to buy the full publication

A Systems Approach to HVAC Contractor Security

Dell SonicWALL Portfolio

Cloud and Critical Infrastructures how Cloud services are factored in from a risk perspective

Secure access to a water treatment plant s SCADA network

Meeting the Challenges of Virtualization Security

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Bridging the gap between COTS tool alerting and raw data analysis

SANS Top 20 Critical Controls for Effective Cyber Defense

How To Create An Intelligent Infrastructure Solution

Network Access Control in Virtual Environments. Technical Note

Network Instruments white paper

Security for. Industrial. Automation. Considering the PROFINET Security Guideline

NX 9500 INTEGRATED SERVICES PLATFORM FOR THE PRIVATE CLOUD

A Closer Look at Wireless Intrusion Detection: How to Benefit from a Hybrid Deployment Model

Technology Brief Demystifying Cloud Security

Preparing your network for the mobile onslaught

Endless possibilities

1110 Cool Things Your Firewall Should Do. Extending beyond blocking network threats to protect, manage and control application traffic

References NYS Office of Cyber Security and Critical Infrastructure Coordination Best Practices and Assessment Tools for the Household

Security all around. Industrial security for your plant at all levels. siemens.com/industrialsecurity. Answers for industry.

Ease Server Support With Pre-Configured Virtualization Systems

ACI SELF-SERVICE BANKING

Industrial Control System Cyber Situational Awareness. Robert M. Lee* June 10 th, 2015

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

How To Protect A Web Application From Attack From A Trusted Environment

SYMANTEC MANAGED SECURITY SERVICES. Superior information security delivered with exceptional value.

Cyber Security Beginners Guide to Firewalls A Non-Technical Guide

SECURITY IN THE INTERNET OF THINGS

IBM QRadar Security Intelligence Platform appliances

Transcription:

INDUSTRIAL INTERNET IN ACTION CASE STUDY PLC Security for Water / Wastewater Systems EXECUTIVE SUMMARY You have likely never worried about the possibility of a high school geek doing some programming that affects your home water quality. Well, neither had I until I learnt that some municipal networks have no security between the network their schools use and the one that runs their water/wastewater facility. This was the situation in a mid-sized city in the Eastern U.S. In 2012, the Department of Water Resources upgraded their SCADA network to industrial Ethernet. At the time, there was little protection or separation of the SCADA network from the city s IT network. While this provided many benefits, it also made the controls network susceptible to malware attacks and traffic storms. Figure 1 Water / wastewater facilities, such as this one in San Francisco, typically may not have prioritized cyber security. Nowadays, however, attacks on PLC-based systems are increasing. Fortunately, the team involved, particularly the plant electronics technician, recognized the issue and took the initiative to review the situation and look for ways to improve security. What unfolded next is a great example of how multiple industry players, that is, a standards organization, a cyber security services group and a vendor were able to work together to provide a robust solution. THE CHALLENGE In the city in question, the Department of Water Resources oversees the city s water and wastewater treatment facilities, as well as the local reservoir, water lines, storm sewers, sanitary sewers and water meter reading. The system is complex: October 30, 2015-1 -

24 buildings house more than 500 pieces of equipment that run the 15 processes needed to treat the 13 million gallons of wastewater each day. And that s 24 hours a day Possible solutions included locking the wastewater treatment network down and adding air gaps to physically separate the control and business networks. The operations team, however, needed a networked solution that allowed them to share data interdepartmentally, maintain remote support capabilities and secure wastewater operations. THE SOLUTION Parts 1 and 2: ISA Industrial Cyber Security Course and Tofino Security products The proactive plant electronics technician attended the International Society of Automation s (ISA) Water/Wastewater and Automatic Controls Symposium and participated in a one-day security course that taught him the fundamentals of the ISA/IEC 62443 cyber security standards. In addition, a neutral third party presented Belden s EAGLE Tofino product portfolio. After reviewing several other options, the city staff selected to move forward with Belden s solution due to some specific benefits it could provide. These included: The ease with which the Tofino Security products can be installed. The ability to significantly restrict traffic on the programmable logic controllers (PLCs). The test mode option that allows for testing before pushing live onto the system. In the end, the local team purchased a Tofino Central Management Platform (CMP) and 13 Tofino Security Appliances with firewalls to secure each PLC on the network. If a PLC crashes, so does the entire system. The city has now specified that all processors will be protected by a Tofino firewall moving forward. They also keep spare products on hand for new PLCs in need of similar protection. Part 3: Simple Installation and Expert Training from exida After purchasing the products, the plant found the Tofino solution intuitive to install. Working with an electrician, the Tofino Security Appliances were easily wired into the network, but support was required when it came to configuring and managing the quantity of traffic their network was facing. Through Belden s strategic partnership with exida a firm specializing in industrial automation safety and cyber security services Senior Cyber Security Engineer Eric Persson arrived on-site for two days of training and testing. The training included everything from baseline networking knowledge to hands-on installation and trouble-shooting. - 2 -

The goal of our training was twofold first, to have fully functional Tofinos in place to protect the critical areas and assets of the plant from malicious traffic and activity, and second, to have our customer fully competent and comfortable in the networking and configuration knowledge necessary to maintain these devices moving forward, said Persson. During the configuration, several key steps were taken to ensure no disruption to the active network. This included notifying the control room that maintenance was underway on the network and using the test and passive modes to see the traffic flowing through the Tofino before pushing in operational mode. The training, commissioning and testing process also included the creation of custom rules to manage the facility s network traffic. Firewall and traffic rules were set up to meet their specific needs. Finally, the exida team ensured that the security implementation met the recommendations of the ISA/IEC 62443 cyber security standards. Figure 2: The SCADA wastewater network in this mid-sized U.S. city is segmented according to ISA/IEC 62443 standards and is secured using Belden s Tofino Security Appliances. Downloadable Image RESULTS Trained Staff and a Cyber Secure Facility The local team s willingness to learn, coupled with exida s expertise on cyber security, Belden products, and interactive training, made for a successful installation. As a result of the training and installation: There is significantly less traffic on the plant s network. The Tofinos are operational and have been tested to confirm they are passing what is needed and blocking what is not. The team feels secure in managing the traffic themselves. The Department of Water Resources is on the forefront of cyber security for industrial facilities. The network is very secure, making it impossible for even the internal IT department to impact the PLCs. The plant is also meeting the guidelines and mandates for general wastewater practices and will be well prepared when those guidelines become law. - 3 -

Into the Future Deep Packet Inspection There is an expression in the security business: Security is a journey, not a destination. Cyber threats to a city s water system are constantly evolving, as new PLC vulnerabilities are discovered and new attacker s toolkits are released. The team at this particular plant is aware of these concerning facts and knows they cannot rest on their laurels. One of the next steps for them will be the addition of Deep Packet Inspection (DPI) technology to their firewalls. This technology provides superior security over what can be achieved with conventional firewall solutions by performing multi-level analysis and filtering of network messages at the upper layers of the protocol. And unlike intrusion detection and prevention technologies, it offers very fast message forwarding for time sensitive applications, like SCADA control. (For more information on this, see the Deep Packet Inspection Technical Kit available for download here.) While this city s water systems are now secure, facilities across the country and around the world likely are not. The good news is that securing them is not rocket science; it just takes one keen employee and good industry and vendor resources to call upon. ABOUT BELDEN Belden Inc. designs, manufactures, and markets cable, connectivity, and networking products in markets including industrial automation, enterprise, transportation, infrastructure, and consumer electronics. It has approximately 6,800 employees, and provides value for industrial automation, enterprise, education, healthcare, entertainment and broadcast, sound and security, transportation, infrastructure, consumer electronics and other industries. Belden has manufacturing capabilities in North America, South America, Europe, and Asia, and a market presence in nearly every region of the world. Belden was founded in 1902, and today is a leader with some of the strongest brands in the signal transmission industry. For more information, visit www.belden.com. ABOUT THE INDUSTRIAL INTERNET CONSORTIUM Belden has been a member of the Industrial Internet Consortium since June 2105. The Industrial Internet Consortium is a global public-private organization of over 140 members, formed to accelerate the development, adoption and wide-spread use of interconnected machines and devices, intelligent analytics, and people at work. Founded by AT&T, Cisco, General Electric, IBM - 4 -

and Intel in March 2014, the Industrial Internet Consortium catalyzes and coordinates the priorities and enabling technologies of the Industrial Internet. Visit www.iiconsortium.org. 1 2015 1 The Industrial Internet Consortium logo is a registered trademark of Object Management Group. Other logos, products and company names referenced in this document are property of their respective companies. - 5 -

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information