Secure access to a water treatment plant's SCADA network




Sharp reduction in maintenance times

The systems integrator Morehouse Engineering has helped users operating in many different industries implement SCADA (Supervisory Control and Data Acquisition) systems for more than 20 years. Phoenix Contact security appliances are installed at a water treatment plant to provide service technicians with remote access to the on-site SCADA network (lead image).

Morehouse Engineering is located in Hopewell, New Jersey, around 100 kilometers southwest of New York City. Since its founding in 1993, the company has been involved in a variety of control projects. The solutions developed for these projects range from basic pump control to instructional tools for laparoscopic surgery. The company provides its clients with a full range of services, from research, analysis, and design to fabrication, programming, installation, and troubleshooting of plant process systems.

One of Morehouse Engineering's specialties is designing proprietary SCADA systems that control and monitor processes. In the field of water management, these processes could be something as simple as a small pump station or as complex as a distribution system covering thousands of square kilometers. SCADA systems are used in many industrial fields, including water/wastewater treatment facilities, as well as in the oil and gas, electricity, and transportation sectors.

Online troubleshooting

SCADA systems typically consist of one or more programmable logic controllers (PLCs) and a graphic user interface (GUI). Such a system can be as small as a single device providing a limited number of inputs and outputs, or it can consist of several hundred PLCs with a matching number of I/Os, either located in a single system or installed across a widely distributed area. The operator controls and monitors the process via the GUI, which serves as the visual interface. The graphic user interface is frequently a software solution run on a central operating station, but users are increasingly demanding small user interfaces that can be installed near the process components. All of the controllers and operating stations must be interconnected so that data can be exchanged. This is generally done using an Ethernet network, which delivers a standardised, resilient, and low-cost communication platform used today in all industrial sectors (figure 1).

Figure 1 - In any SCADA system, there is typically one or more PLCs and a GUI (Graphical User Interface). The GUI is the visual interface that the operator uses to monitor and control the process.

The SCADA systems from Morehouse Engineering are designed to maximize controller and GUI performance. "Our solutions enable online troubleshooting and full Web-based access," comments Matt Maloney, systems engineer at Morehouse Engineering. Historical databases are often integrated into the SCADA systems. The information is recorded and saved to the databases with a time stamp, providing the basis for extensive analysis.

Hackers and malware present major security risk

The sturdy, reliable, and configurable SCADA systems from Morehouse Engineering are used in a wide range of applications. The time and cost involved in maintaining them and resolving faults would be quite high if the service technicians had to travel across the entire U.S. on assignment. "This is why we remotely access the SCADA systems either via the Internet or by phone," states Matt Maloney. "After all, our customers expect Morehouse Engineering to deliver fast, comprehensive support."

With many customers in the past, the systems integrator would dial into the system via an Ethernet modem and thus connect the controller to the Internet. This approach has proven difficult for some time now, as the copper telephone lines grow older and become more prone to interference and connection problems. This is particularly the case when exchanging data. "While static or a small amount of noise is not really a problem when two people are talking on the phone," says Matt Maloney, "it can distort data communications" (figure 2).

Figure 2 - Morehouse Engineering needed to help the customer manage the facility remotely, remote-connect to the PLCs with programming software, and protect the system from Internet threats.

Another issue is low transfer speeds. "We need faster transfer rates and more reliable communication in order to deliver our customers the best possible service," points out Maloney.

A water treatment plant operator who uses a Morehouse solution agreed to allow Web-based remote access to its SCADA system. The corresponding network was already linked directly to the Internet, allowing the operator's staff to easily monitor the water treatment plant from home using a remote software product. Being connected directly to the Internet, however, exposes the system to a number of major security risks, both from hackers and in the form of malware and viruses. The programming software was also unable to properly connect to the distributed control systems, as it is not designed to cope with the complexity of data traffic over the Internet.

Rugged solution for an industrial environment

"We needed a solution we could use to connect to the plant's SCADA network via the Internet, one that also offered protection against unauthorised access," reports Matt Maloney. "If at all possible, it should be designed for use in an industrial environment. Most of the security applications available on the market are, however, developed with an eye towards the office environment," adds the systems engineer. Morehouse Engineering has now found security appliances that meet all of the requirements for use in an industrial environment in Phoenix Contact's FL MGuard product line. FL MGuard is a family of security devices that provides all-in-one firewall, routing, and VPN (virtual private network) capability for industrial networks. The devices meet the requirements of the IT system while providing rugged hardware installed in a metal housing for use in the harsh industrial environment (figure 3).

Figure 3 - The FL MGuard RS2000 can be mounted on a DIN rail and uses 24 V DC power, making it better suited for industrial installation than VPNs designed for commercial use.

"The FL MGuard RS2000 model we use can be rail-mounted and uses a 24 V DC power supply, making it better suited for industrial applications than the previously installed components," states Matt Maloney. The SCADA network can be linked directly with the Internet because the device acts as a secure gateway that protects the system from unauthorised access. The service technicians use a VPN software client to connect to the SCADA network; the VPN function restricts communication to authorised users with the corresponding access credentials. Once the VPN connection has been set up, it is as if you were connected directly to the local network. The controller's programming software detects the security appliances and can connect with ease.

All processes are fully masked

"Our original goal was to be able to easily initiate and disconnect the VPN connection via a signal at the FL MGuard RS2000 input," reports Matt Maloney. "However, this feature can only be used if the security appliance is configured as a client and not as a server, as had been our plan." This is where the stealth mode offered with FL MGuard comes in handy. If the appliance is operated in stealth mode (the factory-default setting), clients connected to the internal interface of the security appliance (the local SCADA network) do not have to be reconfigured. The user simply installs FL MGuard between the clients that need to be protected and the network with an Internet connection. When operating in stealth mode, the appliance is fully transparent: the clients' IP addresses remain unchanged. The VPN feature ensures that all data is heavily encrypted and, as a result, all processes that could be intercepted by hackers operating outside the network via the TCP/UDP ports are masked. Even a port scanner cannot detect the processes. Unwanted and unauthenticated/unauthorised data traffic therefore cannot infiltrate the SCADA network.
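The two designs the article contrasts, modelled as an added example that is not Phoenix Contact's or Morehouse Engineering's code: a SCADA segment linked directly to the Internet beside a transparent VPN gateway that forwards Internet-side traffic inward only through an authenticated tunnel or as a reply to a session an internal client opened, dropping everything else silently. Host addresses, listening ports and the scanner address are constructed, and the gateway's stateful logic is a generic model rather than the FL MGuard's actual behaviour.

```python
"""Model of the two remote-access designs contrasted in the article: a SCADA
network linked directly to the Internet versus one reached only through a
transparent (stealth-mode) VPN gateway. Addresses, hosts and ports are
constructed; the gateway is a generic stateful model, not the FL MGuard's."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    dport: int      # destination TCP port
    via_vpn: bool   # True if it arrived inside an authenticated VPN tunnel

# Constructed SCADA segment: a PLC and a GUI station with their listening ports.
INTERNAL_NET = "10.1.0."
INTERNAL_HOSTS = {"10.1.0.10": {502, 44818},   # PLC: Modbus/TCP, EtherNet/IP
                  "10.1.0.20": {3389}}         # GUI station: remote desktop

def exposed_scada(pkt: Packet) -> str:
    """'Before' design: the network sits on the Internet, so any source that
    can route to a host reaches whatever it listens on (or gets a RST back)."""
    return "open" if pkt.dport in INTERNAL_HOSTS.get(pkt.dst, set()) else "closed"

class StealthGateway:
    """'After' design: the gateway bridges the SCADA segment transparently
    (client IPs unchanged) and passes Internet-side traffic inward only when
    it arrives through an authenticated VPN tunnel or answers a session an
    internal client opened. Anything else is dropped silently, with no RST or
    ICMP, so an outside scanner sees neither open nor closed ports."""

    def __init__(self) -> None:
        self.sessions = set()   # (internal host, external peer) pairs

    def outbound(self, pkt: Packet) -> str:
        """Internal clients may initiate outward; the pair is remembered so the
        peer's replies are allowed back in (stateful filtering)."""
        if not pkt.src.startswith(INTERNAL_NET):
            return "dropped"
        self.sessions.add((pkt.src, pkt.dst))
        return "forwarded"

    def inbound(self, pkt: Packet) -> str:
        if pkt.via_vpn:                          # authenticated technician
            return exposed_scada(pkt)            # as if on the local network
        if (pkt.dst, pkt.src) in self.sessions:  # reply to an internal session
            return "forwarded"
        return "dropped"                         # invisible to a port scanner

def port_scan(check, target: str, ports) -> list:
    """Ports an unauthenticated Internet host (constructed 203.0.113.9) sees open."""
    return [p for p in ports if check(Packet("203.0.113.9", target, p, False)) == "open"]
```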

Using FL MGuard's stealth mode allows the main Internet-connected network of the water treatment plant to interact with the SCADA sub-network. "We configured the internal and external ports in stealth mode so that employees can securely access the SCADA network from remote computers, even if the PCs are in different networks," explains Matt Maloney. The firewall, antivirus protection, and VPN settings can be configured using a Web browser, so no changes need to be made on individual computers. Morehouse Engineering can also configure the appliances for all Internet-based connections between different SCADA networks, in cases where a computer is not required.

Comprehensive manufacturer support

"The initial installation took us longer than we had expected," says Matt Maloney, describing his experience with FL MGuard. "This was partially due to my lack of experience with the new developments in network design. We faced a number of problems when configuring the client's network during the second installation. However, thanks to the help and support of Gus Vargas, Automation Sales Engineer at Phoenix Contact USA, we were able to overcome these issues."

Figure 4 - With the installation of the FL MGuard RS2000, Morehouse Engineering can quickly and securely connect to the plant network. The industrial VPN has a more reliable connection and has proven easier to use than a dial-up connection.

Soon after the security appliances went into service, an employee at the water treatment plant contacted Matt Maloney regarding a problem he was experiencing. "I was able to quickly connect to the plant network, allowing me to securely access the controller at the facility," says the systems engineer in closing. The new procedure is easier and more reliable than a dial-up connection, helping reduce day-to-day service work (figure 4).

For further information, visit: www.phoenixcontact.co.uk

If you are interested in publishing this article, please contact Becky Smith: marketing@phoenixcontact.co.uk or telephone 0845 881 2222.