February 2012, Vol. 239 No. 2

Features

Unbreakable SCADA Security Essential For Pipelines

Frank Dickman, Piping Design Consultants, Inc.

Located In the heart of Russia, the rich Samotlor hydrocarbon field was discovered in the 1960s. It is the largest oil and gas field in the country. It lies in Western Siberia where temperatures can range from minus 58°F in winter to 95°F in summer.

In this area, a subsidiary of one of the top 10 privately owned oil companies in the world operates 8,300 production wells and 2,700 injection wells fitted with the latest equipment, spread over an area of 1,750 square km of the field, with 1,100 km of oil pipeline, 1,200 km of water pipelines and 2,100 km of surfaced roads. Production exceeds 22 million tons of hydrocarbons, and transportation of 5 billion cubic meters of natural gas. Think Houston or Tulsa, the oil boomtowns of the early 1900s. The once sleepy town of Nizhnevartovsk is now one of the wealthiest cities in Russia.

The parent company is far more vertically integrated than its American market-guided counterparts in that it controls exploration, construction, production, transportation, processing and distribution all the way to the retail level, including 1,500 filling stations.
The Russian subsidiary’s method for centrally monitoring flow, pressure, temperature, viscosity, composition, water content and other sampling data from the gathering fields, and SCADA systems responsible for command and control of valves, pumps and compressors, has been via radio communications. This methodology suffers from slow communication speed and lack of security. Anyone with an antenna can monitor radio signals.

The Russians face the same potential risks to their critical hydrocarbon infrastructure as people everywhere. Fuel distribution is vital to the Russian economy. Pipelines need to be monitored and maintained. Like the Alaskan pipeline, many Russian pipelines run long distances aboveground through remote areas. Where there is contempt for the rule of law, there always exists the threat of malfeasance, malware, malcontents and mischief — whether by homegrown or foreign terrorists, competitor states, countries or companies, for purposes of sabotage, espionage or extortion.

To Russia With Love
Since August 2011, these oil field networks are being upgraded from insecure radio modems to the WiMAX standard, short for Worldwide Interoperability for Microwave Access. WiMAX is a wireless communication technology for delivering high-speed Internet service to large geographic areas. Applied to cellular communications here in the USA, it is part of the fourth generation – “4G” – network being marketed by cellular providers to allow all the advanced Internet features available on the latest cellular devices. Think of WiMAX as being Wi-Fi on steroids. While that free Wi-Fi node at your coffee shop has a range of 30 yards, WiMAX has a range of up to 30 miles.

High-speed digital cellular communication has big advantages over slow and insecure radio modems. But as any perusal of the latest celebrity news will show, Internet-capable cell phones can be intercepted, infected, cloned, hacked and diverted. So the Russians were looking for an appropriate technology to provide ironclad security from eavesdropping or manipulation by competitors, foreign or domestic, state-supported or freelance. Protection from infection by malware was also a consideration. Any connection to the Internet risks penetration into an industrial network, even those behind corporate firewalls.

Unbreakable Security
While searching for a simple, economical, commercially available solution, the Russians examined what was available in the marketplace and chose the use of a proven “factory level” device, the FL mGuard® from Phoenix Contact, developed by Innominate Security Technologies. The system was specifically designed for harsh environments and includes small, economical, industrial-rated modules that incorporate router, firewall, encryption, authentication and other functions that can be installed without disturbing production.

An FL mGuard creates secure data communication via Virtual Private Network tunnels (VPN). VPN provides high security over public telecom networks, such as the Internet, replacing the need for requisitioning and maintaining expensive dedicated leased-line circuits in wide area networks. Among other features, the mGuard provides the Internet Security Protocol (IPsec), with all message traffic encrypted at the highest level of the Advanced Encryption Standard (AES-256), the same standard adopted by the U.S. government and others.

Communication with control devices is only allowed from designated locations via unbreakable software security keys (imagine a password on steroids), and authentication via certificates of authority that verify the communication origin is from specific command-and-control individuals at specific workstations. The mGuard device filters all outgoing as well as incoming data packets. Any attempted forms of communication without specific handshake protocols will be intercepted and discarded. This highly secure method blocks hacking, virus transmission, and unauthorized access to data streams of information because the module screens and rejects any unauthorized packets, including malware and hacker probes.

 width=
Figure 2: The FL mGuard from Phoenix Contact, a manufacturer of industrial controls.

In “Stealth Mode” these products are completely transparent, invisible while automatically assuming the Internet Protocol (IP) address of the equipment to which they are connected, so that no additional addresses are required for the management of the network devices. No changes need to be made to the network configuration of the existing systems.

The devices provide a highly secure Stateful Packet Firewall, according to rules that can be configured via templates from a centrally located server, or by using the default configurations. Specific user firewall rules can restrict the type and duration of access. Optional Integrity Monitoring functionality can even protect system files against unexpected modifications of executable code, by Stuxnet-derived malware for instance, by recognizing changes in data traffic patterns, and sending alerts to administrators.

The mGuard solution is a robust industrial automation technology particularly suitable for remote sites, and has been previously deployed successfully to protect stationary and mobile satellite communication uplinks in desert and jungle areas where no other communication was available. It is a solution that is easy to configure, meets rigorous IT security standards, is powered by low voltage, and can hold up for decades of operation in harsh environments. The rated Mean Time Between Failure (MTBF) is 23.6 years.

Installation is as simple as mounting the device, providing low voltage DC power, and plugging in between the communication device and the local network signal interface. In this case, these were Programmable Logic Controllers (PLCs) equipped with simple two-pair RS485 Modbus Remote Terminal Units (RTUs) common to industrial automation environments.

Using Internet connectivity, with a password-protected login, the security device can be set up in the field and enabled in moments from a template on the manufacturer’s website. Such onsite configuration does not require experienced IT personnel. It can be performed by a novice technician. By default, the device is configured in its most secure configuration. Alternatively, as in this instance, Innominate Device Manager (IDM) mGuard software installed on a customer control server is being used to set up and enable large groups of mGuard devices via pre-created application templates.
I have looked at other systems as described previously in Pipeline & Gas Journal. This one is the best. It is effective and the cost of implementation is cheap. It often requires less than a dozen units to secure an entire facility, or a city-sized piping network, at a purchase cost of roughly $5,000. The FL mGuard RS VPN model fits in your hand. Installing it is as easy as installing an extra wall phone in a new home. It takes about 10 minutes.

The client in this article initially ordered a quantity of 650 FL mGuard units, and has since ordered another 250 units, giving some idea of the size, commitment and extent of the project to date. And their decision to import foreign technology paid for with hard currency should not be overlooked. By the time you read this, 1,000 units will have been installed.

A Recent Wake-Up Call
Some may still believe that their distributed control systems (DCS) are not susceptible to eavesdropping, hacking or virus propagation because SCADA systems are relatively obscure or “air-gapped.” It is not true. Access to the programmable logic controllers (PLCs) used throughout your pipeline or refining networks is possible from indeterminate remote locations outside your home country, without ever visiting your site, through multiple routes into the heart of your network. Despite corporate IT firewalls, all SCADA networks have open backdoors.

SCADA was never developed with security in mind. SCADA was developed with efficiency, cost reduction, automation, and staff reduction in mind. And then, just as now, various engineers, programmers and software consultants routinely inserted backdoor access for their convenience, so they would be able to fix a glitch remotely whenever possible. And as described in my previous articles in Pipeline & Gas Journal, even semi-technological people can find and identify those backdoors to enter, map and control your SCADA system over the Internet. Security consultants consider SCADA to be “insecure by design.”

In August 2011, Dillon Beresford of NSS Labs presented a demonstration at a security conference in Las Vegas. Beresford had no previous industrial control system expertise and limited resources. Working primarily from his apartment, within a few weeks he identified a “maintenance” backdoor with a permanent, hard-coded password within Siemens Simatic Step7 300 Series PLCs. Hundreds of thousands are installed. They are widely used in the energy sector.

He was able to obtain full control, delete files, dump memory and execute commands, retrieve sensitive information, capture passwords, report false data back to the operator, lock the operator out of the PLC, and completely disable the PLC at will. Similar security weaknesses were found in Siemens Simatic Step7, 200, 300, 400 and 1200 Series. Security consultants believe that PLCs from other manufacturers also have security weaknesses.

A bulletin board posting on the Internet last year by an Italian security researcher (name withheld) with zero previous SCADA experience, provides 34 free exploits for common SCADA software produced by Siemens, Iconics, 7-Technologies, and Datac. Iconics systems are often used in the oil and gas industry in North America. Datac is popular in the water and wastewater sector.

A SCADA exploit toolbox currently offered for sale on the Internet by (name withheld) consolidates all known SCADA hacker exploits into one package.

Beresford’s experimentation had been deliberately conducted at home on a limited budget following the numerous technical reports regarding Stuxnet, the complex worm believed created by programming teams in one or more nations, to attack Iranian SCADA systems, aimed to damage physical equipment and interfere with their nuclear program. Beresford intended to demonstrate that unlimited finances and manhours were not necessarily required.

“It’s not just the spooks who have these capabilities. Average guys sitting in their basements can pull this off,” Beresford said, and he proved it.

Most PLCs shipped in the last decade are Web-enabled with default passwords. Many have Web, ftp, SNMP, Telnet or other communication services available on them. More than 50% of PLCs contain hard-coded, fixed passwords according to renowned SCADA security expert and author Joe Weiss. Some default and backdoor PLC passwords have already been posted online and subsequently found in hacker software. Yet even the best, brand new, fully featured, most expensive PLC on the market does not offer simple source verification and data authentication, or encryption of commands or data traffic. If all this does not yet make you nervous, consider the consequences if some disgruntled nutjob deliberately triggers a catastrophic disaster like Bhopal.

At the same conference, researchers from iSec Partners demonstrated how they had opened and started automobiles equipped with different security systems, using only text messages from a cell phone for access. The manufacturers integrating new devices every year are using smaller chipsets that don’t have the encryption or processing capability for validating that commands are coming from a trusted source.

Three other security researchers demonstrated that they could potentially open prison cell doors controlled by industrial PLCs at a high-security facility after observing a guard on duty using the door control PC to check his e-mail. A common e-mail attack with a self-executing payload could be used to infect and allow remote or programmed control of his computer while spoofing what appears on his screen. SCADA networks are not secure and are not “air-gapped.”

The Russians know all this and now you do too.

Summary
A simple industrial network security solution is readily available and being deployed to protect oil fields and transportation in Russia. These are proven “defense-in-depth” security products available to provide protection for refineries, utilities and critical transportation pipelines and industrial networks. The mGuard network security appliances described here have been widely utilized to protect industrial automation equipment and processes running the newest and oldest operating systems.

 width=
Figure 3: Various forms of mGuard devices from Innominate Security Technologies.

There are other mGuard security applications beyond the scope of this article. For more information about current threats to networked industrial equipment, a comprehensive 18-page White Paper “Hacking the Industrial Network,” including footnotes, clickable Internet research links and detailed references, is available for download at www.innominate.com .

An accessible discussion of “Post-Stuxnet Industrial Security” is also available. An educational industrial SCADA security slide presentation with audio is available at www.phoenixcontact.com/securitywebinar.

 width=
Figure 4: How Secure Are They? — The Major North American Oil and gas Pipeline Networks.

(Author’s Note: The end-user name and specific application details of this story have been withheld for security purposes, as have the names of integration and management personnel, and the aforementioned SCADA hacker resource information.)

Author
Frank Dickman
is an engineering consultant based in Chicago and can be reached at frankdickman@yahoo.com.The licensed professional engineers at Piping Design Consultants (www. PDC1. com) contributed their extensive oil and gas pipeline design expertise to this story.

Related Articles

Comments

{{ error }}
{{ comment.comment.Name }} • {{ comment.timeAgo }}
{{ comment.comment.Text }}