Viruses and hackers and worms ... oh my!


11/01/2003


Computer viruses and worms are big topics in the IT world. Recent worms and viruses have infected company LANs (local area networks) and even shut down businesses. While these concerns were already important in the IT environment, they had not been as important in the control system environment. With the increasing use of standard Ethernet and Microsoft operating systems in control systems, infection concerns now have to be considered in control system design and support. As proof of this, several companies have had to stop production because of recent attacks and because of actions taken in response to the attacks.

Part of the modern control system engineer's skill set must include knowledge of how to protect networked control systems. The ISA TR99.01 technical report, Security Technologies for Manufacturing and Control Systems, is a good place to read about the technologies you will need to apply.

IT systems generally follow three rules for protection: defend at the edges, detect in the interior, and protect at each system. Defending at the edges means stopping viruses and worms from entering the local network. This includes establishing firewalls, installing email scanners, closing unused ports, and requiring security access control on any communication through the firewall. Detecting in the interior means scanning network traffic for suspect and abnormal activity. Detection can also involve scanning server systems to make sure that approved applications, and only the approved applications, are running. Protecting each system means running virus protection software and personal firewalls on each system. These same rules can be applied to networked control systems with one important exception: "protecting at each system." Virus protection software requires continual updates of virus and worm electronic signatures. This usually involves downloading identification files and often requires installing software updates. Unfortunately, it is unacceptable to make these changes without extensive testing and revalidation on validated or critical control systems. Updates can occur several times per week, but testing and validation can take weeks, so it is nearly impossible to keep current, up-to-date virus protection software on validated or critical control systems.

Since we cannot follow the third rule on many networked control systems, the first two rules should be strengthened to take up the load. We can strengthen the first rule by adding firewalls between the control system networks and the rest of the corporate networks. Unprotected control systems are prime targets for infection, and they need multiple layers of protection. Control system networks that connect directly to other business system networks are at risk from viruses and worms and put other corporate systems at risk. Firewalls with limited ports provide one level of protection. Firewalls should be two-way: in addition to protecting control systems from infection by corporate systems, they must protect corporate systems from the control systems. Access control routers can also be added to augment firewall protection. Access control routers allow only specified systems on one side to access systems on the other side. The control system network can also be designed as a Virtual Local Area Network (VLAN) using intelligent switches. A VLAN isolates its traffic from other LANs, providing an additional measure of protection against broadcast storms and other denial of service (DoS) attacks.
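The boundary policy described above, two-way default deny with only named hosts and limited ports allowed across, can be stated as a small allowlist model. This is an added example, not code from the article or from BR&L Consulting; the network ranges, host addresses and ports are constructed for illustration.

```python
"""Model of a two-way control-network boundary policy (added example)."""
from dataclasses import dataclass
import ipaddress

CONTROL_NET = ipaddress.ip_network("10.10.0.0/24")    # constructed: control VLAN
CORPORATE_NET = ipaddress.ip_network("10.20.0.0/16")  # constructed: business LAN

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

# Allowlist: the only (source, destination, protocol, port) tuples permitted to
# cross the boundary. Anything else, in either direction, is denied. This is what
# a limited-port firewall plus an access control router enforce together.
ALLOW = {
    # corporate historian pulls from one control-side database gateway (constructed)
    Flow("10.20.5.10", "10.10.0.50", "tcp", 1433),
    # one engineering workstation may reach one HMI over one remote port (constructed)
    Flow("10.20.7.22", "10.10.0.20", "tcp", 3389),
    # the gateway pushes batch reports to one corporate file server (constructed)
    Flow("10.10.0.50", "10.20.5.40", "tcp", 445),
}

def side(ip):
    """Classify an address as control, corporate, or unknown."""
    addr = ipaddress.ip_address(ip)
    if addr in CONTROL_NET:
        return "control"
    if addr in CORPORATE_NET:
        return "corporate"
    return "other"

def decide(flow):
    """Return (verdict, reason). Traffic that stays within one network never
    reaches the boundary device, so the policy does not judge it."""
    s, d = side(flow.src), side(flow.dst)
    if s == d:
        return ("allow", "does not cross the boundary")
    if "other" in (s, d):
        return ("deny", "unknown network")
    if flow in ALLOW:
        return ("allow", f"{s}->{d} allowlisted {flow.proto}/{flow.dport}")
    return ("deny", f"{s}->{d} not allowlisted")  # default deny, both directions

def audit(flows):
    """Evaluate flows; the denied crossings are the ones worth alerting on."""
    return [(f, *decide(f)) for f in flows]
```

Note that a control-side host trying to reach a corporate file share is denied just as an unapproved corporate host trying to reach the HMI is, which is the two-way property the text calls for.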

Detection within the control system network should also be applied. This includes using Intrusion Detection Systems on the VLAN.

The cost of adding infection protection to control systems is small and available with off-the-shelf software. Control system professionals need to understand the technologies of infection protection and must work with IT departments to implement secure interfaces between the control networks and the corporate networks.


Author Information

Dennis Brandl is the president of BR&L Consulting, a consulting firm focusing on manufacturing IT solutions, based in Cary, N.C. dbrandl@brlconsulting.com



