Three-zone security


06/01/2005


Arrival of the latest Microsoft patches reminds us that it is time to lock the doors and bar the windows in our factories. But Microsoft isn't the only technology company weathering security issues these days. There are security holes in almost all software, including Linux, the Firefox browser, Oracle databases, Cisco servers, and Sun's Java Web Proxy Server. The U.S. Department of Energy Computer Incident Advisory Capability at www.ciac.org/ciac posts a list of current vulnerabilities.

Most recent electronic attacks have shown that Internet-based intrusions are reaching a new level of sophistication. Cyber criminals are using rootkits (ready-made software packages used for hacking and/or spreading viruses), spoofing (using another's email address to send out virus-laden messages), server redirecting, and zombie computers (PCs infected by malware so that a hacker can control them) to do their dirty work.

Up to now, most attacks have been in the financial industry, but cyber crime in manufacturing and cyber terrorism will not be far behind. Intellectual property theft in manufacturing is on the rise, especially from countries that do not have the strong IP protection laws of the U.S. and Europe. Cyber attacks are becoming easier to launch and harder to detect.

In the face of these growing threats, it is important to put robust protection for manufacturing assets in place. A February 2005 report by the British organization NISCC (National Infrastructure Security Coordination Centre), titled 'Firewall Deployment for SCADA and Process Control Networks', provides invaluable help for system protection. Available at www.niscc.gov.uk/niscc/docs/re-20050223-00157.pdf, the report discusses several network configurations using routers and firewalls, illustrates the strengths and weaknesses of each approach, and gives rules for firewall configuration.

While not every process control system needs the highest level of protection defined in the report, every system should have a minimum level of protection. The report's authors point out that non-firewall-based separation, including VLANs (Virtual LANs) and routers used to split the control and enterprise networks, will generally not provide suitable isolation between the process control network and the enterprise network.

The best-practice recommendation in the report is a three-zone approach using dual firewalls with a DMZ (demilitarized zone) between the enterprise network and the process control network. One firewall protects the HMI, PLC, and DCS systems from undesired outside influence. Above the process control firewall is a DMZ that contains data historians and other databases for shared information.

A second firewall separates the DMZ from the enterprise network. There is no direct access between the two networks; all communications run through applications in the DMZ servers. The DMZ applications are typically SQL databases, plant data historians, and scheduling and reporting applications. This provides the most secure environment by limiting the possibility of attacks from the enterprise compromising the reliability and timing of the process control network, and protects the enterprise network from infection by compromised automation systems.

The enterprise firewall blocks arbitrary packets from entering the DMZ or the control network. The control firewall prevents traffic from a compromised DMZ server from entering the control network, and at the same time keeps process control network traffic from impacting the DMZ server network. Although not discussed in the NISCC report, MES and batch execution applications should reside on the control network, with the MES and batch log databases in the DMZ.
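The following is an added example, not code from the article or the NISCC report: a small Python model of the three-zone policy described above, with a default-deny evaluator for both firewalls and a check that no rule lets the enterprise network and the control network talk directly. The subnets, the SQL historian port 1433, the Modbus/TCP port 502 and the rule sets are constructed for illustration.

```python
"""Model of the three-zone (enterprise / DMZ / control) firewall design.

Added example; zone subnets, hosts and rules are constructed, not taken from
the article or the NISCC report."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan: one subnet per zone.
ZONES = {
    "enterprise": ip_network("10.1.0.0/16"),
    "dmz": ip_network("10.2.0.0/24"),
    "control": ip_network("10.3.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str     # source zone name
    dst: str     # destination zone name
    port: int    # TCP destination port
    action: str  # "allow" or "deny"


def zone_of(ip):
    """Map an address to its zone, or None if it belongs to no known zone."""
    for name, net in ZONES.items():
        if ip_address(ip) in net:
            return name
    return None


def evaluate(rules, src_ip, dst_ip, port):
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in rules:
        if rule.src == src and rule.dst == dst and rule.port == port:
            return rule.action
    return "deny"


def violations(rules):
    """Allow rules that join enterprise and control directly, bypassing the DMZ."""
    return [r for r in rules
            if r.action == "allow" and {r.src, r.dst} == {"enterprise", "control"}]


# Constructed rule set following the article: enterprise clients query the DMZ
# SQL historian, and the control network pushes its data into that historian.
GOOD_RULES = [
    Rule("enterprise", "dmz", 1433, "allow"),  # enterprise -> DMZ SQL historian
    Rule("control", "dmz", 1433, "allow"),     # control -> DMZ historian feed
]
# Same rules plus one "convenience" rule that breaks the three-zone model.
BAD_RULES = GOOD_RULES + [Rule("enterprise", "control", 502, "allow")]
```

Running `violations(BAD_RULES)` flags the direct enterprise-to-control Modbus rule, while `evaluate(GOOD_RULES, "10.1.5.20", "10.3.0.10", 502)` returns "deny" because no rule spans the two outer zones.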

The three-zone approach has the added advantage of limiting the number of applications in the DMZ that need to be updated with patches and virus protection. Since these applications will often be commercial products not specific to automation, they are easier to test and validate for patches and virus updates.


Author Information
Dennis Brandl, dbrandl@brlconsulting.com, is the president of BR&L Consulting, a consulting firm focusing on manufacturing IT solutions, based in Cary, N.C.
