Remote SCADA security - best practices

[jakerjaker 0]

I'm wondering if anyone has advice on security for a remote SCADA system that will be accessed over the internet via DSL connection (static IP). Specifically, I'm wondering if certain PLCs and associated HMI software are considered more secure. I met with an AB rep who mentioned that Wonderware was now considered vulnerable while RSView\RSLinx was not. From looking around it seems like this might just be some salesmanship on his part, but I was wondering what people thought. Is a router with firewall and VPN capability in front of PLC sufficient security? Are there PLCs with built in firewall/VPN capability? Do people use point to point connection services (I imagine this is costly)? Any other considerations I'm missing? Thanks.

[Dan_S 0]

Hi Jaker, I'll take a crack at some of your questions. In the interest of full disclosure, I work for a company that makes industrial networking gear, including a firewall/router/VPN appliance; but I'll yank off the ol' marketing hat and give you an objective answer: I'll recuse myself from the specifics about which PLCs/HMIs are more vulnerable than others, but suggest you to read up on Project Basecamp (http://www.digitalbond.com/2011/09/01/project-basecamp-hacking-plcs/) which is an on-going project researching ICS vulnerability. Security is analog, not binary so you can't go from "totally open" to "totally secure" by flipping a switch. Putting a router with firewall/VPN is an excellent start though, so long as you take a little time to configure it properly. That is, you can get the best firewall in the world and still set it to "accept all" and you've not made yourself any more secure. The firewall will allow you to restrict traffic by IP address and type of traffic (Modbus, HTTP, etc) and often MAC address as well (a lot more work to manage this though). It is better to be more restrictive and then just open what you need to make it work, than to open everything to make it work and then try and "tighten it down" later. I don't know of any PLCs built with a firewall in them (yet), but its a great idea that will one day come to pass. Point to point like T1 lines are much less common now because a. they are really expensive, b. its easy to get 5 or 10mb from a Comcast or Verizon type ISP for like $30/month and c. the technology to do this securely has come a long way. A lot of our customers use VPN as a way to secure their inexpensive "public" connection. With a VPN, it's like you have a 1000 mile patch cable that connects you to your remote network. And many VPNs let you go site to site (in addition to single user to site) so that a single connection can give a team of engineers/technicians the access they need. One last point about security - make sure that whatever firewall and other security you use, take the time to setup its logging and to then review those logs. It's a great way to ensure there isn't anything malicious (or even accidental) going on on your network. Best of luck, Dan

[Michael Lloyd 85]

In addition to T1/MPLS, DSL, and even wireless DSL, we also use cell modems and VSAT. The cell modem, depending on the coverage area, tends to be faster than the VSAT connection by at least a factor of 10 so that is my preferred method of comm in remote areas. The provider set up a VPN tunnel into our WAN so the connection isn't "visible" to the internet. Ie I can't ping any of our modems from my personal machine but if I am on our network (hard line or VPN) I can connect to the PLC, HMI, or whatever else as long as I have set up port forwarding in the modem (as well as the required connection to the tunnel). I can even set the cell modem up as a DHCP server for the site. All of our connections are behind a firewall of some kind. Edited 27 Oct 2012 by Michael Lloyd

[Nathan 7]

Dan's advice is good. To echo what's already been said - "sufficient security" is really about how much risk you're willing to assume. I wouldn't trust typical industrial vendors (PLC or SCADA) to be your only/strongest link. I think you're headed in the right direction by looking for a VPN appliance. Heck, Dan's product may be exactly what you're looking for. A few general tips: Don't make your system directly Internet accessible Do use a layered "defense in depth" approach Do use reasonable length passwords/keys without reusing/sharing them Do - keep your hardware and software reasonably up to date

[BobLfoot 281]

I'll add one other key learning we've come across recently if your particular flavor of PLC has one of those nice RUN/REMOTE/PROGRAM keyswitches. Leave the thing in RUN. The added security of the Maintenance Man having to go to the PLC and place it in REMOTE for you to remote troubleshoot is better than the kiddie scripts that float out there attacking a unit you left in REMOTE.

[Nathan 7]

Great point Bob! You should design and maintain your system with this sort of overall mentality.