FIREWALL DEPLOYMENT FOR SCADA/PCN


Page 1: FIREWALL DEPLOYMENT FOR SCADA/PCN

FIREWALL DEPLOYMENT FOR SCADA/PCN

Page 2: FIREWALL DEPLOYMENT FOR SCADA/PCN

Network Security

How closed does your network need to be?
How open can you afford your network to be?
Where is the vulnerability coming from?
How can the vulnerability be mitigated?
How can you detect that an unauthorized party is trying to jeopardize the network services?
How can business continuity be maintained in the long run with the steps taken?
How do you anticipate future requirements?

Page 3: FIREWALL DEPLOYMENT FOR SCADA/PCN

Types of Attacks

1. Denial of Service
2. Unauthorized Access: attempt to access a command shell
3. Illicit command execution: cracking the administrator's password, changing an IP address, planting a start-up script
4. Confidentiality Breach
5. Destructive Attacks: data diddling (unauthorized modification of data), data destruction

Page 4: FIREWALL DEPLOYMENT FOR SCADA/PCN

Network Security

Balancing act between:
Keeping equipment and processes protected.
Allowing them to reach larger computing realms via Ethernet protocols and the Internet to gain new connections and capabilities.

Solution: a multiple-zone network with sub-zones.

Page 6: FIREWALL DEPLOYMENT FOR SCADA/PCN

Generic IT security goals versus ICS security goals

Page 7: FIREWALL DEPLOYMENT FOR SCADA/PCN

Assessment process flow chart

Page 8: FIREWALL DEPLOYMENT FOR SCADA/PCN

OSI Model – 7 Layers

Page 9: FIREWALL DEPLOYMENT FOR SCADA/PCN

Network Security

Network Security Tools
Intelligent network switches and routers
Firewalls
Hardware and software devices for managing network connections
User authentication
Encrypting data
DMZ

Page 10: FIREWALL DEPLOYMENT FOR SCADA/PCN

FIREWALL

A firewall is a mechanism used to control and monitor traffic to and from a network for the purpose of protecting the devices on that network.

Compares traffic passing through it against pre-defined security criteria.

Can be a hardware device (Cisco PIX or Symantec Security Gateway).

Can be a hardware/software unit with OS-based firewall capabilities ("iptables" running on a Linux server).

Can be a host-based software solution installed on the workstation directly (Norton Personal Firewall or Sygate Personal Firewall).

Page 11: FIREWALL DEPLOYMENT FOR SCADA/PCN

Internet facing firewall protecting PC & PLC

Page 12: FIREWALL DEPLOYMENT FOR SCADA/PCN

Content of Network Traffic

Network traffic is sent in discrete groups of bits, called packets. Each packet includes:
the sender's identity (source address)
the recipient's identity (destination address)
the service to which the packet pertains (port number)
network operation and status flags
the actual payload of data to be delivered to the service
A firewall analyzes these characteristics and decides what to do with the packet based on a series of rules, known as Access Control Lists (ACLs).

Page 13: FIREWALL DEPLOYMENT FOR SCADA/PCN

Classes of Firewall

Host-Based Firewalls
Available on Windows or Unix-based platforms.
Primary function is to protect a workstation or server running tasks like database access or web services.
Can do little to regulate traffic destined for embedded control devices (PLCs, RTUs), which cannot run a host firewall themselves.

Page 14: FIREWALL DEPLOYMENT FOR SCADA/PCN

Classes of Firewall

Packet Filter Firewall
Simplest class of firewall, following a set of static rules.
Only the IP addresses and the port numbers of the packet are examined; the filter keeps no connection state, so it cannot tell whether a packet belongs to an established session.
No intelligence to identify spoofed (forged source IP address) packets. The usual mitigation is an ingress rule that drops packets arriving on the outside interface with an inside source address.
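The packet filter described above, written out as an added example (this code is not from the slides and the address ranges, interface names and rule set are hypothetical): rules are evaluated first-match-wins on arrival interface, source and destination address, protocol and destination port, with an implicit default deny. Because the filter cannot recognise a forged source address on its own, the first rule is an ingress anti-spoofing rule tied to the interface the packet arrived on; denied packets are logged, which is the "intrusion detection" service a later slide lists.

```python
"""Added example: a stateless packet filter with first-match ACL semantics.

Hypothetical two-port firewall between the enterprise network ("en") and the
process control network ("pcn"); the ranges and rules are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "en" (enterprise) or "pcn"
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "allow" or "deny"
    iface: Optional[str]     # None = any interface
    src: str                 # CIDR
    dst: str                 # CIDR
    proto: Optional[str]     # None = any protocol
    dport: Optional[int]     # None = any port

    def matches(self, p: Packet) -> bool:
        return (
            (self.iface is None or self.iface == p.iface)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
            and (self.proto is None or self.proto == p.proto)
            and (self.dport is None or self.dport == p.dport)
        )


# Hypothetical ranges: enterprise LAN, control network, and the historian
# (PI Server) that enterprise clients are allowed to query on 5450/tcp.
EN_NET = "10.0.10.0/24"
PCN_NET = "10.0.120.0/24"
PI_SERVER = "10.0.120.10/32"

ACL: List[Rule] = [
    # Ingress anti-spoofing: a packet arriving on the enterprise side can never
    # legitimately carry a control-network source address.
    Rule("anti-spoof-en", "deny", "en", PCN_NET, "0.0.0.0/0", None, None),
    # The single enterprise-to-PCN service exposed: PI clients to the historian.
    Rule("pi-clients", "allow", "en", EN_NET, PI_SERVER, "tcp", 5450),
    # Everything else, including PCN-initiated sessions, falls through to the
    # implicit default deny at the end of the list.
]

DENY_LOG: List[str] = []


def evaluate(p: Packet, acl: List[Rule] = ACL) -> Tuple[str, str]:
    """Return (action, rule_name); unmatched packets hit the implicit default deny."""
    for rule in acl:
        if rule.matches(p):
            action, name = rule.action, rule.name
            break
    else:
        action, name = "deny", "default-deny"
    if action == "deny":
        DENY_LOG.append(f"DENY {name} {p.iface} {p.src}->{p.dst} {p.proto}/{p.dport}")
    return action, name


def demo() -> List[Tuple[str, str]]:
    """Constructed packets: the allowed service, a spoof, and two stray sessions."""
    samples = [
        Packet("en", "10.0.10.25", "10.0.120.10", "tcp", 5450),    # PI client query
        Packet("en", "10.0.120.7", "10.0.120.10", "tcp", 5450),    # forged PCN source
        Packet("en", "10.0.10.25", "10.0.120.50", "tcp", 502),     # straight to a controller
        Packet("pcn", "10.0.120.50", "10.0.10.25", "tcp", 445),    # PCN host reaching out
    ]
    return [evaluate(p) for p in samples]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
    print("\n".join(DENY_LOG))
```

Note that the anti-spoofing rule only works because it keys on the arrival interface; a filter that looked at addresses alone would accept the forged packet, which is exactly the weakness the slide describes.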

Page 15: FIREWALL DEPLOYMENT FOR SCADA/PCN

Packet Filter Firewall

Page 16: FIREWALL DEPLOYMENT FOR SCADA/PCN

Classes of Firewall

Application Proxy Firewalls
Open packets at the application layer.
Process them based on application-specific rules.
Reassemble and forward them to the target devices.
No direct connection between the client and the external server: the proxy terminates both sides.
Possible to configure internal clients to redirect traffic without the knowledge of the sender (transparent proxy).
Possible to apply access control lists against the application protocol itself, for example permitting the read commands of a control protocol while denying writes.
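An application-layer ACL of the kind the slide describes, as an added example that is not from the slides: the proxy terminates the client's TCP session, parses each Modbus/TCP request (MBAP header plus PDU), forwards only read-type function codes towards the controller, answers write requests locally with a well-formed Modbus exception so the client does not hang, and drops malformed frames. Modbus/TCP is used here as a stand-in for whatever control protocol the plant runs (the slides mention OPC, not Modbus); the unit-id whitelist and the sample frames are constructed.

```python
"""Added example: application-proxy filtering of Modbus/TCP function codes."""
import struct
from dataclasses import dataclass
from typing import Tuple

MBAP_LEN = 7                           # transaction id, protocol id, length, unit id
READ_FUNCTIONS = {1, 2, 3, 4, 7, 17}   # coils, discrete inputs, holding/input registers,
                                       # exception status, report server id
EXC_ILLEGAL_FUNCTION = 0x01
EXC_GATEWAY_PATH_UNAVAILABLE = 0x0A


class FrameError(ValueError):
    """Raised for frames that are not well-formed Modbus/TCP."""


@dataclass(frozen=True)
class Request:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_request(frame: bytes) -> Request:
    if len(frame) < MBAP_LEN + 1:
        raise FrameError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack("!HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise FrameError(f"protocol id {proto} is not Modbus (0)")
    # The length field counts the unit id plus the PDU that follows it.
    if length != len(frame) - 6:
        raise FrameError(f"length field {length} does not match frame ({len(frame) - 6})")
    if length > 254:   # 253-byte PDU maximum plus the unit id
        raise FrameError("PDU exceeds the Modbus maximum")
    return Request(tid, unit, frame[MBAP_LEN], frame[MBAP_LEN + 1:])


def exception_response(req: Request, code: int) -> bytes:
    """Modbus exception: function code with the high bit set, then the exception code."""
    pdu = bytes([req.function | 0x80, code])
    return struct.pack("!HHHB", req.transaction_id, 0, len(pdu) + 1, req.unit_id) + pdu


def proxy_decision(frame: bytes, allowed_units=frozenset({1})) -> Tuple[str, bytes]:
    """Return ("forward", frame), ("reject", exception_bytes) or ("drop", reason)."""
    try:
        req = parse_request(frame)
    except FrameError as exc:
        return "drop", str(exc).encode()
    if req.unit_id not in allowed_units:
        return "reject", exception_response(req, EXC_GATEWAY_PATH_UNAVAILABLE)
    if req.function not in READ_FUNCTIONS:
        return "reject", exception_response(req, EXC_ILLEGAL_FUNCTION)
    return "forward", frame


# Constructed sample frames (not captured traffic).
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a")   # FC3: read 10 registers from 0, unit 1
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0010 0001")   # FC6: write register 16, unit 1
WRONG_UNIT = bytes.fromhex("0001 0000 0006 02 03 0000 000a")     # FC3 read, but unit 2 is not whitelisted
TRUNCATED = bytes.fromhex("0003 0000 0006 01 03")                # length claims 6 bytes, only 2 present

if __name__ == "__main__":
    for name, frame in [("read", READ_HOLDING), ("write", WRITE_SINGLE),
                        ("unit", WRONG_UNIT), ("truncated", TRUNCATED)]:
        print(name, proxy_decision(frame))
```

The point a packet filter cannot make: both the read and the write arrive on the same 502/tcp port from the same client, so only a proxy that decodes the PDU can tell them apart.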

Page 20: FIREWALL DEPLOYMENT FOR SCADA/PCN

Other Firewall Services

Acting as an intrusion detection system: logging denied packets, recognizing packets specifically crafted to cause problems, reporting unusual traffic patterns

Blocking infected traffic by deploying front-line anti-virus software on the firewall

Authentication services through passwords or public-key encryption

Virtual Private Network (VPN) gateway services, by setting up an encrypted tunnel between the firewall and remote host devices

Network Address Translation (NAT), where a set of IP addresses used on one side of the firewall is mapped to a different set on the other side

Page 21: FIREWALL DEPLOYMENT FOR SCADA/PCN

Overall Security Goals of PCN/SCADA Firewalls

No direct connection from the Internet to the PCN/SCADA network, and vice versa

Restricted access from the enterprise network to the control network

Unrestricted (but only authorized) access from the enterprise network to shared PCN/enterprise servers

Secured methods for authorized remote support of the control system

Secure connectivity for wireless devices

Well-defined rules outlining the type of traffic permitted

Monitoring of the traffic attempting to enter the PCN

Secure connectivity for management of the firewall
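A pre-deployment check of a zone-level rule set against the goals above, as an added example that is not from the slides and not the plant's configuration: the zone names, services and rules are constructed, and reading "secured methods for authorized remote support" as "a VPN service from named support hosts" is this example's assumption. The linter flags any rule that joins the Internet and the PCN, any rule whose service is "any" (not a well-defined rule), enterprise-to-PCN rules that are not limited to named hosts over a VPN service, PCN-initiated sessions leaving the control network (the DMZ historian is the only thing the PCN should talk to), and a firewall management plane reachable from anywhere but the management station.

```python
"""Added example: lint a zone-to-zone rule set against the PCN firewall goals."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ZoneRule:
    src_zone: str
    dst_zone: str
    service: Optional[str]      # e.g. "tcp/5450"; None means "any"
    src_hosts: Optional[str]    # named source host(s); None means the whole zone
    purpose: str = ""


VPN_SERVICES = {"tcp/443", "udp/500", "udp/4500"}   # assumed: TLS or IPsec VPN termination
MGMT_STATION = "mgmt-station"                        # hypothetical admin host name


def lint(rules: List[ZoneRule]) -> List[str]:
    """Return one finding per violated goal; an empty list means the set passes."""
    findings: List[str] = []
    for i, r in enumerate(rules):
        where = f"rule {i} {r.src_zone}->{r.dst_zone} {r.service or 'any'}"
        if {r.src_zone, r.dst_zone} == {"internet", "pcn"}:
            findings.append(f"{where}: direct Internet/PCN connection")
        if r.service is None:
            findings.append(f"{where}: service 'any' is not a well-defined rule")
        if r.src_zone == "enterprise" and r.dst_zone == "pcn":
            if r.src_hosts is None:
                findings.append(f"{where}: enterprise->PCN from the whole zone, not named support hosts")
            if r.service not in VPN_SERVICES:
                findings.append(f"{where}: enterprise->PCN not via an authenticated VPN service")
        if r.src_zone == "pcn" and r.dst_zone in {"enterprise", "internet"}:
            findings.append(f"{where}: PCN-initiated session leaving the control network")
        if r.dst_zone == "fw-mgmt" and r.src_hosts != MGMT_STATION:
            findings.append(f"{where}: firewall management reachable from other than the management station")
    return findings


# Constructed rule sets. BAD_RULES is a typical flat design; GOOD_RULES routes
# everything through a historian (PI Server, tcp/5450) placed in the DMZ.
BAD_RULES = [
    ZoneRule("enterprise", "pcn", None, None, "office users reach HMI directly"),
    ZoneRule("pcn", "internet", "tcp/80", None, "vendor update check"),
    ZoneRule("enterprise", "fw-mgmt", "tcp/22", None, "admins"),
]
GOOD_RULES = [
    ZoneRule("enterprise", "dmz", "tcp/5450", None, "PI clients to the historian"),
    ZoneRule("pcn", "dmz", "tcp/5450", "10.0.120.10", "PI OPC interface pushes to the historian"),
    ZoneRule("enterprise", "pcn", "tcp/443", "10.0.10.5", "vendor remote support over TLS VPN"),
    ZoneRule("enterprise", "fw-mgmt", "tcp/22", MGMT_STATION, "firewall administration"),
]

if __name__ == "__main__":
    for label, rules in (("bad", BAD_RULES), ("good", GOOD_RULES)):
        print(label, lint(rules) or "no findings")
```

Run this over the proposed rule table before the change window; a rule set that produces findings here will also fail the "no direct connection" and "well-defined rules" goals on the slide.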

Page 22: FIREWALL DEPLOYMENT FOR SCADA/PCN

Firewall Selection Criteria

Security: the likely effectiveness of the architecture in preventing possible attacks.
Manageability: the ability of the architecture to be easily managed, both locally and remotely.
Scalability: the ability of the architecture to be effectively deployed in both large and small systems, or in large numbers.

Page 23: FIREWALL DEPLOYMENT FOR SCADA/PCN

Common SCADA/PCN Segregation Architecture

Dual-Homed Computers

Page 24: FIREWALL DEPLOYMENT FOR SCADA/PCN

Common SCADA/PCN Segregation Architecture

Dual Homed Server with Personal Firewall Software

Page 25: FIREWALL DEPLOYMENT FOR SCADA/PCN

Common SCADA/PCN Segregation Architecture

Packet Filtering Router/Layer-3 Switch between PCN & EN

Page 26: FIREWALL DEPLOYMENT FOR SCADA/PCN

Common SCADA/PCN Segregation Architecture

Two Port Firewall between PCN & EN

Page 27: FIREWALL DEPLOYMENT FOR SCADA/PCN

Common SCADA/PCN Segregation Architecture

Router/Firewall combination between PCN & EN

Page 28: FIREWALL DEPLOYMENT FOR SCADA/PCN

DMZ

A DMZ is a critical part of a firewall architecture.
Neither part of the untrusted network nor part of the trusted network.
Adds a layer of security to the DDCMIS (Distributed Digital Control, Monitoring and Information System) LAN.
A physical or logical sub-network that provides services to users outside the LAN.

Page 29: FIREWALL DEPLOYMENT FOR SCADA/PCN

Common SCADA/PCN Segregation Architecture

Firewall with DMZ between PCN & EN

Page 30: FIREWALL DEPLOYMENT FOR SCADA/PCN

Common SCADA/PCN Segregation Architecture

Paired Firewalls with DMZ between PCN & EN

Page 31: FIREWALL DEPLOYMENT FOR SCADA/PCN

Common SCADA/PCN Segregation Architecture

Firewall with DMZ and SCADA/PCN VLAN

Page 32: FIREWALL DEPLOYMENT FOR SCADA/PCN

Comparison Chart for PCN/SCADA segregation Architecture

Page 33: FIREWALL DEPLOYMENT FOR SCADA/PCN

DDCMIS NETWORK SECURITY MEASURES TAKEN AT NTPC/TALCHER-KANIHA

Page 35: FIREWALL DEPLOYMENT FOR SCADA/PCN

Network Topology (diagram; labels recovered from the slide)

Stage I Plant Network: Unit 1 and Unit 2 Keltron OPC Servers, a firewall, and a Gateway PC running the PI OPC Interface towards the Office Network.
Stage II Plant Network: Unit 3 and Unit 6 Honeywell Experion Systems and the Honeywell OPC Server, a firewall, and a Gateway PC running the PI OPC Interface towards the Office Network.
ABT Network: ABT OPC Server with PI OPC Interface, behind a firewall.
Office Network: PI Server, reached on port 5450. The address 10.0.120.202 is labelled on the diagram.

Page 36: FIREWALL DEPLOYMENT FOR SCADA/PCN

Network Topology (diagram; labels recovered from the slide)

Stage II Plant Network: Unit 3 and Unit 6 Honeywell Experion Systems, Honeywell WAN Server, Gateway PC.
ABT Network: redundant ABT OPC Server with PI OPC Interface.
Stage I: Unit 1 DDCMS and Unit 2 DDCMS, OPC Server Main and OPC Server Standby, two L-3 switches.
Office Network (NTPC LAN): PI Server (port 5450) and PI Client.
Firewall-1, Firewall-2 and Firewall-3 separate the three plant networks from the Office Network; the address 10.0.120.202 is labelled on the diagram.

Page 37: FIREWALL DEPLOYMENT FOR SCADA/PCN

Station LAN of Talcher-II before PI connectivity (diagram; labels recovered from the slide)

Control system side: Unit HMI servers, OWS in PR & CER, OWS/LVS in CCR, Unit HMI LAN for Unit-3 to Unit-6 (U#3 switch shown as typical), BPOS system for U#3, 4, 5 & 6, Unit 1 and Unit 2 via a Gateway PC.
Station LAN side: Station LAN switch, STN LAN server, MOR PC, server, PR switch, ESP PCs #3, 4, 5, 6, SWAS, C&I shift PC, Incharge PC, PT Plant switch, Service Bldg switch.
PLCs on the station LAN: ash handling, fire-proof AC CPU, CHP-1, CHP-2, DM plant, PT plant, cooling tower 1 and cooling tower 2.
IT LAN: PCs of the Head of Project, Heads of O&M, Operation, C&I, boiler/turbine maintenance and C&I maintenance engineers, shift engineers, etc. (PC1 ... PCn).
A firewall (marked "Typical") is shown on the diagram.

Page 38: FIREWALL DEPLOYMENT FOR SCADA/PCN

DMZ

Station LAN of Talcher-II after PI connectivity (diagram; labels recovered from the slide)

Same elements as the previous diagram (unit HMI servers and LANs, OWS in PR & CER and OWS/LVS in CCR, BPOS system for U#3, 4, 5 & 6, station LAN switch and server, MOR PC, PR switch, ESP PCs #3, 4, 5, 6, SWAS, C&I shift and Incharge PCs, PT Plant and Service Bldg switches, the ash handling, fire-proof AC, CHP-1, CHP-2, DM plant, PT plant and cooling tower PLCs, the IT LAN PCs PC1 ... PCn, and the firewall marked "Typical"), with the following additions:
A DMZ.
A PI-Server placed on the PR switch.
A PI-Interface between the control system and the PI-Server.

Page 39: FIREWALL DEPLOYMENT FOR SCADA/PCN

PI system connectivity at Talcher-II (diagram): PI-Interface on the plant side, PI-Server, NTPC Office LAN.

Page 40: FIREWALL DEPLOYMENT FOR SCADA/PCN

Network Testing Methodology

Steps:
1. Review the existing LAN of NTPC/Talcher Kaniha
2. Perform a bandwidth assessment test
3. Perform a vulnerability test
4. Conduct a penetration test
5. Conduct a security audit
6. Conduct a CCTV demo between Talcher Kaniha & EOC-NOIDA
7. Recommendations and suggested up-gradation

Page 41: FIREWALL DEPLOYMENT FOR SCADA/PCN

Vulnerability Test on Servers

Finding vulnerabilities in the operating system and applications of the servers.
Tools:
NMAP: to map open ports
NESSUS: to identify the applications running on the target servers and their known vulnerabilities
MBSA: to find missing patches on the operating system and applications
Port scanning and network mapping: Traceroute, Hping2, Xprobe2 and Nmap
Fingerprinting and vulnerability mapping: server operating system (Gateway PC)
Security patch review using Microsoft Baseline Security Analyzer (MBSA)

Page 42: FIREWALL DEPLOYMENT FOR SCADA/PCN

LAN Capacity Testing

Bandwidth testing: to find the used bandwidth of the network and identify potential bottlenecks.
Tool used: PRTG
Methodology: port mirroring. All Tx/Rx traffic of the WAN Server, MOR Server and Gateway PC is mirrored to the switch port where the PRTG grapher listens.

Page 43: FIREWALL DEPLOYMENT FOR SCADA/PCN

Penetration Test

Testing of the network and its components for security weaknesses.

Flowchart: Nmap -> Nessus -> Ethereal -> Hping2 / Firewalk -> password cracking tool / web server scanner / OS fingerprinting / SNMP tests

Page 44: FIREWALL DEPLOYMENT FOR SCADA/PCN

Penetration Tools

Ethereal: sniffs network traffic to find clear-text usernames and passwords

Hping2: command-line TCP/IP packet assembler/analyzer, used for firewall testing, advanced port scanning and remote OS fingerprinting

Firewalk: used to enumerate the rules of the firewall and its ACLs

Cain & Abel, John the Ripper, L0phtCrack: password auditing tools

Brutus: password cracker
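The first two steps of the vulnerability test on the previous slides (mapping open ports, then identifying the listening service), done by hand as an added example that is not from the slides: a TCP connect scan reports which ports accept a connection, and a banner grab reads whatever the service sends first, a crude version of what Nmap and Nessus do. To stay self-contained it scans a listener started in-process on 127.0.0.1; the banner text is constructed, not a real product banner. On a live PCN, scan only with the control engineers' agreement and outside production hours, since older controllers can fault when probed.

```python
"""Added example: TCP connect scan plus banner grab against an in-process listener."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, Optional, Tuple

BANNER = b"EXAMPLE-SERVICE 1.0 ready\r\n"   # constructed for the demo


def start_banner_listener() -> Tuple[socket.socket, int]:
    """Listen on an ephemeral loopback port and greet every client with BANNER."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener shut down
                return
            with conn:
                try:
                    conn.sendall(BANNER)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def stop_listener(srv: socket.socket) -> None:
    try:
        srv.shutdown(socket.SHUT_RDWR)   # wakes the blocked accept()
    except OSError:
        pass
    srv.close()


def free_closed_port() -> int:
    """Bind-and-release to find a loopback port that is (almost certainly) closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe(host: str, port: int, timeout: float = 0.5) -> Optional[bytes]:
    """None if the port refuses/times out; otherwise the first bytes sent (b"" if silent)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as c:
        c.settimeout(timeout)
        try:
            c.connect((host, port))
        except OSError:
            return None
        try:
            return c.recv(256)
        except OSError:              # open but said nothing within the timeout
            return b""


def connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5,
                 workers: int = 32) -> Dict[int, bytes]:
    """Map each open port to its banner."""
    with ThreadPoolExecutor(max_workers=workers) as ex:
        results = list(ex.map(lambda p: (p, probe(host, p, timeout)), ports))
    return {p: banner for p, banner in results if banner is not None}


def demo() -> Dict[int, bytes]:
    """Scan one known-open and one known-closed loopback port."""
    srv, open_port = start_banner_listener()
    closed_port = free_closed_port()
    try:
        return connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        stop_listener(srv)


if __name__ == "__main__":
    for port, banner in demo().items():
        print(f"{port}/tcp open  {banner!r}")
```

The connect scan completes the three-way handshake on every port it probes, so it shows up in the target's own logs as well as on the firewall; that is the trade-off against a SYN scan, which Hping2 on the next slide is used for.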

Page 45: FIREWALL DEPLOYMENT FOR SCADA/PCN

Network Security

Network Security To-Do List:
Turn on virus protection software and be vigilant about installing patches
Use complex passwords that include numbers and mixed characters
Install firewalls. Monitor them to check who is accessing them and what software they are using.
Turn off unnecessary ports and devices
Lock down PCs as much as possible
Train staff to follow security policies.

Page 46: FIREWALL DEPLOYMENT FOR SCADA/PCN

Information Security Team Structure

Chairman(HOD-C&I)

Information Security Coordinator

Database Administrator

Information Security Manager

System Administrator

Network Administrator
