Upload
carmel-obrien
View
216
Download
1
Tags:
Embed Size (px)
Citation preview
Presented at 2004 ASEE Annual Conference & Exposition
How Secure is Your Information System?
Dr. O. Geoffrey Egekwu
James Madison University
Harrisonburg, VA 22807
Presented at 2004 ASEE Annual Conference & Exposition
Announcements
Introductions Instructor
Review Course document sites Instructor website:
https://sharepoint.cisat.jmu.edu/isat/egekwuog
Blackboard: http://bbapp2.jmu.edu (for InfoSec faculty and students)
Syllabus
Presented at 2004 ASEE Annual Conference & Exposition
Introductions:- Dr. Geoffrey Egekwu
Education: B.S. Chemical Engineering; MBA; M.S. & Ph.D. in Industrial and Systems Engineering
11 years in ISAT program at JMU, 4 years with EMU MBA program; JMU InfoSec MBA program
Teaches graduate and undergraduate courses in: production/manufacturing systems, manufacturing processes, polymer processes, automation, technology/knowledge management
11 years of industry experience as manufacturing professional (General Motors, Brunswick Defense division, Advanced Composites, and Alcoa )
Current Research: Critical Infrastructure Protection – SCADA security and RFID systems Implementation and Security.
Presented at 2004 ASEE Annual Conference & Exposition
PLANNING
ERP/MRP/CRM /
Logistics
MES
Finite Scheduling
Production
Dispatching
Tracking
Quality Management
Process Control &Monitoring
Safety
Maintenance
Production DemandMaster SchedulingBOMSOPs Routing
Process and Work InstructionsWork OrdersOps Instructions
Process Status
Material Status
Order status
Resource Usage
Labor, Materials
Process Management
PRODUCT FOCUS:Plant-Wide ManufacturingDecisions
PROCESS FOCUS:
Production Line &Process Decisions
CUSTOMER FOCUS:
Business Decisions
Data Control &Collection
Schedule Execution
Production Status
Order Status
Working Instructions
Sequencing
Labor Instruction
EXECUTION
Enterprise Information Coordination
CONTROL
Technology Planning
Organizational Planning and scheduling
Manufacturing control and monitoring
Budgeting and accounting
Strategic goal planning
Capital Equipment
facility planning
Long range planning
and forecasting
Marketresearch
FutureLong Range Present pastFuture
Manufacturing Processplanning
EngineeringAnd
design
Customer Order
servicing
Purchasing
Production,order scheduling,
Monitoring and control
Customer Order
servicing
Credit Accounting
Profit and loss
Calculation budgeting
Debit Accounting
Receiving
Raw material
inventory
PurchasedParts
inventory
PurchasedParts
inventory
FinishedParts
inventory
Assembly
Quality control
SpareParts
inventory
Finished goods
inventory
Shipping
Suppliers market
Product market
InquiryQuotationsCustomer
Orderinquiry
CustomerOrder
Materialrequirement
Order to supplier
Workpiece drawingBill of material
Control
Feedback
Feedback
Control
Shop orders
Assembly orders
Material Cost
Salaries
TaxesDepreciationInterestprofit
Product Line
Manufacturing plans
NC programs
Product Description
(technical data)
Transactions
Transa
ctions
Flow Information Flow Material Flow Funds
Field bus
Local Area Network LAN
Corporate manufacturing planning & control
Product Planning Mfg. Planning Administration Corporate Database
Engineering and CAD design Process planning CAP Quality Planning CAQ
Bill of Materials explosion Parts requirement planning Capacity scheduling
Order processing Cost accounting Finances Salaries
Master Fields Accounting Payroll Engineering Mfg. equipment
Materials Customers Etc.
Purchasing Order release
Orders Delivery dates Status of orders
Status of manufacturing units etc.
Plant Operating Planning
Mfg. Machines Transportation Other Resources Plant Database
Machine Tools Mfg. Cells Flexible mfg. Systems Measuring Equipment Assembly cells
Conveyors Chain power and free conveyors Automatically guided vehicles
Tools Fixture Programs Material Pallets
Bill of materials Process plans Mfg. Schedules Machine programs
Manufacturing alternatives Manufacturing resources Etc.
Autonomous vehicles
Status of order Machine status Etc.
Shop floor control (real time)
Storage Control Machine Control Assembly control Shop floor Database
Material Tools and fixtures Flow control of materials tools and fixtures
NC, CNC and DNC FMS Measuring equipment
Robots Flexible assembly system
Control programs for manufacturing machines Machine Status
Local machine control and monitoring (real time)
Machine controller Database Storage
NC CNC DNC
Transportation Units
Assembly Units
Measuring Units
Control parameters Control feedback
Wide Area Network WAN
To other units
Tiers Control Activity’s Assignment
Presented at 2004 ASEE Annual Conference & Exposition
Security Needs for the Enterprise Confidentiality – insure enterprise data is only accessed by
authorized users Data Integrity – protecting data from intentional and/or accidental
alteration Access Control – access to critical devices, application and data
provided to right people Authentication – managing who may access a network and what
services the one is authorized to use Can be device/hardware-based and allow legitimate devices to
connect to switch ports in network Prevent loss of proprietary and confidential information – internal
and external (value-chain) impacts.
Presented at 2004 ASEE Annual Conference & Exposition
Security Challenges to Enterprise Information Systems
Networks are large, complicated, and consist of interconnected sub-systems (web of networks)
Every application, device, wireless connection, switch, and router is a point of attack
Security risks derive from cyber and physical infrastructure vulnerabilities
Security solution attacks are now very sophisticated and multilayered – can easily defeat point security solutions
Enterprise information systems are designed for operational flexibility and ease-of-use; functionality and security are mutually exclusive in practice
Presented at 2004 ASEE Annual Conference & Exposition
Security Challenges to Enterprise Information Systems …
Personnel and business partners use modems, wireless devices, and the Web to access network and thus increase system vulnerability Worldwide mobile security software market is
expected to reach $1.27 billion in 2007 – a 71% growth from 2002 to 2007.
Organizations must protect enterprise networks against internal and external threats
Presented at 2004 ASEE Annual Conference & Exposition
Holistic Enterprise security strategy Security infrastructure must consist of redundant
security layers Provide “corporate firewalls and personal firewalls
on individual personal computers” – aggregate multiple endpoint security features
Network possess embedded security agents and have automated solution features
Provide antivirus software at the host and gateway network level
Access control must comprise of physical solutions as well as authentication, authorization, and accounting solutions
Presented at 2004 ASEE Annual Conference & Exposition
Holistic Enterprise security strategy …
Possess secure wireless LAN access – the RC4 cipher used to secure WLANs has just been reported to vulnerable
Have intrusion detection and protection elements Have a robust security policy that includes
comprehensive employee training Possess encryption capabilities that prevent
unauthorized access to company data even after it leaves the corporate secure network.
Cisco Catalyst 2955T
Private net – SUBNET 1
Programmable Logic Controllers: hardwired!
• Protected only through low-level security device (e.g. switch, hub, router)
• IP address static
Remote Terminal Unit• Laptops/tablet PCs• PDAs
internet
SCADA & I/O ServerCSA components include:• Authentication &• Session mgmt.
INTERNALDMZ Serverw/ CSA
Database serverInSQL Server• Make reports (finance, manufacturing)• Make them accessible through gateway
Gateway:• IVC camera relay server• EXTERNAL DMZ server• PC router with NAT
Generic hub/switch
Private net - SUBNET 2
Eth0 – subnet 1Eth1 – subnet 2
Assembly control
Cell control ASRS
Eth0 – subnet 1Eth1 – subnet 2
Camera 1 Camera 2
VPN firewall
JMU Mfg Lab Internal Network (mesh configuration w/ 2 points of failures)
DMZ component of CSA can disconnect computer when intrusion detection system is activated
SCADA & I/O server
Cisco Catalyst2955T w/ NAT
RTU• Handheld computer• Laptop
DMZ Serverw/ CSA
PLC
PLC
PLC
DMZ Server:Security Distribution•Authentication through CSA; Port/ services management•Provide encryption for RTUs (check)•Intrusion detection mechanism•2nd point of failure to prevent total shutdown•Central distribution node for CSA to any node in SCADA network•Complements the gateway software in security policies
SCADA & I/O Server: • Authentication and session management through the CSA• Port & services management through Windows• Minimized monitoring services ensure less overhead and more functionality by the system• Norton Ghost highly recommended
Catalyst 2955T:• NAT to protect the private network
• IP &MAC management
• Hardware and software (if possible) Port management
VPN firewall
To databaseserver
Subnet 1
PLC
Presented at 2004 ASEE Annual Conference & Exposition
internet
Gateway:• IVC camera relay server• EXTERNAL DMZ server• PC router with NAT
Generic hub/switch
Private net - SUBNET 2
Eth0 – subnet 1Eth1 – subnet 2
Camera 1 Camera 2
VPN firewall
To DMZ server
Database serverInSQL Server• Make reports (finance, manufacturing)• Make them accessible through gateway
Gateway: 1st level protection•A DMZ server with CSA software to protect our network from the public internet
•VPN and firewall are main features
•Configured for NAT and communicates solely with internal DMZ and database server
•IVC cameras allow us to view production remotely; attached to gateway only because IVC cameras operate through networkDatabase Server: data warehouse• InTrack software allows us to generate reports
• Reports can be accessible from anywhere
• Implement authentication & session CSA component
• Requires two Ethernet cards (one already installed) for two-way subnet connections (subnet1 and subnet2)
Subnet 2
Presented at 2004 ASEE Annual Conference & Exposition
JMU CIM Lab runs SCADA System
• Installed full commercial version SCADA system
• Physical security system implemented
• Cisco Security Agent – both network and node
protection being implemented
• Our experience similar to Cisco’s experience in oil
gas SCADA project