Page 1:

Presented at 2004 ASEE Annual Conference & Exposition

How Secure is Your Information System?

Dr. O. Geoffrey Egekwu

James Madison University

Harrisonburg, VA 22807


Page 2:

Announcements

• Introductions: Instructor

• Review course document sites

Instructor website: https://sharepoint.cisat.jmu.edu/isat/egekwuog

Blackboard: http://bbapp2.jmu.edu (for InfoSec faculty and students)

• Syllabus

Page 3:

Introductions: Dr. Geoffrey Egekwu

Education: B.S. Chemical Engineering; MBA; M.S. & Ph.D. in Industrial and Systems Engineering

11 years in ISAT program at JMU, 4 years with EMU MBA program; JMU InfoSec MBA program

Teaches graduate and undergraduate courses in: production/manufacturing systems, manufacturing processes, polymer processes, automation, technology/knowledge management

11 years of industry experience as a manufacturing professional (General Motors, Brunswick Defense division, Advanced Composites, and Alcoa)

Current Research: Critical Infrastructure Protection – SCADA security and RFID systems implementation and security.

Page 4:

Figure: Enterprise information coordination across three tiers. PLANNING (customer focus: business decisions): ERP/MRP/CRM and logistics, supplying production demand, master scheduling, BOM, SOPs and routing. EXECUTION (product focus: plant-wide manufacturing decisions): MES with finite scheduling, production dispatching, tracking, quality management, process control and monitoring, safety, maintenance and process management; returns process status, material status, order status and resource usage (labor, materials). CONTROL (process focus: production line and process decisions): data control and collection, schedule execution, sequencing, working and labor instructions, reporting production status and order status upward.

Page 5:

Figure: Manufacturing enterprise flows of information, material and funds. Future/long-range activities: technology planning, strategic goal planning, capital equipment and facility planning, long-range planning and forecasting, market research. Present activities: organizational planning and scheduling, manufacturing control and monitoring, budgeting and accounting; engineering and design; manufacturing process planning; customer order servicing; purchasing; production, order scheduling, monitoring and control; credit and debit accounting, profit and loss calculation, budgeting. Material flow from the suppliers market through receiving, raw material inventory, purchased parts inventory, finished parts inventory, assembly, quality control, spare parts and finished goods inventory, and shipping to the product market. Documents and transactions shown: inquiry, quotations, customer order inquiry, customer order, material requirement, order to supplier, workpiece drawing and bill of material, shop orders, assembly orders, manufacturing plans, NC programs, product description (technical data), product line, material cost, salaries, taxes, depreciation, interest and profit; control and feedback loops between tiers. Legend: information flow, material flow, funds flow.

Page 6:

Figure: Tiers, control activities and their assignment. Corporate manufacturing planning and control (over LAN and WAN, corporate database): product planning, manufacturing planning (engineering and CAD design, process planning CAP, quality planning CAQ, bill of materials explosion, parts requirement planning, capacity scheduling), administration (order processing, cost accounting, finances, salaries); master files for accounting, payroll, engineering, manufacturing equipment, materials, customers, etc.; outputs purchasing, order release, orders, delivery dates, status of orders, status of manufacturing units. Plant operating planning (plant database): manufacturing machines (machine tools, manufacturing cells, flexible manufacturing systems, measuring equipment, assembly cells), transportation (conveyors, chain power-and-free conveyors, automatically guided vehicles, autonomous vehicles), other resources (tools, fixtures, programs, material, pallets); bills of materials, process plans, manufacturing schedules, machine programs, manufacturing alternatives and resources; reports status of orders and machine status. Shop floor control (real time, shop floor database): storage control, machine control (NC, CNC and DNC, FMS, measuring equipment), assembly control (robots, flexible assembly system), flow control of materials, tools and fixtures; control programs for manufacturing machines and machine status. Local machine control and monitoring (real time): machine controllers (NC, CNC, DNC) with database storage, transportation units, assembly units and measuring units on the field bus; control parameters and control feedback. The WAN connects to other units.

Page 7:

Security Needs for the Enterprise

Confidentiality – ensure enterprise data is only accessed by authorized users

Data Integrity – protecting data from intentional and/or accidental alteration

Access Control – access to critical devices, applications and data provided to the right people

Authentication – managing who may access a network and what services they are authorized to use; can be device/hardware-based, allowing only legitimate devices to connect to switch ports in the network

Prevent loss of proprietary and confidential information – internal and external (value-chain) impacts.

Page 8:

Security Challenges to Enterprise Information Systems

Networks are large, complicated, and consist of interconnected sub-systems (web of networks)

Every application, device, wireless connection, switch, and router is a point of attack

Security risks derive from cyber and physical infrastructure vulnerabilities

Attacks are now very sophisticated and multilayered – they can easily defeat point security solutions

Enterprise information systems are designed for operational flexibility and ease-of-use; functionality and security are mutually exclusive in practice

Page 9:

Security Challenges to Enterprise Information Systems …

Personnel and business partners use modems, wireless devices, and the Web to access the network and thus increase system vulnerability

Worldwide mobile security software market is expected to reach $1.27 billion in 2007 – a 71% growth from 2002 to 2007.

Organizations must protect enterprise networks against internal and external threats

Page 10:

Holistic Enterprise security strategy

Security infrastructure must consist of redundant security layers

Provide “corporate firewalls and personal firewalls on individual personal computers” – aggregate multiple endpoint security features

Network possesses embedded security agents and has automated solution features

Provide antivirus software at the host and gateway network level

Access control must comprise physical solutions as well as authentication, authorization, and accounting solutions

Page 11:

Holistic Enterprise security strategy …

Possess secure wireless LAN access – the RC4 cipher used to secure WLANs has just been reported to be vulnerable

Have intrusion detection and protection elements

Have a robust security policy that includes comprehensive employee training

Possess encryption capabilities that prevent unauthorized access to company data even after it leaves the corporate secure network.

Page 12:

Figure: JMU Mfg Lab Internal Network (mesh configuration w/ 2 points of failures). Components: internet; Gateway (IVC camera relay server, EXTERNAL DMZ server, PC router with NAT); VPN firewall; Cisco Catalyst 2955T on Private net – SUBNET 1; generic hub/switch on Private net – SUBNET 2; INTERNAL DMZ server w/ CSA; SCADA & I/O Server (CSA components include authentication and session management); Database server (InSQL Server: makes finance and manufacturing reports and makes them accessible through the gateway); Assembly control and Cell control/ASRS hosts, each with Eth0 on subnet 1 and Eth1 on subnet 2; Camera 1 and Camera 2; Remote Terminal Units (laptops/tablet PCs, PDAs).

Programmable Logic Controllers: hardwired!

• Protected only through low-level security device (e.g. switch, hub, router)

• IP address static

DMZ component of CSA can disconnect a computer when the intrusion detection system is activated

Page 13:

Figure: Subnet 1 detail: Cisco Catalyst 2955T w/ NAT, SCADA & I/O server, DMZ Server w/ CSA, three PLCs, RTUs (handheld computer, laptop), VPN firewall, link to database server.

DMZ Server: security distribution

• Authentication through CSA; port/services management

• Provide encryption for RTUs (check)

• Intrusion detection mechanism

• 2nd point of failure to prevent total shutdown

• Central distribution node for CSA to any node in SCADA network

• Complements the gateway software in security policies

SCADA & I/O Server:

• Authentication and session management through the CSA

• Port & services management through Windows

• Minimized monitoring services ensure less overhead and more functionality by the system

• Norton Ghost highly recommended

Catalyst 2955T:

• NAT to protect the private network

• IP & MAC management

• Hardware and software (if possible) port management
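The static-IP PLCs on subnet 1 and the switch's IP & MAC management bullet suggest a simple defender-side check. The Python script below is an added example, not code from the slides or from the JMU lab: it audits an `arp -a` style listing of subnet 1 against a baseline of expected PLC and server addresses (all addresses are constructed) and reports known IPs answering from a different MAC, unlisted hosts, and listed hosts that did not answer.

```python
import re
from collections import namedtuple

# Constructed baseline: the static IP/MAC assignments an operator records for subnet 1.
BASELINE = {
    "192.168.1.10": "00:11:22:33:44:01",  # PLC 1
    "192.168.1.11": "00:11:22:33:44:02",  # PLC 2
    "192.168.1.12": "00:11:22:33:44:03",  # PLC 3
    "192.168.1.20": "00:11:22:33:44:10",  # SCADA & I/O server
}

# Matches `arp -a` style lines: "? (192.168.1.10) at 00:11:22:33:44:01 [ether] on eth0"
ARP_LINE = re.compile(
    r"^\S+\s+\((?P<ip>[\d.]+)\)\s+at\s+(?P<mac>[0-9a-f:]{17}|<incomplete>)", re.I)

Finding = namedtuple("Finding", "ip kind observed_mac expected_mac")  # kind: ok | mac_changed | unknown_host | missing

def parse_arp(output: str) -> dict:
    """Return {ip: mac} for every resolved entry; <incomplete> entries are skipped."""
    seen = {}
    for line in output.splitlines():
        m = ARP_LINE.match(line.strip())
        if m and m.group("mac") != "<incomplete>":
            seen[m.group("ip")] = m.group("mac").lower()
    return seen

def audit(arp_output: str, baseline=BASELINE) -> list:
    """Compare observed ARP entries with the baseline; every host yields one Finding."""
    seen = parse_arp(arp_output)
    findings = []
    for ip, mac in seen.items():
        expected = baseline.get(ip)
        if expected is None:
            findings.append(Finding(ip, "unknown_host", mac, None))  # new host on the PLC subnet
        elif mac != expected.lower():
            findings.append(Finding(ip, "mac_changed", mac, expected))  # known IP, different hardware
        else:
            findings.append(Finding(ip, "ok", mac, expected))
    for ip, expected in baseline.items():
        if ip not in seen:
            findings.append(Finding(ip, "missing", "", expected))  # PLC silent: outage or unplugged
    return findings

# Constructed sample: PLC 3 answers from a different MAC and an unlisted host has appeared.
SAMPLE_ARP = """\
? (192.168.1.10) at 00:11:22:33:44:01 [ether] on eth0
? (192.168.1.11) at 00:11:22:33:44:02 [ether] on eth0
? (192.168.1.12) at 00:11:22:33:44:ff [ether] on eth0
? (192.168.1.99) at 00:11:22:33:44:aa [ether] on eth0
"""
```

Run `audit(SAMPLE_ARP)` from a host on subnet 1 (or feed it the real `arp -a` output) on a schedule and alert on anything other than "ok"; a `mac_changed` finding for a static-IP PLC is worth a physical check of the cabinet and switch port.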

Page 14:

Figure: Gateway and subnet 2 detail: internet; Gateway (IVC camera relay server, EXTERNAL DMZ server, PC router with NAT); generic hub/switch on Private net – SUBNET 2; hosts with Eth0 on subnet 1 and Eth1 on subnet 2; Camera 1 and Camera 2; VPN firewall; link to DMZ server; Database server (InSQL Server: makes finance and manufacturing reports and makes them accessible through the gateway).

Gateway: 1st level protection

• A DMZ server with CSA software to protect our network from the public internet

• VPN and firewall are main features

• Configured for NAT and communicates solely with internal DMZ and database server

• IVC cameras allow us to view production remotely; attached to gateway only because IVC cameras operate through the network

Database Server: data warehouse

• InTrack software allows us to generate reports

• Reports can be accessible from anywhere

• Implement authentication & session CSA component

• Requires two Ethernet cards (one already installed) for two-way subnet connections (subnet 1 and subnet 2)

Page 15:

JMU CIM Lab runs SCADA System

• Installed full commercial version SCADA system

• Physical security system implemented

• Cisco Security Agent – both network and node protection being implemented

• Our experience similar to Cisco’s experience in oil/gas SCADA project