article_264_plcgenesis
article_264_plcgenesis
article_264_plcgenesis
article_264_plcgenesis
article_264_plcgenesis

Firewall fireworks

June 4, 2007
Columnist Jeremy Pollard, CET, notes customers are concerned about malicious damage intentions, yet the more we use Microsoft software and web services, the more we expose devices to hackers.
SCADA security is a “for whom the bell tolls” story. It tolls for everyone in our biz, according to my friend Eric Byres of Byres Security Inc. Byres is working with fellow Canuck, Ian Verhappen, of MTL, to develop and market a plant-floor-configurable firewall with a bunch of goodies for industrial Ethernet, which they claim will protect all devices connected to the plant floor network.

These two industry stalwarts are friends of mine, but I need to play devil’s advocate, because almost everyone I talk to says the control network should be separate from the corporate network. Virtual LANs provide logical, not physical, separation. Should a device fail, and certain conditions apply, we’ll have a problem, just as if if a rogue Ethernet adapter went bonkers in an IT-owned computer.

There has to be a connection in this vertical world, which puts us in the hands of the IT group. For outside/remote access to happen, they probably wouldn’t come through the control network. So why can’t the IT guys lock the system down?

“A Quantitative Study of Firewall Configuration Errors” is a 2004 paper on Byres’ web site written by Avishai Wool, assistant professor at the School of Electrical Engineering in Tel Aviv. Wool suggests most IT people do not know how to configure a firewall properly. Having just had my remote access set up by a Canadian multinational, I have to disagree.

An IT colleague of mine reviewed the paper, and says claims about topics such as open-ended outbound access shouldn’t be valid now.

Regardless of the validity, Wool says the IT guys might not configure the front-end well enough to protect the network. And, says Byres, since we (in this case, the non-IT factory-floor folks, not the machine builders) don’t know how to configure and administrate the firewalls and routers ourselves, we need some magic. Enter Tofino.

Byres says his and Verhappen’s IT firewall can stop Microsoft-based hackers. Tofino sits below the IT protection, and will stop non-Microsoft-based hacks. He knows of a printer that spit out some pornographic spam, so, he says, any device with a processor needs to be secured. I think this is a bit too much fear, uncertainty and doubt (FUD).

Don’t get me wrong—end users haven’t taken the outside world into enough account in their control networks. The more we use Microsoft software and web services, the more we expose ourselves to commercial hackers.

But, look, we have enough trouble making our devices do what we want when we’re sitting right in front of them. The assumption that a hacker in Korea or Chile or Ottawa knows what he has connected to and what to do with it is off the mark.

SCADA does the control stuff. When an operator is logged in, he still should have to enter a data-change password.

If your customers are concerned about malicious damage intentions, what will they ask you to do to secure your machine controls and custom processors? I’m not convinced that machine control needs the security front end Byres talks about. Just being on the network shouldn’t be the only requirement for a security watchdog. Maybe you can be proactive in the conversation about that customer’s factory floor.

My colleague watched a hacker try to get into his network. The hacker used an IPSec hole to grab the IP address of the router used in a VPN setup, then tried to get into the corporate network. My buddy changed the router IP locally—in an hour the hacker had the new IP. The hacker couldn’t do anything because of the IT firewall setup. And for the record, AT&T, the owner of the VPN, said the intruder was looking for credit card numbers—some of their customers reported similar intrusions, and none were successful.

We’re not immune, and yes, we need to take care, heed some warnings, and collaborate with customers. But, as a machine builder, I think you’re pretty safe.

  About the Author
Jeremy Pollard, CET, has been writing about technology and software issues for many years. Publisher of The Software User Online, he has been involved in control system programming and training for more than 20 years. He’ll be pleased to hear from you, so e-mail him at[email protected].