Protecting SCADA devices from threats and hackers

Alan Grau, Icon Labs

September 26, 2012

Filtering options
Many SCADA protocols now have variants that run over Ethernet or TCP/IP: Modbus runs over TCP/IP as Modbus TCP, and PROFINET is the Ethernet-based counterpart of Profibus. To protect these devices the SCADA firewall must filter Ethernet and TCP/IP traffic.

There are three main types of filtering a firewall can perform. 

  • Static filtering or rules-based filtering:  Compares each packet to a set of rules to determine if the packet should be blocked or allowed.  All decisions are made based on the information in the packet.
  • Stateful packet inspection or dynamic filtering:  Maintains information on the state of each connection (dynamic information) and uses the information to make filtering decisions. 
  • Threshold-based filtering: Keeps statistics on packets received and monitors for threshold crossings to detect packet floods and Denial of Service (DoS) attacks.

Rules-based filtering
Rules-based filtering (Figure 3) provides a simple and effective tool to enforce closed communication, and is generally the only filtering needed for some devices. Any communication from a non-trusted IP or MAC address is blocked, isolating the device from attack.

Figure 3. Rules-based filtering is generally the only filtering needed to enforce closed communications: any non-trusted IP or MAC address is blocked, isolating the device from attack.

Rules-based filtering provides an important layer of defense. Since virtually all embedded devices are closed for at least some protocols, rules should be configured to block any communication that is not allowed with the device.

If rules-based filtering does not provide sufficient protection, then Stateful Packet Inspection (SPI) or threshold-based filtering may be added. Stateful packet inspection protects against packets whose TCP flags are inconsistent with the current state of the connection (a stray ACK with no open connection, a SYN arriving on an established one), a common Internet-based attack technique.

Threshold-based filtering is complex and requires significant system processing time and memory, but provides a powerful tool for detecting packet floods and DoS attacks.

Static Filtering
Static filtering works by allowing a set of rules to be configured specifying the filtering field (IP or MAC address, protocol number, port value, etc.), the filtering type (whitelist vs. blacklist), and the values to be matched.  A whitelist is a list of allowed values.  If a packet is received and the value is on the list, it is allowed.  If not, it is blocked.  A blacklist is the opposite, any values on the list are blocked and all other values are allowed.   

For example, a rule set could look like the following:

            Rule 1, WHITELIST, IP source address, {192.168.0.0 – 192.168.0.255}
            Rule 2, WHITELIST, IP protocol, {1,2,6,17}
            Rule 3, BLACKLIST, UDP destination port, {700-799}

Static filtering requires a way to specify the rule set and a filtering engine that evaluates each packet against the configured rules in order. With the rules shown in this example, the filtering engine first checks the IP source address of each packet. If it is not in the range 192.168.0.0 – 192.168.0.255, the packet is blocked; otherwise the engine proceeds to the next rule.

The second rule specifies that the IP protocols of ICMP, IGMP, TCP and UDP (protocol numbers 1, 2, 6 and 17) are allowed.  Packets received with any other protocol value will be blocked, even if it is from a whitelisted IP address.  The third rule specifies that UDP ports 700-799 are blacklisted.  Any UDP packets received for these ports are blocked.
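Here is how such a filtering engine can evaluate the three rules above, as an added example in C. It is not code from the article or from Icon Labs' Floodgate product; the rule and packet structures, the IPV4() macro and the function names are this example's own. One behaviour the rule list leaves implicit, and that the code makes explicit, is that a rule on a field the packet does not carry (the UDP destination port of a TCP segment, say) is skipped rather than counted as a match or a miss.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal rules-based (static) filter engine for the article's three rules.
 * Added example: not code from the article or from Icon Labs' Floodgate.
 * The field names, rule struct and packet struct are this example's own. */

enum field { F_SRC_IP, F_IP_PROTO, F_UDP_DPORT };
enum rtype { WHITELIST, BLACKLIST };

struct range { uint32_t lo, hi; };          /* inclusive range of field values */

#define MAX_RANGES 4
struct rule {
    enum field   field;
    enum rtype   type;
    size_t       nranges;
    struct range ranges[MAX_RANGES];
};

struct packet {
    uint32_t src_ip;     /* IPv4 source address, host byte order */
    uint8_t  ip_proto;   /* IP protocol number: 1 ICMP, 2 IGMP, 6 TCP, 17 UDP */
    uint16_t udp_dport;  /* UDP destination port; meaningful only when ip_proto == 17 */
};

#define IPV4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* The article's rule set, evaluated top to bottom. */
static const struct rule rules[] = {
    { F_SRC_IP,    WHITELIST, 1, { { IPV4(192,168,0,0), IPV4(192,168,0,255) } } },
    { F_IP_PROTO,  WHITELIST, 4, { {1,1}, {2,2}, {6,6}, {17,17} } },
    { F_UDP_DPORT, BLACKLIST, 1, { {700, 799} } },
};

/* Pull the rule's field out of the packet. Returns false when the packet has
 * no such field (a UDP port rule against a TCP or ICMP packet); the rule is
 * then skipped rather than treated as a match or a mismatch. */
static bool get_field(const struct packet *p, enum field f, uint32_t *out)
{
    switch (f) {
    case F_SRC_IP:   *out = p->src_ip;   return true;
    case F_IP_PROTO: *out = p->ip_proto; return true;
    case F_UDP_DPORT:
        if (p->ip_proto != 17) return false;
        *out = p->udp_dport;
        return true;
    }
    return false;
}

static bool in_ranges(const struct rule *r, uint32_t v)
{
    for (size_t i = 0; i < r->nranges; i++)
        if (v >= r->ranges[i].lo && v <= r->ranges[i].hi)
            return true;
    return false;
}

/* A whitelist rule blocks when the value is NOT listed; a blacklist rule
 * blocks when it IS. The first rule that blocks ends evaluation. */
bool filter_allows(const struct packet *p)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        uint32_t v;
        if (!get_field(p, rules[i].field, &v))
            continue;
        bool listed = in_ranges(&rules[i], v);
        if (rules[i].type == WHITELIST && !listed) return false;
        if (rules[i].type == BLACKLIST && listed)  return false;
    }
    return true;
}

/* Convenience wrapper for callers that hold the three fields as scalars. */
bool filter_allows_fields(uint32_t src_ip, uint8_t ip_proto, uint16_t udp_dport)
{
    struct packet p = { src_ip, ip_proto, udp_dport };
    return filter_allows(&p);
}

int main(void)
{
    /* Constructed sample packets, one per outcome the rule set can produce. */
    printf("TCP from 192.168.0.10:      %s\n", filter_allows_fields(IPV4(192,168,0,10), 6, 0)    ? "allow" : "block");
    printf("TCP from 10.0.0.1:          %s\n", filter_allows_fields(IPV4(10,0,0,1), 6, 0)        ? "allow" : "block");
    printf("GRE (47) from 192.168.0.10: %s\n", filter_allows_fields(IPV4(192,168,0,10), 47, 0)   ? "allow" : "block");
    printf("UDP/750 from 192.168.0.10:  %s\n", filter_allows_fields(IPV4(192,168,0,10), 17, 750) ? "allow" : "block");
    printf("UDP/502 from 192.168.0.10:  %s\n", filter_allows_fields(IPV4(192,168,0,10), 17, 502) ? "allow" : "block");
    return 0;
}
```

Because rules are evaluated in order and the first blocking rule wins, the cheap source-address check runs before anything else, which is the right order on a small MCU: most hostile traffic is rejected by rule 1 without touching the protocol or port fields.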

Stateful packet inspection
Stateful Packet Inspection (SPI) maintains information on the state of each connection and uses it to make filtering decisions. For connection-oriented protocols such as TCP the firewall tracks the protocol's own connection state (SYN seen, handshake complete, FIN seen). For connectionless protocols such as UDP the connection state is simply CLOSED or ESTABLISHED, based on how recently a packet was sent or received for a given IP address and UDP port. This requires a state table that is updated as connections are established, proceed through the connection states, and close. As packets are received, the firewall validates each one against the current state of its connection and then updates the state table as needed. SPI is protocol specific, so the SPI engine must implement state transition and state validation routines for each supported protocol.
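An added example of a TCP state validation routine for a device that only accepts connections (a Modbus/TCP server, for instance). It is not code from the article or from Icon Labs' Floodgate; the state names, the 16-entry table and the server-only simplification are this example's assumptions. It drops the classic invalid-state cases: an ACK or SYN+ACK with no matching connection, a SYN arriving on an established connection, and segments for a connection that has already closed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stateful packet inspection for TCP on a device that only accepts
 * connections. Added example: not code from the article or from Icon Labs'
 * Floodgate; state names, table size and "server only" are assumptions. */

#define TCP_FIN 0x01   /* flag bits as laid out in the TCP header */
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_ACK 0x10

enum dir { INBOUND, OUTBOUND };   /* relative to the protected device */
enum tcp_state { S_FREE, S_SYN_RCVD, S_SYN_ACKED, S_ESTABLISHED, S_FIN_WAIT, S_LAST_ACK };

struct tcp_pkt {
    uint32_t remote_ip;
    uint16_t remote_port, local_port;
    uint8_t  flags;
    enum dir dir;
};

struct conn {
    enum tcp_state state;
    uint32_t remote_ip;
    uint16_t remote_port, local_port;
    uint8_t  fin_seen;   /* bit 0: FIN from remote seen, bit 1: FIN from device seen */
};

#define MAX_CONNS 16
struct spi_table { struct conn c[MAX_CONNS]; };

void spi_init(struct spi_table *t) { memset(t, 0, sizeof *t); }

static struct conn *spi_find(struct spi_table *t, const struct tcp_pkt *p)
{
    for (int i = 0; i < MAX_CONNS; i++) {
        struct conn *c = &t->c[i];
        if (c->state != S_FREE && c->remote_ip == p->remote_ip &&
            c->remote_port == p->remote_port && c->local_port == p->local_port)
            return c;
    }
    return NULL;
}

static struct conn *spi_alloc(struct spi_table *t, const struct tcp_pkt *p)
{
    for (int i = 0; i < MAX_CONNS; i++) {
        if (t->c[i].state == S_FREE) {
            t->c[i].remote_ip   = p->remote_ip;
            t->c[i].remote_port = p->remote_port;
            t->c[i].local_port  = p->local_port;
            t->c[i].fin_seen    = 0;
            return &t->c[i];
        }
    }
    return NULL;   /* table full: fail closed, no new connections */
}

/* Validate one segment against its connection's state, advance the state,
 * and return true if the segment is allowed through. */
bool spi_check(struct spi_table *t, const struct tcp_pkt *p)
{
    struct conn *c = spi_find(t, p);
    uint8_t f = p->flags & (TCP_FIN | TCP_SYN | TCP_RST | TCP_ACK);

    if (c == NULL) {
        /* Only a bare inbound SYN may open a connection. A stray ACK, SYN+ACK,
         * FIN or RST with no matching state (ACK scans, spoofed resets) is dropped. */
        if (p->dir == INBOUND && f == TCP_SYN && (c = spi_alloc(t, p)) != NULL) {
            c->state = S_SYN_RCVD;
            return true;
        }
        return false;
    }
    if (f & TCP_RST) {                 /* RST on a known connection tears it down */
        c->state = S_FREE;
        return true;
    }
    switch (c->state) {
    case S_SYN_RCVD:                   /* waiting for the device's SYN+ACK */
        if (p->dir == OUTBOUND && f == (TCP_SYN | TCP_ACK)) { c->state = S_SYN_ACKED; return true; }
        return p->dir == INBOUND && f == TCP_SYN;                 /* SYN retransmit */
    case S_SYN_ACKED:                  /* waiting for the client's final ACK */
        if (p->dir == INBOUND && f == TCP_ACK) { c->state = S_ESTABLISHED; return true; }
        return p->dir == OUTBOUND && f == (TCP_SYN | TCP_ACK);    /* SYN+ACK retransmit */
    case S_ESTABLISHED:
    case S_FIN_WAIT:                   /* data flows; each side may send one FIN */
        if ((f & TCP_SYN) || !(f & TCP_ACK)) return false;        /* SYN mid-connection, or no ACK */
        if (f & TCP_FIN) {
            c->fin_seen |= (p->dir == INBOUND) ? 1 : 2;
            c->state = (c->fin_seen == 3) ? S_LAST_ACK : S_FIN_WAIT;
        }
        return true;
    case S_LAST_ACK:                   /* both FINs seen: only the closing ACK remains */
        if (f == TCP_ACK) { c->state = S_FREE; return true; }
        return false;
    default:
        return false;
    }
}

/* Scalar-argument wrapper so callers need not build the packet struct. */
bool spi_check_segment(struct spi_table *t, uint32_t rip, uint16_t rport,
                       uint16_t lport, uint8_t flags, enum dir dir)
{
    struct tcp_pkt p = { rip, rport, lport, flags, dir };
    return spi_check(t, &p);
}
```

The table here is keyed on the remote address and both ports; a production engine would also age entries out on a timer (a half-open SYN_RCVD entry that never completes should not hold a slot forever, or an attacker fills the 16 slots with SYNs and locks out legitimate masters) and would check sequence numbers, which this example leaves out.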

Threshold-based filtering
Threshold-based filtering (Figure 4) works by keeping statistics on the packets received and monitoring for threshold crossings based on configured time intervals and threshold levels. If the number of packets received from a specific IP address during any time interval exceeds the configured high-water threshold, further packets from that IP address are blocked. Once the traffic from that IP address falls below the configured low-water threshold, the block is lifted and packets from that IP address are again allowed. Implementing threshold-based filtering requires a table to maintain per-address packet counts and a monitoring module to detect and enforce threshold crossings.

Figure 4. Threshold-based filtering works by keeping statistics on the packets received. If the number of packets received from a specific IP address exceeds the configured high-water threshold, further packets from that address are blocked.
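An added example implementing the high-water/low-water scheme above in C. It is not code from the article or from Icon Labs' Floodgate; the millisecond clock, the 32-entry table and the eviction policy are this example's own assumptions. Two details the description leaves open, and that matter in practice: dropped packets still count toward the interval total, so a flood that keeps arriving keeps the block in place, and a source that goes silent for two or more whole intervals is released even though its last recorded interval was a flood.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Threshold-based filter with high-/low-water hysteresis per source IP.
 * Added example: not code from the article or Icon Labs' Floodgate; the
 * table size, eviction policy and millisecond clock are assumptions. */

#define MAX_TRACKED 32

struct ip_stat {
    bool     used, blocked;
    uint32_t ip;
    uint32_t count;           /* packets seen this interval, dropped ones included */
    uint32_t interval_start;  /* ms; wrap-around is handled by unsigned subtraction */
    uint32_t last_seen;
};

struct threshold_filter {
    uint32_t interval_ms, high_water, low_water;
    struct ip_stat s[MAX_TRACKED];
};

void threshold_init(struct threshold_filter *f, uint32_t interval_ms,
                    uint32_t high_water, uint32_t low_water)
{
    memset(f, 0, sizeof *f);
    f->interval_ms = interval_ms;
    f->high_water  = high_water;
    f->low_water   = low_water;
}

/* Find the slot tracking ip, else take a free slot, else evict the least
 * recently seen UNBLOCKED slot. Blocked slots are never evicted, so a flood
 * source cannot shake off its block by spraying packets from other addresses. */
static struct ip_stat *slot_for(struct threshold_filter *f, uint32_t ip, uint32_t now)
{
    struct ip_stat *free_slot = NULL, *lru = NULL;
    for (int i = 0; i < MAX_TRACKED; i++) {
        struct ip_stat *s = &f->s[i];
        if (s->used && s->ip == ip) return s;
        if (!s->used) { if (!free_slot) free_slot = s; }
        else if (!s->blocked && (!lru || (int32_t)(s->last_seen - lru->last_seen) < 0)) lru = s;
    }
    struct ip_stat *s = free_slot ? free_slot : lru;
    if (s == NULL) return NULL;          /* every slot holds a blocked source */
    memset(s, 0, sizeof *s);
    s->used = true;
    s->ip = ip;
    s->interval_start = now;
    return s;
}

/* Account one packet from ip arriving at time now; return true if it may pass. */
bool threshold_check(struct threshold_filter *f, uint32_t ip, uint32_t now)
{
    struct ip_stat *s = slot_for(f, ip, now);
    if (s == NULL) return false;         /* table exhausted by blocked floods: fail closed */

    uint32_t elapsed = now - s->interval_start;
    if (elapsed >= f->interval_ms) {
        /* Interval boundary crossed. Two or more intervals elapsed means at
         * least one whole interval carried zero packets, which is below any
         * low-water mark; otherwise judge the interval that just completed. */
        uint32_t intervals = elapsed / f->interval_ms;
        if (s->blocked && (intervals >= 2 || s->count < f->low_water))
            s->blocked = false;
        s->count = 0;
        s->interval_start = now;
    }
    s->count++;
    s->last_seen = now;
    if (!s->blocked && s->count > f->high_water)
        s->blocked = true;               /* high-water crossed: drop until traffic subsides */
    return !s->blocked;
}

/* Deliver n packets from ip at the same instant; return how many passed. */
uint32_t threshold_burst(struct threshold_filter *f, uint32_t ip, uint32_t n, uint32_t now)
{
    uint32_t passed = 0;
    for (uint32_t i = 0; i < n; i++)
        if (threshold_check(f, ip, now)) passed++;
    return passed;
}
```

The per-address table is the memory cost the article warns about: MAX_TRACKED slots of about 20 bytes each here, plus one lookup per packet. A flood from many spoofed addresses fills the table, and the choice of what to do then (this example fails closed for new addresses while keeping existing blocks) is a policy decision the deployment has to make deliberately.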

SCADA firewalls vs. desktop firewalls
Firewall technology is standard in home and corporate networks and is a proven and reliable technology. So why not just use one of these existing solutions to create a SCADA firewall? First, for the same reasons desktop operating systems are not used in embedded devices: they are slow, big, and not easily ported to a low-cost, special-purpose device. Building a SCADA firewall requires a small, low-cost solution that works on inexpensive hardware. The solution must also be customizable to support filtering of SCADA protocols. An embedded firewall can run on devices as small as an 8-bit MCU, provide customizable filtering, and support user-configurable filtering rules, allowing the firewall to be configured for any SCADA network deployment.

Other features of a SCADA firewall
In addition to providing filtering, there are a number of important requirements for a SCADA firewall. It is crucial to provide users with a flexible and easy to use, yet secure, configuration interface.  If the firewall configuration can be compromised, then the firewall can be reconfigured and bypassed, or possibly even disabled.

The firewall should also provide statistics, logging, and reporting capability to allow security audits to determine if the device has been attacked, what IP address the attack originated from, and other relevant details.  Integration with a management system to allow centralized policy management and configuration is also critical for large scale deployments.

Summary
Firewalls provide a simple and effective layer of security and have long been used to protect home and enterprise networks. A cost-effective SCADA-aware firewall can provide a critical layer of defense for SCADA devices, protecting them from a wide range of cyber attacks. By controlling who and what the SCADA device talks to, most attacks can be blocked before a connection is even established.

Alan Grau is President and co-founder of Icon Labs (www.iconlabs.com), a provider of security software for embedded devices, and the architect of the company's Floodgate Firewall. Alan has 20 years of embedded software experience. Prior to founding Icon Labs he worked for AT&T Bell Labs and Motorola. Alan has an MS in computer science from Northwestern University.
