FIREWALL DEPLOYMENT FOR SCADA/PCN

Network Security
How closed need your network needs to
be?
How open can you afford your network to
be?
Where from the vulnerability is coming?
How to mitigate the vulnerability?
How to detect that anyone un-authorized is
trying to jeopardize the network services?
How the Business Continuity can be
maintained in the long run with the steps
taken?
How to envisage future requirements?
Types of
Attacks
1. Denial of Service
2. Unauthorized Access:
Attempt to access
command shell
3. Illicit command
execution:
Hacking
Administrators
password
Changing IP Address
Putting a Start-up
Script
4. Confidentiality Breach
5. Destructive Attacks
Data Diddling
Data destruction
Network Security
Balancing act between:
Keeping equipment and processes
protected.
Allowing them to touch larger computing
realms via Ethernet protocols and the
internet to gain new connections and
capabilities.
Solution:
Multiple Zone Network with Subzone.
Generic IT security goals versus ICS security goals
Assessment process flow chart
OSI Model 7 Layers
Network Security
Network Security Tools
Intelligent Network Switches and Routers
Firewalls
Hardware and Software Devices for
managing network connections
User Authentication
Encrypting Data
DMZ
FIREWALL
Firewall
Firewall is a mechanism used to control and
monitor traffic to and from a network for the
purpose of protecting devices on a network.
Compares traffic passing through it to a pre-
defined security criteria
Can be a hardware device (CISCO PIX or
Semantic Security Gateway)
Can be a hardware/Software unit with OS
based firewall capabilities (iptables running
on a Linux Server)
Host based software solution installed on the
workstation directly (Norton Personal Firewall
or Sygate Personal Firewall)

Internet facing firewall protecting PC & PLC
Content of Network Traffic
Network Traffic
Network traffic is sent in discrete group of bits,
called a packet which includes
Senders Identity (Source Address)
Recipients Identity (Destination Address)
Service to which the packet pertains (Port
Number)
Network Operation and Status Flags
Actual payload of data to be delivered to
service
A firewall analyzes these characteristics and
decides what to do with the packet based on
a series of rules, known as Access Control
Lists (ACL).
Classes of Firewall
Host Based Firewalls
Available on Windows or Unix based
platforms
Primary function is Workstation or Server
Tasks like Database Access or Web
Services
Can do little to regulate traffic destined
for Embedded Control Devices
Classes of Firewall
Packet Filter Firewall
Simplest class of Firewall following a set
of static rules
Only the IP Addresses and the port
number of the packet is examined
No intelligence to identify spoofed (Forged
source IP Address) packages





Packet Filter Firewall
Classes of Firewall
Application Proxy Firewalls
Open Packets at Application Layer
Process them based on specific application
rules
Reassemble and forward to target devices
No direct connection to external server
Possible to configure internal clients to
redirect traffic without the knowledge of
the sender
Possible to apply access control lists
against the application protocol
Other Firewall Services
Acting as Intrusion Detection System;
Logging denied packets, Recognizing network
packages specifically designed to cause
problems, Reporting unusual traffic patterns
Blocking infected traffic by deploying
Front-line Anti-Virus Software on firewall
Authentication services through passwords
or Public Key Encryption
Virtual Private Network (VPN) gateway
services by setting up an encrypted tunnel
between firewall and remote Host devices
Network Address Translation (NAT)
where a set of IP addresses used on one side
of a firewall are mapped to a different set on
the other side.

Overall Security Goals of PCN/SCADA Firewalls
No direct connection from the Internet to the
PCN/SCADA Network and vice versa
Restricted access from the enterprise network to
the control network
Unrestricted (but only authorized) access from
the enterprise network to shared PCN/Enterprise
servers
Secured methods for authorized remote support
of control system
Secure connectivity for wireless devices
Well defined rules outlining the type of traffic
permitted
Monitoring the traffic attempting to enter PCN
Secure connectivity for management of firewall
Firewall Selection Criteria
Security:
The likely effectiveness of the architecture
to prevent possible attacks.
Manageability:
Ability of the architecture to be easily
managed (both locally as well as from
remote).
Scalability:
Ability of the architecture to be effectively
deployed in both large and small systems
or in large numbers.
Common SCADA/PCN Segregation Architecture
Dual-Homed Computers

Common SCADA/PCN Segregation Architecture
Dual Homed Server with Personal Firewall
Software

Common SCADA/PCN Segregation Architecture
Packet Filtering Router/Layer-3 Switch
between PCN & EN

Common SCADA/PCN Segregation Architecture
Two Port Firewall between PCN & EN

Common SCADA/PCN Segregation Architecture
Router/Firewall combination between PCN &
EN


DMZ
DMZ is a critical part of a firewall.
Neither part of un-trusted Network, nor
part of trusted network
Puts additional layer of security to
DDCMIS LAN
Physical or Logical sub-network that
provides services to users outside LAN
Common SCADA/PCN Segregation Architecture
Firewall with DMZ between PCN & EN

Common SCADA/PCN Segregation Architecture
Paired Firewalls with DMZ between PCN &
EN


Common SCADA/PCN Segregation Architecture
Firewall with DMZ and SCADA/PCN VLAN

Comparison Chart for PCN/SCADA segregation
Architecture
DDCMIS NETWORK SECURITY MEASURES
TAKEN AT NTPC/TALCHER-KANIHA
Network Topology
Firewall
Gateway PC
+
PI OPC
Interface
Unit 3
Honeywell
Experion
System
Office Network
Honeywell
OPC Server
Unit 6
Honeywell
Experion
System
PI Server
Port
5450
Stage II Plant Network
Unit 1
Keltron
OPC
Server
Unit 2
Keltron
OPC
Server
Stage I Plant Network
Firewall
Gateway PC
+
PI OPC
Interface
ABT OPC
Server + PI
OPC
Interface
ABT Network
Firewall
10.0.120.202
Network Topology
Firewall-
1
Gateway
PC
Unit 3

Honeywell
Experion
System
Office Network (NTPC LAN)
Honeywel
l WAN
Server
Unit 6

Honeywell
Experion
System
PI
Server
Port
545
0
Stage II Plant Network
PI Client
Firewall-2
ABT OPC
Server
(Redundant)
+ PI OPC
Interface
ABT Network
Firewall
-3
10.0.120.202
OPC
Server
Standby

OPC
Server
Main

Unit 1
DDCMS
Unit 2
DDCMS
L-3 Switch
L-3 Switch
CONTROL
SYSTEM
UNIT HMI SERVERS
OWS
in PR
& CER
STATION LAN SWITCH STN LAN
SERVER
MOR
PC
Unit 1 Unit 2
GATEWAY
PC
ESP
PCs
#
3,4,5,6
SERVER PR SWITCH
SWAS C&I shift
PC Incharge PC
PT PLANT SWITCH SERVICE BLDG SWITCH
Ash handling fire proof AC CPU
PLC PLC PLC PLC
CHP-1 CHP-2 DM PLANT PT PLANT COOLING PC
PLC PLC PLC PLC TOWER2 HEAD
PLC OF
PROJ
HEADS OF PLC COOLING
- O&M TOWER-1
- OPER -C&I SHIFT M/C
- BOILER/TURBINE M/C ENGR
etc -C&I M/C ENGR

PC1 .. P C n
IT
LA
N
UNIT HMI
LAN
UNIT-3
Typical
FIREWALL
UNIT
-5
UNIT
-6
UNIT
-4
U#3 SWITCH
OWS /
LVS
in CCR
OWS
in PR
& CER
Station LAN of Talcher-II
before PI connectivity
BPOS system
U#3,4,5 &6
DMZ
CONTROL
SYSTEM
UNIT HMI SERVERS
OWS
in PR
&
CER
STATION LAN SWITCH STN LAN
SERVER
MOR
PC
Unit 1 Unit 2
GATEWAY
PC
ESP PCs
#
3,4,5,6
PI-
SERVER
PR SWITCH
SWAS C&I shift
PC Incharge PC
PT PLANT SWITCH SERVICE BLDG SWITCH
Ash handling fire proof AC CPU
PLC PLC PLC PLC
CHP-1 CHP-2 DM PLANT PT PLANT COOLING PC
PLC PLC PLC PLC TOWER2 HEAD
PLC OF
PROJ
HEADS OF PLC COOLING
- O&M TOWER-1
- OPER -C&I SHIFT M/C
- BOILER/TURBINE M/C ENGR
etc -C&I M/C ENGR

PC1 .. P C n
IT
LA
N
UNIT
HMI LAN
UNIT-3
Typical
FIREWALL
UNIT
-5
UNIT
-6
UNIT
-4
U#3 SWITCH
OWS
/ LVS
in
CCR
OWS
in PR
&
CER
Station LAN of Talcher-II
after PI connectivity
BPOS system
U#3,4,5 &6
PI-
Interface
PI-
Server
PI-
Interface
NTPC
Office LAN
- -
-
PI system connectivity
at Talcher-II
Network Testing Methodology
Steps:
1. Review the existing LAN of NTPC/Talcher
Kaniha
2. Perform a Bandwidth Assessment Test
3. Perform a Vulnerability Test
4. Conduct a Penetration Test
5. Conduct a Security Audit
6. Conduct a CCTV Demo between Talcher
Kaniha & EOC-NOIDA
7. Recommendation and Suggested Up-
Gradation


Vulnerability Test on Servers
Finding Vulnerability on the Operating System
Vulnerability of Servers
Tools:
NMAP: To Map Open Ports
NESSUS: To find the application running on Target
Servers.
MBSA: To find the missing patches on the
operating system and applications
Port Scanning and Network Mapping
Used Traceroute, Hping2, Xprobe2 and Nmap
tools.
Fingerprinting and Vulnerability Mapping
Server Operating system (Gateway PC)
Fingerprinting
Security Patch Review using Microsoft
Baseline Security Analyzer (MBSA)


LAN Capacity Testing
Bandwidth Testing:
To find out used Bandwidth of the
Network
Identifying potential bottlenecks
Tool Used:
PRTG
Methodology:
Port Mirroring: All Tx/Rx Traffics of WAN
Server, MOR Server and Gateway PC are
mirrored into the Grapher




Penetration Test
Testing of Network and Components for
security weaknesses.
Flowchart:

NMA
P
Ness
us
Ether
eal
Hping2/
Firewalk
Password Cracking
Tool/Web Server
Scanner/OS
Fingerprinting/SNMP
Tests
Penetration Tools
Ethereal: Sniffs Network Traffic to find clear-
text username and passwords
Hping2: Command line oriented TCP/IP
Packet assembler/analyzer. Used for Firewall
Testing/Advanced Port Scanning, Remote OS
Fingerprinting
Firewalk: Used to enumerate the rules of the
firewall and ACLs
Cain & Abel,John the ripper, L0phtcrack:
Password auditing tool
Brutus: Password Cracker
Network Security
Network Security To Do List:
Turn ON Virus Protection software and be vigilant
about installing patches
Use Complex Passwords that includes numbers
and mixed characters
Install Firewall. Monitor them to check who is
accessing them and what software they are
using.
Turn off unnecessary ports and devices
Turn down and lock down PCs as much as
possible
Train staff to follow security policies.

Information Security Team Structure

Chairman(HOD-C&I)
Information Security Coordinator
Database
Administrator
Information Security Manager
System
Administrator
Network
Administrator