Industrial Network Security – A Critical Review

In advanced societies all aspects of commerce and industry are now based on networked IT systems. Failures of these systems have the potential to be extremely disruptive. The term Critical Infrastructure (CI) is used to define systems (private and public) considered vital to national interests whose interruption would have a debilitating effect on society. It is recognized that cyber security threats to CIs range from malicious individuals to state-sponsored actors. The threats are typically continuous and evolving in sophistication. This paper is primarily focused on Process Control Networks (PCNs). PCNs are used as the basis of industrial process control in a wide range of applications (manufacturing, oil and gas, water, etc.). Given the importance of this industrial sector, there is a range of guidelines considered to be exemplars of best practice. However, given the constantly evolving sophistication of hackers, the true measure of security is penetration testing – not something that is practical in industrial systems.


Critical Infrastructure
Modern society is dependent on systems called Critical Infrastructure. There are several definitions of CI, such as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on the security, national economic security, national health or safety, or any combination of those matters" (DCSINT H., 2006). Critical infrastructure refers to processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government (Government C, 2015). The nation's critical infrastructure provides the essential services that serve as the backbone of an economy. CI may be further subdivided as follows:
1. Physical - Physical assets may include both tangible property (e.g., facilities, components, real estate, animals, and products) and the intangible (e.g., information). Physical protection becomes an even more difficult task when one considers that 85% of the nation's critical infrastructures are not federally owned. Proper protection of physical assets requires cooperation between all levels of the government and within the private sector.
2. Human - Human assets include both the employees to be protected and the personnel who may present an insider threat (e.g., due to privileged access to control systems, operations, and sensitive areas and information). Those individuals who are identified as critical require protection as well as duplication of knowledge and authority.
3. Cyber - Cyber assets include the information hardware, software, data, and the networks that serve the functioning and operation of the asset. Damage to our electronic and computer networks would cause widespread disruption and damage, including casualties. Cyber networks link the United States' energy, financial and physical securities infrastructures (DCSINT H., 2006).

Industrial Control Systems
mas.ccsenet.org Modern Applied Science Vol. 11, No. 6
Process Control Networks (PCNs) are networks that mostly consist of real-time industrial process control systems (PCSs) used to centrally monitor and (over the local network) control remote or local industrial equipment such as motors, valves, pumps, relays, etc. PCNs are used in all kinds of (production) environments. Examples of these environments include chemical plant processes, oil and gas pipelines, electrical generation and transmission equipment, manufacturing facilities, traffic signal management, and water purification and distribution infrastructure (Alvaro A. C., 2008). Process Control Systems are also referred to as Supervisory Control and Data Acquisition (SCADA) systems or Distributed Control Systems (DCS) (Australian Gov., Nov 2016). SCADA, or Supervisory Control and Data Acquisition, is just one specific piece of an industrial network, separate from the control systems themselves, which should be referred to as Industrial Control Systems (ICS), Distributed Control Systems (DCS), or Process Control Systems (PCS). Each area has its own physical and logical security considerations, and each has its own policies and concerns (Eric K., 2011). Control systems are computer-based systems that monitor and control physical processes. These systems represent a wide variety of networked information technology (IT) systems connected to the physical world. Depending on the application, these control systems are also called Process Control Systems (PCS), Supervisory Control and Data Acquisition (SCADA) systems (in industrial control or in the control of critical infrastructures), or Cyber-Physical Systems (CPS) (to refer to embedded sensor and actuator networks). Control systems are usually composed of a set of networked agents, consisting of sensors, actuators, control processing units, and communication devices. Most industrial control systems have a hierarchical structure (Alvaro A. C., 2008).

Cyber Security Threats
In the USA the President's Commission on Critical Infrastructure Protection (PCCIP) defined critical infrastructure as "a network of independent, mostly privately-owned, man-made systems and processes that function collaboratively and synergistically to produce and distribute a continuous flow of essential goods and services" (W.D. Wilde and M.J. Warren, 2008). According to Leon E. Panetta (former US Secretary of Defense), "A cyber-attack perpetrated by a nation or violent extremist group could be as destructive as the terrorist attack of 9/11" (Garamone J., 2012). Some of the world's biggest companies have also been victims of cyber-attacks. In August 2012, Saudi Aramco, the Gulf kingdom's national oil producer, reported an attack that damaged 30,000 computers on its network (Garamone J., 2012). As the sophistication of cyber-attacks increases, understanding how to defend critical infrastructure systems (energy production, water, gas, and other vital systems) becomes more important, and heavily mandated (Eric K., 2011). To evaluate the degree of vulnerability of Industrial Control Systems to cyber threats, penetration tests were performed on approximately 100 North American electric power generation facilities, resulting in more than 38,000 security warnings and vulnerabilities, which were then analyzed to help identify common attack vectors and, ultimately, to help improve the security of these critical systems against cyber-attack (Eric K., 2011). The results suggested a security climate that was lagging behind other industries (Eric K., 2011). To assist in 'hardening' Process Control Networks, vendors have provided a wide range of guidelines for implementing network security measures (Tino H., 2012). This paper is an analysis of these guidelines.

Method
Guidelines are designed to address system vulnerabilities. Identifying these vulnerabilities may then be used to evaluate vendor guidelines. The top ten vulnerabilities for control networks are (Security D.H., 2008):
1. Inadequate policies, procedures and culture governing control system security.
2. Poorly designed PCNs that fail to compartmentalize communication connectivity, fail to employ sufficient "defense-in-depth" mechanisms, fail to restrict "trusted access" to the control system network, or rely on "security through obscurity" as a security mechanism.
3. Badly configured operating systems and embedded devices that allow unused features and functions to be exploited; untimely (or impossible) implementation of software and firmware patches; inadequate or impossible (refer to example with robotic arm) testing of patches prior to implementation.
4. Use of inappropriate or inadequately secured wireless communication.
5. Use of non-dedicated communication channels for command and control and non-deterministic communication such as Internet-based PCNs. A lack of adequate authentication of control system communication-protocol traffic.
6. Lack of mechanisms to detect and restrict administrative or maintenance access to control system components; inadequate identification and control of modems installed to facilitate remote access; poor password standards and maintenance practices; limited use of VPN configurations in control system networks.
7. Lack of quick and easy tools to detect and report on anomalous or inappropriate activity among the volumes of appropriate control system traffic.
8. Dual use of critical control system low-bandwidth network paths for noncritical traffic or unauthorized traffic.
9. Lack of appropriate boundary checks in control systems that could lead to "buffer overflow" failures in the control system software itself.
10. Lack of appropriate change management or change control on control system software and patches.
In addition to the above, security threats may be not only external but also internal (Security D.H., 2008).

Results
The four main international vendors of industrial process control systems are Yokogawa, Honeywell, Siemens and Schneider Electric. Guidelines provided by each of these vendors were analyzed (Table 1); the guidelines are listed below.
• Always apply and maintain the latest Invensys-authorized Operating System (OS) and application patches.
• Always use current anti-virus definitions.
• Update authorized application software.
• Enable a Network / Intrusion Prevention System.
• Do not use a USB stick unless it has been scanned with a current anti-virus definition (DAT) file and confirmed to be free of problems.
• Harden servers and workstations. Hardening non-DCS assets is a requirement and typically will not have a negative effect on the DCS. Hardening DCS assets may be performed and will vary from non-DCS asset hardening.
• Control user rights.
• Always implement backup and restoration.
• Take inventory of network assets.
• Use physical network isolation when possible.
• Use logical network segmentation (secure zones) when possible, with restrictive firewall rules.
• Enable firewall logging.
• Use a Network Management System (NMS).
• Don't click links or files that aren't verified.
• Create an incident response plan.
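As an added example (not part of the paper, and not any vendor's tool), the following script ties two of the items above together: vulnerability 7 in the Method list (no quick and easy tools to spot anomalous activity in control system traffic) and the vendor guidelines on secure zones with restrictive firewall rules and firewall logging. It checks constructed firewall log lines against an assumed zone policy; the zone addressing, the permitted ports and the log format are all assumptions.

```python
import ipaddress
import re

# Constructed PCN zones; the addressing is an assumption, not taken from the paper.
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),
    "dmz": ipaddress.ip_network("10.1.0.0/24"),
    "control": ipaddress.ip_network("192.168.10.0/24"),  # HMIs, engineering stations
    "field": ipaddress.ip_network("192.168.20.0/24"),    # PLCs, RTUs
}

# Assumed policy: (src_zone, dst_zone) -> permitted TCP ports; unlisted pairs get nothing.
POLICY = {
    ("enterprise", "dmz"): {443},    # enterprise reaches only the DMZ
    ("dmz", "control"): {5000},      # DMZ reaches the control zone on one port
    ("control", "field"): {502},     # control reaches field devices on one port
}

# Constructed log format: "<ts> <ACCEPT|DROP> <src>:<sport> -> <dst>:<dport> <proto>"
LOG_RE = re.compile(r"^(\S+) (ACCEPT|DROP) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")

def classify(line):
    """Compare one firewall log line with the zone policy; return (verdict, detail)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ("unparsed", line.strip())
    _, action, src, _, dst, dport, _ = m.groups()
    sz, dz, port = zone_of(src), zone_of(dst), int(dport)
    permitted = port in POLICY.get((sz, dz), set())
    if action == "ACCEPT" and not permitted:
        return ("violation", f"{sz}->{dz}:{port} accepted but not in policy")
    if action == "DROP" and permitted:
        return ("misconfig", f"{sz}->{dz}:{port} in policy but dropped")
    return ("ok", f"{sz}->{dz}:{port} {action.lower()}")

def audit(lines):
    # Keep only the lines that need an operator's attention.
    return [r for r in map(classify, lines) if r[0] != "ok"]

SAMPLE_LOG = [  # constructed sample lines, not captured traffic
    "2017-06-01T10:00:01 ACCEPT 10.0.5.12:51000 -> 10.1.0.7:443 tcp",
    "2017-06-01T10:00:02 ACCEPT 192.168.10.4:40000 -> 192.168.20.9:502 tcp",
    "2017-06-01T10:00:03 ACCEPT 10.0.5.12:51001 -> 192.168.20.9:502 tcp",
    "2017-06-01T10:00:04 DROP 10.1.0.7:41000 -> 192.168.10.4:5000 tcp",
    "2017-06-01T10:00:05 ACCEPT 192.168.10.4:40001 -> 192.168.20.9:3389 tcp",
]
```

Running `audit(SAMPLE_LOG)` flags the enterprise host reaching a field device directly, a control-zone connection on a port outside the policy, and a permitted DMZ-to-control flow that the firewall dropped; the in-policy accepts are filtered out so the three findings are not lost in the volume of normal traffic.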

Discussion
One of the main problems with cyber security is that the threats are constantly evolving in frequency and sophistication (Artur A., 2014). Whilst guidelines, informed by best-practice standard operating procedures, may be adhered to, it can be concluded that threats may still exist in the real world of CI PCNs. Security experts agree that, given adequate time and resources, any system (even hardened, relatively segregated industrial control systems) can be penetrated by determined external hackers or by careless or disgruntled employees. However, there are clearly ways to reduce the risk to an acceptable level (as low as reasonably practical) and to do so without compromising the basic functionality of the system (Arc AG., 2014).
One of the major drawbacks is that none of the major vendors recommend intrusion testing of the PCN. Performing network penetration testing on Industrial Control Systems (ICS) should not be taken lightly, as there are many things that can go wrong. These systems were designed and built to control and automate real-world processes or equipment; given the wrong instructions, they could perform an incorrect action causing waste, equipment damage, injury, or even death (Duggan, David P., 2005).