Securing Offshore O&G Platforms

Wednesday, July 3, 2013 @ 09:07 AM gHale

Editor’s Note: This is an excerpt from the Practical SCADA Security blog at Tofino Security.
By Heather MacKenzie
Engineers who look at security should know about Deep Packet Inspection (DPI) and why offshore oil and gas networks need it if they want to be secure.

Let me give some context. You know the critical systems managing production and safety on offshore platforms are largely based on legacy SCADA and Industrial Control System (ICS) products and protocols. Many of these products are decades old and were never designed with security in mind.


People like Dale Peterson and his Project Basecamp team have made an industry out of showing just how vulnerable these devices really are. Unfortunately these same systems are now connected to external systems using Ethernet and TCP/IP. That has been great for efficiency, but it exposes mission-critical production systems to malware.

Given the 20-year lifecycle common for industrial systems, it will be many years before more secure SCADA and ICS devices and protocols are in widespread use. This leaves thousands of legacy platform control systems open to attack from even an inexperienced attacker, who can disable or damage many industrial controllers with nothing more than a handful of well-formed protocol messages.

Problem: No Granularity
The difficulty with legacy SCADA/ICS protocols is that they offer a conventional security device no granularity. A firewall that filters on addresses and TCP/UDP ports sees a data read and a firmware update or logic download as the same thing: same source, same destination, same port (TCP 502 for Modbus/TCP, for example). The only thing that distinguishes them is the function code inside the application payload, which a port-based firewall never looks at.

Thus if you allow data read messages from an HMI to a PLC to pass through a traditional firewall, you are also allowing programming and write messages to pass through. This is a serious security issue.

You are faced with an impossible choice — keep the messages flowing that make the system run, but expose it to attacks, or block everything out. Since shutting systems down is not an option, accepting high risk has been the course taken by many. In a post-Macondo (Deepwater Horizon) world, this is not acceptable.

What can an engineer do? There is a solution.

Deep Packet Inspection
The solution is to find a firewall that can dig into the industrial protocol itself to understand the purpose of a message. This goes beyond the address-and-port filtering of a conventional IT firewall and is called Deep Packet Inspection.

Here’s how it works: after applying traditional firewall rules (which hosts may talk to which, on which port), the DPI firewall parses the content of each message and applies more detailed rules. For example, it reads the Modbus function code to decide whether a message is a read or a write and, under a read-only rule, drops every write and programming message while the reads keep flowing.

In addition, good DPI firewalls can also “sanity check” traffic for strangely formatted messages (a length field that does not match the bytes actually present, an out-of-range register count) or unusual behaviors (such as 10,000 reply messages in response to a single request message). These sorts of abnormal messages can indicate traffic created by an attacker trying to crash a PLC, and they need to be blocked.
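The two layers described above (a conventional address-and-port rule, then inspection of the Modbus/TCP payload) are shown in the following added example. It is illustrative code written for this page, not Tofino’s or Belden’s product code; the HMI and PLC addresses, the `MAX_OUTSTANDING` policy knob and the traffic frames are all constructed for the demo. It enforces a read-only rule by function code, rejects malformed MBAP headers and out-of-spec register counts, and pairs every reply with an outstanding request so that a flood of unsolicited replies is dropped after the first one.

```python
"""Modbus/TCP deep packet inspection: an added example, not Tofino's code.

Layer 1 is the rule a conventional firewall can express (addresses, port).
Layer 2 parses the Modbus payload and applies the rules only DPI can apply.
"""
import struct
from dataclasses import dataclass, field

MODBUS_PORT = 502
MAX_ADU = 260                    # MBAP header (7) + PDU (253): the Modbus/TCP maximum
READ_CODES = {1, 2, 3, 4}        # read coils, discrete inputs, holding regs, input regs
MAX_QUANTITY = {1: 2000, 2: 2000, 3: 125, 4: 125}   # per-function limits from the spec
MAX_OUTSTANDING = 16             # policy knob (assumption): unanswered requests tolerated


@dataclass
class Frame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes                  # PDU bytes after the function code


def parse_adu(payload: bytes) -> Frame:
    """Parse the MBAP header and function code; raise ValueError if malformed."""
    if not 8 <= len(payload) <= MAX_ADU:
        raise ValueError("ADU of %d bytes out of range" % len(payload))
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(payload) - 6:      # length field counts unit id + PDU
        raise ValueError("length field %d vs %d bytes present" % (length, len(payload) - 6))
    return Frame(tid, unit, payload[7], payload[8:])


def build_adu(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Constructed Modbus/TCP frame for the demo (not captured traffic)."""
    return struct.pack(">HHHB", tid, 0, 2 + len(data), unit) + bytes([fc]) + data


@dataclass
class ModbusDpi:
    hmi: str
    plc: str
    outstanding: dict = field(default_factory=dict)   # tid -> (fc, quantity) awaiting reply

    def inspect(self, src, sport, dst, dport, payload):
        """Return (verdict, reason); 'allow' only for well-formed read traffic."""
        if (src, dst, dport) == (self.hmi, self.plc, MODBUS_PORT):
            handler = self._request
        elif (src, sport, dst) == (self.plc, MODBUS_PORT, self.hmi):
            handler = self._response
        else:
            return "drop", "not the HMI<->PLC Modbus flow"      # layer-1 rule
        try:
            frame = parse_adu(payload)
        except ValueError as err:
            return "drop", "malformed frame: %s" % err         # sanity check
        return handler(frame)

    def _request(self, f: Frame):
        if f.function_code not in READ_CODES:
            return "drop", "fc %d is not a read; writes/programming/diagnostics blocked" % f.function_code
        if len(f.data) != 4:
            return "drop", "read request needs start address + quantity"
        quantity = struct.unpack(">H", f.data[2:])[0]
        if not 1 <= quantity <= MAX_QUANTITY[f.function_code]:
            return "drop", "quantity %d outside spec range" % quantity
        if len(self.outstanding) >= MAX_OUTSTANDING:
            return "drop", "request flood: %d requests unanswered" % len(self.outstanding)
        self.outstanding[f.transaction_id] = (f.function_code, quantity)
        return "allow", "read request fc=%d" % f.function_code

    def _response(self, f: Frame):
        pending = self.outstanding.pop(f.transaction_id, None)
        if pending is None:
            return "drop", "reply with no outstanding request (tid %d)" % f.transaction_id
        req_fc, quantity = pending
        if f.function_code == (req_fc | 0x80) and len(f.data) == 1:
            return "allow", "exception reply to fc=%d" % req_fc
        if f.function_code != req_fc:
            return "drop", "reply fc %d does not match request fc %d" % (f.function_code, req_fc)
        expected = 2 * quantity if req_fc in (3, 4) else (quantity + 7) // 8
        if not f.data or f.data[0] != expected or len(f.data) != 1 + expected:
            return "drop", "reply byte count inconsistent with the request"
        return "allow", "read reply fc=%d" % req_fc


def run_demo():
    """Constructed HMI<->PLC traffic; returns the verdict for each frame in order."""
    dpi = ModbusDpi(hmi="10.0.0.10", plc="10.0.0.20")
    hmi_to_plc = ("10.0.0.10", 40000, "10.0.0.20", MODBUS_PORT)
    plc_to_hmi = ("10.0.0.20", MODBUS_PORT, "10.0.0.10", 40000)
    read_req = build_adu(1, 1, 3, struct.pack(">HH", 0, 10))           # read 10 holding regs
    read_rsp = build_adu(1, 1, 3, bytes([20]) + bytes(20))             # 10 regs = 20 bytes
    write_req = build_adu(2, 1, 16, struct.pack(">HHB", 0, 1, 2) + b"\x00\x01")  # write regs
    bad_len = bytearray(read_req)
    bad_len[4:6] = struct.pack(">H", 99)                                # lying length field
    return [
        dpi.inspect(*hmi_to_plc, read_req)[0],       # allow: a plain read
        dpi.inspect(*plc_to_hmi, read_rsp)[0],       # allow: matching reply
        dpi.inspect(*plc_to_hmi, read_rsp)[0],       # drop: second reply, nothing pending
        dpi.inspect(*hmi_to_plc, write_req)[0],      # drop: write through a read-only rule
        dpi.inspect(*hmi_to_plc, bytes(bad_len))[0], # drop: malformed MBAP length
    ]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The point of the request/reply pairing is that a reply is only legitimate once: the first response to transaction 1 is allowed, the second identical one is dropped because nothing is pending, which is how the “10,000 replies to one request” pattern is caught without any signature. A real product would also handle TCP segmentation (several ADUs in one segment, or one split across two) and expire stale entries in `outstanding`; both are left out here for brevity.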

DPI in Need Now
Tofino’s Eric Byres said five years ago DPI would have been a “nice-to-have” capability. However, today’s generation of worms and advanced threats make it a “must-have” technology if you want a secure SCADA or ICS system.

The reason is that today’s malware designers and attackers know firewalls and intrusion detection systems will spot the use of an unusual protocol instantly. They know if the protocols on a network are normally HTTP (i.e. web browsing), Modbus and MS-SQL (i.e. database queries) then the sudden appearance of a new protocol like FTP will put the smart system administrator on his or her guard.

Thus worm designers work to stay under the radar by hiding their network traffic inside protocols that are already common on the network they are attacking. For example, many worms now hide their outbound communications in what appear to be normal HTTP messages.

Even if you suspected something was wrong, you would be stuck if all you had was a normal firewall. Simply blocking all Modbus traffic would impact production. Without deep packet inspection (i.e. tools to inspect the contents of messages and block only the suspicious traffic), your hands would be tied.

DPI technology is a very powerful tool in the security tool box. It allows the engineer to block the bad stuff, yet avoid needless impact on the control system. Without it, the designers of modern worms clearly have the upper hand.

Certainly DPI is not a silver bullet for security – no technology is.

Heather MacKenzie is with Tofino Security, a Belden company. The full version of this post is on the Practical SCADA Security blog.
