As a demonstration recently, a device was connected to the Internet with direct port forwarding and no firewall to control or block traffic. Within a few seconds the device had automatically locked down all of its access interfaces, including not only unsecure interfaces such as Telnet, but also secure interfaces such as SSH. This service lockdown was caused by an overload of incorrect login attempts from various locations around the world. These login attempts were not targeted; they simply show how many automated software programs are running 24/7 around the world, randomly testing different connections for unprotected access interfaces. This was a small yet highly effective demonstration of just how unsecure the modern-day Internet has become, and why having strong security measures in place is essential for even small office networks, never mind large-scale control networks.
Background
The introduction of Ethernet networking into the utility and industrial worlds was a definite milestone and brought about the ability to fully control huge enterprises across large geographical locations without the need for thousands of individual hardwired connections and additional hardware such as signal repeaters or amplifiers. Ethernet allows for much more granular remote control and monitoring of both digital and analogue data over a single infrastructure. As the standards were widely adopted, the rest of the industry followed closely, with IEDs, PLCs and other end devices quickly being developed to directly support various Ethernet-based control technologies, such as Modbus TCP (for the industrial side) or IEC 61850 [1] (for use in utility networks).
At first these networks were mostly isolated, smaller networks servicing just a single plant, substation or factory, but this quickly expanded to interconnect these smaller sites, with the end goal being a single network to cover all of a company's assets. In some cases this interconnection is accomplished through company-owned infrastructure, such as long-distance fibre optic cabling between sites. In most cases the cost required for these large-scale WANs greatly exceeds feasible budgets, not to mention the hassle required in installing, monitoring and maintaining such infrastructure. In these cases the only other option is to use existing infrastructure from an existing ISP.
Security Requirements on Mission Critical Control Networks
Tim Craven, H3iSquared
The modern day Internet has become unsecure, and having strong security measures in place is essential for small office networks, and certainly, for large scale control networks.
Take Note!
1. Network security is the most important aspect to consider when planning Mission Critical Networks.
2. No network will ever be completely secure from outside attacks.
3. In planning Mission Critical Networks, one needs to think like an attacker and decide whether the payoff is worth the effort involved in implementing the security.