Fri Apr 8 06:49:41 PDT 2016

Zones: Sensor and actuator connections to PLCs: How should sensors and actuators be connected to PLCs?


Options:

Option A: Connect sensors and actuators to PLCs on isolated network segments.
Option B: Connect sensors and actuators to PLCs over ICS-only restricted access network zone local segments.
Option C: Connect sensors and actuators to PLCs over dedicated encrypted tunnels through intervening infrastructure to distant ICS restricted zones.
Option D: Connect sensors and actuators to PLCs over non-dedicated encrypted tunnels through intervening infrastructure using ICS-only restricted zones.
Option E: Connect sensors and actuators to PLCs over encrypted tunnels through intervening infrastructure using normal open networks.
Option F: Connect sensors and actuators to PLCs using otherwise unprotected open networks.

Decision:

Sensor and actuator connections to PLCs should be protected as follows:

Consequence  Threat  Other factor                        Approach(es)
High         High    --                                  Connect sensors and actuators to PLCs on isolated network segments
High         Med-    --                                  ANY of the above
                                                         OR Connect sensors and actuators to PLCs over ICS-only restricted access network zone local segments
Med          High    Expertise Med-                      ANY of the above
Med          High    High expertise                      ANY of the above
                                                         OR Connect sensors and actuators to PLCs over dedicated encrypted tunnels through intervening infrastructure to distant ICS restricted zones
Med          Med     real-time behavior IS critical      ANY of the above
Med          Med     real-time behavior is NOT critical  ANY of the above
                                                         OR Connect sensors and actuators to PLCs over non-dedicated encrypted tunnels through intervening infrastructure using ICS-only restricted zones
Med          Low     real-time behavior IS critical      ANY of the above EXCEPT Connect sensors and actuators to PLCs over non-dedicated encrypted tunnels through intervening infrastructure ...
Med          Low     real-time behavior is NOT critical  ANY of the above
                                                         OR Connect sensors and actuators to PLCs over encrypted tunnels through intervening infrastructure using normal open networks
Low          --      --                                  ANY of the above

Table: Connecting sensors and actuators to PLCs

Basis:

The relevant part of the option space is characterized by the mix of connection locality, use restriction, and encryption. The options can be understood in terms of the expression {Direct connect | {Plant-local network {ICS-only | Mixed restricted} | Multi-location network {ICS-only | Mixed restricted | Open}} x {Encrypted tunnel | Open}}. This maps onto the threat vs. consequence space with the addition of available expertise. Here are the basic options in detail:

Connections:
Sensors and actuators should never need to connect to anything other than programmable logic controllers (PLCs); less frequently they connect to supervisory control and data acquisition (SCADA) systems, rarely to human machine interfaces (HMIs) or remote terminal units (RTUs), and in some cases to data historians. To the extent that they are connected to other components, this is problematic from a security standpoint. In most cases, sensors and actuators require connection only to PLCs and should be so limited. So-called intelligent sensors and actuators normally require two-way communications with PLCs, so complete isolation or one-way connections are infeasible for them, while simple sensors and actuators need no such protection because they are not programmable and only send what they sense and act on what they are sent.

The list of alternatives is given in order from the most sure to the least sure, with the weaknesses of each accruing to those later in the list.
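Because the approaches are ordered from most sure to least sure, every "ANY of the above" cell in the Decision table is a prefix of that ordered list, and the single "EXCEPT" row removes one entry from such a prefix. The Python below resolves the table for a given situation on that basis. It is an added example for this page, not code from the original or from its author; the Situation field names, the level labels, the short approach names, and the reading of the table's "Med-" as "Medium or lower" are assumptions of the example.

```python
"""Checker for the sensor/actuator-to-PLC decision table.

Added example, not code from the original page or its author.  It encodes
the Decision table together with the "most sure to least sure" ordering of
approaches from the Basis section, so that the table's cumulative
"ANY of the above" and "EXCEPT" cells can be resolved for a given situation.
Assumptions: "Med-" is read as "Medium or lower"; the Situation fields, level
labels and short approach names are this example's own.
"""
from dataclasses import dataclass
from typing import FrozenSet

# Approaches in the page's order, most sure first.  Each later approach
# accrues the weaknesses of those before it, which is what makes
# "ANY of the above" a prefix of this tuple.
APPROACHES = (
    "isolated network segments",
    "ICS-only restricted access network zone local segments",
    "dedicated encrypted tunnels to distant ICS restricted zones",
    "non-dedicated encrypted tunnels using ICS-only restricted zones",
    "encrypted tunnels using normal open networks",
    "otherwise unprotected open networks",   # never permitted by the table
)

LEVELS = ("Low", "Med", "High")


@dataclass(frozen=True)
class Situation:
    consequence: str            # Low | Med | High
    threat: str                 # Low | Med | High
    expertise: str = "Med"      # available engineering expertise: Low | Med | High
    realtime_critical: bool = True


def _upto(last: int) -> FrozenSet[int]:
    """Indexes of APPROACHES[0] .. APPROACHES[last], i.e. 'ANY of the above'."""
    return frozenset(range(last + 1))


def _validate(s: Situation) -> None:
    for name, value in (("consequence", s.consequence), ("threat", s.threat),
                        ("expertise", s.expertise)):
        if value not in LEVELS:
            raise ValueError(f"{name} must be one of {LEVELS}, got {value!r}")


def permitted_approaches(s: Situation) -> FrozenSet[int]:
    """Return the set of APPROACHES indexes the Decision table permits for s."""
    _validate(s)
    c, t = s.consequence, s.threat
    if c == "High":
        # High/High: isolated segments only.  High/Med- (threat Medium or lower,
        # the assumed reading of "Med-") also admits ICS-only local segments.
        return _upto(0) if t == "High" else _upto(1)
    if c == "Med":
        if t == "High":
            # Dedicated encrypted tunnels over distance need High expertise.
            return _upto(2) if s.expertise == "High" else _upto(1)
        if t == "Med":
            # Non-dedicated tunnels only when real-time behavior is NOT critical.
            return _upto(2) if s.realtime_critical else _upto(3)
        # Med/Low: the one EXCEPT row removes non-dedicated tunnels when
        # real-time behavior IS critical; otherwise encrypted tunnels over
        # normal open networks also become admissible.
        return (_upto(3) - {3}) if s.realtime_critical else _upto(4)
    # Low consequence, any threat: anything above, still never unprotected open networks.
    return _upto(4)


def is_permitted(s: Situation, approach: str) -> bool:
    """True if the named approach (an entry of APPROACHES) is permitted for s."""
    return APPROACHES.index(approach) in permitted_approaches(s)


def least_sure_permitted(s: Situation) -> str:
    """The least sure approach the table still permits, i.e. the most relaxed choice."""
    return APPROACHES[max(permitted_approaches(s))]


if __name__ == "__main__":
    # Constructed scenarios, not cases taken from the page.
    scenarios = [
        Situation("High", "High"),
        Situation("Med", "High", expertise="Low"),
        Situation("Med", "Low", realtime_critical=True),
        Situation("Low", "High"),
    ]
    for sc in scenarios:
        names = [APPROACHES[i] for i in sorted(permitted_approaches(sc))]
        print(f"{sc}\n  permitted: {names}")
```

Because the permitted set is always a prefix of the ordered list (minus the one EXCEPT entry), a candidate design can be checked with `is_permitted`, and `least_sure_permitted` shows how far down the list a given situation allows one to go; the unprotected-open-network approach never appears in any result, matching the Basis text.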

  • Connect sensors and actuators to PLCs on isolated network segments: This is the normal case, in which a sensor or actuator uses a local connection, typically a serial port or a wire from/to a D-A/A-D converter or similar, carrying analog voltages or currents or a protocol like Fieldbus, Modbus, etc. These are point-to-point connections that never leave the controlled area and are either directly wired (when in close proximity) or run through patch panels, and are physically separated from other connections. In some cases, multiple low-bandwidth signals may be carried through time or space division multiplexing (TDM/SDM) or other aggregation methods that preserve signal separation and fixed group delay and bandwidth, for long runs or runs between physical spaces within a plant, while remaining on networks internal to the plant and each running its own protocol in isolation. The key property is that all point-to-point communications paths have known behaviors that are not influenced by non-physical configurations or by the behavior of other point-to-point traffic.

  • Connect sensors and actuators to PLCs over ICS-only restricted access network zone local segments: In this approach, a local IP or similar packet-switched shared connection infrastructure is used for ICS communications only, confined to a local network segment, with no non-ICS traffic within that segment. The limitation to ICS-only traffic implies the ability to design the network and the ICS(s) so that no component can consume enough network resources to slow or disrupt traffic between time-critical components. In essence, this replaces single wire runs and aggregators with a local unified IP-based network that can use packet switching and routing, but whose influences can still be bounded so as to meet engineering requirements. However, in such a network, if one component is maliciously altered the entire network may be affected, switching infrastructure configuration changes can alter point-to-point behaviors, and point-to-point traffic behaviors are influenced by other point-to-point and/or broadcast traffic.

  • Connect sensors and actuators to PLCs over dedicated encrypted tunnels through intervening infrastructure to distant ICS restricted zones: In this approach, the PLCs, sensors, and/or actuators are located in ICS-only restricted network zones, some of which are in distant locations. The links between locations are encrypted and dedicated lines, to the extent that intervening infrastructure can provide such connectivity, with service guarantees. Engineering allows for variances in the intervening infrastructure based on service contracts and service providers pay penalties (essentially a risk transfer) if and as they fail to meet those specifications. In such a network, the risk increases because of all of the challenges with local segments extended over distance plus the sharing of intervening infrastructure and non-local network management, which is typically a large-scale distributed control communications environment with non-fixed link controls for point of presence (POP) to POP dedicated communications lines.

  • Connect sensors and actuators to PLCs over non-dedicated encrypted tunnels through intervening infrastructure using ICS-only restricted zones: In this case, control over the real-time behavior is likely to be poor since the intervening infrastructure is subject to arbitrary interference by other users. Intentional actors may even create situations in which control signals are delayed to create positive feedback in a system designed to have negative feedback.

  • Connect sensors and actuators to PLCs over encrypted tunnels through intervening infrastructure using non-ICS-only restricted zones: In this case, since non-ICS systems may connect to or interact with ICS systems, a wide range of direct and indirect attacks on the ICS systems and on the composite system of the entire ICS become feasible, depending on the protective mechanisms and access controls associated with all of the non-ICS systems as well as all of the ICS systems. Since distributed connectivity allows multi-hop methods, this extends to all sensors and actuators in all directly and indirectly connected environments.

  • Connect sensors and actuators to PLCs over encrypted tunnels through intervening infrastructure using normal open networks: This should never be done in a production environment because direct control over sensors and actuators by malicious outsiders is almost certainly feasible. For education or other similar purposes where only play mechanisms are in use and physical damage is acceptable, this approach may be taken.

  • Connect sensors and actuators to PLCs using otherwise unprotected open networks: This is a recipe for disaster that should never be used.

Encryption: Encryption takes substantial time. For a PLC that must interact in real time with sensors and actuators, with feedback times on the order of milliseconds, encryption is in most cases not fast enough to allow both the necessary computations and the encryption to complete within the signal timing budget.

Restricted access network zone: Such a zone reduces the sources that can be used to directly influence and observe sensor and actuator inputs and outputs. When such a zone is available, it should be used unless there is a reason not to use it. Restricted zones can often be extended over intervening infrastructure through the use of encrypted tunnels, subject to surety limits associated with the encryption and intervening infrastructures.

Note that except for the direct connect modes, "smart" IP- or other protocol-enabled devices are required for operation in this way.

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved