Unbreakable SCADA security

Paul Boughton

Protecting hydrocarbon facilities and pipeline networks. Frank Dickman reports.

Located in the heart of Russia, the rich Samotlor hydrocarbon field was discovered in the 1960s. It is the largest oil and gas field in the country. It lies in Western Siberia where temperatures can range from -58°F in winter to 95°F in summer.

In this area, a subsidiary of one of the top ten privately owned oil companies in the world operates 8,300 production wells and 2,700 injection wells fitted with the latest equipment, spread over 1,750 square kilometres of the field, with 1,100 kilometres of oil pipeline, 1,200 kilometres of water pipeline and 2,100 kilometres of surfaced road. Production exceeds 22 million tons of hydrocarbons, and the company transports 5 billion cubic metres of natural gas.

The parent company is far more vertically integrated than its American counterparts, in that it controls exploration, construction, production, transportation, processing and distribution all the way to the retail level, including 1,500 filling stations.

The Russian subsidiary has so far relied on radio links both for centrally monitoring flow, pressure, temperature, viscosity, composition, water content and other sampling data from the gathering fields, and for the SCADA systems that command valves, pumps and compressors. This approach suffers from low bandwidth and a lack of security: anyone with an antenna and a receiver can monitor unencrypted radio telemetry, and where neither the radio link nor the protocol carried over it authenticates the sender, anyone with a transmitter can inject commands that the receiving equipment cannot distinguish from legitimate ones.

The Russians face the same potential risks to their critical hydrocarbon infrastructure as operators in the USA do. Fuel distribution is vital to the economy. Pipelines need to be monitored and maintained. Like the Alaskan pipeline, many Russian pipelines run long distances aboveground through remote areas. There always exists the threat of malfeasance, malware, malcontents and mischief.

To Russia, with love

Since August 2011 these oil field networks have been upgraded from insecure radio modems to WiMAX (Worldwide Interoperability for Microwave Access), a wireless technology for delivering high-speed Internet access across large geographic areas. In the USA it has been marketed by cellular providers as part of the fourth-generation ('4G') network that carries the advanced Internet features of the latest cellular devices.

High-speed digital cellular communication has big advantages over slow and insecure radio modems. But as any perusal of the latest celebrity news will show, Internet-capable cell phones can be intercepted, infected, cloned, hacked and diverted. A carrier's network is also outside the operator's control, so protection has to come from the operator's own endpoints, with encryption and authentication applied end to end. The Russians were therefore looking for an appropriate technology to protect against eavesdropping and manipulation by competitors, foreign or domestic.

'Factory level' device

While searching for a simple, economical, commercially available solution, the Russians examined what was available in the marketplace and chose a proven 'factory level' device, the FL mGuard from Phoenix Contact, created and developed by Innominate Security Technologies. The system was specifically designed for harsh environments and consists of small, economical, industrial-rated modules that incorporate router, firewall, encryption, authentication and other functions; it can be installed without disturbing production.

An FL mGuard creates secure data communication via Virtual Private Network (VPN) tunnels. A VPN provides strong security over public telecom networks such as the Internet, replacing the need to requisition and maintain expensive dedicated leased-line circuits in wide area networks. Among other features, the mGuard provides IPsec (Internet Protocol Security), with all tunnel traffic encrypted using the Advanced Encryption Standard with 256-bit keys (AES-256), the longest key length the standard defines and the algorithm standardised by NIST and adopted by the US government. In a standard IPsec configuration every packet also carries an integrity check, so a packet altered in transit is discarded rather than decrypted and forwarded.

Communication with control devices is only allowed from designated locations. The tunnels are authenticated with strong keys rather than passwords: either a long random pre-shared key, or X.509 certificates issued by a certificate authority (CA) that tie each tunnel endpoint to a specific command-and-control workstation. Note that a certificate identifies the workstation (strictly, whoever holds its private key), not the person sitting at it, so login and access control on the workstation itself remain part of the security chain.

The mGuard device filters all outgoing as well as incoming data packets. Any connection attempt that does not match a configured rule, or that does not belong to a connection already established through the firewall, is discarded, which stops port scans, unsolicited inbound connections and attempts to reach services other than the ones explicitly allowed. The limit of this method should be stated plainly: a packet filter judges addresses, ports and connection state, not the content of allowed traffic, so a valid command sent from a compromised but authorised workstation passes like any other. The firewall rules and the VPN's authentication therefore work together: only a designated endpoint can reach a PLC, and only on the permitted protocol.
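The filtering just described, as an added example rather than the mGuard's own code or configuration format: a default-drop stateful packet filter in Python, with one rule allowing a designated workstation to reach a PLC on Modbus/TCP. The addresses (10.0.1.5 for the control workstation, 192.168.10.20 for the PLC, 10.0.1.77 for an unlisted host) and the Modbus/TCP payloads are constructed for the demonstration. The optional `modbus_read_only` check goes beyond a pure packet filter: it is included to show concretely what a stateful filter alone does not do, namely look inside allowed traffic.

```python
"""Toy stateful packet filter with an optional Modbus/TCP function-code check.

Added example, not Phoenix Contact or Innominate code. Hosts, ports and payloads
are constructed; TCP/502 is the standard Modbus/TCP port.
"""
from dataclasses import dataclass

# Modbus function codes that change PLC state (coils/registers); everything else is a read.
MODBUS_WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN (no ACK): a new connection attempt
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    src: str            # exact address or "any"
    dst: str
    proto: str
    dport: int
    action: str         # "accept" or "drop"


class StatefulFilter:
    """Default-drop: new flows must match an accept rule; replies ride on recorded state."""

    def __init__(self, rules, modbus_read_only=False):
        self.rules = list(rules)
        self.modbus_read_only = modbus_read_only
        self.flows = set()      # (proto, src, sport, dst, dport) of accepted flows
        self.log = []

    def _first_match(self, p):
        for r in self.rules:
            if (r.src in ("any", p.src) and r.dst in ("any", p.dst)
                    and r.proto == p.proto and r.dport == p.dport):
                return r
        return None

    @staticmethod
    def _modbus_function(payload):
        # MBAP header is 7 bytes (transaction id, protocol id, length, unit id); then the function code.
        return payload[7] if len(payload) >= 8 else None

    def process(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.flows or rev in self.flows:
            verdict = "accept"                    # part of an established flow
        elif p.proto == "tcp" and not p.syn:
            verdict = "drop"                      # no state and not a SYN: stray or spoofed
        else:
            rule = self._first_match(p)
            verdict = "accept" if rule and rule.action == "accept" else "drop"
            if verdict == "accept":
                self.flows.add(fwd)
        # Protocol-aware extension: a plain stateful filter would stop at "accept" above.
        if (verdict == "accept" and self.modbus_read_only and p.dport == 502
                and self._modbus_function(p.payload) in MODBUS_WRITE_FUNCTIONS):
            verdict = "drop"
        self.log.append((verdict, p.src, p.sport, p.dst, p.dport))
        return verdict


WORKSTATION, PLC, INTRUDER = "10.0.1.5", "192.168.10.20", "10.0.1.77"   # constructed
RULES = [Rule(WORKSTATION, PLC, "tcp", 502, "accept")]                 # everything else dropped

# Constructed Modbus/TCP payloads: MBAP header, then unit id, function code, data.
MB_READ = bytes.fromhex("0001 0000 0006 01 03 0000 0001")    # read 1 holding register at 0
MB_WRITE = bytes.fromhex("0002 0000 0006 01 06 0000 00FF")   # write register 0 := 0x00FF


def run_scenario(modbus_read_only=False) -> list:
    """Push a fixed sequence of packets through the filter and return the verdicts."""
    fw = StatefulFilter(RULES, modbus_read_only=modbus_read_only)
    steps = [
        Packet(WORKSTATION, PLC, "tcp", 40000, 502, syn=True),          # operator opens connection
        Packet(PLC, WORKSTATION, "tcp", 502, 40000),                     # PLC reply rides on state
        Packet(WORKSTATION, PLC, "tcp", 40000, 502, payload=MB_READ),    # read request
        Packet(INTRUDER, PLC, "tcp", 41000, 502, syn=True),              # probe from unlisted host
        Packet(INTRUDER, PLC, "tcp", 41001, 502),                        # spoofed "established" segment
        Packet(WORKSTATION, PLC, "tcp", 40001, 22, syn=True),            # allowed host, wrong service
        Packet(WORKSTATION, PLC, "tcp", 40000, 502, payload=MB_WRITE),   # write from the trusted host
    ]
    return [fw.process(p) for p in steps]


if __name__ == "__main__":
    print("stateful only:     ", run_scenario())
    print("plus modbus check: ", run_scenario(modbus_read_only=True))
```

With the stateful rules alone the verdicts are accept, accept, accept, drop, drop, drop, accept: the probes and the wrong service are stopped, but the write command from the designated workstation is accepted, because nothing in a packet filter looks at the Modbus function code. Only the protocol-aware variant turns that last verdict into a drop.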

In 'Stealth Mode' these products are completely transparent: they automatically assume the Internet Protocol (IP) address of the equipment to which they are connected, so no additional addresses are needed to manage the network devices and no changes need to be made to the network configuration of the existing systems. The devices provide a stateful packet firewall whose rules can be configured via templates from a centrally located server or taken from the default configuration. User-specific firewall rules can restrict the type and duration of access. Optional Integrity Monitoring functionality can also protect system files against unexpected modifications of executable code, by Stuxnet-derived malware for instance, and sends alerts to administrators when a change is detected. As with any file-integrity check, it detects changes to stored files, so the reference state must be kept where the monitored system cannot alter it.
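A file-integrity check of the kind the Integrity Monitoring function provides, as an added example (not Innominate's implementation): hash every file under a directory into a baseline, re-scan later, and report what was modified, removed or added. The directory layout and file contents are constructed inside a temporary directory for the demonstration; the "tampering" step stands in for a malware infection of the monitored system.

```python
"""Build a SHA-256 baseline of a file tree and detect later changes.

Added example, not Innominate's Integrity Monitoring code. All files are
constructed in a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, suffixes=None) -> dict:
    """Map relative path -> SHA-256 for every regular file under root (optionally filtered by suffix)."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and (suffixes is None or p.suffix in suffixes)
    }


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the current tree to the baseline; any difference is an alert condition."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def alert_lines(report: dict) -> list:
    """Render the report as the lines an administrator would be sent."""
    return [f"INTEGRITY {kind.upper()}: {path}"
            for kind in ("modified", "missing", "added") for path in report[kind]]


def demo() -> dict:
    """Take a baseline, simulate a compromise, and return the integrity report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "cfg").mkdir()
        driver = root / "bin" / "plc_driver.exe"                 # constructed file names and contents
        driver.write_bytes(b"MZ\x90\x00 constructed driver image v1")
        (root / "bin" / "hmi.exe").write_bytes(b"MZ\x90\x00 constructed hmi image")
        (root / "cfg" / "tags.ini").write_text("pump1=holding:0\n")
        baseline = build_baseline(root)          # in practice: stored on the management server

        # Simulated compromise: patched executable, dropped file, deleted configuration.
        driver.write_bytes(b"MZ\x90\x00 constructed driver image v1 + injected code")
        (root / "bin" / "update.dll").write_bytes(b"MZ\x90\x00 dropped payload")
        (root / "cfg" / "tags.ini").unlink()
        return check_integrity(root, baseline)


if __name__ == "__main__":
    for line in alert_lines(demo()):
        print(line)
```

Two practical points the example makes visible: the baseline is only worth anything if it lives somewhere the monitored host cannot rewrite it and is refreshed only after a deliberate, verified update; and hashing files on disk catches code that has been changed on disk, not code injected into a running process, which needs a different control.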

The mGuard solution is a robust industrial automation technology particularly suitable for remote sites, and has previously been deployed successfully to protect stationary and mobile satellite communication uplinks in desert and jungle areas where no other communication was available. It is a solution that is easy to configure, meets rigorous IT security standards, is powered by low voltage, and can hold up for decades of operation in harsh environments. The rated mean time between failures (MTBF) is 23.6 years.

Installation is as simple as mounting the device, providing low-voltage DC power, and plugging it in between the communication device and the local network interface. In this case the local equipment consisted of Programmable Logic Controllers (PLCs) talking Modbus RTU (remote terminal unit framing) over two-pair RS-485 serial links, as is common in industrial automation environments.
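Why the field protocol itself cannot be relied on for security, and why the protection has to be added around it, can be seen from the framing of the Modbus RTU traffic just mentioned and from the radio-eavesdropping problem described earlier. The following added example (not code from the article, Phoenix Contact or Innominate) builds and checks Modbus RTU frames: the only check a receiving device performs is a CRC-16, which detects line noise but which anyone can recompute, so an eavesdropper who has read one polling request can produce a write command the device will accept. The unit id, register address and "captured" frame are constructed for the demonstration.

```python
"""Modbus RTU framing: a CRC is error detection, not authentication.

Added example; the captured frame and register numbers are constructed.
"""

READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_frame(unit: int, function: int, data: bytes) -> bytes:
    """Unit id + function code + data, followed by the CRC, low byte first."""
    body = bytes([unit, function]) + data
    crc = crc16_modbus(body)
    return body + bytes([crc & 0xFF, crc >> 8])


def verify_frame(frame: bytes) -> bool:
    """Everything a receiving RTU checks: minimum length and the CRC. Nothing identifies the sender."""
    if len(frame) < 4:
        return False
    body, crc_bytes = frame[:-2], frame[-2:]
    expected = crc16_modbus(body)
    return crc_bytes == bytes([expected & 0xFF, expected >> 8])


def parse_frame(frame: bytes) -> dict:
    """Decode a read-holding-registers (0x03) or write-single-register (0x06) request."""
    if not verify_frame(frame):
        raise ValueError("bad CRC or truncated frame")
    unit, function = frame[0], frame[1]
    address = int.from_bytes(frame[2:4], "big")
    value = int.from_bytes(frame[4:6], "big")   # quantity for 0x03, register value for 0x06
    return {"unit": unit, "function": function, "address": address, "value": value}


def read_holding_registers(unit: int, address: int, quantity: int) -> bytes:
    return build_frame(unit, READ_HOLDING_REGISTERS,
                       address.to_bytes(2, "big") + quantity.to_bytes(2, "big"))


def write_single_register(unit: int, address: int, value: int) -> bytes:
    return build_frame(unit, WRITE_SINGLE_REGISTER,
                       address.to_bytes(2, "big") + value.to_bytes(2, "big"))


# Constructed "capture" of one polling request as it might be heard on an unencrypted link:
# unit 1, read one holding register starting at address 0 (CRC 0x0A84, sent as 84 0A).
CAPTURED = bytes.fromhex("01 03 00 00 00 01 84 0A")


def forge_from_capture(captured: bytes, new_value: int) -> bytes:
    """The eavesdropper's move: learn unit id and register from the capture, then write to it.

    At the Modbus layer the forged frame is indistinguishable from a legitimate one.
    """
    seen = parse_frame(captured)
    return write_single_register(seen["unit"], seen["address"], new_value)


def corrupt(frame: bytes) -> bytes:
    """Flip one data bit without fixing the CRC: noise is caught, an attacker simply recomputes."""
    b = bytearray(frame)
    b[4] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    print("captured frame valid:", verify_frame(CAPTURED), parse_frame(CAPTURED))
    forged = forge_from_capture(CAPTURED, 0x00FF)
    print("forged write:", forged.hex(" "), "accepted by RTU:", verify_frame(forged))
    print("noise-corrupted frame accepted:", verify_frame(corrupt(forged)))
```

The defence in the article does not change this protocol at all; it wraps the link carrying it in an IPsec tunnel, so that what leaves the site is ciphertext with a per-packet integrity check, and a frame that did not come from an authenticated tunnel endpoint never reaches the RS-485 side.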

Internet connectivity

Using Internet connectivity and a password-protected login, the security device can be set up in the field and enabled in moments from a template on the manufacturer's website. Such onsite configuration does not require experienced IT personnel; it can be performed by a novice technician. By default the device ships in its most restrictive configuration (the administrator password, as on any such device, should be changed before it goes into service). Alternatively, as in this instance, Innominate Device Manager (IDM) software installed on a customer control server is used to set up and enable large groups of mGuard devices via pre-created application templates.

The system is effective and the implementation cost is low. It commonly requires fewer than a dozen units to secure an entire facility. The FL mGuard RS VPN model fits in the palm of a hand.

The client in this article initially ordered 650 FL mGuard units, and has since ordered another 250 units, giving some idea of the size, commitment and extent of the project to date. Their decision to import foreign technology paid for in hard currency (Euros) should not be overlooked. By the time you read this, 1,000 units will have been installed.

Frank Dickman is an engineering consultant based in Chicago, USA. Innominate Security Technologies AG is based in Berlin, Germany. www.innominate.com
