
Securing Offshore O&G Platforms - Advanced Threats need Advanced Firewalls

June 2013 by Heather MacKenzie

One of the industry's major oil and gas trade shows, the Offshore Technology Conference (OTC), was held last month. Belden and Tofino Security had a very busy booth there, as both safety and security were hot topics with attendees. It is good to see that security is finally making the list of corporate priorities.

Now when engineers look at security, a topic they should know about is Deep Packet Inspection (DPI) and why offshore networks need to use it if they want to be secure.

Let me give you some context. You know that the critical systems managing production and safety on offshore platforms are largely based on legacy SCADA and Industrial Control System (ICS) products and protocols. Many of these products are decades old and were never designed with security in mind.

People like Dale Peterson and his Basecamp team have made an industry out of showing just how vulnerable these devices really are. Unfortunately, these same systems are now connected to external systems using Ethernet and TCP/IP. That has been great for efficiency, but it exposes mission-critical production systems to malware.

Nowadays Offshore Production Facilities need firewalls with Deep Packet Inspection to protect against advanced attacks.

Given the 20-year life cycle common for industrial systems, it will be many years before more secure SCADA and ICS devices and protocols are in widespread use. This leaves the thousands of legacy platform control systems open to attack from even the most inexperienced hacker, who can then disable or destroy most industrial controllers.

The Problem: SCADA/ICS Protocols Have no Granularity

The difficulty with legacy SCADA/ICS protocols is that they have no granularity. To the average security device, a data read message looks EXACTLY like a firmware update message.

Thus if you allow data read messages from an HMI to a PLC to pass through a traditional firewall, you are also allowing programming messages to pass through. This is a serious security issue.

You are faced with an impossible choice - keep the messages flowing that make the system run, but expose it to attacks, or block everything out. Since shutting systems down is not an option, accepting high risk has been the course taken by many. In a post-Macondo (Deepwater Horizon) world, this is not acceptable.

What can an engineer do about this? Well, fortunately, there is a solution.

The Solution: Deep Packet Inspection

The solution is a firewall that can dig deep into industrial protocols to understand the purpose of a message. This is beyond the capability of IT firewalls and is called Deep Packet Inspection.

Here’s how it works: after traditional firewall rules are applied, the DPI firewall inspects the content of messages and applies more detailed rules. For example, it determines if a message is a read or a write message and then drops all write messages.

In addition, good DPI firewalls can also “sanity check” traffic for strangely formatted messages or unusual behaviours (such as 10,000 reply messages in response to a single request message). These sorts of abnormal messages can indicate traffic created by a hacker trying to crash a PLC and they need to be blocked.
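To make the read/write distinction and the format sanity checks concrete, here is an added example (not code from the article or from any Tofino product) of a read-only Modbus TCP filter. The allowlist policy, the function names `inspect` and `build`, and the sample frames are assumptions constructed for illustration; it covers message-format checks only, not rate or behaviour checks.

```python
import struct

# Read-only function codes from the public Modbus specification.
READ_ONLY = {1: "Read Coils", 2: "Read Discrete Inputs",
             3: "Read Holding Registers", 4: "Read Input Registers"}
MBAP_LEN = 7    # transaction id (2), protocol id (2), length (2), unit id (1)
MAX_ADU = 260   # MBAP header (7) + maximum PDU (253)

def inspect(frame: bytes):
    """Return (verdict, reason) for one Modbus TCP request payload."""
    if len(frame) < MBAP_LEN + 1:
        return "DROP", "truncated frame"
    if len(frame) > MAX_ADU:
        return "DROP", "frame exceeds Modbus maximum"
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        return "DROP", "protocol id is not Modbus"
    # The length field counts the unit id plus the PDU that follows it.
    if length != len(frame) - 6:
        return "DROP", "length field does not match payload"
    func = frame[MBAP_LEN]
    if func in READ_ONLY:
        # A read request carries exactly a start address and a quantity.
        if len(frame) != MBAP_LEN + 5:
            return "DROP", "malformed read request"
        return "ALLOW", READ_ONLY[func]
    return "DROP", f"function code {func} is not on the read-only allowlist"

def build(func: int, data: bytes, tid: int = 1, unit: int = 1) -> bytes:
    """Build a constructed sample frame for the demonstration."""
    header = struct.pack(">HHHB", tid, 0, len(data) + 2, unit)
    return header + bytes([func]) + data

# Constructed samples: a port-based rule "HMI -> PLC, TCP/502" matches all of them.
_read = build(3, struct.pack(">HH", 0, 10))
SAMPLES = {
    "read 10 holding registers": _read,
    "write single register": build(6, struct.pack(">HH", 0, 0xFFFF)),
    "write multiple registers": build(16, struct.pack(">HHBH", 0, 1, 2, 7)),
    "bad length field": _read[:4] + b"\x00\xff" + _read[6:],
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:26s} -> {inspect(frame)}")
```
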

An example of a DPI firewall is Tofino Modbus TCP Enforcer, a product that uses patented Tofino Security technology for securing Modbus communications.

Tofino Security’s Deep Packet Inspection for industrial protocols and Hirschmann’s zero failover RSP Switches on display at OTC 2013. These products work together to provide high availability offshore networks.

Why DPI is Needed Now

According to Eric Byres, five years ago he would have said that DPI is just a nice-to-have capability. However, today’s generation of worms and advanced threats make it a must-have technology if you want a secure SCADA or ICS system.

The reason is that today’s malware designers and attackers know that firewalls and intrusion detection systems will spot the use of an unusual protocol instantly. They know that if the protocols on a network are normally HTTP (i.e. web browsing), Modbus and MS-SQL (i.e. database queries) then the sudden appearance of a new protocol like FTP will put the smart system administrator on his or her guard.

Thus worm designers work to stay under the radar by hiding their network traffic inside protocols that are already common on the network they are attacking. For example, many worms now hide their outbound communications in what appear to be normal HTTP messages.

Even if you suspected something was wrong, you would be stuck if all you had was a normal firewall. The simple blocking of all Modbus traffic would impact production. Without deep packet inspection (i.e. tools to inspect the contents of messages and block suspicious traffic), your hands would be tied.

DPI technology is a very powerful tool in the security tool box. It allows the engineer to block the bad stuff, yet avoid needless impact on the control system. Without it, the designers of modern worms clearly have the upper hand.

Safe, Secure, Reliable Offshore Production

Certainly DPI is not a silver bullet for security – no technology is. At Belden we are working hard to make our cable, connectors, switches and cyber security products work together for a complete solution – a solution that provides safe, secure and reliable offshore production.

