Gas manufacturer defends SCADA systems

Separating industrial control network from business network reduces risk of cyberattack

A large medical-grade gas firm is installing intrusion-prevention systems to head off the kind of security problems that the government fears are a menace to power utilities and other essential industries.

At each of Air Liquide Large Industries' 130 plants in the United States, representing 4,500 users, the $323 million company can now segment its Internet-exposed business network from its supervisory control and data acquisition (SCADA) network - the network that monitors and controls the devices that run the plants - using Top Layer IPS boxes, says Charles Neely Harper, director of national supply and pipeline operations for the company’s U.S. facilities.

The IPS gear tackles a problem that looms over power, chemical, petroleum and other plants that rely on SCADA networks - namely these networks are vulnerable to cyberattacks because they are connected to corporate networks with Internet access.

The U.S. Departments of Energy and Homeland Security have demanded policies that deal with protecting SCADA networks, but the problem has largely not been dealt with.

Earlier this year, for example, a security expert speaking at the RSA Conference in San Francisco recounted performing a penetration test at a power utility network during which he cracked the network using elementary social manipulation and drive-by malware downloads.

Even without malicious intent, SCADA failures result from this close linking with business networks. For example, in March a nuclear plant in Georgia was shut down for two days because the reboot of a PC to upgrade software zeroed out data on SCADA systems, and that was interpreted as a drop in cooling-system water levels.

And SCADA software itself can be vulnerable to exploits, such as the one revealed this week by Core Security, which found a buffer-overflow flaw in a commonly used commercial SCADA application.

“You can’t have your control computers be distracted from your primary business,” says U.S. Air Liquide’s Harper. “That was our model.”

Diagram of U.S. Air Liquide's network

So the company hired a consultant to recommend what to do about its architecture. At each site, the company had a distributed control system (DCS) monitored and controlled by one or two PCs, he says. The PCs were also used by engineers to perform duties on the business network. “You’d have this exposure where I could accidentally plug in this traveling laptop into this industrial network and contaminate the system,” Harper says.

To keep the DCS and business network separate, the company initially sought Layer 3 switches that would block ports to the control network, the minimal recommendation from a consultant, Harper says.

But because engineers needed to access the network remotely, Air Liquide required scripts that would let them do so, and that was a chore the company didn’t want to tackle.

By the time Air Liquide discovered it would need the scripts, it had already agreed to buy HP ProCurve switches and set aside $1 million to do so. Then it considered IPSes and came across Top Layer, which agreed to do the job for the same budget, Harper says. That was key because the devices were designed for data centers and have far more throughput than Air Liquide needs at most of its sites.

But it chose the oversized devices because it wanted uniform protection at each site that could be centrally managed, he says. The company has been deploying the Top Layer gear using an Air Liquide technician for about six months and will have it fully deployed by year-end. “Our commitment to this product was such that we added a full-time employee, which is a pretty big commitment,” Harper says.

With the IPS, Air Liquide gets the port-blocking features of a firewall plus deep packet inspection that looks for protocol anomalies that might indicate attacks. The device caught Harper’s own unpatched Microsoft PC sending nonstandard ping packets and cut it off.

It also discovered a server sandwiched between two firewalls in the company DMZ that was FTPing files to an IP address in China.

And it found machines on the network attacking other machines or pinging the network for vulnerabilities. “There is so much Windows garbage going on on the network, it’s just disgusting,” Harper says. “If this were your house it’s like having the kids’ toys thrown all over the floor all the time. Just garbage everywhere. And this box stops it all.”

At the example plant that has a DCS network and two PCs, all devices have fixed IP addresses, and the IPS device allows only designated IP addresses. “Anything else talks, it gets dumped,” says Harper. That means if someone brought in a laptop and tried to connect it to the network, its traffic would be blocked. “We’re going to dump your packets,” he says, “all of them.”
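As an added illustration, not code from the article, Air Liquide or Top Layer, the following Python model applies the policy Harper describes to constructed flow records: a fixed-IP allowlist for the control segment, a permitted-service list, an oversized-ping check, and the DMZ-server-to-external-FTP case. All addresses, ports and thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy for one plant segment (hypothetical addresses, not Air Liquide's):
# the DCS controller and the two engineering PCs are the only designated hosts.
CONTROL_NET = ip_network("10.50.0.0/24")
DMZ_NET = ip_network("192.168.100.0/24")
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ALLOWED_HOSTS = {"10.50.0.10", "10.50.0.11", "10.50.0.20"}  # PC1, PC2, DCS controller
ALLOWED_SERVICES = {("tcp", 502)}  # assumption: only the DCS protocol port is permitted
MAX_ICMP_LEN = 64                  # bytes; a larger echo request counts as a nonstandard ping

@dataclass
class Flow:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # 0 for icmp
    length: int  # packet size in bytes

def evaluate(flow: Flow):
    """Return (verdict, reason) for one observed flow: 'allow', 'drop' or 'alert'."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    touches_control = src in CONTROL_NET or dst in CONTROL_NET
    # 1. Fixed-IP allowlist: any undesignated address on the control segment is dumped.
    if touches_control and not {flow.src, flow.dst} <= ALLOWED_HOSTS:
        return "drop", "undesignated address on control segment"
    # 2. Protocol anomaly: an echo request far larger than a standard ping.
    if flow.proto == "icmp" and flow.length > MAX_ICMP_LEN:
        return "drop", "nonstandard ping packet"
    # 3. A DMZ host pushing files to an address outside the company's networks.
    external = not any(dst in net for net in INTERNAL_NETS)
    if src in DMZ_NET and external and flow.proto == "tcp" and flow.dport == 21:
        return "alert", "outbound FTP from DMZ to external address"
    # 4. Port blocking between designated hosts: only listed services pass.
    if (touches_control and flow.proto != "icmp"
            and (flow.proto, flow.dport) not in ALLOWED_SERVICES):
        return "drop", "service not permitted on control segment"
    return "allow", "matches policy"

# Constructed sample flows mirroring the article's findings plus normal traffic.
SAMPLE_FLOWS = [
    Flow("10.50.0.10", "10.50.0.20", "tcp", 502, 60),      # engineering PC -> DCS
    Flow("10.50.0.99", "10.50.0.20", "tcp", 502, 60),      # visiting laptop on the segment
    Flow("10.50.0.11", "10.50.0.20", "icmp", 0, 1400),     # oversized ping from a PC
    Flow("192.168.100.5", "203.0.113.7", "tcp", 21, 120),  # DMZ server FTPing outward
    Flow("10.50.0.10", "10.50.0.20", "tcp", 445, 90),      # SMB between designated hosts
]

def verdicts(flows):
    return [evaluate(f)[0] for f in flows]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src:>14} -> {f.dst:<14} {f.proto}/{f.dport}: {evaluate(f)}")
```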

The Top Layer gear also gets around a regulatory challenge that triggers revalidation of the entire plant’s network if any PCs are replaced or changed. The IPSes fall outside that requirement, so revalidation is not an issue, Harper says, saving the company the time and staff needed to process a revalidation.
