Skip Links

Gas manufacturer defends SCADA systems

Separating industrial control network from business network reduces risk of cyberattack

By , Network World
June 12, 2008 04:15 PM ET

Network World - A large medical-grade gas firm is installing intrusion-prevention systems to circumvent security problems that the government fears are a menace to power utilities and other essential industries.

At each of Air Liquide Large Industries' 130 plants in the United States representing 4,500 users, the $323 million company can now segment its Internet-exposed business network from its supervisory, control and data acquisition (SCADA) network - the network that monitors and controls the devices that run the plants, via Top Layer IPS boxes, says Charles Neely Harper, director of national supply and pipeline operations for the company’s U.S. facilities.

The IPS gear tackles a problem that looms over power, chemical, petroleum and other plants that rely on SCADA networks - namely these networks are vulnerable to cyberattacks because they are connected to corporate networks with Internet access.

The U.S. Departments of Energy and Homeland Security have demanded policies that deal with protecting SCADA networks, but the problem has largely not been dealt with.

Earlier this year, for example, a security expert speaking at the RSA Conference in San Francisco recounted performing a penetration test at a power utility network during which he cracked the network using elementary social manipulation and drive-by malware downloads.

Even without malicious intent, SCADA failures result from this close linking with business networks. For example, in March a nuclear plant in Georgia was shut down for two days because the reboot of a PC to upgrade software zeroed out data on SCADA systems, and that was interpreted as a drop in cooling-system water levels.

And SCADA software can be vulnerable to exploits, such as the one revealed this week by Core Security, which found the buffer-overflow flaw in a commonly used commercial SCADA application.

"You can’t have your control computers be distracted from your primary business,” says U.S. Air Liquide’s Harper. “That was our model."

So the company hired a consultant to recommend what to do about its architecture. At each site, the company had a distributed control system (DCS) monitored and controlled by one or two PCs, he says. The PCs were also used by engineers to perform duties on the business network. “You’d have this exposure where I could accidentally plug in this traveling laptop into this industrial network and contaminate the system,” Harper says.

To keep the DCS and business network separate, the company initially sought Layer 3 switches that would block ports to the control network, the minimal recommendation from a consultant, Harper says.

But because engineers needed to access the network remotely, Air Liquide required scripts that would let them do so, and that was a chore the company didn’t want to tackle.

By the time Air Liquide discovered it would need the scripts, it had already agreed to buy HP ProCurve switches and set aside $1 million to do so. Then it considered IPSes and came across Top Layer, which agreed to do the job for the same budget, Harper says. That was key because the devices were designed for data centers and have far more throughput than Air Liquide needs at most of its sites.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News