[foxboro] Foxboro I/A OPC - Security - foxboro

[foxboro] Foxboro I/A OPC - Security

From: "Lieven Taleman" <lieven.taleman@xxxxxxxxx>
To: <foxboro@xxxxxxxxxxxxx>
Date: Sat, 11 Mar 2006 13:49:43 +0100
Hi List,

Security is also one of my hot topics. Based on my experience on building a
more secure Foxboro I/A system for a large Plant, I would like to make some
basic comments :

1. What is security in automation ?
Prevent unwanted and uncontrolled actions made by human interaction. This
can be any type of interaction (manual on the field,local software, remote
software,...)

2. Determine all possible input sources
An automation plant is controlled by operators, production
leaders,engineers,external engineers and others. Each of them has a specific
task and responsability. In actual plants software guides and limits the
handlings based on each persons profile.
Besides the "control guys" administration people requires process parameters
to see what has been processed and make an inventory of the profits. For
this the control system is linked to the administration network and here
comes the pittfall...

3. Roots of the control system
A control system needs access to external devices. For this some background
processes require full access (say root) to all components of the computer.
A software guy loves to work under full access (say root) because than he
does not has to worry about "permission denied" issues.
On the other hand a control system is rather an "old system" and in the
beginning security was an unknown word.

4. How secure is your system ?
Because many of us is not aware of how the control system really works, it
is installed by default. Well this is the same type of security as buying a
wireless router for your home. Unpacking and installing it by using the
default settings. If your neighbour has already done this, you can easy use
his wireless router and internet connection. Its an open world!

Just a little test for your own system : If you have a Unix IA system and it
is connected to the administrative network without firewall or IPSEC zone.
Just try to setup a telnet session to the IP adress of your unix box type in
"root" as login and its default password. Once you get your unix prompt you
can do anything.
So please start by changing the default password !!

5. Security guidelines
- Install a router or firewall between the administrative and control
system. Create a seperate IPSEC zone
- Do not let anyone gets access to the unix shell or command prompt as root.
Only the single administrator can have this privilege. Create an individual
login for those who needs access.
- Log every action. On Unix BSM is an easy and great feature.
- Create different environments and put only the required functions in it
(avoid VT100 local!!)
- Log your control changes, alarms, operator action, system messages,...
- Make regularly backups both full and incremental of file backups.
- Investigate your system regularly.
- Investigate the firewall logs and see which IP-addresses makes access.
A company spends a lot of money to capture and store all process parameters,
with a little extra effort the same can be done with the system itself.

6. Return on investment.
This is the main problem of the security issue. No one can put a price on
it. I have the experience that if you have a good logging interface, you
have a very good instrument to attack problems.
In regulations "Measuring is knowing". Well its worth to investigate some
time in how to interprete the loggings and you will see that occuring
problems can be much better understood and prevented in the future. Thats
your real return on investment.

Security is not needed in an ideal world with angles, but we live in a world
with angles AND devils!!!

Greetings,
Lieven Taleman
lieven.taleman@xxxxxxxxxx
Talsoft - Belgium


 
 
_______________________________________________________________________
This mailing list is neither sponsored nor endorsed by Invensys Process
Systems (formerly The Foxboro Company). Use the info you obtain here at
your own risks. Read http://www.thecassandraproject.org/disclaimer.html
 
foxboro mailing list:             //www.freelists.org/list/foxboro
to subscribe:         mailto:foxboro-request@xxxxxxxxxxxxx?subject=join
to unsubscribe:      mailto:foxboro-request@xxxxxxxxxxxxx?subject=leave
[foxboro] Foxboro I/A OPC - Security

Other related posts:
