By Frank Dickman
United Water operates and manages water and wastewater systems that serve about 7 million people across the US. Over the past 30 years the company has used a variety of methods to connect to remote sites, including modems, leased lines, dry pairs, and licensed radio. United Water supports over 300 remote field sites company-wide.
In 2009, the company was proactively planning to increase the security of its SCADA control networks. The systems engineering group, corporate IT department and an outside consulting firm were involved in the project and the security product evaluations.
“We needed an industrial solution, particularly for our remote sites,” said Keith Kolkebeck, systems engineering project manager for United Water. “We needed a solution that was easy to configure, powered by 24 VDC, met our IT security standards, and could hold up to years of operation in a harsh environment. In the past, we had mixed results using office network-grade products that were expensive, required special skills to configure, and failed frequently.”
In early 2010, United Water was introduced to the mGuard® family of industrial network security devices from Phoenix Contact, created and developed by its subsidiary Innominate Security Technologies. The family consists of small, industrial-rated modules that combine router, firewall, encrypted VPN tunnels, filtering of incoming and outgoing connections, authentication and other functions to provide layers of distributed “defense-in-depth.”
The devices are available in various industrial-rated designs: for DIN-rail mounting, for 19-inch rack mounting in cabinets, as PCI cards, or as dongle-style patch cords for roaming technicians. The hardened, industrial version of mGuard has been in production since 2005 and has proven effective in thousands of demanding installations. Rated IP20 for mounting in factory enclosures, the devices can be installed and enabled by technicians rather than network administrators.
After review of the technology, the United Water IT Department was receptive to the concept as it would allow process personnel to deploy and maintain their own networks, freeing up IT for other tasks. The company initially installed a dozen devices as a test bed.
“The ability for the mGuard to do AES-256 encryption along with its industrial design was key,” Kolkebeck said. “By default, the mGuard is configured in its most secure configuration. Previously, it would require a day’s time of an experienced IT technician, whereas now we can roll out a new VPN device in 10 minutes.”
In “Stealth Mode” these products are completely transparent, automatically assuming the MAC and IP address of the equipment to which they are connected, so that no additional addresses are required to manage the network devices. No changes need to be made to the network configuration of the existing systems involved. The devices operate transparently, monitoring and filtering traffic to the protected systems with a stateful packet firewall, according to rules that can be configured via templates from a centrally located server.
With bi-directional wire-speed throughput, the devices add no perceptible bottleneck or latency on a 100 Mb/s Ethernet network.
If required, the security of networked equipment may be further enhanced. Specific user firewall rules can restrict the type and duration of access to authorized individuals, who may log in and authenticate themselves from varying locations, PCs, and IP addresses. Virtual Private Network functions provide secure authentication of remote stations and encryption of data traffic. CIFS Integrity Monitoring can detect unexpected modifications of executable code on file systems, by Stuxnet-derived malware for instance, and alert administrators; it reports the change rather than preventing it.
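To make the integrity-monitoring idea concrete, here is an added Python illustration that is not mGuard's or United Water's code: it baselines SHA-256 hashes of executable files under a share and reports binaries that were added, removed or modified since the baseline. The watched suffixes and the constructed sample files are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Suffixes treated as executable code (assumption: a typical Windows SCADA host).
WATCHED_SUFFIXES = {".exe", ".dll", ".sys", ".ocx", ".bat"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every watched file under root (POSIX-style relative path) to its hash."""
    base = Path(root)
    return {
        p.relative_to(base).as_posix(): sha256_of(p)
        for p in base.rglob("*")
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }


def compare(baseline: dict, current: dict) -> dict:
    """Return the deviations an administrator should be alerted about."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then a DLL is altered and a new EXE appears."""
    with tempfile.TemporaryDirectory() as root:
        hmi = Path(root) / "Vendor" / "HMI"
        hmi.mkdir(parents=True)
        (hmi / "runtime.exe").write_bytes(b"MZ original runtime")
        (hmi / "driver.dll").write_bytes(b"MZ original driver")
        (hmi / "readme.txt").write_bytes(b"not code, so not watched")
        baseline = build_baseline(root)
        # Unexpected changes to executable code on the share.
        (hmi / "driver.dll").write_bytes(b"MZ tampered driver")
        (hmi / "update.exe").write_bytes(b"MZ dropped binary")
        return compare(baseline, build_baseline(root))
```

Running `demo()` reports `driver.dll` as modified and `update.exe` as added, while the unchanged `runtime.exe` and the unwatched `readme.txt` produce no alert.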
“We were implementing multiple measures into our SCADA network in order to actively monitor our system. We utilize network segmentation, VLANs, and centralized firewalls and were looking to introduce intrusion detection (IDS) and intrusion prevention (IPS) systems into our network. The mGuard is a tool that allows us to perform these functions,” Kolkebeck said.
Following field trials, the mGuard appliances were deployed to provide protection through their firewall, VPN, routing and trap functions.
“We currently have mGuard security modules deployed in multiple locations throughout the Northeast,” Kolkebeck said. “We are saving money on remote support from our staff and outside contractors. Site visits are no longer required for minor code changes and troubleshooting.”
About the Author: Frank Dickman is an engineering consultant based in Chicago. He can be reached at [email protected].
For more information about current threats to networked industrial equipment, a comprehensive 18-page White Paper “Hacking the Industrial Network,” including footnotes, clickable Internet research links and detailed references, is available for download at www.innominate.com. An accessible discussion of “Post-Stuxnet Industrial Security” is also available.