#White Papers
Industrial Ethernet Switches Enhance Cyber Security at No Cost - Part 2
If you are more comfortable programming PLCs than implementing cyber security measures this series of blogs is for you
Its goal is to give you an overview of the security functions built into network devices so you can implement the ones that are appropriate for your application.
In the first blog, I briefly discussed Defense in Depth and how it is important to implement multiple types of defenses at different points in the control network. This best practice maximizes protection from cyber security incidents, whether they are accidental or intentional.
Part 1 also looked at ways to control access to specific devices, such as industrial Ethernet switches. In today’s blog, we look at ways to control the types of messages any device or computer can send or receive on a network.
Authentication and Port Security
In the category of “basic, but easily overlooked controls,” is the simple matter of turning off or disabling the unused ports on managed network devices. This prevents unauthorized users or devices from connecting to the network.
Now, let’s consider other means of network access. This is usually controlled using an authentication standard called 802.1x. The “x” refers to different sections of the standard.
There are numerous implementations of this standard, the most common of which is the RADIUS protocol.
802.1x defines these roles:
Supplicant: The device that wants access to the network.
Authenticator: A device on the network, such as a switch that allows or blocks messages from the supplicant. It uses information from the Authentication Server (such as a RADIUS server) to determine whether or not to accept transmissions from the supplicant. RADIUS allows access depending on the log-in credentials of a device or the device’s MAC address.
If log-in is not possible – such as the case with IO, a drive or other device that does not have a user interface device to enter log-in credentials – then the device’s MAC address is used. To facilitate ease of replacement, the first three bytes that are used to identify the manufacturer can be used. For example, all network devices sold by Schneider Electric have the same first three bytes in their MAC addresses.
If configured to allow traffic to and from MAC addresses that contain Schneider’s first three bytes, then you have a network access rule that permits all Schneider Electric devices. If a PLC fails, you can replace it with one from the same manufacturer and it will be allowed to transmit packets right away. All traffic from non-conforming devices will be blocked.
An additional means of deploying security in an existing network is to take advantage of port security, which allows a user to define the MAC or IP address of a device allowed to connect to a given port. The ability to allow access by common first three bytes or IP address range allows for easy device replacement and deployment. Any violation can lock down the port and trigger an alarm (relay output and/or SNMP trap).
Preventing DHCP-Based Network Attacks
DHCP servers distribute network configuration parameters, such as IP addresses, for interfaces and services. Here are some types of attacks that target DHCP communications:
Adding another DHCP server to the network that distributes false IP addresses, “DHCP server spoofing”
Requesting all available IP addresses, “DHCP Exhaustion Attack”
Taking over the IP address of an existing device, “IP Address Hijacking”
Such attacks can be prevented by:
Accepting only DHCP server packets from trusted ports
Comparing the client hardware address in the DHCP tables with the source MAC address of the packet
Comparing DHCP release communications from untrusted ports with settings in the “bindings table”
The bindings table is a table that correlates the IP and MAC addresses of devices. If someone is hijacking an IP address, the bindings table will show that the MAC address of the hijacker is not what it is supposed to be.
Some network devices, such as Hirschmann industrial Ethernet switches with the Hirschmann Operating System (HiOS) provide additional IP address spoofing through a capability called “IP Source Guard.” When an IP packet is received on an untrusted port, it is compared with the entries in the binding tables. If the source IP address is not located on the port, or optionally if the source MAC address is not located on the port, the packet is discarded.
Access Control Lists
Another way of regulating network access and traffic is to use the Access Control List (ACL) feature common in switches and routers. This feature filters IPv4 packets based on a number of parameters, such as source and destination IP address. ACLs can also filter Ethernet frames based on criteria, including the source and destination MAC address.
ACLs and firewalls can both filter on:
Source and destination address
Source and destination port
Protocol
There is, however, a major difference between them – only firewalls can do Stateful Inspection. In brief, Stateful Inspection involves interpreting a communication using data from the previous information exchange. This includes things like which device started the session, which device last sent a message and was the last message rejected because of error.
While ACLs evaluate a packet based on its real-time evaluation of it, firewalls look at bigger picture information exchanges and then determine which communications are valid and which are not.
Even though ACLs provide a piece of the cyber security puzzle, they do not replace firewalls.
