Supervisory control and data acquisition systems (SCADA), or industrial control systems (ICS), have been monitoring and controlling our industrial, power and refinery world since the 1960s.
SCADA started out analog, focused on monitoring physical qualities, such as pressure, temperature, viscosity, voltage levels, liquid flow, wind/air speed, and salinity. SCADA systems typically operated as an independent system, telling human operators if the system they were monitoring was working within correct parameters. The systems then report back to computers that calculated if everything was okay; if not, it makes the decision to either change parameters or shut down the systems that were in danger.
Industrial control system (ICS) describes the critical infrastructure network connectivity of hardware and software integration in industrial environments. ICS includes supervisory control and data acquisition (SCADA) and distributed control systems (DCS), industrial automation and control systems (IACS), programmable logic controllers (PLCs), programmable automation controllers (PACs), remote terminal units (RTUs), control servers, and intelligent electronic devices (IEDs) and sensors.
At one time, SCADA and ICS systems were considered completely independent from each other, and each had different human interface, reporting programs/methods, communications methods, languages, alert/failure alarm systems, and methods. Today, with the adoption of Ethernet and the internet are becoming part of the industrial system operation and a sub-assembly of the Internet of Things (IoT).
Ethernet Introduces SCADA Vulnerabilities
Ethernet brings interoperability, bandwidth efficiency, and finer granularity to SCADA environments, which results in greater savings or earnings (depending on your organization’s goals). Industrial environments now also face the same vulnerabilities from the networking world as the rest of us—an IP doorway in.
Once an IP address is identified, these systems—including sensors, controls, and human machine interface displays (HMI)—are hackable.
Four Visibility Solutions for Securing SCADA
Arguably the most important aspect for securing your Industrial environment is network visibility. Putting expensive security and monitoring appliances in place and investing in employee training won’t help defend if the network isn’t designed with visibility in mind. Like traditional network security, packets are delivered to out-of-band solutions by either Network TAPs or SPAN, which can then be coupled with Network packet brokers (NPBs) to aggregate and groom packet data for out-of-band solutions.
When critical infrastructures are involved, companies can’t afford blindspots, drop packets, traffic bottlenecks or suffer network downtime. Deploying network TAPs throughout the Industrial framework ensures uptime and eliminates the packet delivery issues that SPAN/Mirror ports inevitably introduce. Unfortunately many engineers may know they need a TAP but cannot find the right one for their environment. Here are four unique tapping options for your SCADA environment.
1) Providing Visibility for PC104 Command and Control Networks
The solution brings visibility from the traditional Ethernet arena to the PC104 command and control network. The PC104 or PC/104 is the interconnect standard for embedded industrial technology. The standard allows consumers to stack together boards from a variety of manufacturers to produce a customized embedded system.
The other boards are the access to the RTU (remote terminal unit), meaning they interpret what is being monitored (for example, heat/temperature, pressure, flow, etc). Here the processors in the stack interpret the RTU’s report and take action, which could be in the form of either alerts or reports. By being able to monitor the interconnect via Ethernet, we will have visibility and will know about attacks or failures.
A network TAP with a stack design like Garland’s AggergatorTAP, can be integrated into the PC104 to provide a visibility plane. These TAPs are passive, and are used to capture 100% full duplex traffic that can then be sent to multiple monitoring appliances to analyze your network.
2) Passive Visibility For Legacy
Legacy equipment wasn’t designed to communicate beyond its isolated system. When you start to push legacy equipment to transfer data outside of these proprietary systems, you open the industrial network to security vulnerabilities.
The need for passive, real-time monitoring is stronger than ever in an Industrial Ethernet environment saddled with legacy equipment. Passive network TAPs are an essential connectivity solution in Industrial Ethernet settings, and are available in passive fiber and passive 10/100M copper. Security and monitoring appliances receive 100% of the traffic without introducing new or manipulated traffic to the stream.
3) Regenerating Visibility
We have seen many scenarios where there is the need to replicate data streams to multiple tools or destinations. We have recently seen situations where specific regulation requires the same data to be captured by separate devices for analysis or the data may be “owned” by separate teams. SPAN replication and TAP regeneration provides the simple solution and can provide multiple copies of Tx/Rx traffic from a single link, with failsafe or passive OEO design [optical to electrical to optical] options.
4) Visibility for Unidirectional Gateways
For specific industries, new regulations enforce physical unidirectionality coupled with software that replicates databases and emulates protocol servers to handle bi-directional communication and contains a broad range of cybersecurity features like, secure boot, certificate management, data integrity, forward error correction (FEC), and secure communications.
Data diodes are a network appliance or device, similar to a network TAP, that allows raw data to travel only in one direction, and are used in guaranteeing information security or protection of critical digital systems, such as SCADA/industrial control systems, from inbound cyber attacks. Garland Technology’s Data Diode TAPs offer “no injection” tap aggregation for 10/100/1000M copper networks. These will help you create unidirectional monitoring solutions that capture every bit, byte, and packet and ensure copied packets don’t go back in and disrupt the industrial network—all in a package that’s purpose-built and unhackable.
Have a unique environment that needs visibility, but are having connectivity or architecture issues? Book a brief Design-IT meeting with our engineering team today and we'll work it out together. No obligation - it’s what we love to do.