Industrial Control System Security Status and Protection Strategy Analysis
In recent years, as the national strategy of deeply integrating informatization and industrialization (the "two integrations") has advanced and emerging technologies such as the Internet of Things have been applied in industry, the security of industrial control systems (ICS) has also drawn the attention of enterprises. As the core infrastructure of vital national industries such as energy, manufacturing and defense, industrial control systems face an operating environment in which security risks keep climbing. According to statistics, in the past year the National Information Security Vulnerability Sharing Platform collected more than 100 widely influential software security vulnerabilities affecting China's industrial control systems, nearly 10 times the number in 2010, involving Siemens, Beijing AMC, Beijing 3D Forces Control and other well-known domestic and foreign ICS vendors. These vulnerabilities undoubtedly raise the risk to industrial control systems: they can disrupt normal production and even endanger personnel and public property.
I. Status Quo and Challenges of Industrial Control System Security
The development of the "two integrations" and the Internet of Things has made the TCP/IP and OPC protocols ever more widely used in industrial control networks, and the resulting communication protocol vulnerabilities have become increasingly prominent. For example, the OPC Classic protocols (OPC DA, OPC HDA and OPC A&E) are based on Microsoft's DCOM protocol. DCOM was designed before network security problems were widely recognized, so it is vulnerable to attack; moreover, OPC communication uses dynamically assigned rather than fixed port numbers, so a traditional IT firewall can hardly be used to secure it. Ensuring the safety and reliability of industrial control systems that use OPC therefore poses a great challenge to engineers.
Industrial control system security is not a case of "an old system meeting a new problem"; it is an extension of traditional information security issues into the field of industrial control. Information technology is now widely used in petroleum, the chemical industry, electric power and many other fields, and provides important support for optimizing and upgrading traditional industrial control systems. At the same time it brings the information security problems of the networked environment with it, and the impact of worms, Trojans, hacker attacks and other network threats on industrial control systems has shown a growing trend.
When industrial control security is mentioned, many people may simply think of the security of the real-time operating system devices that are used directly for control. From the perspective of the whole architecture, however, an industrial control system is a network composed of servers, terminals and front-end real-time operating systems, and it also involves the traditional information security issues of the physical, network, host and application layers. Across the whole industrial control system, most industrial control software runs on a general-purpose operating system; operator stations, for example, generally use the Linux or Windows platform. For the sake of stability, Linux or Windows patches are generally not applied once the system is in operation. In addition, most industrial control networks are dedicated internal networks that are not connected to the Internet, so even if anti-virus software is installed its virus database cannot be updated in a timely manner, and anti-virus software can do nothing against unknown viruses and malicious code. Operating system vulnerabilities cannot be avoided, and the lag in traditional defense techniques and methods leaves room for viruses and malicious code to spread.
It is understood that in the "Stuxnet" incident that broke out in 2010, the virus caused some of the centrifuges used for uranium enrichment to fail, striking the Iranian nuclear industry. It can be seen that an attack on industrial control systems can have a profound impact on a country's economic and social development. In fact, it is not only the "Stuxnet" virus: well-known malware that has emerged in recent years, such as "Duqu" and "Flame", has also focused its attacks on lifeline sectors such as oil and electricity, and the security situation facing industrial control systems has become increasingly severe.
II. Industrial Control System Security Risk Analysis
1. Risk Analysis
The industrial control system is the basic component of automated production in China's important infrastructure, and the importance of its security is evident. However, because of the limitations of core technologies, the complexity of system structures, and the lack of security and management standards, the data and operating instructions in an ICS may at any time be targeted for destruction by hostile forces, commercial espionage and cybercrime gangs. According to the Notice of the Ministry of Industry and Information Technology on Strengthening the Information Security Management of Industrial Control Systems, the key areas of ICS information security management in China include nuclear facilities, iron and steel, non-ferrous metals, chemicals, petroleum and petrochemicals, electric power, natural gas, advanced manufacturing, water conservancy hubs, environmental protection, railways, urban rail transit, civil aviation, urban water supply and heating, and other areas closely related to the national economy and people's livelihood. Once the industrial control systems in these areas are destroyed, this will not only affect the sustainable development of the industrial economy but will also cause great damage to national security.
Through analysis, it can be found that there are two main reasons for the increased security risks in industrial control systems:
First, traditional industrial control systems emerged earlier than the Internet. They used dedicated hardware, software and communication protocols, and their design relied on isolation for security, essentially without considering the communication security issues that interconnection makes unavoidable.
Second, the emergence of Internet technology has led to the widespread adoption of general TCP/IP technology in industrial control networks. Industrial control systems can now collaborate with various business systems, and as more and more applications, industrial control devices and office PCs are used in intelligent ICS networks, the system gradually forms a complex network topology.
Under the combined effect of these two factors, a security solution based only on identifying and controlling the industrial control protocol can no longer meet the requirements of ICS network operation and maintenance in the new situation, and ensuring application-layer security is the basic prerequisite for the stable operation of today's ICS. By exploiting industrial control equipment vulnerabilities, TCP/IP protocol flaws and industrial application vulnerabilities, attackers can build more targeted attack channels. Taking the Stuxnet worm as an example: it fully exploited the security vulnerabilities of the industrial PCs and control systems in the industrial network of Iran's Bushehr nuclear power station (LNK file processing vulnerabilities, printer vulnerabilities, RPC vulnerabilities, WinCC vulnerabilities, S7 project file vulnerabilities and Autorun.inf vulnerabilities), providing attackers with seven hidden channels for intrusion.
2. Vulnerability Analysis
The safety and importance of industrial control systems directly affect the implementation of national strategic security. However, to accommodate industrial application scenarios and implementation efficiency, users pursuing high availability and business continuity often passively scale back the security defense needs of the ICS. Identifying the risks and safety hazards of the ICS and implementing corresponding security assurance strategies are effective means of ensuring its stable operation.
2.1 Vulnerability of Security Policies and Management Processes
Pursuing availability at the expense of security is a common phenomenon in many industrial control systems, and the lack of complete and effective security policies and management processes is the biggest problem in China's current industrial control systems. Even in many ICS networks that have implemented security defense measures, management or operational errors still leave potential security weaknesses in the ICS, for example the use of mobile storage media in industrial control systems and lax access control policies.
As an important part of information security management, developing security policies that meet the needs of the business scenario and developing management processes based on those policies are the basis for ensuring the stable operation of the ICS. With reference to international standards such as NERC CIP, ANSI/ISA-99 and IEC 62443, the weaknesses of China's current security policies and management processes are:
(1) Lack of an ICS security strategy;
(2) Lack of ICS security training and awareness raising;
(3) Lack of security architecture and design;
(4) Lack of formal, documented security processes based on security policies;
(5) Lack of an ICS security auditing mechanism;
(6) Lack of a business continuity and disaster recovery plan for the ICS;
(7) Lack of configuration change management for the ICS.
2.2 Vulnerability of the Industrial Control Platform
With the introduction of common control protocols and development standards such as TCP/IP into industrial control systems, the open and transparent industrial control system has also opened up vast room for imagination for emerging technologies such as the Internet of Things, cloud computing and the mobile Internet. In theory, absolutely physically isolated networks are no longer practical because of changes in demand and business models.
At present, most ICS networks only guarantee the relative isolation of the industrial network from the office network by deploying firewalls, and a reliable and secure communication mechanism between industrial automation units is lacking. For example, the OPC interface, based on the DCOM programming specification, can hardly be secured with a traditional IT firewall. Data encryption is ineffective, the ability to recognize industrial control protocols is unsatisfactory, and with the additional lack of industry standards, specifications and management systems, the security defense capability of industrial control systems is very limited.
The international standard NERC CIP, designed to protect the security of power generation and transmission control systems, clearly requires that implementing security strategies to protect assets is the most basic requirement for ensuring the stable operation of the control system. Grouping control devices with the same function and security requirements into the same zone, communicating between zones through conduits, and controlling the communication content of the conduits between control zones is a generally recognized security defense measure in the field of industrial control.
Another easily neglected situation is that, because application scenarios differ across industries, the requirements for dividing functional zones and for security defenses also differ, and defenses are even more powerless against malicious code that spreads by exploiting vulnerabilities in specific communication protocols and application-layer protocols. More serious still, patch management in industrial control systems is always unsatisfactory. Given the operating platform and software version limitations on ICS patch upgrades and the rigid requirements of system availability and continuity, ICS administrators will never lightly install upgrade patches not specified by the ICS device manufacturer. At the same time, the patch release cycle of industrial systems, which lasts half a year, gives attackers more time to exploit existing loopholes. Siemens, the famous provider of industrial automation and control equipment, has been questioned for its lack of timely disclosure.
Whether against attacks aimed at industrial systems or the more persistent and threatening APT attacks, information security solutions based on blacklists or single-signature comparison cannot defend effectively, let alone against 0day exploits. The active defense technologies widely used in the IT field, because of their high risk of false positives, do not suit the high-performance operation of industrial control systems. At present, only security monitoring technology based on a whitelist mechanism is a common solution for all users of industrial control systems.
2.3 Vulnerability of the Network
The introduction of generic Ethernet technology has made ICS intelligent and made industrial control networks more transparent, open and interconnected, but the threats of TCP/IP also reappear in industrial networks. In addition, the proprietary control protocols of the industrial control network give attackers an opportunity to understand its internal environment. To ensure the safe and stable operation of industrial networks, we must implement, in real time, an integrated protection mechanism of "discovery, detection, removal, restoration and auditing" for abnormal behavior in the ICS network environment. The main vulnerabilities of current ICS networks are concentrated in:
(1) Lack of a border security strategy;
(2) Missing system security defense mechanism;
(3) Missing or incomplete management system;
(4) Lack of network configuration specifications;
(5) Lack of a monitoring and emergency response system;
(6) Lack of a network communication guarantee mechanism;
(7) Missing wireless network access authentication mechanism;
(8) Lack of an infrastructure availability guarantee mechanism.
2.4 Potential Threat Analysis
As a basic component of the automated control of the country's critical infrastructure, the industrial control network carries a large amount of operational data, and the target control system can be manipulated by tampering with the control instructions of the programmable logic controller. Targeted attacks on industrial control networks have therefore become a key means by which hostile forces and cybercrime groups infiltrate and profit, and a careless moment may damage important infrastructure on which the national economy and people's livelihood depend. The main threats that can cause an ICS to be destroyed are:
(1) Denial of service in the control system;
(2) Injection of malicious code into the control system;
(3) Illegal operation of the programmable controller;
(4) Penetration of wireless APs;
(5) Loopholes in the industrial control system;
(6) Wrong policy configuration;
(7) Missing personnel and process control strategies.
III. Industrial Control System Security Strategy
1. Whitelist Mechanism
Whitelist-based active defense technology restricts the exchange of network data by planning protocol rules in advance, and thereby determines the permitted behavior between the control network and the information network. Through analysis of protocol characteristics and port restrictions, the execution and propagation of unknown malware are controlled at the root.
The "whitelist" security mechanism is a kind of security specification. It applies not only to the rule settings of firewall software but also as a principle to follow in day-to-day management. For example, in the actual operation of equipment and computers, only designated notebooks, USB drives and the like may be used: managers trust identifiable identities, and unauthorized actions are rejected.
2. Physical Isolation
Network physical isolation technology was born early; it was originally used to solve the problem of secure data exchange between classified and non-classified networks. Later, because of its high security, network physical isolation came to be widely used in government, military, electric power, railway, finance and other sectors. Its main functions include file data exchange, HTTP access, WWW service, FTP access, sending and receiving e-mail, relational database synchronization, and customized TCP/UDP.
In the field of industrial control, network physical isolation has also begun to be applied and promoted. The "2+1" three-module architecture is usually adopted: two host systems with an isolation unit between them, and the isolation unit establishes a secure channel through bus technology to implement fast data exchange safely. Network physical isolation is applied specifically to the security of the control network, so it only provides the common communication functions of the control network, such as OPC and Modbus, and does not provide common Internet functions. It is therefore better suited to isolating the control network from the office network and isolating the individual subsystems within the control network.
Its main features are:
1) Independent computing units and storage units, each running an independent operating system and application system;
2) Private isolation data exchange technology is used in the security isolation zone, and the data exchange does not depend on the TCP/IP protocol;
3) Support for industrial communication protocols such as OPC, Modbus and IEC 60870-5-104;
4) When data is uploaded to the information layer, disconnection buffering and resumed transmission can be realized;
5) Real-time data exchange, with a delay of less than 1 ms;
6) Access control, identity authentication, security auditing and log management;
7) Security event search, tracking and preprocessing capabilities.
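The following Python simulation is an added example, not the article's or any vendor's code, of the data path that features 1), 2) and 4) above describe: an inner host terminates the control-network protocol and emits only fixed-format records for a whitelisted set of tags, the isolation unit carries those records over a one-way bounded buffer with no socket or TCP/IP semantics, and the outer host receives them. The tag whitelist, record format, buffer size and the readings fed in are all constructed for the example; the point it adds to the feature list is what happens to the backlog when the information-layer link drops and later returns.

```python
"""Simulation of the data path of a "2+1" isolation gateway (added example).

Not the article's or any vendor's code. The tag whitelist, record format,
buffer size and the readings fed in are all constructed for the example.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Optional


@dataclass(frozen=True)
class TagRecord:
    """Fixed-format record carried over the isolation bus: no sockets, no TCP/IP."""
    seq: int
    tag: str
    value: float


ALLOWED_TAGS = frozenset({"reactor.temp", "pump1.flow"})   # constructed whitelist


class ControlSideHost:
    """Inner host: terminates the control-network protocol and emits bare records."""

    def __init__(self) -> None:
        self._seq = 0
        self.rejected: List[str] = []

    def ingest(self, tag: str, value) -> Optional[TagRecord]:
        # Only whitelisted tags with numeric values cross; everything else stops here.
        if tag not in ALLOWED_TAGS or isinstance(value, bool) or not isinstance(value, (int, float)):
            self.rejected.append(tag)
            return None
        self._seq += 1
        return TagRecord(self._seq, tag, float(value))


class IsolationUnit:
    """One-way bus between the two hosts with a bounded store-and-forward buffer."""

    def __init__(self, capacity: int) -> None:
        self._buffer: Deque[TagRecord] = deque()
        self.capacity = capacity
        self.overflowed = 0          # records lost because the outage outlasted the buffer

    def push(self, record: Optional[TagRecord]) -> None:
        if record is None:
            return
        if len(self._buffer) >= self.capacity:
            self.overflowed += 1
            return
        self._buffer.append(record)

    def drain(self, outer: "InformationSideHost") -> int:
        """Deliver buffered records in order while the outer host is reachable; return backlog."""
        while self._buffer and outer.online:
            outer.receive(self._buffer.popleft())
        return len(self._buffer)


class InformationSideHost:
    """Outer host: the only thing it ever sees is TagRecord objects."""

    def __init__(self) -> None:
        self.online = True
        self.received: List[TagRecord] = []

    def receive(self, record: TagRecord) -> None:
        self.received.append(record)


def simulate(capacity: int = 3) -> dict:
    """Feed constructed readings through the gateway across an outage of the information layer."""
    inner, bus, outer = ControlSideHost(), IsolationUnit(capacity), InformationSideHost()
    feed = [("reactor.temp", 71.5), ("pump1.flow", 12.0),
            ("hmi.cmd", "STOP"),            # not whitelisted: never leaves the control side
            ("reactor.temp", 72.1), ("pump1.flow", 11.8), ("reactor.temp", 72.4),
            ("reactor.temp", 72.9)]         # arrives while the buffer is full at capacity 3
    backlog_during_outage = 0
    for i, (tag, value) in enumerate(feed):
        if i == 2:
            outer.online = False            # information-layer link drops
        bus.push(inner.ingest(tag, value))
        backlog_during_outage = bus.drain(outer)
    outer.online = True                     # link restored
    backlog_after = bus.drain(outer)
    return {
        "delivered_seq": [r.seq for r in outer.received],
        "rejected": inner.rejected,
        "backlog_during_outage": backlog_during_outage,
        "backlog_after_restore": backlog_after,
        "overflowed": bus.overflowed,
    }


if __name__ == "__main__":
    print(simulate())
```

With the default capacity of 3, records 3 to 5 are held during the outage and delivered in order once the link returns, while record 6 is counted as overflowed; the gap in the sequence numbers is what lets the information side detect that loss, and a larger capacity (`simulate(capacity=10)`) delivers all six. Sizing the buffer for the longest expected outage is therefore part of the design, not an afterthought.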
3. Deep Analysis of Industrial Protocols
A commercial firewall is designed according to the security requirements of an office network. It can perform full packet filtering on most of the common network protocols used in office networks (such as HTTP and FTP) and provides effective protection for them. For the packets of industrial communication protocols used on industrial networks (application-layer protocols such as Modbus and OPC), however, a commercial firewall can only perform shallow packet filtering at the network and transport layers and cannot perform deep inspection of the application-layer data in the packets. Commercial firewalls therefore have definite limitations and cannot meet the requirements of industrial networks, and the automation industry urgently needs dedicated industrial firewalls that can filter and check industrial communication protocols effectively to ensure the safety of industrial control systems.
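As an added example, not from the article or any firewall vendor, the Python filter below combines three points the article makes: the zone-and-conduit grouping from section 2.2, the whitelist mechanism from section 1 of the strategy, and the application-layer inspection of industrial protocols described here. It parses the Modbus/TCP MBAP header and PDU, maps source and destination addresses to zones, and allows a request only if a conduit rule whitelists that zone pair, unit ID, function code and register window; anything malformed or unmatched is dropped with a reason suitable for an audit log. The zone ranges, conduit rules, sample frames and all function names are constructed for the example.

```python
"""Zone/conduit whitelist filter for Modbus/TCP (added example, not from the article).

Assumptions, all constructed for this example: the zone address ranges,
the conduit rules, the sample frames and every function name below.
"""
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Modbus/TCP MBAP header: transaction id, protocol id (0), length, unit id
MBAP = struct.Struct(">HHHB")
READ_FUNCTIONS = frozenset({1, 2, 3, 4})      # read coils / inputs / registers
WRITE_FUNCTIONS = frozenset({5, 6, 15, 16})   # write coils / registers


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: int
    quantity: int


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Deep-inspect one Modbus/TCP request frame; raise ValueError if malformed."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(frame, 0)
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:          # length field counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    pdu = frame[MBAP.size:]
    fc = pdu[0]
    if fc in READ_FUNCTIONS or fc in (15, 16):
        if len(pdu) < 5:
            raise ValueError("truncated PDU")
        start, qty = struct.unpack_from(">HH", pdu, 1)      # start address, quantity
    elif fc in (5, 6):
        if len(pdu) < 5:
            raise ValueError("truncated PDU")
        start, qty = struct.unpack_from(">H", pdu, 1)[0], 1  # single write: one address
    else:
        start, qty = 0, 0    # unknown function code: no conduit below whitelists it
    return ModbusRequest(tid, unit, fc, start, qty)


# Constructed zones in the IEC 62443 style: control, historian DMZ, office
ZONES = {
    "control": ip_network("10.10.1.0/24"),
    "dmz_historian": ip_network("10.10.2.0/24"),
    "office": ip_network("192.168.50.0/24"),
}


@dataclass(frozen=True)
class ConduitRule:
    src_zone: str
    dst_zone: str
    unit_ids: frozenset
    function_codes: frozenset
    address_window: Tuple[int, int]   # inclusive register window


# Whitelist policy (constructed): anything not matched by a conduit is dropped
CONDUITS = [
    # stations inside the control zone may read and write PLC unit 1
    ConduitRule("control", "control", frozenset({1}), READ_FUNCTIONS | WRITE_FUNCTIONS, (0, 999)),
    # the historian may only read registers 0..199 of unit 1
    ConduitRule("dmz_historian", "control", frozenset({1}), READ_FUNCTIONS, (0, 199)),
]


def zone_of(ip: str) -> Optional[str]:
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)


def evaluate(src_ip: str, dst_ip: str, frame: bytes) -> Tuple[str, str]:
    """Return ("ALLOW" or "DROP", reason) for one request frame."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as err:
        return "DROP", f"malformed frame: {err}"
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "DROP", "address outside every defined zone"
    for rule in CONDUITS:
        if (rule.src_zone, rule.dst_zone) != (src, dst):
            continue
        if req.unit_id not in rule.unit_ids or req.function_code not in rule.function_codes:
            continue
        lo, hi = rule.address_window
        if req.quantity >= 1 and lo <= req.start_address and req.start_address + req.quantity - 1 <= hi:
            return "ALLOW", f"conduit {src}->{dst} fc={req.function_code}"
    return "DROP", f"no conduit permits {src}->{dst} unit={req.unit_id} fc={req.function_code} addr={req.start_address}"


def mbap_frame(tid: int, unit: int, pdu: bytes) -> bytes:
    """Wrap a PDU in an MBAP header (used only to construct the samples)."""
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: (source ip, destination ip, frame)
SAMPLE_TRAFFIC = [
    ("10.10.2.15", "10.10.1.10", mbap_frame(1, 1, bytes([3]) + struct.pack(">HH", 0, 10))),         # historian reads regs 0-9
    ("192.168.50.7", "10.10.1.10", mbap_frame(2, 1, bytes([6]) + struct.pack(">HH", 5, 0x1234))),    # office PC writes a register
    ("10.10.2.15", "10.10.1.10", mbap_frame(3, 1, bytes([16]) + struct.pack(">HHBH", 0, 1, 2, 1))),  # historian tries a write
    ("10.10.2.15", "10.10.1.10", mbap_frame(4, 1, bytes([3]) + struct.pack(">HH", 150, 100))),       # read runs past register 199
    ("10.10.1.20", "10.10.1.10", mbap_frame(5, 1, bytes([6]) + struct.pack(">HH", 5, 0x1234))),      # operator station writes
    ("10.10.2.15", "10.10.1.10", MBAP.pack(6, 0, 6, 1) + bytes([3, 0, 0])),                            # length field does not match
]


def run_samples() -> List[str]:
    """Verdicts for the constructed samples, in order."""
    return [evaluate(src, dst, frame)[0] for src, dst, frame in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for src, dst, frame in SAMPLE_TRAFFIC:
        verdict, reason = evaluate(src, dst, frame)
        print(f"{src:>14} -> {dst:<12} {verdict:5} {reason}")
```

The verdicts for the six samples are ALLOW, DROP, DROP, DROP, ALLOW, DROP: the historian's read and the operator station's write pass through their conduits, while the office write (no conduit), the historian's write (function code outside its conduit), the read that runs past the permitted window, and the frame whose length field disagrees with its size are all rejected. A port-level filter would have passed all but the first of those, which is the gap between shallow filtering and application-layer inspection that this section describes.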
4. Vulnerability Scanning
By scanning the network, network administrators can understand the network's security settings and the application services running on it, detect security vulnerabilities in time, and objectively assess the network's risk level. Based on the scan results, administrators can correct network security vulnerabilities and system misconfigurations before hackers attack. If firewalls and network monitoring systems are passive defenses, then security scanning is an active preventive measure that can effectively prevent hacking attacks and keep them from escalating.
5. Cloud Management Service Platform
To build a plant-wide risk identification model suited to industrial control systems, in addition to refining the risk factors of industrial control systems, it is also necessary to establish a security management domain based on the industrial control system, implement a hierarchical infrastructure, and take into account interruptions and links, threats and anomalies, security and availability, and other functional considerations.
The requirements for establishing a security management private cloud service platform include:
1) Easily deploy, monitor and manage all security equipment modules, controllers and workstations in the entire system;
2) Rule-assisted production: guide applications to quickly and easily create firewall rules from privilege and authorization management reports;
3) Automatically block and report any system traffic that does not match the rules;
4) Receive, process and record the alarm information uploaded by the security modules;
5) Zoning and identification capabilities for whole-network traffic;
6) Whitelist-based terminal control capabilities;
7) Real-time ICS protocol and content identification capabilities;
8) The ability to simulate abnormal behavior;
9) Visual configuration and setup.