ICS Information Security Assurance Framework 20

March 10, 2020 | Mina Hao

Petroleum and Petrochemical Industry

  • Overview

System introduction

Oil field production is field work characterized by high mobility, a large number of widely scattered sites, and long distances. To meet management requirements, the oil and gas management center connects over an industrial network to the gathering and transportation control center, the gas processing plant control center, the gas transmission initial station, and the field control layer. The system therefore depends on a large number of wired and wireless links for data transmission and remote system management.

Overall network situation of oil and gas branches

The core of an oil and gas branch company's production network usually connects to its secondary units in different regions over a self-built optical cable. For link redundancy, each secondary unit deploys two routers as mutual backups, connected respectively to the GMC core and the BGMC core, with OSPF providing routing between them. The production network as a whole is therefore a highly redundant, reliable architecture.

In terms of links, the GMC and BGMC of the branch connect to the secondary units in different regions through a dedicated oil-industry link, and a satellite link via the core router serves as the backup path for secondary units. For geographically remote central stations or field stations that have no cable, satellite, wireless bridge, and 3G/4G links are currently used for data transmission.

  • Protection Solutions for Industrial Control Network Security

While preserving system availability, the industrial control systems of the production network should be protected according to the principle of “vertical layering and horizontal zoning”.

  • Division of security zones

“Vertical layering and horizontal zoning” means dividing each industrial control system vertically into four layers, namely the field device layer, field control layer, supervisory control layer, and production management layer, and separating the networks of the individual industrial control systems horizontally so that each falls into its own security zone.

  • Vertical layering

According to the idea of information security protection of industrial control systems, each industrial control system should be in a separate zone. Detailed division is as follows:

① The office network and the production network of the branch are two separate security zones, isolated from each other by a security isolation gateway (GAP device).

② The security zone of the branch production network is subdivided into the branch GMC security zone, the gas transmission DCC security zone (branch BGMC security zone), and the DCC security zones of regions A, B, C, D, and E.

③ According to the preceding division, the branch production network is vertically divided into security zones by administrative level.

  • Horizontal zoning

The branch company has five administrative levels, each containing multiple units. Horizontally, units at the same level are placed in different zones: a secondary unit is divided into seven horizontal zones, namely five mines, one division, and one factory, and the hydrologic institutes are isolated in zones of their own. Following the security-zone approach, an industrial control system at a given layer is divided into five zones: the data server zone, the security support zone, the core switch zone, the user access zone, and the branch access zone. Hydrologic stations and lower-level units adopt whichever of these zones they require.

The data server zone is mainly used to plan and deploy the servers related to industrial control production at this layer. Threats in this zone come mainly from internal personnel: privilege abuse, misoperation, data tampering, and repudiation, together with software and hardware failures. Main protection methods include secure development and maintenance of applications and services, application-level audits, identity authentication, and behavior audits; anomaly detection and access control are auxiliary methods.

The security support zone is used to plan and deploy the security O&M, security detection, and security management devices related to industrial control production at this layer. Threats in this zone come mainly from leakage over network transmission, unauthorized access and abuse, and repudiation by internal personnel. Protection methods include out-of-band management and network encryption, identity authentication and access control, and audits and tests.

The core switch zone is mainly used to plan and deploy the core switching devices related to industrial control production at this layer. Threats in this zone come mainly from network device failures, leakage of network traffic, and physical environment threats. Protection methods address the availability (backup and redundancy), confidentiality (transport encryption), and integrity (network-level authentication) of the underlying network.

The user access zone is mainly used to plan and deploy user terminals related to industrial control production at this layer. Threats in this zone come from internal personnel’s malicious behavior and internal information disclosure. Main protection methods include terminal behavior control and access control.

The branch access zone is mainly used to plan and deploy outreach devices related to industrial control production at this layer. Threats in this zone come from hacker attacks (external intrusion), malicious code (viruses and worms), and unauthorized access. Protection methods include access control (industrial control firewall), intrusion detection (IDS), and malicious code protection (antivirus).

Border Protection

Defense-in-depth security policies should be provided for branch industrial networks, and among them border protection is the most important link: strict control of access between networks not only limits who can reach what, but also cuts off the transmission paths of viruses and other malicious code, guaranteeing border security at every level.

ICS firewalls are deployed at branch companies, gas transmission stations, and secondary units, and between secondary units and hydrological stations. Firewalls built for industrial environments are configured with access control policies based on the industrial protocols in use, the existing policies of the traditional firewalls in the network are reviewed, and packet filtering is made finer-grained. Combining industrial-protocol protection with traditional security policies, and dividing security zones by security level, improves the protection of borders, zones, and terminals and effectively reduces the risk of network intrusion and of threats migrating and spreading.

At the level of the overall network service structure, ACLs can be configured on core network devices to establish point-to-point, point-to-multipoint, and multipoint-to-point service access relationships and to force business data onto defined flow paths, which strengthens business process management and reduces security risk along those paths.

Comprehensive Security Protection Solution

Security audit

  • Enhancing current devices

Enable the built-in system logging and security logging functions to record the device running status, network traffic, user behavior, and the date, user, and type of each event, so that administrators have full visibility into device status and security events can be traced.

  • O&M personnel audit (industrial control O&M OSMS)

Currently, some O&M management regulations have been developed in branch companies and their subordinate units, but these regulations cannot completely eliminate risks. This is partly due to the fact that these regulations are not perfectly carried out. Another main reason is that most station attendants are professionals in the field of automation who have little knowledge about information security, databases, and related software and therefore are unable to audit O&M personnel’s operations.

In addition, in both IT and ICS security incidents, a large share of security events is caused by unauthorized operations of O&M or other internal personnel. Professional O&M audit devices designed for industrial environments are therefore needed. Mobile O&M audit systems are deployed at branch hydrologic stations and central stations for onsite maintenance of PLCs, DCSs, industrial switches, HMIs, operator workstations, engineering workstations, data historians, and real-time databases in industrial control systems.

  • Intrusion detection

The following attacks should be monitored at network edges: port scanning, brute force attack, Trojan backdoor, DoS, and IP fragment attack. When an attack is detected, the source IP address and attack type should be recorded. In the case of a critical intrusion event, alerts should be promptly generated and such intrusion should be immediately blocked.

Unlike traditional network application protocols, the control protocols used in industrial control systems are often proprietary. Intrusion detection systems built for traditional IT application-layer protocols cannot effectively monitor the security of industrial control systems. It is necessary to understand the specific industrial control protocols in use and configure detection policies for them in order to detect intrusions effectively. An ICS anomaly detection system is deployed on the core networks of branch companies, secondary units, hydrological stations, and stations. At the same time, a comprehensive signature database and efficient signature matching algorithms suited to industrial control networks are employed to detect malicious code and viruses.
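The two detection paragraphs above call for edge monitoring of generic attacks (port scans, brute force) and for ICS-specific anomaly detection that knows the control protocol. The following added example, written for this article and not code from the page or any product, runs both kinds of logic over constructed records of the shape (timestamp, src, dst, dport, event) such as an ICS probe or flow exporter might emit. The addresses, thresholds, and timings are assumptions. Generic attacks are detected with sliding time windows; the ICS check learns a whitelist of (source, destination, Modbus function code) triples from a clean period and alerts on any triple not seen there, which is how an unexpected diagnostics (FC 8) request from an HMI that normally only reads (FC 3) stands out. As the text requires, each alert records the source IP and the attack type.

```python
"""Edge detection over constructed flow and event records.

Added example for this article (not the page's own code or any product's).
Records, addresses, thresholds and timings are constructed assumptions.
"""
from collections import defaultdict, deque

SCAN_PORTS, SCAN_WINDOW = 10, 5.0     # distinct destination ports from one source within 5 s
BRUTE_FAILS, BRUTE_WINDOW = 5, 60.0   # failed logins from one source to one target within 60 s

# Clean learning period: HMI reads (FC 3) and engineering-workstation writes (FC 16)
BASELINE = [(t, "10.1.1.10", "10.2.0.5", 502, "modbus fc=3") for t in range(0, 30, 5)]
BASELINE += [(t, "10.1.1.20", "10.2.0.5", 502, "modbus fc=16") for t in (2, 17)]

# Live traffic to inspect (constructed)
EVENTS = [
    (100.0, "10.1.1.10", "10.2.0.5", 502, "modbus fc=3"),   # normal HMI read
    (101.0, "10.1.1.10", "10.2.0.5", 502, "modbus fc=8"),   # diagnostics from the HMI: not in baseline
]
EVENTS += [(110.0 + i * 0.1, "10.3.3.3", "10.2.0.5", p, "syn") for i, p in enumerate(range(20, 35))]
EVENTS += [(200.0 + i * 2.0, "10.3.3.3", "10.1.1.20", 22, "auth_fail") for i in range(6)]


def learn_baseline(records):
    """Whitelist of (src, dst, function) triples seen during the learning period."""
    return {(s, d, e) for _, s, d, _, e in records if e.startswith("modbus")}


class EdgeDetector:
    def __init__(self, baseline):
        self.baseline = baseline
        self.ports = defaultdict(deque)   # src -> deque of (ts, dport)
        self.fails = defaultdict(deque)   # (src, dst) -> deque of ts
        self.fired = set()                # (src, type) already alerted
        self.alerts = []

    def _alert(self, ts, src, kind, detail):
        if (src, kind) in self.fired:     # one alert per source and attack type
            return
        self.fired.add((src, kind))
        self.alerts.append({"ts": ts, "src": src, "type": kind, "detail": detail})

    def feed(self, ts, src, dst, dport, event):
        if event == "syn":
            q = self.ports[src]
            q.append((ts, dport))
            while q and ts - q[0][0] > SCAN_WINDOW:   # expire records outside the window
                q.popleft()
            distinct = {p for _, p in q}
            if len(distinct) >= SCAN_PORTS:
                self._alert(ts, src, "port_scan", f"{len(distinct)} ports on {dst} in {SCAN_WINDOW}s")
        elif event == "auth_fail":
            q = self.fails[(src, dst)]
            q.append(ts)
            while q and ts - q[0] > BRUTE_WINDOW:
                q.popleft()
            if len(q) >= BRUTE_FAILS:
                self._alert(ts, src, "brute_force", f"{len(q)} failed logins to {dst}:{dport}")
        elif event.startswith("modbus") and (src, dst, event) not in self.baseline:
            self._alert(ts, src, "ics_anomaly", f"{event} to {dst} not in learned baseline")


def run(baseline_records, live_records):
    """Learn from the clean period, then return the alerts raised on the live records."""
    det = EdgeDetector(learn_baseline(baseline_records))
    for rec in sorted(live_records, key=lambda r: r[0]):
        det.feed(*rec)
    return det.alerts


if __name__ == "__main__":
    for a in run(BASELINE, EVENTS):
        print(f"t={a['ts']:.1f} {a['type']:12} src={a['src']} {a['detail']}")
```

Two caveats a practitioner would add before deploying logic like this: the per-source state must be bounded (for example, an LRU over sources) so that a flood of spoofed source addresses cannot exhaust memory, and the baseline must be learned only from a period that is known to be clean, otherwise an attacker already present is whitelisted.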

Security management

  • Industrial control vulnerability discovery system

To effectively detect and investigate security hazards in industrial control systems, a vulnerability scanning system for industrial control systems must be deployed to detect potential security defects or vulnerabilities. Based on the signatures of known vulnerabilities in industrial control systems (such as vulnerabilities in SCADA/HMI software, in the embedded software of PLC and DCS controllers, and in mainstream fieldbus protocols such as Modbus and Profibus), the system scans and identifies control devices, operator workstations, engineering workstations, servers, databases, and middleware in SCADA, DCS, and PLC systems, providing comprehensive vulnerability analysis and detection for industrial control systems.

For unknown vulnerabilities in industrial control systems, a fuzzing tool can discover defects in the tested object by sending malformed or otherwise crafted test data to SCADA/HMI software, DCS systems, and PLCs and then checking how the target responds (protocol exceptions, missing responses, or a device that stops answering).
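The following is an added illustration of the fuzzing approach just described; it is not code from the article or from any vendor's discovery tool. Because it has to run offline, the target is a constructed in-memory stand-in for a PLC that handles Modbus/TCP reads (FC 3) and multiple-register writes (FC 16). It is written with one deliberate, labelled defect (it trusts the byte-count field of a write request) so that the harness has something to find; this is an assumption for the example and not a statement about any real device. The harness mutates valid seed frames (length-field mismatches, out-of-range quantities, truncation, bit flips, an inconsistent byte count), classifies each response as normal, exception, no response, or crash, and keeps the frames that crashed so they can be replayed. Against real equipment the handle() call would be a TCP exchange on port 502, and a known-good read after each case would serve as the liveness check that "crash" stands for here.

```python
"""Mutation-based fuzzing of a Modbus/TCP responder.

Added example for this article (not the page's own code or any vendor tool).
The target and its defect are constructed for the illustration.
"""
import random
import struct
from collections import Counter

EXC_ILLEGAL_FUNCTION, EXC_ILLEGAL_ADDRESS, EXC_ILLEGAL_VALUE = 1, 2, 3


def mbap(pdu, tid=0, unit=1):
    """Prefix a PDU with the 7-byte MBAP header (protocol id 0, length = unit id + PDU)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def exc(fc, code, tid=0, unit=1):
    return mbap(bytes([fc | 0x80, code]), tid, unit)


class ToyPLC:
    """Constructed target: 100 holding registers, FC 3 read and FC 16 write."""

    def __init__(self):
        self.regs = [0] * 100

    def handle(self, frame):
        if len(frame) < 8:
            return None                                  # silently dropped
        tid, pid, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
        if pid != 0 or length != len(frame) - 6:
            return None                                  # bad MBAP: dropped
        pdu = frame[7:]
        if fc == 3:
            if len(pdu) < 5:
                return None
            start, qty = struct.unpack(">HH", pdu[1:5])
            if not 1 <= qty <= 125:
                return exc(fc, EXC_ILLEGAL_VALUE, tid, unit)
            if start + qty > len(self.regs):
                return exc(fc, EXC_ILLEGAL_ADDRESS, tid, unit)
            data = b"".join(struct.pack(">H", r) for r in self.regs[start:start + qty])
            return mbap(bytes([fc, len(data)]) + data, tid, unit)
        if fc == 16:
            if len(pdu) < 6:
                return None
            start, qty, nbytes = struct.unpack(">HHB", pdu[1:6])
            if not 1 <= qty <= 123:
                return exc(fc, EXC_ILLEGAL_VALUE, tid, unit)
            if start + qty > len(self.regs):
                return exc(fc, EXC_ILLEGAL_ADDRESS, tid, unit)
            # Deliberate defect (constructed): nbytes is never checked against 2*qty
            # or the frame length, so an oversized byte count reads past the PDU.
            values = [struct.unpack(">H", pdu[6 + 2 * i:8 + 2 * i])[0] for i in range(nbytes // 2)]
            for i, v in enumerate(values[:qty]):
                self.regs[start + i] = v
            return mbap(struct.pack(">BHH", fc, start, qty), tid, unit)
        return exc(fc, EXC_ILLEGAL_FUNCTION, tid, unit)


def seed_cases():
    """Valid requests used as mutation seeds."""
    return [
        mbap(struct.pack(">BHH", 3, 0, 10)),                            # read 10 registers
        mbap(struct.pack(">BHHB", 16, 0, 2, 4) + b"\x00\x01\x00\x02"),  # write 2 registers
    ]


def mutate(frame, rng):
    """Return one mutated copy of a seed frame."""
    f = bytearray(frame)
    m = rng.randrange(5)
    if m == 0:                               # MBAP length disagrees with the frame
        f[4:6] = b"\xff\xff"
    elif m == 1:                             # quantity far beyond the spec limit
        f[10:12] = b"\x07\xd0"
    elif m == 2:                             # truncated frame
        del f[rng.randrange(7, len(f)):]
    elif m == 3:                             # single random bit flip
        i = rng.randrange(len(f))
        f[i] ^= 1 << rng.randrange(8)
    elif len(f) > 12:                        # FC 16: byte count no longer matches quantity
        f[12] = 0xFF
    else:                                    # FC 3 has no byte count: use a reserved function code
        f[7] |= 0x80
    return bytes(f)


def classify(resp):
    if resp is None:
        return "no_response"
    if len(resp) >= 9 and resp[7] & 0x80:
        return f"exception_{resp[8]}"
    return "normal"


def probe(target, frame):
    """Run one case; any exception escaping the target counts as a crash."""
    try:
        return classify(target.handle(frame))
    except Exception:
        return "crash"


def fuzz(target, cases=200, seed=1):
    """Return (verdict counts, [(case index, frame hex)] for every crash)."""
    rng = random.Random(seed)
    summary, findings = Counter(), []
    for i in range(cases):
        frame = mutate(rng.choice(seed_cases()), rng)
        verdict = probe(target, frame)
        summary[verdict] += 1
        if verdict == "crash":
            findings.append((i, frame.hex()))
    return dict(summary), findings


if __name__ == "__main__":
    counts, crashes = fuzz(ToyPLC())
    print(counts)
    for idx, hexframe in crashes[:3]:
        print(f"case {idx}: {hexframe}")
```

The point of keeping the crashing frames rather than only a count is reproducibility: a finding that cannot be replayed against a fresh target is not a finding. On production control equipment this kind of testing is done only on a test bench or during a planned outage, since the cases are designed to make the device misbehave.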

To be continued.