Investigation is better than inertia. So while a wall that just sits there offers some protection, a barrier that also examines and evaluates potential problems is even better.
This is some of the reasoning behind Emerson Process Management's latest efforts to develop its forthcoming Emerson Smart Firewall. Progress on this project was described by Bob Huba, DeltaV product manager and system security architect, and Nate Kube, CTO of Wurldtech Security Technologies, this week at the Emerson Global Users Exchange in San Antonio, Texas.
Emerson and Wurldtech's developers are still settling on how the smart firewall will perform some security services, but it should be released within the next year, perhaps as early as 2011's second quarter.
"When we asked customers about security and DeltaV, they asked if they could use Linux and get away from Microsoft, but we think that's pretty unlikely. They also want purpose-built security tools, so they also can get away from commercial off-the-shelf devices that are more prone to being attacked," said Huba. "But users really just want to know that their installations are secure at all times. However, they don't have time to be bothered by security because they're too busy keeping their plants up and running. Unfortunately, they say they can't afford to hire security experts. They also want lowest-cost maintenance, and they can't spend all their time patching systems, but they still want to limit their IT department's efforts in this area."
Huba reported another major problem is that most users simply are not installing software patches to repair security vulnerabilities and defend against viruses and other malicious software. "We hear that no one is installing Microsoft's patches because they're worried the patches will cause problems and delays in their operations and production. They're worried the cure will be worse than the disease."
Consequently, the overall security objectives for DeltaV are to provide reliable and robust security solutions that:
- Don't impact DeltaV's stability and also meet or exceed the relevant sections of the ISA SP99 security standards.
- Are easy for operators to deploy, support, maintain and use, and also reduce the need for IT support to implement and maintain DeltaV.
- Allow operators to take primary responsibility for their security.
Over the past couple of years, DeltaV Easy Security has developed and now provides:
- Hardened software templates that remove basic security vulnerabilities from systems.
- Secure-user versions that restrict user privileges.
- Wurldtech's Achilles services for robust security responses.
- The ability to make affected systems easier to lock down.
Huba explained that Emerson and Wurldtech's present security efforts for DeltaV are focused on perimeter protection, where intrusions can come via serial, Ethernet, wireless and Level 3 interfaces. He added that serial security is fairly simple because serial interfaces—such as Modbus RTU, Profibus DP, DeviceNet, Foundation fieldbus and others—are generally implemented in closed, proprietary systems. Likewise, securing Ethernet is easier because real-time Ethernet interfaces—such as Modbus TCP/IP, Profinet and EtherNet/IP and others—go through VIMs (virtual I/O modules) and are considered secure. And wireless security is relatively easy because IEC 62591 field wireless security is accepted by even the toughest IT departments.
"Level 3 is what we're most concerned about now because problems can come from above when users connect to their plant's local area network," said Huba. "The solution is to use secure web services like OPC Xi and install a firewall. Emerson has added OPC Xi tools from the OPC Foundation to aid security because they are firewall-friendly, allow specifically configured client connections and are encrypted."
In addition, the Emerson Smart Firewall's primary functions that will not require any security expertise include:
- Boots locked out of the box.
- Easy setup of permitted communications.
- Communication only allow through recognized secure services.
- Packet inspection for added security.
"Firewalls can be tricky because many allow the world to come in unsolicited, and then they differentiate and decide what data to allow in," explained Huba. "In our cause, we're not letting in everything, and this will make things less complex. For example, setup for Emerson Smart Firewall will use a web interface that's built right into the firewall and then allow users to point and click to establish connections, select secure services they want to employ and then pick the specific workstations that will use them."
Also, Emerson Smart Firewall will eliminate the need for IT to support to maintain DeltaV's security by performing updates via Guardian Service that mitigates security risks without jeopardizing system availability. "Users can access security experts, so they don't have to do it," said Kube. "Wurldtech monitors the global threat landscape, identifies those with the potential to impact DeltaV's environment, and then crafts rule-sets to protect at-risk systems, validates for system compatibility and forwards the results to Guardian for deployment. Because we're working directly with Emerson, we can do even more, including more data packet inspections and pushing fixes up to the firewall. "
While most firewalls have policy-based rules that govern the ports and other addresses where data packets can originate, this only mitigates problems in the head portion of those packets. As a result, policy-based firewalls can miss problem in the tail section or payload of data packets. "This is why signature-based firewalls are emerging to check what data packets are saying and see if it's bad stuff," added Kube. "Smart Firewall will let users see where they're pulling data from and push their firewall up to the perimeter of their systems."