1、IndustrialNetwork SecuritySecond EditionIndustrialNetwork SecuritySecond EditionBy David J. TeumimCopyright 2010 The International Society of Automation (ISA)All rights reserved. Printed in the United States of America. 10 9 8 7 6 5 4 3 2ISBN 978-1-936007-07-3No part of this work may be reproduced,
2、stored in a retrieval system, or transmitted inany form or by any means, electronic, mechanical, photocopying, recording or other-wise, without the prior written permission of the publisher.ISA67 Alexander DriveP.O. Box 12277Research Triangle Park, NC 27709www.isa.orgLibrary of Congress Cataloging-i
3、n-Publication Data in processNoticeThe information presented in this publication is for the general education of the reader. Because neither the author nor the publisher have any control over the use of the information by the reader, both the author and the publisher disclaim any and all liability o
4、f any kind arising out of such use. The reader is expected to exercise sound professional judgment in using any of the information presented in a particular applica-tion.Additionally, neither the author nor the publisher have investigated or considered the effect of any patents on the ability of the
5、 reader to use any of the information in a particular application. The reader is responsible for reviewing any possible patents that may affect any particular use of the information presented.Any references to commercial products in the work are cited as examples only. Nei-ther the author nor the pu
6、blisher endorse any referenced commercial product. Any trademarks or tradenames referenced belong to the respective owner of the mark or name. Neither the author nor the publisher make any representation regarding the availability of any referenced commercial product at any time. The manufacturers i
7、nstructions on use of any commercial product must be followed at all times, even if in conflict with the information in this publication.AcknowledgmentsMy appreciation is expressed for the people who helped and inspired me to write the second edition of this book.Once again, my special thanks go to
8、my ISA editor, Susan Colwell.John Clem, from Sandia National Laboratories, contributed content on Red Teaming for the new Chapter 9, New Topics in Industrial Network Security.My good friend from college, Andy Hagel, provided content and review for Chapter 3, COTS and Connectivity.As with the first e
9、dition, Dave Mills of Procter 2. takes a pipe wrench and breaks a liquid level sight glass on a storage tank, causing the liquid to leak out on the floor; and 3. pries open the door to a SIS system controller box and disables the overpressure shutdown by installing jumpers between iso-lated conducto
10、rs and bypassing the audible alarms. By our definition, acts 1 and 3 fall within our definition of industrial network security. Act 2 is deliberate sabotage, but it is physical sabotage of a mechanical indicating instrument, not of an industrial network. Act 3 involves some physical actions, such as
11、 breaking the lock and install-4 INDUSTRIAL NETWORK SECURITYing jumpers, but the jumpers then alter the electrical flow within an industrial network, a SIS system.We acknowledge and stress the importance of physical protection of industrial network components, and also the personnel security that ap
12、plies to the operators of these networks. However, physical and per-sonnel security protective measures have been around for a long time, and information about these protective measures is readily available elsewhere. Chapter 2 introduces physical and personnel security as part of the entire securit
13、y picture; however, the majority of this book covers the electronic security of industrial networks.The ISA99 committee also acknowledges that these other branches of security, such as physical and personnel security, are necessary but simi-larly states that its standards are mainly concerned with t
14、he “electronic security” of industrial automation and control systems. 1.3 The Big Picture: Critical Infrastructure ProtectionIt is best to introduce the subject of Critical Infrastructure Protection from a historical perspective. In 1996, President Clinton issued PDD63 (Presidential Decision Direct
15、ive 63) on Critical Infrastructure Protec-tion(5), declaring that the United States had critical infrastructure that is vital to the functioning of the nation and must be protected. PDD63 identified eight critical infrastructure sectors, including these infrastruc-tures using industrial networks: Ga
16、s and Oil Storage orthe factory he was visiting had a “company escort required” physical security policy, preventing the salesman from wander-ing into the production area alone; orthe factory had active network security measures that prevented the salesman from entering the PLC network and downloadi
17、ng a modified ladder logic program?If any of these physical, personnel, or cybersecurity measures had been in force, the final event in the chain, the conveyors mysterious mal-function, might have been prevented.2.2 Risk Assessment and IT CybersecurityRisk assessment is the process by which you and
18、your management team make educated decisions about what could harm your business (threats), how likely they are to occur (likelihood), what harm they would do (consequences), and, if the risk is excessive, what to do to lower the risk (countermeasures). Lets say you are the owner of a large factory
19、making widgets in a Midwestern state, which happens to be in “Tornado Alley.” Your plant building and attached business office building are as shown in Figure 2-1:For instance, for risks to the office building and its contents, such as the business computer systems, we can illustrate what one type o
20、f risk assessmenta quantitative risk assessmentlooks like. In this example A SECURITY BACKGROUNDER 15we will consider one physical and one cyber threat to the office build-ing and its computer system, per Figure 2-2.The first, a mild-to-moderate tornado, represents a physical risk to the office buil
21、ding and its contents. Lets say the likelihood of a mild-to-moderate (known as category F0 to F2) tornado hitting the office build-ing is once every 20 years (a fairly dangerous neighborhood!). The figure assumes the consequence of the threat or average damage to the asset (office building) is $5 mi
22、llion. Therefore, the annual risk from mild-to-moderate tornado damage is:1 event/20 years $5 million/event =0.05 5 =$0.25 million/year at risk from this type of tornado.Now we have a measure of annual risk in terms of dollars. We can com-pare it with the very different risk of, lets say, a particul
23、ar type of cyber attack by an industrial spy who seeks to download your carefully guarded database of best customers and what they typically order from you.Figure 2-1. Widget Enterprises, Inc.FACTORYBUSINESS OFFICE16 A SECURITY BACKGROUNDERFigure 2-2. Office Building Physical and Cyber Risk Assessme
24、ntStrengthen business officecyber defenses0.33/year X $10 million= $3.3 million$10 million per theftLost salesCustomer databaseOne event/ three years or 0.33/yearCYBER (INDUSTRIALSPY)Reinforced concreteconstruction to limitdamage0.05/year X $5 million= $0.25 million$5 millionper eventDamage tobuilding + contentsOffice buildingOne event/ 20 years, or .05/yearPHYSICAL (TORNADO)COUNTER MEASURERISK (in $ per year)CONSEQUENCE (in $)CONSEQUENCEASSETLIKELIHOOD(in number of events per year)THREAT
