Archive for February, 2009

Current Security Vulnerabilities in Control Systems

February 20th, 2009

Here is a list [1] of (currently known) control system security vulnerabilities from 2007 to present [2].

  1. This is an ongoing list that will be updated periodically.
  2. Referenced from the United States Computer Emergency Readiness Team (US-CERT).

ANSI/ISA-99.02.01-2009 security standard now available to the public

February 18th, 2009

The ISA99.02.01 standard (Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program) was approved by ANSI as an American National Standard on 13 January 2009. ANSI/ISA-99.02.01-2009 is available for free to all ISA members here.

This standard describes the elements contained in a cyber security management system for use in the industrial automation and control systems environment and provides guidance on how to meet the requirements described for each element.

Vulnerability in Rockwell Automation ControlLogix 1756-ENBT/A Bridge

February 12th, 2009

This is an important note for those still using the older Rockwell Automation (Allen-Bradley) 1756-ENBT/A EtherNet/IP bridge: Rockwell has published a “Potential Security Vulnerability” notice for the module.

Here is the full description of the vulnerability (per Rockwell’s official support site):

  • The potential for cross-site scripting, which could allow the Product to be used in a social engineering attack.
  • An attacker could potentially craft a URL that looked as if it would take a user to the Product, but would instead execute script from a different location. A successful attack would require the attacker to transmit the crafted URL to a user with access to the web interface of the Product and to convince that user to open the URL.
  • The potential for web redirection, which could allow the Product to be used in a social engineering attack.
  • An attacker could potentially craft a URL that looked as if it would take a user to the Product, but would actually direct the browser to a different location. A successful attack would require the attacker to transmit the crafted URL to a user with access to the web interface of the Product and to convince that user to open the URL.
  • The potential for exposure of some of the Product’s internal web page information. While this does not directly present a functional vulnerability, it does expose some internal information about the module.

Rockwell has said that new firmware scheduled for July 2009 will fix these issues. Until then they suggest that using IE8 (beta) or Firefox may help prevent the cross-site scripting attacks. Note that this browser-side advice addresses only the cross-site scripting issue; limiting which hosts and users can reach the module's web interface remains the sensible interim measure for all three items.

US-CERT reports it with Vulnerability Note VU#882619 here.

[Update: US-CERT also reports VU#619499 Rockwell Automation ControlLogix 1756-ENBT/A EtherNet/IP Bridge URL Redirection Vulnerability]
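As an added illustration (not the module's code, and not taken from Rockwell or US-CERT), here are hypothetical Python request handlers showing the two bug classes the advisory describes, reflected cross-site scripting and URL redirection, each beside a hardened version. The parameter names `page` and `url`, the handler names and the sample query strings are assumptions made for this example only.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Hypothetical request handlers for an embedded device's web interface.
# Added example, not Rockwell code: it shows the two bug classes in the
# advisory (reflected XSS and URL redirection) and one way to close each.


def render_vulnerable(query_string):
    """Reflects the 'page' parameter into HTML unescaped (reflected XSS)."""
    page = parse_qs(query_string).get("page", ["index"])[0]
    return f"<h1>Module status: {page}</h1>"


def render_hardened(query_string):
    """Same page, but the untrusted value is HTML-escaped before it is reflected."""
    page = parse_qs(query_string).get("page", ["index"])[0]
    return f"<h1>Module status: {html.escape(page, quote=True)}</h1>"


def redirect_vulnerable(query_string):
    """Returns a Location value straight from the 'url' parameter (open redirect)."""
    return parse_qs(query_string).get("url", ["/"])[0]


def redirect_hardened(query_string):
    """Only follows redirects to local absolute paths on this device.

    Anything with a scheme or host (http://..., //host/..., javascript:...)
    or a backslash (which some browsers treat like '/') falls back to '/'.
    """
    target = parse_qs(query_string).get("url", ["/"])[0]
    parts = urlsplit(target)
    if parts.scheme or parts.netloc or "\\" in target:
        return "/"
    if not target.startswith("/") or target.startswith("//"):
        return "/"
    return target
```

The escape in `render_hardened` neutralises script wherever the value is reflected as HTML text; `redirect_hardened` accepts only same-site paths, which is the usual fix for a redirect parameter and removes the crafted-URL trick the advisory describes.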

Full list of control system vulnerabilities from 2007-present can be seen here.

Layer 2 vs. Layer 3 switches

February 11th, 2009

Layer 2 switches and Layer 3 switches – you may have heard the terms before.

So what exactly are they?

Both types of switch link network devices together, port to port. Unlike a hub, which repeats every frame to every port, a switch reads the addresses in each frame and sends it only to the port leading to the right destination.

The terms Layer 2 and Layer 3 come from the OSI seven-layer model (a conceptual way of dividing a network architecture into layers by function, service and dependence). Within the model, Layer 2 is the “Data Link Layer” and Layer 3 is the “Network Layer”.

A Layer 2 switch moves frames around a single network. True to its OSI layer, it works at the data link layer, directly on top of the physical layer (Layer 1, e.g. cables and connectors). It learns the MAC address of each device from the source address of the frames it sees, keeps a table of MAC address to port, and forwards each frame (at wire speed) to the port that owns the destination MAC, flooding any frame whose destination it has not learned yet. While every switch port is its own collision domain, a plain Layer 2 switch cannot move a packet from one IP network to another, and a basic one cannot prioritise traffic to guarantee bandwidth. Putting devices on a Layer 2 switch makes one large local segment, i.e. a single “broadcast domain”.

A Layer 3 switch acts like a traditional router: it links different network segments together so that data can be routed from one IP subnet to another. Packets can be prioritised, and the switch can run routing protocols to learn the best route between networks. Where a Layer 2 switch forwards frames based on MAC addresses, a Layer 3 switch routes packets based on IP addresses. Going a step further, the ports can be logically separated into two or more VLANs (Virtual LANs). Strictly speaking, VLAN segmentation (IEEE 802.1Q) is a Layer 2 feature that managed Layer 2 switches support too; what the Layer 3 switch adds is routing between the VLANs and the ability to apply access control lists at that boundary, which is what limits unauthorised access between networks. A Layer 3 switch typically sits above the Layer 2 switches and governs the routes and access between the different networks.

An example would be a water treatment facility. Being a big plant, each department (Chlorination, Aeration, Distillation, Filtration, Waste Generation etc.) is split into its own smaller network. Each mini network (PLCs, I/O modules, monitors, sensors, HVAC, Historian stations and more) hangs off its own Layer 2 switch. Since the departments need to synchronise, coordinate and share data with each other to run the plant, there has to be a device that lets data move from one department's network to another, and that is where the Layer 3 switch comes in. All the Layer 2 switches converge on the Layer 3 switch, which carries traffic between the networks, can prioritise packets, and can allow or limit access to particular networks at any given time.

The Cisco IE-3000 switch and Transition Networks’ Milan SM801PST are examples of Layer 2 switches. The Cisco Catalyst 3750 would be a good example of a Layer 3 switch.
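To make the two forwarding behaviours concrete, here is an added Python simulation (my own example, not code from any Cisco or Transition Networks product): a learning Layer 2 switch that forwards by MAC address and floods what it has not learned, and a Layer 3 switch that routes between subnets by longest-prefix match and applies a simple access list, in the shape of the water-plant example above. The department names, port names (`gi1`, `uplink`, `vlan10`), subnets and the historian address are all constructed for the example.

```python
from ipaddress import ip_address, ip_network

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Layer2Switch:
    """A learning switch: one broadcast domain, forwards by destination MAC only."""

    def __init__(self, name, ports):
        self.name = name
        self.ports = list(ports)
        self.mac_table = {}          # MAC -> port, learned from source addresses

    def forward(self, in_port, src_mac, dst_mac):
        """Return the list of ports a frame arriving on in_port goes out of."""
        self.mac_table[src_mac] = in_port                    # learn where src lives
        if dst_mac == BROADCAST or dst_mac not in self.mac_table:
            return [p for p in self.ports if p != in_port]   # flood unknown/broadcast
        out = self.mac_table[dst_mac]
        return [] if out == in_port else [out]               # never back out the ingress port


class Layer3Switch:
    """Routes between subnets (longest-prefix match) and enforces a first-match ACL."""

    def __init__(self):
        self.routes = []             # (network, interface), longest prefix first
        self.acl = []                # (src_net, dst_net, permit)

    def add_route(self, cidr, interface):
        self.routes.append((ip_network(cidr), interface))
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def add_acl(self, src_cidr, dst_cidr, permit):
        self.acl.append((ip_network(src_cidr), ip_network(dst_cidr), permit))

    def route(self, src_ip, dst_ip):
        """Return the egress interface, or None if there is no route or the ACL denies it."""
        src, dst = ip_address(src_ip), ip_address(dst_ip)
        for s_net, d_net, permit in self.acl:                # first matching entry wins
            if src in s_net and dst in d_net:
                if not permit:
                    return None
                break
        for net, iface in self.routes:
            if dst in net:
                return iface
        return None


def build_plant():
    """Constructed topology: two departments, each on its own L2 switch, joined by one L3 switch."""
    chlorination = Layer2Switch("chlorination", ["gi1", "gi2", "gi3", "uplink"])
    filtration = Layer2Switch("filtration", ["gi1", "gi2", "uplink"])
    core = Layer3Switch()
    core.add_route("10.1.0.0/24", "vlan10")    # chlorination subnet
    core.add_route("10.2.0.0/24", "vlan20")    # filtration subnet
    core.add_route("0.0.0.0/0", "vlan99")      # default route towards the business network
    # Chlorination devices may reach only the filtration historian (10.2.0.50), nothing else there.
    core.add_acl("10.1.0.0/24", "10.2.0.50/32", permit=True)
    core.add_acl("10.1.0.0/24", "10.2.0.0/24", permit=False)
    return chlorination, filtration, core
```

The Layer 2 switch never looks at IP addresses: a frame for a host in another department simply gets flooded out of the uplink like any unknown destination, and it is the Layer 3 switch that decides, per subnet pair, whether and where it goes.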

EtherChannel Defined

February 4th, 2009

EtherChannel is Cisco's link aggregation technology (often loosely called port trunking, although in Cisco terminology a “trunk” is an 802.1Q VLAN trunk, a different thing). It is used mostly on Cisco switches. It bundles several physical Ethernet ports into one logical port, so that neighbouring devices, Spanning Tree and the IP stack see a single connection with one MAC address and (if routed) one IP address, regardless of application(s) or user(s).

This makes it a useful failsafe for mission-critical applications: if one or several member links go down, traffic is redistributed across the remaining active links transparently and without waiting for a routing or Spanning Tree reconvergence. Load is spread across the member ports by a hash; on Cisco platforms the hash is computed over the source/destination IP addresses, MAC addresses and/or TCP/UDP port numbers, with the input fields selectable per platform, so the exact algorithm is Cisco's and varies by model.

EtherChannel is normally used within a network backbone rather than direct connections with end user devices/ machines. Connecting up end user devices would require the NIC / adapter of that particular device to be EtherChannel compatible. As of today, I don’t believe there is any PLC or embedded end user manufacturing/ control system device supporting EtherChannel, but that may change if the demand arises.

The maximum number of active ports in one EtherChannel is eight (two is the useful minimum), whether the members are Fast Ethernet, Gigabit Ethernet or 10 Gigabit Ethernet; with LACP, up to eight further ports can be configured as hot standby that take over when an active member fails. Aggregate bandwidth scales with the number and speed of the member ports, e.g. five ports in an EtherChannel give 500 Mbit/s, 5 Gbit/s or 50 Gbit/s at Fast Ethernet, Gigabit Ethernet and 10 Gigabit Ethernet speeds respectively. One caveat: because each flow is hashed onto a single member link, no individual conversation can exceed one link's speed; the gain is in aggregate throughput across many flows. That still makes it very scalable as traffic grows, which is a huge benefit.

When using EtherChannel, three things must apply:

1) All member ports must be set to the same speed and duplex throughout (and carry the same VLAN configuration)

2) All links must comply with the IEEE 802.3 standard

3) The device at the other end must support EtherChannel as well (or, if you use LACP, standard IEEE 802.1AX link aggregation)

One may ask why you would use EtherChannel when STP (Spanning Tree Protocol) is available. The answer is that STP limits the use of parallel links between switches: it blocks the redundant links and sends traffic down a single path at a time. EtherChannel lets you use all the links between two devices at all times, and STP treats the bundle as one logical link, so you can still run STP alongside it for a loop-free topology and protection against broadcast storms.

With all the good things said, there is a drawback: EtherChannel's own negotiation protocol (PAgP) is Cisco proprietary, so with it you are bound to devices that implement the proprietary technology (mainly Cisco and Intel*). IEEE has an open-standard equivalent, IEEE 802.1AX link aggregation (originally IEEE 802.3ad), whose LACP negotiation is also supported on Cisco switches and is the way to bundle links to non-Cisco equipment.

*Intel can implement either Cisco EtherChannel or IEEE 802.1AX/802.3ad link aggregation on its Intel® PRO/100, PRO/1000, PRO/10GbE, Gigabit and 10 Gigabit server adapters.
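An added Python model (my own example, not Cisco code) of how a bundle carries traffic: each flow is hashed onto one member link, so aggregate capacity grows with the member count while a single flow stays at one link's speed; a badly chosen hash input can polarise traffic onto one link; and a failed member simply drops out of the hash so the surviving links carry everything. The CRC32 hash, the port names, the mode names and the constructed flow list are stand-ins; Cisco's real hash is platform-specific.

```python
import zlib


class EtherChannel:
    """Toy model of a port channel: each flow is pinned to one member link by a hash.

    Stand-in for a Cisco-style bundle. The hash here is CRC32 over the selected
    header fields; the real per-platform hash differs, but the behaviour that
    matters (one flow -> one link, re-hash when a link fails) is the same.
    """

    MODES = ("src-ip", "dst-ip", "src-dst-ip", "src-dst-port")

    def __init__(self, members, link_speed_mbps, load_balance="src-dst-ip"):
        if load_balance not in self.MODES:
            raise ValueError(f"unknown load-balance mode {load_balance!r}")
        self.members = list(members)          # e.g. ["Gi1/0/1", "Gi1/0/2", ...] (made-up names)
        self.link_speed_mbps = link_speed_mbps
        self.load_balance = load_balance
        self.failed = set()

    def active_links(self):
        return [m for m in self.members if m not in self.failed]

    def aggregate_mbps(self):
        """Bandwidth available to the bundle as a whole, i.e. across many flows."""
        return len(self.active_links()) * self.link_speed_mbps

    def per_flow_limit_mbps(self):
        """Ceiling for any single flow: it never leaves its one member link."""
        return self.link_speed_mbps

    def fail_link(self, member):
        """Take a member out of service; subsequent hashing ignores it."""
        self.failed.add(member)

    def _hash_fields(self, flow):
        src_ip, dst_ip, src_port, dst_port = flow
        return {
            "src-ip": (src_ip,),
            "dst-ip": (dst_ip,),
            "src-dst-ip": (src_ip, dst_ip),
            "src-dst-port": (src_ip, dst_ip, src_port, dst_port),
        }[self.load_balance]

    def select_link(self, flow):
        """Pick the member link for a flow given as (src_ip, dst_ip, src_port, dst_port)."""
        links = self.active_links()
        if not links:
            return None
        key = "|".join(str(f) for f in self._hash_fields(flow)).encode()
        return links[zlib.crc32(key) % len(links)]


def distribute(channel, flows):
    """Map flows onto links; returns {link: [flow, ...]} for the links actually used."""
    placement = {}
    for flow in flows:
        link = channel.select_link(flow)
        if link is not None:
            placement.setdefault(link, []).append(flow)
    return placement


# Constructed traffic: twenty devices in one subnet all talking to a single historian
# on TCP 44818 (the EtherNet/IP port). Addresses are made up for the example.
FLOWS = [(f"10.1.0.{i}", "10.2.0.50", 40000 + i, 44818) for i in range(1, 21)]
```

The `dst-ip` case is the one to watch on a control network: when most traffic converges on one historian or SCADA server, a hash over destination address alone puts every one of those flows on the same member link and the other members sit idle, so the hash input should include the source address or port as well.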