
Secure industrial protocols, protocol whitelisting, and communication server fortification to increase the security of industrial communications.

Industrial protocols are characterized by being very heterogeneous, unlike what happens in the field of information technologies in the corporate environment. What other particularities do they present?

One of the most important features that distinguish IT networks from OT networks is the use of what are called industrial protocols in the operation networks: they connect field devices to one another (PLC, RTU, controllers; horizontal communication) and connect those devices to real-time systems such as HMI, SCADA and MES (vertical communication).

These protocols, which include, for example, Modbus, Profibus, OPC, Ethernet/IP and DNP3, are characterized, among other things, by being very heterogeneous and by not being secure. This is unlike the corporate information-technology field, where organizations such as the IETF (through its RFCs) and ISO standardize almost all protocols; in the industrial field, each manufacturer defines its own.

In other words, communications in OT environments over most industrial protocols offer no authentication, authorization, encryption or auditability. This makes industrial communication technologies and architectures a clear target for attacks that mainly affect the integrity and availability of control systems, disrupting the normal execution of production processes. Impersonation between masters and slaves that speak a given protocol, sniffing traffic in order to alter the typical functions or objects of a protocol, performing unauthorized actions, or denial-of-service attacks are just some of the threats that stem from the insecure behavior of industrial communications.

Considering this context, the industry has three basic ways to secure industrial communications:

  1. Use specifications associated with secure industrial protocols.
  2. Incorporate specific technologies that provide security to non-secure industrial protocols.
  3. Fortify the servers that centralize industrial communications.

Currently, the best-known specifications in the industrial field that add security to protocols are the following: the one produced by the OPC Foundation through OPC UA (Open Connectivity Unified Architecture), and the one produced by the IEC (International Electrotechnical Commission) through the IEC 62351 series. IEC 62351 in turn secures the TC 57 protocol series, which includes the IEC 60870-5, IEC 60870-6, IEC 61850, IEC 61970 and IEC 61968 series.

[Figure: OPC]

Regarding the specific technologies that add security to insecure industrial protocols, it is possible to segregate the network and/or ensure the integrity of the protocols using what is called protocol whitelisting. This means deploying technologies that ensure communication between field devices, or between field devices and real-time systems, takes place over one specific protocol for which a whitelist of the permitted functions and objects of that protocol has been defined; anything outside the list is rejected. On the other hand, standards traditionally linked to IT environments, such as OpenVPN, can be a good practice for encrypting and authenticating industrial protocols. In this case, the solution involves creating virtual private networks (VPNs) between field devices and real-time systems so that this traffic no longer travels in the clear. Here it is crucial to evaluate the added communication latency. There are also technologies that encrypt and authenticate industrial traffic using symmetric keys, such as AES-256, making it secure.
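To make the protocol whitelisting idea concrete, the following added example (not code from the original article or from any product it mentions) applies a per-unit allowlist to Modbus/TCP requests: the MBAP header and PDU are parsed, and each request is allowed only if its unit id, function code and the register range it touches are on the list. The policy, the function codes included in it and the request frames are constructed for illustration; a real deployment would derive the allowlist from the documented traffic of the plant.

```python
"""Modbus/TCP protocol-whitelist check (added example; constructed policy and frames).

Parses the MBAP header and PDU of a Modbus/TCP request and decides, per unit id,
whether the function code and the register range it touches are on the allowlist.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Standard public Modbus function codes handled by this checker.
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10


@dataclass
class UnitPolicy:
    """Allowlist for one slave/unit: permitted function codes and register ranges."""
    allowed_functions: Set[int]
    readable: List[Tuple[int, int]]   # inclusive (start, end) holding-register ranges
    writable: List[Tuple[int, int]]


@dataclass
class Decision:
    allowed: bool
    reason: str
    unit: Optional[int] = None
    function: Optional[int] = None


def parse_mbap(frame: bytes) -> Tuple[int, bytes]:
    """Split a Modbus/TCP frame into (unit id, PDU); reject inconsistent headers."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _tid, proto_id, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError("protocol id is not 0 (not Modbus/TCP)")
    # The MBAP length field counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return unit, frame[7:]


def _within(start: int, count: int, ranges: List[Tuple[int, int]]) -> bool:
    end = start + count - 1
    return any(lo <= start and end <= hi for lo, hi in ranges)


def check_request(frame: bytes, policy: Dict[int, UnitPolicy]) -> Decision:
    """Return an allow/deny decision for one request frame under the per-unit policy."""
    try:
        unit, pdu = parse_mbap(frame)
    except ValueError as exc:
        return Decision(False, f"malformed frame: {exc}")
    fc = pdu[0]
    unit_policy = policy.get(unit)
    if unit_policy is None:
        return Decision(False, f"unit {unit} not on whitelist", unit, fc)
    if fc not in unit_policy.allowed_functions:
        return Decision(False, f"function 0x{fc:02X} not whitelisted for unit {unit}", unit, fc)

    if fc == READ_HOLDING_REGISTERS:
        if len(pdu) != 5:
            return Decision(False, "malformed read request", unit, fc)
        start, qty = struct.unpack(">HH", pdu[1:5])
        if not 1 <= qty <= 125:  # upper limit fixed by the Modbus specification
            return Decision(False, f"read quantity {qty} out of spec", unit, fc)
        if not _within(start, qty, unit_policy.readable):
            return Decision(False, f"read of {start}..{start + qty - 1} outside readable ranges", unit, fc)
    elif fc == WRITE_SINGLE_REGISTER:
        if len(pdu) != 5:
            return Decision(False, "malformed write request", unit, fc)
        addr = struct.unpack(">H", pdu[1:3])[0]
        if not _within(addr, 1, unit_policy.writable):
            return Decision(False, f"write to register {addr} outside writable ranges", unit, fc)
    elif fc == WRITE_MULTIPLE_REGISTERS:
        if len(pdu) < 6:
            return Decision(False, "malformed multi-write request", unit, fc)
        start, qty, byte_count = struct.unpack(">HHB", pdu[1:6])
        if not 1 <= qty <= 123 or byte_count != 2 * qty or len(pdu) != 6 + byte_count:
            return Decision(False, "multi-write length fields inconsistent", unit, fc)
        if not _within(start, qty, unit_policy.writable):
            return Decision(False, f"write of {start}..{start + qty - 1} outside writable ranges", unit, fc)
    return Decision(True, "ok", unit, fc)


# Constructed policy: unit 1 may read registers 0-99 and write single registers 100-109.
POLICY = {1: UnitPolicy({READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER}, [(0, 99)], [(100, 109)])}

# Constructed request frames (MBAP header + PDU), not captured traffic.
READ_OK = bytes.fromhex("0001 0000 0006 01 03 0000 000A")            # unit 1, read 10 regs from 0
WRITE_OK = bytes.fromhex("0002 0000 0006 01 06 0064 0001")           # unit 1, write register 100
WRITE_BAD = bytes.fromhex("0003 0000 0006 01 06 0000 0001")          # unit 1, write register 0 (read-only)
MULTI_DENIED = bytes.fromhex("0004 0000 0009 01 10 0064 0001 02 0001")  # FC 16 not on the list
UNKNOWN_UNIT = bytes.fromhex("0005 0000 0006 02 03 0000 0001")       # unit 2 has no policy
TRUNCATED = bytes.fromhex("0006 0000 0006 01 03 0000")               # length field does not match


def audit(frames: List[bytes], policy: Dict[int, UnitPolicy]) -> List[Decision]:
    return [check_request(f, policy) for f in frames]


if __name__ == "__main__":
    for d in audit([READ_OK, WRITE_OK, WRITE_BAD, MULTI_DENIED, UNKNOWN_UNIT, TRUNCATED], POLICY):
        print("ALLOW" if d.allowed else "DENY ", d.reason)
```

The decision object carries the unit and function code so that denials can be logged with enough context to tune the list; malformed frames are denied before any policy lookup, since a length field that disagrees with the frame is itself a signal worth recording.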

Regarding the fortification of communication servers, servers dedicated to centralizing industrial communications are increasingly being deployed, and with the emergence of the OPC specification and its technology this has become common practice. These servers, deployed in both traditional and virtualized form, must be physically and logically protected: their alteration, compromise or malfunction would affect the visibility of the plant and its processes. A traditional way to ensure their availability is to make the servers fault-tolerant, most commonly by deploying redundant communication server architectures. In parallel, it is common that no antimalware solution has been installed on these dedicated industrial communication servers, because the OPC server manufacturer does not recommend and/or support it, because the servers are critical and in many cases cannot be stopped or restarted to apply updates, and/or because they are isolated and cannot be updated over the network. In these cases, malware scans run manually and non-invasively (without installing agents), or the installation of specific software that "whitelists" or "locks down" applications, are solutions that also allow industrial communication servers to be fortified.
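The agentless check described above can be illustrated with an integrity baseline: the following added example (not code from the original article or from any product it mentions) records a SHA-256 manifest of the files under a communication server's install directory and later reports anything that is new, changed or missing, which is the principle behind application whitelisting and lockdown when run from outside the server. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Agentless integrity baseline for a communication server (added example; constructed files).

Computes a SHA-256 manifest of the files under a directory tree once, then
compares a later scan against it and reports files that are new, changed or gone.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the current tree with the baseline; anything that does not match is reported."""
    current = build_baseline(root)
    common = current.keys() & baseline.keys()
    return {
        "unknown": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in common if current[k] != baseline[k]),
        "unchanged": sorted(k for k in common if current[k] == baseline[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a tiny install tree, then alter it and re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "commserver.exe").write_bytes(b"constructed server binary")
        (root / "bin" / "driver.dll").write_bytes(b"constructed driver library")
        baseline = build_baseline(root)

        # Drift since the baseline: one library replaced, one unexpected binary added.
        (root / "bin" / "driver.dll").write_bytes(b"constructed driver library, altered")
        (root / "bin" / "unexpected.exe").write_bytes(b"constructed unknown file")
        return verify(root, baseline)


if __name__ == "__main__":
    report = demo()
    for kind in ("unknown", "modified", "missing"):
        for name in report[kind]:
            print(f"{kind.upper():9}{name}")
```

In practice the baseline manifest is written once from a known-good installation, stored off the server, and the scan is run from removable media or a maintenance workstation during a planned window, so nothing is installed on the server and the comparison does not depend on the server's own state.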