This is the third in a series of articles on security features in the next generation of PLC’s that will mark the end of Insecure By Design. A panel at S4xEurope will highlight Secure PLC’s, and the event includes other sessions on PLC integrity and ICS secure protocols. It’s time to plan for your next ICS, or even accelerating upgrade plans, to be securable.
The lack of authentication in ICS protocols allowed an attacker with network access to spoof an engineering work station or operator station and issue any legitimate commands. This is a major part of the Insecure By Design nature of PLC and other Level 1 ICS devices. The Schneider Electric Modicon M580 is an example of a vendor in the midst of solving this problem. Some of the secure protocol solutions are available today, and others will require a firmware upgrade on the PLC and EWS/HMI software upgrade, but there is enough horsepower in the M580 and other NextGen PLC’s to run the crypto.
Today – IPsec
Communications between any Windows computer and the Modicon M580 can be secured using IPSec. This includes engineering work station (EWS) type communication where applications/logic, PLC configuration and other engineering administration takes place via Schneider’s Unity Pro (v8.1 with DTM v2.6.1 or later). It also could include any operator station / HMI communication with the PLC. IPsec has been in Windows and other operating systems for years. What’s new is that it is supported in the PLC.
The M580 has implemented a portion of IPsec in its communications modules. Support is for the authentication header (AH) protocol in transport mode only, no encryption/encapsulating security payload (ESP), and uses pre-shared keys rather than certificates. The most likely use is an asset owner enters a pre-shared key and configures IPsec in all Unity Pro computers and M580 PLC’s. This could be considered a closed user group.
Packets sent to the PLC by an attacker’s computer, or any compromised computer that did not have IPsec configured and the pre-shared key, would not be accepted by the PLC. Replay attacks would also be detected and discarded. An attacker who is able to sniff or capture IPsec protected communications would still be able to view the requests and responses. The M580 team said adding IPsec in this manner added 10ms for reading 10,000 variables.
Another implementation limitation is IPsec is not supported for communication between two or more M580 PLC’s. It is for computer to PLC communication only.
Many organizations have tried to deploy IPsec in other vendor solutions and given up. It is not intuitive or a pleasant user interface. The Modicon M580 documentation is good, and the choices made by Schneider Electric have attempted to keep it as simple as possible at the cost of foregoing some security benefits. All said, full credit to the M580 team for putting it in the PLC and giving customers an immediate choice until better solutions are available.
Future – Secure Modbus/TCP
TCP/802 has been reserved for Secure Modbus/TCP, and Schneider Electric is working on this. It’s a basic approach of wrapping the ICS protocol in TLS. This of course brings certificate management into the equation with all its potential benefits and complexity. One interesting tidbit is the potential addition of roles into the certificate that then could determine what capability the Modbus session had on the Modicon M580 PLC.
There are no announced dates when this will be available, and I don’t have even an educated guess on this timeline.
Future – Secure EtherNet/IP
The other main protocol supported in the Modicon M580 is the CIP stack. The ODVA organization behind this protocol stack has issued standard documents for adding integrity and confidentiality to EtherNet/IP, and Schneider Electric is actively involved in this protocol enhancement. Schneider Electric has not announced a release date for support of this protocol, but an ODVA interoperability event has already happened so my educated guess is late 2016 or 2017.
I’ll go into the security features in the released and planned security additions to CIP in the RA ControlLogix articles since they are the progenitor of the CIP family of protocols.