Background
Since the rise of the IoT (Internet of Things), energy sectors all over the world have frequently been the main targets of deliberate malware, because the consequences of planned attacks can devastate reliability, serviceability and public trust. One of the recent incidents was the power cut during the Christmas season in Ukraine in 2015, followed by a series of cyber attacks on local energy companies. Large parts of the state were left without power. This incident revealed that today's ICS are vulnerable in practice to deliberate attacks.
The main reason for this vulnerability is the adoption of mainstream hardware and standard operating systems. This IT equipment is deployed for increased automation; however, it is so common that professional attackers are very familiar with its weaknesses. In addition, most of the security measures for ICS (Industrial Control Systems) and SCADA today are still traditional and outdated against modern attacks, because they were built before advanced malware existed.
The accumulated incidents have served as a warning sign that more sophisticated, multi-layer prevention measures are needed to protect energy sectors from deliberate malicious attacks such as spear-phishing and social engineering, which IoT and cloud computing have made common.
Requirements
Although there are many computing solutions available, they are all made of mainstream hardware and operating systems, which are easy targets for attackers. What is really needed is a reliable platform dedicated solely to providing visibility into and detection of unauthorized behavior across the whole network system, including the Internet, intranet, DNPs, private cloud and corporate VPNs. The platform must cover potential blind spots or loopholes such as network traffic, local devices, or even human beings. It must be able to detect all unauthorized changes to hardware, software and firmware. A practical solution is to implement a hardware firewall/UTM that meets the following requirements for conducting security measures:
Performance and Power Balanced Processor
Because of the heavy load of control activity on the ICS network, the firewall should be engineered with a low-power CPU that delivers reliable performance to carry out prevention policies and instructions.
Multiple Ethernet Connectivity
As the firewall is connected to operational technologies such as PLCs, HMIs, and SCADA systems, it should have multiple LAN ports for the network connections it needs to monitor. It is even better if the LAN ports can supply power, as industrial environments sometimes lack a stable power supply.
ESD and Surge Protection
Power surges may occur in the energy operation environment. Therefore, the firewall must be built with some degree of protection for its I/O ports.
Wide Operating Temperature
Extreme temperatures may be encountered in energy operation environments; therefore, the firewall must be able to work across a wide operating temperature range.
Lanner’s Firewall Solution
Lanner’s LEC-6032 is purpose-built to address the cyber threats targeting energy sectors. The LEC-6032 is driven by an Intel® Atom™ E3845 1.91 GHz SoC CPU, a low-power processor with steady performance for network traffic management. In addition, the CPU supports AES-NI (Advanced Encryption Standard New Instructions), virtualization technology and the Execute Disable Bit to reinforce system security and network defense. The CPU is scalable for implementing instructions and policies that detect unauthorized behavior and malware, as well as for conducting validation and authentication processes.
The LEC-6032 comes with multiple LAN ports and SFP ports for Ethernet connections to other networked devices such as PLCs, HMIs or SCADA systems. Once the connections are established, the LEC-6032 can act as the central firewall/UTM that monitors and controls the network traffic of the operating environment. In addition, some LAN ports of the LEC-6032 provide PoE (Power-over-Ethernet) and bypass functions to ensure serviceability.
With ruggedness in mind, the LEC-6032 is built with magnetic isolation protection of up to 1.5 kV for its LAN ports and ESD protection of up to 15 kV for its other I/O ports to guard against electrical and ESD surges. In addition, the LEC-6032 supports a wide operating temperature range of -40 to 70 °C and dual power inputs, as required for deployment in energy sectors.