Benefits Of Network Level Security At RTU Level

By Kevin Finnan, Vice President of Marketing, Semaphore and Philippe Willems, Research and Development Manager, Semaphore | February 2014, Vol. 241 No. 2

In this firewall example, access to the RTU is allowed only from a PC with a specified IP address.


New security capabilities at the remote terminal unit (RTU) level are substantially easing implementation of cybersecurity measures in SCADA systems.

Traditionally, technology has been a problem with SCADA security. SCADA technology differs from that in the PC and networking world. RTU platforms are often proprietary and incompatible with PCs. Common SCADA communications protocols are unknowns in the IT world. Together, these factors lead to expensive treatment of the SCADA system as an uncommon entity when it comes to cybersecurity.

New technology at the RTU level is making a major difference. New-generation RTUs reside on IP networks and support the same security measures as those that are familiar to the computer and networking world. They allow implementation of common, proven, network-level security measures instead of customized, local-level measures. The result is much quicker and considerably less expensive implementation of cybersecurity measures for SCADA systems.

The most common RTU security features include the following:

A firewall is a device or software capability designed to allow or deny network transmissions based upon a set of rules. The firewall is used to protect networks from unauthorized access while allowing legitimate communications to pass. A firewall provides a good first line of defense in a secure SCADA system. Using a firewall at each RTU simplifies protection of wireless SCADA networks, which cover large geographical areas that are impossible to secure physically.

The firewall provides access protection for any incoming or outgoing IP connection. Ethernet ports and cellular connections, such as GPRS or 3G, can be protected. Menu interaction allows the user to define one or more rules to allow or deny access. In a simple example, an RTU firewall can allow access only to a device with a specified IP address. That could be the SCADA host or “master” PC.

Typically, a combination of criteria is specified. An example is “packet filtering,” which would be based on port numbers, protocol and the source IP address. This setup provides a defense against an array of threats, including “ping flooding,” denial-of-service and “spoofing.”
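The combined-criteria filtering described above can be modelled as a first-match rule list with a default deny, plus a check that flags rules broader than one host, protocol and port. This is an added example, not code from the article or from any RTU product; the SCADA host address 192.0.2.10, Modbus/TCP on port 502 and all names in the code are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str                      # source network, CIDR notation
    proto: Optional[str] = None   # "tcp", "udp", "icmp"; None matches any
    dport: Optional[int] = None   # destination port; None matches any

    def matches(self, src_ip, proto, dport):
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if self.proto is not None and self.proto != proto:
            return False
        return self.dport is None or self.dport == dport

# Constructed values (assumptions): 192.0.2.10 is the SCADA host and the
# RTU answers Modbus/TCP on port 502.
STRICT = [Rule("allow", "192.0.2.10/32", "tcp", 502)]
# Weak variant: any host on the subnet, any protocol, any port.
LOOSE = [Rule("allow", "192.0.2.0/24")]

def evaluate(rules, src_ip, proto, dport=None):
    """First matching rule decides; unmatched traffic is denied."""
    for rule in rules:
        if rule.matches(src_ip, proto, dport):
            return rule.action
    return "deny"

def audit(rules):
    """Report allow rules broader than one host, one protocol, one port."""
    findings = []
    for index, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        if ipaddress.ip_network(rule.src).num_addresses > 1:
            findings.append((index, "source wider than a single host"))
        if rule.proto is None:
            findings.append((index, "protocol not restricted"))
        if rule.dport is None and rule.proto != "icmp":
            findings.append((index, "destination port not restricted"))
    return findings

if __name__ == "__main__":
    for pkt in [("192.0.2.10", "tcp", 502), ("192.0.2.10", "tcp", 23),
                ("198.51.100.7", "tcp", 502), ("192.0.2.77", "icmp", None)]:
        print(pkt, "strict:", evaluate(STRICT, *pkt), "loose:", evaluate(LOOSE, *pkt))
    print(audit(LOOSE))
```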

A major threat to SCADA systems is that third parties can gain remote access to RTUs and operate process equipment such as compressors and pumps. Equipment can be operated in a manner that causes damage, creates safety risks, disrupts the process, increases power use and reduces service life.

Authentication is a reasonable measure to address such threats. It presents little additional loading in terms of network bandwidth and processing power. However, authentication does not provide data security.