Network Segmentation and the Fragile PLC. exida performs a Cybersecurity Vulnerability Assessment on an oil refinery.
A Cybersecurity Vulnerability Assessment was recently performed on an oil refinery. The main PCS in place was a form of redundant Ethernet. The main communication was broadcast and multicast traffic from all devices in a producer/subscriber configuration. It was one very busy network.
In a significant number of cabinets there was a PLC and some other devices directly connected to one of the redundant legs.
The technician was asked whether they were having any communication issues, given the amount of traffic the PCS generated. It was then revealed that the system dropped offline every month or so, sometimes more often, and required a hard reset to get it back. Why might these dropouts occur?
Many PLCs do not like excessive traffic on their Ethernet ports. They simply can’t handle it: they have been known to lock up, corrupt, stop communicating, stop processing I/O, etc. The fix is to put a barrier device in place in front of the PLC. This barrier device has to accomplish two tasks: first, limit the traffic to only what is needed by the PLC, and second, rate limit traffic should a broadcast storm occur. However, because of the way the PCN operates, the PLC is effectively under continuous attack, in a constant state of broadcast storm: it did not use the native traffic the PCN used but, in this case, Modbus/TCP.
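A small model of the barrier device's two tasks, added here as an illustration and not taken from exida or any vendor's product: it forwards only Modbus/TCP from an allowlisted master and rate limits ARP broadcasts with a token bucket. The addresses, the rates and the choice of ARP as the one broadcast the PLC still needs are assumptions, and the traffic is constructed.

```python
from collections import Counter, namedtuple

MODBUS_TCP_PORT = 502             # registered Modbus/TCP port
ALLOWED_MASTERS = {"10.0.5.10"}   # assumption: the only host that polls this PLC

# t_ms is the arrival time in milliseconds; proto is "arp", "tcp" or "udp"
Frame = namedtuple("Frame", "t_ms dst_mac src_ip proto dst_port", defaults=(0,))

def group_addressed(mac):
    # Broadcast and multicast MACs have the low bit of the first octet set.
    return int(mac.split(":")[0], 16) & 1 == 1

class TokenBucket:
    # Integer arithmetic in milli-tokens keeps the outcome exact.
    def __init__(self, rate_per_s, burst):
        self.rate, self.cap = rate_per_s, burst * 1000
        self.tokens, self.last = self.cap, 0

    def allow(self, now_ms):
        self.tokens = min(self.cap, self.tokens + (now_ms - self.last) * self.rate)
        self.last = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False

class Barrier:
    def __init__(self, arp_rate=5, arp_burst=5):   # assumed limits
        self.arp = TokenBucket(arp_rate, arp_burst)

    def decide(self, f):
        if f.proto == "arp":              # task 2: needed broadcast, rate limited
            return "forward:arp" if self.arp.allow(f.t_ms) else "drop:arp-rate"
        if group_addressed(f.dst_mac):    # task 1: PCS producer/subscriber chatter
            return "drop:group-addressed"
        if (f.proto, f.dst_port) == ("tcp", MODBUS_TCP_PORT) and f.src_ip in ALLOWED_MASTERS:
            return "forward:modbus"
        return "drop:not-allowlisted"

def simulate():
    # Constructed traffic: one second on a busy leg, as seen by one PLC.
    plc = "00:11:22:33:44:55"
    frames = [Frame(i, "01:00:5e:01:02:03", "10.0.5.20", "udp", 2222) for i in range(1000)]
    frames += [Frame(i * 5, "ff:ff:ff:ff:ff:ff", "10.0.5.30", "arp") for i in range(200)]
    frames += [Frame(i * 100, plc, "10.0.5.10", "tcp", MODBUS_TCP_PORT) for i in range(10)]
    frames.append(Frame(500, plc, "10.0.5.99", "tcp", MODBUS_TCP_PORT))  # unlisted host
    barrier = Barrier()
    return Counter(barrier.decide(f) for f in sorted(frames, key=lambda f: f.t_ms))
```

Of the 1,211 constructed frames, the PLC sees 19: the ten Modbus polls and nine ARP frames.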
Working with a local PCN group, a very simple yet effective set of implementation options was developed, all of which would reduce the traffic to the safety PLCs.
The first option was to place an industrial switch in the line and then put a barrier device in front of the switch.
The benefit is simplicity of design and minimal cost impact.
The second option was to place a barrier device in front of each device.
Network segmentation is extremely important and comes in all shapes and sizes. Sometimes you are talking about major network sections being segmented to improve reliability and distribute communications. Sometimes, however, you need to focus on the essential operations, as in the example above. The SIS was losing communication, so the reliability and safety of the process were called into question. While the remediation was rather simple, it took looking at the network architecture design with the knowledge of how fragile PLCs can be when exposed to inappropriate or excessive network traffic.