Network Power
Internet-protocol systems can offer another layer of protection
- By Frank Madren
- Dec 04, 2007
Since 2001, communities have increased their investment in water security efforts. The U.S. Environmental Protection Agency gave $51 million in grants in fiscal 2002 for vulnerability assessments and has since provided more than $150 million for tools, training, and technical assistance to the water sector, states, and other groups, according to Jennifer B. Nuzzo, a senior analyst for the Center for Biosecurity at the University of Pittsburgh Medical Center.
Those funds have been spent on physical barriers and monitoring equipment in an attempt to answer the needs of physical and cyber security. In both areas, the plant communications network can be a powerful ally in security strategies.
Physical security
Water utilities are adopting high-speed industrial, Internet protocol-based networks to manage, monitor, and collect data about plant operations. As hardened network switches and routers are deployed, their high bandwidths support multiple streams of data that, in turn, support various applications, including physical security.
The physical security of water facilities, from reservoirs to pipelines to treatment plants, is a critical bulwark against attack. If terrorists cannot gain access to the infrastructure, the chances of an undetected attack diminish significantly. While most reservoirs are protected by some level of physical barrier such as fencing or walls, their sheer size and remoteness require other measures. Internet protocol-enabled video surveillance cameras can monitor overhead approaches and access via tunneling, given appropriate placement of stationary and pan-tilt-zoom cameras. Whether a facility chooses to store recorded images for later review, raise alarms in real time based on pattern recognition, or simply view selected feeds live, networked Internet-protocol (IP) cameras provide an inexpensive and effective means of physical monitoring.
DEFINING CYBER TERMS

Internet Group Management Protocol (IGMP) lets a receiver, such as an operator's viewing station, tell the network which multicast groups it wants to join. A source such as a video camera then sends a single stream to a multicast group address, and the network replicates it only toward the receivers that have joined, which reduces bandwidth demand and cost compared with sending a separate copy to every viewer. However, IGMP as defined operates between hosts and routers (OSI Layer 3), which are typically installed in central offices and are less likely to be hardened for industrial environments, so it can add complexity and expense. IGMP-L2, a newer technology, lets simple hardened Ethernet switches (OSI Layer 2) listen to the IGMP membership traffic passing through them and provide much the same capability, forwarding each group's stream only to the ports with active members.

Power over Ethernet (PoE), IEEE 802.3af, transmits power and data across the same cable. Shared use of cabling simplifies installation and reduces its cost, and in some applications it is the only viable way to extend high-availability DC power to distant devices in industrial operations. Today the maximum power available to a standard PoE-powered device is about 13 watts. Most modern industrial sensors and security devices require 5 to 10 watts.

Redundancy is a critical component of any security system: network redundancy offers fast recovery when one or more network faults occur. Ethernet networks have a number of capabilities to enhance redundancy and resiliency, from industry-standard Rapid Spanning Tree Protocol (which blocks redundant links in a ring or mesh topology to prevent loops and reroutes traffic over them when a link or switch fails), to Dual-Homing, Link Loss Learn, and S-Ring, to proprietary vendor techniques that optimize fault recovery on specific topology types, such as rings. Redundancy needs to be planned to suit the variables of each industrial network, weighing each of the redundancy options for the best cost-benefit.
Ethernet networking is at the core of IP-enabled physical surveillance. With ample bandwidth and commodity pricing, it is the most affordable transport available for modern physical security devices. High-bandwidth Ethernet switches can carry multiple streaming video devices on a single copper or fiber cable, and techniques such as Internet Group Management Protocol (IGMP and IGMP-L2) optimize bandwidth use by directing video only to the sites that are actively viewing it. Access control to physical facilities through other IP-enabled devices, such as identity card readers, keypad entry systems, and fingerprint or iris readers, provides protection against unauthorized entry.
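The bandwidth effect described here and in the sidebar's IGMP entry can be seen in a small model. The following is an added example, not code from the original article or from any switch vendor: a toy Layer 2 switch that records which ports sent IGMP membership reports for which group (the switch-level filtering the sidebar calls IGMP-L2, commonly known as IGMP snooping) and forwards each camera's stream only to those ports plus the port toward the router. Port names, multicast group addresses and the per-camera bit rate are constructed for the illustration.

```python
"""Multicast video on a Layer 2 switch, with and without IGMP snooping.

Added example, not from the original article or any vendor's firmware.
A minimal model of a hardened Ethernet switch that watches IGMP
Membership Reports and Leave messages on each port and forwards a
camera's multicast stream only to the ports that asked for it, plus
the port toward the router. Port names, group addresses and the
per-camera bit rate are constructed for the illustration.
"""
from collections import defaultdict

ROUTER_PORT = "uplink"  # toward the Layer 3 router; always receives multicast


class IgmpSnoopingSwitch:
    def __init__(self, ports):
        self.ports = set(ports) | {ROUTER_PORT}
        self.members = defaultdict(set)  # group address -> ports with a member

    def report(self, port, group):
        """IGMP Membership Report (join) seen on `port`."""
        self.members[group].add(port)

    def leave(self, port, group):
        """IGMP Leave Group seen on `port`. A real switch would first send a
        group-specific query and wait for any remaining member to answer;
        here no other host shares the port, so it is pruned at once."""
        self.members[group].discard(port)
        if not self.members[group]:
            del self.members[group]

    def egress_ports(self, ingress, group, snooping=True):
        """Ports that receive a multicast frame for `group` arriving on `ingress`."""
        if snooping:
            out = set(self.members.get(group, ())) | {ROUTER_PORT}
        else:
            out = set(self.ports)  # without snooping, unknown multicast floods every port
        out.discard(ingress)
        return sorted(out)


def port_load_kbps(switch, streams, snooping):
    """Egress load per port for streams given as (camera_port, group, kbps)."""
    load = {p: 0 for p in switch.ports}
    for cam_port, group, kbps in streams:
        for p in switch.egress_ports(cam_port, group, snooping):
            load[p] += kbps
    return load


def demo():
    """Three 2 Mbit/s cameras, two viewing stations, one idle port (constructed)."""
    sw = IgmpSnoopingSwitch(["cam1", "cam2", "cam3", "hmi", "guard", "spare"])
    streams = [("cam1", "239.1.1.1", 2000),
               ("cam2", "239.1.1.2", 2000),
               ("cam3", "239.1.1.3", 2000)]
    sw.report("hmi", "239.1.1.1")    # control room watches cameras 1 and 2
    sw.report("hmi", "239.1.1.2")
    sw.report("guard", "239.1.1.3")  # gatehouse watches camera 3
    flooded = port_load_kbps(sw, streams, snooping=False)
    snooped = port_load_kbps(sw, streams, snooping=True)
    sw.leave("guard", "239.1.1.3")   # gatehouse closes its viewer
    after_leave = port_load_kbps(sw, streams, snooping=True)
    return flooded, snooped, after_leave


if __name__ == "__main__":
    for label, load in zip(("flooded", "snooped", "after leave"), demo()):
        print(label, load)
```

Without snooping every port, including the idle one and the cameras themselves, carries all three streams; with snooping only the joined ports and the router port do, and a Leave prunes the gatehouse port immediately. The model omits the group-specific query and timer a real switch runs before pruning, which is what keeps a second viewer on the same port from losing its picture.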
Ethernet technology that supplies power over the same cable as the data traffic makes physical security even more feasible. Until recently, deployment of security equipment was hindered by the limited availability of reliable AC power at the device locations. Where laying electrical wiring was too difficult or too expensive to justify, security could wind up playing second fiddle to other priorities. Power over Ethernet (PoE) makes it cost-effective to power many local security devices, such as video cameras and wireless access points for laptop PCs, at remote sites.
Many automated water treatment facilities have supervisory control and data acquisition (SCADA) systems in place for 24/7 monitoring and control of plant operations, including wastewater collection systems, water distribution systems, pump stations, weather monitoring, and programmable logic controllers (PLCs). With this equipment in place, the central operations site of an Ethernet-based SCADA network already has high-resolution screens for viewing diagnostics, trends, alarms, and status displays, as well as access to dynamic system control points, historical data, and event logging. PoE and standard media connections to IP-enabled cameras add internal and external surveillance to the same network. Ring architectures provide redundancy, protecting against single-fault loss of connectivity among network devices, whether from attack or simple physical failure.
Cyber security
As water facilities automate, they become subject to cyber attacks that can disrupt operations, alter vital monitoring and control data, and disable physical security functions. Any deployment of IP-based industrial networks requires awareness of cyber risks as well as physical security risks. Ethernet and IP networks have carried commercially sensitive traffic, such as bank ATM transactions and wire transfers, for years, and today's industrial network deployments can follow the example set by financial and commercial institutions in protecting data and combating cyber attacks. The overarching reasons for cyber security investment are the real and perceived threats from current and former employees and contractors, insiders who know the systems, and from the direct and indirect activities of cyber terrorists or hackers.
Firewalls are the first line of protection from cyber attacks. The first step in cyber security is establishing an electronic security perimeter (ESP), a defined boundary around the control system network. Every network connection across that boundary must pass through, at a minimum, a firewall that permits only authorized connections and traffic to enter the secured zone and denies everything not explicitly permitted. Remote access requests are authenticated and authorized, and the sessions are encrypted. In addition, all physical ports and all logical ports and services (TCP and UDP listeners, for example) on devices and applications within the perimeter must be identified and secured, and all unused ports and services must be disabled.
Secure access control enables on-demand interactive access to devices within the ESP from remote locations, but only for rigorously authenticated and authorized users and applications. A centralized access management system (AMS) can provide proxied access that routes user requests through an intermediary point that checks and double-checks the specific authorizations before connecting the user to the remote device. The AMS also enhances security by logging all activity, including every keystroke or transaction executed by the user.
Especially where IP networking protocols are used, end-to-end accountability means being able to verify that every hop of a communication path is protected, with no weak links, and to monitor it continuously. Facilities also must log and alert on security events, support real-time analysis, and retain the records for periodic security audits that correlate events across devices and find inconsistencies and exceptions, such as a connection the firewall permitted that no rule should have allowed.
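The perimeter rules above and the audit that follows them can be exercised on paper. The following is an added example, not code from the original article or from any vendor's product: it applies a small allowlist of authorized cross-perimeter flows to constructed firewall log lines, reports permitted traffic that is not on the allowlist, allowlisted traffic that was blocked, and outside sources probing several ports, and then compares each device's documented ports and services with an observed listening-port inventory so that undocumented or stale entries stand out. The address space, allowlist, host names, ports and log format are all assumptions made for the illustration.

```python
"""Auditing traffic and ports at an electronic security perimeter (ESP).

Added example, not code from the original article or from any vendor.
It applies a small allowlist of permitted cross-perimeter flows to
constructed firewall log lines, flags permitted traffic that is not on
the allowlist, allowlisted traffic that was blocked, and sources probing
many ports, and compares each device's documented ports and services with
an observed listening-port inventory. Addresses, ports, host names and the
log format are assumptions made for the illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed address space of the control network inside the perimeter.
ESP = ipaddress.ip_network("10.20.0.0/16")

# Authorized flows across the perimeter: (source net, destination net, proto, dport).
ALLOWED = [
    (ipaddress.ip_network("10.10.5.0/24"), ipaddress.ip_network("10.20.1.0/24"), "tcp", 502),  # HMIs to PLCs, Modbus/TCP
    (ipaddress.ip_network("10.10.5.10/32"), ipaddress.ip_network("10.20.0.5/32"), "tcp", 22),  # access-management proxy to PLC console
]

LOG_RE = re.compile(r"action=(\w+) src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")
SCAN_THRESHOLD = 3  # distinct denied ports from one source before it is reported


def crosses_perimeter(src, dst):
    """True when exactly one end of the flow is inside the ESP."""
    return (src in ESP) != (dst in ESP)


def is_allowed(src, dst, proto, dport):
    return any(src in sn and dst in dn and proto == p and dport == d
               for sn, dn, p, d in ALLOWED)


def audit_log(lines):
    """Return (subject, reason) findings for cross-perimeter events."""
    findings = []
    denied_ports = defaultdict(set)  # source address -> set of (proto, dport) denied
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            findings.append((line, "unparseable event: logging pipeline needs attention"))
            continue
        action, src, dst, proto, dport = m.groups()
        src, dst, dport = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
        if not crosses_perimeter(src, dst):
            continue  # traffic that never crossed the ESP is out of scope here
        allowed = is_allowed(src, dst, proto, dport)
        if action == "allow" and not allowed:
            findings.append((line, "permitted flow not on allowlist: rule set has drifted"))
        elif action == "deny" and allowed:
            findings.append((line, "allowlisted flow was blocked: check rule ordering"))
        elif action == "deny":
            denied_ports[src].add((proto, dport))
    for src, ports in denied_ports.items():
        if len(ports) >= SCAN_THRESHOLD:
            findings.append((str(src), f"probed {len(ports)} closed ports across the perimeter"))
    return findings


def audit_ports(documented, observed):
    """Compare documented {host: {(proto, port)}} with what is actually listening."""
    findings = []
    for host in sorted(set(documented) | set(observed)):
        doc, obs = documented.get(host, set()), observed.get(host, set())
        for proto, port in sorted(obs - doc):
            findings.append((host, f"{proto}/{port} listening but undocumented: disable or document"))
        for proto, port in sorted(doc - obs):
            findings.append((host, f"{proto}/{port} documented but not listening: inventory is stale"))
    return findings


# Constructed sample data, not real logs or inventories.
SAMPLE_LOG = [
    "2007-09-12T02:14:01 fw1 action=allow src=10.10.5.20 dst=10.20.1.7 proto=tcp dport=502",
    "2007-09-12T02:14:03 fw1 action=allow src=10.10.5.20 dst=10.20.1.7 proto=tcp dport=80",
    "2007-09-12T02:14:05 fw1 action=deny src=10.10.5.10 dst=10.20.0.5 proto=tcp dport=22",
    "2007-09-12T02:14:09 fw1 action=allow src=10.20.1.7 dst=10.20.1.8 proto=tcp dport=502",
    "2007-09-12T02:15:00 fw1 action=deny src=192.0.2.44 dst=10.20.1.7 proto=tcp dport=23",
    "2007-09-12T02:15:01 fw1 action=deny src=192.0.2.44 dst=10.20.1.7 proto=tcp dport=102",
    "2007-09-12T02:15:02 fw1 action=deny src=192.0.2.44 dst=10.20.1.7 proto=tcp dport=502",
]
DOCUMENTED = {"plc-01": {("tcp", 502)}, "hmi-01": {("tcp", 502), ("tcp", 3389)}}
OBSERVED = {"plc-01": {("tcp", 502), ("tcp", 80)}, "hmi-01": {("tcp", 3389)}}

if __name__ == "__main__":
    for subject, reason in audit_log(SAMPLE_LOG) + audit_ports(DOCUMENTED, OBSERVED):
        print(f"{reason}\n    {subject}")
```

On the sample data the log audit reports three exceptions: an HTTP connection into a PLC that the firewall allowed although no rule authorizes it, an authorized SSH session from the access-management proxy that was blocked, and an outside host that was refused on three different ports. The port audit reports an undocumented web listener on the PLC and a documented Modbus listener on the HMI that is no longer present. Both checks are deliberately driven from the same allowlist and inventory the perimeter design is supposed to be built from, so any finding is either a configuration that drifted or documentation that did.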
Looking ahead
Securing water facilities will require constant vigilance; it is not a one-time job. The good news is that there are technologies available to keep water supplies and other vital infrastructure secure. Industrial networks using IP protocols are the ideal basis from which to build or expand a secure system because of their bandwidth and ubiquity. With bandwidth growing and with an installed base of millions of interoperable products across a wide range of commercial and industrial applications, these technologies will provide the best solutions as the security industry continues to evolve.
A version of this article first appeared in the September 2007 issue of Security Products.
This article originally appeared in the 12/01/2007 issue of Environmental Protection.
About the Author
Frank Madren, president of GarrettCom Inc. for more than 10 years, is an innovator in networking solutions for the industrial sector. He has more than 30 years’ experience in the computing and networking industries.