Network Power

Internet-protocol systems can offer another layer of protection

Since 2001, communities have increased their investment in water security efforts. The U.S. Environmental Protection Agency gave $51 million in grants in fiscal 2002 for vulnerability assessments and has since provided more than $150 million for tools, training, and technical assistance to the water sector, states, and other groups, according to Jennifer B. Nuzzo, a senior analyst for the Center for Biosecurity at the University of Pittsburgh Medical Center.

Those funds have been spent on physical barriers and monitoring equipment in an attempt to answer the needs of physical and cyber security. In these areas, the plant communications network can be a powerful ally in security strategies.

Physical security
Water utilities are adopting high-speed industrial, Internet protocol-based networks to manage, monitor, and collect data about plant operations. As hardened network switches and routers are deployed, their bandwidth carries multiple data streams that, in turn, serve a range of applications, including physical security.

The physical security of water facilities, from reservoirs to pipelines to treatment plants, is a critical bulwark against attack. If terrorists cannot gain access to the infrastructure, the chances of a stealth attack diminish significantly. While most reservoirs are protected by some level of physical barrier such as fencing or walls, their sheer size and remoteness require other measures. Internet protocol-enabled video surveillance cameras, with appropriate placement of stationary and pan-tilt-zoom equipment, can monitor overhead approaches and access via tunnels. Whether a facility chooses to store recorded images for later review, raise alarms in real time based on pattern recognition, or simply use selective real-time viewing, networked Internet-protocol (IP) cameras provide an inexpensive and effective means of physical monitoring.

DEFINING CYBER TERMS

Internet Group Management Protocol (IGMP) lets receivers, such as viewing stations, tell the network which multicast group they want to join, so that a source such as a video camera sends a single copy of its stream and the network replicates it only toward the destinations that have joined, reducing bandwidth demand and cost. However, IGMP can add complexity and expense because, in its conventional form, the multicast forwarding decisions are made by routers (OSI Layer 3), which are typically installed in central offices and are less likely to be hardened for industrial environments. IGMP-L2, a newer technique, lets simple hardened Ethernet switches (OSI Layer 2) provide much the same capability by observing the IGMP join and leave messages that pass through them and forwarding a group's traffic only on the ports where a receiver has joined.

Power over Ethernet (PoE) IEEE 802.3af PoE carries power and data across the same wire. Shared use of cabling simplifies installation and reduces its cost, and in some applications it is the only viable way to extend high-availability DC power to distant devices in industrial operations. Today, the maximum power available to a standard PoE-connected device is about 13 watts (12.95 W under IEEE 802.3af). Most modern industrial sensors and security devices require 5 to 10 watts, so the per-port figure is rarely the limit; the total power budget of the switch across all of its powered ports is the number to check when planning.

Redundancy A critical component of any security system, network redundancy offers fast recovery when one or more network faults occur. Ethernet networks have a number of capabilities to enhance redundancy and resiliency, from industry-standard Rapid Spanning Tree Protocol (which keeps a ring or mesh topology loop-free by blocking redundant links and reactivates one of them when an active link fails), to Dual-Homing, Link Loss Learn, and S-Ring, to proprietary vendor techniques that optimize fault recovery on specific topology types, such as rings. Redundancy needs to be planned to suit the variables of each industrial network, weighing each of the redundancy options for the best cost-benefit.

Ethernet networking is at the core of IP-enabled physical surveillance. With bandwidth far beyond what individual video streams consume, it is the most affordable transport available for modern physical security devices. High-bandwidth Ethernet switches can carry multiple streaming video devices on a single wire or fiber cable, and techniques such as Internet Group Management Protocol (IGMP and IGMP-L2) optimize bandwidth use by directing video only to the sites that are actively viewing it. Access control to physical facilities through other IP-enabled devices, such as identity card readers, keypad entry systems, and fingerprint or iris readers, provides protection against unauthorized entry.
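The join-and-prune behaviour described in the glossary entry on IGMP and in the paragraph above, modelled in Python as an added example (this is illustration code, not code from the article or from any switch vendor). A camera on one port sources a multicast stream, viewing stations on other ports send IGMP membership reports and leave messages, and the switch forwards each frame only to the ports that have joined the group (plus any port on which an IGMP querier has been seen), instead of flooding it out of every port as a switch without this feature would. The port numbers, group address and message sequence are constructed for the example.

```python
"""Layer 2 IGMP handling (IGMP snooping) on a small hardened switch, modelled.
Added illustration; the ports, group address and events are constructed."""

import ipaddress
from dataclasses import dataclass, field

# IGMPv2 message type codes (RFC 2236).
MEMBERSHIP_QUERY = 0x11
MEMBERSHIP_REPORT = 0x16
LEAVE_GROUP = 0x17


@dataclass
class SnoopingSwitch:
    ports: int
    # group address -> ports with at least one receiver that has joined
    members: dict = field(default_factory=dict)
    # ports on which an IGMP querier (multicast router) has been seen
    router_ports: set = field(default_factory=set)
    # counters to compare snooping with plain flooding
    frames_sent: int = 0
    frames_if_flooded: int = 0

    def igmp(self, port, msg_type, group):
        """Update the membership table from an IGMP message seen on `port`."""
        if not 0 < port <= self.ports:
            raise ValueError(f"no such port {port}")
        if not ipaddress.ip_address(group).is_multicast:
            raise ValueError(f"{group} is not a multicast group address")
        if msg_type == MEMBERSHIP_REPORT:
            self.members.setdefault(group, set()).add(port)
        elif msg_type == LEAVE_GROUP:
            # A real switch normally sends a group-specific query before
            # pruning; this model prunes at once ("fast leave" behaviour).
            self.members.get(group, set()).discard(port)
        elif msg_type == MEMBERSHIP_QUERY:
            self.router_ports.add(port)
        else:
            raise ValueError(f"unsupported IGMP type {msg_type:#x}")

    def forward(self, in_port, group):
        """Return the ports a multicast frame for `group` arriving on
        `in_port` is sent to, and update the counters."""
        out = (self.members.get(group, set()) | self.router_ports) - {in_port}
        self.frames_sent += len(out)
        self.frames_if_flooded += self.ports - 1  # what flooding would cost
        return out


def demo():
    """Walk one camera stream through join and leave events; returns the switch."""
    sw = SnoopingSwitch(ports=8)
    camera, group = 1, "239.1.1.10"
    sw.forward(camera, group)                 # no viewers yet: frame is dropped
    sw.igmp(3, MEMBERSHIP_REPORT, group)      # control room joins
    sw.igmp(5, MEMBERSHIP_REPORT, group)      # guard station joins
    sw.forward(camera, group)                 # sent to ports 3 and 5 only
    sw.igmp(5, LEAVE_GROUP, group)            # guard station stops viewing
    sw.forward(camera, group)                 # sent to port 3 only
    return sw


if __name__ == "__main__":
    s = demo()
    print(f"frames sent with snooping: {s.frames_sent}, "
          f"frames a flooding switch would have sent: {s.frames_if_flooded}")
```

The counters make the bandwidth argument concrete: three frames of the stream cost three port transmissions with membership tracking and twenty-one on an eight-port switch that floods. The same membership table is also what an operator should inspect when a stream is visible on a port that never joined it.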

Ethernet technology that supplies power over the same cable as the data traffic makes physical security even more feasible. Until recently, security equipment deployment was hindered by the limited availability of reliable AC power at the points where devices were needed. In areas where laying electrical wiring was too difficult or too expensive to justify the cost, security could wind up playing second fiddle to other priorities. Power over Ethernet (PoE) makes it possible to cost-effectively power many local security devices, such as video cameras and wireless access points, at remote sites.

Many automated water treatment facilities have supervisory control and data acquisition (SCADA) systems in place for 24/7 monitoring and control of plant operations, spanning wastewater collection, water distribution, pump stations, and weather monitoring, with programmable logic controllers (PLCs) doing the work at the field level. With sophisticated equipment in place, the central operations site of an Ethernet-based SCADA network already has high-resolution screens with which to view diagnostics, trends, alarms, and status displays, as well as to access dynamic system control points, historical data, and event logging. PoE and standard media connections to IP-enabled cameras provide internal and external surveillance. Ring architectures provide redundancy, protecting against single-fault loss of connectivity among network devices, whether from attack or simply physical failure.

Cyber security
As water facilities automate, they become subject to cyber attacks that can disrupt operations, alter vital monitoring and control data, and disable physical security functions. Any deployment of IP-based industrial networks requires awareness of cyber risks as well as physical security risks. Ethernet and the Internet have carried commercially sensitive operations, such as bank ATM traffic and wire transfers, for decades. Today's industrial network deployments follow the example set by financial and commercial institutions in protecting data and combating cyber attacks, with one difference worth noting: many of the control protocols carried over these networks have no authentication or encryption of their own, so the protections described below have to be built around them rather than expected from them.

The overarching reasons for cyber security investment are the real and perceived threats from current and former employees and contractors and from direct and indirect activities of cyber terrorists or hackers.

Firewalls are the first line of protection from cyber attacks. The first step in cyber security is defining an electronic security perimeter (ESP) around the control network. Every network connection that crosses this perimeter must pass through, at a minimum, a firewall configured to deny by default and to permit only explicitly authorized connections and traffic into the secured zone. Access requests that cross the perimeter must be authenticated and authorized, and carried over encrypted connections. In addition, all physical ports (switch and serial ports) and all logical ports (listening TCP and UDP services) on the devices and applications within the perimeter must be inventoried and secured, and every port that is not needed must be disabled.
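The two checks in the paragraph above, written out in Python as an added example (illustration code, not from the article or from any firewall product). The first half models a default-deny policy at the perimeter: an allowlist of the only flows permitted into the secured zone, with everything unmatched denied. The second half is the port inventory step, parsing a listing of listening sockets on a host inside the perimeter and reporting every port the policy does not account for. The zone addresses, the services, the host names and the `ss`-style listing are constructed assumptions, not real plant data.

```python
"""Default-deny perimeter policy and an open-port audit for an ESP host.
Added illustration; zones, services and the sample listing are constructed."""

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: int
    reason: str


def net(cidr):
    return ipaddress.ip_network(cidr)


# Assumed zones. Everything except OPS_LAN sits inside the ESP.
OPS_LAN = net("10.20.0.0/24")       # operator workstations, outside the ESP
AMS_PROXY = net("10.99.0.5/32")     # access management proxy, inside
HISTORIAN = net("10.99.0.6/32")     # read-only historian web view, inside
PLC_SUBNET = net("10.100.0.0/24")   # PLCs and RTUs, inside

# The complete set of flows allowed to cross into the ESP. There are no deny
# rules to order against, because deny is the default for everything else.
ALLOW = (
    Rule(OPS_LAN, AMS_PROXY, "tcp", 22, "SSH to the proxy: the only interactive path in"),
    Rule(OPS_LAN, HISTORIAN, "tcp", 443, "historian dashboards over TLS"),
    Rule(AMS_PROXY, PLC_SUBNET, "tcp", 502, "Modbus/TCP from the proxy only"),
)


def evaluate(src, dst, proto, dport):
    """Decide one connection attempt into the ESP; returns (allowed, reason)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in ALLOW:
        if s in r.src and d in r.dst and proto == r.proto and dport == r.dport:
            return True, r.reason
    return False, "default deny: no rule matches"


# Listeners the proxy host is supposed to expose. Anything else is a finding.
EXPECTED_LISTENERS = {("tcp", 22)}

# Constructed sample in the shape of `ss -lntu` output; not from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
"""


def audit_listeners(ss_output, expected):
    """Parse an `ss -lntu` style listing and return the (proto, port) pairs
    that are open but not expected, sorted so that reports are stable."""
    found = set()
    for line in ss_output.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        found.add((proto, int(local.rsplit(":", 1)[1])))
    return sorted(found - expected)


if __name__ == "__main__":
    for attempt in [("10.20.0.15", "10.99.0.5", "tcp", 22),
                    ("10.20.0.15", "10.100.0.7", "tcp", 502)]:
        print(attempt, evaluate(*attempt))
    print("unexpected listeners:", audit_listeners(SAMPLE_SS_OUTPUT, EXPECTED_LISTENERS))
```

Note what the policy does not allow: an operator workstation reaching a PLC's Modbus port directly. That path exists only from the proxy, which is what makes the proxied access and logging in the next section enforceable. The audit, run on a schedule, turns "disable unused ports" from a one-time task into a check that catches a telnet or web service that someone re-enabled later.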

Secure access control enables on-demand interactive access to devices within the ESP from remote locations, but only for rigorously authenticated and authorized users and applications. A centralized access management system (AMS) can provide proxied access: user requests are routed to an intermediary, which verifies the user's identity and then the specific authorization for the target device and operation before making the connection on the user's behalf, so the user never connects directly to the device. The AMS also enhances security by logging all activity, including every keystroke or transaction executed by the user, which gives investigators an exact record of who did what and when.

Especially where IP networking protocols are used, end-to-end accountability means being able to monitor every link in a communication path and confirm that each is secured, leaving no weak link. Facilities also must log and alert on events and support both real-time analysis and periodic security audits that correlate events from different sources and flag inconsistencies and exceptions, such as a change on a device that no authorized session accounts for.
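The proxied access of the previous paragraph and the correlating audit of this one, modelled together in Python as an added example (illustration code, not from the article or any AMS product). Every operator action on a device inside the ESP goes through `AccessBroker`, which authenticates the user, checks that the user is authorized for that device and command, would issue the command on the user's behalf, and records the outcome either way. `audit()` then takes the device's own change record and reports any change that no permitted broker session explains, which is what a bypass of the proxy looks like in the logs. The users, passwords, devices, commands, timestamps and log format are all constructed for the example.

```python
"""AMS access broker with per-device authorization and full action logging,
plus an audit that correlates device changes with the broker log.
Added illustration; credentials, devices and records are constructed."""

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed credential store. The salt and passwords exist only for this
# example; a real AMS would use a per-user salt and a central directory.
_SALT = b"example-salt-not-for-production"


def _hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


CREDENTIALS = {
    "alice": _hash_password("correct horse"),
    "bob": _hash_password("battery staple"),
}

# (user, device) -> commands that user may run on that device (assumed).
AUTHZ = {
    ("alice", "plc-pump-01"): {"read_status", "set_setpoint"},
    ("bob", "plc-pump-01"): {"read_status"},
}


@dataclass
class LogEntry:
    time: int        # epoch seconds
    user: str
    device: str
    command: str
    arg: object
    outcome: str     # "ok" or "denied"


class AccessBroker:
    """Intermediary through which all interactive access to ESP devices flows."""

    def __init__(self):
        self.log = []
        self._sessions = {}  # session token -> user

    def authenticate(self, user, password, time):
        """Return a session token, or None; failed logins are logged too."""
        stored = CREDENTIALS.get(user)
        if stored is None or not hmac.compare_digest(stored, _hash_password(password)):
            self.log.append(LogEntry(time, user, "-", "login", None, "denied"))
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = user
        return token

    def execute(self, token, time, device, command, arg=None):
        """Run `command` on `device` for the session owner; returns the outcome."""
        user = self._sessions.get(token, "unknown")
        allowed = user != "unknown" and command in AUTHZ.get((user, device), set())
        outcome = "ok" if allowed else "denied"
        # Every attempt is logged, permitted or not, before anything is sent.
        self.log.append(LogEntry(time, user, device, command, arg, outcome))
        # For a permitted command the broker would now issue it to the device
        # over the single path the firewall allows; that step is omitted here.
        return outcome


def audit(device_changes, broker_log, window=60):
    """Correlate a device's own change record, given as (time, device,
    command, arg) tuples, with the broker log. Return the changes that no
    permitted broker entry for the same device, command and argument within
    `window` seconds explains; these are the exceptions an auditor chases."""
    unexplained = []
    for t, device, command, arg in device_changes:
        explained = any(
            e.outcome == "ok" and e.device == device and e.command == command
            and e.arg == arg and abs(e.time - t) <= window
            for e in broker_log
        )
        if not explained:
            unexplained.append((t, device, command, arg))
    return unexplained


def demo():
    """Two operator sessions plus a constructed PLC change record; returns
    the broker and the audit findings."""
    broker = AccessBroker()
    alice = broker.authenticate("alice", "correct horse", 1000)
    broker.execute(alice, 1001, "plc-pump-01", "set_setpoint", 42)   # permitted
    bob = broker.authenticate("bob", "battery staple", 1090)
    broker.execute(bob, 1100, "plc-pump-01", "set_setpoint", 99)     # denied, still logged
    changes = [
        (1003, "plc-pump-01", "set_setpoint", 42),   # matches alice's session
        (1700, "plc-pump-01", "set_setpoint", 13),   # no session: the proxy was bypassed
    ]
    return broker, audit(changes, broker.log)


if __name__ == "__main__":
    _, findings = demo()
    for f in findings:
        print("unexplained change:", f)
```

Two design points carry over to a real deployment. Denied attempts are logged with the same detail as permitted ones, because a string of denials from one account is itself an event worth alerting on. And the audit needs a change record that the device produces independently of the broker; if the only record of a change is the broker's own log, a connection that bypasses the broker leaves no trace to correlate against.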

Looking ahead
Securing water facilities will require constant vigilance; it is not a one-time job. The good news is that the technologies needed to keep water supplies and other vital infrastructure secure are available. Industrial networks using IP protocols are the ideal basis from which to build or expand a secure system because of their bandwidth and their ubiquity. With bandwidth growing and with an installed base of millions of interoperable products across a wide range of commercial and industrial applications, these technologies will provide the best solutions as the security industry continues to evolve.

A version of this article first appeared in the September 2007 issue of Security Products.

This article originally appeared in the 12/01/2007 issue of Environmental Protection.

About the Author

Frank Madren, president of GarrettCom Inc. for more than 10 years, is an innovator in networking solutions for the industrial sector. He has more than 30 years’ experience in the computing and networking industries.
