CISA- Special Topics

Jul 14, 2016

zamanbd

Special topic for CISA exam
Page 1: CISA- Special Topics

Remote Terminal Unit

A Remote Terminal Unit is also known as an RTU. A Remote Terminal Unit is an electronic device that is controlled by a microprocessor. The device interfaces physical objects to a Distributed Control System (DCS) or Supervisory Control and Data Acquisition (SCADA) system by transmitting telemetry data to the system.

An RTU also collects information from the master device and implements processes that are directed by the master. RTUs are equipped with input channels for sensing or metering, output channels for control, indication or alarms, and a communications port.

SCADA

SCADA is an acronym for Supervisory Control and Data Acquisition. SCADA generally refers to an industrial computer system that monitors and controls a process. In the case of the transmission and distribution elements of electrical utilities, SCADA will monitor substations, transformers and other electrical assets. SCADA systems are typically used to control geographically dispersed assets that are often scattered over thousands of square kilometres.

Architecture

An RTU monitors the field digital and analog parameters and transmits data to the Central Monitoring Station. It contains setup software to connect data input streams to data output streams, define communication protocols, and troubleshoot installation problems.

An RTU may consist of one complex circuit card containing the various sections needed to perform a custom-fitted function, or of many circuit cards, including a CPU or processing card with communications interface(s) and one or more of the following: (AI) analog input, (DI) digital input, (DO/CO) digital or control (relay) output, or (AO) analog output card(s).

Programmable Logic Controller (PLC)

A programmable logic controller (PLC) or programmable controller is a digital computer used for automation of industrial processes, such as control of machinery on factory assembly lines. Unlike general-purpose computers, the PLC is designed for multiple input and output arrangements, extended temperature ranges, immunity to electrical noise, and resistance to vibration and impact. Programs to control machine operation are typically stored in battery-backed or non-volatile memory. A PLC is an example of a real-time system, since output results must be produced in response to input conditions within a bounded time; otherwise unintended operation will result.

Hence, a programmable logic controller is a specialized computer used to control machines and processes. It therefore shares common terms with typical PCs, such as central processing unit, memory, software and communications. Unlike a personal computer, though, the PLC is designed to survive in a rugged industrial atmosphere and to be very flexible in how it interfaces with inputs and outputs in the real world.

The components that make a PLC work can be divided into three core areas.

The power supply and rack
The central processing unit (CPU)
The input/output (I/O) section

PLCs come in many shapes and sizes. They can be so small as to fit in your shirt pocket, while more involved control systems require large PLC racks. Smaller PLCs (a.k.a. “bricks”) are typically designed with fixed I/O points. For our consideration, we’ll look at the more modular rack-based systems. It’s called “modular” because the rack can accept many different types of I/O modules that simply slide into the rack and plug in.

Figure 1 Power supply and Rack

Figure 2 Backplane

The Rack

The rack is the component that holds everything together.  Depending on the needs of the control system it can be ordered in different sizes to hold more modules.  Like a human spine the rack has a backplane at the rear which allows the cards to communicate with the CPU.  The power supply plugs into the rack as well and supplies a regulated DC power to other modules that plug into the rack.  The most popular power supplies work with 120 VAC or 24 VDC sources.

The CPU

The brain of the whole PLC is the CPU module.  This module typically lives in the slot beside the power supply.  Manufacturers offer different types of CPUs based on the complexity needed for the system.

The CPU consists of a microprocessor, memory chip and other integrated circuits to control logic, monitoring and communications. The CPU has different operating modes. In programming mode it accepts the downloaded logic from a PC. The CPU is then placed in run mode so that it can execute the program and operate the process.

Since a PLC is a dedicated controller it will only process this one program over and over again. One cycle through the program is called a scan time and involves reading the inputs from the other modules, executing the logic based on these inputs and then updating the outputs accordingly. The scan time happens very quickly (in the range of 1/1000th of a second). The memory in the CPU stores the program while also holding the status of the I/O and providing a means to store values.

Figure 3 Components of a PLC

How Does A PLC Operate?

There are four basic steps in the operation of all PLCs; Input Scan, Program Scan, Output Scan, and Housekeeping. These steps continually take place in a repeating loop.

Four Steps In The PLC Operations

1.) Input Scan

Detects the state of all input devices that are connected to the PLC

2.) Program Scan

Executes the user created program logic

3.) Output Scan

Energizes or de-energizes all output devices that are connected to the PLC.

4.) Housekeeping

This step includes communications with programming terminals, internal diagnostics, etc.

These steps are continually processed in a loop.
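The four-step loop above, simulated in Python as an added example (this is not code from the original document). The tank-level program, the I/O point names LEVEL_LOW, LEVEL_HIGH, PUMP and ALARM, and the scan-time watchdog limit are constructed for illustration; what the simulation shows is why the input image is frozen before the program runs, how an output can stay latched from one scan to the next, and how housekeeping enforces the bounded scan time the text describes.

```python
"""Simulation of the four-step PLC scan cycle described above: input scan,
program scan, output scan and housekeeping, repeated in a loop.

Added example, not code from the original document.  The tank-level
control logic, the I/O point names (LEVEL_LOW, LEVEL_HIGH, PUMP, ALARM)
and the scan-time limit are constructed for illustration."""
import time


class SimplePLC:
    """Minimal PLC: a user program executed against a frozen process image."""

    def __init__(self, logic, watchdog_s=0.010):
        self.logic = logic              # user program: (inputs, prev_outputs) -> outputs
        self.input_image = {}           # snapshot taken during the input scan
        self.output_image = {}          # retained between scans (latches / seal-ins)
        self.watchdog_s = watchdog_s    # constructed bound; a real PLC faults when exceeded
        self.diagnostics = {"scans": 0, "max_scan_s": 0.0, "watchdog_trips": 0}

    def scan(self, field_inputs, field_outputs):
        start = time.perf_counter()
        # 1) Input scan: copy every input at once so the program sees a consistent image.
        self.input_image = dict(field_inputs)
        # 2) Program scan: run the user logic on the image, never on live inputs.
        self.output_image = self.logic(self.input_image, self.output_image)
        # 3) Output scan: energize / de-energize all outputs in one step.
        field_outputs.update(self.output_image)
        # 4) Housekeeping: diagnostics and the scan-time watchdog (comms would go here).
        elapsed = time.perf_counter() - start
        self.diagnostics["scans"] += 1
        self.diagnostics["max_scan_s"] = max(self.diagnostics["max_scan_s"], elapsed)
        if elapsed > self.watchdog_s:
            self.diagnostics["watchdog_trips"] += 1   # bounded-time requirement violated
        return dict(self.output_image)


def tank_logic(inputs, prev):
    """Constructed ladder-style program: seal in the pump on LEVEL_LOW, release it
    on LEVEL_HIGH, and raise ALARM if both float switches read active at once."""
    low = inputs.get("LEVEL_LOW", False)
    high = inputs.get("LEVEL_HIGH", False)
    fault = low and high                       # physically impossible: sensor/wiring fault
    pump = (low or prev.get("PUMP", False)) and not high and not fault
    return {"PUMP": bool(pump), "ALARM": bool(fault)}


# Constructed sequence of input images, one per scan.
SAMPLE_INPUTS = [
    {"LEVEL_LOW": True,  "LEVEL_HIGH": False},   # tank low -> pump starts
    {"LEVEL_LOW": False, "LEVEL_HIGH": False},   # between switches -> pump stays latched
    {"LEVEL_LOW": False, "LEVEL_HIGH": True},    # tank full -> pump stops
    {"LEVEL_LOW": False, "LEVEL_HIGH": False},   # draining -> pump stays off
    {"LEVEL_LOW": True,  "LEVEL_HIGH": True},    # impossible state -> alarm, pump off
]


def run_cycles(plc, input_sequence):
    """Drive the PLC through one scan per input image; return the outputs per scan."""
    field_outputs = {}
    return [plc.scan(inputs, field_outputs) for inputs in input_sequence]


if __name__ == "__main__":
    plc = SimplePLC(tank_logic)
    for n, out in enumerate(run_cycles(plc, SAMPLE_INPUTS), 1):
        print(f"scan {n}: PUMP={out['PUMP']} ALARM={out['ALARM']}")
    print(plc.diagnostics)
```

The second scan is the instructive one: neither float switch is active, yet the pump keeps running because the program reads its own previous output from the retained image, which is the memory role the text assigns to the CPU. The watchdog counter in housekeeping is where a real controller would drop into a fault state rather than keep operating the process late.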

MMI

An acronym for Man Machine Interface. An MMI is a software application that presents information to an operator or user about the state of a process, and accepts and implements the operator's control instructions. Typically information is displayed in a graphic format (Graphical User Interface or GUI). An HMI is often a part of a SCADA (Supervisory Control and Data Acquisition) system.

Human Machine Interface

Also known as an HMI. An HMI is a software application that presents information to an operator or user about the state of a process, and accepts and implements the operator's control instructions. Typically information is displayed in a graphic format (Graphical User Interface or GUI). An HMI is often a part of a SCADA (Supervisory Control and Data Acquisition) system.

(Human Machine Interface) The user interface in a manufacturing or process control system. It provides a graphics-based visualization of an industrial control and monitoring system. Previously called an "MMI" (man machine interface), an HMI typically resides in an office-based Windows computer that communicates with a specialized computer in the plant such as a programmable automation controller (PAC), programmable logic controller (PLC) or distributed control system (DCS).

What is a bastion host?

A bastion host is a computer that is fully exposed to attack. The system is on the public side of the demilitarized zone (DMZ), unprotected by a firewall or filtering router. Frequently the roles of these systems are critical to the network security system; indeed, the firewalls and routers themselves can be considered bastion hosts. Due to their exposure, a great deal of effort must be put into designing and configuring bastion hosts to minimize the chances of penetration. Other types of bastion hosts include web, mail, DNS, and FTP servers. Some network administrators will also use sacrificial lambs as bastion hosts; these systems are deliberately exposed to potential hackers to both delay and facilitate tracking of attempted break-ins.

Effective bastion hosts are configured very differently from typical hosts. Each bastion host fulfills a specific role; all unnecessary services, protocols, programs, and network ports are disabled or removed. Bastion hosts do not share authentication services with trusted hosts within the network, so that if a bastion is compromised the intruder will still not have 'the keys to the castle.' A bastion host is hardened to limit potential methods of attack. The specific steps to harden a particular bastion host depend upon the intended role of that host as well as the operating system and software that it will be running. Access Control Lists (ACLs) will be modified on the file system and other system objects; all unnecessary TCP and UDP ports will be disabled; all non-critical services and daemons will be removed; as many utilities and system configuration tools as is practical will also be removed. All appropriate service packs, hot fixes, and patches should be installed. Logging of all security-related events needs to be enabled, and steps need to be taken to ensure the integrity of the logs so that a successful intruder is unable to erase evidence of their visit. Any local user account and password databases should be encrypted if possible.
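One way to meet the log-integrity requirement in the paragraph above is a hash chain over the security log, shown here as an added example (not code from the original document). Each record is tagged with an HMAC over the previous record's tag and the record text, so an intruder who edits or deletes an earlier line breaks verification from that point on. The key, the log lines and the addresses are constructed; in a real deployment the key and the most recent tag live off the bastion, on the log collector, because anything stored on the exposed host can be altered together with the log.

```python
"""Tamper-evident security log for a bastion host.

Added illustration of the 'ensure the integrity of the logs' step above; not
code from the original document.  Each record is tagged with an HMAC over the
previous record's tag and the record text, so editing or deleting an earlier
line breaks every verification from that point on.  The key and the log lines
are constructed; in practice the key and the latest tag are kept off the
bastion (e.g. on the log collector), never on the exposed host itself."""
import hashlib
import hmac

KEY = b"constructed-demo-key-do-not-store-on-the-bastion"   # constructed
GENESIS_TAG = "0" * 64          # chain anchor before the first record


def tag_record(prev_tag, record, key=KEY):
    """HMAC-SHA256 over the previous tag and this record: one chain link."""
    msg = (prev_tag + "\n" + record).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append(chain, record, key=KEY):
    """Append (record, tag) to the chain in place and return the new tag."""
    prev_tag = chain[-1][1] if chain else GENESIS_TAG
    tag = tag_record(prev_tag, record, key)
    chain.append((record, tag))
    return tag


def verify(chain, key=KEY, expected_last_tag=None):
    """Return None if the chain is intact, else the index of the first bad record.

    expected_last_tag is the checkpoint the remote collector stored.  Without it a
    chain that was merely truncated at the tail still verifies, so supply it
    whenever it is available."""
    prev_tag = GENESIS_TAG
    for i, (record, tag) in enumerate(chain):
        if not hmac.compare_digest(tag, tag_record(prev_tag, record, key)):
            return i
        prev_tag = tag
    if expected_last_tag is not None and not hmac.compare_digest(prev_tag, expected_last_tag):
        return len(chain)    # tail records missing (or added) since the checkpoint
    return None


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LINES = [
    "2016-07-14T10:00:01Z sshd: Accepted publickey for admin from 192.0.2.10",
    "2016-07-14T10:00:07Z sudo: admin : COMMAND=/usr/sbin/service httpd restart",
    "2016-07-14T10:05:13Z sshd: Failed password for root from 198.51.100.7",
    "2016-07-14T10:05:20Z sshd: Connection closed by 198.51.100.7",
]


def build_sample_chain():
    chain = []
    for line in SAMPLE_LINES:
        append(chain, line)
    return chain


def with_record_deleted(chain, index):
    """Simulate an intruder removing one line from the log file."""
    return chain[:index] + chain[index + 1:]


def with_record_edited(chain, index, new_text):
    """Simulate an intruder rewriting one line but leaving the stored tags alone."""
    edited = list(chain)
    edited[index] = (new_text, chain[index][1])
    return edited


if __name__ == "__main__":
    chain = build_sample_chain()
    checkpoint = chain[-1][1]        # what the collector would have recorded
    print("intact:", verify(chain, expected_last_tag=checkpoint))
    print("line 3 deleted:", verify(with_record_deleted(chain, 2)))
    print("line 3 edited:", verify(with_record_edited(chain, 2, "2016-07-14T10:05:13Z sshd: nothing")))
    print("tail truncated, with checkpoint:", verify(chain[:-1], expected_last_tag=checkpoint))
```

The last case is the caveat worth remembering: a chain alone cannot tell that the newest records were cut off, because the remaining prefix is still internally consistent. Shipping each new tag to the collector as it is produced closes that gap and is the reason the text insists the logs be protected from the host they describe.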

The last step to securing a bastion host may be the most difficult: securing whatever network application the host is running. Very often the vendor of a web or streaming media server doesn't consider security risks while developing their product. It is usually up to the system administrator to determine through testing what ACLs they need to modify to lock down the network application as thoroughly as possible without disabling the very features that make it a useful tool. It is also necessary to closely track the latest announcements from the vendor regarding security problems, workarounds, and patches. The more popular network applications also tend to inspire the creation of independent mailing lists, newsgroups, and websites that can be tracked for additional insights.

Bastion Host

A system that has been hardened to resist attack, and which is installed on a network in such a way that it is expected to potentially come under attack. Bastion hosts are often components of firewalls, or may be "outside" Web servers or public access systems. Generally, a bastion host is running some form of general purpose operating system (e.g., Linux, VMS, Windows) rather than a ROM-based or firmware operating system like commercial routers do. Bastion hosts are also referred to as "gateway hosts."

Types of Firewall

There are several types of firewalls that work on different layers of the OSI model. Depending on the kind of service and security you need for your network, you need to choose the right type of firewall. The following is a list of some of the most useful types of firewalls that are widely used in the security industry.

Screened host firewalls
Screened subnet firewalls
Packet filter firewalls
Stateful inspection firewalls
Hybrid firewalls
Proxy server firewalls
Application level (gateway) firewalls

Screened host firewalls:

There are two types of screened host firewall: one is the single-homed bastion host and the other is the dual-homed bastion host. In the case of a single-homed bastion host, the firewall system consists of a packet filtering router and a bastion host. A bastion host is basically a single computer with a high-security configuration, which has the following characteristics:

Traffic from the Internet can only reach the bastion host; it cannot reach the internal network.

Only traffic carrying the IP address of the bastion host can go to the Internet. No other traffic from the internal network can go to the Internet.

This type of configuration can have a web server placed between the router and the bastion host in order to allow the public to access the server from the Internet. The main problem with the single-homed bastion host is that if the packet filtering router gets compromised, then the entire network will be compromised. To eliminate this drawback we can use the dual-homed bastion host firewall system, where the bastion host has two network cards: one is used for the internal connection and the second one for the connection to the router. In this case, even if the router is compromised, the internal network will remain unaffected since it is in a separate network zone.

Screened subnet firewalls

This is one of the most secure firewall configurations. In this configuration, two packet filtering routers are used and the bastion host is positioned between the two routers. In a typical case, both the Internet and the internal users have access to the screened subnet, but traffic flow between the two subnets (one being the network from the bastion host to the internal network, the other the sub-network between the two routers) is blocked.

Packet filtering firewalls

This type of firewall is the most common and the easiest to deploy in a small-scale network. A router functions as a firewall by examining every packet passing through the network. Based on an access control list, the router either forwards or drops each packet. Normally, the source and destination IP addresses, the port number and the type of traffic are taken into account when the router processes each data packet. Since a router cannot inspect a packet at the application layer, this type of firewall cannot defend against attacks that use application layer vulnerabilities. They also fail to defend against spoofing attacks. You can use this configuration if you need higher network speed and need only limited login and authentication capability.

Stateful inspection

A stateful inspection firewall works at the network layer in the OSI model. It monitors both the header and the contents of the traffic. The main difference between packet filtering and stateful inspection is that the latter not only analyzes the packet header but also inspects the state of the packet, along with providing proxy services. SI maintains a state table and a set of instructions to inspect each packet, and stores the information based on the type of traffic. It also monitors each TCP connection and remembers which ports are being used by that connection. Any port not required by the connection is closed.
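The difference between the two preceding sections, packet filtering and stateful inspection, in runnable form as an added example (not code from the original document). The policy, the 10.0.0.0/24 internal range and the sample packets are constructed: internal hosts may browse the web on TCP port 80 and nothing else. The stateless ACL has to admit return traffic with a blanket "source port 80 inbound" rule, which is exactly the opening the text refers to when it says packet filters cannot stop spoofed traffic; the stateful firewall admits a reply only if it saw the connection being opened from inside.

```python
"""Packet filtering versus stateful inspection, added as an illustration of the
two firewall types described above (not code from the original document).
Addresses, policy and packets are constructed for the example: internal hosts
in 10.0.0.0/24 may browse the web (TCP port 80); nothing else is permitted."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False


def is_internal(addr):
    return addr.startswith("10.0.0.")     # constructed internal prefix


# --- Packet filtering: every packet judged on its own against an ACL -------------
# Because the router keeps no memory of connections, return traffic can only be
# admitted by a blanket rule, which an outsider can satisfy by setting sport=80.
ACL = [
    ("allow", lambda p: is_internal(p.src) and p.proto == "tcp" and p.dport == 80),
    ("allow", lambda p: is_internal(p.dst) and p.proto == "tcp" and p.sport == 80),
    ("deny",  lambda p: True),                       # implicit deny-all at the end
]


def packet_filter(p, acl=ACL):
    """First matching rule wins, exactly as a router ACL is evaluated."""
    for action, match in acl:
        if match(p):
            return action
    return "deny"


# --- Stateful inspection: a state table remembers each permitted connection -------
class StatefulFirewall:
    def __init__(self):
        self.table = set()     # 5-tuples of connections the policy allowed

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    def inspect(self, p):
        forward = self._key(p)
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        if forward in self.table or reverse in self.table:
            return "allow"       # belongs to a connection we saw being opened
        # Only a policy-permitted connection *initiation* (SYN, no ACK) creates state.
        if p.proto == "tcp" and p.syn and not p.ack and is_internal(p.src) and p.dport == 80:
            self.table.add(forward)
            return "allow"
        return "deny"            # unsolicited, including forged "replies"


# Constructed traffic: a normal web fetch, then an unsolicited packet from the
# outside dressed up as a web reply so that it reaches an internal service port.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "203.0.113.9", 50123, 80, syn=True),             # client opens
    Packet("203.0.113.9", "10.0.0.5", 80, 50123, syn=True, ack=True),   # genuine reply
    Packet("10.0.0.5", "203.0.113.9", 50123, 80, ack=True),             # client data
    Packet("198.51.100.7", "10.0.0.22", 80, 445),                       # forged "reply"
    Packet("198.51.100.7", "10.0.0.22", 40000, 80, syn=True),           # inbound SYN
]


def compare(packets):
    """Return [(packet_filter_decision, stateful_decision), ...] per packet, in order."""
    sfw = StatefulFirewall()
    return [(packet_filter(p), sfw.inspect(p)) for p in packets]


if __name__ == "__main__":
    for p, (pf, sf) in zip(SAMPLE_PACKETS, compare(SAMPLE_PACKETS)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  filter={pf:5}  stateful={sf}")
```

Only the fourth packet separates the two designs: the ACL passes it because it looks like a web reply, while the state table has no matching connection and drops it. This is also what the text means by the stateful firewall "remembering which ports are being used": the client's ephemeral port 50123 is open only for the duration of the connection it belongs to.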

Hybrid firewalls

They function almost the same way as stateful inspection firewalls, which means they can work at both the network and the application level. Normally, in a hybrid system some hosts reside inside the firewall while the others reside outside of the firewall. To communicate with the machines outside the central network, IPsec tunnels are used. An example where this type of configuration is suitable is a major site connected with its branch sites via VPN. One distinct feature of this configuration is that the firewall administration at the major site distributes the security policy to its branch sites so that a uniform security policy is maintained throughout the organization.

Proxy server firewalls

A proxy allows a specific program or type of connection to run while enforcing authentication, filtering and logging. For each specific service there is a specific proxy. For example, if you want to allow only HTTP connections to the Internet for your internal network users, then you must allow only the HTTP proxy, nothing else. Users who need to go to the Internet create a virtual circuit with the proxy server and send the request to connect to a specific site. The proxy server changes the IP address of the request so that the Internet, or the outside world, can see only the IP address of the proxy server. Thus the proxy server hides the internal network behind it. When a proxy receives the data from the Internet it sends the data back to its intended internal user via the virtual circuit. The main advantage of using a proxy is that it is fully aware of the type of data it handles and can protect it. One disadvantage of a proxy is that if a protocol used on the Internet is updated, then the proxy software also needs to be updated to allow the specific service related to that protocol.

Application firewall

An application firewall is a form of firewall which controls input, output, and/or access from, to, or by an application or service. It operates by monitoring and potentially blocking the input, output, or system service calls which do not meet the configured policy of the firewall. The application firewall is typically built to control all network traffic on any OSI layer up to the application layer. It is able to control applications or services specifically, unlike a stateful network firewall which is - without additional software - unable to control network traffic regarding a specific application. There are two primary categories of application firewalls, network-based application firewalls and host-based application firewalls.

An application firewall is an enhanced firewall that limits access by applications to the operating system (OS) of a computer. Conventional firewalls merely control the flow of data to and from the central processing unit (CPU), examining each packet and determining whether or not to forward it toward a particular destination. An application firewall offers additional protection by controlling the execution of files or the handling of data by specific applications.

For best performance, a conventional firewall must be configured by the user. The user must know which ports unwanted data is likely to enter or leave through. An application firewall prevents the execution of programs or DLL (dynamic link library) files which have been tampered with. Thus, even though an intruder might get past a conventional firewall and gain entry to a computer, server, or network, destructive activity can be forestalled because the application firewall does not allow any suspected malicious code to execute.

Network-based application firewalls

A network-based application layer firewall is a computer networking firewall operating at the application layer of a protocol stack,[1] and is also known as a proxy-based or reverse-proxy firewall. Application firewalls specific to a particular kind of network traffic may be titled with the service name, such as a web application firewall. They may be implemented through software running on a host or a stand-alone piece of network hardware. Often, it is a host using various forms of proxy servers to proxy traffic before passing it on to the client or server. Because it acts on the application layer, it may inspect the contents of traffic, blocking specified content, such as certain websites, viruses, or attempts to exploit known logical flaws in client software.

Virtualization

Virtualization, in computing, refers to the act of creating a virtual (rather than actual) version of something, including but not limited to a virtual computer hardware platform, operating system (OS), storage device, or computer network resources.

Operating system virtualization is the use of software to allow a piece of hardware to run multiple operating system images at the same time. The technology got its start on mainframes decades ago, allowing administrators to avoid wasting expensive processing power.

Network virtualization is a method of combining the available resources in a network by splitting up the available bandwidth into channels, each of which is independent from the others, and each of which can be assigned (or reassigned) to a particular server or device in real time. The idea is that virtualization disguises the true complexity of the network by separating it into manageable parts, much like your partitioned hard drive makes it easier to manage your files.

Storage virtualization is the pooling of physical storage from multiple network storage devices into what appears to be a single storage device that is managed from a central console. Storage virtualization is commonly used in storage area networks (SANs).

Server virtualization is the masking of server resources (including the number and identity of individual physical servers, processors, and operating systems) from server users. The intention is to spare the user from having to understand and manage complicated details of server resources while increasing resource sharing and utilization and maintaining the capacity to expand later.

DMZ (demilitarized zone)

In computer networks, a DMZ (demilitarized zone) is a computer host or small network inserted as a "neutral zone" between a company's private network and the outside public network. It prevents outside users from getting direct access to a server that has company data. (The term comes from the geographic buffer zone that was set up between North Korea and South Korea following the UN "police action" in the early 1950s.) A DMZ is an optional and more secure approach to a firewall and effectively acts as a proxy server as well.

In a typical DMZ configuration for a small company, a separate computer (or host in network terms) receives requests from users within the private network for access to Web sites or other companies accessible on the public network. The DMZ host then initiates sessions for these requests on the public network. However, the DMZ host is not able to initiate a session back into the private network. It can only forward packets that have already been requested.

Users of the public network outside the company can access only the DMZ host. The DMZ may typically also have the company's Web pages so these could be served to the outside world. However, the DMZ provides access to no other company data. In the event that an outside user penetrated the DMZ host's security, the Web pages might be corrupted but no other company information would be exposed. Cisco, the leading maker of routers, is one company that sells products designed for setting up a DMZ.

Problem

You need to keep a web server secure and available from the Internet and from an internal private network.

Solution

This solution protects and provides access to the web server by:

• Installing the web server on a DMZ (demilitarized zone) network separate from your internal network that exposes the web server to the Internet and the internal network.
• Connecting the DMZ network to a FortiGate interface (the DMZ interface or any other available interface).
• Creating a destination NAT (DNAT) security policy that includes UTM protection and that allows users on the Internet to access the web server.
• Creating a route mode security policy that allows users on the internal network to access the web server.