Why VLAN Security isn't SCADA Security at all
Over the years I have been asked by a number of control engineers, “Our IT dept says we have VLANs, so why do I need a firewall?”
Back in the mid-90s, I was a big supporter of Virtual Local Area Networks (VLANs) for security. Unfortunately, I have seen so many issues with this technology that I no longer believe it provides effective security.
VLANs - good for traffic management
Don’t get me wrong - VLANs are great traffic management tools. VLANs work by having Ethernet switches insert a “tag” (basically a 4-byte field) into the header of each Ethernet message. Other switches on the network can read this tag and decide whether a message should be forwarded.
This allows the switches to provide limited traffic filtering, primarily for managing broadcast traffic. And managing broadcast traffic is important, as incidents like Browns Ferry Nuclear have shown us.
VLANs - not good for security
But switches with VLANs are not firewalls. They operate at layer 2 (the Ethernet layer) and don’t understand the “state” of the messages flowing through them. This makes the spoofing of VLAN tags trivial: there is no check to detect if a tag has been adjusted by a hacker. Thus the hacking community has lots of tools designed to bypass switch-based security.
Dr. Paul Dorey, the former Chief Security Officer at BP, made this clear in numerous speeches to the control industry: "A router (or switch) is not a firewall, so don't try to use it as one."
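To make the two points above concrete (the 4-byte tag a switch inserts, and the absence of any check that the tag is genuine), here is an added example parser for an 802.1Q-tagged Ethernet frame. It is not code from the original post or from any vendor; the sample frames are constructed for the example. The parser pulls out every field the tag contains: a 16-bit TPID (0x8100) and a 16-bit TCI holding the 3-bit priority, the 1-bit DEI and the 12-bit VLAN ID. There is nothing else in the tag, which is exactly why a switch that forwards on the VID alone has no way to tell who set it.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_8021Q = 0x8100   # TPID that announces a VLAN tag
ETHERTYPE_IPV4 = 0x0800


@dataclass
class EthernetFrame:
    dst: str
    src: str
    ethertype: int          # ethertype of the payload, after any tag
    payload: bytes
    vlan_id: Optional[int] = None    # None when the frame carries no tag
    priority: Optional[int] = None   # PCP, 3 bits
    dei: Optional[int] = None        # Drop Eligible Indicator, 1 bit

    @property
    def tagged(self) -> bool:
        return self.vlan_id is not None


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> EthernetFrame:
    """Parse an Ethernet II frame, consuming one 802.1Q tag if present.

    The whole tag is TPID (2 bytes) + TCI (2 bytes). It carries no
    authentication and no checksum of its own; the Ethernet FCS covers the
    frame as a whole but is recomputed by every switch, so it does not
    attest where the tag came from.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = _mac(frame[0:6]), _mac(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    vlan_id = priority = dei = None
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        priority = tci >> 13          # top 3 bits
        dei = (tci >> 12) & 0x1       # next bit
        vlan_id = tci & 0x0FFF        # low 12 bits
        offset = 18
    return EthernetFrame(dst, src, ethertype, frame[offset:], vlan_id, priority, dei)


# Constructed sample frames (addresses and payload are made up for the example).
_DST = bytes.fromhex("001122334455")
_SRC = bytes.fromhex("66778899aabb")
_PAYLOAD = b"\x45\x00" + b"\x00" * 18   # stand-in for an IPv4 header

# Tagged: TPID 0x8100, TCI 0xA064 = priority 5, DEI 0, VID 100, then IPv4.
TAGGED_SAMPLE = _DST + _SRC + bytes.fromhex("8100a0640800") + _PAYLOAD
# Untagged: ethertype IPv4 directly after the source address.
UNTAGGED_SAMPLE = _DST + _SRC + bytes.fromhex("0800") + _PAYLOAD


if __name__ == "__main__":
    for sample in (TAGGED_SAMPLE, UNTAGGED_SAMPLE):
        f = parse_frame(sample)
        print(f"{f.src} -> {f.dst} tagged={f.tagged} vid={f.vlan_id} "
              f"pcp={f.priority} dei={f.dei} ethertype=0x{f.ethertype:04x}")
```

Running it prints the two frames side by side; the only difference between them is the four tag bytes, and a switch that trusts the VID has nothing further to verify.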
Many IT experts have also warned of the dangers of depending on VLANs for security. For example, the SANS organization reported on this issue over a decade ago:
"Try not to use VLANs as a mechanism for enforcing security policy. They are great for segmenting networks, reducing broadcasts and collisions and so forth, but not as a security tool." - SANS Intrusion Detection FAQ
But still people think that VLANs are security solutions, resulting in this excellent blog by John Kindervag for the Payment Card Industry (PCI) on why depending on VLAN Security isn't a good idea. Now this blog is referring to security for credit card systems, but I think it is fair to say that what is good practice for protecting a credit card database is good for protecting a safety system in a refinery or a control system in a nuclear facility.
Use a Stateful or Deep Packet Inspection Firewall
If you want security for your control system AT A MINIMUM you need to use a Stateful firewall that will block all traffic EXCEPT permitted protocols between permitted hosts. Even better is to use a Deep Packet Inspection firewall like the Tofino Modbus Enforcer or Tofino OPC Classic Enforcer (these are our Tofino Security products, so note my bias). These filter the traffic at both the TCP/IP layers and at the top layer of the protocol stack, offering a really robust security solution.
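To show what "block all traffic except permitted protocols between permitted hosts" and application-layer inspection actually mean, here is an added example of a simplified stateful filter with a Modbus/TCP check. It is not the Tofino products' implementation nor code from the original post; the hosts, ports, policy and packets are constructed for the example. The filter admits a new connection only if the (client, server, port) triple is on the allow-list, admits replies only on a connection it has already tracked, and on port 502 parses the MBAP header and permits only read function codes. A VLAN-capable switch does none of these things.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

MODBUS_TCP_PORT = 502
# Constructed policy for this example: the HMI may poll the PLC using the
# read function codes but may never write coils or registers on this path.
READ_ONLY_FUNCTIONS = {1, 2, 3, 4}   # read coils/inputs/holding/input regs


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    payload: bytes = b""


def modbus_function(pdu: bytes) -> Optional[int]:
    """Return the function code of a Modbus/TCP request, or None when the
    MBAP header is inconsistent (wrong protocol id, or a length field that
    does not match the bytes actually present)."""
    if len(pdu) < 8:
        return None
    _tid, proto_id, length, _unit = struct.unpack("!HHHB", pdu[:7])
    if proto_id != 0 or length != len(pdu) - 6:
        return None
    return pdu[7]


class Firewall:
    """Hypothetical stateful allow-list filter with DPI on port 502."""

    def __init__(self, allow: Set[Tuple[str, str, int]]):
        self.allow = allow                                   # (client, server, port)
        self.conns: Set[Tuple[str, int, str, int]] = set()   # tracked 4-tuples

    def decide(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if rev in self.conns:
            return "ALLOW: reply on a tracked connection"
        if fwd not in self.conns:
            # Only a fresh SYN from an allow-listed client may open state.
            if pkt.syn and not pkt.ack and (pkt.src, pkt.dst, pkt.dport) in self.allow:
                self.conns.add(fwd)
                return "ALLOW: new connection matches allow-list"
            return "DROP: no matching rule and no connection state"
        if not pkt.payload:
            return "ALLOW: established, no application data"
        if pkt.dport == MODBUS_TCP_PORT:
            fc = modbus_function(pkt.payload)
            if fc is None:
                return "DROP: malformed Modbus/TCP header"
            if fc not in READ_ONLY_FUNCTIONS:
                return f"DROP: Modbus function {fc} is not read-only"
            return f"ALLOW: Modbus function {fc} permitted"
        return "ALLOW: established"


# Constructed hosts and Modbus requests for the scenario.
HMI, PLC, LAPTOP = "10.0.0.10", "10.0.0.20", "10.0.0.99"
READ_HOLDING = bytes.fromhex("000100000006" "01" "03" "0000000a")   # fc 3
WRITE_SINGLE = bytes.fromhex("000200000006" "01" "06" "00100001")   # fc 6
BAD_PROTO_ID = bytes.fromhex("000300010006" "01" "03" "0000000a")   # proto id 1


def run_scenario() -> List[str]:
    fw = Firewall(allow={(HMI, PLC, MODBUS_TCP_PORT)})
    traffic = [
        Packet(HMI, PLC, 40000, 502, syn=True),                       # handshake
        Packet(PLC, HMI, 502, 40000, syn=True, ack=True),             # SYN-ACK back
        Packet(HMI, PLC, 40000, 502, ack=True, payload=READ_HOLDING), # poll
        Packet(HMI, PLC, 40000, 502, ack=True, payload=WRITE_SINGLE), # write attempt
        Packet(LAPTOP, PLC, 50000, 502, syn=True),                    # unlisted host
        Packet(PLC, HMI, 502, 40001, syn=True),                       # PLC-initiated
        Packet(HMI, PLC, 40000, 502, ack=True, payload=BAD_PROTO_ID), # malformed
    ]
    return [fw.decide(p) for p in traffic]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The scenario walks one polling session through the filter: the handshake and the read request pass, while the write request, the unlisted laptop, a server-initiated connection and a malformed header are each dropped with a reason a SOC can log and alert on.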
Usually the interest in VLANs is because of IT teams wanting to use IT network technology to solve a plant floor security issue. VLANs are good tools, but deploying them for security reminds me of the old saying “When the only tool you have is a hammer, everything looks like a nail.” If you want good security for your control system, you need to pick the right tool, not the handiest tool.