Friday, September 16, 2011

SCADA Vendors Use Public Routable IP Addresses By Default

Most IT professionals understand the difference between publicly routable IP addresses and private IP addresses. Unfortunately, we still find many SCADA and Industrial Control System vendors shipping their products to clients with public IP addresses as the default build. System integrators and control system engineers may not appreciate the impact of implementing TCP/IP-based control systems on publicly addressable IP ranges, so they accept the default public addresses and simply build the system around the core system blocks the vendor provided.

Since we run into this situation in almost every field assessment, I thought it was a good time for a quick primer on private IP address ranges and why SCADA and Industrial Control Systems should never be configured with public IP addresses. For many of you, this briefing will be a review of basics you already know... for others, it may be helpful, so let's begin...

For internal systems that should never be directly accessible from the Internet, RFC 1918 reserves exactly three IPv4 address ranges as private address space (RFC 4193 does the same for IPv6 with the fc00::/7 unique local address block). They are called private because they are not allocated to any specific organization and are not routed on the public Internet: RFC 1918 directs that routers reject routing information for these prefixes, and Internet providers are expected to filter them at their borders, so a packet addressed to one of these ranges has no route across the public Internet.

RFC 1918 name   IP address range                 Number of addresses   Classful description              CIDR block (subnet mask)
24-bit block    10.0.0.0 – 10.255.255.255        16,777,216            one class A network               10.0.0.0/8 (255.0.0.0)
20-bit block    172.16.0.0 – 172.31.255.255      1,048,576             16 contiguous class B networks    172.16.0.0/12 (255.240.0.0)
16-bit block    192.168.0.0 – 192.168.255.255    65,536                256 contiguous class C networks   192.168.0.0/16 (255.255.0.0)


The network ranges in the table above are reserved for internal private networks, and most of us know the 192.168 range from configuring home and small-business routers. When designing and implementing a private IPv4 network, these are the only ranges that should be used. Unfortunately, several major SCADA and Industrial Control System vendors do not ship their systems configured for these ranges, and we find control systems sitting on publicly routable address space in almost every one of our field assessments. When we raise the point, some SCADA and control engineers simply reply that this is how the system came from the vendor, or they justify it by saying the address range does not matter because the system is behind a firewall.

Using publicly routable IP addresses inside sensitive, mission-critical SCADA systems is poor practice. If the addresses belong to the organization and are announced to the Internet, the firewall(s) in front of the control network are the only thing preventing packets and payloads from anywhere on the Internet from being routed into it; with RFC 1918 addresses there is no Internet route to the hosts in the first place, so a single mistaken firewall rule does not by itself expose them. If the addresses belong to someone else (a block the vendor simply picked as a default), the control network now overlaps with real Internet destinations: the firewall can no longer use the simple policy of treating everything outside private space as Internet-bound, hosts inside can never reach the legitimate holders of that block, and rules written in terms of "public" versus "private" addresses become ambiguous. In either case, if any component of the system is inadvertently exposed to the Internet, it is exposed to attacks routed in from anywhere in the world. Private addressing reduces that exposure; it does not replace a default-deny firewall, which is still required.
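The following is an added example, not code from the original post or from any vendor's tooling: a small Python audit that applies the table above to a constructed host inventory, flagging every host that is not on an RFC 1918 address, and then models the routing ambiguity described in the previous paragraph with a longest-prefix-match lookup over a plant firewall's route table. All hostnames, addresses and routes are hypothetical; 198.51.100.0/24 (an RFC 5737 documentation block) stands in for a vendor's public default range.

```python
"""Audit an ICS host inventory for addresses outside RFC 1918 space and show
the routing ambiguity that squatting on a public block creates.

Added example for this post; not code from the original article or any vendor.
The inventory, routing tables and addresses below are constructed for
illustration (198.51.100.0/24 is an RFC 5737 documentation block standing in
for a vendor's public default range).
"""
import ipaddress

# The three RFC 1918 blocks from the table above.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Other IPv4 ranges that are never valid for a host on a control network.
NON_HOST = {
    "loopback": ipaddress.ip_network("127.0.0.0/8"),
    "link-local": ipaddress.ip_network("169.254.0.0/16"),
    "multicast": ipaddress.ip_network("224.0.0.0/4"),
}


def classify(addr):
    """Return 'rfc1918', a NON_HOST label, or 'public' for anything else."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    for label, net in NON_HOST.items():
        if ip in net:
            return label
    return "public"


def audit_inventory(inventory):
    """Return [(host, addr, label)] for every host not on an RFC 1918 address.

    inventory is an iterable of (hostname, ip) pairs, e.g. exported from the
    HMI or historian configuration.
    """
    findings = []
    for host, addr in inventory:
        label = classify(addr)
        if label != "rfc1918":
            findings.append((host, addr, label))
    return findings


def next_hop(routes, dst):
    """Longest-prefix match. routes is [(network, interface)]; returns interface."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


# Constructed inventory: the vendor's "core blocks" arrived on 198.51.100.0/24
# and the integrator added the HMI on a private range.
INVENTORY = [
    ("plc-boiler-1", "198.51.100.10"),
    ("plc-boiler-2", "198.51.100.11"),
    ("historian", "198.51.100.20"),
    ("hmi-op1", "192.168.50.5"),
    ("eng-laptop", "169.254.3.9"),  # APIPA address: never got a DHCP lease
]

# Plant firewall routing table in the two designs: the inside interface
# carries the control network, a default route covers the Internet.
ROUTES_PRIVATE = [
    (ipaddress.ip_network("10.10.0.0/16"), "inside"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
]
ROUTES_SQUATTED = [
    (ipaddress.ip_network("198.51.100.0/24"), "inside"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
]


def collision(routes, dst):
    """True if a packet for a public dst is kept inside the control network.

    With a squatted public block, a legitimate Internet host that happens to
    live in that block is unreachable from the plant, and the simple policy
    "RFC 1918 -> inside, everything else -> outside" no longer holds.
    """
    return classify(dst) == "public" and next_hop(routes, dst) == "inside"


if __name__ == "__main__":
    for host, addr, label in audit_inventory(INVENTORY):
        print(f"FINDING {host:14} {addr:16} {label}")
    # Hypothetical vendor support server that really lives in the block the
    # vendor also used as its default inside range.
    print("private design collision:", collision(ROUTES_PRIVATE, "198.51.100.200"))
    print("squatted design collision:", collision(ROUTES_SQUATTED, "198.51.100.200"))
```

Run it against a real export of your HMI or historian host list; anything the audit reports as "public" is a candidate for the conversation with the vendor, and anything reported as "link-local" is a host that never received an address at all.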

Hopefully SCADA and Industrial Control System vendors will start shipping their systems with private IP addresses as the default, and system integrators and asset owners will implement these systems with private addresses from the start. Once a system is live and actively controlling production, converting from public to private IP addresses is a challenge that may not be possible until the system is down for maintenance.

More food to chew on while you enjoy the weekend...

Jonathan


Reader Comments (2)

First, other than how they are treated in the routing table, there are no meaningful differences between publicly routable and private IP addresses. The security implications of the two are identical.

Traffic to ranges within RFC1918/RFC4193 space is transmitted over the internet all the time, every day. If you depend on your addresses for your security, you are begging for trouble. The point of these addresses is to allow private networks that are behind proxies or NAT systems to share address space providing for the conservation of IPv4 addresses. The purpose has absolutely nothing to do with security.

Further, NAT does not provide any actual security. In fact, NAT is somewhat antithetical to security because it obfuscates audit trails and makes event correlation harder (at best), sometimes impossible.

If the public addresses being used aren't routed by the firewalls or the routers in front of the systems, then they are every bit as effective as the use of private addresses. If the addresses chosen are being routed to these systems from the internet, then that is a separate matter unrelated to whether the addresses in question are public or private.

The vast majority of this article is mythical at best and shows a rather thorough lack of understanding of how the internet in general works. I would love to see how the author plans to deploy these systems in an IPv6 world.

November 13, 2011 | Unregistered Commenter: Security Engineer

I find it hard to believe that a device would ship from manufacturing with a real public IP, because manufacturing would not know what range to put it in. Even a real public IP which is not in the correct range would not have packets routed back to it, similar to an RFC1918 address in fact, except outbound packets would be dropped at the ISP's edge routers.

Usually most devices are shipped with DHCP on or a static private IP. This suggests that it would in fact be the installer that has set the public IP address based on information provided by the client at setup time.

I also have to agree with "security engineer". Pretending that using a public IP address somehow makes a firewall less effective and that private IP addresses are somehow secure is frankly utter rubbish. With a private IP address you are relying on your ISP to drop your packets. Alas most ISPs will route private IPs around their edges, leaving you vulnerable to probing from persons in the same ISP network region as you. Part of the reason for this is that 10.x.x.x ranges are frequently used for management of the ISP's network equipment. It has been demonstrated many times to somewhat shocked clients that you can scan a PAT'd network from the ISP side.

Utilising a stateful firewall that is set to fail safe (DROP ALL default rule) is the best way to protect your infrastructure. This will become even more relevant as IPv6 deployment continues and end-to-end connectivity is restored to most consumer and business networks. People need to learn to set up a proper security infrastructure before then and stop relying on the placebo effect of Port Address Translation.

November 25, 2011 | Unregistered Commenter: Technical Vault
