Distributed Temperature Sensing (DTS) systems have become a well-accepted and powerful tool in markets such as the electrical energy industry, fire detection and downhole well monitoring. Following a general trend, the initially isolated stand-alone DTS systems have recently become more and more integrated into complex Supervisory Control and Data Acquisition (SCADA) systems. Taking current Smartgrid initiatives as an example, the DTS system has clearly grown beyond pure temperature sensing.
With these demands in mind, LIOS has taken a closer look at cyber security for SCADA systems. Several recent incidents in industry have shown that the risks arising from cyber security breaches are no longer fiction, and the resulting consequences can be severe. Because of the well-known risks in cyber space, LIOS has paid special attention to the structure and cyber security of the DTS system design and its interfaces:
- System design – The LIOS OTS controller is based on a DSP that runs the data acquisition and data reduction. The software is not based upon an operating system and has been extensively tested and verified by the VdS (Association of German asset insurers). A separate processor is used for the network connectivity. This approach decouples the data reduction from the network.
- Linux based system – The network processor runs the Linux operating system. Linux is well known as an extremely stable operating system for which almost no malware such as viruses or Trojans exists. All unnecessary parts (e.g. hardware or network protocol drivers that are not needed) have been stripped from the operating system, which not only reduces its memory and processing demands but also greatly reduces the chance of being hit by a yet unknown bug. The system has been extensively tested with standard security tools, including Netwox and Nessus, and did not show any vulnerabilities or security issues.
- Built-In Firewall – The OTS controller offers a built-in firewall, based upon the standard Linux iptables infrastructure, which can easily be configured separately for each protocol. The firewall can be used to block access to a specific protocol by an intruder at a very low level, thus ensuring that the attacker can neither read any data nor perform an action such as resetting the device's outputs.
- Protocol Encryption – For all protocols, the OTS controller offers optional encryption using the industry-standard Transport Layer Security (TLS, RFC 5246) protocol. Using TLS, both the connecting system and the OTS controller can be configured to present a cryptographic certificate to prove their identity. If any of these checks fails, the connection is simply rejected. The encryption can be used with self-signed certificates as well as with certificates issued by a Certificate Authority (CA). Once a connection has been successfully authenticated, the data exchange is encrypted, thus preventing an attacker from sniffing any data on the wire.
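Because the TLS protection described above is optional and only effective when both sides actually verify certificates, a practitioner integrating a DTS controller into SCADA will want to check the configuration on the SCADA side. The following is an added example using Python's standard ssl module, not LIOS code: it builds the two mutually authenticating contexts, shows the common weak client configuration beside them, and audits a context for settings that would let an unauthenticated peer connect. Certificate and key file names are placeholders and are only loaded when paths are supplied.

```python
"""Mutual-TLS context setup and audit for a SCADA system connecting to a DTS
controller (added example, not LIOS code; PEM paths are placeholders)."""
import ssl


def controller_context(cert=None, key=None, ca=None):
    """Controller side: require the connecting system to present a
    certificate chained to a trusted CA (self-signed or CA-issued)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED          # default for servers is CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca:
        ctx.load_verify_locations(cafile=ca)     # trust anchor for client certs
    if cert and key:
        ctx.load_cert_chain(certfile=cert, keyfile=key)
    return ctx


def scada_client_context(cert=None, key=None, ca=None):
    """SCADA side: verify the controller's certificate and host name, and
    present our own certificate so the controller can verify us in turn."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True                    # must be set before verify_mode
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca:
        ctx.load_verify_locations(cafile=ca)
    if cert and key:
        ctx.load_cert_chain(certfile=cert, keyfile=key)
    return ctx


def weak_client_context():
    """The frequent shortcut: encryption on, authentication off. Any host
    answering on the controller's address would be accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit(ctx, is_server):
    """Return findings that defeat mutual authentication; [] means the
    context enforces what the controller's TLS option is meant to provide."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not is_server and not ctx.check_hostname:
        findings.append("controller host name not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("pre-TLS 1.2 versions accepted")
    return findings
```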
The combination of the aforementioned measures results in a DTS system that is considerably more secure than comparable devices.