September 2011
SCADA Vendors Use Public Routable IP Addresses By Default
Most IT Professionals understand the difference between public routable IP addresses and private IP addresses. Unfortunately, we still find many SCADA and Industrial Control System vendors that ship their product to their clients with public IP addresses as the default build. System Integrators and Control System Engineers may not know the impact of implementing TCP/IP based control systems with public addressable IP ranges, so they accept the default public IP addresses and simply build the system around the core system blocks that were provided to them by the vendor.
Since we run into this situation in almost every field assessment, I thought it was a good time for a quick primer on private IP address ranges and why SCADA and Industrial Control Systems should never be configured with public IP addresses. For many of you, this briefing will be a review of some basics that you already know… for others, this may be helpful, so let’s begin…
For internal systems that should never be accessible directly from the Internet, there are only three IP address ranges that are reserved by RFC 1918 and 4193 as private address spaces. They are classified as private because they are not allocated to any specific organization, and IP traffic addressed to these IP address ranges cannot be transmitted over the public Internet.
RFC1918 name | IP address range | number of addresses | classful description | CIDR block (subnet) |
24-bit block | 10.0.0.0 – 10.255.255.255 | 16,777,216 | Class A | 10.0.0.0/8 (255.0.0.0) |
20-bit block | 172.16.0.0 – 172.31.255.255 | 1,048,576 | Class B | 172.16.0.0/12 (255.240.0.0) |
16-bit block | 192.168.0.0 – 192.168.255.255 | 65,536 | Class C | 192.168.0.0/16 (255.255.0.0) |
The network ranges shown in the above table are reserved for use for internal private networks, and most of us are familiar with the 192.168 range from configuring our home and small business routers. When designing and implementing private networks, these are the only ranges of IP addresses that should be used. Unfortunately, there are several major SCADA and Industrial Control System vendors that do not ship their systems configured to operate in these IP address ranges, and we find SCADA systems that are publicly routable over the Internet in almost every one of our field assessments. When we bring this point up, some SCADA and Control Engineers simply reply that it is how their system came from the vendor, or they will justify it and say that the address range does not matter because they are behind a firewall.
Using public routable IP addresses on the inside of sensitive mission-critical SCADA systems is not a good practice, since the firewall(s) protecting these systems are the only line of defense from malicious packets and payloads being routed from anywhere on the Internet into these environments. Configuring firewalls to protect public routable addresses on the inside is also much more complicated because you cannot take advantage of built-in features for routing classless routes to the outside interface for Internet-bound traffic. Also, if any component of the system is inadvertently exposed to the Internet, then the system is exposed to attacks that can be routed into the system from anywhere in the world.
Hopefully SCADA and Industrial Control System vendors can start shipping their systems with private IP addresses as the default, and system integrators and asset owners can start implementing these systems with private IP addresses from the start. If the system is up and running in a live state actively controlling production systems, converting from public to private IP addresses is a challenge that may not be possible unless the system is down for maintenance.
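As an added example (not code from the original post), here is one way to audit a control-system asset inventory against the three RFC 1918 blocks in the table above and list the devices that would need renumbering. The inventory format, device names and addresses are constructed for illustration; the check tests membership in the three blocks explicitly because Python's `is_private` attribute also covers other reserved ranges.

```python
import csv
import io
import ipaddress

# The three RFC 1918 blocks from the table above.
RFC1918_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory: hypothetical device names and addresses.
# plc-02 sits just past the end of 172.16.0.0/12, a common renumbering slip.
SAMPLE_INVENTORY = """device,ip
hmi-01,192.168.10.21
plc-01,172.16.4.10
plc-02,172.32.4.11
historian,198.51.100.15
rtu-07,10.20.30.40
eng-ws,203.0.113.7
io-rack,not-an-ip
"""

def rfc1918_block(ip_text):
    """Return the RFC 1918 block (as text) containing ip_text, or None.
    Raises ValueError if ip_text is not a valid IPv4 address."""
    addr = ipaddress.IPv4Address(ip_text.strip())
    for block in RFC1918_BLOCKS:
        if addr in block:
            return str(block)
    return None

def audit_inventory(csv_text):
    """Return (device, ip, status, block) for every inventory row."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            block = rfc1918_block(row["ip"])
        except ValueError:
            findings.append((row["device"], row["ip"], "invalid", None))
            continue
        status = "rfc1918" if block else "non-rfc1918"
        findings.append((row["device"], row["ip"], status, block))
    return findings

def needs_renumbering(findings):
    """Devices whose configured address is outside all three private blocks."""
    return [dev for dev, _, status, _ in findings if status == "non-rfc1918"]

if __name__ == "__main__":
    results = audit_inventory(SAMPLE_INVENTORY)
    for dev, ip, status, block in results:
        print(f"{dev:10} {ip:16} {status:12} {block or '-'}")
    print("Renumber:", ", ".join(needs_renumbering(results)))
```

Running the same check against the addresses actually configured on each device, rather than the design documents, catches vendor defaults that were never changed.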
More food to chew on while you enjoy the weekend…
Jonathan