We analyze the architecture and protection of local warning systems

On March 9, 2023, an air raid alert was broadcast on Russian television and radio stations: a frightening radiation hazard sign, a siren in the background, a tense synthetic voice calling for shelter. A few hours later, the Ministry of Emergency Situations reported that the alarm was false: the broadcast had been launched by hackers who broke into the servers of several radio stations and TV channels.

The situation, frankly, is unpleasant. Even more unpleasant would be the hacking of an LSO, a local warning system at an enterprise. This attack scenario has everything that can hurt a business: reputational and financial losses, the risk of losing the license to operate, and a threat to people's lives and health.

In this article I will describe what an LSO does and how to design protection for such a system in production.

What are the LSOs responsible for and how do they work?

Warning systems are divided into centralized (CSO) and local (LSO). The former inform the population and the authorities about emergencies such as missile attacks or natural disasters. The latter are installed at critical infrastructure enterprises (nuclear power plants, chemical plants, and so on) to warn about accidents.

The main task of an LSO is to inform the operator or an autonomous system about what exactly has happened, and to warn the personnel and management of the enterprise about the threat of a disaster. If an incident occurs at an enterprise of a high hazard class, the system also notifies the Ministry of Emergency Situations, the authorities, and the population living in the risk zone. Some LSOs require an operator to be present; others work autonomously.

Let's take as an example a certain gas production company N. The company's pipeline can stretch for many kilometers past villages, cities, and railways. The pipeline is fitted with sensors that react to gas leaks. If a leak occurs in any section of the pipeline, the system informs the operator. If the incident cannot be contained, the system warns rescuers about the emergency and starts the sirens in the required area to notify the population.

Why LSOs need protection from cyber attacks

By law, installation of an LSO is mandatory at enterprises of hazard classes I and II: without one, the organization simply will not receive a license to operate. Warning systems at such facilities are part of the state emergency warning system (SEWS). People's lives depend on the LSO working, so its protection must be approached responsibly.

Nor should one forget the legal side: if an inspection by the Ministry of Emergency Situations finds that the LSO is not working or simply does not exist, the enterprise will be fined under Art. 20.07 of the Code of Administrative Offences. And if someone is injured or dies because of a malfunctioning system, the matter may reach the criminal level.

I would like to note that in my practice I have not yet encountered cyber attacks aimed directly at an LSO. All other things being equal, an attacker would rather hit a CSO, if only because it causes more hype in the news. However, one can imagine many scenarios in which an attacker needs to sabotage a single critical information infrastructure facility rather than make headlines and collect likes. In such a scenario the target would be the LSO, so these systems must be protected from cyber threats not only on paper.

What LSOs look like in practice

Before discussing the nuances of LSO protection, let's look at how these systems are built. In my practice I have encountered LSOs of varying complexity: from a box with an antenna, a switch, and a programmable logic controller that drives the warning system, to systems in the "maximum configuration", with a warning unit, telephone exchanges, a switching unit, a system control center, and other services.

What components can be included in LSO?
  • Complex of technical means of a local telephone station;

  • Universal notification blocks;

  • Programmable logic controller;

  • Message switching units;

  • LSO control panels, including automated workstation (ARM) versions. These are required if the operator must start the system manually;

  • Switching unit of the radio broadcasting node (RTU), covering both public broadcasting stations and local ones for rescuers;

  • Base and subscriber wireless communication stations. All base stations connect to the central station, and subscriber stations in turn connect to the base stations; this makes it possible to build a wireless data transmission network;

  • Mobile service and response points;

  • Local warning receivers.

Here is a general diagram that shows the typical LSO topology:

General diagram of the LSO device

An LSO is somewhat reminiscent of a cellular network: the signal is transmitted from the network control center (NCC) down to smaller subscriber stations. In my work I have come across projects where a company built its own industrial network and the warning system covered many, many kilometers. In the opposite direction, parameters (gas concentration, temperature, etc.) travel from the subscriber stations up to the NCC. "Sensors and actuators" in the diagram are the sirens and the sensors themselves, located at production facilities of hazard class I or II; for a gas industry facility, these are gas concentration sensors.

Because such systems are geographically distributed, it is very tempting to connect them over the Internet rather than run dedicated communication lines between them, but from a security standpoint this would be reckless: every station reachable from the Internet becomes a potential entry point into the warning network.
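Whatever carries the subscriber-station traffic, the NCC should not act on a sensor report it cannot tie to a known station, and it should not act on the same report twice. The following is an added example, not code from the article or from any LSO product; the frame layout, the per-station pre-shared keys and the station numbers are assumptions made for the example. It authenticates each report with an HMAC-SHA256 tag under the station's key, then rejects replayed frames with a per-station monotonic counter, so a frame captured on the wireless link cannot be re-injected later to fake a leak or to mask one:

```python
import hashlib
import hmac
import struct

# Hypothetical frame layout for a subscriber-station -> NCC report (assumed for this example):
#   station_id : uint32 BE
#   counter    : uint32 BE, strictly increasing per station (replay protection)
#   sensor_id  : uint16 BE
#   value_x100 : int32 BE, reading scaled by 100 (e.g. ppm)
#   tag        : 32 bytes, HMAC-SHA256 over the 14-byte header with the station's key
HEADER = struct.Struct(">IIHi")
TAG_LEN = hashlib.sha256().digest_size

# Constructed per-station pre-shared keys; in a real deployment they come from
# provisioning, never from source code.
STATION_KEYS = {
    1001: b"station-1001-demo-key",
    1002: b"station-1002-demo-key",
}


def build_frame(station_id, counter, sensor_id, value, key):
    """What a subscriber station sends: the header followed by its HMAC tag."""
    body = HEADER.pack(station_id, counter, sensor_id, int(round(value * 100)))
    return body + hmac.new(key, body, hashlib.sha256).digest()


class TelemetryReceiver:
    """NCC-side verifier: authenticate first, then reject replays, then hand the reading on."""

    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}  # station_id -> highest accepted counter

    def accept(self, frame):
        """Return (reading, reason); reading is None unless reason == "ok"."""
        if len(frame) != HEADER.size + TAG_LEN:
            return None, "bad length"
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        station_id, counter, sensor_id, value_x100 = HEADER.unpack(body)
        key = self.keys.get(station_id)
        if key is None:
            return None, "unknown station"
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            return None, "bad tag"
        if counter <= self.last_counter.get(station_id, -1):
            return None, "replay"                     # old or duplicated frame
        self.last_counter[station_id] = counter
        return {"station": station_id, "sensor": sensor_id, "value": value_x100 / 100}, "ok"


def demo():
    """Run the receiver over a constructed sequence: genuine, replayed, tampered and forged frames."""
    rx = TelemetryReceiver(STATION_KEYS)
    genuine = build_frame(1001, 1, 7, 12.34, STATION_KEYS[1001])
    tampered = bytearray(genuine)
    tampered[10] ^= 0x01                                        # flip a bit inside value_x100
    forged = build_frame(1002, 5, 7, 999.0, b"attacker-guess")  # attacker without the station key
    return [rx.accept(f)[1] for f in (genuine, genuine, bytes(tampered), forged)]


if __name__ == "__main__":
    print(demo())
```

The tag is checked before the counter so that an attacker cannot probe the receiver's counter state with unauthenticated frames; the counter state itself must survive NCC restarts (persist it, or resynchronize on reconnect), otherwise every reboot reopens the replay window.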

What might an information security system for LSO look like?

Now let's look at how to protect the NCC of a single LSO in practice. First, the NCC without information protection tools (SZI):

NCC without information protection tools

Let's assume our system is connected to the RSChS system. In that case the NCC protection system must meet the information security requirements set out in FSTEC Order No. 31 of 14.03.2014 and FSTEC Order No. 17 of 11.02.2013. The full lists of measures are in the annexes at the end of each order; they are quite extensive, so I will not reproduce them here. Remember that in practice the measures listed in these documents must be adapted and refined against the threat model of the specific facility you are working with.

To analyze the sensor parameters and select the zones in which to turn on the sirens, the central control center uses servers in a fault-tolerant configuration. At our typical facility the server-side logic is deployed using virtualization, so we will also consider protection of the virtual environment.

The control center with the protective equipment applied will look like this:

Example of a protected NCC

A few words about the role of the components of this NCC
  • GSM modem — a dual-band wireless communication terminal. It can be used to notify the population, rescuers and the government about an emerging threat.

  • Operator — the place where the operators themselves are located. Here they receive information and launch LSO.

  • AVZ – antivirus protection tool.

  • LSO Control Center – needed to start the alert system.

  • Garda IB — a protection tool from a developer within our holding.

  • NGFW – next-generation firewall.

  • IS segment — for proper protection it is worth segmenting the network with the NGFW (terminating a separate subnet on the firewall) so that the security tools operate separately from the tools that serve the system's main purpose.

  • NCC ME (firewall control center), Administrator, Statewatcher, Policy Manager — tools for managing the NGFW. When the network is distributed across many sites, each of which must also be protected at the network level (i.e. several NGFWs are in use), centralized firewall management is convenient; such a component is usually called the network control center. The diagram shows Administrator, Statewatcher and Policy Manager as examples of management software for a network built on ViPNet.

  • SIEM – a system that collects security events and analyzes threats in near real time.

  • IDS – intrusion detection system.

  • ZSV tool — in the terms of the FSTEC orders, this abbreviation stands for "protection of the virtualization environment."

It is important to remember that security should be provided not only by overlaid tools but also by mechanisms built into the system. This means that certified operating systems should be used to implement the identification and authentication subsystem and the access control subsystem, with security policies configured, including discretionary access control. Certified tools for protection against unauthorized access (SZI NSD) may also be required; one of the most popular is Secret Net Studio.

Among the requirements of FSTEC Order No. 17 for security class 2 there is a measure on trusted boot (UPD.17). As an example, the Sobol hardware trusted boot module, which integrates well with Secret Net Studio, can be used. However, it requires a suitable PCI slot on the motherboard, so when choosing a trusted boot tool, check its compatibility both with the server hardware and with the SZI NSD already in use.

For antivirus protection, use solutions that integrate with the security tools already in operation at the facility. For example, if a Kaspersky Security Center server is installed there, it makes sense to use Kaspersky Endpoint Security, a proven agent for protecting end devices. If components of the local network run on specialized industrial controllers that need application-level monitoring and can be affected by malware, the antivirus tool for them must be selected separately. At typical facilities Kaspersky Endpoint Security covers the antivirus protection (AVZ) tasks on the servers, including the DBMS hosts.

Garda DB is recommended because geolocation databases are often kept on the NCC servers: they are needed to localize an incident and trigger the correct sirens based on the computed danger zones. At typical facilities Garda DB ensures the information security of the DBMS and handles security event registration (RSB) tasks at the application level.
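The zone selection logic itself, as an added example that is not from the article or from any LSO product, assuming constructed sensor and siren coordinates, an assumed alarm threshold, and an assumed rule that a sensor must exceed the threshold on two consecutive readings before it counts as confirmed. It shows the two steps the NCC performs on authenticated telemetry: confirm which sensors are genuinely in alarm (so a single spurious or injected reading does not start sirens), then pick every siren within the danger radius of a confirmed sensor:

```python
import math

# Constructed example data (not from the original article): gas sensors along a pipeline and
# sirens in nearby settlements, as (latitude, longitude) in degrees.
SENSORS = {
    "S1": (55.7600, 37.6200),
    "S2": (55.7700, 37.6400),
    "S3": (55.7800, 37.6600),
}
SIRENS = {
    "village-A": (55.7620, 37.6250),
    "village-B": (55.7750, 37.6350),
    "town-C": (55.8200, 37.7000),
}
THRESHOLD_PPM = 500.0    # assumed alarm threshold
CONFIRM_SAMPLES = 2      # assumed: escalate only after this many consecutive readings over threshold
EARTH_RADIUS_M = 6_371_000.0


def haversine_m(a, b):
    """Great-circle distance in meters between two (lat, lon) points given in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def confirmed_alarms(readings, threshold=THRESHOLD_PPM, samples=CONFIRM_SAMPLES):
    """readings: [(sensor_id, ppm), ...] in time order, already authenticated upstream.

    A sensor is in alarm once it has `samples` consecutive readings above `threshold`;
    one spike (noise, a faulty sensor, or a single injected frame) is not enough.
    """
    streak = {}
    alarmed = set()
    for sensor_id, ppm in readings:
        if sensor_id not in SENSORS:
            continue                      # ignore readings from sensors not in the inventory
        if ppm > threshold:
            streak[sensor_id] = streak.get(sensor_id, 0) + 1
            if streak[sensor_id] >= samples:
                alarmed.add(sensor_id)
        else:
            streak[sensor_id] = 0         # a reading below threshold resets the streak
    return alarmed


def sirens_to_trigger(alarmed, radius_m, sensors=SENSORS, sirens=SIRENS):
    """Select every siren within radius_m of any alarmed sensor (the 'zone' for that leak)."""
    chosen = set()
    for sensor_id in alarmed:
        origin = sensors[sensor_id]
        chosen.update(name for name, pos in sirens.items() if haversine_m(origin, pos) <= radius_m)
    return sorted(chosen)


def plan(readings, radius_m):
    """Operator view: which sensors are confirmed in alarm and which sirens the NCC should start."""
    alarmed = confirmed_alarms(readings)
    return {"alarmed": sorted(alarmed), "sirens": sirens_to_trigger(alarmed, radius_m)}


if __name__ == "__main__":
    sample = [("S1", 120.0), ("S1", 640.0), ("S2", 700.0), ("S1", 710.0), ("S2", 300.0), ("S3", 800.0)]
    print(plan(sample, 1000.0))
```

In the constructed sample only S1 is confirmed (S2 drops back below threshold and S3 has a single reading), so a 1 km radius starts only village-A, while 2.5 km also reaches village-B and never town-C. A real system would replace the plain radius with a dispersion model and wind data, but the confirmation step and the inventory check are what keep one forged or faulty reading from becoming a false public alarm.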

To protect the virtualization environment at typical facilities it is better to use vGate. Note, however, that this tool supports only a limited number of hypervisors, so its applicability must be checked against the specific facility. Our specialists know how to select such tools. vGate is used to protect the virtualization tools (ZSV) and, through them, the DBMS running in the virtual environment.

At the network level it makes sense to use a next-generation firewall (NGFW). The network should be divided not only logically but also physically, so that traffic from the wireless network is filtered before it reaches the local and corporate networks. The NGFW must be selected for each facility individually, taking its topology into account. For the facility in our example, ViPNet xFirewall would not work: in the network logic the wireless channel is the primary connection and the corporate network is the backup route, and ViPNet xFirewall cannot express that preference because of limitations in its OSPF implementation. Note that RFC 2328 defines OSPF cost per interface, not per area, so the primary/backup preference has to be set on the interfaces carrying each channel.

When a network is distributed across several sites in different controlled zones, each of which needs network-level protection, centralized firewall management tools are convenient. They are called network control centers. Examples for ViPNet-based networks are ViPNet Administrator, ViPNet Statewatcher, and ViPNet Policy Manager.

For the intrusion detection subsystem, an IDS can be used. In some cases the NGFW already includes IPS functionality, and a separate IDS may not be necessary.

Since the technological network of the facility includes many remote network devices, centralized authentication will be used to manage them. For network devices this is a RADIUS server; 802.1X support provides port-based network access control, while TACACS+ handles authentication and authorization of administrative access to the devices, and a separate tool regularly checks the integrity of network device configurations. Efros ACS and Efros CI are examples of the two kinds of tool.

FSTEC Order No. 17 prescribes measure RSB.3: security event records received from different devices and software must be combined into a single logical or physical audit log. This helps to identify incidents promptly and respond to them. A SIEM system does this; in our example MaxPatrol SIEM is well suited for the purpose.
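What the single audit log buys you is correlation across sources, which no single device can do on its own. The following is an added example, not code from the article or from MaxPatrol SIEM; the three log formats (NGFW, the NCC server's sshd, and the LSO control center application) and the sample lines are constructed for the example, and the two rules are assumptions about what an operator would want flagged. It normalizes the three sources into one time-ordered event stream and then raises an alert when a siren start command comes from an address with no recent operator login, and when a successful login follows a burst of failures from the same address:

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (invented formats, not real product output) from three sources
# that the SIEM is expected to merge: the NGFW, the NCC server's OS, and the LSO control center.
NGFW_LOG = """\
2024-05-01T10:00:01Z ngfw-1 DENY src=10.20.5.9 dst=10.10.0.5 dport=22
2024-05-01T10:00:02Z ngfw-1 ALLOW src=10.10.1.7 dst=10.10.0.5 dport=22
2024-05-01T10:04:50Z ngfw-1 ALLOW src=10.10.1.30 dst=10.10.0.5 dport=8443
"""
OS_AUTH_LOG = """\
2024-05-01T10:00:05Z ncc-srv sshd: Failed password for operator from 10.10.1.7
2024-05-01T10:00:09Z ncc-srv sshd: Failed password for operator from 10.10.1.7
2024-05-01T10:00:14Z ncc-srv sshd: Failed password for operator from 10.10.1.7
2024-05-01T10:00:21Z ncc-srv sshd: Failed password for operator from 10.10.1.7
2024-05-01T10:00:40Z ncc-srv sshd: Accepted password for operator from 10.10.1.7
"""
LSO_APP_LOG = """\
2024-05-01T10:01:00Z lso-cc SIREN_START zone=village-A user=operator src=10.10.1.7
2024-05-01T10:05:00Z lso-cc SIREN_START zone=town-C user=svc_backup src=10.10.1.30
"""

# One regex per source; all of them map onto the same normalized fields.
PARSERS = {
    "ngfw": re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<verdict>ALLOW|DENY) src=(?P<src>\S+) dst=\S+ dport=\d+$"),
    "os": re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"),
    "lso": re.compile(r"^(?P<ts>\S+) (?P<host>\S+) SIREN_START zone=(?P<zone>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$"),
}
ACTIONS = {"ALLOW": "fw_allow", "DENY": "fw_deny", "Failed": "login_failed", "Accepted": "login_success"}


def normalize(source, text):
    """Turn raw lines of one source into normalized event dicts; unparseable lines are kept as 'unparsed'."""
    events = []
    for line in text.splitlines():
        m = PARSERS[source].match(line)
        if not m:
            events.append({"ts": None, "source": source, "action": "unparsed", "raw": line})
            continue
        d = m.groupdict()
        action = ACTIONS.get(d.get("verdict") or d.get("result"), "siren_start")
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "source": source, "host": d["host"], "action": action,
            "src": d["src"], "user": d.get("user"), "zone": d.get("zone"),
        })
    return events


def unified_log(*source_texts):
    """The single audit log RSB.3 asks for: every source merged and ordered by time."""
    events = [e for src, text in source_texts for e in normalize(src, text)]
    return sorted((e for e in events if e["ts"]), key=lambda e: e["ts"])


def correlate(events, window=timedelta(minutes=2), fail_threshold=3):
    """Two cross-source rules that cannot be evaluated on any single device's log."""
    alerts = []
    for e in events:
        # Earlier events from the same source address inside the correlation window.
        earlier = [x for x in events if x["src"] == e["src"] and e["ts"] - window <= x["ts"] < e["ts"]]
        if e["action"] == "login_success":
            fails = sum(1 for x in earlier if x["action"] == "login_failed")
            if fails >= fail_threshold:
                alerts.append({"rule": "password_guessing_then_success", "src": e["src"], "user": e["user"], "ts": e["ts"]})
        elif e["action"] == "siren_start":
            if not any(x["action"] == "login_success" for x in earlier):
                alerts.append({"rule": "siren_start_without_operator_login", "src": e["src"],
                               "user": e["user"], "zone": e["zone"], "ts": e["ts"]})
    return alerts


def demo():
    """Merge the three constructed logs and return (rule, source address) for every alert."""
    log = unified_log(("ngfw", NGFW_LOG), ("os", OS_AUTH_LOG), ("lso", LSO_APP_LOG))
    return [(a["rule"], a["src"]) for a in correlate(log)]


if __name__ == "__main__":
    print(demo())
```

On the sample data the operator's siren start at 10:01 is preceded by a login from the same address and passes, but that login itself is flagged because four failed attempts came before it; the second siren start, from an address the firewall admitted but that never logged in to the NCC server, is flagged on its own. Neither alert is visible from the control center log alone, which is the practical argument for the single audit log.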

What else to consider when designing information security

Potential threats vary with the specific LSO design. For a box that sends on/off signals, simpler protection can be designed. But a distributed automated system that analyzes sensors and includes disaster-tolerant components reserving every channel needs a completely different approach to information security. The more devices in the system, the more opportunities for intruders. In addition, the system may contain zero-day vulnerabilities that nobody knows about yet.

Economic feasibility also plays a role in choosing an information security system. Designing full incident analysis servers for one small booth would be unjustifiably expensive.

It is also worth considering that the requirements for an LSO and reality sometimes diverge. You can find regulations online containing a clause like "install such-and-such antivirus on every computing device." But if our device is a box with an antenna and a switch, what antivirus can we install on it?

Here is an approximate amount of work that an organization will have to do to take care of the information security of LSO:

  • pre-project survey and/or information security audit;

  • risk analysis, development of an information security threat model;

  • determination of requirements for information security tools, development of technical specifications;

  • design work on the creation of integrated information security systems;

  • development of organizational measures to ensure security;

  • implementation of organizational and software-technical measures to ensure security;

  • certification of software and hardware included in the LSO;

  • support of software and hardware measures to ensure security;

  • training for staff (improving the competence of employees in the field of information security).

As trivial as it may sound, each LSO is unique. Accordingly, the security requirements must be analyzed individually for each system. You cannot simply take one set of measures and apply it to every LSO; it must be adapted and specified for each individual system.

What could go wrong

Problems can arise from a lack of experience among the staff who build information security for the warning system. For example, on one of my first projects I had to work a lot with a distributed wireless network. The customer's employees did not understand it at all: nobody knew what worked or how. I had to gain the experience right in the field.

Another difficult point is the economic side. Some customers are simply not ready to spend extra money on information security and allocate a minimal budget for LSO protection. At the same time, designing a truly reliable system is not cheap: firewalls have to be installed at each site and the sites protected at the network level, endpoint protection has to be deployed on the workstations (ARM), the virtualization systems have to be dealt with, and so on. Having estimated the cost of the hardware and software components, many customers say: "Guys, this is so damn expensive."

It is scary to imagine what happens if the system is left unprotected or exposed on the Internet. It is a corporate network that connects potential targets: any reasonably informed attacker will be able to gain access to them and sabotage the system. And any wireless station, from the subscriber stations up to the central control center, can become the entry point into the network.

Is it possible to build an LSO security system on your own? In general, yes, but assess your capabilities soberly. Suppose the organization has 86 LSO facilities: will the company be able to certify them all? Does it have people who can competently draw up a technical passport and pass the regulator's inspection so that the passport is not revoked and the system does not have to be re-certified? If you cannot answer these questions affirmatively, it is better to entrust the creation of the LSO security system to a professional team.
