Ethernet-based communication plays a key role in the automation sphere, and industrial Ethernet is being used more and more in the field area. The advantages are evident: with the use of open and standardized IT technology, such as wireless LAN or a web server, uniform networking can also be achieved. However, this also increases the danger of access violations and so-called malware, so at the same time the potential risk for automation networks must be re-evaluated and security concepts implemented accordingly.
IT security in office IT networks has not been an issue for a long time, not because it is not important, but because it has become standard. Security patches and updates, encryption and passwords have been commonplace for a long time. The situation in the automation sphere is quite different. The task of making automation networks secure presents a considerable challenge, as it collides with other important requirements such as performance and usability. Naturally, the additional costs also play an important role here. Furthermore, securing a network requires constant monitoring and cannot be achieved with a single set-up.
Nevertheless, security is a topic that must be given top priority in automation and/or industrial plants. Uniform networking and the use of open IT standards do not only support competitiveness, but in most cases are prerequisites for it. Furthermore, the ubiquitous reports of security incidents in the media clearly indicate that the dangers are real. The challenging topic of industrial security is addressed in both national and international norms and standards, which place increasing demands on automation systems and plants. Here, particular attention is paid to securing critical infrastructures. While security incidents in production plants largely constitute only monetary losses (even if sometimes large), when it comes to critical infrastructures the public interest also comes into play, since the general public can be affected by disruptions.
How can potential risk be significantly minimized, and both sufficient and affordable security in industrial automation be achieved? There is no panacea or patented solution that can be used every time, since every plant has individual framework conditions, dangers and protection objectives. However, there are best practices and a manageable number of key points for an efficient security concept that must be considered. Individual security measures alone are patchy and insufficient; optimal protection can only be achieved with an overall concept.
The operator is responsible for secure operation, but the manufacturer can offer support by providing corresponding consultation services and secure products and components.
The top priority and the most important task is to establish a security process and/or security management. In order to make sound decisions regarding which measures must ultimately be taken, you must first analyze which specific risks are present that cannot be tolerated. Both the probability of occurrence of a risk and the potential degree of damage play a role here. If risk analyses and the processes to determine the protection objectives are neglected or not performed at all, there is a significant risk that unsuitable, excessive or ineffective measures will be taken and that the weaknesses will not be identified and rectified (Fig. 1).
Fig. 1. Decision table for evaluating risks according to a plant-specific risk analysis that should be verified regularly.
The risk analysis then yields protection objectives that serve as a basis for specific measures, which comprise both organizational and technical measures. The measures must be verified after implementation. From time to time, or if changes have arisen, the risk must be re-evaluated, as the threat posed may have changed in the meantime. The process then starts again from the beginning (Fig. 2).
Fig. 2. The four continuous steps of the security management process to be
The following elements are also part of security management:
Establishing a fundamental understanding of security among all employees (security awareness)
Defining endangered processes and corrective measures
Developing emergency plans, such as what to do in the event of plant disruptions caused by malicious software.
This element is necessary if there is a network connection between the company and plant networks. Above all, this falls within the remit of the IT department, as it primarily concerns defining which accesses from the company network to the plant network are authorized and what data may be transferred in the reverse direction. These definitions must be rendered as rules and access rights that are implemented with technical measures. Top priorities here are network intrusion detection systems (NIDSs) and firewalls, which identify intrusion attempts across the whole network and regulate the data traffic in both directions. It is also possible to establish a so-called demilitarized zone (DMZ), in which participants from both networks can exchange data without having a direct connection to each other (Fig. 3).
Fig. 3. Use of a demilitarized zone for data exchange between company and plant network.
Protection of PC-based systems
Just as office PC systems must be protected against malware and against gaps in the operating system or in user software that must be closed with patches and updates, PCs and PC-based control systems in the plant network also require corresponding protective measures. Many of the tried and tested office protection systems can also be used here. One of the most well-known measures is a regularly updated virus scanner. However, you must bear in mind that virus scanners can only identify a portion of viruses (approximately 70% to 80%) and are powerless against new viruses for which patterns are not yet available. Furthermore, in the automation sphere, they cannot always be updated promptly if there is no maintenance window.
Therefore, the use of whitelisting software is a good alternative to virus scanners. Whitelisting works with so-called positive lists, in which the user specifies which processes or programs may run on the computer. So if a user or malware attempts to install a program, the installation may succeed, but the processes necessary for its operation are not allowed to run, meaning the program cannot be started and no damage will occur.
Manufacturers of industrial software can support users here by testing the compatibility of their software with virus scanners or whitelisting software.
Just to clarify, a white list, also known as a positive list, is a collection of similar elements that are classified as trustworthy. Whitelisting for PCs ensures that only desired programs can be run.
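The positive-list behaviour described above, as an added example (not code from the article or from any vendor's whitelisting product): a small Python evaluator that binds each allowed program path to the hash of its approved binary, so that a newly installed tool is blocked even though its installation succeeded, and a listed binary that has been replaced or modified is blocked as well. Paths, binary contents and hashes are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed positive list: the contents stand in for real, approved binaries.
APPROVED_BINARIES = {
    r"C:\Program Files\HMI\runtime.exe": b"constructed HMI runtime v1",
    r"C:\Program Files\Engineering\plc_editor.exe": b"constructed engineering tool",
}
# Path -> SHA-256 of the approved image; the hash is what makes the list trustworthy.
ALLOW_LIST = {path: sha256_of(content) for path, content in APPROVED_BINARIES.items()}


@dataclass
class ProcessStart:
    path: str    # executable the OS is about to run
    image: bytes  # bytes of that executable at start time


def decide(event: ProcessStart) -> tuple:
    """Return (verdict, reason). Default is deny: anything not listed cannot run."""
    expected = ALLOW_LIST.get(event.path)
    if expected is None:
        return "deny", "not on positive list"
    if sha256_of(event.image) != expected:
        return "deny", "hash mismatch (modified or replaced binary)"
    return "allow", "listed and unmodified"


# Constructed start events: approved runtime, a freshly installed tool, a tampered runtime.
EVENTS = [
    ProcessStart(r"C:\Program Files\HMI\runtime.exe", b"constructed HMI runtime v1"),
    ProcessStart(r"C:\Users\op\Downloads\setup_tool.exe", b"constructed unknown installer"),
    ProcessStart(r"C:\Program Files\HMI\runtime.exe", b"constructed HMI runtime v1 + patch"),
]


def run_all(events=EVENTS):
    """Evaluate every event; returns a list of (path, verdict, reason)."""
    return [(e.path, *decide(e)) for e in events]


if __name__ == "__main__":
    for path, verdict, reason in run_all():
        print(f"{verdict:5} {path}: {reason}")
```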
Protection of control levels
It has long been known that PCs and networks can and must be protected. But what measures are available for the protection of the mostly manufacturer-specific, proprietary systems? How do you protect programmable logic controllers (PLCs) and operator stations that use either no commercial operating system or an older version, because they have been in use for many years or even decades? Here it is not possible to use third-party security software, and access to the system functions of the devices is mostly not possible at all, or only to a limited extent. Therefore, at this stage, the manufacturers of automation hardware are asked to implement corresponding security mechanisms and to provide users with plant-specific setting options. In turn, users are prompted to ask manufacturers about the availability of such mechanisms and to activate them where setting options are offered.
The fundamental robustness of the system against the impact of defective data telegrams and large volumes of unwanted data traffic is important. The manufacturer must ensure that devices are tested for possible weaknesses and are hardened using specific measures, such as secure coding.
Similar to PC-based systems, unused services (like an unnecessary web server), protocols and even unused interfaces in PLC and HMI systems should also be deactivated. If, for example, the functions provided by controllers, such as password protection, component encryption and copy protection, are used, further essential foundations for securing the plant network are laid.
The fifth element of an industrial security concept concerns network security. This is an important step toward a secure plant, since it concerns the security of the data transfer and of access to the network.
Very few automation devices currently have security functions that can protect communications against espionage or manipulation using encryption, or that can securely authenticate the communication partners. The situation is not likely to change soon due to the long life cycles of automation plants and their devices. Although more and more devices are equipped with these functions by the manufacturer, there will still be devices that have no such security functions due to cost optimization or other reasons. In addition, in many cases there are real-time requirements that currently do not allow the use of performance-intensive security functions, such as encryption or secure authentication.
Network segmentation and cell protection
The proven solution to this dilemma is the so-called cell protection concept. The idea is simple: you use a security appliance, i.e., a specially hardened network component that has security functions such as a firewall and virtual private network (VPN). These security appliances, also known as security modules, take over the protection of the automation devices: they are arranged upstream and form the only access path to each device to be protected. The protected areas are known as cells; each corresponds to a network segment, usually its own sub-network. Thus, the network is segmented in terms of security.
The firewall can now control access to the cells, determining which network participants may communicate with each other and, if necessary, also which protocols they may use. Thus, not only can unauthorized access be prevented, but the network load can also be reduced, since not all traffic, e.g. broadcasts (messages to all network participants), is allowed to pass.
The security modules can also establish secured VPN channels, so that the communication to and from cells can be encrypted and authenticated. Thus, the data transfer is protected against manipulation and espionage. In the future, automation system suppliers will offer these security functions in communication processors for controllers and PCs.
The advantages are evident: one security module can protect several devices, so you do not have to install and manage these functions in each device. Real-time communication within the cells, such as Profinet I/O communication, is unaffected by performance-intensive security functions, while access to the cells remains protected (Fig. 4).
Fig. 4. Overview of the cell protection concept.
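The access control a security module performs at a cell boundary, as an added example (not the article's or any vendor's configuration): a stateless Python policy evaluator with default deny, in which traffic inside a cell never passes the module, broadcasts are confined to their own cell, and only listed cell-to-cell relations with the named protocol may pass. Cell names, subnets, protocol names and the rule set are constructed; a real security module would additionally track connection state so that replies to an allowed request are let through.

```python
import ipaddress
from dataclasses import dataclass

# Constructed cells: each cell is one sub-network behind its own security module.
CELLS = {
    "engineering": ipaddress.ip_network("192.168.1.0/24"),
    "cell_A": ipaddress.ip_network("192.168.10.0/24"),
    "cell_B": ipaddress.ip_network("192.168.20.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src_cell: str
    dst_cell: str
    protocol: str  # protocol name, or "*" for any


# Constructed access policy (initiating direction only): the engineering station may
# program both cells, cell_A may read from cell_B over OPC UA, everything else is denied.
RULES = [
    Rule("engineering", "cell_A", "s7comm"),
    Rule("engineering", "cell_B", "s7comm"),
    Rule("cell_A", "cell_B", "opcua"),
]


def cell_of(ip: str):
    """Name of the cell whose sub-network contains ip, or None for unknown participants."""
    addr = ipaddress.ip_address(ip)
    for name, net in CELLS.items():
        if addr in net:
            return name
    return None


def allowed(src: str, dst: str, protocol: str) -> bool:
    """Decide whether a packet from src to dst using protocol may pass the security module."""
    src_cell, dst_cell = cell_of(src), cell_of(dst)
    if src_cell is None or dst_cell is None:
        return False                      # unknown participant: default deny
    if src_cell == dst_cell:
        return True                       # intra-cell real-time traffic never reaches the module
    if ipaddress.ip_address(dst) == CELLS[dst_cell].broadcast_address:
        return False                      # broadcasts stay inside their own cell
    return any(r.src_cell == src_cell and r.dst_cell == dst_cell
               and r.protocol in (protocol, "*") for r in RULES)


if __name__ == "__main__":
    for pkt in [("192.168.1.10", "192.168.10.5", "s7comm"), ("192.168.10.5", "192.168.20.255", "udp")]:
        print(pkt, "allow" if allowed(*pkt) else "deny")
```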
The effective implementation of an industrial security concept requires the involvement of the manufacturer, the user and the operator of automation technology. Norms and standards committees must also impose corresponding rules, develop standard solutions and identify appropriate preventive measures. To ensure the utmost in security, a comprehensive approach is required. Securing plant networks from malicious attacks will be an ongoing issue that plant managers must address. The five-step security solution proposed here is a step in the right direction.
The author
Franz Köbinger is system manager for security in the industrial communication department at Siemens AG, Industry Sector, in Nuremberg, Germany.