Guest contributors: Gerrit Boysen and Mariam Coladonato, Phoenix Contact
High system availability is very important in process engineering, because ongoing processes must not be interrupted. A fence is a physical, easily identifiable safety measure to secure systems from unauthorized persons. In addition to such physical protections, implementing IT security practices is also becoming more important.
The current trend toward interconnectivity is driving the growing need for IT security in process engineering. Not only is there an increasing number of horizontal interconnections from one system to another, but also the field level is more connected to the office level. In addition, all levels are using more and more Ethernet components. The good news is that this interconnection increases efficiency and reduces costs. The downside of this, however, is that it also increases the risk that malicious software will quickly spread throughout all areas of a company.
Against this backdrop, process-engineering systems are repeatedly threatened by new security gaps and a growing number of malicious programs. The computers and control systems used in industrial networks must be protected against attacks, malicious software, and unauthorized access far more thoroughly than they have been so far (Figure 1).
Figure 1: The Process Analysis Center is protected by a firewall.
The security strategies used in conventional office IT, however, usually are not designed for industrial systems. Industrial networks require special protective measures. The IT systems used in production environments differ fundamentally from those used in office environments in four ways.
- Patches cannot typically be applied to industrial systems
- Industrial systems use special protocols such as OPC Classic, which are not used in the office world
- Large systems can have structurally identical modular assemblies with identical IP addresses
- Production systems often require different firewall rules and standards during maintenance and in the event of remote servicing
Office PCs usually have virus scanners that receive security updates at regular intervals. These measures do not normally work for industrial systems, for several reasons. In some cases the manufacturer of the operating system or application used in the industrial sector no longer provides security updates. In addition, every operating system, antivirus, or application update must be tested on the industrial PC before it is rolled out, which is rarely practical during ongoing operation.
The use of specific industrial firewalls can protect these non-patchable systems against attacks from outside the network. To do this, hardware-based firewall appliances are connected between industrial PCs and outside networks. Another advantage of using external security hardware is that the system’s resources do not have to be used for security tasks (Figure 2).
Figure 2: Security example from the process industry.
Targeted restriction of network communications
With firewalls, the user can configure the protocols and ports that can be used to access the protected systems. This prevents, or at least limits, attempts by an attacker to reach the network through unprotected ports. The Stateful Packet Inspection Firewall approach is an ideal way to manage these systems. This approach uses rules to filter incoming and outgoing data packets in both directions: from the outside to the protected internal network and vice versa. Based on the protocol, source address and port, and destination address and port, network communication can be limited selectively to the defined scope required for production. Here, the Connection Tracking function identifies the response packets belonging to permitted connections and lets them through.
When selecting a suitable firewall, the engineer must ensure that the selected firewall understands any protocols used in the particular industry. Otherwise, reliable protection cannot be guaranteed. For example, office firewalls typically do not support industrial protocols such as OPC Classic, so they cannot provide appropriate protection for the application.
While conventional firewalls cannot reliably protect data traffic via OPC Classic, industrial variants – such as one with a license for OPC Inspector – can provide a suitable solution. The firewall checks the OPC Classic communications data packets and filters them precisely, based on Deep Packet Inspection. For this purpose, the Stateful Inspection principle is also applied to OPC Classic data. This means that the firewall identifies the port changes negotiated in the OPC Classic protocol and approves them dynamically. In this context, it inspects whether a port opened by OPC is actually used within a timeout period and whether the data traffic moving through this port corresponds to the OPC protocol. This method provides a high level of access security (Figure 3).
Figure 3: Deep Packet Inspection in the OPC protocol.
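The two mechanisms described above, connection tracking for response packets and the dynamic approval of a negotiated OPC Classic port that must be used within a timeout and must carry OPC-like traffic, as an added simulation that is not the vendor's code. The addresses, the `EPM-PORT:` marker standing in for a parsed endpoint-mapper reply, and the 30-second timeout are constructed assumptions; the check for a DCE/RPC version 5.0 header is a simplified plausibility test.

```python
"""Added example (not the vendor's code): stateful packet inspection with
connection tracking plus an OPC-Classic-style dynamic port pinhole."""
from collections import namedtuple

# direction: "in" = plant network -> protected cell, "out" = cell -> plant network
Packet = namedtuple("Packet", "proto src sport dst dport direction payload")
# Static rule: only this plant host may open the DCE/RPC endpoint mapper (TCP 135),
# which OPC Classic (DCOM) uses to negotiate its dynamic server ports.
RULES = {("tcp", "10.0.0.5", "192.168.0.10", 135)}      # constructed addresses
PINHOLE_TIMEOUT = 30.0     # seconds a negotiated port may stay unused (assumed)
EPM_MARKER = b"EPM-PORT:"  # constructed stand-in for a parsed endpoint-mapper reply

class StatefulFirewall:
    def __init__(self):
        self.conntrack = set()   # established connections, direction-independent keys
        self.pinholes = {}       # (server ip, negotiated port) -> expiry time

    @staticmethod
    def _key(p):
        a, b = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (p.proto, *a, *b)

    def _learn_port(self, p, now):
        # Deep packet inspection of the endpoint-mapper reply leaving the cell:
        # the announced port is opened for a limited time, for this server only.
        if p.direction == "out" and p.sport == 135 and p.payload.startswith(EPM_MARKER):
            port = int(p.payload[len(EPM_MARKER):])
            self.pinholes[(p.src, port)] = now + PINHOLE_TIMEOUT

    def filter(self, p, now):
        # 1. Connection tracking: replies on permitted connections pass.
        if self._key(p) in self.conntrack:
            self._learn_port(p, now)
            return "ACCEPT"
        # 2. Negotiated port: must be used before the timeout and must look like
        #    DCE/RPC (connection-oriented PDUs start with version 5.0 = bytes 05 00).
        hole = (p.dst, p.dport)
        if hole in self.pinholes:
            if now > self.pinholes[hole]:
                del self.pinholes[hole]          # unused past the timeout: port closes again
                return "DROP"
            if not p.payload.startswith(b"\x05\x00"):
                return "DROP"                    # not OPC traffic, the pinhole stays closed to it
            del self.pinholes[hole]
            self.conntrack.add(self._key(p))
            return "ACCEPT"
        # 3. New connections from the plant network need a static rule.
        if p.direction == "in" and (p.proto, p.src, p.dst, p.dport) in RULES:
            self.conntrack.add(self._key(p))
            return "ACCEPT"
        return "DROP"
```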
Unique and clear mapping to virtual external networks
Complex production sequences are typically structured into networked, largely standalone cells. To keep engineering, documentation, and cell operation efficient, it is advantageous to use identical IP addresses for all systems of a single type. If all communications are initiated from the internal cell networks, several identical systems can be connected to the operator’s production network with simple masquerading NAT (Network Address Translation) routers. If the higher-level network also needs to establish connections to the individual cell nodes, however, this solution is not sufficient, because the cell nodes cannot be addressed from the outside. In this case, the user requires a router that can map internal machine networks, universally or selectively, to unique virtual external networks using 1:1 NAT.
For this reason, an industrial firewall offers 1:1 NAT routing in addition to plain NAT routing. OPC Inspector, mentioned above, supports this NAT function for the OPC Classic protocol, which sets it apart from conventional office firewalls and other industrial firewalls.
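The addressing problem described above, as an added example that is not the vendor's code: several cells share the identical internal subnet, a 1:1 NAT router maps each cell to its own virtual external network so the plant network can reach individual cell nodes, and a masquerading NAT router is shown beside it to make clear why it cannot. The subnets, cell names and WAN address are constructed.

```python
"""Added example (not the vendor's code): 1:1 NAT for production cells that
all use the identical internal subnet, beside masquerading NAT for contrast."""
import ipaddress

INTERNAL_NET = ipaddress.ip_network("192.168.0.0/24")   # identical in every cell (constructed)

class OneToOneNat:
    """Each cell gets its own virtual external network of the same size, so the
    plant network can address every cell node, not only the cell's router."""
    def __init__(self, cell_to_external):
        self.ext = {c: ipaddress.ip_network(n) for c, n in cell_to_external.items()}
        for net in self.ext.values():
            if net.prefixlen != INTERNAL_NET.prefixlen:
                raise ValueError("1:1 NAT needs external nets the size of the internal net")

    def to_internal(self, external_ip):
        """Inbound: map a virtual address to (cell, internal host address)."""
        ip = ipaddress.ip_address(external_ip)
        for cell, net in self.ext.items():
            if ip in net:
                offset = int(ip) - int(net.network_address)   # same host offset in both nets
                return cell, str(INTERNAL_NET.network_address + offset)
        raise LookupError(f"{external_ip} is not in any virtual cell network")

    def to_external(self, cell, internal_ip):
        """Outbound: rewrite a cell node's source to its unique virtual address."""
        offset = int(ipaddress.ip_address(internal_ip)) - int(INTERNAL_NET.network_address)
        return str(self.ext[cell].network_address + offset)

class MasqueradingNat:
    """Plain NAT: every node of a cell leaves as the router's single WAN address,
    so the plant network has no way to name an individual cell node."""
    def __init__(self, wan_ip):
        self.wan_ip = wan_ip

    def to_external(self, cell, internal_ip):
        return self.wan_ip

    def to_internal(self, external_ip):
        raise LookupError("masquerading NAT cannot address cell nodes from outside")
```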
Event-controlled (de)activation of firewall rules
Different firewall rules and standards have advantages in different situations, because during production operation, maintenance, and remote system servicing, different connections are allowed or forbidden. In practice, the user usually solves the problem by combining the various firewall requirements into a single rule set. This procedure inevitably lowers the level of security, because the firewall rules then allow all connections required for any of the operating states, even those not required for the current operation.
An industrial firewall solves the problem by implementing a Conditional Firewall. This function allows the firewall rules to be activated or deactivated depending on events. A variety of events – such as an externally connected button, switch, control window in a web interface, API command line, or establishing or disconnecting a VPN (Virtual Private Network) connection – can be selected to trigger a specific firewall rule (Figure 4).
Figure 4: Secure remote access to the system.
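The event-controlled rule switching described above, as an added example that is not the vendor's code: maintenance rules are active only while a VPN connection is up or an external switch is on, the merged rule set the text warns about is shown beside it, and the firewall keeps an event log from which the maintenance windows can be reconstructed for auditing. The port numbers and event names are constructed.

```python
"""Added example (not the vendor's code): a conditional firewall whose maintenance
rules are switched by events, beside the merged rule set the text warns about."""
PRODUCTION_RULES = {("tcp", 135)}                 # OPC Classic endpoint mapper
MAINTENANCE_RULES = {("tcp", 3389), ("tcp", 22)}  # remote servicing only (constructed)

class ConditionalFirewall:
    def __init__(self):
        self.vpn_up = False
        self.switch_on = False   # externally connected key switch
        self.log = []            # (time, event, maintenance_active) for auditing

    def on_event(self, event, now):
        # Events from the text: VPN connect/disconnect and an external switch.
        handlers = {"vpn_connected": ("vpn_up", True), "vpn_disconnected": ("vpn_up", False),
                    "switch_on": ("switch_on", True), "switch_off": ("switch_on", False)}
        if event not in handlers:
            raise ValueError(f"unknown event {event!r}")
        attr, value = handlers[event]
        setattr(self, attr, value)
        self.log.append((now, event, self.maintenance_active()))

    def maintenance_active(self):
        return self.vpn_up or self.switch_on

    def active_rules(self):
        rules = set(PRODUCTION_RULES)
        if self.maintenance_active():          # servicing ports open only on demand
            rules |= MAINTENANCE_RULES
        return rules

    def permit(self, proto, dport):
        return (proto, dport) in self.active_rules()

    def maintenance_windows(self):
        """(start, end) pairs during which servicing ports were open; end is None
        for a window still open, so an operator can spot one left open by mistake."""
        windows, start = [], None
        for now, _event, active in self.log:
            if active and start is None:
                start = now
            elif not active and start is not None:
                windows.append((start, now))
                start = None
        if start is not None:
            windows.append((start, None))
        return windows

class MergedFirewall:
    """All requirements in one permanent set: servicing ports stay open in production."""
    def permit(self, proto, dport):
        return (proto, dport) in PRODUCTION_RULES | MAINTENANCE_RULES
```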
The requirements placed on a firewall in a production zone are different from those in the office world. Therefore, using an industrial firewall with a NAT function supports simple, tailored segmentation of networks. This allows the Defense-in-Depth concept based on the ISA-99 and IEC 62443 international standards to be implemented even in systems using the OPC Classic protocol.