Cyber Security

Cybersecurity – not an optional extra, but a duty

The factory of the future is characterized by the increasing networking of control technology, IT and IoT. The various systems must be seamlessly interconnected to ensure end-to-end digital processes. At the same time, however, this increases the risk of cyber attacks, as attackers have more and more entry points. In the connected world, attacks can cause more damage than ever before. It is therefore essential that security is consistently implemented at all levels. ctrlX AUTOMATION shows how this works while maintaining radical openness in automation.

More and more devices and machines are being networked and communicate via the Internet of Things (IoT). This creates numerous opportunities, but also risks. The more components are connected, the larger the attack surface. Cyber attacks can paralyze production and lead to financial losses and image damage.

Many systems in factories are outdated and were developed without considering cyber security. This makes them more vulnerable to attacks and difficult or impossible to update. It is therefore necessary to develop more resilient solutions. This must include IT systems as well as control technology and the IoT. This means: radical openness at all levels meets security at all levels.

But secure: from the control system to the apps

With ctrlX AUTOMATION, Bosch Rexroth has launched an end-to-end, open automation solution that has been designed from the ground up to be completely secure. The high security standards apply to all components in the automation toolkit and to every component that is later added to the system. The hardware and software products are Secure by Design, meaning that security requirements are taken into account from the development phase onwards. The automation solution, which was developed with a focus on conformity with IEC 62443-4-2, is based on the Ubuntu Core Linux operating system, which is considered to be extremely secure.

The ctrlX CORE controller is an example of the high level of security in the ctrlX AUTOMATION portfolio. The associated IoT software has fully integrated IT security standards according to IEC 62443-4-2 for access control and remote maintenance. In addition, the controller offers various security features such as Secure Boot, a security chip in accordance with TPM 2.0, and a minimal network footprint when delivered. With the optional firewall and VPN client, the controller can be upgraded to a full-fledged network appliance, which ensures the highest possible availability and security of the connected network components.

Since ctrlX AUTOMATION is not a self-contained system, but rather a place where different players pool their domain knowledge, the security strategy also includes the partner network ctrlX World. For example, each of the partner apps offered is validated by Bosch Rexroth. This rules out the possibility of third-party software introducing malicious code. This and the sandboxing principle further increase the security of the other apps installed on the system.

ctrlX developR design with a view to the future

The holistic and fundamental implementation of security standards and mechanisms in all facets of ctrlX AUTOMATION creates a resilient overall system that can also demonstrate these capabilities. Maintaining this level requires continuous further development, not least because new attack types and attack vectors keep emerging.

That is why the ctrlX developR always keep their finger on the pulse and look to the future. The latest security requirements are already taken into account in the planning and development phase. At Bosch Rexroth, “Two steps ahead” also applies when it comes to security.

If you have any questions or require further information regarding ctrlX AUTOMATION, please contact us: sales@cmafh.com

CMA/Flodyne/Hydradyne is an authorized Bosch Rexroth distributor in Illinois, Wisconsin, Iowa and Northern Indiana.

In addition to distribution, we design and fabricate complete engineered systems, including hydraulic power units, electrical control panels, pneumatic panels & aluminum framing. Our advanced components and system solutions are found in a wide variety of industrial applications such as wind energy, solar energy, process control and more.

Secure Protection from Attacks, Malicious Software and Unauthorized Access

Guest contributors: Gerrit Boysen and Mariam Coladonato, Phoenix Contact

High system availability is very important in process engineering, because ongoing processes must not be interrupted. A fence is a physical, easily identifiable security measure that keeps unauthorized persons away from systems. In addition to such physical protections, implementing IT security practices is also becoming more important.

The current trend toward interconnectivity is driving the growing need for IT security in process engineering. Not only is there an increasing number of horizontal interconnections from one system to another, but also the field level is more connected to the office level. In addition, all levels are using more and more Ethernet components. The good news is that this interconnection increases efficiency and reduces costs. The downside of this, however, is that it also increases the risk that malicious software will quickly spread throughout all areas of a company.

Against this background, process-engineering systems are continually exposed to new security vulnerabilities and a growing number of malicious programs. The computers and control systems used in industrial networks must have much more extensive protection from attacks, malicious software, and unauthorized access than they have so far (Figure 1).

Figure 1: The Process Analysis Center is protected by a firewall.

The security strategies used in conventional office IT, however, usually are not designed for industrial systems. Industrial networks require special protective measures. The IT systems used in production environments differ fundamentally from those used in office environments in four ways.

  1. Patches cannot typically be applied to industrial systems
  2. Industrial systems use special protocols such as OPC Classic, which are not used in the office world
  3. Large systems can have structurally identical modular assemblies with identical IP addresses
  4. Production systems often require different firewall rules and standards during maintenance and in the event of remote servicing

Office PCs usually have virus scanners that are updated at regular intervals. These measures do not normally work for industrial systems, for a few reasons. Sometimes the manufacturer of the operating systems or applications used in the industrial sector no longer provides security updates. In addition, every update of the operating system, antivirus software, or an application must first be tested on the industrial PCs, which cannot be done efficiently during ongoing operation.

The use of specific industrial firewalls can protect these non-patchable systems against attacks from outside the network. To do this, hardware-based firewall appliances are connected between industrial PCs and outside networks. Another advantage of using external security hardware is that the system’s resources do not have to be used for security tasks (Figure 2).

Figure 2: Security example from the process industry.

Targeted restriction of network communications

With a firewall, the user configures which protocols and ports may be used to reach the protected systems. This prevents, or at least limits, attempts by an attacker to enter the network through insecure ports. A stateful packet inspection firewall is the appropriate approach for managing these systems. It uses rules to filter data packets in both directions: from the outside into the protected internal network and from the inside out. Depending on the protocol, source address and port as well as destination address and port can be used to restrict network communication selectively to the scope defined as necessary for production. The connection tracking function recognizes the response packets of permitted connections and lets them through.

When selecting a suitable firewall, the engineer must ensure that the selected firewall understands any protocols used in the particular industry. Otherwise, reliable protection cannot be guaranteed. For example, office firewalls typically do not support industrial protocols such as OPC Classic, so they cannot provide appropriate protection for the application.

While conventional firewalls cannot reliably protect data traffic via OPC Classic, industrial variants – such as one with a license for OPC Inspector – can provide a suitable solution. The firewall checks the OPC Classic communications data packets and filters them precisely, based on Deep Packet Inspection. For this purpose, the Stateful Inspection principle is also applied to OPC Classic data. This means that the firewall identifies the port changes negotiated in the OPC Classic protocol and approves them dynamically. In this context, it checks whether a port opened by OPC is actually used within a timeout period and whether the data traffic moving through this port corresponds to the OPC protocol. This method provides a high level of access security (Figure 3).
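The two mechanisms described above, connection tracking for response packets and dynamically approved OPC Classic ports with a timeout and a protocol check, as a small model in Python. This is an added example and not Phoenix Contact's or the article's code; the addresses, the rule, and the "OPC-EPM port=N" announcement string are constructed stand-ins, since real OPC Classic negotiates ports inside binary DCOM/RPC messages.

```python
import re
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""

@dataclass
class StatefulFirewall:
    rules: list                                   # permitted (src, dst, dport) initiations
    pinhole_timeout: float = 30.0                 # seconds a negotiated port may stay unused
    clock: float = 0.0                            # simulated time in seconds
    conntrack: set = field(default_factory=set)   # (src, sport, dst, dport) of open connections
    pinholes: dict = field(default_factory=dict)  # (client, server, port) -> expiry time

    def allow(self, p: Pkt) -> bool:
        # Response of a tracked connection: pass it, and look for an endpoint-mapper
        # reply announcing the dynamic port the server wants the client to use next.
        if (p.dst, p.dport, p.src, p.sport) in self.conntrack:
            m = re.fullmatch(r"OPC-EPM port=(\d+)", p.payload)
            if m:
                self.pinholes[(p.dst, p.src, int(m.group(1)))] = self.clock + self.pinhole_timeout
            return True
        key = (p.src, p.dst, p.dport)
        if key in self.pinholes:
            if self.clock > self.pinholes[key]:
                del self.pinholes[key]              # not used within the timeout: closed again
                return False
            if not p.payload.startswith("OPC"):
                return False                        # non-OPC traffic on an OPC port is dropped
            del self.pinholes[key]                  # consumed; the connection is now tracked
        elif key not in self.rules:
            return False
        self.conntrack.add((p.src, p.sport, p.dst, p.dport))
        return True

def opc_session(delay: float) -> list:
    """Constructed scenario: client 10.0.0.5 binds to OPC server 192.168.1.10 via the
    endpoint mapper (TCP 135), learns port 49153, and connects to it `delay` s later."""
    fw = StatefulFirewall(rules=[("10.0.0.5", "192.168.1.10", 135)])
    verdicts = [fw.allow(Pkt("10.0.0.5", 40000, "192.168.1.10", 135, "OPC bind"))]
    verdicts.append(fw.allow(Pkt("192.168.1.10", 135, "10.0.0.5", 40000, "OPC-EPM port=49153")))
    fw.clock += delay
    verdicts.append(fw.allow(Pkt("10.0.0.5", 40001, "192.168.1.10", 49153, "OPC request")))
    # a port the server never announced stays closed even for OPC-looking traffic
    verdicts.append(fw.allow(Pkt("10.0.0.5", 40002, "192.168.1.10", 49154, "OPC request")))
    return verdicts
```

With a 5 s delay the negotiated port is usable, with a 60 s delay it has already been closed again, and a connection to an unannounced port is refused in both cases.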

Figure 3: Deep Packet Inspection in the OPC protocol.

Unique and clear mapping to virtual external networks

Complex production sequences are typically structured into networked, largely standalone cells. For efficient engineering, documentation, and cell operation, it is advantageous to use identical IP addresses for all systems of a single type. If all communications are initiated from the internal cell networks, several identical systems can be connected to the operator’s production network with simple masquerading NAT (Network Address Translation) routers. If the higher-level network also needs to establish connections to the individual cell nodes, however, this solution is not sufficient, because the cell nodes cannot be addressed from the outside. In this case, the user requires a router that can map the internal machine networks, either completely or selectively, to unique virtual external networks using 1:1 NAT.

Because of this, an industrial firewall offers the so-called 1:1 NAT routing function in addition to plain masquerading NAT routing. OPC Inspector, mentioned above, supports this NAT function for the OPC Classic protocol as well. This sets it apart from conventional office firewalls and other industrial firewalls.
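The 1:1 NAT mapping described in the two paragraphs above, as an added Python model that is not from the article or Phoenix Contact: every cell keeps the identical internal network 192.168.1.0/24, each cell router maps it to a unique virtual external network 10.10.<cell>.0/24 (a constructed addressing plan), and the production network can therefore address a node in a specific cell, which masquerading NAT alone does not permit.

```python
import ipaddress

class OneToOneNat:
    """1:1 NAT for one cell: the host part of an address is kept, the network part
    is swapped between the cell's internal network and its virtual external network."""

    def __init__(self, internal_net: str, external_net: str):
        self.internal = ipaddress.ip_network(internal_net)
        self.external = ipaddress.ip_network(external_net)
        if self.internal.prefixlen != self.external.prefixlen:
            raise ValueError("1:1 NAT needs two networks of the same size")

    @staticmethod
    def _swap_network(addr: str, src_net, dst_net):
        a = ipaddress.ip_address(addr)
        if a not in src_net:
            return None                      # address does not belong to this mapping
        offset = int(a) - int(src_net.network_address)
        return str(dst_net.network_address + offset)

    def to_internal(self, external_addr: str):
        """Inbound: rewrite the destination of a packet from the production network."""
        return self._swap_network(external_addr, self.external, self.internal)

    def to_external(self, internal_addr: str):
        """Outbound: rewrite the source of a packet leaving the cell."""
        return self._swap_network(internal_addr, self.internal, self.external)

def build_cells(n: int, internal_net: str = "192.168.1.0/24") -> dict:
    """One router per cell; all cells share internal_net, each gets 10.10.<cell>.0/24
    on the production side (constructed addressing plan)."""
    return {cell: OneToOneNat(internal_net, f"10.10.{cell}.0/24") for cell in range(1, n + 1)}

def route_inbound(cells: dict, external_dst: str):
    """Resolve a production-network destination to (cell, internal node), or None if the
    address is not mapped. With masquerading NAT alone this lookup would be impossible,
    because the cell nodes have no externally reachable address."""
    for cell, nat in cells.items():
        internal = nat.to_internal(external_dst)
        if internal is not None:
            return cell, internal
    return None
```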

Event-controlled (de)activation of firewall rules

Different firewall rules and standards have advantages in different situations, because different connections are allowed or forbidden during production operation, maintenance, and remote system servicing. In practice, the user usually solves the problem by merging the various firewall requirements into a single rule set. This procedure inevitably lowers the level of security, because the firewall rules then allow all connections required for any of the operating states, even those not required for the current operation.

An industrial firewall solves the problem by implementing a Conditional Firewall. This function allows firewall rules to be activated or deactivated depending on events. A variety of events – such as an externally connected button or switch, a control element in a web interface, a command-line API call, or the establishment or disconnection of a VPN (Virtual Private Network) connection – can be selected to trigger a specific firewall rule (Figure 4).
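The contrast drawn in the two paragraphs above, one merged rule set versus event-controlled rule sets, as an added Python model that is not the article's or Phoenix Contact's code. The hosts, ports, rule sets and event names are constructed assumptions; the point it shows is that the merged set exposes every connection all the time, while the conditional firewall exposes only what the current operating state needs.

```python
# Constructed rule sets: (source, destination, TCP port) triples that each operating
# state needs. Hosts and ports are assumptions for the example only.
PRODUCTION = {("scada", "plc", 502)}                                  # process data only
MAINTENANCE = {("engineering-pc", "plc", 102), ("engineering-pc", "plc", 22)}
REMOTE_SERVICE = {("vpn-peer", "plc", 443)}

class ConditionalFirewall:
    """Rule sets are switched on and off by events instead of being merged."""

    EVENTS = {                     # event -> (rule set, activate?)
        "maintenance_switch_on": ("maintenance", True),
        "maintenance_switch_off": ("maintenance", False),
        "vpn_up": ("remote_service", True),
        "vpn_down": ("remote_service", False),
    }

    def __init__(self):
        self.rule_sets = {"production": PRODUCTION, "maintenance": MAINTENANCE,
                          "remote_service": REMOTE_SERVICE}
        self.active = {"production"}          # only the production set at power-up

    def on_event(self, event: str) -> None:
        if event not in self.EVENTS:
            raise ValueError(f"unknown event: {event}")
        name, activate = self.EVENTS[event]
        (self.active.add if activate else self.active.discard)(name)

    def allowed(self) -> set:
        """Connections permitted right now: the union of the active rule sets only."""
        return set().union(*(self.rule_sets[n] for n in self.active))

    def allow(self, src: str, dst: str, dport: int) -> bool:
        return (src, dst, dport) in self.allowed()

def merged_rule_set() -> set:
    """The conventional workaround the text criticises: all requirements in one static set."""
    return PRODUCTION | MAINTENANCE | REMOTE_SERVICE

def exposure(events: list) -> list:
    """For the initial state and after each event, return (conditional, merged) counts of
    permitted connections. The merged figure never drops; the conditional one tracks need."""
    fw = ConditionalFirewall()
    counts = [(len(fw.allowed()), len(merged_rule_set()))]
    for event in events:
        fw.on_event(event)
        counts.append((len(fw.allowed()), len(merged_rule_set())))
    return counts
```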

Figure 4: Secure remote access to the system.

Summary

The requirements placed on a firewall in a production zone are different from those in the office world. Therefore, using an industrial firewall with a NAT function can support the individual, simple segmentation of networks. This allows the Defense-in-Depth concept based on the ISA-99 and IEC 62443 international standards to be implemented even in systems using the OPC Classic protocol.