By Dr. Harald Hoffmann, Head of the Industrial Security Unit at Janz Tec AG and Managing Director at Thinkurity GmbH, Paderborn
Many producers integrate systems from different manufacturers in their machinery. The manufacturers are involved in service and operational processes and responsible for the availability and reliability of the supplied machinery.
How a producer embeds the machinery and systems in his digital infrastructure is key since, within this IT network, all parties - producers, manufacturers and, when necessary, service providers - can cross their organizational boundaries. The network partners must ensure that none of the parties can obtain the private information of the other.
Preventing unauthorized access
In order to ensure the operation of the supplied machinery, the manufacturers need dedicated, secure access to the machinery. To this end, the producer must create the necessary network connections. However, a direct implementation of this network topology can lead to serious problems. These include:
- the unauthorized access to the production information of another manufacturer, or
- access to the producer's Manufacturing Execution System (MES) by one or more manufacturers.
The retrofitting of existing machinery and plants with secured IT components makes it possible to move towards Industrie 4.0 in secure steps and with comparatively low investments. The IEC 62443 "Industrial communication networks - Network and system security" set of standards supports producers and manufacturers of machinery to prepare for the integration of the machines. It defines a set of standards specifically aimed at the IT security of control and automation systems, i.e. on industrial security.
Identifying protective zones
The integration concept begins with the system documentation and identifies the zones within an organization to be protected. The parties assign security levels to the zones which define the requirements on the technical measures and processes. By considering the necessary information and data flow between the security zones, they can define the necessary network connections (conduits) and create a network topology.
When the manufacturers define requirements for the remote monitoring and configuration of the used machinery and plants, this lead to topologies that finally break down the classical, hierarchical approaches of communication between the security zones when the machinery is mixed. In these cases, communication crosses the respective company boundaries.
Defining security requirements
Therefore, the producer should finish by analyzing which threats the individual security zones are exposed to and which protective measures are necessary for them. This results in security requirements which he desperately needs to consider in his selection of IT equipment:
- securing of the equipment as well as hosted data, services and applications
- establishing and securing of the connections between the zones
- creation of an autonomous operation of each zone, for example for emergency operation including the local provision of all necessary data, services and applications.
Disconnecting security zones
Security appliances allow you to connect the elements of the same security zone, but separate the zones from each other. Thus, data from one security zone cannot end up in another.
This company security platform implements a multi-stage security concept. At the lowest level, measures are taken which exclude manipulation of the security device and thus prevent sabotage of the security architecture. On the next level, the security platform allows the establishment of subnetworks (VLAN). Within a security zone, the authentication and authorization is carried out by the Extensible Authentication Protocol (EAP). This allows producers to create security zones with different access rights based on a common infrastructure.
Safeguarding network connections
In order to safeguard network connections, standard VPN implementations are used which ensure the confidentiality and integrity of the data. This enables users of the security platform to implement the infrastructure even in non-trusted environments such as the Internet.
If users use the solution for temporarily storing data, for example for machine configurations or formulas, they are stored in an encrypted form. A role-based access control manages the access to data.
IEC 62443 outlines an approach that must be taken into consideration when upgrading existing machinery and plants for future business models. When applying the standard, producers and manufacturers should pay particular attention to ensuring that the zones and connections are made secure using appropriate systems.
vdma.org: Industrial Security | VDMAimpulse 03-2017: "The invulnerable machine" | VDMAimpulse 03-2017: "Comprehensive security concept" | VDMAimpulse 03-2017: "Innovative risk management with CMDB" | VDMAimpulse 01-2016: "Security - A moving target"