Tackling the challenge of service access cybersecurity
To carry out service and maintenance at the highest level, employees of the operating company as well as the machine manufacturer's external service technicians need access to the plants. A dedicated service network zone serves as the hand-over point for such connections, where they can be securely restricted and monitored.
The majority of plants and machines in production networks are already networked as part of the pioneering Industrie 4.0 project, also known as the Industrial Internet of Things. To keep data and services consistent, production networks are in turn connected to company-wide (office) networks and, through them, to the Internet. The number of production networks connected in this way will continue to grow.
Although this development opens up a number of opportunities, protecting access to such complex networked plants and machines poses great challenges for operators in terms of IT security, known within the industry as ICS (industrial control system) security.
Known best practices, such as building a security architecture on the Defense in Depth principle in accordance with ISA99 and IEC 62443, reduce production-related data streams to a defined set and thereby protect machines and plants. Providing maintenance and programming access to such systems, however, is a special task in its own right.
Dial-in nodes as a security risk
As with the 'onion' approach to IT security, implementing the Defense in Depth concept means constructing several network security layers that are shielded from one another by access restrictions. The outermost layer is connected to the Internet and is therefore the least trusted level. These levels are also known as 'trust levels'; the trust level increases with each successive network layer.
The heart of the 'network onion' thus consists of the systems that require an especially high level of protection: in production networks, these are the machines and plants together with their components. They are protected by hiding them in invisible subnetworks through NAT (network address translation) and masquerading, and by access restrictions that only permit the data streams absolutely necessary for manufacturing.
To carry out service and maintenance tasks, the responsible employees of the operating company as well as the machine manufacturer's external service technicians need access to these specially protected network areas. In the past, they often reached them through their own dial-in nodes. Dial-in nodes that are directly reachable from the telephone network, however, pose a significant security risk: the caller can reach the entire network and usually does not have to authenticate at all to the systems connected to it. Today this outdated setup is often replaced by widely used VPN remote maintenance access.
Setting up service networks
VPN remote maintenance verifies the identity of the persons authorized for access and encrypts the transmitted data. However, once authenticated, individuals still have unrestricted access to the protected network. Moreover, because the traffic is encrypted, the machine operator has no insight into the data and therefore no control over it, so damaging events cannot be traced afterwards. A further problem is that each machine manufacturer prefers to use its own remote access system, which results in heterogeneous, unmanageable IT landscapes. Finally, VPN remote maintenance access does not solve the issue of giving the operator's own service technicians controlled, authenticated access.
If internal service employees are granted extensive access rights to the plants and machines, the security level drops significantly. Such access should therefore always be reduced to the minimum necessary level. One way of doing so is to set up a separate, isolated network zone (a service network) in which service connections are handed over or routed. In the IT sector, this type of network zone is also known as a demilitarized zone (DMZ).
Security appliances protect the individual manufacturing cells and enable the construction of service network zones.
Control all service connections
The security appliances of the FL mGuard product range by Phoenix Contact are designed for industrial applications and protect individual manufacturing cells. They also enable service network zones to be constructed.
Because they are designed systematically for ICS security, these devices offer precisely the range of functions required for the tasks described here. The service network is ideally located at the level of the production network; the two networks are separated and isolated from one another by the security appliances. The FL mGuard products also act as the access point for the individual networks of the production cells, which are transparently integrated into the service network via VPN connections. VPN-based service connections to the production cells can then be set up and torn down as needed, for example with a key switch wired to the security appliances' integrated digital I/Os.
Alternatively, machine operators can use an HMI device that reports the internal network events. Either way, operators control all possible service connections at all times. Firewall rules inside the VPN connections determine which service access is authorized. If VPN connections are not permitted in the internal networks, the GRE (Generic Routing Encapsulation) tunnel function together with the conditional firewall (changeable firewall rule sets) provides the same functionality.
During servicing, machine operator technicians are integrated into the network via VPN connections or direct access.
Activate dynamic firewall rules
The machine manufacturer's external service technicians connect to the service network zone via VPN. Phoenix Contact offers suitable solutions for this as well, with the FL mGuard Secure VPN Client or the FL mGuard Smart2 VPN.
The machine operator's own technicians can connect via VPN connections or via direct network access. All access can be configured so that the respective technician must first authenticate at the user firewall of the security appliances.
This opens up the opportunity to activate dynamic firewall rules for defined users. These rules are bound to the IP address from which the user authenticated, so each technician is granted only the specific access assigned to them, and a multi-level security concept can be built on this. If the operator accepts the VPN solutions preferred by the machine manufacturer, the corresponding end devices should be placed inside the service network zone.
Providing service access to plants and machines offers operators significant advantages, but also entails large challenges in terms of access security. The right strategies and dedicated technologies allow operators to master these challenges, reducing maintenance costs while increasing availability.
Andreas Fuß, Marketing Network Technology, Phoenix Contact Cyber Security AG.