Beckhoff EtherCAT measurement technology
Industrial Ethernet Book Issue 78 / 15
Request Further Info   Print this Page   Send to a Friend  

Successful protection for industrial networks

Following a risk analysis, Volkswagen AG has introduced a new security standard for its car bodywork production network at its plant in Emden, Germany. Thanks to segmentation of the network, installation of industrial firewalls and stricter access rules, the systems are now protected against unauthorized access.

Volkswagen AG took a series of steps to prevent attacks on sensitive production systems that were insufficiently protected against unauthorized access.

Ethernet-based production systems are becoming increasingly well-established. Easy integration into Intranet and Internet, the high bandwidth of up to Gigabits per second and decreasing costs of industrially specified cables, connectors, switches, and routers are the reasons behind this development.

Industrial network security

The other side of the coin is an increased risk of malfunctions and production interruptions due to security loopholes in industrial networks. For this reason, an internal risk analysis was conducted at Volkswagen AGs Emden car body production plant and the security of the systems was scrutinized, including their control technology. The result: sensitive production systems were insufficiently protected against unauthorized access because attacks can be triggered by malware, inadvertent access or unintentional misentries during internal network operations and their prevention by centralized firewalls is very complex and not cost-effective.

Employees of third party companies who access the network using their laptops during service operations, or for hardware and software installations that can unintentionally spread malware, are deemed to pose a potential risk, for example. Unintentional misentries were also identified as problematic weaknesses.

Jens Hoofdmann, Bodywork Maintenance Specialist, cites one problematic issue arising from the analysis: "A typical example is the installation of a server which subsequently sends ping packets to the entire network at short intervals. Such permanent requests can disrupt or even crash an industrial controller."

New security rules

At Volkswagen, an action item matrix was developed based on the risk assessment, encompassing organizational changes, network segmentation and the introduction of distributed industrial firewalls.

When it came to selecting suitable hardening and security measures Volkswagen AGs Emden plant opted for industrial routers with an integrated firewall. The distributed industrial firewall/router solution segments the production network in the car body construction plant at Emden into 15 isolated subnetworks. For central protection featuring comparable granularity, all systems and sub-networks would need star layout network cabling with a high-capacity firewall in a complex configuration. Given the typical distances between network nodes at industrial plants this proves particularly expensive and inefficient which is why these environments are virtually dominated by tree-shaped and linear cable topologies and therefore better suited to a distributed firewall approach.

Distributed firewall/router

The central IT department was also involved in the preliminary discussions regarding implementing the new structure, the technical evaluation and startup monitoring. The production-related IT department ultimately assumed responsibility for addressing the planning, installation, commissioning and administration tasks.

The system network had already been successfully planned and put into operation in conjunction with Phoenix Contact. The experience gained from this project and the knowledge acquired of the systems proved highly beneficial during the network protection operations. The company selected mGuard industrial firewall/router modules from Phoenix Contact and Innominate. The key criteria in their selection were their suitability for industrial applications and the availability of a central management system.

The mGuard technology is based on embedded Linux and integrates four coordinated security components: a bidirectional stateful inspection firewall, a flexible NAT router, a secure Vpn gateway and industry- suitable protection against malware as an option.

the mGuard security appliance is self-suffi - cient and can be subsequently integrated into existing production networks without repercussions using its stealth mode of operation , which proved to be particularly advantageous. as such, in routing terms, the fi rewall behaves transparently as a bridge.

Sensitive production systems tend to be inadequately protected. Imported malware or unintentional incorrect misentries on the internal network cannot be prevented by central fi rewalls.

Setting up industrial fi rewall

hoofdmann said that installing, setting up and integrating the industrial fi rewalls was easy, and devices were used in a distributed manner in control cabinets to protect every uplink connection. in hardware terms, Volkswagen aG was able to mount the 24 V din rail devices directly into the control cabinets, and allow its own staff members to start them up based on the existing network structure and without any re-cabling operations.

a very pragmatic approach was adopted towards setting up the fi rewall rules. in the fi rst instance, all data traffi c was permitted and access to the subnetworks was only logged. the log files were subsequently evaluated and recorded in the form of rules governing which type of access should be permitted in future. the rules were tested, revised and fi nally defi ned in their present form.

Central management system

the innominate device manager (idm) central management system used in this installation offers a template mechanism facilitating central confi guration and management of all mGuard devices. the parameters for fi rewall rules and nat settings are directly confi gured in system without abstract security policies needing to be defi ned.

an upload function is used to upload the rules to all the listed devices and confi gure them in one step. the idm enabled special rules to be implemented between the subnetworks, subgroups, and user groups and then distributed to all fi rewalls.

according to the maintenance team at Volkswagen Emden, device management has been facilitated by the central management system. Generating a new fi rewall rule within fi ve minutes in order to grant a member of the service team access, for example, is no longer an issue.

Protection for sensitive applications

robots, pLcs, panel pcs, laser technology, welding systems, controllers and a driverless transport system have since been protected by distributed firewalls on the Emden car bodywork production network.

hoofdmann reports that there have been no security incidents since the firewalls were installed. however, they have been able to identify infected devices from other production sectors based on the log fi les. in one of these instances, a virus had attempted to spread to other devices. however, access to the protected computers was blocked and it was possible to advise the other sectors of the malicious malware.

"our experience with the mGuard industrial firewalls is nothing but positive," said hoofdmann. "all unauthorized access is blocked and the systems are now better protected against malware."

Application story by Innominate Security Technologies.

Source: Industrial Ethernet Book Issue 78 / 15
Request Further Info    Print this Page    Send to a Friend  


DINSpace fiber optic and Cat 6 patch panels
Siemens IWLAN  the WLAN for challenging industrial applications
Accelerate your HART data at the speed of Ethernet
iManufacturing Shanghai 2019
Industry of Things World

Get Social with us:

© 2010-2019 Published by IEB Media GbR · Last Update: 19.09.2019 · 28 User online · Privacy Policy · Contact Us