Industrial Ethernet Book Issue 67 / 44

The changing network security threat demands layered defence

Security requirements for industrial Ethernet networks are quickly migrating from Enterprise networks to process control and other industrial environments. The recent issues with the clever Stuxnet malware have given us all a wake-up call, and we now need to take a fresh look at how security is managed within industrial networks. CLPA's John Browett considers the potential threats to network security, and their mitigation.

IN THE PROGRESSION toward Ethernet as the industrial network of choice, considerations for network security have lagged behind somewhat, yet there is the very real possibility of networks being compromised both from outside a given facility, and from within.

The furore over Stuxnet and worries about a possible 'son-of-Stuxnet' has greatly raised awareness that the need for better cyber security must be taken seriously by automation, process and critical infrastructure industries alike.

The risk of deliberate hacking from within a company is difficult to protect against and is as much a personnel security issue as a general network security issue. Sensible security considerations, however, need to extend to the possibility of personnel accidentally connecting the wrong device to the wrong part of a network, or to unauthorised users finding themselves able to adjust key process parameters without realising what it is that they're doing.

In addition, as companies come to see the benefits of remote access to plants, monitoring processes by standard web browsers for example, then they are opening themselves up to the possibility of abuse of the network by third parties.

In particular, last year's incident involving the widely publicised Stuxnet virus that attacked SCADA systems has shown that a typical plant floor control architecture has weak points and vulnerabilities when it comes to security. This has led many companies to question the traditional methods used to move information around between the plant/asset and the enterprise level.

The Stuxnet virus changed the point of attack in the business from the seemingly very secure top end to the somewhat vulnerable middle ground. At this level we frequently see PC-based control systems with little or no security implemented, and some technologies still being used despite known vulnerabilities.

Fig. 1 : IT security threats in a modern network. These come from many directions, both from without and within.

Security problems at this level, and at plant floor device level, are exacerbated by the fact that there is often limited collaboration between a company's IT department and the control engineering departments. In addition, within the control and engineering community, there is not always adequate recognition of the automation system security threats and liabilities. In particular, the business case for automation system security is not established, and there is limited understanding of the automation system risk factors (see Figures 1 and 2).

Fig. 2: IT and automation convergence: Control systems can be accessed from many different points.

Risk increases with openness

The drive towards open network technologies generally, and towards Ethernet in particular, as a means of giving companies the freedom they want to choose best of breed control technologies has exacerbated the security threat. Users want standardisation, flexibility and choice, and this has been delivered through standardised open protocols. The trade-off, though, which is only just coming to be realised, is that these open protocols are less robust and more susceptible to attack (see Figures 3 and 4). By contrast, the old proprietary networks were highly robust by virtue of their non-standardisation, but they were far less flexible and they ultimately limited product choice.

Fig. 3: Security considerations and where we started: Older proprietary networks were highly robust by virtue of their non-standardisation.

Fig. 4: Security considerations - where we are: By contrast, open protocols are less robust and more susceptible to attack.

Looking then at what the ideal industrial network would offer, a wish list might combine the robustness of the old with the flexibility of the new. Such a list might include common cabling, standard connectors, open standards, ease of configuration, flexibility, the highest possible security, and reduced susceptibility to attack.

Looking at the layers

In looking at how industrial Ethernet might be adapted to meet the requirements of this list, it is worth revisiting the definition of Ethernet, because nowhere in networking parlance has a single word been so misused as an umbrella term for so many disparate standards, technologies and applications. The best place to start is with the OSI seven layer model itself, because Ethernet can achieve little without the layers above it.

Layer 1, the Physical Layer, defines all the electrical and physical specifications for devices. In particular, it defines the relationship between a device and the physical medium. Layer 2 is the Data Link Layer, providing the functional and procedural means to transfer data between network entities and to detect errors (and possibly correct them) that may occur in the Physical Layer. It is here that Ethernet is defined as a network protocol under the IEEE 802.3 standard.

Over the years, Ethernet has become synonymous with the TCP/IP suite, but one does not necessarily imply the other. IP is defined under the Network Layer (Layer 3) of the OSI model. This layer provides the functional and procedural means of transferring variable length data sequences from a source to a destination via one or more networks. The Transport Layer (Layer 4) provides transparent transfer of data between end users, and defines the likes of TCP and UDP.

The Session Layer (Layer 5) controls the connections between computers, whilst the Presentation Layer (Layer 6) transforms the data to provide a standard interface for the Application Layer (Layer 7) at the top of the model. It is in Layer 7 that typical applications, such as FTP, HTTP, RTP, SMTP, SNMP and others, are found.

In summary, therefore, when it comes to operating as a communications architecture in industrial networks, Ethernet is capable of very little without the layers that sit above it.

Vulnerability lower down

Not all industrial Ethernet offerings implement the Ethernet stack in the same way. Within the Application Layer, the various industrial Ethernet organisations implement their own kernels and protocols, which define much of the functional benefits of their technologies. From a security point of view, though, what is really of interest are the more vulnerable lower layers.

Under the seven layer model, all it takes is for one layer to fall to an attack before the whole communications system is compromised - potentially without the other layers even being aware that there is a problem. Security is only as strong as the weakest link.

Industrial network security issues

Security issues in an industrial environment typically concern network infrastructure device access (physical security, port security, local passwords, securing administrative access, notification banners), network device protection, resiliency and survivability.

Ethernet switch functionality may include both local user and global password encryption to help secure locally stored information. Authentication, Authorisation and Accounting (AAA), which is highly secure but can be difficult to use, can be employed for access control to network infrastructures. Per-port static MAC address configurations provide very high security, but the maintenance burden can be high. Other security best practices relevant to manufacturing areas typically include VLAN best practices, restricting broadcast domains, Spanning Tree Protocol (STP) security, Dynamic Host Configuration Protocol (DHCP) and Address Resolution Protocol (ARP) spoofing protection, and traffic storm protection. IP address allocation must also be protected.

The protection of network assets needs defence-in-depth security. This can be achieved using many layers of physical and electronic defence at the various logical framework levels. Policies and procedures that help protect against the different types of threats should be used or devised.

Physical security should not be forgotten. This means applying computer and controller hardening, including antivirus software, as well as AAA procedures. It also means limiting people's access to areas containing relevant equipment and network cabling - only authorised personnel should have access.


There are a number of discrete security products available, and these work well, but one of the biggest problems in the industrial arena lies in implementing tightly integrated security systems without incurring excessive costs and without imposing a level of complexity that makes the system difficult to maintain and support. Further, standard commercially available security solutions are rarely up to the rigours of life in challenging industrial environments.

In terms of network technology, much work has been done to make Layer 2 more secure, but in classic implementations of industrial Ethernet, little has been done to address weaknesses in the Network Layer (Layer 3) and the Transport Layer (Layer 4). Like the office Ethernet implementation, the vast majority of industrial Ethernet technologies are still built around IP within Layer 3 and TCP/UDP within Layer 4.

Most industrial Ethernet network installations implement perimeter security (firewall services) at points where they connect to other networks to provide protection at these vulnerable layers. Firewalls filter on source and destination IP addresses and protocol port numbers (for example TCP and UDP ports) to further restrict the traffic permitted to enter an Ethernet network. Packet filtering may be implemented even among known network communities, and in some cases filtering deals with very specific device addresses and application ports to provide a layer of access security unique to an attached device and application. Despite this however, in classic industrial Ethernet implementations, Layers 3 and 4 are still highly vulnerable to attack.
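The kind of Layer 3/4 perimeter filtering described above, reduced to a small stateless rule evaluator. This is an added example, not code from the article or from CLPA; the segments, hosts, ports and rules are constructed for illustration.

```python
"""Stateless perimeter packet filter: first matching rule wins, default deny.

Added example. Enterprise segment 10.1.0.0/16, plant segment 192.168.20.0/24
and the individual hosts below are constructed values, not from the article.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source network in CIDR notation
    dst: str              # destination network or single host (/32)
    dport: Optional[int]  # destination port; None matches any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


# Constructed rule set: one device/application pair per allow rule,
# then an explicit deny for the rest of the enterprise-to-plant traffic.
RULES = [
    # One enterprise HMI may browse one plant web server (HTTP, TCP/80).
    Rule("allow", "tcp", "10.1.5.20/32", "192.168.20.10/32", 80),
    # One management host may poll SNMP (UDP/161) on the plant segment.
    Rule("allow", "udp", "10.1.5.21/32", "192.168.20.0/24", 161),
    # Everything else from the enterprise side into the plant is denied.
    Rule("deny", "any", "10.1.0.0/16", "192.168.20.0/24", None),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """Compare the packet's Layer 3/4 header fields against one rule."""
    return (
        (rule.proto == "any" or rule.proto == pkt.proto)
        and ip_address(pkt.src) in ip_network(rule.src)
        and ip_address(pkt.dst) in ip_network(rule.dst)
        and (rule.dport is None or rule.dport == pkt.dport)
    )


def filter_packet(pkt: Packet, rules=RULES) -> str:
    """Return the action of the first matching rule, or "deny" if none match.

    The filter never sees the payload: a permitted HMI-to-web-server flow
    is still only as safe as the application behind port 80.
    """
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"
```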

Open RTP within stack layers

CC-Link IE (Control and Communication Link Industrial Ethernet - see Box 1), however, is different from conventional implementations because it defines an open 'Real-Time Protocol' within the stack layers (see Figures 5 and 6). By taking this approach to implementing these layers within the Ethernet stack, it realises the benefits of our network technology wish list.

Fig. 5. The Ethernet stack with uncontrolled knowledge base: Common dialect and ID. CC-Link IE defines an open 'Real-Time Protocol' within the stack layers.

Fig. 6. The Ethernet stack with open/controlled knowledge base: Regional dialect and bespoke ID.

It uses standard Ethernet connectors, it is easy to configure and it is highly robust. It is also an open standard, so users still have that freedom of choice in the selection of best-of-breed component technologies. Most importantly from a security point of view, it inherently offers the highest possible security and is therefore less susceptible to attack. These are significant advantages over alternative industrial Ethernet implementations.

The key distinguishing factor is an open, but controlled, knowledge base for the network technology. Hence while bona fide companies can implement the technology on an open basis, it will be harder for the bad guys to infiltrate.

Security requirements for industrial Ethernet networks are continuing to evolve, with sophisticated requirements increasingly migrating from Enterprise networks to process control and other industrial environments. Wherever there are network installations, companies need to look at the probability of attacks to the network, and the risk associated with any attack (see Fig. 7).

Fig. 7. The hacker's decision grid: A network using an open but uncontrolled knowledge base compared with a network using an open but controlled knowledge base.

In every case, as security becomes more important, companies must look at ways to mitigate the risk, reduce the risk or eliminate the risk as appropriate within each branch of the network topology.

With its open standards approach combined with proprietary communications technology, the CC-Link IE implementation of industrial Ethernet represents a real option in the drive to maximise and optimise network security.

About CC-Link IE

CC-Link IE was developed by CLPA as the first completely integrated gigabit Ethernet network for industrial automation, defining the new threshold for open standards for Industrial Ethernet.

CC-Link IE combines the best of many existing technologies and applies them to an optical or copper based industrial network system with a redundant architecture that enables extremely high-speed and reliable data transfer between field devices and other controllers via Ethernet links. The signalling rate of 1Gbps is more than enough to cater for most real-time communications requirement of today's manufacturing industries.

There are variants of CC-Link IE to address control requirements at all levels of the automation network. At controller level, there is CC-Link IE Control. At device level, there is CC-Link IE Field and CC-Link IE Motion. Moreover, there is tight integration with the CC-Link fieldbus.

John Browett is the Acting General Manager of CLPA - Europe.
