Industry NewsDecember 12, 2020

Industrial automation security: Specialized or better integrated?

Industrial Control Systems & Security

Digitization offers many opportunities, but also poses risks. For example, the factory network may be subject to unwanted attacks, such as unauthorized access, malware, incorrect operation or malfunction.

To address these risks, cyber security includes technical measures designed to prevent or at least contain damage. Essentially, these are methods to limit access and approaches to protect integrity. The individual measures complement each other in their effects.

Dr.-Ing. Lutz Jänicke, Corporate Product & Solution Security Officer, Phoenix Contact

Dr.-Ing. Lutz Jänicke, Corporate Product & Solution Security Officer, Phoenix Contact

Protection against unauthorized access

Regardless of whether a targeted attack or a misuse must be prevented, access protection is probably the most important instrument of cyber security. It begins with physical protection against unauthorized access and continues on the communication level. If the attacker does not gain access to the network, the damage potential is obviously much lower.

Protection at the network level

Firewalls are the first line of defense to prevent unauthorized intrusion via communication links. They filter the communication connections so that only permitted connections can be established. This filtering can either be integrated into a device or implemented by a dedicated firewall component in the network. A built-in firewall is advantageous in terms of cost, but is more vulnerable to attack depending on the quality of the main system implementation. If many different devices with integrated firewall are to be used, all variants must be administered and maintained. If the main system is nevertheless successfully attacked, the firewall can also be infiltrated. In addition, the high-quality setup of a firewall requires own knowledge, which is not always available.

A dedicated firewall as an external device requires a target-oriented investment, but allows a selection independent from the other automation components. In addition, central administration can be realized. The independent security device proves to be robust against weak points in other automation components. It can be patched and updated without affecting the function of the overall system. In the event of a network overload, the firewall provides protection because it can itself take the load and thus shield the automation components located behind it.

Remote connection protection Remote connections via the Internet should always be encrypted, for example via VPN. The protocols used for this purpose generally not only protect against the interception and tapping of information, but also contain mechanisms to protect against manipulation. For the implementation, it is also true here that integration through software or as an already built-in function opens up cost advantages, while execution as a dedicated component has a positive effect on the quality of the implementation and administration. That’s why the functions of a VPN gateway and a firewall are combined in numerous solutions.

Protection at user level

If the communication has been allowed by a firewall or is possible via a local access, it should be protected by a user login. The user management can take place locally, but is then difficult to administer. Central management systems prove to be more practical. If the automation system does not support access control, a dedicated firewall can help. This firewall will only allow pre-defined connections if the user has already logged on to the firewall.

Protection against malware

Many damages are caused by malware whose damaging effect only occurs when it is executed. To prevent the malware from being implemented nevertheless, anti-virus software is available as a classic security product. However, its quality depends on the detection rate and regular updates. Furthermore, the demands on computing power and occasionally observed error detections lead to malfunctions in automation applications. Solutions that directly prevent the execution of unknown software – keyword: whitelisting – as well as automation components with built-in integrity protection are more suitable. An essential element here is a secure patch and update process that only allows the installation of original software or firmware.

Conclusion

The comparison of integrated security functions with specialized security products makes it clear that both concepts have their strengths and should at best complement each other. Built-in functions prove to be particularly useful if, for example, the entire application is operated by a single control unit that is also used to connect to the Internet. More complex systems consisting of several devices are better connected by specialized firewalls and VPN gateways. Simultaneous use of the security functions integrated into the components can further increase the security level.

Dr.-Ing. Lutz Jänicke, Corporate Product & Solution Security Officer, Phoenix Contact