Security protection for industrial systems

Innominate Security Technologies : 30 October, 2015  (Technical Article)
Gerrit Boysen of Phoenix Contact Electronics explains the role of Innominate mGuard in the protection of industrial IT systems.
High system availability is very important in process engineering, which places correspondingly greater importance on IT security.

The growing need for IT security in the field of process engineering is primarily the result of the current trend toward greater interconnectivity, which can be seen in an increasing number of horizontal interconnections from one system to another, but also in vertical interconnections from the field level to the office level. In addition, more and more Ethernet components are being used at all levels. The considerable degree of interconnection increases efficiency while simultaneously reducing costs. At the same time, however, it also increases the risk that malicious software will quickly spread throughout all areas of a company.

Against this background, process-engineering systems are repeatedly exposed to new security gaps and a growing number of malicious programs. The computers and control systems used in industrial networks therefore need much more extensive protection from attacks, malicious software and unauthorised access than they have had so far. But the security strategies used in conventional office IT usually cannot be implemented efficiently for industrial systems, so special protective measures are required for industrial networks. The IT systems used in production environments differ fundamentally from those used in office environments in four ways.

First, patches typically cannot be applied to industrial systems. Second, industrial systems use special protocols such as OPC Classic which are not used in the office world. Third, large systems often contain structurally identical modular assemblies with identical IP addresses. And finally, systems in production often require different firewall rules and standards during maintenance and in the event of remote servicing.

On office PCs, virus scanners are usually installed and security updates performed at regular intervals. These measures normally cannot be taken for industrial systems. One reason is that the manufacturer of the operating systems or applications used in the industrial sector sometimes no longer provides security updates. In addition, industrial PCs must be tested before each operating system, antivirus software or application update, which is not operationally efficient.

Dedicated industrial firewalls nevertheless make it possible to protect these non-patchable systems against attacks from outside the network. For this purpose, hardware-based firewall appliances are connected between the industrial PCs and outside networks. Moving the security function to external hardware also has the advantage that the resources of the systems to be protected do not have to be spent on security tasks.

Targeted network communication restrictions

For firewalls, the user can configure the protocols and ports that may be used to access the systems to be protected. This prevents, or at least limits, an attacker's attempts to gain access to the network through insecure ports. The Stateful Packet Inspection Firewall approach should be mentioned in this context. It uses rules to filter incoming and outgoing data packets in both directions: from the outside into the protected internal network and vice versa. Based on the protocol, source address and port, and destination address and port, network communication can be limited selectively to the defined scope that production actually requires. The Connection Tracking function then identifies the response packets belonging to permitted connections and lets them through.

Selecting a suitable firewall must include ensuring that the selected firewall understands the protocols used in the particular industry in question. Otherwise, reliable protection cannot be guaranteed. Office firewalls typically do not support industrial protocols such as OPC Classic, so they cannot provide appropriate protection for the application. While conventional firewalls cannot reliably be used to protect data traffic via OPC Classic, industrial variants – such as one with a license for OPC Inspector – provide a suitable solution. Based on Deep Packet Inspection, the firewall checks the OPC Classic communications data packets and filters them precisely. For this purpose, the Stateful Inspection principle is also applied to OPC Classic data. This means that the firewall identifies the port changes negotiated in the OPC Classic protocol and approves them dynamically. In this context, it inspects whether a port opened by OPC is used within a timeout period and whether the data traffic moving through this port corresponds to the OPC protocol. This method provides high access security.
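The following model, written for this article and not taken from mGuard or OPC Inspector, shows the two mechanisms described above together: connection tracking of response packets, and OPC Classic dynamic-port handling in which the firewall learns the port negotiated through the DCOM endpoint mapper (TCP 135), opens it for a limited time, and closes it again if it is unused or carries non-OPC traffic. The server address, client list, ports and timeout are constructed, and the DPI verdict is passed in as a flag.

```python
"""Stateful inspection with OPC Classic dynamic-port handling (added model).

Not mGuard's code. OPC Classic runs over DCOM: the client first contacts the
endpoint mapper on TCP 135 and is then told a dynamic server port. The model
allows 135 statically, learns the negotiated port by inspecting that exchange,
opens it for a limited time, and closes it again if it is not used in time or
is used for non-OPC traffic. Addresses, ports and timeout are constructed.
"""

EPMAP_PORT = 135  # DCOM endpoint mapper, the only statically permitted port


class OpcAwareFirewall:
    def __init__(self, server, allowed_clients, timeout=5.0):
        self.server = server
        self.allowed_clients = set(allowed_clients)
        self.timeout = timeout
        self.pending = {}       # (client, port) -> expiry of an unused pinhole
        self.conntrack = set()  # established flows (src, sport, dst, dport)

    def learn_negotiated_port(self, client, port, now):
        """Deep packet inspection saw the endpoint mapper announce a port."""
        self.pending[(client, port)] = now + self.timeout

    def accept(self, src, sport, dst, dport, is_opc, now):
        """Return True if the packet passes; `is_opc` is the DPI verdict."""
        flow = (src, sport, dst, dport)
        if (dst, dport, src, sport) in self.conntrack:
            return True                      # response on a tracked connection
        if src not in self.allowed_clients or dst != self.server:
            return False
        if dport == EPMAP_PORT:
            self.conntrack.add(flow)
            return True
        expiry = self.pending.get((src, dport))
        if expiry is None:
            return False                     # port was never negotiated
        if now > expiry:
            del self.pending[(src, dport)]   # pinhole expired unused
            return False
        if not is_opc:
            return False                     # open port, wrong protocol
        del self.pending[(src, dport)]       # pinhole consumed by a real flow
        self.conntrack.add(flow)
        return True
```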

Virtual external network mapping

Complex production sequences are typically structured into networked, largely standalone cells. For an efficient design of the engineering, documentation, and cell operation, the use of identical IP addresses for all systems of a single type proves to be advantageous. If all communications are initiated from the internal cell networks, several identical systems can be connected with simple masquerading NAT (Network Address Translation) routers to the operator’s production network. If the higher level network should also be able to establish a connection to the individual cell nodes, however, this solution is not sufficient, because the cell nodes cannot be addressed from the outside. In this case, the user requires a router that can map internal machine networks universally or selectively to unique virtual external networks using 1:1 NAT. For this purpose, an industrial firewall offers, in addition to the pure NAT routing, the so-called 1:1 NAT routing function. OPC Inspector, mentioned above, allows this NAT function for the OPC Classic protocol. This sets it apart from conventional office firewalls and from other industrial firewalls.
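As an added illustration of the 1:1 NAT arrangement above (not a product's implementation), every production cell below uses the same internal network, and the router in front of cell n maps it onto its own virtual external network so that the higher-level network can address each cell node individually. The networks 192.168.1.0/24 and 10.10.n.0/24 and the host addresses are constructed.

```python
"""1:1 NAT of identical cell networks onto unique virtual external networks.

Added illustration, not mGuard's code. Each cell keeps the same internal
network; the router in front of cell n rewrites addresses 1:1 into
10.10.n.0/24 in both directions, so a node in cell 2 is reachable from the
production network as 10.10.2.x, which masquerading NAT cannot offer.
All networks and addresses are constructed.
"""
import ipaddress


class OneToOneNat:
    def __init__(self, internal_net, external_net):
        self.internal = ipaddress.ip_network(internal_net)
        self.external = ipaddress.ip_network(external_net)
        if self.internal.prefixlen != self.external.prefixlen:
            raise ValueError("1:1 NAT needs equally sized networks")

    @staticmethod
    def _translate(addr, src_net, dst_net):
        addr = ipaddress.ip_address(addr)
        if addr not in src_net:
            return None                      # not ours, leave untouched
        offset = int(addr) - int(src_net.network_address)
        return str(dst_net.network_address + offset)  # same host part

    def to_external(self, internal_addr):
        """Rewrite the source address of a packet leaving the cell."""
        return self._translate(internal_addr, self.internal, self.external)

    def to_internal(self, external_addr):
        """Rewrite the destination address of a packet entering the cell."""
        return self._translate(external_addr, self.external, self.internal)


def build_cell_routers(cell_count, internal_net="192.168.1.0/24"):
    """One router per cell; all cells share the same internal addressing."""
    return {n: OneToOneNat(internal_net, f"10.10.{n}.0/24")
            for n in range(1, cell_count + 1)}


def reach_cell_node(routers, external_addr):
    """From the production network: which cell and internal host is hit?"""
    for cell, router in routers.items():
        internal = router.to_internal(external_addr)
        if internal is not None:
            return cell, internal
    return None
```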

Event-controlled (de)activation of firewall rules

Different firewall rules and standards are often advantageous in different situations, because different connections are to be allowed or forbidden during production operation, during maintenance and during remote system servicing. In practice, the user usually solves the problem by combining the various firewall requirements into a single set of rules. This inevitably results in lower security than is possible, because the firewall then allows all connections that are required for any of the operating states, even those not required for the current operation. An industrial firewall solves the problem with a Conditional Firewall, which allows firewall rules to be activated or deactivated depending on events. Selection of a given rule set can be triggered via an externally connected button, a switch, a control window in a web interface, an API command line, or by establishing or disconnecting a VPN (Virtual Private Network) connection.
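The model below, added here and not a product's rule syntax, contrasts the merged rule set the text criticises with event-driven selection of one rule set per operating state. The states, events, protocols and ports (OPC endpoint mapper on 135 plus constructed maintenance and remote-service ports) are assumptions for the illustration.

```python
"""Conditional firewall versus one merged rule set (added model).

Not mGuard's code. Rules are (proto, dport) pairs permitted into the cell.
Events from a key switch or the VPN tunnel select which set is active, so
only the connections needed for the current operating state are open.
States, events and ports are constructed for the illustration.
"""
PRODUCTION = {("tcp", 135), ("tcp", 502)}                 # OPC Classic, Modbus/TCP
MAINTENANCE = PRODUCTION | {("tcp", 22), ("tcp", 3389)}   # plus technician access
REMOTE_SERVICE = PRODUCTION | {("tcp", 3389)}             # only while a VPN is up

RULE_SETS = {"production": PRODUCTION,
             "maintenance": MAINTENANCE,
             "remote": REMOTE_SERVICE}

TRANSITIONS = {"maintenance_switch_on": "maintenance",
               "maintenance_switch_off": "production",
               "vpn_up": "remote",
               "vpn_down": "production"}


class ConditionalFirewall:
    def __init__(self):
        self.state = "production"

    def on_event(self, event):
        """Switch the active rule set; unknown events leave it unchanged."""
        self.state = TRANSITIONS.get(event, self.state)
        return self.state

    def allows(self, proto, dport):
        return (proto, dport) in RULE_SETS[self.state]


def merged_allows(proto, dport):
    """The usual workaround: one rule set that is the union of all needs."""
    return any((proto, dport) in rs for rs in RULE_SETS.values())


def exposure(allows_fn, probe):
    """How many of the probed (proto, port) pairs the policy lets through."""
    return sum(1 for p in probe if allows_fn(*p))
```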
