Over the next decade the majority of plants and machines in production networks will be networked as part of the Industrial Internet of Things (IIoT). In order to ensure data and service consistency, production networks in turn will be connected with company-wide networks (office systems) and then connected with the Internet. The number of production networks connected in this way will continue to grow.
Although this kind of development opens up a number of opportunities, ensuring access protection for such complexly networked plants and machines poses great challenges to operators in terms of IT security, which is known within the industry as ICS (industrial control system) security. Production-related data streams are limited to a defined set, and machines and plants are consequently protected by applying known best-practice methods. This includes creating a security architecture in keeping with the Defense in Depth principle, in accordance with ISA99 and IEC 62443. Ensuring maintenance and programming access to these kinds of systems, meanwhile, is a special task in and of itself.
Dial-in nodes pose a significant security risk
As with the onion approach to IT security, implementing the Defense in Depth concept involves constructing several network security layers that are protected from one another through access restrictions. The outermost layer is connected with the Internet and is therefore the least trusted level. These levels are also known as “trust levels”; the trust level increases with each successive network layer. The heart of the “network onion” thus consists of the systems that require an especially high level of protection: in production networks, these are the machines and plants plus their components. These systems are protected by constructing invisible subnetworks through NAT (network address translation) and masquerading, and by setting access restrictions that only permit the data streams that are absolutely necessary for manufacturing.
In order to carry out service and maintenance tasks, the corresponding employees at the operating company, as well as the machine manufacturer’s external service technicians, need access to these specially protected network areas. In the past, they could often obtain it by dialling in through their own dial-in nodes. Dial-in nodes that are directly reachable through the phone network pose a significant security risk: the caller can access the entire network and usually does not have to go through any authentication process to reach the systems connected to it. Nowadays, this outdated setup is often replaced by the popular VPN remote maintenance access.
Setting up a service network
The VPN solutions described above enable identity verification of the persons authorised for access as well as encrypted data transmission. However, individuals with access rights still have free access to the protected network. Also, the encryption prevents machine operators from gaining any insight into the data, which means they have no control over it; as a result, damaging events cannot be traced. A further problem with this concept is that each machine manufacturer would like to use its own preferred remote access system, which results in heterogeneous, unmanageable IT landscapes. Finally, VPN remote maintenance access does not solve the issue of providing the operator’s own service technicians with controlled, authenticated access.
If the internal service employees are granted extensive access rights to the plants and machines, the security level drops. Because of this, corresponding access should always be reduced to the minimum necessary level.
One way of doing so is to set up a separate, isolated network zone (a service network) in which service connections are handed over or routed. In the IT sector, this type of network zone is also known as a demilitarised zone (DMZ).
Control over all service connections
There are several products available that can fulfil this task. These include the FL mGuard range of products, which are suitable for industrial applications, protect individual manufacturing cells, and also enable service network zones to be constructed. The service network is ideally located on the level of the production network; the two networks are separated and isolated from one another by the security appliances.
The security appliance also acts as the access point for the individual networks of the production cells. These networks are transparently integrated into the service network via VPN connections, and the corresponding VPN-based service connections to the production cells can be set up and torn down as required. A key switch that controls the security appliances via their integrated digital I/Os can be used for this. Alternatively, machine operators can use an HMI device that communicates internal network events. Either way, operators remain in control of possible service connections at all times. Firewall rules within the VPN connections determine which service access is authorised. If the use of VPN connections in the internal networks is prohibited, the GRE (Generic Routing Encapsulation) tunnel function together with the conditional firewall (switchable firewall rule sets) provides the same functionality.
Activation of dynamic firewall rules
The machine manufacturer’s external service technicians are connected to the service network zone via VPN. Phoenix Contact also offers suitable solutions for this application, such as the FL mGuard Secure VPN Client or the FL mGuard Smart2 VPN. The machine operator’s own technicians can likewise be connected via VPN connections or by direct network access. All access can be configured so that the respective technician must first authenticate at the user firewall of the security appliances. This opens up the opportunity to activate dynamic firewall rules for defined users; these rules are bound to the IP address from which the user authenticated. In this way, each technician is only permitted certain access, which means that a multi-level security concept can be created. If the operator accepts the VPN solutions preferred by the machine manufacturer, the corresponding end devices should be placed within the service network zone.
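The following model shows how the three controls described above combine: the operator releases a cell (key switch or HMI), a technician authenticates at the user firewall, and the dynamic rules are bound to the authenticating IP address, with everything else denied. It is an added example written for this article, not Phoenix Contact or FL mGuard code; the user names, addresses, cell networks and service ports are constructed assumptions.

```python
# Added example (not Phoenix Contact code): a model of the operator-controlled,
# user-authenticated service access described above; all values are constructed.
from dataclasses import dataclass, field
import ipaddress

@dataclass(frozen=True)
class Rule:
    dst_net: str   # production cell network the user may reach
    dst_port: int  # single service port permitted in that cell

@dataclass
class ServiceFirewall:
    user_rules: dict[str, list[Rule]]                 # dynamic rules per user
    released: set[str] = field(default_factory=set)   # cells opened by key switch/HMI
    sessions: dict[str, str] = field(default_factory=dict)  # user -> authenticating IP

    def release_cell(self, cell_net: str, on: bool) -> None:
        """Operator event (key switch or HMI): open or close a service path."""
        self.released.add(cell_net) if on else self.released.discard(cell_net)

    def login(self, user: str, src_ip: str, password_ok: bool) -> bool:
        """User firewall login: bind the user's rules to the IP it came from."""
        if not password_ok or user not in self.user_rules:
            return False
        self.sessions[user] = src_ip
        return True

    def permit(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        """Default deny: needs a session bound to this source IP, a matching user rule, and a released cell."""
        dst = ipaddress.ip_address(dst_ip)
        for user, bound_ip in self.sessions.items():
            if bound_ip != src_ip:
                continue
            for r in self.user_rules[user]:
                if r.dst_net in self.released and dst in ipaddress.ip_network(r.dst_net) and dst_port == r.dst_port:
                    return True
        return False

def demo() -> list[bool]:
    # Constructed scenario: an OEM technician in the service zone reaching cell 1 (port 102 assumed)
    fw = ServiceFirewall({"oem_tech": [Rule("10.1.1.0/24", 102)]})
    fw.login("oem_tech", "192.168.50.10", True)
    a = fw.permit("192.168.50.10", "10.1.1.20", 102)   # cell not released yet
    fw.release_cell("10.1.1.0/24", True)
    b = fw.permit("192.168.50.10", "10.1.1.20", 102)   # released and authenticated
    c = fw.permit("192.168.50.11", "10.1.1.20", 102)   # other IP: no session bound to it
    d = fw.permit("192.168.50.10", "10.1.2.20", 502)   # outside oem_tech's rules
    fw.release_cell("10.1.1.0/24", False)
    e = fw.permit("192.168.50.10", "10.1.1.20", 102)   # key switch turned off again
    return [a, b, c, d, e]
```

Only the second check succeeds: access requires the operator's release, the user's authenticated session from that exact source address, and a matching rule, and it ends as soon as the operator withdraws the release.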
Providing service access to plants and machines opens up advantages to operators, but also entails large challenges in terms of access security. The right strategies and special technologies allow operators to master these challenges and thereby reduce maintenance costs while increasing availability.