Recent viruses such as Stuxnet have highlighted the vulnerabilities of industrial networks. Now is the time to take a fresh look at how industrial network security is managed, says John Browett of CLPA
Ethernet is becoming the network of choice in industry, but considerations for security are lagging behind. While the risk of deliberate hacking from inside a company is difficult to protect against, consideration needs to be given to the possibility of personnel accidentally connecting the wrong device to the wrong part of a network, or to unauthorised users finding themselves able to adjust key process parameters without realising what it is that they’re doing.
Another problem is the adoption of remote access to plants. With companies monitoring processes by standard web browsers, for example, there is the risk of network abuse by third parties.
An example here is the Stuxnet virus that attacked SCADA (supervisory control and data acquisition)
systems last year. This showed that a typical plant floor control architecture has weak points when it comes to security, leading many companies to question the traditional methods used to move information between the plant/asset and the enterprise level.
The Stuxnet virus changed the point of attack in the business from the seemingly very secure top end to the somewhat vulnerable middle ground. At this level we frequently see PC-based control systems with little or no security implemented, and some technologies still being utilised despite known vulnerabilities.
Security problems at this level and at plant floor device level are exacerbated by the fact that there is often limited
collaboration between a company’s IT department and the control engineering departments. Furthermore, within the control and engineering community, there is not always adequate recognition of the automation system security threats and liabilities. In particular, the business case for automation system security is not established, and there is limited understanding of the risk factors.
User demands
The drive towards open network technologies generally, and Ethernet in particular, to give companies the freedom to choose best of breed control technologies, has exacerbated the security threat. Users want standardisation, flexibility and choice, and this has been delivered through standardised open protocols. However, these open protocols are less robust and more susceptible to attack, whereas the old proprietary networks were highly robust by virtue of their non-standardisation, but were less flexible and limited product choice.
The ideal industrial network should therefore offer robustness and flexibility, and include common cabling, standard connectors, open standards, ease of configuration, flexibility, highest possible security, and reduced susceptibility to attack.
In looking at how we might be able to adapt industrial Ethernet to meet these requirements, it is worth revisiting our definition of Ethernet, because nowhere in networking parlance has a single word been so misused as an umbrella term for so many disparate standards, technologies and applications. The best place to start is with the OSI seven layer model itself.
Layer 1, the Physical Layer, defines all the electrical and physical specifications for devices – in particular the relationship between a device and the physical medium. Layer 2 is the Data Link Layer, providing the functional and procedural means to transfer data between network entities and to detect and possibly correct errors that may occur in the Physical Layer. It is here that Ethernet is defined as a network protocol under the IEEE 802.3 standard.
Over the years, Ethernet has become synonymous with the TCP/IP suite, but one does not necessarily imply the other. IP is defined under the Network Layer (Layer 3) of the OSI model.
This Layer provides the functional and procedural means of transferring variable length data sequences from a source to a destination via one or more networks. The Transport Layer (Layer 4) provides transparent transfer of data between end users, and defines the likes of TCP and UDP.
The Session Layer (Layer 5) controls the connections between computers, whilst the Presentation Layer (Layer 6) transforms the data to provide a standard interface for the Application Layer (Layer 7) at the top of model. It is here that you find typical applications
such as FTP, HTTP, RTP, SMTP, SNMP and others. In short, when it comes to operating as a communications architecture in industrial networks, Ethernet is capable of very little without the layers that sit above it.
Not all industrial Ethernet offerings implement the Ethernet stack in the same way. Within the Application Layer the different industrial Ethernet organisations implement their own kernels and protocols which define much of the functional benefits of their technologies. From a security point of view, though, what is really of interest are the more vulnerable lower layers.
Under the seven layer model, all it takes is for one layer to fall to an attack before the whole communications system is compromised – potentially without the other layers being aware that there is a problem.
While there are a number of discrete security products available, one of the biggest problems in the industrial arena lies in implementing tightly integrated security systems without incurring excessive costs and without imposing a level of complexity that makes the system difficult to maintain and support. In addition, standard commercially available security solutions are rarely up to the rigours of life in challenging industrial environments.
In terms of network technology, much work has been done to make Layer 2 more secure, but in classic implementations of industrial Ethernet little has been done to address weaknesses in the Network Layer (Layer 3) and the Transport Layer (Layer 4).
Like the office Ethernet implementation, the vast majority of industrial Ethernet technologies are still built around IP within Layer 3 and TCP/UCP within Layer 4.
Most industrial Ethernet network installations implement perimeter security (firewall services) at points where they connect to other networks. Firewalls filter on source and destination IP addresses and protocol port numbers (for example TCP and UDP ports) to further restrict the traffic
permitted to enter an Ethernet network. Packet filtering may be implemented even among known network communities, and in some cases filtering deals with very specific device addresses and application ports to provide a layer of access security unique to an attached device and application. Despite this however, in classic industrial Ethernet implementations, Layer 3 and Layer 4 are still highly vulnerable to attack.
Reliable data transfer
CC-Link IE (Control and Communication Link Industrial Ethernet), however, is different. It was developed by CLPA as a completely integrated gigabit Ethernet network for industrial automation. It combines the best of many existing technologies and applies them to an optical or copper based industrial network system with a redundant architecture that enables extremely high-speed and reliable data transfer between field devices and other controllers via Ethernet links.
The signalling rate of 1Gbps is more than enough to cater for the real-time communications requirement of today’s manufacturing industries.
There are variants of CC-Link IE to address control requirements at all levels of the automation network: at controller level, there is CC-Link IE Control; at device level, there is CC-Link IE Field and CC-Link IE Motion. There is also tight integration with the CC-Link fieldbus.
Importantly, CC-Link IE defines an open ‘Real-Time Protocol’ within the stack layers. It uses standard Ethernet connectors, is easy to configure and is highly robust. It is also an open standard, so users still have that freedom of choice in the selection of best-of-breed component technologies. But most importantly it inherently offers the highest possible security and is therefore less susceptible to attack.
Evolving requirements
Security requirements for industrial Ethernet networks are continuing to evolve, with sophisticated requirements increasingly migrating from Enterprise networks to process control and other industrial environments.
Wherever there are network installations, companies need to look at the probability of attacks to the network, and the risk associated with any attack. As security becomes more important, companies must look at ways to mitigate the risk, reduce the risk or eliminate the risk as appropriate within each branch of the network topology.
With its open standards approach combined with proprietary communications technology, the CC-Link IE implementation of industrial Ethernet represents an option in the drive to maximise and optimise network security.
CLPA
T: 0776 833 8708
