The majority of industrial control systems are susceptible to cyber attacks as they continue to be designed without security in mind. Following the Industroyer malware attack, whereby these threats have materialised, security has become a serious concern for plant operators.
To help plant operators tackle these concerns at an affordable cost, Industrial Data Communication specialist MAC Solutions has launched an industrial Gigabit managed encryptor that enables legacy point-to-point (PTP) data security for IP devices, PLC systems and a wide range of other automation and IP security equipment including wireless IP bridges and IP cameras.
Competitively priced to allow mass-market data protection (an installation will require at least a pair of encryptors), MACsec provides two end-to-end encrypted (E2EE) channels for secure communications between industrial legacy PLCs and automation equipment. TCP/IP traffic cannot be sniffed or decoded; MACsec also prevents ‘man-in-the-middle’ attacks. The encryptor provides secure communications to the IEEE 802.1AE standard.
MACsec is built for harsh industrial environments (protected to IP31) and operates across a wide operating temperature range, from -40°C to +75°C. Three MACsec models are available, each with similar functions but different media connections, i.e. copper-to-copper, copper-to-fibre, and fibre-to-fibre connections. While latency and loss of bandwidth have been challenges for vendors, MACsec encryption is performed at wire speed, so it is virtually real-time (low latency) with no loss of bandwidth.
Tim Ricketts, Director at MAC Solutions, commented: “With MACsec, our philosophy has been to add a next generation layer of security to the weak points of the industrial control system network. These layers can be classified by ISO as Layer 2 communications to and from the SCADA system, to prevent data being compromised by simple ‘packet sniffing’ exploits [interception of PLC Protocol, e.g. Modbus] or man-in-the-middle attacks [spoofing, interception and packet manipulation].” Traffic may be routed from site to site using OSPF (Open Shortest Path First), allowing secure site-to-site access over public infrastructure.
MACsec supports AES-256 encryption, providing line-rate (wire-speed) bi-directional traffic encryption/decryption. Other features include VLAN tag detection, a web GUI configuration interface and statistics counter support. Lightweight and with a very compact footprint, MACsec is easily mounted in control cabinets where space may be limited, and accepts a redundant supply voltage in the range 9-48 V DC.
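The two protections the release claims for Layer 2 encryption, that a passive sniffer cannot read the PLC protocol and that an in-path attacker cannot alter a frame undetected, both come from authenticated encryption of the frame. The following Go program is an added illustration of that principle and is not the product's firmware nor an implementation of IEEE 802.1AE; it uses AES-256-GCM from the Go standard library, a constructed Ethernet header and a constructed Modbus-style payload, and a random nonce in place of the MACsec SecTAG packet number (all assumptions for the sake of the example). The header is left in the clear but bound into the authentication tag, so changing a MAC address or a ciphertext byte causes the receiver to reject the frame.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const ethHeaderLen = 14 // dst MAC (6) + src MAC (6) + EtherType (2)

// Constructed sample frame header: these MAC addresses are illustrative only.
var sampleHeader = []byte{
	0x00, 0x1b, 0x21, 0x11, 0x22, 0x33, // destination MAC (constructed)
	0x00, 0x1b, 0x21, 0x44, 0x55, 0x66, // source MAC (constructed)
	0x08, 0x00, // EtherType 0x0800 = IPv4
}

// Constructed sample payload standing in for a Modbus/TCP request.
var samplePayload = []byte("MODBUS FC03 READ HOLDING REGISTERS 40001-40010")

// protectFrame encrypts the payload with AES-256-GCM and returns
// header || nonce || ciphertext+tag. The header is supplied as additional
// authenticated data: readable on the wire, but covered by the tag.
func protectFrame(key, header, payload []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	if len(header) != ethHeaderLen {
		return nil, errors.New("unexpected Ethernet header length")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Simplification: a random nonce instead of 802.1AE's packet number.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nil, nonce, payload, header)
	frame := make([]byte, 0, len(header)+len(nonce)+len(sealed))
	frame = append(frame, header...)
	frame = append(frame, nonce...)
	frame = append(frame, sealed...)
	return frame, nil
}

// unprotectFrame verifies and decrypts a frame produced by protectFrame.
// Any modification to the header, nonce or ciphertext makes Open fail.
func unprotectFrame(key, frame []byte) (header, payload []byte, err error) {
	if len(key) != 32 {
		return nil, nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonceSize := gcm.NonceSize()
	if len(frame) < ethHeaderLen+nonceSize+gcm.Overhead() {
		return nil, nil, errors.New("frame too short")
	}
	header = frame[:ethHeaderLen]
	nonce := frame[ethHeaderLen : ethHeaderLen+nonceSize]
	sealed := frame[ethHeaderLen+nonceSize:]
	payload, err = gcm.Open(nil, nonce, sealed, header)
	if err != nil {
		return nil, nil, fmt.Errorf("frame rejected: %w", err)
	}
	return header, payload, nil
}

// payloadExposed reports whether the cleartext payload appears anywhere in
// the frame as a passive sniffer on the wire would see it.
func payloadExposed(frame, payload []byte) bool {
	return bytes.Contains(frame, payload)
}

// tamper flips one bit at the given offset, simulating in-path manipulation.
func tamper(frame []byte, offset int) []byte {
	out := append([]byte(nil), frame...)
	out[offset] ^= 0x01
	return out
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	frame, err := protectFrame(key, sampleHeader, samplePayload)
	if err != nil {
		panic(err)
	}
	fmt.Println("payload visible on wire:", payloadExposed(frame, samplePayload))
	_, got, err := unprotectFrame(key, frame)
	fmt.Printf("intact frame: %q err=%v\n", got, err)
	_, _, err = unprotectFrame(key, tamper(frame, len(frame)-1))
	fmt.Println("tampered ciphertext:", err)
	_, _, err = unprotectFrame(key, tamper(frame, 0))
	fmt.Println("tampered destination MAC:", err)
}
```

Run with `go run .`; the intact frame decrypts to the original request, while both tampered frames are rejected before any payload is handed to the PLC side, which is the property that stops the spoofing and packet-manipulation attacks the release refers to.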
As Tim Ricketts adds: “A typical industrial control network may appear to have the greatest of all protection – air gapping. This physical network separation is now the status quo across industry, and rightly so. However, as the defence has changed, so has the method of attack. Malware that is created to destroy a SCADA system, for example, will lie dormant until it finds its target, moving from phone to USB stick to laptop, using its host as a means of transport, until it finally meets its end destination – your process and control equipment. The dormant malware that evaded your corporate firewalls and personal device protection is now on an air-gapped system – a system that will likely have an out-of-date firewall due to the very reason it was deemed to be secure.”
“The key trend across all attack vectors in all industries is that people are the problem: password capture, insecure connections, phishing emails and physical device transfer [i.e. USB stick]. MACsec was developed to help solve these problems at an affordable price for plant operators.”