IUNO research project - Part 3

Alexander Borisov, Alexander Kern, Dr. Dirk Scheuermann | Günter Herkommer

Secure remote maintenance via cloud-based web platform

The third part of our series of articles on the national reference project IUNO deals with the question: How can secure remote maintenance of industrial systems be guaranteed with reasonable effort in the age of Industry 4.0?

© Robert Bosch

The demand for remote maintenance solutions for machines and systems is constantly increasing. In the future, more and more production facilities will be accessed via new Internet services in particular. Against this background and in view of the increasing number of attacks on industrial components in recent years, secure and user-friendly remote maintenance and authentication to the plant is essential.

However, when looking into today's factory halls, one quickly realizes that the desire for networking is increasing much faster than the awareness of the players for secure communication. To make matters worse, there is usually a wide variety of systems from different manufacturers in the production halls. This makes remote maintenance of these systems confusing and complicated. The specifications of the individual systems also often require individual maintenance by a special service technician directly on site. This results in very high costs.

IUNO wants to address this problem by developing a cloud-based web platform. This should enable a standardized process for access and maintenance via the Internet and provide the company - whether a large corporation or SME - with an overview of all current and past accesses at all times. The highest possible compatibility and vendor independence are further key requirements. This is to be ensured primarily through the use of state-of-the-art technologies and methods as well as common security protocols.


Figure 1: Representation of the IT architecture in work package 3 of the IUNO project.

© Robert Bosch

The most important results of the IUNO sub-project 'Secure services / remote maintenance of production facilities' include:

  • Development of a centralized remote maintenance platform;
  • Research into new concepts of networking via software-defined networking;
  • Development of a new approach to user authentication;
  • Development of an approach to key management for the industry as well as procedures that enable the generation of cryptographic material from the radio channel;
  • Development of concepts and technologies that provide a management shell for the networked industry.

Figure 1 shows the overall architecture of the solution approach developed by the project partners based on the following example scenario: The external service technician in the office zone (Figure 1, top left) wants to remotely maintain an industrial system in the production zone in the factory. The central platform is used as a switching interface and serves to connect the service technician to the machine. The central platform itself consists of:

  • A ticketing engine, which is responsible for managing service requests,
  • a component for user administration,
  • a key management server, responsible for managing cryptographic keys for the machines,
  • an authentication server, responsible for authenticating the service technician, and
  • the master SDN controller, which is responsible for networking using Software Defined Networking (SDN).

Figure 2: Remote maintenance procedure via the central platform.

© Robert Bosch

Two demonstrators were developed and set up for the practical implementation and testing of the solution approach: The first demonstrator at Bosch Rexroth in Lohr was primarily geared towards mapping an existing IT architecture in a production plant. The aim was to ensure that the solutions implemented as part of the research project could be put into productive use as quickly as possible. In the second demonstrator in Darmstadt, new networking approaches based on software-defined networking (SDN) technologies were researched. This is because it is to be expected that these technologies will find their way into production plants in a few years' time. Background: The conventional administration of networks with many different devices, including routers and switches, is very complex and time-consuming: The intelligence is distributed across many devices, and each device is responsible for tasks at different levels. The purpose of SDN is to simplify the administration of networks by separating the control level from the data level.

At the beginning of the project, a threat analysis was carried out. This means that attacker models were determined with the involvement of external experts, misuse cases were defined and an attack tree was created for each misuse case. The misuse cases were then weighted and prioritized according to damage and probability of occurrence in a risk map. The final step was to determine the security requirements resulting from the threats, which form the basis for the security measures defined.

Networking with Software Defined Networking

Figure 3: SDN-based architecture with processing steps for maintenance requests.

© Robert Bosch

As already mentioned, Software Defined Networking (SDN) is to be used to make the remote maintenance process more dynamic. The local SDN controller with the associated SDN switch in the machine operator's network is initially used for this purpose. A suitable policy framework is also implemented for the efficient enforcement of policies for remote maintenance access, in particular for authorization and access control. Here, the SDN controller serves as the Policy Enforcement Point (PEP) and AuthZForce as the Policy Decision Point (PDP) on the central platform; the central platform also serves as the Policy Administration Point (PAP). XACML, an XML-based schema that is particularly suitable for authorization policies, is used as the description language for the policies.

Another important component is the PKI server located on the central platform. The key pairs generated here are used to protect the identity of the maintenance technician during maintenance as well as for secure communication between the service provider and the machine operator. All connections can then be made using TLS. The master SDN controller available on the central platform is not necessary for the planned solution for the time being, but it makes sense to equip it with this component for possible expansions, especially if the networking in the plant is made more dynamic at a later date and if external value-added services are used. In detail, the maintenance request is processed in the following steps as shown in Fig. 3:

  1. Maintenance request is sent to central platform.
  2. Suitable maintenance providers are searched for in the database.
  3. Provider is contacted; the provider itself assigns a technician.
  4. PKI creates key pair for the selected technician.
  5. Maintenance window is sent to AuthZForce as XACML.
  6. Configuration including the key is sent to the technician.
  7. (Optional) Maintenance provider notifies technician internally.
  8. Establishment of the VPN tunnel with the data received.
  9. SDN switch receives packet, this does not match any flow, controller is notified.
  10. Controller asks central platform whether the connection belongs to a maintenance session.
  11. Connection is enabled/forwarded within the network via flow table entries.

Authentication via QR login

Another central task in the project was the development of a new method for user authentication in industrial environments. The developed solution is ultimately based on a system consisting of an authentication server, which is located in the central platform, and an authentication app, which is installed on the service technician's smartphone. The process consists of the following four steps:

  1. Initial one-time login of the user: the service technician is logged into the system for the first time, the app is installed on the smartphone and the technician receives instructions for further steps. The authentication app is then provided with a pairing key - a special cryptographic key that ensures a unique connection between the authentication server and the app.
  2. In the case of remote maintenance, the service technician is assigned a service ticket by the central platform. As soon as the service technician wants to log in, he is shown a QR code instead of the conventional prompt to enter the user name and password. This QR code is generated by the central platform's authentication server and contains information about the current service case, the machine to be serviced, the current time and other cryptographic features.
  3. The service technician scans the QR code with the app on their smartphone. This generates a one-time key in the background and sends it to the authentication server via the smartphone's own connection. The server also authenticates itself to the app using a similar procedure.
  4. The service technician waits a few seconds and the authentication page on his laptop updates automatically. The technician is logged in and can now start servicing the machine. If authentication is not correct, an error message is displayed.

The procedure is based on an extension of the OATH Challenge-Response Algorithm (OCRA) protocol, which was developed by the Internet Engineering Task Force for the purpose of secure authentication with one-time keys using a challenge-response procedure. The key derivation function PBKDF2 was used as a cryptographic building block in the procedure: it mixes the authentication information received from the server with a symmetric key and generates a one-time key from it.
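The four steps above and the PBKDF2 building block fit in a short model that makes the security properties checkable: one-time use of each challenge, a bounded challenge lifetime, and mutual authentication. The following is an added example and not the project's implementation; it assumes PBKDF2-HMAC-SHA256 with the pairing key as the password and the serialized QR payload as the salt, an OCRA-style truncation to an 8-digit code, and a 120-second challenge lifetime. All class and field names are hypothetical.

```python
"""Model of the QR login (steps 1 to 4) and its building blocks: a pairing
key established once, a challenge that the server embeds in the QR code, a
one-time code that the app derives from the challenge and the pairing key
with PBKDF2, and a second code with which the server authenticates itself
to the app.

Added example, not the project's implementation. Assumptions: PBKDF2-HMAC-SHA256
with the pairing key as password and the serialized challenge as salt, an
OCRA-style truncation to 8 decimal digits, and a 120-second challenge
lifetime; all class and field names are hypothetical.
"""
import hashlib
import hmac
import json
import secrets

PBKDF2_ITERATIONS = 100_000
CODE_DIGITS = 8
CHALLENGE_TTL_SECONDS = 120


def derive_code(pairing_key: bytes, challenge: dict, role: str) -> str:
    """Mix the server's challenge with the symmetric pairing key and truncate
    the result to a short decimal code. `role` separates the app's response
    from the server's, so neither side can replay the other's code."""
    salt = json.dumps(challenge, sort_keys=True).encode() + b"|" + role.encode()
    dk = hashlib.pbkdf2_hmac("sha256", pairing_key, salt, PBKDF2_ITERATIONS, dklen=32)
    offset = dk[-1] & 0x0F                      # dynamic truncation as in HOTP/OCRA
    value = int.from_bytes(dk[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class AuthServer:
    """Authentication server on the central platform."""

    def __init__(self):
        self.pairing_keys = {}   # technician id -> pairing key (step 1)
        self.pending = {}        # nonce -> challenge currently shown as QR code (step 2)
        self.sessions = {}       # ticket id -> technician id, once logged in

    def enroll(self, tech_id):
        """Step 1: one-time login; the pairing key is handed to the app."""
        key = secrets.token_bytes(32)
        self.pairing_keys[tech_id] = key
        return key

    def issue_challenge(self, tech_id, ticket_id, machine_id, now):
        """Step 2: build the QR code payload for a service ticket."""
        challenge = {"tech": tech_id, "ticket": ticket_id, "machine": machine_id,
                     "issued": int(now), "nonce": secrets.token_hex(16)}
        self.pending[challenge["nonce"]] = challenge
        return challenge

    def verify(self, nonce, app_code, now):
        """Steps 3 and 4: check the app's one-time code. Returns the server's
        own code on success (mutual authentication), else None. The challenge
        is removed on first use, so a captured code cannot be replayed."""
        challenge = self.pending.pop(nonce, None)
        if challenge is None or now - challenge["issued"] > CHALLENGE_TTL_SECONDS:
            return None
        key = self.pairing_keys.get(challenge["tech"])
        if key is None:
            return None
        expected = derive_code(key, challenge, "app")
        if not hmac.compare_digest(expected, app_code):
            return None
        self.sessions[challenge["ticket"]] = challenge["tech"]
        return derive_code(key, challenge, "server")

    def is_logged_in(self, ticket_id):
        """What the login page on the laptop polls in step 4."""
        return self.sessions.get(ticket_id)


class AuthApp:
    """Authentication app on the technician's smartphone."""

    def __init__(self, tech_id, pairing_key):
        self.tech_id = tech_id
        self.pairing_key = pairing_key

    def scan(self, challenge):
        """Step 3: derive the one-time code from the scanned QR payload."""
        if challenge["tech"] != self.tech_id:
            raise ValueError("QR code was issued for a different technician")
        return derive_code(self.pairing_key, challenge, "app")

    def check_server(self, challenge, server_code):
        """Verify the server's reply, so the app authenticates the server too."""
        expected = derive_code(self.pairing_key, challenge, "server")
        return hmac.compare_digest(expected, server_code)


def run_login(server, app, ticket_id, machine_id, now):
    """The whole exchange; True only if both sides authenticated."""
    challenge = server.issue_challenge(app.tech_id, ticket_id, machine_id, now)
    app_code = app.scan(challenge)                  # sent over the phone's own connection
    server_code = server.verify(challenge["nonce"], app_code, now + 3)
    return server_code is not None and app.check_server(challenge, server_code)


if __name__ == "__main__":
    srv = AuthServer()
    phone = AuthApp("tech-42", srv.enroll("tech-42"))
    print(run_login(srv, phone, "SR-1", "press-07", 1525334400))   # True
    print(srv.is_logged_in("SR-1"))                                 # tech-42
```

Because the challenge carries the ticket, the machine and the issue time, the one-time code is bound to exactly one service case; a code intercepted on one login page is useless for another machine or after the lifetime has passed. Binding the server's reply to a separate `role` string is what turns the scheme into two-sided authentication rather than a second copy of the app's code.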

In a nutshell: The developed solution enables secure two-sided authentication with one-time keys and is also user-friendly, as no passwords need to be entered. It is also cost-effective, provided that a smartphone is already available.

Advantages and benefits of the solution

The solutions researched in the project and implemented on the prototypes have several concrete advantages compared to the solutions currently available: By standardizing the access points, it is easier for both the plant operator and the remote maintainer to carry out remote maintenance. Hundreds of different systems with dozens of different remote maintenance solutions currently exist in larger plants. Setting up the relevant access often takes several weeks and always requires a great deal of cognitive effort, activation in the firewalls and coordination with several departments and suppliers.

The solution developed as part of IUNO is different: instead of the tedious process of setting up and configuring access for each machine and service provider, the operator only has to configure the activation in the local firewalls at the plant to the central platform once. After that, remote maintenance is simple and transparent for everyone involved. The pilot phase for implementing the concept began in 2018 and will initially involve several Robert Bosch plants. Once the test phase has been successfully completed, further expansion is planned in the coming years. To this end, Robert Bosch is trying to attract internal and external partners to use the remote maintenance solution developed. It is conceivable that the remote maintenance platform presented could be used as a service for OEMs in the automotive industry, for example.

Some concepts, in particular measures for the secure storage of cryptographic material and aspects of crypto-agility, could not be conclusively addressed within the scope of the IUNO research project. These also need to be investigated in more detail as part of future activities.

Authors:
Alexander Borisov is a project manager in the field of industrial IT security and cryptography at Robert Bosch;
Alexander Kern is a researcher in the field of industrial IT security at TU Darmstadt;
Dr. Dirk Scheuermann is a scientist at the Fraunhofer Institute for Secure Information Technology SIT.

The IUNO project

IUNO is a publicly funded research project of the Federal Ministry of Education and Research (BMBF). 14 industrial companies and seven research institutions are pursuing a common goal: securing the production of tomorrow against external attacks, in particular espionage, sabotage and manipulation. A total of four demonstrators are being developed in the project, each led by an industrial partner. In detail, the following sub-aspects and use cases are involved:
