
Data diodes / firewalls

Siegfried Müller | Lukas Dehling

Create safe zones

Protecting production networks without having to forego the benefits of transparent communication: This is a key challenge for companies as production becomes increasingly networked. Data diodes and automation firewalls can help.

© Image: Computer&AUTOMATION, Sources: Fotolia, kalafoto, Maksim Kabakou

Many fieldbus devices and controllers have one thing in common: they have no security features of their own, such as encryption or password protection. They were developed at a time when nobody was thinking about comprehensive networking. A suitable way to protect them is a gateway that monitors and mediates communication at the transition from the fieldbus to IP-based networks, for example by means of a data diode. In essence, this is a solution that permits communication in one direction only, from the data source to the cloud interface, and not the other way round. In principle, the function of a data diode can be implemented in software. However, this raises the question of how vulnerable that software is: if the device is compromised with additional scripts or manipulated firmware, the protection is gone. Greater security can only be achieved by galvanic, and therefore physical, isolation of the transmission line from the network to the fieldbus.

Secure and smart in the cloud thanks to data diode

With the 'mbXLink' gateway, the transmission line from the cloud processor to the fieldbus can be disconnected and closed via a built-in key switch.

© MB Connect Line

This galvanic isolation has been implemented in the 'mbXLink' edge gateway from MB connect line. It is built around two units, a fieldbus processor and a cloud processor. The cloud processor handles communication over the various cloud technologies and protocols. Both processors are installed in one device and are connected to each other only by two serial transmission lines, as known from the classic RS232 connection. The transmission line from the cloud processor to the fieldbus can be disconnected and closed via a built-in key switch. The fieldbus side is configured by the cloud processor once, during commissioning; for this the key switch must be set to the 'Config' position, which closes the transmission line to the fieldbus processor so that it accepts commands. In the Read or Read/Write key switch positions, the fieldbus processor then continuously sends the fieldbus data to the cloud unit. If access to the fieldbus is required, for example to set setpoints, the operator can enable the connection at any time, and once remote access is complete the connection can be cut again. Whether data communication towards the fieldbus level is enabled can thus be decided on site, depending on the situation. The decision to establish the connection therefore always remains in the hands of the operator's plant personnel.

Separation at hardware level offers greater operational safety and better protection than comparable software-based solutions. Integrating a data diode raises the cybersecurity level significantly in a simple way, without changes to the existing network topology. For easy integration, the data diode supports common fieldbus protocols such as MPI, Profibus, Profinet and Modbus. On the network side it provides the interfaces needed for the cloud, for example MQTT or OPC UA.


Security-by-Design

To harden the data diode system further, the entire hardware architecture of the cloud processor environment was also adapted, because security by design starts with the hardware.

Hardware architecture of the cloud processor environment: In addition to the classic elements (RAM module, processor and flash memory), the boot ROM and a secure element are also added here.

© MB Connect Line

The classic architecture of an embedded system usually consists of a RAM module, a processor and flash memory, with the firmware and user data stored on the flash. In the concept presented here, two hardware elements have been added. The boot ROM, with the permanently burned-in boot loader and the manufacturer certificates, ensures that the system boots from an unchangeable trust anchor (chain of trust): the firmware on the flash is signed with the manufacturer's certificate and is accepted by the boot loader only if the signature matches. The second element is a secure element, a separate hardware component (IC) that stores the digital keys and certificates apart from the flash. Here, the encrypted user memory on the flash is unlocked with a key held in the secure element.
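The boot-loader check described above, as an added example that is not MB Connect Line's code: the boot ROM holds the manufacturer's public key as the trust anchor, and the loader runs a flash image only if its signature verifies under that key. The article does not name the signature algorithm; Ed25519 from Go's standard library, the generated key pair and the firmware bytes are assumptions made for this demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// BootROM models what is burned in at manufacture: the manufacturer's public key is the
// unchangeable trust anchor. The article names no signature scheme; Ed25519 is a stand-in.
type BootROM struct{ ManufacturerKey ed25519.PublicKey }

// Image is what sits on flash: the firmware bytes plus the manufacturer's signature over them.
type Image struct{ Firmware, Signature []byte }

// Sign is the manufacturer's release step, performed with the private key outside the device.
func Sign(priv ed25519.PrivateKey, firmware []byte) Image {
	return Image{Firmware: firmware, Signature: ed25519.Sign(priv, firmware)}
}

var ErrUntrustedFirmware = errors.New("firmware signature does not match the manufacturer key")

// Boot is the boot loader's check: the flash image runs only if its signature verifies under
// the burned-in key; a modified or foreign image is refused before any of it executes.
func (rom BootROM) Boot(img Image) ([]byte, error) {
	if !ed25519.Verify(rom.ManufacturerKey, img.Firmware, img.Signature) {
		return nil, ErrUntrustedFirmware
	}
	return img.Firmware, nil
}

// Demo generates a constructed manufacturer key pair, signs a sample firmware blob, then boots
// the genuine image and a copy with one byte changed. Returns (genuineAccepted, tamperedAccepted).
func Demo() (bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	rom := BootROM{ManufacturerKey: pub}
	genuine := Sign(priv, []byte("constructed sample firmware v1.0"))
	_, errGenuine := rom.Boot(genuine)
	tampered := Image{Firmware: append([]byte(nil), genuine.Firmware...), Signature: genuine.Signature}
	tampered.Firmware[0] ^= 0xff // flash contents altered after signing, e.g. manipulated firmware
	_, errTampered := rom.Boot(tampered)
	return errGenuine == nil, errTampered == nil
}

func main() { g, t := Demo(); fmt.Println("genuine accepted:", g, "tampered accepted:", t) }
```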

The software architecture of the data diode is based on so-called Docker containers. This architecture enables isolation from the operating system.

© MB Connect Line

The system's software architecture is based on so-called Docker containers. The principle is comparable to virtualization but has the advantage of needing fewer system resources such as memory and CPU time. Dividing the applications into containers isolates them from the operating system, so that a vulnerability remains confined to its container and does not spread to the entire application.

One example is the IIoT toolkit Node-RED, which also runs in a Docker container and thus offers a convenient way to pre-process the collected data. Users can implement their own secure edge computing with their own Docker applications.

Web server security risk

One example of insecure technology is the web server in control systems and other automation components. In many control systems used in practice, web servers are already activated at the factory. Some of these systems disclose the serial number, firmware version or order number without being asked. These functions, originally intended for the operator of the automation system, represent attack vectors through which attackers can gain information, data and, in the worst case, access to the components in order to influence the control systems. Even where these functions are protected by authentication, they are often shipped with default passwords. And even where security and firmware updates are available, a functioning machine is usually left unchanged during operation.

In terms of cyber security, it is generally advisable to check existing systems for known vulnerabilities. Web servers are often activated without anyone being aware of it and have no operationally relevant function in the network. In that case it is urgent to shut these web servers down and thus close this entry point.

In practice, however, two difficulties arise. On the one hand, intervening in a PLC that is part of the running process carries the risk of a production standstill. On the other hand, the operator often has no way of changing the control program at all, either because the necessary programming tools are not available or because such an intervention would void the warranty claim against the manufacturer.

Segmenting industrial networks

Segmentation of networks with the industrial firewall. Clear separation of identical IP segments from each other with simultaneous connection to a higher-level network.

© MB Connect Line

To achieve effective protection against attacks nonetheless, experts recommend segmenting the network into manageable logical units. By setting up secure zones, the user not only mitigates the update problem but also protects devices such as panels and controllers that have no security mechanisms of their own. MB connect line has developed the 'mbNETFIX' automation firewall for this purpose. It filters data traffic to and from the controller and allows only authorized connections to be established. This makes it easy and inexpensive to keep communication flowing transparently without running the risk of these known security vulnerabilities being attacked.

With the automation firewall, new machines can also be securely integrated into existing plant networks. Two networks, that of the operator and that of the new system, must be linked together. Each side designed its network to its own structure and specifications, and in practice these rarely fit together directly. Experience has shown that a great deal of coordination is required to link the two networks sensibly. As the supplier, the machine manufacturer wants to retain its IP address space, which it designs identically for all systems. At the same time, it wants to prevent the system it supplied from being influenced or changed from outside; this is also a warranty issue. The operator, for their part, wants to ensure that the new system does not disrupt the existing network and that sensitive data from their production system cannot be accessed.

Implementing an automation firewall is not only in the operator's interest. The machine builder that installs a machine or system as a supplier gains the certainty that its customer will make changes on the operator side only via defined interfaces and not directly on the PLC. This increases mutual trust and reduces the workload for both the customer and the supplier's own support team.

Firewall as device protection

Put simply, a configuration in an automation network usually consists of a user interface (HMI) and a PLC. The HMI communicates with the machine controller via the corresponding control protocol and visualizes its data. This function must of course be maintained, while vulnerable entry points such as the PLC's web server must be secured.

In this case, the automation firewall is connected between the HMI and the PLC and whitelisting is activated. The whitelist ensures that only explicitly authorized communication is permitted. In this example, it would block all data transfer except that from the HMI to the PLC.

During development of the firewall, emphasis was placed on incorporating the workflow of the automation system from the design stage: configuration takes place either directly on the device (online) or on a computer (offline). Because it takes into account the way the automation system works, integrating the firewall is quick and easy. The configuration software is installed on a Windows computer, which is then connected to the firewall's programming interface via a USB cable. With a few mouse clicks, the user creates a project for the installation, and the firewall records all connections in learning mode. The so-called MapView then shows graphically which IP hosts in the network are communicating with which target via which protocols. On the basis of the recorded packet table, the user decides which connections are permitted and blocks all others. The communication settings are made with a few clicks and the configuration is completed in a few minutes. No special IT knowledge is required, so the installation can be carried out directly by the technical maintenance staff.
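The whitelist between HMI and PLC and the learning-mode workflow of the last two sections, as an added Go example that is not the firewall product's own code: learning mode builds the packet table the MapView shows, the user picks the permitted flow from it, and the filter then drops everything else, including other hosts reaching the PLC's web server. The hosts, ports and the use of Modbus/TCP as the control protocol are constructed assumptions.

```go
package main

import "fmt"

// Flow is one observed connection: source, destination, protocol and destination port.
type Flow struct {
	Src, Dst, Proto string
	Port            int
}

// PacketTable is what learning mode records (and the MapView draws): each distinct flow and its packet count.
type PacketTable map[Flow]int

// Learn runs the firewall in learning mode over captured packets and fills the packet table.
func Learn(packets []Flow) PacketTable {
	table := PacketTable{}
	for _, p := range packets {
		table[p]++
	}
	return table
}

// Permit turns the user's selection into the whitelist. Only flows actually recorded in
// learning mode are accepted, so the allow list stays tied to the observed traffic.
func Permit(table PacketTable, chosen ...Flow) map[Flow]bool {
	wl := map[Flow]bool{}
	for _, f := range chosen {
		if table[f] > 0 {
			wl[f] = true
		}
	}
	return wl
}

// Filter is the runtime decision: default deny, pass only whitelisted flows. Returns the blocked ones.
func Filter(wl map[Flow]bool, packets []Flow) (blocked []Flow) {
	for _, p := range packets {
		if !wl[p] {
			blocked = append(blocked, p)
		}
	}
	return blocked
}

// Constructed sample traffic (not a real capture): the HMI polling the PLC over Modbus/TCP,
// plus two other hosts reaching the PLC's factory-enabled web server on port 80.
var HMIPoll = Flow{"10.0.0.10", "10.0.0.1", "modbus", 502}
var Sample = []Flow{HMIPoll, HMIPoll, {"10.0.0.50", "10.0.0.1", "http", 80}, {"10.0.0.77", "10.0.0.1", "http", 80}}

func main() { fmt.Println("blocked:", Filter(Permit(Learn(Sample), HMIPoll), Sample)) }
```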

To keep the firewall's own attack surface as small as possible, a web interface for configuration was deliberately omitted. By default, the firewall can only be configured via the USB interface. Authentication uses an RSA key pair, which offers a considerably higher security standard than password protection. An optional SSH interface is also available for IT experts.

Author:
Siegfried Müller is Managing Director at MB Connect Line.
