In order to be able to counter different threat scenarios flexibly, security strategies consisting of several layers of protection are implemented nowadays: At the core are the automation components. This is followed by the network, via which these components can communicate with other components or even with an ERP system. The top layer is the factory, which is shielded from the outside by a firewall concept.

However, such concepts are not enough to provide all-round protection for systems. Threats can also come from within, i.e. from employees themselves. Therefore, physical protection against unauthorized access to network devices such as firewalls, switches and automation components forms the basis of any security strategy. Only if these devices are not freely accessible can they be prevented from being manipulated on site.

A simple measure can be to install all these components behind closed doors, for example in lockable switch cabinets or distribution boxes. This also significantly reduces the risk of operating errors by unauthorized personnel.

The situation is different directly at the machine and in the machine parks: If operation, set-up, maintenance and repair are to be economical, direct and, above all, safe human access to the machine or machinery is required. Different roles and authorizations are associated with the aforementioned activities on the machine - from machine operator to service technician. At this point, the operator needs a user management system that regulates access to the machine according to authorizations or skills. The Human Machine Interface (HMI) serves as the operator interface.

Security and user management rules

The normative framework for the implementation of secure user management is already regulated in principle: There is the NIS 2.0 (Directive on the Security of Network and Information Systems). The first EU-wide law on cybersecurity, the NIS Directive, came into force in 2016 and helped to achieve a higher and more consistent level of security for network and information systems across the EU. The NIS 2.0 and the IT Security Act 2.0, which came into force in July 2015, primarily relate to critical infrastructures. The topic of industrial security is also included in the new Machinery Regulation. It will become binding from the Machinery Directive in 2023 at the earliest. This still gives manufacturers in particular a certain amount of leeway - but there is still an acute need for action in the search for practicable solutions.

Clear specifications through IEC 62443-4-2

Industrial security is anchored in the new Machinery Ordinance.

© iStock.com/metamorworks

IEC 62443-4-2 prioritizes the identification and authentication of human users as the most important point, followed - and closely interwoven - by usage control. Usage control means the enforcement of authorization and the mapping of authorization to the respective roles (operate, maintain, repair, ...).

One thing is certain: People are the weakest link in the security network. User administration must therefore not only be solved and supported organizationally, but also technically. This is where classic user administration comes in, which is implemented with local user administration in the components. The disadvantage here is often the limited number of user accounts due to limited storage resources and the defined rigid assignment of privileges to roles or groups - for example for administration and diagnostics.

This is only partially efficient for the future. For example, traditional user administration requires regular changes to passwords and password policies. This ongoing task must also be documented correctly. Added to this are the many different components from various manufacturers and, last but not least, the different approaches of machine manufacturers and operators. A practicable implementation of all security rules and measures requires integration into a user management system.

What solutions does IT offer?

Various IT solutions are available for user administration. LDAP (Lightweight Directory Access Protocol) is a well-known network protocol for querying and changing information from distributed directory services and is also the de facto industry standard for authentication, authorization and address and user directories. Most software products that have to deal with user data and are relevant on the market support the protocol.

LDAP can also be easily integrated into Windows environments (Active Directory), is widely used and is also suitable for WiFi WPA2 Enterprise.

Another IT solution is 'Radius'. Radius stands for Remote Authentication Dial In User Service and is a network protocol for user authentication. In the past, it was primarily of interest to Internet service providers (ISPs). The network protocol performs three main functions: authenticating users or devices before they gain access to a network; authorizing these users or devices for certain network services; and tracking access to these services (important for user management).

For LDAP and Radius, the secure variants LDAPS (LDAP Security) and RadSec (Radius Security) should be used. But there are disadvantages: RadSec, for example, is not widely used. In addition, RadSec and LDAPS are based on asymmetric cryptography, which increases the resource requirements in the control level components, which in turn increases the hardware costs, as an on-site server must also be integrated into the solution. Another disadvantage is that if the LDAP or Radius server is under the management of the operator, the machine manufacturer cannot simply maintain users for remote access - and vice versa.

Away from hardware, towards the cloud

The general trend towards cloud solutions is also interesting for the topic of user administration. The advantage of a cloud solution is that it saves space in the components. In addition, no local LDAP or Radius server is required. Even complex policies can be implemented in the cloud. Machine builders and operators can share user administration (for example, thanks to the multi-client capability of the cloud solution). In addition, a cloud connection could be used for other services.

But there are disadvantages here too: TLS (Transport Layer Security) or a comparable secure protocol is required for communication with the cloud, which in turn increases resource requirements. In addition, the necessary internet connection represents a potential security gateway for attackers. And, of course, 'end-to-end availability' plays an important role when it comes to the cloud.

Although a cloud solution could solve existing problems, new challenges arise at the same time.

User administration with certificate