Industrial Security
Secure service access
The number of connected production networks will increase steadily in the age of Industry 4.0. However, access protection for complex networked machines and systems poses major challenges for operators - including in terms of service access.
In order to achieve data and service consistency as part of the future-oriented Industry 4.0 project, production networks are increasingly being connected to company-wide networks - the office systems - and thus ultimately to the Internet. While production-related data flows can be reduced to a defined level and the machines and systems can therefore be protected by applying known best practice methods - such as the creation of a security architecture based on the defense-in-depth principle in accordance with ISA99 and IEC 62443 - maintenance and programming access to such systems proves to be a special task.
As with the onion principle, when implementing a security architecture according to the defense-in-depth method, several network layers are set up, which are protected against each other by access restrictions. The outer layer is connected to the Internet and is therefore the least trustworthy layer. The 'trust level' achieved increases with each additional network layer. Particularly vulnerable systems are therefore located at the core of the 'network onion' - in production networks, the machines and systems with their components. Due to the formation of invisible subnets, their systems are protected by NAT (Network Address Translation) and masquerading, as well as by setting access restrictions that only allow the data streams absolutely necessary for production.
In order to be able to carry out service and maintenance tasks, the relevant employees of the operator as well as the external service technicians of the machine manufacturer must have access to these specially protected network areas. In the past, they were often able to dial in via their own nodes. However, dial-in nodes that can be accessed directly from the telephone network prove to be a considerable security risk. This is because the person dialing in can access the entire network and does not even have to authenticate themselves for most of the systems connected there. Today, this outdated technology is often replaced by common VPN remote maintenance access.
Figure: A service network zone enables user authentication as well as precise access authorizations and access records to be implemented. (© Phoenix Contact)
Although the VPN solutions commonly used today allow an identity check of the authorized group of people and encrypted data transmission, the authorized person still has free access to the protected network. In addition, the encryption prevents the machine operator from viewing the data and thus from exercising any control, which means that a damaging event cannot be traced back. Another problem with the concept is that every machine manufacturer wants to use their preferred remote access system. This results in heterogeneous, unmanageable IT landscapes. Furthermore, VPN remote maintenance access does not solve the challenge of providing the operator's own service technicians with controlled and authenticated access, as VPN remote maintenance access is usually installed by the machine builders.
If the internal service employees are granted extensive access rights to the machines and systems, this in turn leads to a significant reduction in the security level achieved. Access to the protected network should therefore always be reduced to a necessary level, not only in terms of user authentication but also in terms of the access permitted for these users. As a solution, Phoenix Contact's 'ICS Security Consulting' therefore developed a new concept: the establishment of a separate isolated network zone - also known as a service network - for handover or routing and, above all, for controlling and limiting service connections. In the field of information technology, such a network zone is also referred to as a demilitarized zone.
Control over all connections
Figure: Security appliances secure the individual production cells and also enable the creation of service network zones as a transfer point for corresponding service connections. (© Phoenix Contact)
The individual production cells can be secured with industrial-grade security appliances. These devices also enable the creation of the service network zones described above. The service network is located at the level of the production network. Both networks are separated and isolated from each other by the security appliances.
Due to their consistent focus on ICS security, appliances such as the devices in the mGuard family from Phoenix Contact include precisely the range of functions required to implement the tasks described and also act as an access point to the individual networks of the production cells. These networks are transparently integrated into the service network via VPN connections. Corresponding service connections based on VPN can be established and terminated from the production cells - for example using a key switch that controls the security appliances via the integrated digital I/Os. Alternatively, the machine operator can trigger them from an HMI device, in which case internal network events are sent to the appliance. This allows the operator to retain control over possible service connections at all times. Within the VPN connections, firewall rules can determine which service accesses are authorized. If the use of VPN connections is not permitted in the internal networks, the GRE tunnel (Generic Routing Encapsulation) function and the conditional firewall - i.e. switchable firewall rule sets - provide the same functionality.
Activation of dynamic firewall rules
Figure: If service is required, the machine operator's technicians are integrated into the network via VPN connections or direct access. (© Phoenix Contact)
In the approach described above, the machine manufacturer's external service technicians are connected to the service network zone via VPN. All access can be configured in such a way that the respective technician must authenticate themselves via the user firewall of the security appliances. This procedure makes it possible to activate dynamic firewall rules for defined users. The rules apply to the IP address used for authentication. In this way, each technician can only be allowed certain accesses and a multi-level security concept can be created. If the operator accepts the VPN solutions preferred by the machine manufacturer, corresponding end devices must be placed within the service network zone.
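The two mechanisms described above - the operator-controlled conditional firewall switched by a key switch (previous section) and the user firewall whose dynamic rules are bound to the IP address a technician authenticated from (this section) - can be modelled as a small policy engine. The following is an added example written for this article, not Phoenix Contact or mGuard code: the appliance class, the rule format, the network ranges (10.20.0.0/24 as the service zone, 192.168.10.0/24 as a production cell), the user name and password, and the session lifetime are all constructed for illustration. It also applies the default-deny principle from the defense-in-depth section: anything not explicitly permitted is dropped.

```python
"""Model of a service-network-zone policy (added example, hypothetical names).

Evaluation order for a packet from the service zone into a production cell:
  1. static rules (always active),
  2. conditional rules, only while the operator's key switch is in "service",
  3. dynamic user rules, only for the IP the technician authenticated from
     and only while that session has not expired,
  4. otherwise: drop (default deny).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
import hashlib
import hmac
import os


@dataclass(frozen=True)
class Rule:
    """One firewall rule: source network, destination network, TCP port, action."""
    src: str
    dst: str
    dport: int
    action: str  # "accept" or "drop"

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and dport == self.dport)


def first_match(rules, src_ip, dst_ip, dport):
    """Return the action of the first matching rule, or None if nothing matches."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return None


def make_credential(password: str):
    """Constructed credential-store entry: random salt plus PBKDF2-SHA256 digest."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class ServiceZoneAppliance:
    static_rules: list               # always active
    conditional_rules: list          # active only while the key switch is on
    user_rules: dict                 # username -> rules granted after login
    credentials: dict                # username -> (salt, digest)
    service_enabled: bool = False    # key switch state (digital input)
    sessions: dict = field(default_factory=dict)  # src_ip -> (user, expiry)

    def set_key_switch(self, service_position: bool) -> None:
        """Operator key switch: enables or disables the conditional rule set."""
        self.service_enabled = service_position

    def authenticate(self, user, password, src_ip, now, ttl=3600) -> bool:
        """User firewall login; on success the dynamic rules are bound to src_ip."""
        cred = self.credentials.get(user)
        if cred is None:
            return False
        salt, expected = cred
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        if not hmac.compare_digest(digest, expected):
            return False
        self.sessions[src_ip] = (user, now + ttl)
        return True

    def evaluate(self, src_ip, dst_ip, dport, now) -> str:
        """Decide accept/drop for one packet at time `now` (seconds)."""
        action = first_match(self.static_rules, src_ip, dst_ip, dport)
        if action is None and self.service_enabled:
            action = first_match(self.conditional_rules, src_ip, dst_ip, dport)
        if action is None and src_ip in self.sessions:
            user, expiry = self.sessions[src_ip]
            if now < expiry:
                action = first_match(self.user_rules.get(user, []), src_ip, dst_ip, dport)
            else:
                del self.sessions[src_ip]  # expired login: dynamic rules vanish
        return action if action is not None else "drop"  # default deny


def build_demo_appliance() -> ServiceZoneAppliance:
    """Constructed configuration: one production cell, one vendor technician."""
    cell = "192.168.10.0/24"        # production cell behind the appliance (constructed)
    service_zone = "10.20.0.0/24"   # service network zone (constructed)
    return ServiceZoneAppliance(
        # static: SSH into the cell is never allowed, whoever is logged in
        static_rules=[Rule(service_zone, cell, 22, "drop")],
        # conditional: the operator's engineering station, only while key switch is on
        conditional_rules=[Rule("10.20.0.10/32", cell, 44818, "accept")],
        # dynamic: the vendor technician gets Modbus/TCP only, after logging in
        user_rules={"vendor_tech": [Rule(service_zone, cell, 502, "accept")]},
        credentials={"vendor_tech": make_credential("correct horse battery staple")},
    )


if __name__ == "__main__":
    fw = build_demo_appliance()
    fw.authenticate("vendor_tech", "correct horse battery staple", "10.20.0.5", now=0)
    print(fw.evaluate("10.20.0.5", "192.168.10.7", 502, now=1))   # accept
    print(fw.evaluate("10.20.0.6", "192.168.10.7", 502, now=1))   # drop: other IP
```

The ordering of the three rule classes is the security-relevant design choice: a static drop cannot be overridden by a login, the conditional set is inert until the operator physically enables it, and a dynamic grant follows the authenticated address rather than the user name, so a second host in the service zone gains nothing from someone else's session.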
In conclusion, it can be said that providing service access to machines and systems offers operators considerable advantages, but also presents them with major challenges in terms of access security. Ultimately, security is not static, but must be lived. This also means that everyone involved, from the user to the administrator to those responsible for security, should have the same level of knowledge.
Author:
Andreas Fuß works in Marketing Network Technology at Phoenix Contact Cyber Security, Berlin.