Kaspersky / BE.services
Security for Codesys controllers
PC users are probably familiar with the name Kaspersky. The IT security expert has now made its first appearance at SPS IPC Drives and, together with the company BE.services, presented a new security solution for Codesys controllers.
"Whether energy producers, transportation or the automotive and food industries - security vulnerabilities are not a phenomenon of individual sectors, but are common to all branches of industry," says Andrey Nikishin, Special Projects Director, Future Technologies, at Kaspersky Lab. A recent study bears this out: in 2015, 188,019 computers (hosts) of industrial control systems (ICS) worldwide were accessible via the Internet. Of these, 13.9% were located in Germany. In addition, the number of vulnerabilities found in ICS components has increased tenfold over the past five years. Almost half of them (49%) are critical vulnerabilities.
Kaspersky has therefore concluded that industry needs dedicated security solutions designed and developed around its specific requirements. At a press conference, Andrey Nikishin and Dimitri Philippe, CEO of BE.services, a Kempten-based company specializing in embedded software technologies for industrial automation, explained what such a solution looks like: one that provides comprehensive protection against general and targeted threats without having a major impact on technical processes. The 'Embedded Security Shield' jointly developed by the two companies is based on 'Kaspersky Security System' (KSS) and comprises two parts: the embedded software 'Embedded Security Shield' (ESS) and the development software 'ESS Security Editor Plug-in for Codesys'.
According to Dimitri Philippe, the solution is integrated into Codesys-based control systems, for which BE.services will be responsible, as follows: "We separate the Codesys runtime system into two completely isolated domains - Codesys COM RTS for communication on one side and Codesys CORE RTS for application execution on the other. The inter-process communication between these two domains is handled by KSS, which controls incoming requests via the 'Codesys Gateway' and either allows them or blocks the request command according to predefined rules." By way of explanation, the gateway in question is responsible for online access to PLC-OPC communication and other functionalities such as the PLC handler or the data server in Codesys. Because so much runs through this gateway, a successful attack via an OPC client, for example, would enable unlimited access to the PLC.
In a nutshell: with KSS, BE.services implements a security kernel in the Codesys runtime that regulates access to the controller by means of whitelisting. Security policies are configured using the 'ESS Security Editor'. With this plug-in, the security administrator can configure KSS directly in the Codesys interface. Communication between the editor and KSS takes place via a trusted channel.
At the Kaspersky Lab stand, the solution was presented using the example of an RTU from Altus for power distribution applications. As part of an 'Industry 4.0 & IIoT Software Package for PLCs', the integration of KSS was also on display at the Xilinx stand. A corresponding evaluation board will be available shortly after the trade fair.









