Lockdown of a different stripe – locking down a validated production system with perimeter security
The requirement to keep confidential information secure is hardly new. The Spartans of ancient Greece encoded messages vertically on a strip of leather wrapped in a helix around a wooden rod. Without the right key – the correctly sized rod – the message couldn’t be decoded. While we are now a long way from wrapping wooden rods with strips of leather, the need for security hasn’t changed.
However, it’s only in recent years that security has become a prime concern of manufacturers. For as long as I can remember, the security people in a manufacturing plant were much more concerned with crescent wrenches and screwdrivers “accidentally” leaving the building.
Today, our factory floor production machines are using Ethernet as the backbone of their control systems. Few, if any, of these Ethernet devices use secure boot. Almost none are encrypting control messages. And recently, a lot of these systems have been extended to link to enterprise and cloud applications. Those connections are avenues of attack. An attacker who gets access to a manufacturing Ethernet network often has free rein to create all kinds of havoc. There’s generally nothing stopping the attacker from accessing the controller tags, turning pumps on or off, increasing motor speeds, or opening and closing valves.
There are two general approaches to manufacturing security: device and perimeter security. One is a waste of time, the other is the effective approach.
DEVICE SECURITY (an impractical approach)
The makers of security ASICs and high-end custom processors recently started promoting the idea of securing the factory by equipping every single device on the plant floor with security hardware. Device security, like this, requires every component of the manufacturing system to ensure data integrity, reject untrusted entities and prevent unauthorized actions.
These are reasonable objectives but achieving this kind of secure operation in a control network means adding specialized security components, higher performance processors, more memory and higher cost to every single device on the factory floor.
Expecting to achieve manufacturing security by upgrading every single factory floor device is extremely problematic and essentially unworkable:
- These types of systems use Public Key Infrastructure (PKI) which relies on public and private keys. Who will generate those keys? Do we burden the manufacturer with maintaining that key generation process?
- PKI requires a Certificate Authority. Do manufacturers build that infrastructure or do they accept unsigned certificates from vendors?
- Are manufacturers willing to invest the time and money to upgrade many of their older, legacy devices?
- Are manufacturers prepared to pay more (a lot more) for advanced devices equipped with the special hardware and advanced processors required to achieve device security? Or will they just buy the insecure devices because of cost considerations?
What’s clear is that equipping every single device on the factory floor with device security is far too complex, impractical and expensive for cost-sensitive manufacturing operations. Lockdown, a long-established mechanism for keeping a validated line operational, becomes impossible. Instead, manufacturers would have to track every device and every device’s hardware and firmware level, and continually roll out security updates. That’s so wildly impractical that it boggles the mind that it would be proposed.
PERIMETER SECURITY (the right approach)
A better choice for manufacturing security is adopting an enhanced perimeter security system. Perimeter security is not new to manufacturing. Most manufacturing systems have always had the capability to restrict message traffic between the IT network and the control system. With the growing threat from outside attackers, internal resources requiring more and more data, and vendors wanting maintenance access to devices in the control system, the need to provide highly secure access is greater than ever.
At a minimum, routers with firewall capabilities can restrict some message traffic, but routers are not security appliances. An effective plant floor security appliance should provide at least these benefits:
- A stateful firewall to implement security policy for the control network
- A captive portal where users can be authenticated locally or by Active Directory
- Network Address Translation (NAT): 1:1, 1:many, port forwarding and Outbound NAT
- Remote access using a VPN server
- Configuration over a graphical user interface, not a Command Line Interface (CLI)
- A Deep Packet Inspection (DPI) engine supporting EtherNet/IP, PROFINET IO and Modbus TCP
- Scheduled security policy that restricts certain traffic to specific days and hours
- Network Asset Detection with support for the Rockwell FactoryTalk® AssetCentre
A security appliance of this type allows the controls team to be more flexible and adaptable, using any and all legacy devices. Most of all, it allows a validated production system to go into lockdown. The requirement to manage the security of hundreds, if not thousands, of control devices is eliminated.
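To make two of the listed capabilities concrete, the sketch below combines Modbus TCP deep packet inspection with a scheduled policy: reads are always allowed, writes only inside a maintenance window. It is an added example, not code from the article or from any vendor's appliance; the permitted function-code sets and the Monday to Friday, 08:00 to 16:59 window are assumptions chosen for illustration.

```python
import struct
from datetime import datetime

# Assumed policy: standard Modbus read function codes are always permitted.
READ_ONLY = {0x01, 0x02, 0x03, 0x04}
# Standard function codes that change coils or registers in the controller.
WRITES = {0x05, 0x06, 0x0F, 0x10}
# Assumed maintenance window: Monday-Friday (weekday 0-4), 08:00-16:59.
MAINT_DAYS = range(0, 5)
MAINT_HOURS = range(8, 17)


def parse_mbap(frame: bytes):
    """Return (transaction_id, unit_id, function_code), or None if malformed."""
    if len(frame) < 8:  # 7-byte MBAP header plus at least the function code
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    # Protocol id is 0 for Modbus; length counts the unit id plus the PDU.
    if proto != 0 or length != len(frame) - 6:
        return None
    return tid, unit, frame[7]


def decide(frame: bytes, when: datetime) -> str:
    """Apply the read/write policy to one Modbus TCP request."""
    parsed = parse_mbap(frame)
    if parsed is None:
        return "drop:malformed"
    fc = parsed[2]
    if fc in READ_ONLY:
        return "allow:read"
    if fc in WRITES:
        in_window = when.weekday() in MAINT_DAYS and when.hour in MAINT_HOURS
        return "allow:write" if in_window else "drop:write-outside-schedule"
    # Default deny: diagnostics, vendor-specific and unknown function codes.
    return "drop:function-not-permitted"


# Constructed sample requests (not captured traffic).
READ_HOLDING = bytes.fromhex("00010000000601030000000000a"[:24])
WRITE_COIL = bytes.fromhex("00020000000601050013ff00")
DIAGNOSTIC = bytes.fromhex("000300000006010800000000")

if __name__ == "__main__":
    weekday_shift = datetime(2024, 1, 10, 10, 0)   # Wednesday morning
    weekend = datetime(2024, 1, 13, 10, 0)          # Saturday morning
    for name, frame in [("read", READ_HOLDING), ("write", WRITE_COIL),
                        ("diag", DIAGNOSTIC), ("short", WRITE_COIL[:5])]:
        print(name, decide(frame, weekday_shift), decide(frame, weekend))
```

Because the decision is made at the perimeter, the legacy controllers behind it need no changes, which is the property the lockdown argument relies on.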
Every day manufacturers continue to increase the number of IoT devices and connect more and more of their control systems to enterprise and cloud applications. And every day they increase their vulnerability to attack. Because the majority of these attacks are often not publicized, no one knows for certain how many plants have had their servers locked, important data stolen, messages altered, and programmable controllers hijacked.
Many silicon vendors, sensing an opportunity, are prodding manufacturers to require all control and I/O devices to include hardware-based security. That’s clearly the wrong approach. Equipping every factory floor device with device security is far too complex, impractical and expensive. It is too much for already overburdened control teams to manage, and it impedes the long-established practice of locking down a validated production line.
The right approach is to invest in perimeter security appliances that provide enhanced firewalls, NATs, Deep Packet Inspection, captive portals, scheduled security policy rules, and all the other characteristics that make an effective perimeter security appliance.
For more information on what to look for in a perimeter security appliance, download the white paper at www.rtautomation.com/defender.