Security requirements for industrial Ethernet networks are quickly migrating from Enterprise networks to process control and other industrial environments. The recent issues with the Stuxnet malware have given us all a wakeup call, and we now need to take a fresh look at how security is managed within industrial networks. John Browett of CLPA looks at the potential threats to industrial network security, and how to mitigate them.

In the march towards Ethernet as the industrial network of choice, considerations for network security have lagged behind somewhat. And yet there is the very real possibility of networks being compromised both from outside a given facility, and from within.

In particular, last year’s incident involving the widely publicised Stuxnet virus that attacked SCADA systems has shown that a typical plant floor control architecture has weak points and vulnerabilities when it comes to security. This has led many companies to question the traditional methods used to move information around between the plant/asset and the enterprise level.

Security problems at this level and at plant floor device level are exacerbated by the fact that there is often limited collaboration between a company’s IT department and the control engineering departments. In addition, within the control and engineering community, there is not always adequate recognition of the automation system security threats and liabilities.

The drive towards open network technologies generally, and towards Ethernet in particular, as a means of giving companies the freedom they want to choose best of breed control technologies has exacerbated the security threat. Users want standardisation, flexibility and choice, and this has been delivered through standardised open protocols. The trade-off, though, which is only just coming to be realised, is that these open protocols are less robust and more susceptible to attack.

Looking then at what the ideal industrial network would offer, we can build up a wish list that offers the robustness of the old combined with the flexibility of the new. This wish list might include common cabling, standard connectors, open standards, ease of configuration, flexibility, highest possible security, and reduced susceptibility to attack.

In looking at how we might be able to adapt industrial Ethernet to meet the requirements of this wish list, it is worth revisiting our definition of Ethernet, because nowhere in networking parlance has a single word been so misused as an umbrella term for so many disparate standards, technologies and applications. And the best place to start for that is with the OSI seven layer model itself.

Not all industrial Ethernet offerings implement the Ethernet stack in the same way. Within the application layer the different industrial Ethernet organisations implement their own kernels and protocols which define much of the functional benefits of their technologies. From a security point of view, though, what is really of interest are the more vulnerable lower layers.

Under the seven layer model, all it takes is for one layer to fall to an attack before the whole communications system is compromised, potentially without the other layers even being aware that there is a problem. Security is only as strong as the weakest link.

There are a number of discrete security products available, and these work well, but one of the biggest problems in the industrial arena lies in implementing tightly integrated security systems without incurring excessive costs and without imposing a level of complexity that makes the system difficult to maintain and support. Further, standard commercially available security solutions are rarely up to the rigours of life in challenging industrial environments.

In terms of network technology, much work has been done to make Layer 2 more secure, but in classic implementations of industrial Ethernet little has been done to address weaknesses in the Network Layer (Layer 3) and the Transport Layer (Layer 4). Like the office Ethernet implementation, the vast majority of industrial Ethernet technologies are still built around IP within Layer 3 and TCP/UDP within Layer 4.

Most industrial Ethernet network installations implement perimeter security (firewall services) at points where they connect to other networks to provide protection at these vulnerable layers. Firewalls filter on source and destination IP addresses and protocol port numbers (for example TCP and UDP ports) to further restrict the traffic permitted to enter an Ethernet network. Packet filtering may be implemented even among known network communities, and in some cases filtering deals with very specific device addresses and application ports to provide a layer of access security unique to an attached device and application. Despite this however, in classic industrial Ethernet implementations, Layer 3 and Layer 4 are still highly vulnerable to attack.
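The device- and application-specific filtering described above can be sketched as a default-deny allowlist. This is an added example, not code from the article or from CLPA; the addresses, the port and the names Rule, decide and broad_rules are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str    # network allowed to initiate the flow
    dst: str    # device or network being protected
    proto: str  # "tcp" or "udp"
    port: int   # destination application port

    def matches(self, src_ip, dst_ip, proto, port):
        return (proto == self.proto and port == self.port
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))


# Constructed sample policy for the boundary of one plant-floor cell.
ALLOW = [
    # Tight: one engineering workstation to one controller, one port.
    Rule("10.10.1.20/32", "10.20.5.11/32", "tcp", 502),
    # Loose on purpose: a whole office subnet to the whole cell.
    Rule("10.10.2.0/24", "10.20.5.0/24", "tcp", 502),
]


def decide(src_ip, dst_ip, proto, port, rules=ALLOW):
    """Default deny: permit only when an explicit rule matches.

    The decision uses header fields alone (addresses, protocol, port);
    it says nothing about what a permitted flow carries.
    """
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, port):
            return "permit"
    return "deny"


def broad_rules(rules=ALLOW):
    """Audit helper: rules whose source or destination is more than one host."""
    return [r for r in rules
            if ipaddress.ip_network(r.src).num_addresses > 1
            or ipaddress.ip_network(r.dst).num_addresses > 1]


if __name__ == "__main__":
    print(decide("10.10.1.20", "10.20.5.11", "tcp", 502))
    print(decide("10.10.1.21", "10.20.5.11", "tcp", 502))
    print(broad_rules())
```

Reviewing the output of broad_rules is a quick way to find entries that have drifted away from per-device, per-application filtering.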

CC-Link IE

CC-Link IE, however, is different. CC-Link IE (Control and Communication Link Industrial Ethernet) was developed by CLPA as the first completely integrated gigabit Ethernet network for industrial automation, defining the new threshold for open standards for Industrial Ethernet.

CC-Link IE combines the best of many existing technologies and applies them to an optical or copper based industrial network system with a redundant architecture that enables extremely high-speed and reliable data transfer between field devices and other controllers via Ethernet links. The signalling rate of 1Gbps will redefine users’ expectations and system capabilities, and is more than enough to cater for the real-time communications requirements of today’s manufacturing industries.

There are variants of CC-Link IE to address control requirements at all levels of the automation network. At controller level, there is CC-Link IE Control. At device level, there is CC-Link IE Field and CC-Link IE Motion. And of course there is tight integration with the CC-Link fieldbus.

Most importantly, CC-Link IE differs from conventional implementations by defining an open ‘Real-Time Protocol’ within the stack layers. By taking this approach to implementing these layers within the Ethernet stack, CC-Link IE realises the benefits of our network technology wish list.

CLPA

T: 0776 833 8708

www.the-non-stop-open-network.com