Following risk analysis, Volkswagen AG has introduced a new security standard for its car bodywork production network at its plant in Emden, Germany. Thanks to the segmentation of the network, the installation of industrial firewalls, and stricter access rules, the systems are now protected against unauthorised access.

Ethernet-based production systems are becoming increasingly well established. Easy integration into intranet and internet, the high bandwidth of up to Gigabits per second and decreasing costs of industrially specified cables, connectors, switches, and routers are the reasons behind this development. The other side of the coin is an increased risk of malfunctions and production interruptions due to security loopholes in industrial networks.

For this reason, an internal risk analysis was conducted at Volkswagen AG’s Emden car body production plant and the security of the systems was scrutinised, including their control technology. The result – sensitive production systems were insufficiently protected against unauthorised access because attacks can be triggered by malware, inadvertent access or unintentional misentries during internal network operations and their prevention by centralised firewalls is very complex and not cost effective.

Employees of third party companies who access the network using their laptops during service operations or for hardware and software installations and can unintentionally spread malware are deemed to pose a potential risk, for example. Unintentional misentries were also identified as problematic weaknesses. Jens Hoofdmann, bodywork maintenance specialist, cited one problematic issue arising from the analysis, “A typical example is the installation of a server which subsequently sends ping packets to the entire network at short intervals. Such permanent requests can disrupt or even crash an industrial controller.”

An action item matrix was developed based on the risk assessment, encompassing organisational changes, network segmentation, and the introduction of distributed industrial firewalls.

When it came to selecting suitable hardening and security measures Volkswagen AG’s Emden plant opted for industrial routers with an integrated firewall. The distributed industrial firewall/router solution segments the production network in the car body construction plant at Emden into 15 isolated subnetworks. For central protection featuring comparable granularity all systems and sub-networks would need star layout network cabling with a high capacity firewall in a complex configuration. Given the typical distances between network nodes at industrial plants this proves particularly expensive and inefficient which is why these environments are virtually dominated by tree shaped and linear cable topologies and therefore better suited to a distributed firewall approach.

The central IT department was also involved in the preliminary discussions regarding implementing the new structure, the technical evaluation, and start-up monitoring. The production related IT department ultimately assumed responsibility for addressing the planning, installation, commissioning, and administration tasks.

The system network had already been successfully planned and put into operation in conjunction with Phoenix Contact, the automation specialist based in the German town of Blomberg. The positive experience gained from this project and the knowledge acquired of the systems also proved highly beneficial during the network protection operations. The company put its trust in FL mGuard industrial firewall/router modules from Phoenix Contact and Innominate. The key criteria in their selection were their suitability for industrial applications and the availability of a central management system.

The mGuard modules are based on an embedded Linux and integrate four perfectly coordinated security components – a bi-directional stateful inspection firewall, a flexible NAT router, a secure VPN gateway, and industry suitable protection against malware as an option.

The fact that the mGuard security appliance is self sufficient and can be subsequently integrated into existing production networks without repercussions using its stealth mode of operation proved to be particularly advantageous. As such, in routing terms the firewall behaves transparently as a bridge.

From Jens Hoofdmann’s perspective, installing, setting up, and integrating the industrial firewalls was rather easy. The devices were used in a distributed manner in control cabinets for every uplink connection. In hardware terms, Volkswagen AG was able to mount the 24 V DIN rail devices directly into the control cabinets and allow its own staff members to start them up based on the existing network structure and without any re-cabling operations.

Jens Hoofdmann explained that a very pragmatic approach was adopted towards setting up the firewall rules. In the first instance, all data traffic was permitted and access to the subnetworks was only logged. The log files were subsequently evaluated and recorded in the form of rules governing which type of access should be permitted in future. The rules were tested, revised, and finally defined in their present form.

During this phase, the company was able to utilise the experience of Innominate, a fully owned Phoenix Contact subsidiary. Jens Hoofdmann stated, “We benefited extensively from Innominate’s first class expertise in industrial networks, protocols, and firewall rules and were thus able to optimize and enhance the structure of the installations.”

The Innominate Device Manager (IDM) central management system features a template mechanism facilitating central configuration and management of all mGuard devices. The parameters for firewall rules and NAT settings are directly configured in IDM without abstract security policies needing to be defined. The upload function is used to upload the rules to all the listed devices and configure them in one step. The IDM enabled special rules to be implemented between the subnetworks, subgroups, and user groups and then distributed to all firewalls.

According to the maintenance team at Volkswagen Emden, device management has been greatly facilitated by the central management system. Generating a new firewall rule within five minutes in order to grant a member of the service team access, for example, is no longer an issue.

Robots, PLCs, panel PCs, laser technology, welding systems, controllers, and the driverless transport system have since been protected by distributed firewalls on the Emden car bodywork production network. Jens Hoofdmann reports that there have been no security incidents since the firewalls were installed. However, they have been able to identify infected devices from other production sectors based on the log files. In one of these instances, a virus had attempted to spread to other devices. However, access to the protected computers was blocked and it was possible to advise the other sectors of the malicious malware. Jens Hoofdmann, “Our experience with the mGuard industrial firewalls is nothing but positive. We are completely satisfied. The support provided by Innominate was also extremely professional as and when problems arose. All unauthorized access is blocked and the systems are now better protected against malware.”