Securing automation systems: a step-by-step approach
02 December 2014
Frithjof Klasen focuses on industrial communications networks and explains how Profibus International (PI) is squaring up to the problem of automation system security.
When it comes to the security of automation systems, there are no simple solutions. A system is only safe if the threats are known. Typical security threats in production include infection by malware, unauthorised use (both intentional and unintentional), manipulation of data, espionage and related know-how loss, and denial of service. The consequences can be loss of production, reduced product quality, and endangerment of humans and machines.
In order to evaluate threats, the properties and possible weak points of devices and systems must be known. After all, a property that is useful from the automation perspective – for example, the ability for a programming device to access a controller without authentication – is seen as a possible weak point from the security perspective. These weak points must be distinguished from one another in order to assess the risks, develop security solutions, and take appropriate measures. They fall into the following categories:
- Weak points that arise due to incorrect implementation (for example, faulty device behaviour).
- Conceptually planned and accepted properties. These include all features that can also be exploited for attack purposes. An example here would be an integrated web server in an automation device.
- Weak points that are caused by organizational measures or lack thereof.
Field devices not only contain communication technologies for transmission of process signals (real-time communication) but also standard IT technologies, such as FTP services. In addition, field devices also operate as network infrastructure components (switches) and therefore have services and protocols that are needed for network management and diagnostic purposes.
The fact of the matter is that most communication protocols at the field level have no integrated security mechanisms. Devices and data are not authenticated and, consequently, within the scope of a possible attack, devices can be added to field-level systems at will and messages can be injected. Even the transfer of PLC programs often takes place without security measures such as user authentication and integrity protection.
There is no panacea
Ideally, users would like to have a tool, certification, or system that promises them long-term security. The difficulty, however, is that such solutions don't provide lasting security. In order to develop secure systems, users must not only implement technical measures but also conceptual and organizational measures. And everyone will know from their own experience that processes can be implemented in technologies much faster than in the minds of people.
However, conceptual and organizational weak points can be more easily overcome when they are described in guideline documents. For example, Profibus and Profinet International (PI) developed a Security Guideline for Profinet in 2006 and published a completely revised version of this guideline at the end of 2013. This guideline specifies ideas and concepts on how security solutions can and should be implemented, as well as covering the subject of risk analysis.
The risk analysis estimates the probability of a damage event and its possible consequences, based on protection goals, weak points, and possible threats. Only on the basis of an analysis of this type can appropriate security measures be derived that are also economically feasible. A series of proven best practices is also given, such as the cell protection concept.
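The following is an added example, not code from the article or from PI's guideline, of the kind of risk analysis the paragraph describes: each entry in a small risk register names an asset, its protection goal, a weak point and a threat, rates probability and consequence on a qualitative scale, and carries a numeric loss estimate so that a proposed measure can be checked for economic feasibility. The five-point scales, the assets, the ratings, the euro figures and the measure names are all constructed placeholders, not values from the guideline.

```python
"""Added example: a minimal risk analysis in the style the article describes.
Rates each threat by probability and consequence, ranks the results, and
checks whether a proposed measure costs less than the loss it avoids.
Every asset, rating and cost below is a constructed placeholder."""
from dataclasses import dataclass

# Qualitative five-point scales (an assumption, not a PI requirement).
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "frequent": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    asset: str
    protection_goal: str        # availability, integrity or confidentiality
    weak_point: str
    threat: str
    probability: str            # key of PROBABILITY
    consequence: str            # key of CONSEQUENCE
    events_per_year: float      # quantitative estimate used for the cost check
    loss_per_event_eur: float   # constructed loss estimate per damage event

    def score(self) -> int:
        """Probability times consequence, the usual risk-matrix product."""
        return PROBABILITY[self.probability] * CONSEQUENCE[self.consequence]

    def level(self) -> str:
        """Map the score onto three bands (thresholds are an assumption)."""
        s = self.score()
        if s >= 15:
            return "high"
        if s >= 8:
            return "medium"
        return "low"

    def expected_annual_loss(self) -> float:
        return self.events_per_year * self.loss_per_event_eur


@dataclass(frozen=True)
class Measure:
    name: str
    annual_cost_eur: float
    residual_fraction: float    # share of the expected loss remaining after the measure


def rank_risks(risks):
    """Highest score first; ties keep their register order."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def measure_is_feasible(risk: Risk, measure: Measure) -> bool:
    """A measure is economically feasible if it costs no more than the loss it avoids."""
    avoided = risk.expected_annual_loss() * (1.0 - measure.residual_fraction)
    return measure.annual_cost_eur <= avoided


# Constructed register: threat types taken from the article, figures invented.
RISK_REGISTER = [
    Risk("line PLC", "integrity", "unauthenticated program download",
         "manipulation of PLC program", "possible", "major", 0.2, 150_000.0),
    Risk("cell network", "availability", "no limit on broadcast traffic",
         "elevated broadcast load during commissioning", "likely", "moderate", 2.0, 10_000.0),
    Risk("engineering station", "confidentiality", "USB ports enabled",
         "malware infection", "likely", "severe", 0.5, 200_000.0),
    Risk("field device web server", "availability", "integrated web server",
         "denial of service", "unlikely", "minor", 0.1, 2_000.0),
]

CELL_FIREWALL = Measure("cell protection firewall", 8_000.0, 0.3)
FULL_WHITELISTING = Measure("application whitelisting on all devices", 15_000.0, 0.2)


if __name__ == "__main__":
    for r in rank_risks(RISK_REGISTER):
        print(f"{r.level():6} {r.score():2}  {r.asset}: {r.threat} "
              f"(expected loss {r.expected_annual_loss():.0f} EUR/year)")
    print("firewall for malware risk feasible:",
          measure_is_feasible(RISK_REGISTER[2], CELL_FIREWALL))
    print("whitelisting for web-server risk feasible:",
          measure_is_feasible(RISK_REGISTER[3], FULL_WHITELISTING))
```

The point of the feasibility check is the one the paragraph makes: the same measure can be justified against one risk and wasteful against another, and only the analysis tells you which.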
Making devices more secure
Another measure concerns device security. After all, robust devices are the basis for stable processes and systems. They are a basic prerequisite for security in automation. Weak points due to incorrect implementation can be eliminated only through appropriate quality assurance measures and certifications.
In large networks, system availability matters the most. To achieve this, devices must respond reliably to various network load scenarios. In systems with many devices, an unintended elevated broadcast load can occur on the network during commissioning, for example, when the master attempts repeatedly to access all devices even though only a few devices are connected.
The available devices must be able to handle this abnormal load. It is difficult for operators to predict such scenarios since the probability of a high data volume is dependent on the system. The reason is that the data traffic is determined by cyclic and acyclic data exchange as well as the event-driven data volume.
With the help of the Security Level 1 Tester developed by PI for certification of Profinet devices and available free-of-charge to member companies, such network load scenarios up to, and including, denial of service can be simulated already in advance. The field devices are tested under stress conditions to simulate an unpredictable load and, thus, to reduce device failures.
Uniform test specifications have been defined for this, which can be systematically applied by the test tool. In addition, various network load-related scenarios have been developed that take into account various frame types and sizes as well as the repetition period and number of frames per unit of time, among other things.
The network load-related test is a standard requirement of the automotive industry. It is now integrated in the device certification testing according to the latest PROFINET 2.3 specification and must therefore be passed in order for a device to be certified. Users that purchase such a certified device can be confident that it is robust.
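As an added example from the operator's side (not code from the article and not part of PI's Security Level 1 Tester), the monitor below classifies captured Ethernet frames as broadcast, multicast or unicast, totals frames and bytes per time window, and flags any window whose broadcast rate exceeds a threshold. This is the commissioning scenario the text describes, seen from a monitoring port rather than from the test tool. The capture is constructed inline, the MAC addresses are locally administered placeholders, and the 50 broadcasts per second threshold is an assumption to be tuned per installation.

```python
"""Added example: detect an elevated broadcast load from a frame capture.
Frame records, MAC addresses and the threshold are constructed for
illustration and are not taken from any PI test specification."""
from collections import defaultdict
from dataclasses import dataclass

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    t_ms: int       # capture timestamp in milliseconds
    dst_mac: str    # destination MAC address
    length: int     # frame length in bytes


def frame_class(dst_mac: str) -> str:
    """Broadcast, multicast (I/G bit set in the first octet) or unicast."""
    if dst_mac.lower() == BROADCAST_MAC:
        return "broadcast"
    first_octet = int(dst_mac.split(":")[0], 16)
    return "multicast" if first_octet & 0x01 else "unicast"


def load_per_window(frames, window_ms: int):
    """Count frames per class and total bytes for each window index."""
    stats = defaultdict(lambda: {"broadcast": 0, "multicast": 0, "unicast": 0, "bytes": 0})
    for f in frames:
        w = f.t_ms // window_ms
        stats[w][frame_class(f.dst_mac)] += 1
        stats[w]["bytes"] += f.length
    return dict(stats)


def flag_broadcast_storms(frames, window_ms: int = 1000, max_broadcast_per_s: float = 50.0):
    """Return (window index, broadcast frames per second) for windows over the limit."""
    flagged = []
    for w, s in sorted(load_per_window(frames, window_ms).items()):
        rate = s["broadcast"] * 1000 / window_ms
        if rate > max_broadcast_per_s:
            flagged.append((w, rate))
    return flagged


def constructed_capture():
    """Three seconds of constructed traffic: cyclic unicast I/O, a little
    background broadcast and multicast, and a burst of discovery broadcasts
    during the second second, as a master polling for absent devices would cause."""
    frames = []
    for t in range(0, 3000, 4):          # cyclic unicast I/O every 4 ms
        frames.append(Frame(t, "02:00:00:00:00:01", 64))
    for t in range(0, 3000, 250):        # background broadcast every 250 ms
        frames.append(Frame(t, BROADCAST_MAC, 60))
    for t in range(0, 3000, 100):        # multicast every 100 ms
        frames.append(Frame(t, "01:00:5e:00:00:01", 60))
    for t in range(1000, 2000, 5):       # commissioning burst: broadcast every 5 ms
        frames.append(Frame(t, BROADCAST_MAC, 60))
    return sorted(frames, key=lambda f: f.t_ms)


if __name__ == "__main__":
    capture = constructed_capture()
    for w, s in sorted(load_per_window(capture, 1000).items()):
        print(f"window {w}: {s}")
    for w, rate in flag_broadcast_storms(capture):
        print(f"ALERT window {w}: {rate:.0f} broadcast frames/s")
```

In the constructed capture the middle window carries about 200 broadcasts per second against a baseline of four, which is exactly the kind of abnormal load a certified device is expected to survive and an operator would want to see logged.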
Only those who know their devices can protect them. But not all manufacturers provide comprehensive information about the protocols and services, and the communication properties of their devices. And there's another problem: security aside, users must still be able to handle and operate their systems; no maintenance technician wants to be looking for a certification key for a failed device at 2.00am in order to bring a system back online. There's a balance to be struck between usability and security.
PI has been dealing with the issue of security for years, with one PI Working Group dedicated to this subject. The Profinet Security Guideline is a product of this Group, and it can be downloaded free of charge by non-members.
PI is also keen to see that its guidelines and recommended procedures are sustainable and practicable and ultimately acceptable to users. Only in this way can the protection measures be truly successful.
Professor Frithjof Klasen is a member of the managing board of the Profibus Nutzerorganisation e.V. (PNO), director of the Institute for Automation & Industrial IT (AIT) at FH Köln, and director of AIT Solutions GmbH in Gummersbach.