Tackling data security in industrial networks
26 February 2013
Suzanne Gill reports on the Open DeviceNet Vendor Association’s (ODVA) vision for securing the flow of CIP data and Ethernet IP assets in industrial networks, which was presented by Katherine Voss, executive director of ODVA, at SPS/IPC/Drives 2012.
When discussing ODVA’s approach to industrial control system (ICS) cybersecurity, Katherine Voss stressed that this is not simply an initiative. “It is much more pervasive,” she said. “We see it as being essential to how we implement the technologies overall, going forward.”
Concerns regarding cybersecurity in the ICS space have expanded in recent years due to the widespread adoption of Ethernet and Internet technologies across industrial ecosystems in critical applications. “It is critical for ODVA to help address these cyber security risks and enhance protection of data transported on Ethernet IP and CIP industrial control systems,” said Voss. The association is, therefore, approaching cyber security as integral to ODVA’s overall management of its specification. Key components of the plan include:
* Establishing the appropriate role and scope of key stakeholder groups.
* Defining the key data flows for which communication must be secure.
* Identifying the scope of technical work that is needed.
ODVA’s approach originates from a four-part working hypothesis. Voss explained further: “Stand-alone industrial control assets and systems are quickly disappearing with the convergence of production systems with one another, and of the production domain with the enterprise and power grid domains. Secondly, traditional defence in depth practices are necessary, but are not sufficient to help mitigate the risk of cyber security threats and protect data flows between industrial cyber security assets. Thirdly, cyber security weaknesses will always exist in process networks and systems, increasing the potential for cyber security threats. Finally, remote access to industrial control systems is essential.”
ICS cyber security should be a community effort.
To effectively address the issue, ODVA has engaged all stakeholder groups in the industrial ecosystem. “We need to work together to manage and mitigate the risks associated with securing data found in industrial control systems,” said Voss. “From the ODVA perspective each stakeholder group has a role and a responsibility. In the case of end users – they need to focus on maintaining safe and secure systems with technical and non-technical controls to help secure assets, limit access, and protect property and information necessary to sustain business.”
Voss continued: “Device vendors need to focus on complying with Ethernet IP standards and recommendations to enhance security and resilience of devices and help ensure interoperability. OEMs and systems integrators need to focus on delivering safe and secure systems that help protect assets, people, property and information.”
Voss went on to explain that ODVA now needs to focus on facilitating resiliency and interoperability of Ethernet IP devices and establishing requirements and guidelines for their use. ODVA’s technical approach combines the defence in depth strategy with three complementary areas:
* Hardening Ethernet IP endpoints – Increased productivity on the plant floor demands that equal care be given to the resiliency of end devices in the face of demanding network traffic conditions such as broadcast storms and denial of service attacks. To achieve this goal, ODVA will combine base-level product hardening requirements for Ethernet IP devices and rationalised defaults for CIP services and conditions for their use.
* Protect CIP – A well-segmented network design is essential to reducing cyber security risk. However, application needs, including but not limited to remote access, dictate that CIP methods be allowed to cross design boundaries. To achieve this goal, ODVA will define methodologies for allowing CIP messages to be transported via secure tunnels.
* Securing CIP – Ultimately, managing and mitigating cyber security risks in industrial control systems will require features such as authentication and encryption. To achieve this goal, ODVA will define future enhancements to CIP for end-to-end cyber security in industrial control systems.
ODVA has produced a whitepaper, entitled ‘Cybersecurity for Industrial Control Systems’, which discusses its vision for securing the flow of data in industrial networks. This can be downloaded as a PDF from the Whitepaper section: http://www.controlengeurope.com/white-papers.aspx?ShopItemID=134.
The process initiative
At the ODVA 2012 AGM, the launch of a process initiative was announced as a new activity, with Endress + Hauser’s increased participation in ODVA as a principal member promoting Ethernet IP in process applications down to the field level. This initiative is also being supported by Cisco Systems, Rockwell Automation and Schneider Electric.
The Ethernet IP and process automation initiative is the result of evolving market conditions identified by ODVA. The first is the acceptance of Ethernet IP in discrete automation applications which has helped to converge control applications and control solutions. The result will be the ability to replace a multi-tier network process automation architecture with a single architecture, providing easy access to process information.