Making machinery and plant more secure
20 August 2013
Recent events have demonstrated that a protection concept is becoming more important for manufacturers and operators of machinery and plants. Automation components need to be protected from external attacks and unauthorised internal access.
More machinery and plant controls are based on standard PC and Ethernet technologies. Even industrial switchgear and controlgear often now have controllers with an Ethernet connection. It has become increasingly important to consider the IT security of controllers, networks, and control systems and to take precautions accordingly.
The Siemens Cyber Emergency Readiness Team (CERT), have changed to encompass this need. Previously, the primary concern was industrial espionage involving electronic data processing. Today, it also now employs defensive strategies to ensure the security of industrial production processes and to make its own products more secure.
It takes a great deal of expertise in both Ethernet technology and engineering systems to be able to launch targeted attacks on industrial plants from outside. So-called whitelisting programs provide additional protection. They stand guard like gatekeepers, determining which processes may run on PC-based systems. However, hackers are not primarily interested in process manipulation, but in infiltrating systems.
Expanding system security
Manufacturers and operators of machinery and plants need to be aware of security issues. For example, unchanged passwords from the delivery state should not to be used throughout the plant. It is also recommended that employees no programming knowledge are not be able to influence the CPU via the HMI. It is, therefore, important to implement appropriate role management that precisely defines who is allowed to change what. It should also always be possible to record any changes for treaceability purposes.
It is also advisable to use modern firewall systems. Furthermore, the stateful inspection has already proved itself in the Internet world. This type of protection is available, both in the form of an individual product and as an integrated function on communications processors.
For machinery and plant manufacturers, as well as plant operators, it is becoming increasingly important to set up a custom multi-stage protection concept following the defense-in-depth approach, as described in detail in standards such as ISA-99 and IEC 62443. A protection philosophy of this kind could include a hardware firewall on the outside, plus anti-virus software solutions on the system and machine level.
Siemens also recommends, for example, that a Demilitarized Zone network (DMZ) be installed in any large production network. This is a quarantine network, closed off by two firewalls, in which critical server applications can run, such as the update server or the remote access server. An anti-virus server is located within the DMZ network that checks all incoming data packets from the outside for viruses.
Additional anti-virus software should be installed on PC-based controllers for protection from ‘inside’. However, software products approved or tested by experts should be used, because there is a risk that when removing threats, untested virus scanners could also remove parts of the system software.
Contact Details and Archive...
Most Viewed Articles...