Getting FITS for a secure future

09 April 2019

Industrial security is a complicated, multifaceted challenge that cannot be solved by simply purchasing the latest technology. Instead, managing the security of industrial control systems and networks requires improving processes, tools and ultimately balancing risk, says Glenn Schulz.

The advent of the Industrial Internet of Things (IIoT) has dramatically impacted the cyber threat landscape while the convergence of Information Technology (IT) and Operational Technology (OT) has also complicated industrial security. Some organisations in critical process industries have an air-gapped requirement prohibiting users of OT systems from direct or even indirect connection to the Internet. These organisations need to find ways to safeguard data access from the enterprise all the way down to the device level.

Integration is at the heart of any automation architecture, and the FDT Group provides a robust solution for the integrated manufacturing enterprise due, in part, to its strong security capabilities. FDT technology (IEC 62453, GB/T 29618-2017 and ISA103) standardises the communication and configuration interface between field devices and host systems. The comprehensive cyber security infrastructure of the standard addresses potential cyber-attacks on automation assets, providing protection when integrated into control system vendor applications and hosted within secure IT platforms.

In 2018, FDT Group announced the development of an FDT IIoT Server (FITS) architecture that will provide a flexible platform for deployment of IIoT-based solutions. The emerging FITS specification is set to empower the intelligent enterprise with native integration of OPC UA, as well as Control and Web Services for mobile applications. FITS will enable cloud, enterprise, on-premise, and single-user desktop deployment methods to meet the needs for process, hybrid and discrete manufacturing.

The FDT Server architecture allows for integration of web-based Device Type Managers (FDT/DTMs) that are digital representations for physical devices. The FDT Server will include an online repository providing end-users with convenient access to the DTMs they need for various applications. The solution also includes an OPC UA Server, WebServer and stand-alone (local) applications. The OPC UA Server allows access to DTM data with OPC UA Clients. The WebServer enables the use of DTM WebUIs on remotely connected, web-based clients on smart phones, tablets, and PCs. The WebServer also supports the use of apps that improve workforce productivity and plant availability.

The FDT Group is now working towards integration of .NET Core/Standard to allow the new FDT Server-based architecture to be completely platform independent. This will result in an FDT Server architecture that is deployable on a Microsoft-, Linux-, or macOS-based operating system, empowering the intelligent enterprise by bridging the current installed base with next-generation solutions supporting the IIoT and Industry 4.0 era.

Enhancing security 
An important consideration for the emerging FITS standard is data security for the IIoT and this has gained importance as FDT transitions from primarily a single-user and client/server application to a full distributive architecture that supports browser-based clients accessing an FDT Server deployed in the enterprise, on-premise or in the cloud.

FITS will help to eliminate the traditional automation pyramid. Indeed, it provides a way to flatten the control architecture to eliminate barriers to plant applications in need of directly accessing lower level devices in order to acquire data for analysis and operational dashboards. This is made possible through flexible and distributed components designed to minimise potential security risks.

The FITS solution was also designed to meet both connected and air-gapped requirements, support virtually any automation architecture, and comply with contemporary security policies in a typical industrial operation. Furthermore, it has the ability to authenticate client devices attempting to connect to the server.

For consistency across different operating system platforms, FITS features multi-layered security and leverages vetted industry standards such as Transport Layer Security (TLS) enabling Web Sockets Secure (WSS) and Hyper Text Transfer Protocol Secure (HTTPS). The FITS security strategy encompasses:

• Encrypted communications using TLS
• Role-based user security
• X.509v3 certificates for authentication
• On-the-wire-security for enabled industrial control protocols

TLS is a cryptographic protocol designed to provide communications security over a computer network. It has three basic functionalities: message encryption, detection of message alteration, and authentication between client and server, ensuring that all communication exchanges are fully encrypted. This enables the exchange of sensitive information while mitigating the risk of interception or alteration.

In addition to standard encryption and server authentication, FITS can be configured to confirm that a specific client device is authorised to communicate with the server. From an IT/OT perspective, administrators can ensure that authenticated client devices have appropriate virus protection and meet other corporate security guidelines to ensure they are not the source of contamination via connection to the server.

In prior versions of the FDT standard, there has always been a user authentication requirement that grants authorisation to users based on a role-based security model. This approach has been effective for many years and is credited with eliminating a huge administrative burden on industrial OT organisations. Role-based security will be carried forward in the core of the distributed FITS architecture as a multi-layered security approach employing a defense-in-depth strategy. 

The FDT Server’s X.509 certificate-based authentication schemes are tightly integrated with TLS to not only verify the correct server, but also confirm the client device is authorised to communicate with the server. This ‘triple handshake’ of server, client device, and end-user authentication ensures that no impersonation, man-in-the-middle attack or other unauthorised access is permitted. The use of encryption throughout the communication architecture ensures that no one can eavesdrop on any of the communications.
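The three layers described above (server certificate, client-device certificate, end-user role) can be sketched with Python's standard `ssl` module; this is an added illustration, not code from the FITS specification or the FDT Group. The device names, user names, role names and permissions are hypothetical values constructed for the example.

```python
import ssl

# Hypothetical policy data, constructed for illustration (not from FITS).
AUTHORISED_DEVICES = {"hmi-tablet-07", "eng-workstation-02"}
ROLE_PERMISSIONS = {
    "observer": {"read"},
    "operator": {"read", "acknowledge"},
    "maintenance": {"read", "acknowledge", "write_parameter"},
}
USER_ROLES = {"asmith": "observer", "bjones": "maintenance"}


def build_server_context(cert=None, key=None, client_ca=None):
    """TLS server context that also demands a client (device) certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cert and key:
        ctx.load_cert_chain(cert, key)      # layer 1: server proves its identity
    # The default for a server context is ssl.CERT_NONE (server-only auth).
    ctx.verify_mode = ssl.CERT_REQUIRED     # layer 2: handshake fails without a client cert
    if client_ca:
        ctx.load_verify_locations(cafile=client_ca)  # CA that issues device certs
    return ctx


def device_name(peer_cert):
    """Read commonName from the dict shape returned by SSLSocket.getpeercert()."""
    for rdn in peer_cert.get("subject", ()):
        for field, value in rdn:
            if field == "commonName":
                return value
    return None


def authorise(peer_cert, user, action):
    """Layer 2 (device allow-list) then layer 3 (role-based user check)."""
    if not peer_cert:
        return False, "no client certificate"
    if device_name(peer_cert) not in AUTHORISED_DEVICES:
        return False, "device not authorised"
    role = USER_ROLES.get(user)
    if action not in ROLE_PERMISSIONS.get(role, set()):
        return False, "role lacks permission"
    return True, "ok"


# Constructed sample of a validated peer certificate, as getpeercert() returns it.
SAMPLE_PEER = {"subject": ((("commonName", "hmi-tablet-07"),),)}

if __name__ == "__main__":
    print(authorise(SAMPLE_PEER, "bjones", "write_parameter"))
    print(authorise(SAMPLE_PEER, "asmith", "write_parameter"))
```
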

The various industrial control network organisations are moving towards a more robust security model for their respective protocols. One such example of security-on-the-wire is the newly released Common Industrial Protocol (CIP) Security Volume 8 by the ODVA. CIP Security coupled with FITS enables a complete solution for comprehensive, end-to-end, enterprise-wide security. The FDT Server will natively support CIP Security, linking the IT and OT security architecture with control. Security-on-the-wire will enable the control system to defend itself from unauthorised and/or malicious access. For instance, the layered approach within CIP secure EtherNet/IP allows users to implement EtherNet/IP with all control communications strongly authenticated, and optionally encrypted, to avert potential disruptions.

Finally, the FDT Server-based architecture can be deployed in the public or corporate cloud, allowing full replication of the server environment for instant cutover in the event of a virtual server or network failure. This improves availability, as all communications between a remote server and local control networks are conducted through a robust Virtual Private Network (VPN) tunnel or equivalent solution in order to obstruct intrusion attempts. The VPN establishes a secure connection from the cloud to an individual plant or factory while allowing redundant paths in the event of a cloud failure. It ensures that all communications between the remote FDT server and the physical plant(s) are carried in a hardened, encrypted VPN tunnel.

Integrating OPC UA 
A critical feature of FITS is the integration of an OPC UA Server providing the information model for enterprise level data exchange. The scalable FITS architecture natively employs an OPC UA Server allowing all devices on all networks to be accessed through the FDT Server. This requires no special configuration by the end-user. Any OPC UA Client that has the correct security profile can browse the entire plant project structure and access any information available from the FDT Server.

All of the well-accepted security mechanisms prescribed by the OPC Foundation are supported for the certified OPC UA Server built into the FDT Server architecture. 

With growing reliance on connected systems in plants and factories, and increasing amounts of data, it becomes more important for the industrial control system, its devices, and the data and points of connectivity to be inherently secure.

The FITS platform has been engineered from the ground up to provide security with flexible deployment options for the process, hybrid and discrete markets. This solution will be optimised by continued review of best practice implementations backed by FDT’s secure-by-design approach.

Glenn Schulz is managing director at the FDT Group.
