VW steps up its system protection standards

19 November 2013

Following a risk analysis, Volkswagen AG introduced a new security standard for the car bodywork production network at its plant in Emden, Germany. Segmentation of the network, installation of industrial firewalls, and stricter access rules have ensured that its systems are better protected against unauthorised access.

Ethernet-based production systems are now becoming well established, with the benefits of integration into intranet and Internet, high bandwidth of up to gigabits per second, and the decreasing cost of industrially specified cables, connectors, switches, and routers. The downside of the technology, however, can be an increased risk of malfunctions and production interruptions caused by security loopholes in industrial networks.

Such a problem at Volkswagen AG's Emden car body production plant resulted in an internal risk analysis being conducted, with the security of the systems, including the control technology, being scrutinised.

The investigation identified that some sensitive production systems were insufficiently protected against unauthorised access. Attacks can be triggered by malware, inadvertent access or unintentional misentries during internal network operations, and preventing them with centralised firewalls was very complex and not cost-effective. For example, employees of third-party companies who connect their laptops to the network during service operations or for hardware and software installations could unintentionally spread malware.

Unintentional misentries were also identified as problematic weaknesses at the plant. Jens Hoofdmann, Bodywork Maintenance Specialist, cites one problematic issue arising from the analysis: "A typical example is the installation of a server which subsequently sends ping packets to the entire network at short intervals. Such permanent requests can disrupt or even crash an industrial controller."

New network security rules
Based on the findings of the risk assessment an action item matrix was developed, encompassing organisational changes, network segmentation, and the introduction of distributed industrial firewalls.

When it came to selecting suitable hardening and security measures, the company opted for industrial routers with an integrated firewall. The distributed industrial firewall/router solution segments the production network in the car body construction plant into 15 isolated sub-networks. For central protection with comparable granularity, all systems and sub-networks would need star-layout network cabling to a high-capacity firewall in a complex configuration. Given the typical distances between network nodes this would be particularly expensive and inefficient, which is why these environments are dominated by tree-shaped and linear cable topologies and are therefore better suited to a distributed firewall approach.

Distributed industrial firewall/router
The central IT department was also involved in the preliminary discussions regarding implementing the new structure, the technical evaluation, and startup monitoring. The production-related IT department ultimately assumed responsibility for addressing the planning, installation, commissioning, and administration tasks.

The system network had already been successfully planned and put into operation in conjunction with Phoenix Contact. The positive experience gained from this project and the knowledge of the systems already acquired proved beneficial during the network protection work, and the company put its trust in FL mGuard industrial firewall/router modules from Phoenix Contact and Innominate. The key criteria for selection were suitability for industrial applications and the availability of a central management system.

The mGuard modules are based on a robust embedded Linux and integrate four co-ordinated security components: a bidirectional stateful inspection firewall, a flexible NAT router, a secure VPN gateway, and, as an option, industry-suitable protection against malware.
The fact that the mGuard security appliance is self-sufficient and, using its stealth mode of operation, can be integrated into existing production networks without repercussions proved to be particularly advantageous. In stealth mode the firewall is transparent in routing terms and behaves as a bridge, so existing addressing and routing need not change.

Setting up industrial firewalls
According to Hoofdmann, installing, setting up, and integrating the industrial firewalls was “rather easy”. The devices were used in a distributed manner in control cabinets for every uplink connection. In hardware terms, Volkswagen AG was able to mount the 24 V DIN rail devices directly into the control cabinets and allow its own employees to start them up, based on the existing network structure and without any re-cabling operations.

Hoofdmann explains that a very pragmatic approach was adopted towards setting up the firewall rules. He said: “In the first instance, all data traffic was permitted and access to the subnetworks was only logged. The log files were subsequently evaluated and recorded in the form of rules governing which type of access should be permitted in future. The rules were tested, revised, and finally defined in their present form.”
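One way to carry out the log-then-derive step Hoofdmann describes, and to catch the network-wide ping pattern he cites earlier, as an added example that is not part of the original article or of Phoenix Contact/Innominate's tooling; the log line format, the 10.1.x.x addresses, the protected subnet and the thresholds are all assumptions:

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample from a log-only phase (format assumed, not the mGuard/IDM log format).
LOG_LINES = """\
2013-11-19T08:00:01 LOG proto=TCP src=10.1.1.20 dst=10.1.5.10 dport=102
2013-11-19T08:00:02 LOG proto=TCP src=10.1.1.20 dst=10.1.5.10 dport=102
2013-11-19T08:00:02 LOG proto=TCP src=10.1.1.21 dst=10.1.5.11 dport=44818
2013-11-19T08:00:03 LOG proto=ICMP src=10.1.9.5 dst=10.1.5.10 dport=0
2013-11-19T08:00:03 LOG proto=ICMP src=10.1.9.5 dst=10.1.5.11 dport=0
2013-11-19T08:00:03 LOG proto=ICMP src=10.1.9.5 dst=10.1.5.12 dport=0
2013-11-19T08:00:04 LOG proto=TCP src=10.1.1.20 dst=10.1.5.10 dport=102
""".splitlines()

LINE_RE = re.compile(r"^\S+ LOG proto=(?P<proto>\w+) src=(?P<src>[\d.]+) "
                     r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")
PROTECTED = ip_network("10.1.5.0/24")  # subnetwork behind this firewall (assumed)

def parse_flows(lines):
    """Return (proto, src, dst, dport) for every parseable log line."""
    matches = (LINE_RE.match(line) for line in lines)
    return [(m["proto"], m["src"], m["dst"], int(m["dport"])) for m in matches if m]

def derive_rules(flows, min_hits=2, fanout_limit=3):
    """Flows seen >= min_hits times become ACCEPT candidates; a source that
    pings >= fanout_limit protected hosts (the 'ping the whole network' case
    from the article) or a flow seen only once is queued for human review."""
    hits = Counter(flows)
    icmp_targets = defaultdict(set)
    for proto, src, dst, _ in flows:
        if proto == "ICMP" and ip_address(dst) in PROTECTED:
            icmp_targets[src].add(dst)
    scanners = {s for s, t in icmp_targets.items() if len(t) >= fanout_limit}
    accept, review = [], []
    for (proto, src, dst, dport), n in sorted(hits.items()):
        rule = {"proto": proto, "src": src, "dst": dst, "dport": dport, "hits": n}
        if src in scanners:
            review.append({**rule, "reason": "icmp fan-out"})
        elif n >= min_hits:
            accept.append(rule)
        else:
            review.append({**rule, "reason": "single hit"})
    return accept, review

if __name__ == "__main__":
    accept, review = derive_rules(parse_flows(LOG_LINES))
    print(len(accept), "accept candidates;", len(review), "flows for review")
```

The accept list is the draft allow-list to load into the firewalls; everything in the review list stays denied until a person confirms it, which is the "tested, revised, and finally defined" step of the quote.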

The Innominate Device Manager (IDM) central management system features a template mechanism which facilitates central configuration and management of all mGuard devices. The parameters for firewall rules and NAT settings are configured directly in IDM, without abstract security policies needing to be defined first. The upload function pushes the rules to all the listed devices and configures them in one step. Special rules between subnetworks, subgroups, and user groups are implemented in IDM and then distributed to all firewalls.

According to the maintenance team at Volkswagen Emden, device management has been greatly facilitated by the central management system. Generating a new firewall rule within five minutes in order to grant a member of the service team access, for example, is no longer an issue.

Protection for sensitive production applications
Robots, PLCs, panel PCs, laser technology, welding systems, controllers, and the driverless transport system are now protected by distributed firewalls on the car bodywork production network. Hoofdmann reports that there have been no security incidents since the firewalls were installed. However, the team has been able to identify infected devices in other production sectors from the log files. In one instance, a virus had attempted to spread to other devices; access to the protected computers was blocked and the other sectors could be advised of the malware. Hoofdmann concludes: "Our experience with the mGuard industrial firewalls has been positive. We are completely satisfied. All unauthorised access is blocked and the systems are now better protected against malware."
