Strategies for secure automation, Ethernet networks

Ethernet networks provide plants with an open environment that connects local and remote plant devices with management tools, but open networks come at a cost: security. Several strategies can foster openness while promoting safety and cyber security.

By Tim Pitterling January 14, 2014

The introduction of Ethernet to the plant floor provides an open architecture, connecting plant devices and management tools from most anywhere. But there is a trade-off: network security.

Ethernet networks function much like home Web connections, relying on the Internet to operate properly. Plants must take steps to protect connected automation systems from the same threats that face personal computers, such as hackers, worms, and Trojans.

To overcome these challenges, the plant environment should employ the same cyber security tools that its IT counterparts use. Such tactics must maintain network security while allowing local and remote authenticated access. Doing so enables even faraway administrators to handle tasks such as configuration and diagnostics, initialization of nodes, and gaining access to on-board Web and FTP servers.

Finding balance between openness and security, the following strategies can help create an automation environment that can communicate with other networks and be managed locally and remotely while, at the same time, remaining safe and secure.

First line of defense: Firewalls

Firewalls—one of the oldest cyber security tools—are still a crucial piece of the network puzzle. A firewall sits between the internal and external networks, ensuring only legitimate traffic passes between them.

In an industrial environment, firewalls protect cells that often include several Ethernet-attached automation devices, such as Industrial PCs and PLCs. To protect them, companies can install one security module with one Ethernet connection that traffics between the automation and larger networks according to the firewall rules established for the device.

To ensure all traffic is legitimate, stateful packet inspection firewalls protect the network using pre-determined filter rules. For example, if an internal node sends data to an external target device, the firewall will dynamically allow the response packet for a limited period. After the time window has expired, the firewall will block the traffic again.

NAT and NAPT

Network address translation (NAT) is an automation security technology that is implemented in devices rather than the network. NAT hides the device’s IP address on the internal network from those on external networks. Instead, it presents a generic public IP address to external-facing nodes, translating that address to the established internal network address.

More complicated yet, network address and port translation (NAPT) further encrypts NAT by adding a port number. Only one IP address is presented to public networks. Behind that, packets are addressed to particular devices by adding port numbers. A NAPT table, typically residing on a router, maps private IP address ports to the public IP address ports.

If a device from the external network wants to send a packet to an internal device, it uses the security device’s public address with a specified port as the destination. This IP address is then translated by the router to the assigned private IP address and its appropriate port. The source address in the data packet’s IP header remains unchanged. But since the sending address is in a different subnet than the receiving address, responses must go through the router, which forwards it to the external device, protecting the internal device’s actual IP address from public view.

Building secure tunnels with VPNs

Virtual private networks (VPNs) are another way to secure networks. A VPN is an encrypted tunnel formed by security devices at each end of the connection. To connect with one another, the remote devices generate digital certificates that act as identification. The certificates also permit the devices to share encrypted data over the established network.

In a VPN environment, security modules use digital certificates to create VPNs with two basic configurations: bridging and routing.

Bridging mode enables devices to communicate securely in a flat network—one in which all devices are directly connected to one another. This configuration can be advantageous when the connections are physically distant or when data must pass through an unsecure network section. Bridging is often used for communication types that cannot be routed and that may not necessarily be in the same subnet.

Routing mode creates a VPN between devices on separate subnets. Much like NAPT, the router, operating at Layer 3 of the open systems interconnection (OSI) model, sends packets to the appropriate destination address. The packet travels over an encrypted VPN tunnel, making the communications secure even over a public network such as the Internet.

Sample cases

These security tools can be configured to plant-specific environments, taking both open access and security into account. Here are some examples in practice:

User-specific firewall: When automation contractors, for example, are away from the plant, user-specific firewall rules can enable remote access, allowing for administration and troubleshooting. By establishing different levels of authorization, plant managers can also use the firewall to establish device-specific access for remote users, limiting users only to the device for which they are authorized.

To connect to the module’s IP address, the contractor creates a username and password and logs in under those credentials. According to established permissions, the network will be available for a specific amount of time before the connection is lost. The user can renew the connection at any time according to the plant’s firewall rules.

Site-to-site VPN: If a company has a central site and a number of satellite facilities, a site-to-site VPN might be more appropriate. A site-to-site VPN is a secure encrypted connection between two sites that, depending on configuration, allows users at each site to access resources at another.

This setup requires a module at each location to create the encrypted VPN tunnel. A firewall can also be used to provide access control, enabling access to certain users but not to others.

Point-to-point VPN: A point-to-point VPN allows users access to plant devices from any Internet connection. This could be advantageous for working-from-home administrators who must troubleshoot a device, for example.

This setup requires a module at the target location and security client software, which runs on the administrator’s laptop or desktop. The client allows the administrator to establish an encrypted VPN connection with any site that has the module. With the proper permissions, the administrator can log in to whatever device is necessary.

Multipoint VPN connections: If administrators are responsible for more than one site, plants can establish a central module that connects each of the remote sites over a VPN. Instead of establishing many individual VPN connections, the administrator can then piggyback the connection from the central module.

This can benefit service engineers, for example, who spend much of their time traveling. With one connection to the central site, they can now easily and securely access any other site as needed, saving valuable time in the process.

-Tim Pitterling, product marketing manager, Siemens Industry Sector. Edited by Jordan M. Schultz, CFE Media, Control Engineering, jschultz@cfemedia.com