SPS IPC Drives 2017: IT security in automation tour

Presenting the highlights of the ‘IT security in automation’ tour at SPS IPC Drives 2017 in Nuremberg from WAGO and Phoenix Contact.

WAGO

WAGO spoke about its solutions for ‘digitization and cyber security’.

Vertical integration

  • When a device is connected to the internet it is secured with TLS encryption, and the MQTT format is used for the data. The device has to send information about production so that it can be analysed for efficiency within automation.

Data transferred out of the network needs protection. To get all of this information to the cloud, a bypass lane is created using a separate, protected controller. This controller has one Ethernet port connected to the internet and one Ethernet port connected to the information network.

WAGO aim to digitize the existing business system. This allows direct access to the cloud, which is open but reliable and secure – and it can be tailored to the needs of the user.

Horizontal integration

  • Remote access, control maintenance and asset management.

WAGO propose using a VPN (Virtual Private Network) to secure these channels – along with more conventional precautions such as disabling unnecessary users, using separate switch networks, changing default passwords and closing unused Ethernet ports.

Phoenix Contact

Phoenix Contact presented its solutions for secure remote service for a smart industry, covering three aspects: protection, detection and response.

Protection

  • The mGuard product line of industrial firewalls, available in different housings for various applications.
  • The new IEC 62443 standard for cyber security, which is expected to become the norm soon – bringing security standards to the same level as safety standards. Phoenix Contact’s devices are approved for this new standard.
  • Remote access via a VPN tunnel.

Detection

  • Phoenix Contact offer hardware protection in collaboration with Security Matters – a startup from the Netherlands.
  • Phoenix Contact use the firewall to create segments in the production network and provide software on top of it for anomaly detection.

Response

  • Reacting to any problem.
  • Analyzing the network communication for anomaly detection.
  • Employee training on security.

Weidmüller

Security is a subject that needs to be addressed by everyone, and Weidmüller decided to take the approach of talking about overall security rather than focusing on one element.

Overall security is important: imagine your company as a chain. The whole product is only as strong as the weakest link within it, so that is the area that needs to be addressed.

Safe and secure matter

If you look at one particular product on its own, it is more likely to be hacked than a newer product that is connected to everything else with u-control. Security needs to be addressed at the design stage, so that it is built in right from the start.

Hackers will attempt to break into devices, so it is your job to make that hard for them. Controllers are protected by passwords, and often the issue is not a lack of a password but the many users who never change the default password they are provided with. Changes to data are actually processed entirely inside the controller.

Weidmüller went on to say that application programs, even encrypted ones, are often built up by users simply copying and pasting, which a lot of people tend to do – but this only increases your chances of being hacked.

The correct way is to try to decrypt the software, as it is easier to stop the software in the first place than to have to take it away later on.

“If I want to access my devices how do I know this is safe?”

The new u-link remote access service from Weidmüller allows easy and secure access from Service PCs to remote Ethernet devices via the Internet.

VPN-based access from a Service PC to remote devices is provided by the web-based u-link Portal service (VPN server) and a Weidmüller Router (VPN client) located in the remote target network. The u-link VPN server acts as a meeting point and connects a Service PC to a Router (both running as VPN clients), allowing encrypted data communication between the PC and the remote Ethernet devices connected to the LAN port of the Router.

Because the u-link VPN server is used as a publicly accessible meeting point, both the Service PC and the Router only need to establish an outgoing VPN connection to the Internet, which is usually allowed and compliant with IT security requirements.

To keep data securely separated, the u-link Remote Access Service uses dedicated server and database instances for each u-link system account (secure separation of u-link accounts). The data communication between an account-specific u-link VPN server and the remote clients is based on certificate-secured OpenVPN communication.
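To make the meeting-point topology described above concrete, here is an added example (not Weidmüller's code, and not the u-link implementation): a minimal relay in Python in which a "Service PC" and a "Router" both open outgoing TCP connections to a rendezvous server, which then forwards bytes between the two. It deliberately models only the topology; the real service wraps each leg in certificate-authenticated OpenVPN, which is omitted here. The class and function names, the loopback addresses and the request/reply strings are all constructed for the example.

```python
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src closes, then close dst's write side."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class MeetingPoint:
    """Rendezvous server: pairs each incoming connection with the next one
    and relays traffic between the pair. Neither side needs an inbound
    firewall rule, because both connect outward to the meeting point."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))  # port 0: let the OS pick a free port
        self.sock.listen(8)
        self.host, self.port = self.sock.getsockname()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while True:
            try:
                first, _ = self.sock.accept()   # e.g. the Service PC
                second, _ = self.sock.accept()  # e.g. the Router at the plant
            except OSError:
                return
            threading.Thread(target=_pump, args=(first, second), daemon=True).start()
            threading.Thread(target=_pump, args=(second, first), daemon=True).start()


def demo_session(port: int, host: str = "127.0.0.1"):
    """Simulate one remote-service session through the meeting point.

    Returns (request_as_seen_by_router, reply_as_seen_by_pc)."""
    service_pc = socket.create_connection((host, port), timeout=5)
    router = socket.create_connection((host, port), timeout=5)
    try:
        # Constructed request from the Service PC, as if aimed at a device on the Router's LAN
        service_pc.sendall(b"READ holding_register 40001\n")
        request = router.recv(1024)
        # Constructed reply travelling back the other way
        router.sendall(b"VALUE 40001 1234\n")
        reply = service_pc.recv(1024)
    finally:
        service_pc.close()
        router.close()
    return request, reply


if __name__ == "__main__":
    mp = MeetingPoint()
    seen_by_router, seen_by_pc = demo_session(mp.port)
    print("router received:", seen_by_router)
    print("service PC received:", seen_by_pc)
```

The security property worth noticing is that the plant network never exposes a listening port: the Router only dials out, so the meeting point (and, in the real service, the certificate check on each OpenVPN leg) becomes the single place where access can be controlled and logged.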

The u-link Remote Access Service is offered in the following variants, with additional options:

Entry-Version

  • Can be used free of charge, with no time limit on use
  • Maximum of 50 Router objects configurable (access points to a remote network)

Versions Standard 150/300/500/unlimited

  • Configurable Router objects from 150 up to an unlimited number, depending on the license version used
  • Advanced functions and features compared to the Entry-Version (see the data sheets of the Standard versions)

Additional VPN connection licenses

  • License key usable for all Standard versions
  • Additional data volume with guaranteed bandwidth

MB Connect Line

This year has been full of changes and revolutions, which will continue to grow; one of the biggest at the moment is Ethernet and Industry 4.0.

Cyber security is involved with everything; take our office furniture, for example:

  • Connected Factory Floor
  • Desktops in offices
  • LEDs, Smart lighting

A lot of IT equipment is related to automation, and a lot of automation equipment is fitted for the level of IT security that is needed today. This is where MB Connect Line steps in, as its main concern is implementing security by design.

It is vital that users test their products. Security by design looks at security from a different angle: you make sure the trust chain is never broken – everything on a device needs to be secured from start to finish.

MB Connect Line works closely with its users to fit its customers’ needs, drawing on knowledge from both the user and the customer.

Everything is maintained along the same guidelines:

  • Secure machine networks with the mbNETFIX firewall – typically by unplugging the machine from the switch, connecting the switch to the firewall and the firewall to the machine. Configuration can be done via the USB port and the user interface.
  • Going online and allowing the device to listen to the network and other IPs
  • Access control for the production network and the machine components
  • Efficient network security – without the need to master technology
  • Allowing easy separation of production and machine network
  • Tested and proved with customers

All of IT is trying to keep hackers out – but why not also protect your machines from attacks from the internet?

For example, if something does happen with a hacker, you want to know about it, and you want to know immediately.

The mbSECBOX does exactly this:

  • It protects your PLC from malicious programs and unwanted changes
  • It detects product changes and alerts you through messages
  • It has program memory that can back up and restore
  • It is a stand-alone and closed system
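The detect-alert-restore cycle listed above is easy to illustrate in code. The following is an added example written for this article, not MB Connect Line's mbSECBOX firmware: a small Python monitor that stores a SHA-256 fingerprint and a backup copy of a PLC program image, reports any deviation as an alert, and can restore the backup. The program text, the class and function names, and the "tampered" variant are all constructed; a real monitor would read the program image from the controller instead of from a byte string.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for a PLC program image (hypothetical IEC 61131-3 text).
ORIGINAL_PROGRAM = (
    b"PROGRAM Main\n"
    b"  IF Start THEN Motor := TRUE; END_IF\n"
    b"END_PROGRAM\n"
)


def fingerprint(program: bytes) -> str:
    """SHA-256 hex digest of a program image; the monitor compares these, not raw bytes."""
    return hashlib.sha256(program).hexdigest()


@dataclass
class ProgramMonitor:
    """Keeps a known-good baseline of a PLC program and detects unwanted changes."""

    baseline: bytes
    baseline_hash: str = field(init=False)
    backup: bytes = field(init=False)
    alerts: list = field(default_factory=list)

    def __post_init__(self) -> None:
        self.baseline_hash = fingerprint(self.baseline)
        self.backup = bytes(self.baseline)  # independent copy used for restore

    def check(self, current: bytes) -> bool:
        """Return True if `current` matches the baseline; otherwise record an alert."""
        current_hash = fingerprint(current)
        if current_hash == self.baseline_hash:
            return True
        self.alerts.append(
            f"program changed: expected {self.baseline_hash[:12]}..., "
            f"got {current_hash[:12]}..."
        )
        return False

    def approve_update(self, new_program: bytes) -> None:
        """Re-baseline after an authorised engineering change, so legitimate
        updates do not keep raising alerts. Authorisation is the caller's job."""
        self.baseline = bytes(new_program)
        self.__post_init__()

    def restore(self) -> bytes:
        """Hand back the backed-up program for writing to the controller."""
        return bytes(self.backup)


def demo():
    """Walk through detect -> alert -> restore on the constructed program."""
    monitor = ProgramMonitor(ORIGINAL_PROGRAM)
    untouched_ok = monitor.check(ORIGINAL_PROGRAM)
    # Constructed tampered image: one logic change an operator would not expect.
    tampered = ORIGINAL_PROGRAM.replace(b"Motor := TRUE", b"Motor := FALSE")
    tampered_ok = monitor.check(tampered)
    restored = monitor.restore()
    return untouched_ok, tampered_ok, len(monitor.alerts), restored == ORIGINAL_PROGRAM


if __name__ == "__main__":
    print(demo())
    m = ProgramMonitor(ORIGINAL_PROGRAM)
    m.check(ORIGINAL_PROGRAM.replace(b"TRUE", b"FALSE"))
    for alert in m.alerts:
        print("ALERT:", alert)
```

Two design points carry over to the real product category: the comparison uses a digest rather than a byte-for-byte diff, so the baseline can be stored separately from the controller, and the monitor only reports and restores, leaving the decision to re-baseline (`approve_update` here) to a human.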

The Remote Access Solution lets customers get support easily, and software is also offered to help them.

This allows customers to run their own remote portal, which brings many benefits:

  • Capture factory floor data via mbNET or mbSPIDER
  • Store the data on a central server
  • Distribute the data to user dashboards and export it to external systems

Some people believe you have to choose between security and simplicity, but cyber security is basically useless if it can be wiped away.

With this system from MB Connect Line there is no more writing down and remembering usernames and passwords.
