Ethernet Security, Safety Relies on Common Sense Networking
KEY WORDS: Networks and communication; Ethernet; Internet and intranet; PC-based control; Device-level networks
The price of freedom? A little less freedom. More users are seeking to gain Ethernet's interoperability and flexibility. However, the relatively greater openness of Ethernet can mean increased network vulnerability, especially when networks are linked via the Internet. Hazards range from internal data traffic accidents to external hacker attacks.
To prevent potential problems, users can perform several basic precautions as they design, install, and operate their Ethernet-based networks. The good news is that, because Ethernet has been used in other settings for 15 to 20 years, many security measures exist that manufacturing can use as well.
'Manufacturing had been accustomed to generally closed networks, but many engineers are now becoming enamoured of the information they can get from more open systems. Unfortunately, they're so excited that they sometimes lose sight of the fact that one node on Ethernet may give everyone access to their data and network,' says Ralph Mackiewicz, sales and marketing vp, Sisco Inc. (Sterling Heights, Mich.), a provider of real-time communications software. 'Restricting access probably just seems counterintuitive when you're trying to open a system up. Ethernet aids interoperability by eliminating former barriers, but it also reduces isolation and some of the security that used to be taken for granted.'
Basic components of an Ethernet-based local area network (LAN) or wide area network (WAN) include hubs, routers, and switches linking I/O points, devices, controllers, and PCs.
Openness = exposure
Because manufacturing processes and related control components are often located in one place, their physical presence reportedly gives them more initial security than widely distributed applications. However, stand-alone device and network exposure increases when they're connected with software-based business management systems, intranets, Internet, and wireless systems.
'When you interconnect devices via Ethernet it doesn't change their individual security issues per se. However, because Ethernet usually enables links to the Internet, it can open a Pandora's Box of security issues along with, for example, its new remote access capabilities,' says Gerardo Pardo-Castellote, chief technology officer, Real-Time Innovations (Sunnyvale, Calif.). Real-Time's NDDS middleware aids interconnections between devices. 'Each application is different, but baseline security means having a firewall that separates your process' local area network (LAN) from the external Internet and unauthorized access.'
All interdepartmental traffic in this network design goes through one or more routing switches. This gives network administrators one point to manage network protection and security using virtual local area networks (VLANs) and filters.
Accidents vs. enemy action
Most problems that disable Ethernet networks and related equipment and applications are caused by accidents, such as misconfigured routers or other technical snafus. However, deliberate attacks are a genuine problem, especially because of shareware programs that help hackers search for open ports in otherwise secure networks.
'The most common Ethernet and network problem is when data packets or messages on one network infiltrate another and cause traffic problems. This occurs because classic network design used hubs that forwarded all bits of data to all parts of a network,' says Eric Byres, P.E., research team leader, Advanced Information Technologies Group, British Columbia Institute of Technology (Vancouver, B.C., Canada). 'For example, years ago, when I was asked to test a large manufacturer's network using a high frequency pulse to check for reflections, I was told it was a stand-alone system. Unfortunately, it was actually connected to the company's overall network, and when the pulse hit its repeaters, the whole plant shut down.
'With hubs and repeaters, there is no isolation, and so there is no protection against problems propagating throughout a facility. This is why it's so important to use switches that can check the validity of every message.' There are two basic kinds of switch: Layer-2, a multi-port bridge that checks packet integrity before forwarding, and Layer-3, a router that checks packet source, destination, and function before forwarding.
Though intrusions by hackers are better known, Mr. Byres notes that a majority of intentional attacks come from within companies. He says 60% of deliberate and accidental hacks come from internal sources.
'In another large plant, which had had some union problems and hard feelings, one operator signed onto a programming terminal in another department, accessed a PLC on the Allen-Bradley Data Highway Plus system, and changed its password. This forced us to shut down the line, and physically replace the PLC.'
Because newer PC-based networks are often more distributed and interconnected than PLC-based systems, unauthorized intrusions can potentially cause more widespread damage, which means better security is needed.
'Everyone's GUI [graphical user interface] is now a Microsoft Windows NT or 2000 box. In one West Coast facility, this meant that a disgruntled employee was able to change the settings for all on-screen objects, lettering, and backgrounds to white, which made all the screen appear blank. Protecting these settings is something else system administrators need to think about, but often do not.'
Achieving enough isolation
Mr. Byres says Layer-3 switches or routers allow system administrators to develop specific definitions that filter out bad or misdirected data packets. This is known as a basic packet-inspection firewall, and it separates a manufacturer's process level from its business level or other external input. For example, this type of firewall prevents anyone in the accounting department from sending a programming packet to the PLC.
Password protection, firewalls, intelligent network switching, sub-networks, and virtual local area networks (VLANs) are all useful, well-accepted methods of isolating crucial manufacturing devices, processes, and networks from unwelcome input or access (see sidebar). Some users are beginning to employ data encryption (accessible with a certificate or key) and secure web servers to protect communications. None of these methods is expected to slow Ethernet network speed significantly.
'Ethernet and network security can be as straightforward as configuring a router,' says Mr. Mackiewicz. 'You must first know what you want to do based on your business goals, and then choose the right products to prevent unauthorized access as determined by those needs.
'Networks are often built piecemeal. All of a sudden users find themselves with these huge systems, but no overall vision, which is needed to help information technology (IT) and plant-floor staffs cooperate and develop security and other consistent network policies.'
Data traffic goes through one routing switch, which allows network protection at one point using IP security filters, but only messages originating at computers with the 10.5.1.0 subnet and using TCP socket 6000 are allowed onto the DCS network.
Managing for security
Besides matching isolation methods with business requirements, Mr. Byres adds that Ethernet network security improvements must be properly configured and managed. 'You can't put these systems in and go to sleep,' he says. 'This begins with developing a good security policy; really deciding who can talk to who; and how many locks you really need.
'You have to sit down and figure out your network traffic flow patterns, test your equipment, evaluate your existing system, determine what can now talk to what, and look to the future. Then, you prioritize according to critical data flows, secondary, nice-to-have, and flows that aren't needed.
'Finally, after implementing this security policy, you can seek and add authorized flows that weren't listed, or simply block everything except defined devices and users, and then open authorized holes in the firewalls when the complaints come in.'
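The three ideas above (a packet-inspection filter in front of the process network, an allow-list of only the flows the policy names, and "open authorized holes when the complaints come in") can be modelled in a few lines. The following is an added example, not code from the article or from any of the vendors it quotes. It keeps the operator subnet 10.5.1.0/24 and TCP port 6000 from the figure caption; the DCS and accounting subnets, the rule names and the sample packets are constructed for illustration.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# 10.5.1.0/24 and TCP 6000 come from the article's figure caption; the DCS and
# accounting subnets below are constructed for this example.
OPERATOR_NET = "10.5.1.0/24"
DCS_NET = "10.5.2.0/24"
ACCOUNTING_NET = "10.20.0.0/16"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    """One authorized flow: who may talk to whom, over which protocol and port."""
    name: str
    src_net: str
    dst_net: str
    proto: str
    dport: Optional[int] = None  # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        return (
            ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
            and pkt.proto == self.proto
            and (self.dport is None or pkt.dport == self.dport)
        )


class PolicyFilter:
    """Default-deny filter: a packet passes only if some authorized flow matches it.
    Denied packets are logged so legitimate flows missing from the policy can be found."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.denied: List[Packet] = []

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        for rule in self.rules:
            if rule.matches(pkt):
                return ("ALLOW", rule.name)
        self.denied.append(pkt)
        return ("DENY", "default")

    def authorize(self, rule: Rule) -> None:
        """Open one authorized hole after the flow has been reviewed."""
        self.rules.append(rule)

    def denied_by_source(self) -> Counter:
        """What the filter is blocking, grouped by (source, proto, port)."""
        return Counter((p.src, p.proto, p.dport) for p in self.denied)


def build_filter() -> PolicyFilter:
    # The only flow the policy lists: operator subnet to the DCS on TCP 6000.
    return PolicyFilter([Rule("operators-to-dcs", OPERATOR_NET, DCS_NET, "tcp", 6000)])


if __name__ == "__main__":
    f = build_filter()
    for pkt in (
        Packet("10.5.1.42", "10.5.2.10", "tcp", 6000),  # operator, allowed port
        Packet("10.20.0.7", "10.5.2.10", "tcp", 6000),  # accounting: blocked
        Packet("10.5.1.42", "10.5.2.10", "tcp", 80),    # wrong port: blocked
    ):
        print(pkt, f.decide(pkt))
    print("blocked flows:", dict(f.denied_by_source()))
```

The accounting packet is refused even though it uses the right port, because the source subnet is not in any rule; the denied-flow summary is what an administrator reviews before deciding whether a blocked flow deserves its own `authorize()` call.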
Common sense, cooperation
Besides software, hardware, and other technical security measures, Ethernet and network security can also be enhanced if users are simply aware of their overall network's parameters, distributed locations, and capabilities.
'Sometimes people will secure their local network, but forget to do the same to counterparts at other sites or in other states; neglect to secure data storage; or send security-related policies, passwords, or certificates via unsecured e-mail,' says Mr. Pardo-Castellote. 'Most security breaches are the result of well-known, well-documented security problems that someone just hasn't gotten around to fixing yet. For instance, many PCs were formerly shipped with default passwords that users never took the time to change, which made them vulnerable.'
Perhaps the best way to increase Ethernet and network security is to bring a facility's IT and factory-floor personnel together. Despite their traditional mistrust, these two groups can jointly solve most network security problems.
'For instance, we always use switched hubs and intelligent routers, but they need TCP/IP addresses that don't go through the business network. This concerns packet traffic, which is often dictated by IT, and so a lot of coordination is needed,' says Frank Kling, business development manager for North America, Control Systems International (Lenexa, Ks.). 'Working well with IT is important because if a network isn't configured properly, it can be very inefficient and take up more bandwidth than it should.'
Mr. Byres adds IT staffs are often overloaded and don't traditionally concentrate on keeping manufacturing processes running. 'In the end, it's still the process control specialists' responsibility to make sure the process won't go down. This can be a huge mind-shift because process engineers have to take on a more IT, software-based perspective.'
For more suppliers, go to www.controleng.com/buyersguide; for more info, use the following numbers or go online at www.controleng.com/freeinfo.
British Columbia Institute of Technology www.bcit.ca 262
Control Systems International www.csiks.com 263
Opto 22 www.opto22.com 264
Real-Time Innovations www.rti.com 265
Sisco Inc. www.sisconet.com 266
Ethernet networking security basics
The following tools can help protect Ethernet and other networks:
Password protection, including one-time password generators that prevent unauthorized password grabs from web traffic;
Firewalls and other isolation methods using routers, which check data packet validity and use definitions to filter out bad or unintended packets;
Network switches (Layer-2 and Layer-3 switches with high-speed backplanes) that isolate collision domains and prevent data traffic tie-ups;
Establishing a network policy that clearly defines levels of access and privileges;
Setting up sub-networks with a traditional IP router and/or virtual local area networks (VLANs) with a Layer-3 switch for added isolation;
Encrypting data and communications with access via secure certificate or key; and
Using secure web servers for Internet-related communications.
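The first item in the sidebar, one-time passwords that are useless if grabbed from web traffic, works because the server accepts each code only once. The following added example (not from the article or any vendor it names) implements the counter-based HOTP algorithm of RFC 4226 and a server-side verifier; the `OtpVerifier` class, its look-ahead window, and the `verify()` behaviour are this example's own design. The secret is the RFC 4226 test key, used so the codes can be checked against the RFC's published values.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


class OtpVerifier:
    """Server side of a counter-based one-time password scheme (example design).

    Each code is accepted at most once: a code copied from captured traffic fails
    because the counter has already moved past it. A small look-ahead window
    tolerates codes the user generated but never submitted."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.counter = 0  # next counter value the server expects

    def verify(self, code: str) -> bool:
        for step in range(self.window):
            candidate = hotp(self.secret, self.counter + step)
            if hmac.compare_digest(candidate, code):
                self.counter += step + 1  # burn this code and every earlier one
                return True
        return False


# Test key from RFC 4226 Appendix D; a real deployment uses a random per-user key.
RFC4226_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    v = OtpVerifier(RFC4226_SECRET)
    first = hotp(RFC4226_SECRET, 0)
    print("fresh code accepted:", v.verify(first))
    print("same code replayed:", v.verify(first))
```

Because a replayed code is rejected, an attacker who sees the code in a captured HTTP request gains nothing; the remaining risk is a phished code used before the legitimate user's own submission, which is why the window is kept small.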
Ethernet aids liquid gas monitoring, control
To improve tank level monitoring, operations, and alarming of the liquid nitrogen, oxygen, and hydrogen equipment assisting its X-ray tube manufacturing process, Varian Medical Systems (Salt Lake City, Ut.) implemented Snap Ethernet I/O from Opto 22 (Temecula, Calif.).
Snap Ethernet I/O delivered more and better level and flow rate data from the Absa liquid gas unit's 4-20 mA loops about 1,200 ft to Varian's Ethernet network, according to Blair Devey, Varian's control systems engineer in its Information Systems for Manufacturing department. The new system helps Varian avoid dry tanks, smoothes ordering and supply schedules, and means Varian didn't have to use 10 different software programs and interfaces it might have needed without Ethernet.
A web server included with Snap Ethernet I/O provides web pages that Varian uses for easy configuration and scaling on the Absa unit and interface with its network's OPC server. In fact, Mr. Devey says the new network ran so well that when he pulled up an HMI screen over a DSL line at home, he was surprised to find himself connected with the actual machine. 'I asked our information systems people to close that port at the firewall as soon as we found it,' says Mr. Devey. 'Snap Ethernet I/O also helped here because it has a utility that can check which IP addresses are active and lists their port numbers. This means I can open an OPC client, have it talk to Snap Ethernet I/O, find out what port is receiving certain input, and then tell IT which port to close.'
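The step Mr. Devey describes, listing which ports a device has open and handing IT the ones that should be closed at the firewall, is an inventory of listening sockets compared against an approved list. The following added example (not the Opto 22 utility or any code from the article) parses a constructed listener table in the column layout of Linux `ss -ltn`, flags sockets bound to every interface, and reports the ports not covered by the policy. The sample rows and the approved-port set are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Set

# Constructed sample in the column layout of `ss -ltn`; any listener list in
# "address:port" form can be fed in the same way.
SAMPLE_LISTENERS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
LISTEN 0      4096   0.0.0.0:6000        0.0.0.0:*
LISTEN 0      511    [::]:80             [::]:*
"""

# Bind addresses that mean "every interface", i.e. reachable from the network.
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    all_interfaces: bool


def parse_listeners(text: str) -> List[Listener]:
    """Extract (address, port) from each LISTEN row; header and other rows are skipped."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)  # rsplit keeps IPv6 brackets intact
        found.append(Listener(addr, int(port), addr in WILDCARD_ADDRS))
    return found


def unexpected_exposures(listeners: List[Listener], approved: Set[int]) -> List[int]:
    """Ports reachable from the network that the policy does not list:
    the list to hand to IT for closing at the firewall or on the host."""
    return sorted({l.port for l in listeners if l.all_interfaces and l.port not in approved})


if __name__ == "__main__":
    listeners = parse_listeners(SAMPLE_LISTENERS)
    for l in listeners:
        print(f"{l.addr}:{l.port}  exposed={l.all_interfaces}")
    print("close these:", unexpected_exposures(listeners, approved={22}))
```

Port 631 is ignored because it listens on loopback only; the two wildcard listeners not in the approved set are the ones to report. Running the same comparison on a schedule turns a one-off discovery like the DSL incident into a routine check.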