How to optimize industrial motor communications, Part 4, cybersecurity
Three thought leaders offer advice on improving industrial motor communications and on how cybersecurity helps engineers, in this transcript from an August 2022 webcast. Part 4 discusses how three industrial Ethernet protocols handle cybersecurity and why cybersecurity matters for motor-drive communications.
- Understand how cybersecurity approaches differ for motor-drive communications with Profinet from PI North America, EtherCAT from EtherCAT Technology Group, and EtherNet/IP from ODVA.
- View the archived webcast about optimizing motor-drive communications prior to Aug. 4, 2023. An RCEP professional development hour is available.
Motor communication insights
- Cybersecurity approaches differ for motor-drive communications, for Profinet from PI North America, EtherCAT from EtherCAT Technology Group, and EtherNet/IP from ODVA.
- A Control Engineering webcast about optimizing motor drive communications is archived for viewing prior to Aug. 4, 2023.
Cybersecurity best practices for motor and drive communications include ODVA's identification, authentication and use control; Profinet's signed GSD files, SNMP off by default and encryption; and EtherCAT's recommended separation of the motion control domain.
Michael Bowne, executive director of PI North America; Bob Trask, North American representative of the EtherCAT Technology Group; and Paul Brooks, member of the ODVA Distributed Motion and Time Synchronization SIG, explain how engineers can optimize industrial motor communications and improve their operations while keeping them secure. This transcript has been edited for clarity.
Cybersecurity best practices with motor and drive communications
Bob Trask: We really don't want motors and drives to worry about cybersecurity practices. They should be abstract and removed for basic motion and for more complex, synchronized, deterministic motion.
I have to be able to operate a motion system without having to stop to patch. For systems today, we need to abstract the motion systems from any kind of IT concerns. How can I go about lowering cybersecurity risk without patch disturbances? Security is very important. But if it’s everybody’s network then it’s nobody’s network. That is an issue. Highly synchronized, deterministic, motion systems cannot tolerate changes to the control system at will.
EtherCAT is standard Ethernet. There’s nothing different about the frame; it’s just not IP-routed communications. Our feeling is that I don’t want to have to worry about my motor drive getting affected by the overall system. I need to be separate from it.
ODVA cybersecurity: identification, authentication, control
Paul Brooks: My favorite quote about cybersecurity comes from the UK's Institute of Strategic Studies, which did a survey of the nuclear power industry. Those involved concluded that the biggest threat was what they called the myth of the air gap. The threat wasn't that the air gap didn't exist, because they recognized that Ethernet access was absolutely critical for modern nuclear power generation in the UK.
The threat was actually that management believed that there was an air gap, and that they, therefore, didn’t need to do anything about security. ODVA elected to deploy security right down to the drive such that every component underneath the network is secured.
What do we mean by secured? First of all, within the system we have identification, authentication, control. Anywhere that someone plugs into a network, they are identified and only allowed to do anything if they’re authenticated and only allowed to do what they are permitted to do if they’re authenticated.
We have authorization for use control enforced right at the drive level. We ensure system integrity. It's not just about knowing who they are, it's about knowing who I am, ensuring that the firmware has not been tampered with. We look at data confidentiality, ensuring that, for instance, production recipes cannot be intercepted and can't be listened to by malicious actors. We do restrict data flow. We ensure that networks are properly segmented using logical segmentation rather than physical segmentation, so that the physical topology doesn't drive your policies; it's the logical policy that drives your security policies. We ensure a timely response to events, having tools in place to try to stop security events, but also, when security events do occur, to identify them and to provide the ability for the operator to decide what to do if there is potentially malicious activity on the network.
And finally, most importantly, and coupled with the importance of production efficiency, ensure that network resources are available; ensure that traditional attacks like denial of service or a human-in-the-middle attack cannot affect the performance or the operation of motors in a motion control system. Ensure that it isn't possible, or is as difficult as possible, for malicious actors to interfere with the velocity or target position of a motor.
Profinet hybrid approach to cybersecurity: GSD, SNMP, encryption
Michael Bowne: From a Profinet perspective, we have a little bit of a hybrid approach to cybersecurity. A human-in-the-middle attack typically gets scary at the IP level. As mentioned, most Profinet data skips layers three and four of the ISO/OSI model, going straight from layer two directly to layer seven. This avoids the human-in-the-middle cybersecurity risk of IP-based traffic. Just about the one thing that everybody promotes is a holistic view of network security, and we do and have in the past. With defense in depth, you have layers of security, such that if a malicious actor gets past one layer, there are many behind it, like in a medieval castle.
For about five or six years, we've had this idea of communication robustness, which we call net load. Since every device on a Profinet network is certified for compliance, we stress test it. During testing, if there is something like a denial-of-service attack, does it automatically degrade gracefully and recover from that denial-of-service attack? That's been in place for a while. Beyond net load class one, we have three classes of security, where we have a DCP read-only mode. DCP is a protocol used to name and address devices during setup; by default, it is read-only. A general station description (GSD) file comes with every device.
Now we’ve introduced the idea where you can sign the GSD files so that when you import one into your engineering tool, you know that it is authentic from the vendor. Another idea is turning SNMP off by default. SNMP is a really powerful IT protocol, which can make it really nice and easy to analyze a network and gather data about the network. But there have been concerns that this can be a cybersecurity risk, a hole for access. So the thought is to turn SNMP off by default.
For class two authenticity and integrity, devices can have signatures. For configuration and parameterization data, we use IP-based protocols because these are not the real-time parts.
We want to make sure to avoid human-in-the-middle attacks for configuration data, and this would be class two. Finally, in class three, we're looking at the confidentiality of I/O data, the real-time data. Here we're talking about encryption between the controller and device for proprietary data, like recipe data. That covers scalable security from basic all the way up to confidentiality of I/O data.
Examples of motor-drive communications to help with optimization
Looking at examples of motor-drive communications to help with optimization, from very high and high levels, this goes back to cyclic data exchange and acyclic data. Cyclic data are the process values.
Acyclic data are things that are not time critical, such as alarms and events. This could be something that is used for analysis. This can be used for diagnostics and for clock synchronization. For communications, it's cyclic, acyclic, alarms and then clock synchronization.
Inside the drive, we talk about state machines; most of the time you’re in that S4 or operation mode. Without getting too deep into the state machines of a drive, the drives are set up in such a way that they cannot function improperly. Based on these state machines, all this is abstracted from the user, so that it’s easy to just set up the drive and run without having to get directly into state machines.
EtherCAT separates motion control domain
Bob Trask: CiA DS402 defines PDOs, which are cyclically exchanged, and SDOs, which are acyclically exchanged, so I can monitor everything. You have access to a broad range of information. There are basically buckets, and you can select which buckets of process information you want. The configuration is already there: the data size, the back and forth, and SDOs, everything else that I can monitor acyclically. Architecture is important. We feel that the items in the motion control domain need to be just by themselves, not to put any kind of security on and above them, but they need to be robust enough systems that I don't have to worry about any kind of attacks.
Scalable motion control technology, motor-drive communications
Paul Brooks: One size doesn’t fit all. There are different applications. That means that you need to have a scalable motion control technology in your plants. Secondly, motion works. Different motor-drive communication technologies have significant things in common, and have significantly different approaches. Dig into the technologies to see which scales best for your applications.
Additional answers about motor-drive communications
Mark Hoske: Bob, Michael, Paul, thank you very much. Time to answer audience questions.
Question: Many parameters are available in a drive. In your view, what are some of the most important parameters to monitor to maintain the motors?
Bob Trask: Well, the basic mode matters along with how you cyclically distribute it. So if your basic mode is velocity, I really just need to exchange velocity back and forth and maybe get position feedback. Things become quite simple. Then, do I need to add on other parameters, which I can monitor acyclically? The key is to have the flexibility to add and remove what is needed.
Paul Brooks: I'll vote for currents, heat and vibration as important parameters to monitor, because a motor and, more importantly, the load attached to the motor tend to become less mechanically efficient when they're wearing. More friction starts to drive up the current. Increased heat and vibration also indicate something is not working properly.
Question: How can protocols help with cybersecurity of motor-drive communications?
Bowne: We recommend that you look at your network holistically. When you’re looking at motor-drive communications, the recommendation is to look at the communications in the entire plant and not just the motor-drive. Also look at the defense-in-depth approach and the network as a whole, from I/Os, other devices to everything else on the network.
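Added example, not from the webcast and not code from PI North America, the EtherCAT Technology Group or ODVA: a small Python monitor that turns three points made above into a check a network engineer can run on a mirror-port capture. Bowne notes that Profinet real-time data stays at layer two and that DCP (the naming/addressing protocol) is read-only by default; Trask wants the motion domain kept separate from IP traffic; Brooks wants logical segmentation with restricted data flow. The monitor parses raw Ethernet frames, classifies them by EtherType, and raises an alert when a drive receives IP-routed traffic or a DCP Set request. The EtherType values (0x8892 Profinet RT, 0x88A4 EtherCAT, 0x0800 IPv4, 0x8100 802.1Q) and the DCP header layout are the standard ones; the MAC addresses, the sample frames and the "drives see layer-two real-time traffic only" policy are constructed for this example.

```python
"""Constructed OT segment monitor: flag IP-routed traffic and DCP Set requests reaching drives."""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Real EtherType values (IEEE registry).
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100          # 802.1Q tag; the real EtherType follows the 4-byte tag
ETHERTYPE_PROFINET_RT = 0x8892
ETHERTYPE_ETHERCAT = 0x88A4

# Profinet DCP rides inside PN-RT frames with these FrameIDs (Hello, Get/Set, Identify).
DCP_FRAME_IDS = range(0xFEFC, 0xFF00)
DCP_SERVICE_SET = 0x04            # Set writes the station name / IP parameters
DCP_SERVICE_TYPE_REQUEST = 0x00


@dataclass
class Verdict:
    src: str
    dst: str
    protocol: str
    alert: Optional[str] = None


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _classify_dcp(src: str, dst: str, dcp: bytes, to_drive: bool) -> Verdict:
    # DCP header: ServiceID(1) ServiceType(1) Xid(4) ResponseDelay(2) DCPDataLength(2)
    if len(dcp) < 10:
        raise ValueError("truncated DCP header")
    service_id, service_type = dcp[0], dcp[1]
    if service_id == DCP_SERVICE_SET and service_type == DCP_SERVICE_TYPE_REQUEST:
        where = "to drive" if to_drive else "on segment"
        return Verdict(src, dst, "Profinet DCP Set", f"DCP Set request (rename/re-address) {where}")
    return Verdict(src, dst, "Profinet DCP")


def classify(frame: bytes, drive_macs: Set[str]) -> Verdict:
    """Classify one raw Ethernet frame against a 'drives see layer-2 real-time only' policy."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_raw, src_raw, ethertype = struct.unpack("!6s6sH", frame[:14])
    payload = frame[14:]
    if ethertype == ETHERTYPE_VLAN:            # strip one 802.1Q tag
        if len(payload) < 4:
            raise ValueError("truncated 802.1Q tag")
        ethertype = struct.unpack("!H", payload[2:4])[0]
        payload = payload[4:]
    dst, src = mac_str(dst_raw), mac_str(src_raw)
    to_drive = dst in drive_macs

    if ethertype == ETHERTYPE_ETHERCAT:
        return Verdict(src, dst, "EtherCAT")
    if ethertype == ETHERTYPE_PROFINET_RT:
        if len(payload) < 2:
            raise ValueError("truncated PN-RT frame")
        frame_id = struct.unpack("!H", payload[:2])[0]
        if frame_id in DCP_FRAME_IDS:
            return _classify_dcp(src, dst, payload[2:], to_drive)
        return Verdict(src, dst, "Profinet RT")   # cyclic/acyclic RT data, expected
    if ethertype == ETHERTYPE_IPV4:
        return Verdict(src, dst, "IPv4", "IP-routed traffic reached a drive" if to_drive else None)
    alert = "unexpected protocol on motion segment" if to_drive else None
    return Verdict(src, dst, f"EtherType 0x{ethertype:04x}", alert)


def audit(frames: Iterable[bytes], drive_macs: Set[str]) -> List[Verdict]:
    """Return only the verdicts that carry an alert."""
    return [v for v in (classify(f, drive_macs) for f in frames) if v.alert]


# ---- constructed sample traffic (hypothetical MACs, not a real capture) ----
PLC = bytes.fromhex("001122334455")
DRIVE = bytes.fromhex("00aabbccdd01")
LAPTOP = bytes.fromhex("deadbeef0001")
BCAST = b"\xff" * 6


def eth(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload


SAMPLE_FRAMES = [
    # cyclic PN-RT class 1 I/O data to the drive (FrameID 0x8000): allowed
    eth(DRIVE, PLC, ETHERTYPE_PROFINET_RT, struct.pack("!H", 0x8000) + b"\x00" * 40),
    # EtherCAT datagram carried inside an 802.1Q tag: allowed
    eth(BCAST, PLC, ETHERTYPE_VLAN, struct.pack("!HH", 0x0005, ETHERTYPE_ETHERCAT) + b"\x00" * 46),
    # DCP Set request from an engineering laptop to the drive: alert
    eth(DRIVE, LAPTOP, ETHERTYPE_PROFINET_RT, struct.pack("!HBBIHH", 0xFEFD, DCP_SERVICE_SET, 0, 1, 0, 0)),
    # IPv4 packet aimed at the drive's MAC (minimal IP header, not parsed): alert
    eth(DRIVE, LAPTOP, ETHERTYPE_IPV4, bytes.fromhex("4500001400010000401100000a0000010a000002")),
]
DRIVE_MACS = {mac_str(DRIVE)}

if __name__ == "__main__":
    for verdict in audit(SAMPLE_FRAMES, DRIVE_MACS):
        print(verdict)
```

Running the block prints two alerts: the DCP Set request and the IPv4 frame addressed to the drive; the cyclic Profinet RT frame and the VLAN-tagged EtherCAT frame pass. On a live segment the same logic would read frames from a SPAN port or a pcap; a DCP Set seen outside a commissioning window is exactly the "read-only by default" expectation being violated.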
For additional questions and answers, see a related article: More answers about motor-drive communications.
KEYWORDS: Motor-drive communications, EtherCAT, Profinet, EtherNet/IP
What level of cybersecurity risk can you tolerate with industrial communications with motors and drives?