Providing secure remote access to industrial Ethernet networks
The introduction of Ethernet to the plant floor brings with it lots of benefits, notably a more open architecture that allows connectivity to plant devices and management tools from pretty much anywhere. But with that openness also comes an issue that plant network operators must address: security.
When automation systems are attached to Ethernet networks, it’s not all that different from connecting a computer to the Internet. Somewhere in the plant and certainly in the enterprise network an Internet connection exists. Given that, organizations must take steps to protect the plant environment from the same sort of threats that face any Internet-connected computer, including hackers, worms, Trojans, and various other forms of malware.
This means plant network administrators need the same sort of security tools that their IT counterparts use, albeit tools built with the plant environment in mind. Those tools must allow authenticated access to the plant environment from other areas within the facility as well as from remote locations. That enables remote administrators to handle tasks such as configuration and diagnostics, initialization of nodes, and gaining access to on-board Web and FTP servers to glean information from devices.
That tool kit will include assorted hardware, software, and work practices such as firewalls, VPNs (virtual private networks), network address translation (NAT) technology, and appropriate policies. The result is an automation environment that is open, able to communicate with other networks as needed and to be managed from anywhere, while remaining protected from Internet-borne threats.
Firewalls: First line of defense
Firewalls are one of the oldest security tools and still a crucial piece of the security puzzle. A firewall sits between networks, typically controlling traffic between internal and external networks. Its main purpose is to help ensure only legitimate traffic passes through in either direction.
In an industrial environment, firewalls protect a cell that may include several Ethernet-attached automation devices, such as industrial PCs and PLCs. In such a case, companies can install a security module, a simple device with one Ethernet connection coming from the automation network side and another going out to the larger network. Any traffic passing between the two is subject to whatever firewall rules are established for the device.
There are different strategies for firewall operation. Industrial networks often use stateful packet inspection technology, which enables the device to assess traffic in context. It will only allow incoming traffic that it knows is a legitimate response to a request from the internal network. If an external source sends data that was not requested, it is blocked.
In addition to its predetermined filter rules, a stateful packet inspection firewall keeps track of the connections those rules permit. For example, if an internal node sends data to an external target device, the firewall will dynamically allow the response packet for a limited period of time. Once that time window has expired, the firewall blocks the traffic again.
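As an added illustration (not code from the article or from any Siemens product), here is a toy stateful packet filter in Python: an outbound request from the cell subnet opens a time-limited entry for the matching reply, and any inbound packet that does not match an open entry is blocked. The subnet, addresses and reply window are constructed values.

```python
"""Toy stateful packet filter: the cell may initiate, and only the matching
reply is let back in, for a limited time. Example code, not a product."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CELL_NET = ip_network("192.168.10.0/24")  # constructed: the automation cell's subnet
REPLY_WINDOW = 30.0                       # constructed: seconds a reply entry stays open


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFilter:
    def __init__(self, now=0.0):
        self.now = now      # simulated clock, so expiry can be tested deterministically
        self.state = {}     # expected reply 5-tuple -> expiry time

    def _expire(self):
        self.state = {k: t for k, t in self.state.items() if t > self.now}

    def process(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded, False if it is blocked."""
        self._expire()
        outbound = ip_address(pkt.src) in CELL_NET and ip_address(pkt.dst) not in CELL_NET
        if outbound:
            # Static rule: the cell may initiate. Remember the reversed 5-tuple so
            # the response is allowed back in until the window runs out.
            reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
            self.state[reply] = self.now + REPLY_WINDOW
            return True
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if key in self.state:
            # A tracked reply: refresh the window, as connection tracking does.
            self.state[key] = self.now + REPLY_WINDOW
            return True
        # Unsolicited inbound traffic, or a reply arriving after the window closed.
        return False
```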
NAT and NAPT
Another technology that helps provide security for automation environments is network address translation (NAT), which is typically implemented in the router or security module at the network boundary. NAT essentially hides the actual IP addresses of devices on the internal network from view to those on the public, external-facing side of the network. It presents a public IP address to external-facing nodes but translates that address to a different IP address that’s used on the internal side of the network.
Network address and port translation (NAPT) takes the NAT concept a step further by adding a port number into the mix. With NAPT, only a single IP address need be presented to the public. Behind that, packets are addressed to particular devices by port number. A NAPT table, which typically resides on a router, maps each private IP address and port pair to a port on the public IP address.
If a device on the external network wants to send a packet to an internal device, it uses the security device’s public address with the specified port as the destination. The router translates that destination to the corresponding private IP address and port.
The source address in the IP header of the data packet remains unchanged. But, since the sending address is in a different subnet from the receiving address, the response must go through the router, which forwards it to the external device, all the while protecting the actual IP address of the internal device from public view.
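The following Python sketch is an added example (not code from the article or from any Siemens product) of the NAPT forwarding table just described: an inbound packet to the single public address has only its destination rewritten, and the internal device’s reply has its source rewritten back to the public address and port. The public address, private addresses and port mappings are constructed values.

```python
"""Toy NAPT (port-forwarding) table for a security module with one public
address. Example code, not a product implementation."""
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.10"  # constructed: the module's single public address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NaptRouter:
    def __init__(self, forwards):
        # public port -> (private ip, private port), e.g. 8502 -> a PLC's TCP port 502
        self.forwards = dict(forwards)
        # (private ip, private port) -> public port, used to rewrite replies
        self.reverse = {v: k for k, v in self.forwards.items()}

    def inbound(self, pkt: Packet):
        """External -> internal: rewrite only the destination; the external
        source address stays unchanged. Returns None if no entry exists."""
        if pkt.dst != PUBLIC_IP or pkt.dport not in self.forwards:
            return None
        priv_ip, priv_port = self.forwards[pkt.dport]
        return replace(pkt, dst=priv_ip, dport=priv_port)

    def outbound(self, pkt: Packet):
        """Internal -> external reply: rewrite the source back to the public
        address and port so the private address is never exposed."""
        pub_port = self.reverse.get((pkt.src, pkt.sport))
        if pub_port is None:
            return None   # no mapping for this internal socket: not forwarded
        return replace(pkt, src=PUBLIC_IP, sport=pub_port)
```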
Secure tunnels with VPNs
Another way to provide a secure connection over an inherently insecure network such as the Internet is to use a virtual private network (VPN). A VPN is essentially an encrypted tunnel formed by security devices at each end of the connection. Each device must generate a digital certificate, essentially a digital ID, which it uses to identify itself to the other as a trusted partner. The certificates also enable the devices to encrypt the data at one end, send it over the Internet (or other network) in encrypted form, then decrypt it at the other end before passing it to the end device.
Security modules work using digital certificates and can create VPNs in two basic configurations, bridging and routing mode:
- Bridging mode can be used to enable devices to communicate securely in a virtually "flat" network even when they are located far apart or when their communication has to pass through an unsecured section of the network. This is also used for communication types that can’t be routed or have to be in the same subnet.
- Routing mode can be used to create a VPN between devices on separate subnets. The router, operating at Layer 3 of the OSI model, has the intelligence and awareness of surrounding networks required to route packets to the appropriate destination address. Again, the packet travels through a secure, encrypted VPN tunnel, making the communications secure even over a public network such as the Internet.
Sample use cases
The variety of security tools available in the plant environment can be configured in different ways depending on exactly what kind of access you need to provide, and to whom. Here are a few examples:
User-specific firewall—Say you’ve got a contractor working on some of the automation devices in one of your plants. When he’s away from the plant, it’s useful if he can log in, such as to troubleshoot issues. In such a case, you can create a user-specific rule in the firewall enabling that particular remote user to gain access. You can also create different levels of authorization to ensure different remote users gain access only to the devices for which they are authorized.
It’s a simple matter of creating a username and password for the remote user. He can then connect to the IP address of the module and log in using those credentials. By default, he’ll have access for a predefined amount of time, after which he’ll be logged out, to protect against him walking away from his computer and leaving the connection open for an extended period of time. If the contractor needs more time, he can renew the connection before it runs out using a Web-based form.
Site-to-site VPN—In an instance where a company has a central site and maybe two satellite facilities, a site-to-site VPN is likely more appropriate. A site-to-site VPN is essentially a secure encrypted connection between two sites that, depending on how it’s configured, could allow users at each site to access any resource at the other, assuming they have appropriate authorization, of course.
This setup requires a module at each location to create the encrypted VPN tunnel. A firewall can also be used to provide more fine-grained access control, such as to enable certain users to access some resources but not others.
Point-to-point VPN—A point-to-point VPN enables a user to access devices at any site from any other site that has an Internet connection. This is useful for an administrator working from home after hours who needs to log in to a remote location to troubleshoot a device.
This setup requires a module at the target location along with appropriate security client software, which runs on the administrator’s laptop or desktop. The software enables him to establish an encrypted VPN connection with any site that has the module. From there, with the proper permissions, he can log in to whatever device he needs to.
Multipoint VPN connections—Now say that same administrator has to access another five or 10 sites from his home. Rather than establish individual VPN connections to each of them, he can connect to a central module that already has VPN connections established to each of the remote sites and essentially piggyback on those connections.
That’s a great benefit for service engineers who spend much of their time traveling. With a single connection to the central site, they can now easily but securely access any other site as needed, saving valuable time in the process.
These are just a few of the tools to ensure Ethernet-enabled automation environments are just as secure as their fieldbus-based predecessors, and their IT counterparts. While firewalls and VPNs are important pieces of the puzzle, and crucial for providing secure access to remote users, it takes additional layers of security to ensure a true, defense-in-depth security model. Always keep in mind: security is a lifestyle, not just a checkbox.
Tim Pitterling is an industrial Ethernet infrastructure product marketing manager for Siemens Industry Sector. Jonas Ljungberg is an industrial Ethernet infrastructure senior consulting application engineer for Siemens Industry Sector.
- Your industrial networks invariably have a connection to the Internet, one way or another, and therefore must be protected.
- Many techniques are available to help secure communication and minimize your exposure to threats.
For more information, visit: www.siemens.com/industrialsecurity