There are many benefits to bringing Ethernet to the shop floor. One important benefit is a more open architecture that allows a large number of connections to various plant equipment and management tools. But this openness also brings a problem that the operators of the factory network must solve: security.
Once the automation system is connected to Ethernet, the situation is much the same as connecting a computer to the Internet: somewhere in the factory, or in the corporate network, there will always be an Internet connection. Companies must therefore take action to protect the factory environment from threats arriving through Internet-connected computers, such as hackers, viruses, Trojans, and other malicious programs.
This means that the plant network administrator needs the same kind of security tools as colleagues in the IT department, ideally tools designed for the factory environment. These tools must allow authorized connections into the factory from other areas of the facility or from remote locations, so that remote administrators can perform tasks such as configuration and diagnostics, node initialization, and retrieving information from a device's onboard network services and FTP server.
This tool set includes hardware, software, and operational measures such as firewalls, virtual private networks (VPNs), network address translation (NAT), and policies. Once the automation environment is opened up, it has to communicate with other networks and be managed from different locations, and these tools keep the factory secure from Internet threats while it does so.
Firewall: the first barrier
Firewalls are one of the oldest security tools and are still an important security component today. A firewall sits between networks and controls the flow of information between the internal and external networks; its main purpose is to ensure that only legitimate traffic flows in a given direction.
In an industrial environment, a firewall can protect a cell of automation equipment with several network connections, such as an industrial PC or a PLC. In this case, the enterprise can install a security module that accepts Ethernet traffic from the automation network on one side and connects to the larger network on the other. What may pass between the two networks depends on the rules configured on the module's firewall.
There are many ways to run a firewall. Industrial networks generally use stateful packet inspection, in which the firewall tracks the connections currently in progress. Inbound information is admitted only when the firewall determines that it is a legitimate reply to a request that originated on the intranet; unsolicited information from an external source is blocked.
To ensure that all information flows are legitimate, a stateful packet inspection firewall controls traffic according to predetermined filtering rules. For example, if an internal node sends data to an external target device, the firewall allows the response packets for a specific amount of time. After that time, the firewall blocks the traffic again.
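The reply-window behaviour described above, as an added illustration that is not code from the original article or from any vendor's module: outbound requests from the internal subnet open a timed entry in a connection table, inbound packets pass only while a matching entry is alive, and everything else is blocked. The 30-second window, the subnet prefix and the packet layout are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Assumed reply window (seconds): how long a response to an outbound request stays allowed.
REPLY_WINDOW = 30.0


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulFirewall:
    """Allows outbound traffic from the internal subnet and admits inbound packets
    only as replies to a recorded outbound request, and only for a limited time."""

    def __init__(self, internal_prefix: str, reply_window: float = REPLY_WINDOW):
        self.internal_prefix = internal_prefix      # e.g. "192.168.10."
        self.reply_window = reply_window
        # Connection table: (internal ip, port, external ip, port) -> expiry time
        self.state: dict[tuple, float] = {}

    def _is_internal(self, ip: str) -> bool:
        return ip.startswith(self.internal_prefix)

    def filter(self, pkt: Packet, now: float) -> str:
        """Return "ALLOW" or "BLOCK" for a packet seen at time `now` (seconds)."""
        # Drop expired entries first so a late reply is not admitted.
        self.state = {k: exp for k, exp in self.state.items() if exp > now}

        if self._is_internal(pkt.src_ip) and not self._is_internal(pkt.dst_ip):
            # Outbound request: record it and open the reply window.
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.state[key] = now + self.reply_window
            return "ALLOW"

        if not self._is_internal(pkt.src_ip) and self._is_internal(pkt.dst_ip):
            # Inbound: allowed only if it answers a recorded, still-open request.
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            return "ALLOW" if key in self.state else "BLOCK"

        # Anything that does not cross the boundary as expected is denied by default.
        return "BLOCK"
```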
NAT and NAPT
Another technology that provides security for the automation environment is NAT, applied at the device level. NAT hides the actual IP addresses of devices on the internal network from the outside: it presents a public IP address to external nodes and translates to and from the addresses used inside the network.
Network Address and Port Translation (NAPT) builds on the concept of NAT by adding port numbers. With NAPT, the intranet presents only one IP address to the public. Behind it, packets are delivered to the intended device by means of a port number. NAPT tables are typically kept on routers that map private IP address and port pairs to public IP address and port pairs.
If a device on an external network wishes to send a packet to an internal device, it must use the public address of the security device, with a specific port, as the destination address. The router translates this destination IP address and port into the private IP address and port of the internal device.
The source address in the packet's IP header remains unchanged. However, because the sender's address is on a different subnet from the receiver's, the reply must be routed back through the security device and then forwarded to the external device, so the actual IP address of the internal device is never seen by the external public.
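The NAPT table described in the three paragraphs above, as an added example (not code from the article or from any router product): outbound packets have their source rewritten to the single public address plus an allocated port, inbound packets addressed to that public address and port have only their destination translated back to the private address and port, and packets for a port with no table entry are dropped so the internal device stays invisible. The addresses and the starting port 40000 are constructed values.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """NAPT table on the security device: one public IP in front of many internal devices."""

    def __init__(self, public_ip: str, first_public_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_public_port
        self.out_map: dict[tuple[str, int], int] = {}   # (private ip, port) -> public port
        self.in_map: dict[int, tuple[str, int]] = {}    # public port -> (private ip, port)

    def bind(self, private_ip: str, private_port: int) -> int:
        """Allocate (or reuse) the public port that stands for an internal ip:port.
        Calling this ahead of time gives a static mapping for inbound access."""
        key = (private_ip, private_port)
        if key not in self.out_map:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return self.out_map[key]

    def outbound(self, pkt: Packet) -> Packet:
        """Internal -> external: source becomes public ip:port; destination is untouched."""
        port = self.bind(pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt: Packet):
        """External -> internal: translate the public destination to the private ip:port.
        The external source address is left unchanged; unknown ports are dropped (None)."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.in_map:
            return None
        private_ip, private_port = self.in_map[pkt.dst_port]
        return replace(pkt, dst_ip=private_ip, dst_port=private_port)
```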
Secure channel using VPN
Another way to make a secure connection over an essentially insecure network is a virtual private network (VPN). A VPN is basically an encrypted channel formed by a security device at each endpoint of the connection, and each device must present a digital authentication credential, generally a numeric ID that trusted partners use to identify each other. Authentication also underpins the process by which the device at one end encrypts the data, sends it over the Internet in encrypted form, and the device at the other end decrypts it before passing it on to the terminal device.
The security module uses this digital authentication to create VPNs in two basic configurations, bridging mode and routing mode:
Bridging mode lets devices communicate securely over a virtual "flat" network even when they are geographically far apart or when the traffic between them must cross unsafe parts of the network. It can also be used for communication that cannot be routed, or between devices on the same subnet.
Routing mode creates VPNs between devices on separate subnets. The router works at layer 3 of the OSI model and knows enough about the surrounding networks to forward data to the appropriate destination address. Packets travel through an encrypted VPN tunnel, so this communication is more secure than traffic sent in the clear over a public network such as the Internet.
Security tools for the factory environment can be configured in many ways depending on your specific needs. Here are some examples:
A firewall for a specific user. Suppose a contractor is debugging some of the automation equipment in your plant. When he is not in the factory, being able to log in to the factory network, for example to troubleshoot, is very useful for solving unexpected problems. In this case, you can create a set of user-specific rules in the firewall so that the remote user can reach the network. You can also create different levels of authorization so that different remote clients can connect only to the devices they are authorized for.
Creating a username and password for the remote user is a simple task; he then connects to the module's IP address and logs in with these credentials. With the default settings, he can stay connected for a specific period, after which he is automatically logged out, so that a session is not left open if he walks away from the computer. If the contractor needs more time, he can log in again through a web-based form before the period ends.
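The user-specific firewall rule and timed login described above, as an added example that is not the module's own implementation: each user is granted a set of devices, a login opens a session with an expiry, a check denies traffic once the session has lapsed (the automatic logout) or when the device is outside the user's grant, and logging in again before the deadline renews the session. Password verification is assumed to happen before `login` is called, and the default duration is an assumed value.

```python
from dataclasses import dataclass, field

SESSION_SECONDS = 3600.0  # assumed default login duration; the article gives no figure


@dataclass
class RemoteAccessPolicy:
    """Per-user firewall rules: which devices a remote user may reach, plus a login
    that expires automatically unless the user re-logs in before the deadline."""

    # username -> set of device addresses the user is authorized to reach
    allowed: dict[str, set[str]] = field(default_factory=dict)
    # username -> absolute expiry time (seconds) of the current session
    sessions: dict[str, float] = field(default_factory=dict)

    def grant(self, user: str, devices: set[str]) -> None:
        """Define the user-specific rule: the only devices this user may connect to."""
        self.allowed[user] = set(devices)

    def login(self, user: str, now: float, duration: float = SESSION_SECONDS) -> bool:
        """Open or renew the user's session (credentials already verified by the caller).
        Users without a rule are refused."""
        if user not in self.allowed:
            return False
        self.sessions[user] = now + duration
        return True

    def check(self, user: str, device: str, now: float) -> str:
        """Decide whether traffic from `user` to `device` may pass at time `now`."""
        expiry = self.sessions.get(user)
        if expiry is None or now >= expiry:
            self.sessions.pop(user, None)       # automatic logout after the period
            return "DENY: no active session"
        if device not in self.allowed[user]:
            return "DENY: device not authorized for this user"
        return "ALLOW"
```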
Station-to-station VPN. Sometimes a company has a central station and perhaps two satellite facilities. In this case, a station-to-station VPN is the more suitable solution. It generally uses an encrypted connection between two stations; depending on the configuration, users at each station may connect to any resource at the other station, assuming of course that they have the appropriate rights.
This approach requires a module at each location to create the encrypted VPN tunnels. The firewall can also provide more granular access control, for example allowing specific users to access a subset of resources without seeing the others.
Point-to-point VPN. A point-to-point VPN lets a user connect to devices at another location from anywhere with an Internet connection. This is very important for administrators who need to log in from a remote location after hours to troubleshoot a device.
This approach requires a module at the target location together with matching secure client software running on the administrator's laptop or tablet. The software helps the administrator establish an encrypted VPN connection to any site that has such a module. Wherever he is, he can log in to any device he needs, with the right permissions.
Multi-point VPN connection. Now suppose the administrator wants to reach another five to ten sites from home. He does not need to establish a separate VPN connection to each site. He can connect to a central module that already has a VPN connection to each remote site, and from there reach the site he needs.
This is definitely good news for service engineers who travel around the world every day. By connecting to the central site alone, they can now easily and securely reach the other sites they need, saving connection time.
There are also tools that make Ethernet-based automation environments as secure as fieldbus environments. While firewalls and VPNs are an important part of a security solution, especially for secure remote user access, a defense-in-depth security model is also needed to achieve real depth of security in industrial environments. Always keep in mind that safety is a matter of life, not a game.