Changes in the network security landscape

Until a few years ago network security focused on enterprise systems and relied on firewalls to prevent viruses from arriving electronically. Now there is increasing realisation that the production control systems need to be protected too, and that viruses can be uploaded by many means. Industries as diverse as manufacturing, processing, refining, power generation, and food and drink processing are all considering ways to improve the security of their plant and control systems. John Browett of CLPA (CC-Link Partners Association) considers the current position and looks at how to mitigate potential threats.

As Ethernet becomes the de facto industrial network of choice, installers and users can be seduced by the advantages the technology brings and give insufficient consideration to network security. However, given some recent high-profile situations, there is now a growing awareness that there is the very real possibility that networks can be compromised by both the electronic importation of a virus and from within, either accidentally or maliciously.

The problems of hacking from within a company are as much a personnel security issue as a general network security issue. Security considerations need to consider both deliberate acts of sabotage and the possibility of personnel making an unintended mistake.

Further, companies are increasingly adopting systems that allow remote access to plants - and reaping great benefits. However, monitoring processes typically use standard web browsers, which open the system up to the possibility of abuse of the network by third parties.

It is now well understood that SCADA (supervisory control and data acquisition) and other plant floor control systems have weaknesses and vulnerabilities when it comes to security. Therefore many companies are reassessing their traditional methods for moving information around between the plant/asset and the enterprise level.

The point of attack can be at the enterprise system level, plant control level or even the individual field device level. Top-end attacks have previously been the main concern, with the result that very sophisticated security measures are available. Vulnerable field devices are relatively easy to protect with local measures.

However, in the "˜middle ground' of plant control we frequently see PC-based control systems with little or no security measures in place. There are even cases of some technologies still being utilised despite known vulnerabilities.

Security problems at this level and at plant floor device level are exacerbated by the fact that there is often limited collaboration between a company's IT department and the control engineering departments. In addition, within the control and engineering community, there is not always adequate recognition of the automation system security threats and liabilities. In particular, the business case for automation system security is not established, and there is limited understanding of the automation system risk factors.

Security threat

The drive towards open network technologies generally, and towards Ethernet in particular, as a means of giving companies the freedom they want to choose best-of-breed control technologies has exacerbated the security threat. Users want standardisation, flexibility and choice, and this has been delivered through standardised open protocols. The trade-off, though, which is only just coming to be realised, is that these open protocols are less robust and more susceptible to attack. By contrast, the old proprietary networks were highly robust by virtue of their non-standardisation, but they were far less flexible and they ultimately limited product choice.

Looking then at what the ideal industrial network would offer, we can build up a wish list that offers the robustness of the old combined with the flexibility of the new. This wish list might include common cabling, standard connectors, open standards, ease of configuration, flexibility, highest possible security, and reduced susceptibility to attack.

In looking at how we might be able to adapt industrial Ethernet to meet the requirements of this wish list, it is worth revisiting our definition of Ethernet, because nowhere in networking parlance has a single word been so misused as an umbrella term for so many disparate standards, technologies and applications. And the best place to start for that is with the OSI seven-layer model itself.

Layer 1, the Physical Layer, defines all the electrical and physical specifications for devices. In particular, it defines the relationship between a device and the physical medium. Layer 2 is the Data Link Layer, providing the functional and procedural means to transfer data between network entities and to detect and possibly correct errors that may occur in the Physical Layer. It is here that Ethernet is defined as a network protocol under the IEEE 802.3 standard.

Over the years, Ethernet has become synonymous with the TCP/IP suite, but one does not necessarily imply the other. IP is defined under the Network Layer (Layer 3) of the OSI model. This Layer provides the functional and procedural means of transferring variable length data sequences from a source to a destination via one or more networks. The Transport Layer (Layer 4) provides transparent transfer of data between end users, and defines the likes of TCP and UDP.

The Session Layer (Layer 5) controls the connections between computers, whilst the Presentation Layer (Layer 6) transforms the data to provide a standard interface for the Application Layer (Layer 7) at the top of model. It is here that you find typical applications such as FTP, HTTP, RTP, SMTP, SNMP and others. In short, when it comes to operating as a communications architecture in industrial networks, Ethernet is capable of very little without the layers that sit above it.

Vulnerable lower layers

Not all industrial Ethernet offerings implement the Ethernet stack in the same way. Within the Application Layer the different industrial Ethernet organisations implement their own kernels and protocols which define much of the functional benefits of their technologies. From a security point of view, though, what is really of interest are the more vulnerable lower layers.

Under the seven-layer model, all it takes is for one layer to fall to an attack before the whole communications system is compromised - potentially without the other layers even being aware that there is a problem. Security is only as strong as the weakest link.

There are a number of discrete security products available, and these work well, but one of the biggest problems in the industrial arena lies in implementing tightly integrated security systems without incurring excessive costs and without imposing a level of complexity that makes the system difficult to maintain and support. Further, standard commercially available security systems are rarely up to the rigours of life in challenging industrial environments.

In terms of network technology, much work has been done to make Layer 2 more secure, but in classic implementations of industrial Ethernet little has been done to address weaknesses in the Network Layer (Layer 3) and the Transport Layer (Layer 4). Like the office Ethernet implementation, the vast majority of industrial Ethernet technologies are still built around IP within Layer 3 and TCP/UCP within Layer 4.

Most industrial Ethernet network installations implement perimeter security (firewall services) at points where they connect to other networks to provide protection at these vulnerable layers. Firewalls filter on source and destination IP addresses and protocol port numbers (for example TCP and UDP ports) to further restrict the traffic permitted to enter an Ethernet network. Packet filtering may be implemented even among known network communities, and in some cases filtering deals with very specific device addresses and application ports to provide a layer of access security unique to an attached device and application. Despite this however, in classic industrial Ethernet implementations, Layer 3 and Layer 4 are still highly vulnerable to attack.

Image

CC-Link IE, however, is different (see graphic above). CC-Link IE (Control and Communication Link Industrial Ethernet) was developed by CLPA as the first completely integrated gigabit Ethernet network for industrial automation, defining the new threshold for open standards for Industrial Ethernet. CC-Link IE combines the best of many existing technologies and applies them to an optical or copper-based industrial network system with a redundant architecture that enables very high-speed and reliable data transfer between field devices and other controllers via Ethernet links. The signalling rate of 1Gbps will redefine the users' expectations and systems capabilities, it being more than enough to cater for the real-time communications requirement of today's manufacturing industries.

There are variants of CC-Link IE to address control requirements at all levels of the automation network. At controller level, there is CC-Link IE Control. At device level, there is CC-Link IE Field and CC-Link IE Motion. And of course there is tight integration with the CC-Link fieldbus.

Most importantly, CC-Link IE differs from conventional implementations by defining an open "Real-Time Protocol" within the stack layers. By taking this approach to implementing these layers within the Ethernet stack, CC-Link IE realises the benefits of our network technology wish list. It uses standard Ethernet connectors, it is easy to configure and it is highly robust. It is also an open standard, so users still have that freedom of choice in the selection of best-of-breed component technologies. But most importantly from a security point of view, it inherently offers the highest possible security and is therefore less susceptible to attack. These are significant advantages over alternative industrial Ethernet implementations. The key distinguishing factor is an open, but controlled knowledge base for the network technology. Hence while bona-fide companies can implement the technology on an open basis, it will be harder for the "bad guys" to infiltrate.

Security requirements for industrial Ethernet networks are continuing to evolve, with sophisticated requirements increasingly migrating from Enterprise networks to process control and other industrial environments. Wherever there are network installations, companies need to look at the probability of attacks to the network, and the risk associated with any attack. In every case, as security becomes more important, companies must look at ways to mitigate the risk, reduce the risk or eliminate the risk as appropriate within each branch of the network topology. With its open standards approach combined with proprietary communications technology, the CC-Link IE implementation of industrial Ethernet represents an attractive option in the drive to maximise and optimise network security.

To learn more about CC-Link IE in security for production control systems please visit www.clpa-europe.com.

CC-Link Partner Association - Europe (CLPA)

Gothaer Strasse 8
40880 Ratingen
GERMANY

+44 (0)7768 338708

partners@clpa-europe.com

www.clpa-europe.com

More from CC-Link Partner Association - Europe (CLPA)

Time Sensitive Networking – what’s in it for machine builders?

Posted 3 months ago

CLPA creates Global Strategic Advisor role for Smart Factories

Posted 9 months ago

Benefits of TSN discussed at ARC Industry Forum Europe 2019

Posted 1 year ago

CLPA to show Ethernet innovation at SPS IPC Drives Italia 2019

Posted 1 year ago

CC-Link IE TSN attracts attention at Hannover Messe

Posted 1 year ago

Why is 100Mbit industrial Ethernet insufficient for Industry4.0?

Posted 1 year ago

Why open industrial networks are essential for Smart Factories

Posted 1 year ago

CC-Link IE TSN: the next-generation Ethernet-based network

Posted 2 years ago

Factory networks take a big step forward at SPS 2018

Posted 2 years ago

CC-Link IE is Mitsubishi's network of choice for Industry 4.0

Posted 2 years ago

Slip rings use CC-Link IE for gigabit data transfer

Posted 2 years ago

Coupler enables interoperability between CC-Link IE and Profinet

Posted 2 years ago

CLPA highlights growth of CC-Link IE development options

Posted 3 years ago

CLPA OPC UA companion specification for CSP+ for Machine

Posted 3 years ago

Is Gigabit Industrial Ethernet key for Industry 4.0 goals?

Posted 3 years ago

Working group: security for open industrial automation networks

Posted 3 years ago

Hilscher plans first "˜coupler' between CC-Link IE and PROFINET

Posted 3 years ago

Benefits of open gigabit Ethernet illustrated at ARC Forum

Posted 3 years ago

Integrated factory automation networks key to Industry 4.0

Posted 3 years ago

CC-Link Partner Association at SPS Italia 2017

Posted 3 years ago

Implementing Ethernet at the field device level

Posted 3 years ago

Working with multiple networks and growth in Asia

Posted 3 years ago

CLPA webinar shows benefits of open gigabit industrial Ethernet

Posted 3 years ago

Weidmüller develops CC-Link IE products to drive Industry 4.0

Posted 4 years ago

New CC-Link IE and Profinet interoperability specification

Posted 4 years ago

CLPA brings networking accessibility to SPS/IPC/Drives 2016

Posted 4 years ago

CLPA helps cable manufacture expand into Asian markets

Posted 4 years ago

Balluff I/O blocks enable quicker CC-Link IE network building

Posted 4 years ago

CC-Link IE and CC-Link adoption soars

Posted 4 years ago

Production machines and automation products for the Asian market

Posted 4 years ago

PROFINET and CC-Link IE cooperation will expand open networks

Posted 4 years ago

Twelve things you need to know about CC-Link networks

Posted 4 years ago

CLPA to show CC-Link IE and CC-Link open at SPS Italia

Posted 4 years ago

Reports of fieldbuses' usage disappearing are premature

Posted 4 years ago

OPC Foundation and CLPA sign Memorandum of Understanding

Posted 4 years ago

CC-Link Partner Association (CLPA) opens office in Mexico

Posted 4 years ago

Lapp Group grows with CC-Link IE & CC-Link

Posted 4 years ago

White paper previews CC-Link IE and PROFINET interoperability

Posted 4 years ago

CC-Link IE - the natural choice for Industry 4.0

Posted 4 years ago

SLMP for integrating FAG SmartCheck into industrial automation

Posted 5 years ago

CC-Link keeps up with demand for water in Denmark

Posted 5 years ago

CC-Link Partner Association marks its 15th anniversary

Posted 5 years ago

Major Asian and European network collaboration announcement

Posted 5 years ago

CC-Link IE and CC-Link set new record for global installed base

Posted 5 years ago

CC-Link Partner Association brings on Cisco as Board member

Posted 5 years ago

Global networking specialist acknowledges importance of CC-Link

Posted 5 years ago

Building chips for CC-Link IE is good for business at Renesas

Posted 5 years ago

SLMP for CC-Link IE: exploit open industrial Ethernet protocol

Posted 5 years ago

CC-Link IE wins IEC61158/IEC61784 certification

Posted 5 years ago

More development options for CC-Link, CC-Link IE device makers

Posted 5 years ago

One year on, the CLPA's Gateway to Asia is still wide open

Posted 5 years ago

Double link strengthens approach to Asian automation

Posted 5 years ago

The future of open automation networks - gigabit CC-Link IE

Posted 6 years ago

Molex becomes a CLPA board member

Posted 6 years ago

CC-Link opens up Asian markets for measurement specialist

Posted 6 years ago

CC-Link plans major board member announcement at SPS/IPC/Drives

Posted 6 years ago

Skydivers practise indoors with CC-Link industrial network

Posted 6 years ago

CC-Link gives Cognex a clear view of Asian opportunities

Posted 6 years ago

New CLPA Chair is world-renowned production engineer

Posted 6 years ago

CC-Link partner Festo is using nature to inspire automation

Posted 6 years ago

Conformance testing ensures clear open communications

Posted 6 years ago

Industrial Ethernet connects systems, improves energy efficiency

Posted 6 years ago

Safety networks: The route from zero accidents to zero risk

Posted 6 years ago

CLPA announces EUR10,000 support for CC-Link product developers

Posted 6 years ago

CC-Link opens actual Gateway to Asia with new Turkish branch

Posted 6 years ago

CLPA appoints first European member to Managing Board

Posted 7 years ago

Open industrial networking associations ASI and CLPA forge links

Posted 7 years ago

Industrial automation changes up a gear with CC Link

Posted 7 years ago

CC-Link seminar explores opportunities for growth in Asia

Posted 7 years ago

Berners joins CLPA to help companies export to China

Posted 7 years ago

CLPA unveils major developments at the SPS IPC Drives 2013 Fair

Posted 7 years ago

Car manufacturer sees benefits via use of CC-Link open networks

Posted 7 years ago

Multiple approvals enhance CC-Link's global acceptability

Posted 7 years ago

CC-Link membership booms as interest in open networks grows

Posted 7 years ago

Sensors and communications combine to improve production hygiene

Posted 7 years ago

CC-Link widens partner product development options

Posted 8 years ago

CC-Link highlights industry solutions with key European partners

Posted 8 years ago

CC-Link expands horizons with management board appointments

Posted 8 years ago

Learn more about CC-Link anytime, anywhere with a virtual booth

Posted 8 years ago

Indian sub-continent gets local support for CC-Link

Posted 8 years ago

CC-Link adds energy management capabilities

Posted 8 years ago

CLPA shares open networks for success at the 2012 EMS Summit

Posted 8 years ago

CC-Link helps Ford & Mazda stay flexible in China

Posted 8 years ago

Energy management and FPGA on show at SPS/IPC/Drives Fair

Posted 8 years ago

Free Gateway to China business kit on 4GB USB stick

Posted 8 years ago

Strengthening the CC-Link open network partnership

Posted 8 years ago

CC-Link sponsors major European manufacturing summit

Posted 8 years ago

Gateway to China from the CLPA for potential new markets

Posted 8 years ago

White Paper explores strategies for entering the Chinese market

Posted 8 years ago

Starter kits make CC-Link adoption a simple step

Posted 8 years ago

CC-Link IE Field Ethernet-based network gains motion control

Posted 8 years ago

CC-Link enhances productivity for flat-panel LCD plant

Posted 8 years ago

SIL 3 safety layer added to CC-Link IE Field Industrial Ethernet

Posted 8 years ago

CLPA celebrates 10th anniversary of CC-Link

Posted 9 years ago

CC-Link becomes 'The Non-Stop Open Network'

Posted 9 years ago

CLPA to promote FDT as an international standard

Posted 9 years ago

Mitsubishi opens CC-Link conformance test centre in Germany

Posted 9 years ago

Financial benefits of retrofitting open fieldbus networks

Posted 9 years ago

CC-Link to be incorporated within FDT protocol standard

Posted 9 years ago

Automation and robotics training centre features CC-Link

Posted 9 years ago

CC-link exceeds 1500 members and 8,500,000 devices

Posted 9 years ago

Open architecture control systems offer plant-wide benefits

Posted 9 years ago

CLPA-China celebrates ten years of CC-Link in China

Posted 9 years ago

Free webinar explains CC-Link 'Gateway to China' programme

Posted 9 years ago

'Gateway to China' programme to feature at SPS/IPC/Drives

Posted 9 years ago

CLPA offers three chances to win an iPad

Posted 9 years ago

'Gateway to China' movie helps companies enter Chinese market

Posted 9 years ago

CC-Link network supports automation of winemaking

Posted 9 years ago

John Browett named Acting General Manager of CLPA - Europe

Posted 9 years ago

CC-Link selected for biogas cogeneration plants

Posted 10 years ago

New Anybus-CC drive profile modules for CC-Link

Posted 10 years ago

Heavy-duty CC-Link I/O modules are sealed to IP67

Posted 10 years ago

CC-Link selected for crane upgrade project

Posted 10 years ago

CC-Link survives in harsh die casting environment

Posted 10 years ago

CC-Link helps maintain productivity and quality in pharma plant

Posted 10 years ago

CC-Link connects eleven Danish boreholes

Posted 12 years ago

CC-Link network expands to encompass entire factory

Posted 12 years ago

CC-Link connects conveyor inverters to PLC network

Posted 12 years ago

CC-Link helps to ensure reliability of pumping station

Posted 12 years ago

A guide to the CC-Link industrial fieldbus network

Posted 12 years ago

Integrator GB Innomech uses CC-Link for building control

Posted 12 years ago

CLPA offers assistance to UK OEMs selling into Asia

Posted 12 years ago

New version of CC-Link based on Industrial Ethernet

Posted 12 years ago

Using fieldbuses with multi-vendor automation systems

Posted 12 years ago

European applications for the CC-Link industrial fieldbus

Posted 13 years ago

New CLPA office supports use of CC-Link in Turkey

Posted 13 years ago

CC-Link adopted by Polish universities

Posted 13 years ago

CLPA to show CC-Link IE at SPS/IPC/Drives show

Posted 13 years ago

CC-Link partners launch new safety fieldbus, CC-Link Safety

Posted 13 years ago

CLPA sponsors European Manufacturing Strategies Summit

Posted 13 years ago

More technical articles
2 days ago
Boxing clever
A new chainflex cable box means big shipping cost savings for customers
2 days ago
New industrial vision online channel sees the light of day
Industrial vision provider IDS is making its expertise as a manufacturer of digital industrial cameras available free of charge and readily accessible on a new platform
2 days ago
Ball screws help protect buildings from earthquakes
Ball screws from NSK are helping to protect structures and people in earthquake zones
2 days ago
ATEX certification for new pneumatic valve island
Pneumatic process control offers numerous benefits, especially in hygienic applications. Bürkert says that its new Type 8652 AirLINE valve island provides users with improved safety features, communications and diagnostics
2 days ago
ABB launches condition-based maintenance service for robots
New service enables users to plan ahead and optimise production performance
2 days ago
What the UK-EU trade deal means for UK vehicle manufacturers
Now the UK has left the EU, the transition period has ended and the two parties have established a new trading relationship, UK-based vehicle manufacturers have some clarity over what they need to do to serve three key markets: Great Britain (England, Scotland and Wales), the EU and Northern Ireland
2 days ago
Farnell publishes Industry 4.0 ebook
New ‘Industry 4.0 Interviews’ ebook is available for free download from Farnell and showcases the opinions of leading global experts on the future of IIoT and Industry 4.0
2 days ago
Can DC motors be used at high temperatures?
There is no need for a heated discussion about it as maxon’s motor expert Andrew Gibson offers a view on the subject
3 days ago
Switching up a gear
Phoenix Contact is expanding its line of unmanaged switches
3 days ago
New Intertronics metering, mixing and dispensing system
Adhesives supplier Intertronics has introduced a new 2-K-DOS metering, mixing and dispensing system, said to be a compact, benchtop unit suitable for materials including silicones, polyurethanes and epoxies