Securing automation systems: a step-by-step approach

The big problem when it comes to security for automation systems: there are no simple solutions. This makes it all the more helpful when communication technology experts from organisations like PROFIBUS & PROFINET International (PI) give users a hand by providing guidelines. PI also offers specific tests for testing and improving the robustness of devices to withstand denial-of-service attacks, for example.

A system is only safe if the threats are known. Typical security threats in production include infection by malware, unauthorised use (both intentional and unintentional), manipulation of data, espionage and related know-how loss, and denial of service. The consequences can be loss of production, reduced product quality, and endangerment of humans and machines.

In order to evaluate threats, the properties and possible weak points of devices and systems must be known. After all, a property that is useful from the automation perspective - for example, the ability for a programming device to access a controller without authentication - is seen as a possible weak point from the security perspective. It is necessary to distinguish these weak points in order to assess risks, develop security solutions, and take appropriate measures:

  • Weak points that arise due to incorrect implementation (for example, faulty device behaviour).
  • Conceptually planned and accepted properties. These include all features that can also be exploited for attack purposes. An example here would be an integrated web server in an automation device.
  • Weak points that are caused by organisational measures or lack thereof.

Field devices not only contain communication technologies for transmission of process signals (real-time communication) but also standard IT technologies, such as FTP services. In addition, field devices also operate as network infrastructure components (switches) and therefore have services and protocols that are needed for network management and diagnostic purposes. The fact of the matter is that most communication protocols at the field level have no integrated security mechanisms. Devices and data are not authenticated and, consequently, within the scope of a possible attack, systems at the field level can be expanded at will and communications can be imported. Even the transferring of PLC programs often takes place without use of security measures such as user authentication and integrity protection.

There is no panacea

Ideally, users would like to have a tool, certification, or system that promises them long-term security. The difficulty, however, is that such approaches do not provide lasting security. In order to develop secure systems, users must not only implement technical measures but also conceptual and organisational measures. And everyone will know from their own experience that processes can be implemented in technologies much faster than in the minds of people.

However, conceptual and organisational weak points can be more easily overcome when they are described in guideline documents. For example, PI developed a Security Guideline for PROFINET in 2006 and published a completely revised version of this guideline at the end of 2013. This guideline specifies ideas and concepts on how security systems can be implemented and which security options should be implemented. The subject of risk analysis is covered, for example. This analysis estimates the probability of a damage event and its possible consequences, based on protection goals, weak points, and possible threats. Only on the basis of an analysis of this type can appropriate security measures be derived that are also economically feasible. A series of proven best practices are also given, such as the cell protection concept.

Making devices more secure

Another measure concerns the device security. After all, robust devices are the basis for stable processes and systems. They are a basic prerequisite for security in automation. Weak points due to incorrect implementation can be eliminated only through appropriate quality assurance measures and certifications. In large networks, system availability matters the most. To achieve this, devices must respond reliably to various network load scenarios. In systems with many devices, an unintended elevated broadcast load can occur on the network during commissioning, for example, when the master attempts repeatedly to access all devices even though only a few devices are connected. The available devices must be able to handle this abnormal load. It is difficult for operators to predict such scenarios since the probability of a high data volume is dependent on the system. The reason is that the data traffic is determined by cyclic and acyclic data exchange as well as the event-driven data volume.

With the help of the Security Level 1 Tester developed by PI for certification of PROFINET devices and free of charge to member companies, such network load scenarios up to and including denial of service can be simulated already in advance. The field devices are tested under stress conditions to simulate an unpredictable load and, thus, to reduce device failures. Uniform test specifications have been defined for this, which can be systematically applied by the test tool. In addition, various network load-related scenarios have been developed that take into account various frame types and sizes as well as the repetition period and number of frames per unit of time, among other things. The network load-related test is already being required by various end users such as the automotive industry. This test is already integrated in the device certification testing according to the latest PROFINET 2.3 specification and must therefore be passed in order for a device to be certified. Users that purchase such a certified device can rely on having a correspondingly robust device.

By no means are all problems solved

Only those who know their devices can protect them. Still, not all manufacturers provide comprehensive information about the utilised protocols and services and communication properties of their devices. Another problem: in spite of security, users must still be able to handle and operate systems. No maintenance technician wants to be looking for a certification key for a failed device at 2 AM in order to bring a system back online. Future-oriented concepts therefore master the tightrope walk between usability and security.

PI has been dealing with the issue of security for years. For example, one PI Working Group is concentrating continuously on security concepts. A product of this is the PROFINET Security Guideline, which can also be downloaded free of charge by non-members. Moreover, further development of the Security Level 1 Tester is being advanced here. In so doing, it is important to all participants that the described and recommended procedures are sustainable and practicable and ultimately also accepted by users. Only in this way can protection concepts be successful.

To learn more security for automation systems and PROFIBUS & PROFINET International (PI) please visit www.profibus.com.

The Profibus Group

Suite 183
19 Lever Street
Manchester
M1 1AN
UNITED KINGDOM

+44 (0)208 144 9597

uk@profibus.com

www.profibusgroup.com

More from The Profibus Group

Why use a fieldbus? New video explains key benefits

Posted 1 week ago

New video: cables in PROFINET networks

Posted 3 weeks ago

PROFINET Webinar December 16th 1800

Posted 1 month ago

Additional measures for PROFINET security

Posted 2 months ago

omlox initiative wins Hanover Fair 2020 Award

Posted 4 months ago

New Profibus competency centre confirmed

Posted 4 months ago

New Video: PROFIBUS vs. PROFINET comparison

Posted 5 months ago

Free webinar: Lightning Surge Protection on Profibus Networks

Posted 7 months ago

Free webinar: Profibus to Profinet gateways

Posted 7 months ago

Online conference and exhibition explores IoT and Industry 4.0

Posted 8 months ago

APL used successfully in test setup at BASF

Posted 8 months ago

OPC UA-PN Companion Specification Version 1.0 announced

Posted 8 months ago

Profinet and IO-Link node count still rising

Posted 8 months ago

PIUK announces more Profinet and Profibus webinars

Posted 8 months ago

New date for Profinet, Profibus and IO-Link Birmingham seminar

Posted 8 months ago

PI UK webinar explores EMC for industrial automation systems

Posted 8 months ago

New date for Profinet, Profibus and IO-Link Scotland seminar

Posted 8 months ago

Automation and Robotics Online Conference scheduled for 2 June

Posted 8 months ago

Profinet, Profibus and IO-Link Birmingham seminar postponed

Posted 9 months ago

Belfast Profinet, Profibus and IO-Link seminar rescheduled

Posted 10 months ago

PI UK events and precautions for Covid-19

Posted 10 months ago

Profinet and OPC UA used by Audi for predictive maintenance

Posted 10 months ago

Profinet, Profibus and IO-Link - Scotland seminar

Posted 11 months ago

IODDfinder automates IO-Link description files

Posted 11 months ago

Profinet protocol gains further security measures

Posted 1 year ago

Progress on Profinet-over-TSN specification

Posted 1 year ago

OPC UA Safety: technical work now finished

Posted 1 year ago

Free seminar: Practical aspects of Profinet, Profibus, IO-Link

Posted 1 year ago

New book: Profinet in Practice

Posted 1 year ago

PI UK to participate in Smart Industry Conference 2019

Posted 1 year ago

PI UK to participate in Connected Manufacturing 2019

Posted 1 year ago

Specification of Profinet with TSN is now complete

Posted 1 year ago

Profinet, Profibus and IO-Link seminar review

Posted 1 year ago

Table-top exhibition at Profibus, Profinet and IO-Link seminar

Posted 1 year ago

Profinet and Profibus node count tops 87 million in 2018

Posted 1 year ago

Agenda published for Profinet, Profibus and IO-Link seminar

Posted 1 year ago

Free seminar: Practical Aspects of Profinet, Profibus, IO-Link

Posted 1 year ago

Cyber security: secure architecture challenges for real business

Posted 1 year ago

Safety & Security - not so different from one another

Posted 1 year ago

UK's PICC to present Professional Design and Practice projects

Posted 1 year ago

PI UK to support The Smart Industry series of Conferences

Posted 1 year ago

IO-Link as the key to implementing Industry 4.0

Posted 2 years ago

Implementing Industry 4.0 using Profinet and OPC UA

Posted 2 years ago

Live demo shows how easily TSN can be integrated in Profinet

Posted 2 years ago

The smart way to Industry 4.0 with Profinet-based technologies

Posted 2 years ago

PI to present Industry 4.0 Demonstrator at SPS IPC Drives 2018

Posted 2 years ago

Free-to-attend PROFIBUS, PROFINET and IO-Link seminar

Posted 2 years ago

Agenda announced for Profibus, Profinet and IO-Link seminar

Posted 2 years ago

New PROFIdrive profile tester and Encoder profile

Posted 2 years ago

Understanding and Applying Profibus, Profinet and IO-Link

Posted 2 years ago

Update on an advanced physical layer for industrial Ethernet

Posted 2 years ago

Learning how to use IO-Link Wireless

Posted 2 years ago

PA Profile V4.0 enables use of Profinet in process automation

Posted 2 years ago

Profinet exhibits first integration of TSN

Posted 2 years ago

Continued growth in Profibus, Profinet, PROFIsafe and IO-Link

Posted 2 years ago

Development of functionally safe communication between machines

Posted 2 years ago

IO-Link Wireless specification completed

Posted 2 years ago

PI UK to present and exhibit at Connected Manufacturing 2018

Posted 2 years ago

Free-to-attend Profibus, Profinet and IO-Link seminar

Posted 2 years ago

Updated agenda: PROFIBUS, PROFINET and IO-Link Glasgow seminar

Posted 2 years ago

Profibus, Profinet and IO-Link seminar comes to Glasgow

Posted 2 years ago

Watch new video on PROFINET and Time Sensitive Networking

Posted 3 years ago

Update on an advanced physical layer for industrial Ethernet

Posted 3 years ago

PI UK to support Connected Manufacturing at Advanced Engineering

Posted 3 years ago

PROFINET test system - quality is the goal

Posted 3 years ago

IO-Link Safety specification ready for implementation

Posted 3 years ago

PI releases new PA Profile - now also available for PROFINET

Posted 3 years ago

PI releases PROFIBUS, PROFINET and IO-Link node count numbers

Posted 3 years ago

Free training on PROFIBUS, PROFINET, IO-Link and IIoT

Posted 3 years ago

Symposium on the topic of Ethernet in process automation

Posted 4 years ago

FDI (Field Device Integration) technology: now ready to use!

Posted 4 years ago

Certified training in PROFINET and OPC UA

Posted 4 years ago

IO-Link's success in the field continues unabated...

Posted 4 years ago

Free Profinet technology workshop for developers

Posted 4 years ago

Profibus and Profinet in process training seminar

Posted 4 years ago

Free-to-attend Process Networking Seminar - Manchester, June 29

Posted 4 years ago

Ensuring drive and motion control applications interoperability

Posted 4 years ago

PROFIsafe: national safety standard for industry in China

Posted 4 years ago

Practical aspects of PROFIBUS, PROFINET, IO-Link: free seminar

Posted 5 years ago

Merging Profibus PA and Profinet: a future-proof building block

Posted 5 years ago

New white paper: Profinet as a platform for process automation

Posted 5 years ago

PI technologies enable innovation for Industry 4.0

Posted 5 years ago

Higher performance for the process industry with PROFINET

Posted 5 years ago

The Profibus and Profinet User Conference, June 2015

Posted 5 years ago

PROFIBUS & PROFINET International announces market results

Posted 5 years ago

Strong growth for PROFINET and PROFIsafe

Posted 6 years ago

Free seminars: digital communications in automation

Posted 6 years ago

PROFINEWS now available on mobile devices

Posted 7 years ago

Free tickets to Profibus Group's 20th Anniversary Conference

Posted 7 years ago

PROFINET helps GE make appliance manufacturing leaner

Posted 7 years ago

Multi-vendor workshops to be hosted at Profibus Conference

Posted 7 years ago

Profibus conference programme to address key industry issues

Posted 7 years ago

PROFINET - A strong driver

Posted 8 years ago

Faster cycle time for PROFINET

Posted 8 years ago

Profisafe celebrates ten years of safety on a common cable

Posted 8 years ago

An introduction to PROFIenergy, an update and a White Paper

Posted 10 years ago

Attend the Profibus & Profinet User Conference for £50

Posted 10 years ago

Profinet, Profibus and Profisafe performance in 2009

Posted 10 years ago

Profibus and Profinet training courses for 2010

Posted 10 years ago

User Conference: Profibus, Profinet, ProfiEnergy and ProfiSafe

Posted 10 years ago

See Profibus and AS-i equipment networked in real time

Posted 11 years ago

Beginners' guide to Profibus and Profinet

Posted 11 years ago

See the latest developments in Profibus and Profinet

Posted 11 years ago

Fieldbus market research to be presented at conference

Posted 11 years ago

Find out about fieldbus systems at user conference

Posted 11 years ago

New book provides an introduction to Profibus

Posted 11 years ago

2009 Profibus and Profinet User Conference

Posted 11 years ago

Wireless Profibus and Profinet for factory automation

Posted 11 years ago

Substantial growth in number of installed Profibus nodes

Posted 11 years ago

Software distributes device descriptions based on EDDL

Posted 11 years ago

Profinet to support energy-efficient production

Posted 11 years ago

Free entry to Profibus and Profinet User Conference

Posted 11 years ago

New version of PROFIsafe starter kit

Posted 12 years ago

2009 Profibus and Profinet conference - Excellence in Automation

Posted 12 years ago

Training course: networked automation and control systems

Posted 12 years ago

FDI team develops draft architecture concept

Posted 12 years ago

Quality assurance for PROFIsafe products and systems

Posted 12 years ago

Call for papers for 2009 Profibus/Profinet conference

Posted 12 years ago

Over 25million Profibus nodes installed worldwide

Posted 12 years ago

Profibus Group reports on successful user conference 2008

Posted 12 years ago

An introduction to IO-Link for sensors and actuators

Posted 12 years ago

Learn about Profibus DP and PA system design and layout

Posted 12 years ago

Profibus and Profinet User Conference 2008

Posted 12 years ago

First Profinet training course successfully completed

Posted 12 years ago

AS-i training course includes integration with other networks

Posted 12 years ago

Learn about the latest in Profibus, Profinet and Profisafe

Posted 12 years ago

I/O-Link integration in Profibus and Profinet

Posted 12 years ago

Profibus claims global lead in fieldbus market

Posted 12 years ago

PROFIenergy at the Profibus and Profinet User Conference

Posted 12 years ago

An opportunity for hands-on experience with Profibus/Profinet

Posted 12 years ago

Profibus and Profinet User Conference, 29-30 June 2010

Posted 12 years ago

Certified Profinet Engineer course offered in the UK

Posted 12 years ago

A guide to Profibus and Profinet industrial fieldbus networks

Posted 12 years ago

Profibus User Conference 2008 - schedule published

Posted 12 years ago

IEC 61800-7 standard defines PROFIdrive profile

Posted 12 years ago

Profinet offers greater potential for industrial automation

Posted 13 years ago

Draft specification for integration of Hart into Profinet

Posted 13 years ago

Profibus Group reports on successful user conference 2007

Posted 13 years ago

PROFIBUS projects at User Group conference

Posted 13 years ago

A chance for hands-on training in Profibus and Profinet

Posted 13 years ago

How Profinet can provide data for MES and ERP systems

Posted 13 years ago

Baggage handling system uses redundant Profibus DP

Posted 14 years ago

2009 Profibus and Profinet User Conference papers

Posted 14 years ago

Profibus/Profinet TCI specification completed

Posted 14 years ago

Certification of Profinet IO devices is now available

Posted 14 years ago

Free booklet covers Industrial Ethernet and Profinet

Posted 14 years ago

Functional Safety and IT Security for automated manufacturing

Posted 14 years ago

Find out about fieldbus for the UK water industry

Posted 14 years ago

CSi uses Profibus to speed construction of modular palletisers

Posted 14 years ago

More technical articles
1 hour ago
Crosser and Advantech announce alliance
New partnership aims to simplify Edge Analytics for Industrial IoT
1 day ago
New bifold constant torque hinge improves user experience
Southco has expanded its popular range of position control hinges with a new version that has been specifically designed for fold-out tables in passenger transit interior applications
1 day ago
New FDA compliant cable entry plates
Foremost Electronics has introduced new KEL-DPZ-HD FDA compliant cable entry plates from icotek, specially developed for the use in the food and pharmaceutical industries
4 days ago
Boxing clever
A new chainflex cable box means big shipping cost savings for customers
5 days ago
New industrial vision online channel sees the light of day
Industrial vision provider IDS is making its expertise as a manufacturer of digital industrial cameras available free of charge and readily accessible on a new platform
5 days ago
Ball screws help protect buildings from earthquakes
Ball screws from NSK are helping to protect structures and people in earthquake zones
5 days ago
ATEX certification for new pneumatic valve island
Pneumatic process control offers numerous benefits, especially in hygienic applications. Bürkert says that its new Type 8652 AirLINE valve island provides users with improved safety features, communications and diagnostics
5 days ago
ABB launches condition-based maintenance service for robots
New service enables users to plan ahead and optimise production performance
5 days ago
What the UK-EU trade deal means for UK vehicle manufacturers
Now the UK has left the EU, the transition period has ended and the two parties have established a new trading relationship, UK-based vehicle manufacturers have some clarity over what they need to do to serve three key markets: Great Britain (England, Scotland and Wales), the EU and Northern Ireland
5 days ago
Farnell publishes Industry 4.0 ebook
New ‘Industry 4.0 Interviews’ ebook is available for free download from Farnell and showcases the opinions of leading global experts on the future of IIoT and Industry 4.0