To keep hackers from wreaking havoc in industrial networks, modern controllers employ measures that go far beyond ordinary firewalls.
Laura Dickinson | Wago Corp.
A few years ago, viewers of a TV series called Mr. Robot watched the main character try to destroy mag tape backups held at a data facility that was portrayed as both well-fortified and remote. The idea was to raise the temperature of the storage room enough to melt the tapes. The plan called for connecting an ordinary Raspberry Pi computer board to the climate control system so it could override the commands coming from the building automation controller.
With the Raspberry Pi installed, the main character (Elliot Alderson) could reach the HVAC system from an ordinary laptop with an internet connection using a real-life website called Shodan (www.shodan.io), a search engine that lets users find not just HVAC systems but also routers, servers, and other equipment connected to the internet. Shodan finds these devices by crawling the internet looking for IP addresses with open ports and recording the service banners they return. It can find computer-controlled HVAC systems if they have been given an internet-reachable address, for instance through a company web server that faces the internet. (By the same token, Shodan will not see HVAC systems that operate on their own closed networks.)
The Mr. Robot hack worked without a hitch. In fact, it came off so flawlessly that viewers probably wondered about the cybersecurity of real industrial networks. Can hackers or technical glitches compromise servers this easily? Part of the problem is that the widely used fieldbus protocols were developed long before the advent of the internet, with no thought given to security. Those systems were designed for ease of use and operational reliability, not for authentication or encryption, which often left access points open to external attackers.
But that doesn’t mean modern industrial networks can’t be made far more resistant to attack. To get an idea of what’s possible, consider the security measures implemented in Wago’s PFC family of controllers. The techniques the PFC100 and PFC200 controllers employ can serve as examples of the safeguards modern industrial networks can use.
“Our devices have security measures built-in that are unlike those of other products on the market,” Charlie Norz, Wago Automation Product Manager said. “We have a built-in firewall to separate networks; in addition we also have built-in VPNs that support two different types of VPN technologies that users can add to their controllers to enhance security. When sending information to a cloud, for example, we also have a TLS 1.2 security that can transfer data via HTTP. So we add a lot of features right within the controller so that users don’t have to add additional components in their network.”
A few basic security terms are worth explaining. TLS, for “Transport Layer Security,” is the protocol that lets digital devices (such as computers and phones) communicate over the internet with the traffic encrypted and the far end authenticated, so an eavesdropper on the path sees only ciphertext. Since mid-2018 the PCI DSS rules for websites that process credit card payments have required them to drop SSL and early TLS, which in practice means TLS 1.2 (or the newer TLS 1.3).
A firewall, whether software on the host or a separate network device, inspects each individual “packet” of data inbound to or outbound from a computer and decides, based on configured rules about addresses, ports, protocols and connection state, whether it should be allowed to pass or be blocked. Host firewalls can also control which system functions and processes have access to networking resources, using various types of signatures and host conditions to allow or deny traffic.
A VPN (virtual private network) carries traffic between two points across a public network inside an encrypted tunnel. The VPN client software encrypts the data before it leaves the device, so the Internet Service Provider and anyone else on the path see only encrypted packets addressed to the VPN server. The server decrypts the traffic and forwards it to its destination, which sees the VPN server, not the originating device, as the source. Consumer VPN services use this to hide a user’s browsing; for a PLC the same mechanism means an observer on the network learns only that the controller is talking to the VPN endpoint, not what data is being transferred, and even a captured packet yields ciphertext rather than raw process data.
VPN protocols define how the tunnel is negotiated and how data is carried over it. One of the most common is OpenVPN. It builds its control channel on TLS (the successor to SSL, the secure sockets layer technology originally used to encrypt the link between a web server and a browser) and is an open-source project maintained by many developers. It authenticates the two endpoints with certificates (or a pre-shared key) and derives session keys that are known only to the two parties at either end of the tunnel.
Getting back to the Mr. Robot hack, keeping the HVAC controller off the public internet behind a firewall and reachable only through a VPN would probably have been enough to thwart Elliot Alderson; a Raspberry Pi implanted behind the firewall is far less useful if it cannot reach the outside. But VPNs and firewalls are only the beginning of the security measures modern industrial networks can implement.
Standard security measures, such as firewalls, password protection and individual user rights, protect the data within each location from unauthorized access. Wago’s PFC100 and PFC200 controllers encrypt their connections with onboard TLS 1.2, including the connections that carry data to the cloud.
A virtual private network extends a private network across a public network and lets users send and receive data across shared or public networks as if their devices were directly connected to the private network. The Wago PFC controllers support the two common protocols used to set up VPN connections, OpenVPN and IPsec. (IPsec, for IP security, is a suite of protocols that ensures the integrity, confidentiality and authentication of data communications over an IP network.) The result is secure communication over an insecure network.
The OpenVPN client runs directly on the PFC100 and PFC200 controllers, so the PLC’s traffic is encrypted on the controller itself before it reaches the network. Whatever protocol the application uses, MQTT among others, travels inside the encrypted VPN connection.
MQTT (MQ Telemetry Transport) is a simple publish/subscribe messaging protocol designed for constrained devices and low-bandwidth, high-latency or unreliable networks. Its design principles are to minimize network bandwidth and device resource requirements while still providing reliability and some degree of assurance of delivery. That makes it useful for Internet of Things devices and for mobile applications where bandwidth and battery power are at a premium. MQTT itself provides no encryption; confidentiality and broker authentication come from running it over TLS, conventionally on port 8883.
To ensure information security and integrity during web access and data transfers, the TLS 1.2 protocol is used as the standard for establishing secure HTTPS and FTPS connections, and the SSH protocol is integrated as standard for secure shell and SFTP connections.
“TLS Security is used for transporting HTTP and is an industry standard for communication,” Norz said. “It is important when connecting data from a plant floor to the cloud. With our controllers we have the ability to publish and subscribe to MQTT brokers, which is becoming an industry standard for cloud technology and even more recently we have Sparkplug, which is also MQTT-based and through both of those protocols we are able to enable TLS security. If you are sending data, the data is encrypted so no one can read the data even if they capture the communications.”
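As an added example (not Wago’s firmware or code from this article), the following Python builds the client-side TLS settings a PLC or gateway would use to publish to an MQTT broker, then audits them: a hardened context that pins TLS 1.2 as the minimum, verifies the broker certificate and checks the hostname, beside the insecure shape that often appears in quick-start scripts. The broker name, CA file path and the paho-mqtt usage in the trailing comment are assumptions; the paho `tls_set_context()` call is a real API, but this script itself does not connect anywhere.

```python
import ssl
from typing import List, Optional

# Hypothetical names used only for illustration (assumptions, not Wago defaults).
BROKER_HOST = "mqtt.example.com"   # assumption: the cloud broker the PLC publishes to
MQTT_TLS_PORT = 8883               # conventional MQTT-over-TLS port


def hardened_mqtt_tls_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and insists on a
    verified broker certificate whose name matches the host we dialled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # sets CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # TLS 1.0/1.1 are rejected at handshake
    ctx.options |= ssl.OP_NO_COMPRESSION            # compression leaks plaintext length
    if cafile:
        ctx.load_verify_locations(cafile=cafile)    # private PKI: trust only the plant CA
    else:
        ctx.load_default_certs()                    # otherwise the OS public CA bundle
    return ctx


def insecure_mqtt_tls_context() -> ssl.SSLContext:
    """The 'it works now' shape seen in quick-start scripts: the link is
    encrypted, but any certificate, including an attacker's, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # disables certificate verification entirely
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return policy findings for a context; an empty list means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("broker certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate name is not checked against the broker host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS below 1.2 would be accepted (minimum_version too low)")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_mqtt_tls_context()),
                      ("insecure", insecure_mqtt_tls_context())):
        print(name, audit_tls_context(ctx) or "OK")
    # With paho-mqtt (assumed installed) the hardened context is attached like this:
    #   client = paho.mqtt.client.Client()
    #   client.tls_set_context(hardened_mqtt_tls_context("/etc/ssl/plant-ca.pem"))
    #   client.connect(BROKER_HOST, MQTT_TLS_PORT)
```

The same two knobs matter for the OpenVPN tunnel discussed earlier: OpenVPN’s `tls-version-min 1.2` directive plays the role of `minimum_version`, and `remote-cert-tls server` plays the role of certificate verification, so a client that omits them accepts exactly the weaknesses the audit above flags.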
With a standard integrated firewall, Wago’s PFC100 and PFC200 controllers protect against unwanted network traffic. Encryption and firewall protection are available out of the box, without adding external encryption components or external firewalls, although a controller’s own firewall complements rather than replaces segmentation of the plant network itself.
Linux is the foundation for these mechanisms: because the Wago controllers run a Linux system, the firewall, VPN, TLS and SSH functions come from the standard Linux networking and cryptography stack rather than from add-on components. The controllers also support logical network segmentation via VLANs, so the application level and the management level can be kept safely apart.
A virtual LAN (VLAN) is a partition of a computer network that is isolated at the data link layer (OSI layer 2). VLANs work by tagging network frames and using the tags so that traffic sharing one physical network behaves as if it were split across separate networks. In this way, VLANs can keep network applications apart despite being connected to the same physical network, and they address issues such as scalability, security and network management. Routers or firewalls between VLANs filter broadcast traffic, enforce access control between segments, perform address summarization and mitigate network congestion. A VLAN tag by itself enforces nothing, so the device that routes between VLANs is where the access policy must live, and switch ports facing untrusted devices should not be allowed to carry arbitrary tags.
“It is recommended by a number of industry organizations and security experts to separate networks in the event of a cyber hack,” Norz said. “If your network is separated within your facility the intruder will only have a certain access to part of the facility instead of the whole operation. So following good security standards, VLAN is just one of the many ways to engineer a defense in depth strategy.”
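To make the segmentation point concrete, here is an added example (not Wago’s firmware or code from this article) of the kind of default-deny inbound policy a Linux-based controller’s firewall can enforce: engineering protocols (SSH, HTTPS) only from the management VLAN, Modbus/TCP only from the OT VLAN, and everything else dropped, with a renderer that prints the equivalent `iptables` commands. The VLAN subnets, the OpenVPN listener on UDP 1194 and the port assignments are assumptions for illustration; the evaluator runs offline against constructed packets.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "ACCEPT" or "DROP"
    proto: str                   # "tcp" or "udp"
    dport: int
    src: Optional[str] = None    # CIDR the packet must come from; None = any source


# Assumed addressing plan (illustration only): application/OT VLAN and management VLAN.
OT_VLAN = "10.10.10.0/24"
MGMT_VLAN = "10.10.20.0/24"
DEFAULT_POLICY = "DROP"

# Inbound policy for the controller. First match wins; no match falls to the default.
PLC_RULES = [
    Rule("ACCEPT", "tcp", 22,   MGMT_VLAN),  # SSH / SFTP engineering access
    Rule("ACCEPT", "tcp", 443,  MGMT_VLAN),  # HTTPS web-based management
    Rule("ACCEPT", "tcp", 502,  OT_VLAN),    # Modbus/TCP from I/O and HMI peers only
    Rule("ACCEPT", "udp", 1194, None),       # OpenVPN listener for remote maintenance (assumption)
    Rule("DROP",   "tcp", 502,  None),       # explicit so stray Modbus shows up in rule counters
]


def matches(rule: Rule, src_ip: str, proto: str, dport: int) -> bool:
    if rule.proto != proto or rule.dport != dport:
        return False
    if rule.src is None:
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src, strict=False)


def evaluate(rules: List[Rule], src_ip: str, proto: str, dport: int) -> str:
    """Decide ACCEPT/DROP for one inbound packet the way a first-match chain does."""
    for rule in rules:
        if matches(rule, src_ip, proto, dport):
            return rule.action
    return DEFAULT_POLICY


def to_iptables(rules: List[Rule]) -> List[str]:
    """Render the same policy as the iptables commands a Linux controller would run."""
    lines = [f"iptables -P INPUT {DEFAULT_POLICY}",
             "iptables -A INPUT -i lo -j ACCEPT",
             "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for r in rules:
        src = f" -s {r.src}" if r.src else ""
        lines.append(f"iptables -A INPUT{src} -p {r.proto} --dport {r.dport} -j {r.action}")
    return lines


# Constructed sample packets (src, proto, dport) with the decision the policy should give.
SAMPLE_PACKETS = [
    ("10.10.20.5",  "tcp", 22,   "ACCEPT"),  # engineer on the management VLAN
    ("10.10.10.7",  "tcp", 502,  "ACCEPT"),  # HMI on the OT VLAN polling Modbus
    ("10.10.10.7",  "tcp", 22,   "DROP"),    # SSH attempt from the OT VLAN
    ("203.0.113.9", "tcp", 502,  "DROP"),    # Modbus from the internet: the Mr. Robot scenario
    ("203.0.113.9", "udp", 1194, "ACCEPT"),  # the VPN handshake is all the internet may reach
    ("10.10.20.5",  "tcp", 8080, "DROP"),    # unlisted port, even from management, hits the default
]


def check_samples() -> bool:
    """True if every constructed packet gets the decision annotated beside it."""
    return all(evaluate(PLC_RULES, s, p, d) == want for s, p, d, want in SAMPLE_PACKETS)


if __name__ == "__main__":
    for src, proto, dport, want in SAMPLE_PACKETS:
        got = evaluate(PLC_RULES, src, proto, dport)
        print(f"{src:>12} {proto}/{dport:<5} -> {got} (expected {want})")
    print("\n".join(to_iptables(PLC_RULES)))
```

The evaluator is stateless, so the loopback and conntrack lines in the rendered ruleset are there for the real firewall and are not modelled by `evaluate()`; the point of the rendering is to show that the VLAN-based policy lives entirely in the rules of the device that joins the segments, which is why an attacker who lands on the OT VLAN still cannot reach the controller’s SSH port.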
The traditional automation pyramid built on conventional central controllers is gradually giving way to new information and communication technologies such as cloud services, OPC UA (Open Platform Communications Unified Architecture) combined with TSN (time-sensitive networking), and more flexible automation architectures. Wago’s cloud connectivity solutions are designed to provide a secure path to the cloud.
Because the digital landscape changes quickly, solutions need to keep pace with a company over the long term. Users of Wago PLC controllers have the option of later upgrading them to meet the requirements of the German Federal Association of Energy and Water Industries (BDEW) white paper and the Federal Office for Information Security (BSI) catalog if need be.
“People need cyber security because more companies are going through a digital transformation where they want to get more plant floor data into a cloud,” Norz said. “So when you are moving information over the internet then obviously your system is open to the internet which is an entry for hackers to compromise your system.”
In that regard, there’s a good chance any one of the security measures Norz mentions would have rendered the schemes of the Mr. Robot hackers moot. But that, of course, would have made for much less exciting TV. DW