Edited by Michael Jermann, Assistant Editor
Ethernet-based production systems are becoming increasingly well-established. Easy integration into Intranet and Internet, the high bandwidth of up to Gigabits per second, and decreasing costs of industrially specified cables, connectors, switches, and routers are the reasons behind this development. The other side of the coin, though, is an increased risk of malfunctions and production interruptions due to security loopholes in industrial networks.
For this reason, Volkswagen AG conducted an internal risk analysis at its car body production plant in Emden, Germany. The audit scrutinized the security of multiple systems, including their control technology. The result: sensitive production systems were insufficiently protected against unauthorized access because attacks can be triggered by malware, inadvertent access or unintentional mis-entries during internal network operations. In addition, preventing these issues through centralized firewalls is complex and not cost-effective.
For example, employees of third-party companies who access the network using their laptops during service operations or for hardware and software installations can unintentionally spread malware that are deemed a potential risk. The analysis also identified unintentional mis-entries as problematic weaknesses. Jens Hoofdmann, bodywork maintenance specialist, cited one problematic issue arising from the analysis: “A typical example is the installation of a server which subsequently sends ping packets to the entire network at short intervals. Such permanent requests can disrupt or even crash an industrial controller.”
An action item matrix was developed based on the risk assessment, encompassing organizational changes, network segmentation and the introduction of distributed industrial firewalls. When it came to selecting suitable hardening and security measures, Volkswagen AG‘s Emden plant opted for industrial routers with an integrated firewall. The distributed industrial firewall/router solution segments the production network in the car body construction plant at Emden into 15 isolated subnetworks. For central protection featuring comparable granularity, all systems and sub-networks would need star layout network cabling with a high-capacity firewall in a complex configuration. Given the typical distances between network nodes at industrial plants, this proves particularly expensive and inefficient which is why these environments are virtually dominated by tree-shaped and linear cable topologies and therefore better suited to a distributed firewall approach.
The central IT department was also involved in the preliminary discussions regarding implementing the new structure, the technical evaluation and start-up monitoring. The production-related IT department ultimately assumed responsibility for addressing the planning, installation, commissioning and administration tasks.
The system network had already been successfully planned and put into operation in conjunction with Phoenix Contact, an automation company based in Blomberg, Germany. The experience gained from the project and the knowledge acquired of the systems also proved beneficial during the network protection operations. The company used FL mGuard industrial firewall/router modules from Phoenix Contact and Innominate.
The mGuard modules are based on an embedded Linux and integrate four coordinated security components: a bidirectional stateful inspection firewall, a flexible NAT router, a secure VPN gateway, and protection against malware as an option.
The fact that the mGuard security appliance is self-sufficient and can be integrated into existing production networks without reconfiguring end devices using its stealth mode of operation proved to be advantageous. In networking terms, this means the firewall behaves transparently as a bridge.
From Jens Hoofdmann‘s perspective, installing, setting up and integrating the industrial firewalls was easy. The devices were used in a distributed manner in control cabinets for every uplink connection. In hardware terms, Volkswagen AG was able to mount the 24-V DIN rail devices directly into the control cabinets and allow its own staff members to start them up based on the existing network structure and without any re-cabling operations.
A very pragmatic approach was adopted towards setting up the firewall rules. In the first instance, all data traffic was permitted and access to the subnetworks was only logged. The log files were subsequently evaluated and recorded in the form of rules governing which type of access should be permitted in the future. The rules were tested, revised and finally defined in their present form.
During this phase, the company relied on the experience of Innominate, a fully owned Phoenix Contact subsidiary. Jens Hoofdmann stated: “We benefited from Innominate‘s expertise in industrial networks, protocols, and firewall rules and were able to optimize the structure of the installations.”
The mGuard Device Manager (MDM) central management system features a template mechanism facilitating central configuration and management of all mGuard devices. The parameters for firewall rules and NAT settings are directly configured in IDM without the need to define abstract security policies. Volkswagen can use the upload function to upload the rules to all the listed devices and configure them in one step. The IDM enabled special rules to be implemented between the subnetworks, subgroups and user groups and then distributed to all firewalls.
According to the maintenance team at Volkswagen Emden, device management has been greatly facilitated by the central management system. Generating a new firewall rule within five minutes in order to grant a member of the service team access is no longer an issue.
Robots, PLCs, panel PCs, laser technology, welding systems, controllers and the driverless transport system have since been protected by distributed firewalls on the Emden car bodywork production network. Jens Hoofdmann reports that there have been no security incidents since the firewalls were installed. However, they have been able to identify infected devices from other production sectors based on the log files. In one of these instances, a virus had attempted to spread to other devices. However, the mGuard blocked access to the protected computers, making it possible to advise the other sectors of the malicious malware.
Phoenix Contact
www.phoenixcontact.com
Filed Under: CONNECTIVITY • fieldbuses • networks, PLCs + PACs
Tell Us What You Think!