- By Philip Marshall
- May 02, 2023
- Hilscher
- Feature
Summary
Protocol stacks built to cybersecurity standards make device communication safer. This feature originally appeared in AUTOMATION 2023 Volume 2: Connectivity & Cybersecurity.
Historically, industrial cybersecurity in automation systems has concentrated on controller-tocontroller communications and using dedicated IT/OT gateways, with systems segmented into interconnected zones. Today, integrators are primarily applying cybersecurity to the interfaces of these zones. These segments typically include operations technology (OT) industrial networks, and their device intercommunications are generally unprotected. Integrators are installing firewalls and strict on-premises access control to increase security in this space.
A good strategy to prevent incidents from spreading and reduce risks is segmentation. However, segmentation alone isn’t enough to resolve every issue. User groups, standardization bodies, and technology providers are working on extensions to secure OT-level communications. These extensions include field devices, servo drives, IO-devices, and small sensors, to name a few, and they are equipped with security capabilities (Figure 1).
With new heightened security functionalities, network nodes will be able to authenticate each other and data can be protected against tampering to ensure that only trusted devices can communicate. Data encryption is another viable method of confidential information protection.
A good strategy to prevent incidents from spreading and reduce risks is segmentation. However, segmentation alone isn’t enough to resolve every issue. User groups, standardization bodies, and technology providers are working on extensions to secure OT-level communications. These extensions include field devices, servo drives, IO-devices, and small sensors, to name a few, and they are equipped with security capabilities (Figure 1).
With new heightened security functionalities, network nodes will be able to authenticate each other and data can be protected against tampering to ensure that only trusted devices can communicate. Data encryption is another viable method of confidential information protection.
Hilscher has already implemented such cybersecurity standards into its communication protocol stacks. Devices based on the multiprotocol netX chips that feature security-enabled hardware and firmware make use of these advantages.
Advantages of field-level security
Field-level security is required to further open industrial networks toward enterprise networks and the internet. Access to field-level data increases production process transparency and visibility, enabling new technologies to increase productivity.
One simple application is asset management, while device condition monitoring, remote diagnostics, and predictive maintenance are other potential applications that enable system operators to save time and money.
New business models are possible when applications in the cloud can directly access the field level. Machine builders can release their products and charge customers by production quantities rather than selling a machine. This will lead to more flexibility in production processes — factories could offer individualized products down to a lot size of one.
Controlling physical access to industrial facilities is difficult, expensive, and sometimes impossible when systems are distributed over large areas like chemical process automation systems. However, cybersecurity-protected networks could make physical access restrictions obsolete because a communication channel that prevents infiltration allows a system to be exposed to the public without risks. Going forward, it is expected that authorities worldwide will increase mandatory requirements related to cybersecurity functions for industrial automation equipment.
Device makers must follow these upcoming requirements and can benefit from Hilscher solutions since cybersecurity functions are transparently integrated into the protocol stacks. This alleviates a lot of development-engineering responsibilities—an API interface can be used for security certificate handling.
Applying new technologies to industrial environments
It isn’t necessary to reinvent the wheel in order to provide security functions to field devices. OT can borrow well-established security methods and standards from the IT world. One example is EtherNet/IP CIP Security, which makes use of proven SSL/TLS technology and its underlying methods, to secure IP-based real-time Ethernet communication. It uses the same cryptographic algorithms like Advanced Encryption Standard (AES), Rivest–Shamir–Adleman (RSA), or Diffie-Hellmann Elliptic Curve Cryptography (ECC), which are all already established in IT systems. This is similar to Profinet security and other industrial Ethernet-based communication standards.
However, technologies must be adapted to the unique requirements of OT networks such as determinism, guaranteed timing behavior and long maintenance intervals. But this adaptation is a difficult task, as OT devices typically have limited resources in terms of CPU performance, memory, and available space.
For this reason, Hilscher includes dedicated security hardware support to its netX 90 multiprotocol communication controller. Security-enabled firmware makes use of a hardware accelerator for encryption functions to unburden the CPU and guarantee deterministic real-time behavior (Figure 2).
Hilscher provides the protocol firmware as a monolithic binary, running independently on a dedicated CPU on the netX communication controller. Users won’t have to hassle with library integration, enabling fast time to market.
Where to direct cybersecurity efforts
Field-level cybersecurity is important for all sectors of the industrial automation market. As discussed earlier, every system operator who wants to benefit from IT/OT convergence must consider field-level cybersecurity. Automation system operators must reduce the high-cost risks caused by cyberattacks.
Authorities will define systems rules, beginning with critical infrastructure, and certain security levels will be mandatory in such systems. This shows there is a market demand for all kinds of securityenabled automation equipment such as servo drives, sensors, valves, and IO-systems. These components, and others like them, will have to meet IEC 62443 requirements. Hilscher’s solution is ideal for device makers, as it provides a ready-to-use protocol firmware with integrated security functionality that helps them equip their devices quickly at a low cost.
Cybersecurity solves industrial automation challenges
Real-time Ethernet protocols are common and widespread in automation systems. But implementing them requires constant maintenance since the compliance test specifications are continually adjusting and expanding. Security extensions add another level of complexity, because even if device integrators are familiar with the protocol specifications, the latest cybersecurity extensions require a lot of time to build knowledge, train, and implement. The Hilscher netX 90 with security protocol firmware is a solution for this problem.
Handling security certificates poses another challenge. Each device in a secure network requires certificates that must be initially deployed (transferred to and stored on the device), then updated in regular intervals. Typically, this task is the operator’s responsibility, and it should occur during normal system operation. But there are different approaches to address this issue.
Operators may want full control over certificates and keys because they are using a public key infrastructure (PKI) or they might want to leave key generation and certificate signing to the device maker. Therefore, component manufacturers must provide flexible solutions for their products.
The security-enabled protocol firmware from Hilscher provides a flexible certificate manager that supports a variety of different uses and enables the freedom to adapt to individual requirements and use cases.
This feature originally appeared in AUTOMATION 2023 Volume 2: Connectivity & Cybersecurity.
About The Author
Philip Marshall is the CEO of Hilscher North America and is responsible for overseeing all development and sales activities for the U.S. and Canada. Marshall has been active in industrial communications since 1985. He holds a BS in operations management and information systems from Bradley University.
Did you enjoy this great article?
Check out our free e-newsletters to read more great articles..
Subscribe