Professor Dr. Frithjof Klasen, a member of the Managing Board of the PROFIBUS Nutzerorganisation e.V. (PNO), discusses problems surrounding security for automation systems and explains how guidelines from communication technology organisations, such as PROFIBUS & PROFINET International (PI), can be helpful.
Typical security threats in the production environment can include infection by malware, unauthorised use (both intentional and unintentional), manipulation of data, espionage and related know-how loss, and denial of service. The consequences of security breaches can be loss of production, reduced product quality, and can pose a safety threat to both humans and machines.
In order to evaluate threats, the properties and possible weak points of devices and systems must be known. A property that is useful from the automation perspective – for example, the ability for a programming device to access a controller without authentication – can be seen as a possible weak point from the security perspective. It is necessary to distinguish these weak points in order to assess risks, develop security solutions, and take appropriate measures. Areas to focus on include:
- Weak points that arise due to incorrect implementation (for example, faulty device behaviour)
- Conceptually planned and accepted properties: these include all features that can also be exploited for attack purposes; an example here would be an integrated web server in an automation device.
- Weak points that are caused by organisational measures or lack thereof
Field devices contain communication technologies for transmission of process signals (real-time communication) and also standard IT technologies such as FTP services. In addition, field devices operate as network infrastructure components (switches) and therefore have services and protocols that are needed for network management and diagnostic purposes. Most communication protocols at the field level have no integrated security mechanisms. Devices and data are not authenticated; consequently, within the scope of a possible attack, field-level systems can be extended at will and communication can be injected. Even the transfer of PLC programs often takes place without security measures such as user authentication and integrity protection.
Ideally, users want a tool, certification, or system that promises long-term security. The difficulty, however, is that such solutions do not provide lasting security. In order to develop secure systems, users must implement both technical measures and conceptual and organisational measures.
Conceptual and organisational weak points can be more easily overcome when they are described in guideline documents. PI, for example, developed the ‘Security Guideline for PROFINET’ in 2006 and published a revised version of this guideline at the end of 2013. This guideline specifies ideas and concepts on how security solutions can be implemented and which security solutions should be implemented. The subject of risk analysis is covered, for example. This analysis estimates the probability of a damage event and its possible consequences, based on protection goals, weak points, and possible threats. On the basis of an analysis of this type it is possible for economically feasible and appropriate security measures to be derived. The guideline also offers a series of proven best practices, such as the cell protection concept.
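The risk analysis sketched in the previous paragraph, worked through in code as an added illustration (this is not the PI guideline's method and not code from the article): each threat exploits one of the three kinds of weak point listed above, endangers a protection goal, and is scored as probability times consequence; candidate measures are then ranked by how much risk they remove per unit of cost, which is one way to arrive at the "economically feasible" measures the text mentions. The 1 to 5 scales, the score bands, the cost units and every named weak point, threat and measure are constructed assumptions.

```python
from dataclasses import dataclass, replace

PROTECTION_GOALS = ("availability", "integrity", "confidentiality")
# The three kinds of weak point named in the article.
WEAK_POINT_CATEGORIES = ("implementation", "accepted_property", "organisational")

@dataclass(frozen=True)
class WeakPoint:
    name: str
    category: str

@dataclass(frozen=True)
class Threat:
    name: str
    weak_point: str   # name of the WeakPoint this threat exploits
    goal: str         # protection goal that would be violated
    likelihood: int   # 1 (rare) .. 5 (expected); assumed scale
    impact: int       # 1 (negligible) .. 5 (safety-relevant); assumed scale

@dataclass(frozen=True)
class Measure:
    name: str
    mitigates: frozenset  # names of threats whose likelihood it lowers
    reduction: int        # likelihood points removed, never below 1
    cost: int             # relative cost units (constructed)

def risk_score(likelihood: int, impact: int) -> int:
    """Probability x consequence, the product the analysis estimates."""
    return likelihood * impact

def risk_class(score: int) -> str:
    """Assumed banding of a 1..25 score into three classes."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"

def validate_model(weak_points, threats) -> bool:
    """Every threat must reference a known weak point and protection goal."""
    known = {w.name for w in weak_points}
    for w in weak_points:
        if w.category not in WEAK_POINT_CATEGORIES:
            raise ValueError(f"unknown weak point category: {w.category}")
    for t in threats:
        if t.weak_point not in known:
            raise ValueError(f"{t.name}: unknown weak point {t.weak_point}")
        if t.goal not in PROTECTION_GOALS:
            raise ValueError(f"{t.name}: unknown protection goal {t.goal}")
        if not (1 <= t.likelihood <= 5 and 1 <= t.impact <= 5):
            raise ValueError(f"{t.name}: likelihood/impact outside 1..5")
    return True

def total_risk(threats) -> int:
    return sum(risk_score(t.likelihood, t.impact) for t in threats)

def classify(threats) -> dict:
    return {t.name: risk_class(risk_score(t.likelihood, t.impact)) for t in threats}

def apply_measure(threats, measure):
    """Return the threat list with the measure's likelihood reduction applied."""
    return [
        replace(t, likelihood=max(1, t.likelihood - measure.reduction))
        if t.name in measure.mitigates else t
        for t in threats
    ]

def rank_measures(threats, measures):
    """Rank measures by risk removed per unit of cost, most effective first."""
    base = total_risk(threats)
    rows = []
    for m in measures:
        removed = base - total_risk(apply_measure(threats, m))
        rows.append((m.name, removed, round(removed / m.cost, 2)))
    return sorted(rows, key=lambda r: (-r[2], r[0]))

# Constructed sample model for one production cell (not from the article).
WEAK_POINTS = [
    WeakPoint("unauthenticated PLC program download", "accepted_property"),
    WeakPoint("integrated web server on field device", "accepted_property"),
    WeakPoint("switch firmware crashes on malformed frame", "implementation"),
    WeakPoint("no firmware update process", "organisational"),
]
THREATS = [
    Threat("manipulated PLC program from infected engineering laptop",
           "unauthenticated PLC program download", "integrity", 3, 5),
    Threat("malware spreading via field device web server",
           "integrated web server on field device", "availability", 4, 3),
    Threat("denial of service by malformed frames",
           "switch firmware crashes on malformed frame", "availability", 2, 4),
    Threat("know-how loss via web server diagnostics",
           "integrated web server on field device", "confidentiality", 2, 2),
]
MEASURES = [
    Measure("cell protection firewall", frozenset(t.name for t in THREATS), 2, 4),
    Measure("authentication for program download", frozenset({THREATS[0].name}), 2, 3),
    Measure("disable unused web server", frozenset({THREATS[1].name, THREATS[3].name}), 3, 1),
    Measure("firmware update programme", frozenset({THREATS[2].name}), 1, 2),
]

if __name__ == "__main__":
    validate_model(WEAK_POINTS, THREATS)
    for name, cls in classify(THREATS).items():
        print(f"{cls:6} {name}")
    print("total risk:", total_risk(THREATS))
    for name, removed, per_cost in rank_measures(THREATS, MEASURES):
        print(f"{per_cost:5.2f} risk removed per cost unit  {name} (-{removed})")
```

Run as a script, the model prints each threat's class, the cell's total risk and the measures in order of risk removed per cost unit. In the constructed data, switching off an unused web server comes out ahead of the cell firewall only because it is assumed to cost almost nothing; the point of the ranking is that the relative numbers, not the absolute scores, drive which measures are justified.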
Making devices more secure
Another measure concerns device security. Robust devices are the basis for stable processes and systems and are a prerequisite for security in automation. Weak points due to incorrect implementation can only be eliminated through appropriate quality assurance measures and certifications…