Remote maintenance through networked security appliances
Modern industrial plants generally comprise highly automated, complex machines and systems. Servicing
and maintaining such systems demands qualified service personnel, and often only the manufacturer
can provide them. Open automation platforms based on Ethernet, however, give users new
options, writes Ingo Hilgenkamp. These include the latest security appliances, used in conjunction with CIFS
Integrity Monitoring (CIM).
THERE IS CONSTANT pressure for production
systems to operate ever more efficiently and
economically. Downtimes not only result in
financial loss but also jeopardise delivery dates
and in turn the reputation of the company. At
the same time, it is becoming increasingly
difficult for operating companies to handle
automation systems, frequently requiring
support from the plant manufacturers involved.
To save time and money, operating companies
therefore frequently link their applications to
the manufacturer's service network via the
Internet, which has established itself as a
universal medium for transporting all types of
data owing to its high bandwidth, accessibility
from virtually everywhere and low cost. It
therefore opens up new possibilities for
networking and operating plants and systems.
What does the security box do?
The Phoenix Contact security appliances use SD
memory cards as interchangeable configuration
memories, so that a device can be replaced in
the field without being reconfigured. The basic
modules address simple routing and/or remote
maintenance applications with a maximum of
two VPN tunnels. When required, the integrated
firewall can be used to control data traffic.
In addition to routing, these security
appliances offer firewall and VPN functions. A
configurable Stateful Inspection firewall filters
communication according to explicit input and
output rules: only connections the user has
authorised are permitted, and reply traffic is
admitted only for connections the firewall has
already seen. Per device, up to 10 VPN
tunnels (extendable to a maximum of 250 VPN
tunnels with an additional licence) can be
established and operated. The two WAN
interfaces, via which remote access is achieved,
allow a fallback function to be implemented. For
example, if the preferred DSL connection
cannot be established, the device switches
automatically to a serial link via an external
modem, and switches back as soon as the
preferred connection becomes available again.
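The rule model described above, as an added illustration that is not Phoenix Contact code: a default-deny filter with explicit per-direction allow rules and a connection table, so that the PLC's replies to an authorised maintenance session pass while anything unsolicited, in either direction, is dropped. The VPN service network 10.8.0.0/24, the PLC address 192.168.1.10, the Modbus/TCP rule and the packet trace are all constructed assumptions.

```python
"""Model of a stateful input/output packet filter for a remote
maintenance link.  Added example, not Phoenix Contact code: explicit
allow rules per direction, replies admitted only for connections the
filter has already seen.  Addresses, the VPN network 10.8.0.0/24, the
PLC 192.168.1.10 and the rule syntax are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = WAN/VPN -> machine network, "out" = reverse
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for the TCP packet that opens a connection


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    src: str                      # CIDR
    dst: str                      # CIDR
    dport: Optional[int] = None   # None = any destination port

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction and p.proto == self.proto
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or p.dport == self.dport))


class StatefulFilter:
    """Default-deny filter with a connection table (conntrack)."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.conntrack = set()   # 5-tuples of connections a rule admitted

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def evaluate(self, p: Packet) -> str:
        # Part of an already admitted connection (either direction):
        # allowed without consulting the rules again.
        if self._key(p) in self.conntrack or self._reverse(p) in self.conntrack:
            return "ACCEPT:established"
        # A TCP packet that neither opens a connection nor belongs to a
        # tracked one is dropped before any rule is looked at.
        if p.proto == "tcp" and not p.syn:
            return "DROP:no-state"
        # New connection: needs an explicit rule for its direction.
        for r in self.rules:
            if r.matches(p):
                self.conntrack.add(self._key(p))
                return "ACCEPT:rule"
        return "DROP:no-rule"


# Single rule: the technician's VPN network may open Modbus/TCP (port 502)
# sessions to the PLC.  Nothing else is allowed in either direction.
RULES = [Rule("in", "tcp", "10.8.0.0/24", "192.168.1.10/32", 502)]


def run_trace():
    """Evaluate a constructed packet trace; returns the list of verdicts."""
    fw = StatefulFilter(RULES)
    trace = [
        Packet("in", "tcp", "10.8.0.5", 51000, "192.168.1.10", 502, syn=True),     # technician opens Modbus
        Packet("out", "tcp", "192.168.1.10", 502, "10.8.0.5", 51000),              # PLC answers
        Packet("in", "tcp", "10.8.0.5", 51000, "192.168.1.10", 502),               # more data, same session
        Packet("out", "tcp", "192.168.1.10", 49152, "203.0.113.7", 443, syn=True),  # PLC calls out to Internet
        Packet("in", "tcp", "10.8.0.5", 51001, "192.168.1.10", 3389, syn=True),    # RDP from VPN: not in rules
        Packet("in", "tcp", "10.8.0.9", 40000, "192.168.1.10", 502),               # mid-stream packet, no session
    ]
    return [fw.evaluate(p) for p in trace]


if __name__ == "__main__":
    for verdict in run_trace():
        print(verdict)
```

The point of the connection table is the second and third verdicts: the PLC's reply and the follow-on data need no rule of their own, whereas a stateless filter would have to open port 502 in the outbound direction as well, which is exactly the hole the outbound call to 203.0.113.7 would then slip through.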
A need for remote maintenance
When setting up a teleservice, the focus is on
cost, security, bandwidth, availability and
stability, as well as end-user acceptance. There
are three main reasons why companies might
opt for remote maintenance:
Lower warranty costs. If a company sells a
machine to an end user, it is obliged to provide
a manufacturer's warranty, so the costs of maintenance,
repair or spare parts cannot be invoiced
to the customer. The costs of travelling to and
from the plant or machine, as well as the working
hours, can almost be halved if the manufacturer
uses remote maintenance techniques. The
in-house service technician diagnoses and
pinpoints the fault remotely, so that the
required spare parts are brought to the
customer the first time around. If the problem
can be solved through a software adaptation or
by modifying the application, no travel costs
are incurred at all. Both implementation
time and system downtime are also
significantly reduced.
Outsourcing. Where complex production plants
are concerned, users generally cannot afford to
have an expert on staff for each different
system. External service providers with the
necessary know-how are often an
economically viable alternative. They invoice
their services based on the actual time spent
and are, in some cases, available around the
clock. Today, service technicians can access
machines and plants via VPN using suitable
security appliances.

Hard security: In addition to the routing functions, these
security appliances offer full firewall and VPN functional
scope
Service agreements. Machine and plant
manufacturers offer their customers additional
services through service contracts. Generally,
the contract secures the availability of the
application through a high maintenance
quality. Proactive system diagnostics and
monitoring ensures that required service work
is performed in a timely fashion, therefore
reducing downtimes. In addition, the service
allows a fast response and, therefore, extra
revenue if the customer requires additional
components and/or systems.

Comparing firewall and CIFS: In conjunction with CIFS Integrity Monitoring (CIM), users can immediately detect whether
their systems are being manipulated.
Dynamic monitoring
In the era of the Stuxnet worm and other
increasingly sophisticated attacks, some of them
tailored to damage or steal from automation
systems, dynamically monitoring all
Windows systems in the production environment
significantly raises the level of
security. CIFS Integrity Monitoring (CIM), based
on the Common Internet File System, is a form of
malware protection suited to the industrial
environment and is available as an additional
licence for certain security appliances.
CIFS is better known as Windows File Sharing.
The file shares are the most vulnerable part of
Windows-based automation components.
CIFS Integrity Monitoring watches those shares
for malware infections and provides two ways
of checking them: CIFS Integrity Checking, which
records a baseline of the files on a share and
reports any file that is subsequently added,
changed or removed, and the CIFS Antivirus Scan
Connector, which, as its name indicates, makes
the shares available to an external virus scanner.
CIM therefore works like an anti-virus sensor but
needs no virus pattern updates: it detects that
something has altered the files of a Windows
system comprising control, operator unit and
PC (Fig. 1). The flip side is that integrity
checking reports modification, not identity. It
cannot say which malware made a change, and a
legitimate change such as a software update must
be followed by a fresh baseline, or it will be
reported as an alarm.

Fig. 1. CIM's working
principle: It operates as an
anti-virus sensor but does not
need to reload virus patterns.
It detects whether malware
has infected a Windows
system comprising control,
operator unit and PC.
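The working principle of Fig. 1, as an added example that is not Phoenix Contact code: a baseline of file hashes is taken once, the share is re-hashed on each check, and the difference is reported. It runs over a local directory standing in for a mounted CIFS share; the share layout, the file contents and the set of monitored file types are constructed assumptions.

```python
"""Integrity monitoring of a file share, in the manner of CIFS
Integrity Checking: take a baseline of file hashes, re-hash later and
report what was added, changed or removed.  Added example, not Phoenix
Contact code.  A local directory stands in for a mounted CIFS share;
share layout, file contents and monitored file types are assumptions.
"""
import hashlib
import tempfile
from pathlib import Path

# File types worth watching: executable code that must not change during
# normal production.  Data files that change all the time (recipes, logs)
# are left out so the monitor does not drown in expected changes.
MONITORED = ("*.exe", "*.dll", "*.sys", "*.ocx")


def hash_file(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large binaries fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def take_baseline(root: Path, patterns=MONITORED) -> dict:
    """Map relative path -> SHA-256 for every monitored file under root."""
    snap = {}
    for pat in patterns:
        for p in root.rglob(pat):
            if p.is_file():
                snap[p.relative_to(root).as_posix()] = hash_file(p)
    return snap


def check_integrity(root: Path, baseline: dict, patterns=MONITORED) -> dict:
    """Re-hash the share and diff it against the baseline.

    The monitor only reports; it never blocks the application, so a false
    alarm cannot bring production to a standstill the way an IDS/IPS or an
    on-access virus scanner could."""
    now = take_baseline(root, patterns)
    return {
        "added": sorted(set(now) - set(baseline)),
        "removed": sorted(set(baseline) - set(now)),
        "modified": sorted(k for k in baseline.keys() & now.keys()
                           if baseline[k] != now[k]),
    }


def demo() -> dict:
    """Build a constructed share, baseline it, simulate an infection and
    return the integrity report."""
    with tempfile.TemporaryDirectory() as d:
        share = Path(d)
        (share / "bin").mkdir()
        (share / "bin" / "hmi.exe").write_bytes(b"MZ original HMI binary")
        (share / "bin" / "driver.dll").write_bytes(b"MZ original driver")
        (share / "recipes.csv").write_text("batch,1\n")
        baseline = take_baseline(share)

        # Simulated compromise: one DLL replaced, a new kernel driver dropped.
        # The recipe file also changes, but that is normal production data
        # and is deliberately not monitored.
        (share / "bin" / "driver.dll").write_bytes(b"MZ trojanised driver")
        (share / "bin" / "dropped.sys").write_bytes(b"MZ rootkit driver")
        (share / "recipes.csv").write_text("batch,2\n")

        return check_integrity(share, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Two practical points follow from the code: the baseline must live somewhere the monitored host cannot write to (on the appliance, in the product's case), otherwise malware that replaces a DLL can also rewrite the hash that would expose it; and silence from the monitor only covers the monitored patterns, so the list of file types has to include everything the control software actually loads.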
Operators can therefore run a firewall and
CIM in parallel and protect systems that
previously could not be protected at all.
These include systems:
• That involve an out-of-date operating system
for which Microsoft no longer provides any
security patches, such as Windows 2000 and older.
• Whose (software) supply state was certified
by the manufacturer or an authority, and where
a change to the software - for example as a
result of an operating system update - would
mean that the warranty of the manufacturer or
authorisation from the authority would be lost.
• That cannot be equipped with a virus scanner
in time-critical industrial applications.
• That cannot perform a virus pattern update
because, for instance, no Internet connection
is available, or that have deliberately not been
equipped with virus scanners and/or IDS/IPS
(Intrusion Detection System/Intrusion
Prevention System) because a false
alarm would bring the complete application
to a standstill.
• Whose operators lack the expertise to install
virus scanners and/or IDS/IPS correctly, so
that installing them risks disturbing the
system.
Boxing in security
The latest generation of industrial security
routers operates without a fan in a rail-mounted
metal enclosure. The devices have an SD card
slot as well as connections for a VPN enable
switch and VPN status indicators, making device
replacement simple. For example, the Phoenix
Contact RS4000 series runs an embedded Linux
operating system and has four security
components that complement each other:
• A bidirectional Stateful Inspection firewall
• A flexible NAT router
• A highly secure VPN gateway
• Optional protection against malware using
CIFS integrity monitoring.
These devices have been designed as industrial
VPN field routers, so they can be used directly
at the machine or as central security
components in distributed networks. They offer
up to two parallel VPN tunnels, a simple 'two-click'
firewall and flexible routing
functions, and the security functionality
is scalable.
And finally
Modern security appliances are well suited to
implementing a secure, cost-effective and
reliable remote maintenance solution. In
conjunction with the CIFS Integrity Monitoring
(CIM) available for such security appliances,
users can immediately detect whether their
systems are being manipulated.
Ingo Hilgenkamp is with Marketing Network Technology,
Phoenix Contact Electronics GmbH, Bad Pyrmont,
Germany.
www.phoenixcontact.com