Industrial Ethernet Book Issue 68 / 30

Remote maintenance through networked security appliances

Modern industrial plants generally comprise highly automated complex machines and systems. The servicing and maintenance of such applications demands qualified service personnel, but often, only the manufacturer can provide such a service. However, open automation platforms based on Ethernet provide users with new options, writes Ingo Hilgenkamp. These include the latest security appliances used in conjunction with CIFS Integrity Monitoring (CIM).

THERE IS CONSTANT pressure for production systems to operate ever more efficiently and economically. Downtimes not only result in financial loss but also jeopardise delivery dates and in turn the reputation of the company. At the same time, it is becoming increasingly difficult for operating companies to handle automation systems, frequently requiring support from the plant manufacturers involved.

To save time and money, operating companies therefore frequently link their applications to the service network of the manufacturer via the web. This is because the Internet has established itself as a universal medium for transporting all types of data owing to its high bandwidth, accessibility from virtually everywhere, and the low associated costs. Therefore, it opens up new possibilities for networking and operating plants and systems.

What does the security box do?

The Phoenix security appliances use SD memory cards as interchangeable configuration memories to permit device replacement in the field. The basic modules are suitable for addressing simple routing and/or remote maintenance applications with a maximum of two VPN tunnels, therefore guaranteeing a high level of security. When required, a firewall can be used to control data traffic.

In addition to the routing functions, these security appliances offer firewall and VPN functions. A configurable Stateful Inspection firewall filters communication based on transparent input and output rules. This ensures that only data exchanges authorised by the user can take place. For each device up to 10 VPN tunnels - extendable to a maximum of 250 VPN tunnels with an additional license - can be established and operated in all industrial environments. The two WAN interfaces, via which remote access is achieved, allow implementation of a fallback function. For example, if the preferred DSL connection cannot be initiated, then there is automatic switching to a serial link using an external modem. The system immediately switches back once the preferred connection becomes available.

A need for remote maintenance

When setting up a teleservice, the focus is on cost, security, bandwidth, availability and stability, as well as end-user acceptance. There are three main reasons why companies might opt for remote maintenance:

Lower warranty costs. If a company sells a machine to an end-user, it is obliged to extend a manufacturer warranty, so costs for maintenance, repair or spare parts cannot be invoiced to the customer. The costs for travelling to and from the plant/machine, as well as the working hours, can almost be halved if the manufacturer uses remote maintenance techniques. The in-house service technician diagnoses and pinpoints the fault remotely to ensure that he will bring all required spare parts to the customer the first time around. If the problem can be solved through a software adaptation or by modifying the application, no travel costs are incurred at all. Not only this, both implementation time and system downtime are also significantly reduced.

Outsourcing. Where complex production plants are concerned, users generally cannot afford to have an expert on staff for each different system. Often, external service providers having the necessary know-how can represent an economically viable alternative. They invoice their services based on the actual time spent and are - in some cases - available around the clock. Today, it is possible for service technicians to access machines and plants using suitable security appliances via VPN.


Hard security: In addition to the routing functions, these security appliances offer full firewall and VPN functional scope

Service agreements. Machine and plant manufacturers offer their customers additional services through service contracts. Generally, the contract secures the availability of the application through a high maintenance quality. Proactive system diagnostics and monitoring ensures that required service work is performed in a timely fashion, therefore reducing downtimes. In addition, the service allows a fast response and, therefore, extra revenue if the customer requires additional components and/or systems.


Comparing firewall and CIFS: In conjunction with CIFS Integrity Monitoring (CIM), users can immediately detect whether their systems are being manipulated.

Dynamic monitoring

In the era of the Stuxnet worm and other increasingly sophisticated attack vectors, some tailored to damage or steal from automation systems, the dynamic monitoring of all Windows systems in the production environment significantly increases the level of security. The Common Internet File System (CIFS) Integrity Monitoring (CIM) anti-virus protection is suitable for the industrial environment, and is available as an additional license for certain security appliances.

CIFS is better known as Windows File Sharing. The most vulnerable part of Windows-based automation components is the file shares. CIFS Integrity Monitoring watches those shares for malware infections and provides two options for checking them: CIFS Integrity Checking and CIFS Antivirus Scan Connector.

CIM works like an anti-virus sensor but does not need to reload virus patterns, and it detects whether malware has infected a Windows system comprising control, operator unit and PC (Fig. 1).


Fig. 1. CIM's working principle: It operates as an anti-virus sensor but does not need to reload virus patterns. It detects whether malware has infected a Windows system comprising control, operator unit and PC.
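The integrity-checking principle described above, as an added illustration that is not Phoenix Contact's code: the executable-type files on a share (assumed here to be mounted at a local path) are hashed once to form a baseline, and every later pass reports files that were added, removed or changed, with no virus patterns involved. The sample share and the tampering in demo() are constructed for the example.

```python
import hashlib
import os
import tempfile

# Only files with these suffixes are monitored; the set is an assumption for the example
EXEC_SUFFIXES = (".exe", ".dll", ".sys", ".ocx")

def hash_file(path, chunk_size=65536):
    # SHA-256 over the file in chunks, so large files on a share are not read into memory at once
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    # Walk the share root and map relative path -> digest for every monitored file
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(EXEC_SUFFIXES):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline

def compare(baseline, current):
    # Deviation report between the stored baseline and a fresh scan; any non-empty list is an alarm
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def demo():
    # Constructed sample share: take a baseline, then change one program file and drop a new one
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "hmi.exe"), "wb") as f:
        f.write(b"ORIGINAL HMI RUNTIME")
    with open(os.path.join(root, "bin", "driver.dll"), "wb") as f:
        f.write(b"ORIGINAL DRIVER")
    baseline = build_baseline(root)
    with open(os.path.join(root, "bin", "hmi.exe"), "ab") as f:
        f.write(b"\n[simulated tampering]")   # a monitored file changes after the baseline
    with open(os.path.join(root, "bin", "loader.sys"), "wb") as f:
        f.write(b"NEW DROPPED FILE")          # a new executable appears on the share
    return compare(baseline, build_baseline(root))
```

In a real deployment the baseline would be stored outside the monitored share and compared against on a schedule, so that a changed digest raises an alarm regardless of whether a scanner recognises the change.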

In this way, operators can run firewalls and CIMs in parallel to achieve maximum protection of their systems in a way not previously possible. These include systems:

That involve an out-of-date operating system for which Microsoft no longer provides any security patches, such as Windows 2000 and older.

Whose (software) supply state was certified by the manufacturer or an authority, and where a change to the software - for example as a result of an operating system update - would mean that the warranty of the manufacturer or authorisation from the authority would be lost.

That cannot be equipped with a virus scanner in time-critical industrial applications.

That cannot perform a virus pattern update, because, for instance, an Internet connection is not available or it has consciously not been equipped with virus scanners and/or IDS/IPS (Intrusion Detection System/Intrusion Prevention System) - because an incorrect alarm would cause the complete application to come to a standstill.

Whose operators have no expertise regarding the correct installation of virus scanners and/or IDS/IPS, resulting in the danger of negatively influencing the system.

Boxing in security

The latest generation of industrial security routers operate without a fan in a rail-mounted metal enclosure. Such devices have an SD card slot as well as connections for a VPN enable switch and VPN status displays, making device replacement simple. For example, the Phoenix Contact RS4000 series runs an embedded Linux operating system and has four security components that complement each other:

A bidirectional Stateful Inspection firewall

A flexible NAT router

A highly secure VPN gateway

Optional protection against malware using CIFS integrity monitoring.

These devices have been designed as industrial VPN field routers, so they can be directly used at the machine or as central security components in distributed networks. They offer up to two parallel VPN tunnels, a simple 'two-click' firewall, as well as flexible routing functions. There is also scalable security functionality.

And finally

Modern security appliances are well suited to implementing a secure, cost-effective and reliable remote maintenance solution. In conjunction with CIFS Integrity Monitoring (CIM) available for such security appliances, users can immediately detect whether their systems are being manipulated.

Ingo Hilgenkamp is with Marketing Network Technology, Phoenix Contact Electronics GmbH, Bad Pyrmont, Germany.

www.phoenixcontact.com
