Security and safety fieldbuses

The how and why of security measures

Author: Max Perner, infoteam Software AG

Contribution – Embedded Software Engineering Congress 2018

Security on fieldbuses is necessary, possible, and sensible. The theoretical approach of "security by design" and the concept of "defense in depth" are often neglected in practice, even though attack protection is currently a major focus, especially for embedded systems in the field of industrial control. This is due to both new security standards and long-established functional safety norms.

Motivation

Standards for functional safety (safety), such as IEC 61508, as well as standards for attack protection (security), such as IEC 62443, require this approach: security by design. However, component suppliers in the area of OT (Operational Technology) are often left out of it. At the same time, attempts are made to achieve network security through encapsulation using firewalls [1]. Using fieldbuses as an example, this contribution shows that all components of an industrial plant can contribute to overall security.

(Safety) fieldbuses in application

Fieldbuses serve to standardize infrastructures. They were introduced to replace parallel wiring and analog signal transmission and to exploit the advantages of digital transmission [2]. Protocols such as PROFIsafe implement safety functions by detecting random changes to the data stream. The security aspect is currently only considered in exceptional cases [3].

An attacker who wants to deliberately introduce malicious code into a corporate network via a fieldbus will observe, utilize, and misuse the transmission protocol in use. Without security measures, recipients in this case can only assume a legitimate sender, as there is no way to detect the attack as such.

The goal of security

The goal of security always relates to other system components whose functionality must be protected. The requirements for the components of a system to be protected are analyzed and examined for vulnerabilities from the perspective of malicious intent. Subsequently, measures can be taken to mitigate these vulnerabilities. In this way, gaps can be closed or weaknesses bridged.

CIA Triad

Abstract security objectives help to maintain an overview of the system in concrete situations. They help to classify measures taken and to proceed in a structured manner. A common example is the CIA triad [4]. See Fig. 1 (PDF).

One category to be classified is assets [5], i.e., tangible and intangible assets that may be threatened and require protection. These include, for example, production data (more precisely: the confidentiality of production data). Protective measures such as authentication codes for ensuring data integrity can also be classified in this way, as can attacks such as "Denial of Service" through fraudulent service requests affecting availability.

Foundational Requirements

DIN IEC 62443 [6], a standard for system security on industrial networks, expands the three very abstract security goals of the CIA triad into seven Foundational Requirements, in order to provide a better understanding of the security requirements for IACS (Industrial Automation and Control Systems). From these seven Foundational Requirements, the standard then derives concrete security requirements for the systems under consideration. See Fig. 2 (PDF).

Defense in Depth

The design concept "Defense in Depth" consists of two patterns: firstly, each protection goal should be secured as independently as possible at each level of a system, and secondly, weaknesses at one level can be compensated for by other levels.

Security on fieldbuses

In the case of fieldbuses, it becomes clear how these abstractions required by standards [5] [7] become reality:

On the one hand, there is a sub-area that can potentially be delegated, in a meaningful way, to the trust boundary between the fieldbus system and the connected IT infrastructure: the protection of confidentiality. In manufacturing, for example, all actors involved in a workpiece should know what they are working on and in what context the sensor messages are to be interpreted. This does not apply in cases where the protection of confidential information on the fieldbus is deemed necessary, e.g., for prototype protection against industrial espionage [8].

On the other hand, risks to availability and integrity should not be ignored. An attacker who gains access to a fieldbus in a manufacturing plant or in the process industry can damage individual products and potentially endanger people, machines, and the environment. For this reason, data streams on the fieldbus should be authenticated, at least partially.

Authenticity

Authenticity refers, firstly, to the protection of the identity of the communication participants. Specifically, this means that one addressee cannot be replaced by another without detection. Secondly, it also ensures that the addressee actually possesses legitimate rights. In the CIA paradigm, the integrity of the addressing is therefore to be protected. For the actuator on the fieldbus, this means verifying whether the control commands actually originate from the PLC (Programmable Logic Controller), which is authorized to communicate with the actuator, and not from an attacker who has gained access to the fieldbus via the network.

Data flow integrity

Data flow integrity refers to the protection of the integrity of transmitted data, i.e., safeguarding against illegitimate data alteration. An attacker could potentially modify the message of a legitimate sender. A functionally safe protocol would generally perform an integrity check, but since this cyclic redundancy check (CRC) is transparent and predictable for the attacker, they could also forge the checksum. In this case, functional safety is not guaranteed.

Selection of security measures

To implement these specific security objectives, cryptographic measures [9] [10] are taken. These measures must be tailored to the specific scenario: In the area of IIoT (Industrial Internet of Things), the performance of the processors in the end devices and the available bandwidth limit the selection of usable methods. At the lower end, for 8-bit microcontrollers [11], simple heartbeat protocols [12] can be enhanced with cryptographic functions to achieve a minimum level of protection through authentication. At the other end of the scale, the same level of security as in online banking can be achieved with TLS [11] [13].
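As an added illustration (not code from the paper or from any fieldbus profile), the following Python sketch contrasts the two layers described under "Data flow integrity" and "Selection of security measures": a safety frame protected only by a CRC, which a frame built from an altered payload still passes because the checksum needs no key, and a cryptographically enhanced heartbeat-style frame with a sequence counter and a truncated HMAC, which the actuator only accepts if the tag verifies under the key shared with the PLC and the counter is fresh. The key, the frame layout and the 8-byte tag length are assumptions made for this example.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed demo values: the shared PLC/actuator key, tag length and frame
# layout are assumptions for this example, not a real fieldbus profile.
KEY = b"constructed-demo-key-shared-by-plc-and-actuator"
TAG_LEN = 8  # truncated tag, as a constrained 8-bit device might afford

def build_safety_frame(payload: bytes) -> bytes:
    """Safety layer only: payload plus CRC-32, which detects random bit errors."""
    return payload + struct.pack(">I", zlib.crc32(payload))

def check_safety_frame(frame: bytes) -> bool:
    payload, crc = frame[:-4], struct.unpack(">I", frame[-4:])[0]
    return zlib.crc32(payload) == crc

def build_secure_frame(counter: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Security layer: counter + payload, authenticated by a truncated HMAC-SHA256."""
    body = struct.pack(">I", counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class Receiver:
    """Actuator side: accept only frames with a valid tag and a fresh counter."""
    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_counter = -1

    def accept(self, frame: bytes):
        if len(frame) < 4 + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # altered or forged: without the key no valid tag exists
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.last_counter:
            return None  # replayed or stale frame
        self.last_counter = counter
        return body[4:]

def tamper_demo():
    """Same altered command against both layers: CRC still verifies, the MAC does not."""
    cmd, altered = b"VALVE=CLOSE", b"VALVE=OPEN!"  # equal length
    crc_still_passes = check_safety_frame(build_safety_frame(altered))
    rx = Receiver()
    genuine = build_secure_frame(1, cmd)
    tampered = genuine[:4] + altered + genuine[4 + len(cmd):]
    return crc_still_passes, rx.accept(tampered), rx.accept(genuine), rx.accept(genuine)
```

The last two calls in tamper_demo show the counter check: the genuine frame is accepted once, and the identical frame is rejected when presented again.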

Fulfillment of Security Objectives – Security by Design

The goal of these measures is to enable the system to meet security requirements. This requires identifying potential attack surfaces, analyzing them for vulnerabilities, and then resolving the identified issues. Compared to desktop systems, the complexity of the hardware and software used in embedded systems is typically low. If security is neglected in this case, an attack surface exists at the core of a company, potentially vulnerable to attacking the entire IT infrastructure and manufacturing processes. However, this low complexity also presents opportunities: hardening components to protect against attacks requires significantly fewer resources than with complex office IT systems.

Conclusion

If fieldbus devices only respond to secure and authenticated communication, it becomes significantly more difficult to attack this part of a network. Consistent hardening of the individual components within a system can prevent such an attack from occurring in the first place.

Bibliography

[1] C. Romeo, "www.iot-inc.com," 2017. [Online]. Available: https://www.iot-inc.com/the-s-in-iot-stands-for-security-article/.
[2] Wikipedia, "Fieldbus," 2018. [Online]. Available: https://de.wikipedia.org/w/index.php?title=Feldbus&oldid=179337515.
[3] IEC 61508-1:2010 Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 1: General requirements, Geneva: IEC, 2010, clause 7.5.2.2.
[4] S.-P. Oriyano, CEH v9 Certified Ethical Hacker Version 9 Study Guide, Indianapolis: Wiley, 2016.
[5] IEC/TS 62443-1-1:2009-07: Industrial communication networks – Network and system security – Part 1-1: Terminology, concepts and models, Geneva: IEC, 2009.
[6] IEC DIN EN 62443-4-2:2017-10; VDE 0802-4-2:2017-10 – Draft: Industrial communication networks – IT security for industrial automation systems – Part 4-2: Requirements for components of industrial automation systems, Berlin: Beuth Verlag, 2017.
[7] K. Wallace, "Common Criteria and Protection Profiles," 2003. [Online]. Available: https://www.sans.org/reading-room/whitepapers/standards/common-criteria-protection-profiles-evaluate-information-1078, p. 8. [Accessed August 23, 2018].
[8] C. Sydow, "BND Affair: NSA spied on German companies as late as 2013." [Online]. Available: https://www.spiegel.de/politik/deutschland/bnd-affaere-nsa-spaehte-noch-2013-deutsche-firmen-aus-a-1032049.html. [Accessed September 5, 2018].
[9] B. Schneier, Applied Cryptography, 20th Anniversary Edition, Wiley, 2015.
[10] J. Schwenk, Security and Cryptography on the Internet: Theory and Practice, Wiesbaden: Springer, 2014.
[11] M. Welschenbach, Cryptography in C and C++, Berlin: Xpert.press, 2001.
[12] O. Pfeiffer, "Scalable CAN security for CAN, CANopen and other protocols," in CAN in Automation, iCC 2017. [Online]. Available: https://www.can-cia.org/fileadmin/resources/documents/conferences/2017_pfeiffer.pdf. [Accessed November 3, 2017].
[13] R. Bless, Secure Network Communication: Fundamentals, Protocols and Architectures, Berlin: Springer, 2005.

Published by

weissblau media