Keywords: Safety, Security, Communications, Connectivity, OPC UA, OPC DA.
Information technology and automation are the backbones of most manufacturing operations; however, safety and security breaches caused by IT-related risks are on the rise. In the coming years, both the rate of technology change and the degree of required information integration are predicted to remain high. How will we manage the associated risks? How can we secure plant systems in the future?
In industrial applications, the goal is to keep the plant operational and to secure all data exchange. Security breaches in automation systems cannot be tolerated because of the potential threat they pose to production, personnel safety, and the environment. Although plant security and safety are top priorities, other important points include data integrity (the data should not be manipulated), deterministic data delivery, confidentiality (only authorized users have data access), and authenticity (the data origin must be without ambiguity).
The ability to securely move information between software applications and hardware appliances is critical to any automated process. This requires an interoperable communications platform that can be layered into the control system. Today, the designers and implementers of these systems take a "defense-in-depth" approach to securing their critical infrastructure. They expect that each layer in the control system will provide the functionality and flexibility needed to meet their security requirements.
For communications between software and hardware components, an additional layer of security is needed to help ensure that critical information cannot be deciphered by unauthorized applications for malicious use (such as taking over a system or stealing intellectual property). There is also a need to limit the scope of what each authorized user is allowed to do. Systems must be able to provide the information users need to perform their responsibilities. By appropriately limiting access to the information that is not required, administrators can minimize unintentional mistakes that could cause downtime or impact safety.
Security at the Interface and User Levels
Information technology enables data to flow between plant and enterprise systems. In today's data-intensive manufacturing environments, real-time plant management requires continuous data exchange. Moreover, new technologies like wireless communications, remote diagnostics, and computer configuration of field devices further increase communication intensity. This creates new hazards, which may include faulty software or hardware, improper use of IT equipment, malware (such as viruses, worms, Trojans), intentional equipment damage (such as manipulation by disgruntled employees), or hacker attacks from "outside the fence." Today, risk analysis typically has to consider all of the above.
Although standard interfaces have enabled companies to develop secure communications between components, many current solutions do not incorporate role-based security. An additional complication is that people often think of security differently. Some want to be able to allow or deny access to everything, whereas others require fine-grained control over which information can be accessed and/or modified based on the user's role. Some prefer a whitelist approach (which grants access only to necessary functions and applications and restricts everything else), whereas others prefer a blacklist approach (which grants access to everything except what is not necessary). Regardless of the approach, the security strategy's implementation should have the least possible impact on performance, should be modifiable at will without requiring a system restart, and should provide the tools necessary to deploy a tested solution into production.
Kepware's KEPServerEX Addresses Communication Security
Kepware Technologies develops a wide range of communication and interoperability software solutions for the automation industry. With the introduction of KEPServerEX version 5.12 and its Security Policies Plug-In, the company offers a platform for communications security solutions.
Kepware approaches security based on proven and adopted security strategies. KEPServerEX provides a set of services that a range of client applications and interfaces can leverage. These include OPC Unified Architecture (UA); plus classic OPC Data Access (DA), Alarm and Events (AE), and Dynamic Data Exchange (DDE).
The first step in designing secure communications is to identify the interfaces required based on the types of client applications that will be connected. For interfaces that are not utilized, the KEPServerEX platform provides a master switch to let administrators disable each individually. This prevents any application of that type from connecting to the server and represents a simple but effective first step in securing communications platforms.
For OPC UA clients, the platform limits which clients are allowed to connect by creating trusted relationships through the deployment of security certificates. Access can be restricted further based on user name and password settings. Older technologies found in legacy installed bases, such as OPC DA and AE, rely on Microsoft's Distributed Component Object Model (DCOM) security model built into the operating system to accomplish the same task. In some cases (such as DDE), connectivity may have to be "all or nothing."
OPC UA's Role in Communication Security
OPC UA provides a great deal of flexibility in terms of security, and is quickly becoming the de facto standard in the automation industry for sharing information. KEPServerEX's OPC UA Configuration Manager allows administrators to set up trusted relationships with UA clients running locally or remotely. In addition, administrators can enforce which UA transport should be used for communications to ensure that the data being exchanged meets security requirements. The OPC UA Configuration Manager also allows users to specify the network adapters and ports that should be used to work with new or existing firewalls.
The OPC UA Configuration Manager provides the ability to restrict access to authorized users that are interacting with a trusted client application. Administrators can enforce whether a trusted client must provide user-level credentials by disabling the "Allow anonymous login" setting associated with the project. Disabling anonymous access will only allow the users that are defined within KEPServerEX's user management interface to have a defined level of authorized access within the system. The User Manager also allows administrators to manage user groups, including defining the users that belong to each group. Administrators can set security policies that will be applied to all users that belong to the group. Built-in user groups exist for Administrators and Anonymous Clients; user-defined groups can also be created.
To ensure that only known users of trusted client applications can access the server, administrators can start by denying all access to the Anonymous Clients group. This is as simple as opening the Anonymous Clients group properties and denying all read, write, and browse access for all tag types (including I/O Tags, Internal Tags, and System Tags). This will prevent both OPC UA client applications that do not provide an authorized username/password and other client application types (such as OPC DA or DDE) from accessing the server. Administrators may then want to allow at least read access to all or a selected set of channels, devices, tag groups, and/or tags. This is as simple as selecting the appropriate object from the Security Policies tab and overriding the access permissions.
User Groups and Focus on Roles versus Individuals
By creating user groups, administrators can specify distinct roles for a group of individuals like operators, managers, engineers, or any group that fits the organizations' model. By defining authorized users and assigning them to their appropriate user group, administrators can focus on roles rather than individuals. For the most secure solution, administrators should deny access for all permissions at the highest level and only allow access where absolutely necessary. In the case where a manager should be allowed to monitor but not control a system, the administrator would deny write access to all tag types at the manager's user group level. Conversely, if an operator should only be able to write to certain tags, the administrator would allow write access for this user group and then select the objects that can and cannot be written to through the Security Policies tab. Administrators may want to deny write access at the root level and then select the underlying objects where write access is needed. All of these changes can be made without restarting the server and halting production; the administrator can grant and take away access at any time.
The security policies of a KEPServerEX project are only validated once the project is placed into run mode. In the event that a security policy references a group that does not exist, all access will be denied to protect the system. Details will be provided to enable the administrator to diagnose and remedy the problem.
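The three ideas above (deny everything to Anonymous Clients, deny at the root of a group's policy and override only on the objects that need access, and fail closed when a project references a group that does not exist) can be modelled compactly. The following is an added illustration written for this page; it is not Kepware's code and does not use the KEPServerEX API or its configuration file format. The object paths (Line1.PLC1.Setpoints.SP1 and so on), the user names, and the Managers and Operators groups are constructed for the example; the Anonymous Clients group name comes from the report.

```python
from __future__ import annotations
from dataclasses import dataclass, field

PERMISSIONS = ("read", "write", "browse")
ANONYMOUS_GROUP = "Anonymous Clients"   # built-in group named in the report


class PolicyError(Exception):
    """Raised when a project references a user group that is not defined."""


def deny_all() -> dict[str, bool]:
    """The most secure baseline: every permission denied."""
    return {p: False for p in PERMISSIONS}


@dataclass
class GroupPolicy:
    # Permissions granted at the root of the address space for this group.
    root: dict[str, bool] = field(default_factory=deny_all)
    # Overrides keyed by object path ("Line1", "Line1.PLC1", "Line1.PLC1.Setpoints.SP1").
    # An override applies to that object and everything beneath it.
    overrides: dict[str, dict[str, bool]] = field(default_factory=dict)


class SecurityPolicy:
    def __init__(self, groups: dict[str, GroupPolicy], user_groups: dict[str, str]):
        self.groups = groups              # group name -> policy
        self.user_groups = user_groups    # user name  -> group name

    def missing_groups(self) -> list[str]:
        """Groups that users are assigned to but that have no policy defined."""
        return sorted({g for g in self.user_groups.values() if g not in self.groups})

    def validate(self) -> None:
        """The check a project must pass before it is allowed to run:
        fail closed, and name the missing groups so the administrator can fix them."""
        missing = self.missing_groups()
        if missing:
            raise PolicyError(f"security policy references undefined group(s): {missing}")

    def allowed(self, user: str | None, path: str, perm: str) -> bool:
        """Decide one access request. Clients that present no credentials fall
        into the Anonymous Clients group; any lookup failure is a deny."""
        if perm not in PERMISSIONS:
            return False
        group = ANONYMOUS_GROUP if user is None else self.user_groups.get(user)
        policy = self.groups.get(group)
        if policy is None:
            return False
        decision = policy.root.get(perm, False)
        parts = path.split(".")
        # Walk from the top-level object downwards so the most specific override wins.
        for depth in range(1, len(parts) + 1):
            override = policy.overrides.get(".".join(parts[:depth]))
            if override is not None and perm in override:
                decision = override[perm]
        return decision


def build_example_policy() -> SecurityPolicy:
    """Constructed sample project: anonymous denied, managers monitor-only,
    operators may write a few setpoints but not a safety-critical one."""
    groups = {
        ANONYMOUS_GROUP: GroupPolicy(),                       # deny read/write/browse
        "Managers": GroupPolicy(root={"read": True, "write": False, "browse": True}),
        "Operators": GroupPolicy(
            root={"read": True, "write": False, "browse": True},   # deny write at root
            overrides={
                "Line1.PLC1.Setpoints": {"write": True},             # allow where needed
                "Line1.PLC1.Setpoints.SafetyLimit": {"write": False},  # keep read-only
            },
        ),
    }
    users = {"alice": "Managers", "bob": "Operators"}
    policy = SecurityPolicy(groups, users)
    policy.validate()
    return policy


def build_misconfigured_policy() -> SecurityPolicy:
    """A project whose user assignment names a group that was never defined."""
    return SecurityPolicy({ANONYMOUS_GROUP: GroupPolicy()}, {"carol": "Maintenance"})


def evaluate_examples() -> dict[str, bool]:
    p = build_example_policy()
    return {
        "anon_read": p.allowed(None, "Line1.PLC1.Status", "read"),
        "manager_read": p.allowed("alice", "Line1.PLC1.Status", "read"),
        "manager_write": p.allowed("alice", "Line1.PLC1.Setpoints.SP1", "write"),
        "operator_write_setpoint": p.allowed("bob", "Line1.PLC1.Setpoints.SP1", "write"),
        "operator_write_safety": p.allowed("bob", "Line1.PLC1.Setpoints.SafetyLimit", "write"),
        "operator_write_status": p.allowed("bob", "Line1.PLC1.Status", "write"),
        "unknown_user_read": p.allowed("mallory", "Line1.PLC1.Status", "read"),
    }


if __name__ == "__main__":
    for name, decision in evaluate_examples().items():
        print(f"{name:26s} {'allow' if decision else 'deny'}")
    try:
        build_misconfigured_policy().validate()
    except PolicyError as exc:
        print("validation failed:", exc)
```

The evaluation order is the point: the root decision is the starting value and each more specific path override replaces it, so a write denied at the root can be opened on one tag group and closed again on a single tag beneath it. Every failure path (unknown user, unknown group, unknown permission) resolves to deny, which is the behaviour the report describes for a policy that references a missing group.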
In cases where the administrator needs to deploy a project from one machine to another, the user group information can be exported from the source machine and then re-imported on the target machine. The administrator also has the option to password protect the file on export, in which case the password will need to be re-entered on import. Once the import is complete and the project file has been copied from the source machine to the target machine, the project will run as expected because the user group information required by the project's security policies is now available.
Kepware Technologies' KEPServerEX version 5.12 and the Security Policies Plug-In address the question of how to manage the security risks associated with moving information between software applications and hardware appliances. This solution demonstrates one of the many actions that must be taken to help secure plant systems today and in the future. KEPServerEX and the Security Policies Plug-In deliver a solution that provides flexibility while helping to effectively secure a communications infrastructure.
As the security needs of the market develop and change, the Security Policies Plug-In will need to continue to evolve to meet future requirements. ARC is confident that Kepware Technologies is in a position to address these evolving security and communication challenges head on and respond with solutions that keep manufacturing and processing plants' device communications infrastructure as safe and secure as possible.
All signed-in ARC Advisory Group clients can view this report in pdf format at this Link