Industrial IoT – Cybersecurity for Controllers
Carmen Klingler-Deiseroth explains how the B&R SiteManager with its integrated firewall performs all the tasks required for cybersecurity.
Transferring data from the machine controller to the cloud requires a connection to the Internet. This, however, makes it susceptible to cyberattacks. Machines with cloud connectivity therefore need special protection.
Prior to the Industrial Internet of Things (Industrial IoT), machine controllers communicated – if at all – only with each other or with higher-level systems inside the company network. A direct connection to the Internet was very rare. Machine builders and operators had no reason to concern themselves with the topic of cybersecurity.
“But that is changing,” explains Andreas Hager, B&R's product manager for control systems. In Industrial IoT solutions, industrial PCs and other hardware are used as edge devices with a direct connection to the Internet. This opens them up as potential targets for hackers.
DDoS attacks
Hackers can paralyse controllers, and thus entire machines, for example by overwhelming them with traffic. This is known as a DDoS (Distributed Denial of Service) attack: a hacker distributes attack programs across a so-called botnet comprising several hundred to a thousand computers, smartphones and tablets, effectively weaponising them. On command, the bots then bombard a machine controller with so many simultaneous requests that it fails under the load and the machine stops – as demonstrated recently by a malware attack at a microprocessor manufacturer.
Open ports
To transfer data to the cloud, ports must be opened on the machine controller. “As long as the communication channel between the controller and the cloud gateway is open, these ports are an open window for hackers,” explains Hager. That's not the only problem, however. Devices that are directly connected to the Internet must be updated regularly to close newly discovered gaps in security.
“Many machines run for weeks or months on end,” notes Hager. Yet, updates can only be installed when the machine is stopped. Following an update, it may even be necessary to adjust the application. “That’s a lot of work, and in the long run simply not a viable answer.”
Luckily, there is a simple solution: the control functionality and the communication functionality must be isolated from one another. That way, a DDoS attack would be unable to penetrate deep enough to affect machine control. “In the worst case, you might lose communication with the cloud, but the machine itself can continue to operate,” emphasises Hager.
B&R has introduced the SiteManager for this purpose. The device has an integrated firewall and performs all the tasks required for cybersecurity, such as keeping cloud certificates up to date and applying patches to close security holes.
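The separation described above can be illustrated with a small model. The following is an added example written for this article; it is not B&R code and says nothing about how the SiteManager is implemented internally. It assumes a constructed plant network in which the controller only answers the gateway's address (10.0.0.2), the gateway alone faces the Internet, and inbound traffic on the Internet side is bounded by a generic token bucket. The OPC UA-style node ids and the cloud destinations are constructed sample values. The point it demonstrates is that a flood on the Internet-facing side is absorbed at the gateway while the control loop keeps running, and that only the explicitly exported tags ever leave the plant network.

```python
from dataclasses import dataclass, field

# Constructed addresses for the model: the gateway sits between the two networks.
GATEWAY_ADDR = "10.0.0.2"      # plant-side address of the gateway
INTERNET_PEER = "203.0.113.9"  # documentation-range address standing in for any Internet host


@dataclass
class Controller:
    """Control loop on the plant network. It has no Internet-facing port and only
    answers data reads that come from the trusted gateway address."""
    trusted_peer: str
    tags: dict = field(default_factory=lambda: {
        "ns=2;s=Temperature": 21.5,   # constructed sample tags
        "ns=2;s=Pressure": 3.2,
        "ns=2;s=Recipe": "A7",        # never exported (see Gateway.exports)
    })
    cycles_run: int = 0

    def run_cycle(self) -> None:
        self.cycles_run += 1

    def read(self, peer: str, node_ids):
        if peer != self.trusted_peer:
            raise PermissionError(f"refused read from {peer}")
        return {n: self.tags[n] for n in node_ids if n in self.tags}


class TokenBucket:
    """Generic rate limiter for the gateway's Internet-facing side.
    Time is passed in explicitly so the model is deterministic."""
    def __init__(self, rate_per_s: float, capacity: int):
        self.rate = rate_per_s
        self.capacity = capacity
        self.tokens = float(capacity)
        self.last = 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Gateway:
    """Communication function, separated from the controller. Inbound Internet
    requests terminate here; cloud traffic is initiated outbound by the gateway."""
    def __init__(self, addr: str, controller: Controller, bucket: TokenBucket, exports: dict):
        self.addr = addr
        self.controller = controller
        self.bucket = bucket
        self.exports = exports   # destination -> list of node ids the operator ticked
        self.handled = 0
        self.dropped = 0

    def handle_inbound(self, now: float) -> bool:
        # Nothing here touches the controller: excess requests are simply dropped.
        if self.bucket.allow(now):
            self.handled += 1
            return True
        self.dropped += 1
        return False

    def publish(self) -> dict:
        # Per-destination filtering: each cloud receives only its configured tags.
        return {dest: self.controller.read(self.addr, nodes)
                for dest, nodes in self.exports.items()}


def simulate(flood_size: int = 10_000, cycles: int = 100) -> dict:
    """Flood the gateway at t=0 while the controller keeps cycling, then publish."""
    plc = Controller(trusted_peer=GATEWAY_ADDR)
    gw = Gateway(GATEWAY_ADDR, plc, TokenBucket(rate_per_s=100, capacity=50), exports={
        "cloud-a": ["ns=2;s=Temperature", "ns=2;s=Pressure"],
        "cloud-b": ["ns=2;s=Temperature"],
    })
    for _ in range(flood_size):
        gw.handle_inbound(now=0.0)   # all requests arrive in the same instant
    for _ in range(cycles):
        plc.run_cycle()              # control loop is unaffected by the flood
    return {"cycles_run": plc.cycles_run, "handled": gw.handled,
            "dropped": gw.dropped, "published": gw.publish()}


def controller_rejects_direct_read() -> bool:
    """An Internet host that somehow reaches the plant network still gets no data."""
    plc = Controller(trusted_peer=GATEWAY_ADDR)
    try:
        plc.read(INTERNET_PEER, ["ns=2;s=Recipe"])
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(simulate())
    print("direct read refused:", controller_rejects_direct_read())
```

In the model the bucket holds 50 tokens, so of 10,000 simultaneous requests 50 are handled and 9,950 are dropped at the gateway, the controller still completes all 100 cycles, and the Recipe tag is absent from every cloud payload because no destination lists it.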
Cloud connectivity
To transfer data to the cloud, the controller connects with the SiteManager via OPC UA. During configuration, the user defines which data is to be transferred. It is also possible to transfer different data to different cloud providers. Configuration is a simple matter of checking boxes in the SiteManager's web-based user interface.
If a cloud certificate needs to be updated, the machine operator doesn't have to do anything. The SiteManager automatically downloads and installs updates without affecting machine operation. This also ensures that the security guidelines of the cloud providers are always adhered to and any potential security gaps are closed quickly.
“Having the SiteManager between the controller and the cloud ensures that any data transferred between the machine and applications outside the company network are protected against unauthorised access,” says Hager.
Secure remote maintenance
“The security requirements for remote maintenance are very similar to those for cloud communication,” explains Hager. The SiteManager is therefore perfectly suited for this purpose as well.
The device allows service technicians to connect to the machine control system via a secure VPN connection and search for errors. A user management system provides clearly defined and tamper-proof control over which technicians have access to which controllers. “With a technician on site, it is then possible to begin a targeted troubleshooting process,” says Hager. “The SiteManager ensures that any data transferred between the machine and applications outside the company network are protected against unauthorised access and cyberattacks.”
Captions
Pix1: In a DDoS attack, a hacker distributes programs across a botnet to make a concerted attack that paralyses a controller.
Pix2: The SiteManager transfers data securely to the cloud.
Pix3: Andreas Hager, Product Manager – Control Systems, B&R.
Pix4: B&R Hypervisor makes it possible to use an industrial PC simultaneously as both a machine controller and an embedded SiteManager. No additional hardware is required.
Pix5: The B&R SiteManager is available in three variants, providing an Internet connection via LAN, WLAN or mobile network.