The direct consequences of targeted, destructive access to a machine controller and of an unintentional operating error are the same: standstill or even destruction of a machine or plant, and thus production stoppage, loss of reputation and loss of revenue. The main objective is therefore robustness against disturbances, whatever their cause. Protecting data and communication is a preventive measure that makes unauthorized access more difficult; logging access is a detective measure that brings irregularities to light after the fact.
Exposed machines and plants do not enjoy the perimeter protection of enclosed industrial sites. Wind turbines or biogas plants are relatively easy to reach physically, and response times after a detected break-in are long. In production plants, the greatest risk comes from people who already hold legitimate access: a technician from an external service provider, or a dismissed employee who in frustration gives in to the temptation of targeted sabotage, are two classic examples. Their targets are switches, routers and controllers with unused, unprotected ports, which can be used for inconspicuous disruption or for targeted interception of communications.
Bachmann control components have several measures for countering targeted access. Mechanisms for protecting against network overload keep the application stable under denial-of-service attacks. Consistent end-to-end encryption of communication with SSL/TLS defeats passive eavesdropping. User programs can encrypt their own data through interfaces to current cryptographic algorithms.
Guided by national and international regulations, public utilities are particularly sensitized to security and are obliged to protect their plants accordingly. Comprehensive measures, embedded in detailed security concepts at every organizational level, have long been established: protective fencing, in-house security staff and continuous access control are found in the critical parts of these plants. Control networks and operator panels used to be strictly sealed off. Modern business and service models, however, now require targeted access by other parts of the organization via the intranet, and even externally via the Internet.
Efficiently managing a large number of controllers in critical infrastructure requires central management of users and their access rights, of SSL/TLS certificates, and of system messages. The M1 controller system therefore supports LDAP (Lightweight Directory Access Protocol) for central user management, SCEP (Simple Certificate Enrollment Protocol) for the centralized rollout of certificates, and syslog for forwarding system messages to a central log server.
Access Control is a module for user and access management. Users and groups can be created by copy and paste and through integrated inheritance logic, which saves a great deal of time. System rights are assigned unambiguously, so that each user can be given exactly the rights that user needs.
Defects and operating errors
Targeted security management only helps against undesired and potentially destructive access. Inadvertent changes to machine parameters, failures of network components and misconfigurations of the machine network are far more frequent, particularly in the protected environment of production plants, yet they produce the same symptoms and effects. A broadcast storm caused by a faulty network switch, for example, overloads the connected network clients in exactly the same way as a targeted denial-of-service attack.
Unlike other security measures, protection against such defects only pays off if it takes effect directly on the controller. Bachmann controllers therefore provide functions for limiting the bandwidth of their Ethernet ports, which increases robustness against both intentional and unintentional network disturbances: an overloaded network interface cannot disturb the real-time processes.
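The effect of an ingress bandwidth limit on a real-time controller can be made concrete with a small simulation. The following is an added example and not Bachmann's code; the M1 firmware's actual limiter algorithm is not described on this page. It assumes a token-bucket limiter in front of the receive path, a constructed broadcast storm of 64-byte frames at 100 000 frames per second, a constructed cost of 5 µs of receive-path CPU per admitted frame, a 1 ms real-time cycle and a budget of 20 % of each cycle for network handling. All of these numbers are assumptions chosen to illustrate the mechanism.

```python
from dataclasses import dataclass, field

US_PER_S = 1_000_000  # all times are integer microseconds so the arithmetic stays exact


@dataclass
class TokenBucket:
    """Ingress limiter (assumed model, not the M1 implementation).

    Credit is kept in micro-bytes (bytes * 1e6) so that refilling at rate_bps
    bytes per second over an elapsed time in microseconds is an exact integer
    multiplication with no rounding drift.
    """
    rate_bps: int        # sustained byte budget per second
    burst_bytes: int     # largest credit the bucket may hold (allowed burst)
    _credit: int = field(init=False)
    _last_us: int = field(init=False, default=0)

    def __post_init__(self):
        self._credit = self.burst_bytes * US_PER_S  # bucket starts full

    def admit(self, t_us: int, size: int) -> bool:
        """Return True if a frame of `size` bytes arriving at t_us may pass."""
        elapsed = max(0, t_us - self._last_us)
        self._credit = min(self.burst_bytes * US_PER_S,
                           self._credit + elapsed * self.rate_bps)
        self._last_us = t_us
        cost = size * US_PER_S
        if cost <= self._credit:
            self._credit -= cost
            return True
        return False  # dropped at the port; never reaches the receive path


def broadcast_storm(start_us, duration_us, pps, size=64):
    """Constructed traffic: a switch looping one broadcast frame at `pps` frames/s."""
    interval = US_PER_S // pps
    return [(start_us + i * interval, size, "ff:ff:ff:ff:ff:ff")
            for i in range(duration_us // interval)]


def normal_traffic(start_us, duration_us, pps, size=128):
    """Constructed traffic: a legitimate unicast peer at a modest rate."""
    interval = US_PER_S // pps
    return [(start_us + i * interval, size, "00:11:22:33:44:55")
            for i in range(duration_us // interval)]


def simulate(frames, limiter=None, cost_us_per_frame=5, cycle_us=1000, budget_frac=0.2):
    """Run frames through the optional limiter; account receive-path CPU per real-time cycle.

    Every admitted frame charges cost_us_per_frame to the cycle it arrives in.
    The cycle deadline is considered met if no cycle spends more than
    budget_frac of its length on network handling.
    """
    admitted = dropped = 0
    cycle_load_us = {}
    for t_us, size, _dst in sorted(frames):
        if limiter is None or limiter.admit(t_us, size):
            admitted += 1
            cycle = t_us // cycle_us
            cycle_load_us[cycle] = cycle_load_us.get(cycle, 0) + cost_us_per_frame
        else:
            dropped += 1
    worst_us = max(cycle_load_us.values(), default=0)
    return {
        "admitted": admitted,
        "dropped": dropped,
        "worst_cycle_load": worst_us / cycle_us,
        "deadline_met": worst_us <= budget_frac * cycle_us,
    }


if __name__ == "__main__":
    storm = broadcast_storm(0, 100_000, pps=100_000)  # 0.1 s of storm, 10 000 frames
    print("unlimited port:", simulate(storm))
    print("limited port  :", simulate(storm, TokenBucket(rate_bps=800_000, burst_bytes=640)))
    quiet = normal_traffic(0, 100_000, pps=1_000)
    print("normal traffic:", simulate(quiet, TokenBucket(rate_bps=800_000, burst_bytes=640)))
```

Without the limiter every storm frame reaches the receive path and each 1 ms cycle spends 500 µs on network handling, far over the assumed 200 µs budget, so the cycle deadline is missed. With the limiter the port admits roughly one frame in eight after the initial burst, the worst cycle stays at 110 µs, and the real-time cycle keeps its deadline, while the legitimate low-rate traffic passes untouched. The burst size matters as much as the rate: a bucket large enough to hold a full cycle's worth of frames would let the first cycle overrun before the limit takes effect.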
It is advisable to set up user and access management for every user via Access Control. This limits the possibilities for manipulation centrally according to the least-privilege principle, and independent security logging allows each change to be attributed to an individual user. Operating errors can thus be traced to their cause and warranty cases processed quickly.
Safety and Security
Functional safety requires strong security measures against operating errors. Unnoticed changes to the safety programming and dangerous interference during safe operation must be both prevented and logged. Bachmann's Safety Control already warns about malicious, manipulated code on the configuration computer and protects against inadvertent changes with functions for pinning software versions. A separate login system on each safety controller allows access to be restricted individually. Logging is continuous, tamper-proof and implemented redundantly, so that even if part of the module is destroyed, the chain of events up to the failure can very probably still be reconstructed.
Security measures are only effective if they are actually applied. Bachmann sees it as its task to promote the consistent use and spread of security functions even where no comprehensive security concept exists and staff are not yet security experts. Simple activation and operation of the extensive protective measures ensures that the dangers of careless operation and of simple attacks are already minimized at this early stage.
At the centre are four predefined security levels that can be selected in the security configurator. Behind each level is a template that applies settings within the controller so that, depending on the level, certain logs and functions are activated or even disabled.
Basic protection can be achieved in three steps
Recommended procedure for safeguarding the controller
- Setting the security level
- Deactivating unnecessary services
- Activating logging
- Defining group rights
- Creating users
- Setting file rights
- Implementing applications while taking general security aspects into account