Security
Small firewalls protect machines and systems
Author / Editor: Martin Reimann / Dipl.-Ing. (FH) Reinhold Schäfer
Software components of machines are increasingly becoming targets for attacks on the Internet. Small firewalls can be used to isolate the machines by segmenting traffic and increasing security in the corporate network.
The Microwall can be installed directly on site as it is so small (image Wiesemann & Theis)
At a glance:
Unless there is a specific contract with your manufacturer that states otherwise, you as the plant operator are responsible for ensuring that your software is up to date.
Small firewalls can reduce the threat of malware infiltrating software that is not up to date.
The configuration is done via an easy-to-use web interface and takes only a few minutes.
One of the major challenges on the road to Industry 4.0 is to guarantee the highest possible level of security as connectivity in the production data network increases. A key problem lies in ensuring the software components used by the machines are kept up to date. This is a particular concern in the production environment where there is often outdated software, which poses a high security risk.
(Images: Wiesemann & Theis)
The SMD production at Wiesemann & Theis was islanded with the help of the Microwall. Communication with the island data network segment is limited to only essential cases. This reduces the opportunities to attack.
Software components are levers for attackers
Software contains errors. Some of these errors are so severe that they allow sensitive data to be accessed or malicious code to be executed. The older a piece of software gets, the more is usually known about these errors. Manufacturers provide security updates during the product lifetime to close these known gaps. However, the product lifetimes of machines and of the software components used vary widely: while machines are normally used over several decades, software manufacturers usually only provide updates for the first few years. At the same time, as the system ages, more and more potential vulnerabilities become known that can be exploited by attackers.
The fact that a software manufacturer provides updates does not mean that the machine manufacturer also provides an update. This is because significant changes, such as changes to the control software, can mean that a new conformity assessment procedure needs to be carried out. When an update is carried out by the operator of the machine there is the possibility that liability is then also transferred to the operator.
If the manufacturer is not obliged by a maintenance contract to provide updates, the responsibility for updates lies with the operator. The operator needs to know the patch status of the software components in use, which updates are available and what the current threat situation is. There is often a lack of awareness of the problem and a lack of resources to address it, especially in small and medium-sized enterprises.
Unpatched is unprotected
In 2017, the WannaCry worm ate its way through data networks around the world. It encrypted hard drives at universities, companies, hospitals and ministries. The issue was a vulnerability in the file and printer sharing of Windows computers that had become known a few months earlier. Although Microsoft had patched the operating systems that had not yet reached their end of life, the worm spread through systems where the patch had not been applied or where it was not initially available. WannaCry was so destructive that Microsoft was forced to produce a patch for legacy systems as well.
In May 2019, Microsoft again delivered an extraordinary security update for unsupported systems. This time it was a security vulnerability in the remote maintenance service. This, too, was deemed a high risk, so Microsoft and the German Federal Office for Information Security (BSI) warned of WannaCry-like attacks.
Attacks over IP data networks
Normally, corporate networks are well secured against the Internet. If an attacker nevertheless manages to take over a computer on the network, for example through malicious e-mails or compromised USB sticks, he can systematically search the other systems on the network for vulnerabilities. These are typically errors in server applications that provide various services on the endpoints in the network.
In the case of WannaCry, the vulnerability was in the software that serves files from Windows computers over the network. As most Windows computers have this file sharing enabled, WannaCry was able to spread quickly.
Many endpoints in computer networks have a large number of open ports. Each of these ports represents a server program that receives and processes data from the network. Because it must be assumed that every piece of software contains errors, every open port is a potential security vulnerability.
The best remedy would be to stop unnecessary server applications. However, this is not always possible: many embedded systems do not give the operator the necessary access to the operating system. Often server applications start dynamically when needed, and in other cases it is not clear at all whether a control computer really needs a port or whether it is simply poorly configured.
All devices that can connect to each other via the data network therefore pose a potential danger to each other. If you limit the connectivity between the individual devices, the security in the network can be increased. A basic technique for this is segmentation.
Increased security by segmenting the network
The Internet Protocol (IP) allows data packets to be sent across network boundaries. If an end device detects that its communication partner is in another data network, it sends the data over IP to a router, which handles forwarding to the destination or to the next intermediate station.
Dividing a large data network into several subnets that are connected to each other via routers is called segmentation. Communication between the individual segments can then be restricted: based on the transport protocol used, the communication partners involved, the ports used and the direction in which the connection is set up, filter rules can be defined that distinguish prohibited data packets from permitted ones. For example, such packet filters prevent production machines from accessing data in accounting by suppressing the corresponding traffic between segments.
Restrictive filters prevent unnecessary or potentially dangerous traffic. Malware that spreads in one subnet cannot easily spread to other subnets.
Islanding individual machines is the most consistent form of segmentation: small firewalls, such as the Microwall from Wiesemann & Theis, isolate machines in their own data network segment. All communication to and from this island is initially blocked across the board. Only the connections with the outside world that are necessary for operation, such as receiving production orders or reporting status and error messages back to a monitoring system, are allowed. For this purpose, connection rules are recorded in a positive list (allowlist).
Traffic for which no rule exists is suppressed and, if required, logged. Within the segment, the open ports remain reachable and communication between the machine components involved is not restricted. Communication that crosses the island's borders, on the other hand, must be explicitly permitted.
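As an added illustration (not code from the article, from Wiesemann & Theis or from the Microwall itself), the following Python model evaluates connection attempts against a positive list with the semantics the segmentation and islanding sections describe: default deny at the island border, rules keyed on transport protocol, communication partners, destination port and direction of connection setup, unfiltered traffic inside the island, and logging of dropped attempts. The island address range, the MES and log-collector addresses, the ports and the rule purposes are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example topology (assumption): the machine island behind the
# small firewall is 10.10.5.0/24; MES and log collector sit in 10.0.0.0/16.
ISLAND = ip_network("10.10.5.0/24")

@dataclass(frozen=True)
class Rule:
    """One positive-list entry: who may open a connection to whom, and how."""
    proto: str   # transport protocol: "tcp" or "udp"
    src: str     # initiator (host or network, CIDR notation)
    dst: str     # responder (host or network, CIDR notation)
    dport: int   # destination port on the responder
    note: str    # why operation needs this connection

# Direction is encoded by src/dst: the rule matches the connection setup,
# i.e. who initiates, not the reply packets of an already permitted session.
POSITIVE_LIST = [
    Rule("tcp", "10.0.3.10/32", "10.10.5.20/32", 4840,
         "MES delivers production orders to the line controller (OPC UA)"),
    Rule("tcp", "10.10.5.0/24", "10.0.3.50/32", 514,
         "machines report status and error messages to the log collector"),
]

@dataclass(frozen=True)
class Attempt:
    proto: str
    src: str
    dst: str
    dport: int

def crosses_border(a: Attempt) -> bool:
    """True if the connection leaves or enters the island and is thus filtered."""
    return (ip_address(a.src) in ISLAND) != (ip_address(a.dst) in ISLAND)

def decide(a: Attempt, rules=POSITIVE_LIST, log=None) -> bool:
    """Return True if the connection setup is permitted, False if dropped.
    Dropped cross-border attempts are appended to `log` when one is given."""
    if not crosses_border(a):
        return True  # traffic that does not cross the border never passes this firewall
    s, d = ip_address(a.src), ip_address(a.dst)
    for r in rules:
        if (r.proto == a.proto and s in ip_network(r.src)
                and d in ip_network(r.dst) and r.dport == a.dport):
            return True
    if log is not None:
        log.append(f"DROP {a.proto} {a.src} -> {a.dst}:{a.dport}")
    return False  # default deny: no rule, no connection
```

Note that the reverse direction of a permitted rule (the line controller opening a connection to the MES) and lateral file-sharing attempts from an office PC into the island both fall through to the default deny and end up in the log.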
By islanding with the Microwall, systems and machines can be easily isolated from each other and thus protected. The configuration is done via an easy-to-use web interface and takes only a few minutes. When setup is complete, the interface can be permanently disabled, requiring physical device access to change the settings.
* Martin Reimann is an employee of Wiesemann & Theis GmbH in 42279 Wuppertal, Germany