In addition, Frimo deploys an mGuard bladeBase compatible with up to 12 mGuards in a standard, 19-in. rack at its headquarters, which connects to all its locations via an internal multiprotocol label switching (MPLS) network. All technical parameters and authorizations are already set up in the rack, so new machines can be added and connected without making additional entries. Consequently, when servicing is required, technicians from any location obtain remote access to the client's machine via the blade unit over the VPN connection, depending on their authorization levels.
Naturally, unauthorized probes, intrusions and attacks get all the attention, but network misconfigurations and other mistakes cause far more unplanned downtime and damage. Either way, these new industrial network archipelagos need serious security evaluations and upgrades. This means: use complex passwords; enable network-protection software and encrypted communications; identify all network-access points; close all unneeded ports and services; and segment and divide networks.
Simplify and Secure
Logically, one of the best ways to improve machine security is to turn off or remove unneeded software, hardware, services or access points, as well as to simplify the associated network designs, components and potential failure points. For example, Frimo Group in Wixom, Michigan, and Lotte, Germany, builds machines and production systems for automotive and other plastic-parts manufacturers at 15 locations worldwide, and its remote service technicians have supported its clients' operators for about 20 years, initially accessing its machines' PLCs via 56-kbps analog modems and telephone lines (Figure 3). Over the years, broadband Internet connections replaced the analog links and established manipulation-proof connections through VPN tunnels, while faster data connections between users' plants and Frimo's technicians allow the machines' industrial PCs to be operated easily. In fact, using virtual network computing (VNC) software, the entire screen content of a remote computer is transmitted and can be used by service technicians just like a local PC. Frimo mostly uses its remote capabilities for rapid fault clearance, but expanded services are available, and security is essential.
"Increasingly, powerful industrial PCs have taken over more functions in our machines. Analog connections are no longer sufficient to ensure remote maintenance for these computers," says Axel Starflinger, IT administrator at Frimo. "We adapt our machines to the specific requirements of our customers. With fast and secure VPN connections, we have access to all the devices in the machine. For example, our service allows us to remotely set up an extra checkbox in the PC's visualization system or adjust the parameters of a frequency converter."
To keep its remote services and clients secure, Frimo initially used a large supplier's broadband, remote-maintenance solution, but found it too complex and costly. It decided to implement 80 mGuard industrial security routers from Innominate Security Technologies, a division of Phoenix Contact, because the configuration templates with required parameters could be read into mGuard on an SD card. This reduced configuration time from several hours to a few minutes because the only items that need to be added are customer-specific entries for the VPN connection, the customer's default router network and the machine's IP addresses. Address conflicts are avoided by mapping the machine network's real addresses onto virtual IP addresses through the 1:1 network address translation (NAT) function of the VPN router. That means added adjustments to the machine's internal address space no longer are needed.
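The 1:1 NAT mapping described above, worked through as an added example (not code from Frimo, Innominate or the mGuard product): three machines that all ship with the same internal 192.168.0.0/24 address plan are each mapped onto a distinct virtual range by a prefix swap that keeps the host part, and a check confirms the virtual ranges themselves do not collide. All machine names and addresses are constructed.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed example: every machine uses the identical internal plan
# (192.168.0.0/24); the VPN router's 1:1 NAT exposes each one to the
# service side under its own virtual /24, so no address space is shared.
MACHINES = {
    "press-A":  (IPv4Network("192.168.0.0/24"), IPv4Network("10.10.1.0/24")),
    "press-B":  (IPv4Network("192.168.0.0/24"), IPv4Network("10.10.2.0/24")),
    "molder-C": (IPv4Network("192.168.0.0/24"), IPv4Network("10.10.3.0/24")),
}


def check_no_virtual_overlap(machines):
    """Return the first pair of machines whose virtual ranges overlap, or None.

    Identical real ranges are expected (that is the point of 1:1 NAT), but
    overlapping virtual ranges would reintroduce the conflict it avoids.
    """
    names = list(machines)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if machines[a][1].overlaps(machines[b][1]):
                return (a, b)
    return None


def one_to_one_nat(addr, src_net, dst_net):
    """Translate addr from src_net into dst_net, preserving the host bits.

    1:1 NAT is a prefix swap, not a table lookup, so both networks must be
    the same size and the address must lie inside the source network.
    """
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1:1 NAT needs equal-sized source and destination networks")
    if addr not in src_net:
        raise ValueError(f"{addr} is not inside {src_net}")
    host_bits = int(addr) - int(src_net.network_address)
    return IPv4Address(int(dst_net.network_address) + host_bits)


def to_virtual(machine, real_ip):
    """Real machine address -> address the service technician connects to."""
    real_net, virtual_net = MACHINES[machine]
    return one_to_one_nat(IPv4Address(real_ip), real_net, virtual_net)


def to_real(machine, virtual_ip):
    """Virtual address seen over the VPN -> real address inside the machine."""
    real_net, virtual_net = MACHINES[machine]
    return one_to_one_nat(IPv4Address(virtual_ip), virtual_net, real_net)
```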
"With our centralized solution, we created a uniform and standardized access solution for our subsidiaries. This simplifies operation, and administration costs are considerably less," Starflinger says. "Security concerns are initially high, especially in the automotive sector. However, the benefits of rapid troubleshooting and the security features of our solution are convincing." Starflinger says that mGuards integrate three coordinated security components based on hardened, embedded Linux programming, including a bidirectional, stateful firewall, flexible NAT router and a secure VPN router with IP security protocol (IPsec) encryption. He adds that operators' IT teams especially appreciate that mGuard prevents external access to the machine by default. This means a secure data connection can be established only with the explicit authorization of the operator via a VPN hardware switch, so access to the machine is only initiated by an outgoing connection controlled by the customer.
Lessons from IT
Because machine control and automation networks increasingly overlap with enterprise and IT-level networks, it shouldn't be surprising that they can borrow the security methods IT has already proven.