Network security for automated production

Phoenix Contact Pty Ltd
Monday, 20 August, 2012


Virus problems in the office network are merely inconvenient when compared to expensive virus disruptions and unwanted data traffic in a production network. In order to minimise the risk of disturbances and production downtime caused by unauthorised access or malware, one leading manufacturer decided to implement greater security precautions.

ZF Sachs (www.zf.com), with 16,500 employees, has been a renowned partner in the automotive industry for more than 100 years. Its drive train and chassis components are also used for commercial transportation, rail transportation, construction vehicles, agricultural vehicles and motorsports. The traditional office network solution, using virtual local area network segmentation with VLAN-compatible switches, was rejected by ZF Sachs as being expensive, complex to implement, difficult to control, insufficiently secure and potentially unreliable in the harsh environment of the plant floor.

“We evaluated different firewall security products under two main criteria. Industrial suitability with, for example, an extended temperature range was particularly important to us. We also needed a solution that could be integrated into our automation component environment as flexibly as possible and with a low level of complexity,” said Asmund Hey, head of automation technology for ZF Sachs Technical Services.

Ultimately, they chose to utilise a small, industrial module called FL mGuard, a product of Phoenix Contact, created and developed by Innominate Security Technologies. The hardened product’s Linux-based system incorporates router and firewall capabilities, as well as encrypted VPN (virtual private network) tunnels, filtering of incoming and outgoing traffic, and other functions to provide layers of distributed ‘defence-in-depth’ economically and without disturbing production.

Sealing off the office network from the production network was carried out with individual industrial firewalls behind a production firewall to create a multilayered defence architecture within which critical production lines and individual systems could be doubly safeguarded. Network traffic could be controlled and filtered with a greater degree of flexibility and lower costs using distributed industrial firewalls rather than delicate IT network equipment.

A total of 40 decentralised machine networks were implemented and each of these subnetworks was secured by an mGuard firewall. The automation technology and machine maintenance departments were responsible for the implementation, in coordination with the IT department. Along with the use of virus scanners in the production area, the most important measure became the segmentation of the production network into small and manageable machine networks. The assignment was conducted spatially based on building zones with additional Profinet components for individual installations.

Implementation of the decentralised security architecture was based on a network structure plan. This describes the individual network segments and contains specifications concerning which device is attached to which port, as well as which IP addresses, MAC addresses, firmware version and product designations are given.

To ensure that the decentralised architecture with 40 individual machine networks did not lead to greater configuration and operative effort, a basic set of common firewall rules for all subnetworks was developed first as an overriding control. This meant that most of the requirements were already covered and only individual rules had to be added for special cases, such as for controller access to office server shares.
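The layering described above, sketched as an added example (not code from ZF Sachs or the mGuard product): a shared baseline of allow-rules, per-segment exceptions, and default deny for everything else. The segment names, addresses and ports are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    src: str      # source CIDR
    dst: str      # destination CIDR
    proto: str
    dport: int
    note: str

    def matches(self, src, dst, proto, dport):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (proto, dport) == (self.proto, self.dport))

# Constructed addressing plan (assumption, not the plant's real one).
MACHINE_NETS = "192.168.0.0/16"
CENTRAL_SERVER = "10.0.10.20/32"
OFFICE_SHARE = "10.0.10.30/32"

# Common outgoing allow-rules applied to every machine network.
BASELINE = [
    Rule(MACHINE_NETS, CENTRAL_SERVER, "tcp", 1433, "process data to central server"),
    Rule(MACHINE_NETS, CENTRAL_SERVER, "udp", 123, "time sync"),
]

# Individual rules for special cases, keyed by (hypothetical) segment name.
EXCEPTIONS = {
    "cell07": [Rule("192.168.7.10/32", OFFICE_SHARE, "tcp", 445,
                    "controller access to office server share")],
}

def effective_rules(segment):
    return EXCEPTIONS.get(segment, []) + BASELINE

def decide(segment, src, dst, proto, dport):
    """First matching allow-rule wins; anything unmatched is dropped."""
    for rule in effective_rules(segment):
        if rule.matches(src, dst, proto, dport):
            return "accept", rule.note
    return "drop", "no rule (default deny)"

def redundant_exceptions():
    """Exceptions the baseline already grants, so they can be deleted."""
    return [(seg, r.note) for seg, rules in EXCEPTIONS.items() for r in rules
            if any(ip_network(r.src).subnet_of(ip_network(b.src))
                   and ip_network(r.dst).subnet_of(ip_network(b.dst))
                   and (r.proto, r.dport) == (b.proto, b.dport) for b in BASELINE)]
```

Running `redundant_exceptions()` after each change keeps the per-segment list limited to genuine special cases.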

A three-month introductory and learning phase followed start-up, allowing any missing accesses or ports to be included. “During this phase, we realised how important a careful network architecture plan is. The more time invested here, the smaller the correction effort will be later. We also discovered the advantages of central device management,” recalled Hey.

Various special requirements were desirable and taken into account in setting up the decentralised security architecture. The production facility with Profinet components needed to be sealed off from disturbances from the network. For example, a jitter of less than a microsecond was necessary for the response time behaviour of critical components, and these needed to be consistently sealed off from disturbances such as those caused by a typical IT network broadcast. A further requirement was 1:1 NAT (network address translation) for DNC (distributed numerical control) machines. This concerned the software for the distribution of the DNC programs running in the office network. Since the mGuard components support 1:1 NAT, no adjustments to the internal address space of the machines were necessary for the software.
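How 1:1 NAT lets machines keep their internal address space, as an added example (not the mGuard implementation): the host part of the address is preserved and only the network part is swapped. The cell names and address ranges are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

class OneToOneNat:
    """Maps every host in `internal` to the same host offset in `external`."""

    def __init__(self, internal, external):
        self.internal = ip_network(internal)
        self.external = ip_network(external)
        if self.internal.prefixlen != self.external.prefixlen:
            raise ValueError("1:1 NAT needs two networks of equal size")

    @staticmethod
    def _remap(addr, src_net, dst_net):
        addr = ip_address(addr)
        if addr not in src_net:
            return None  # address is not covered by this mapping
        offset = int(addr) - int(src_net.network_address)
        return str(dst_net.network_address + offset)

    def to_internal(self, dst):
        """Rewrite the destination of a packet arriving from the office side."""
        return self._remap(dst, self.external, self.internal)

    def to_external(self, src):
        """Rewrite the source of a packet leaving the machine network."""
        return self._remap(src, self.internal, self.external)

# Constructed plan: two cells keep the identical internal range,
# while the office-side DNC software sees two distinct ranges.
CELLS = {
    "cell07": OneToOneNat("192.168.0.0/24", "10.20.7.0/24"),
    "cell08": OneToOneNat("192.168.0.0/24", "10.20.8.0/24"),
}

def route_from_office(dst):
    """Return (cell, internal address) a DNC server packet reaches, or None."""
    for name, nat in CELLS.items():
        inner = nat.to_internal(dst)
        if inner is not None:
            return name, inner
    return None
```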

Setting up port forwarding was a further important requirement, as central databases in the plant stations had to be accessible from the outside. Strict outgoing rules were also necessary. The spatial separation of plants leads to a distribution of the software and process data, which must then be centrally merged again on a server. Access to the central server is enabled through rules in the central firewalls, but any other uncontrolled access is prevented.

The mGuard security solution has been used at ZF Sachs for two years now. The decentralised firewalls in new plants and in plants with Profinet components are now equipped to protect against disturbances.

“The decentralised networks run smoothly. There is nothing that halts the automation technology and operation continues largely without maintenance. We also successfully protected several older machines without virus protection from disturbances and attacks. Thanks to the segmentation, any virus brought in by a technician has not been able to spread into the network,” said Hey.

And he has good evidence, as virus problems continue to occur in the office area and in old machines without firewall protection. Asmund Hey emphasises that a secure production flow is also guaranteed when other network components fail: in that case, the firewall protects the plants from disruptive broadcasts or defective packet transmissions.
