Security for the industrial Internet of Things

Cybersecurity for production processes

With IoT, machines, tools and control devices carry digital information: these smart devices process data and forward commands on their own. The ongoing development of IoT brings a host of opportunities for the manufacturing industry. Production processes are becoming more dynamic and efficient thanks to constant communication between production sites, suppliers and end products. At the same time, however, the growing number of devices connected to the Internet poses a security risk. Every connected device gives an attacker a possible path into the network, and the potential damage ranges from the loss of sensitive corporate information and the sabotage of individual machines to a halt of production.
The industrial control components used in production networks can hardly defend themselves against these threats, because most control and management equipment was designed with availability, not security, as the priority. As long as process networks were isolated from the rest of the IT infrastructure, attackers had few opportunities. That began to change with the emergence of IoT and smart factories. To benefit from IoT and modern IP technology, these networks need a new security architecture and new security technologies. Today, security solutions must be able to prevent production downtime, manipulation of processes and theft of sensitive information.
Blacklisting lacks precision
Up to now, process and control networks have mostly been protected by perimeter firewalls that shield the company network as a whole from outside attacks (First Line of Defense). This port-based technology provides only limited protection for process networks: a conventional packet filter decides on IP addresses and ports alone, so it cannot see what is carried inside a connection it has allowed, and an attack that uses a permitted port passes straight through.
Add-on solutions such as antivirus, anti-spyware and web filters also follow the blacklisting approach, and blacklisting can only protect against known threats. A new virus or spyware sample first has to be added to the blacklist before it can be recognized and blocked. This leaves networks open to zero-day attacks, i.e. attacks that exploit a vulnerability before a fix or a signature for it exists.
Blocking undefined traffic
Instead of conventional port-based firewalls, the manufacturing industry requires firewalls that include Deep Packet Inspection (DPI). A conventional firewall filters traffic by port; a DPI engine decodes the packet payload and identifies the application, the protocol and, within the protocol, the individual command and its source. This makes it possible to write a fine-grained ruleset for both machine-to-machine and human-to-machine traffic in which any traffic not explicitly defined is blocked. With this whitelisting approach, only pre-defined commands from pre-defined sources reach the devices in the industrial network. The network administrator can allow or block individual functions of a protocol, such as read access but not write access, depending on source and target. Every flow that passes the firewall is attributed to a known application, device or user and validated against the ruleset before it is let through.
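The following is an added example, not code from the page or from the vendor's products, of what such a whitelist looks like once the payload is decoded. It assumes Modbus/TCP as the industrial protocol (chosen for illustration; the page names no specific protocol), and the hosts, unit IDs and rules are constructed. A port filter would allow all of the sample frames because they arrive on the Modbus port; the application-layer rules allow only the specific function codes each source is entitled to send, and anything the decoder cannot classify is dropped by default.

```python
"""Application-layer allowlist over a decoded industrial protocol (added example).

Assumptions, not from the page: the protocol is Modbus/TCP, and the hosts,
unit IDs and rules below are constructed for the demonstration.
"""
from dataclasses import dataclass
import struct

# Subset of Modbus function codes the decoder understands.
FUNCTION_NAMES = {
    1: "read_coils",
    3: "read_holding_registers",
    5: "write_single_coil",
    6: "write_single_register",
    16: "write_multiple_registers",
}


@dataclass(frozen=True)
class Rule:
    src: str              # source host (HMI, engineering workstation, ...)
    dst: str              # target PLC
    functions: frozenset  # function names this src may send to this dst


# Constructed ruleset: the HMI may only read; the engineering station may also write.
RULES = [
    Rule("10.0.1.10", "10.0.2.5", frozenset({"read_coils", "read_holding_registers"})),
    Rule("10.0.1.20", "10.0.2.5", frozenset({"read_coils", "read_holding_registers",
                                             "write_single_register",
                                             "write_multiple_registers"})),
]


def decode_modbus(payload: bytes):
    """Decode the MBAP header and function code of one Modbus/TCP request.

    Returns (unit_id, function_name), or None if the payload is not
    well-formed Modbus/TCP. None is 'undefined traffic' and gets blocked.
    """
    if len(payload) < 8:
        return None
    tid, proto, length, unit, fc = struct.unpack("!HHHBB", payload[:8])
    if proto != 0:                    # Modbus/TCP protocol identifier is always 0
        return None
    if length != len(payload) - 6:    # length field counts unit id + PDU
        return None
    name = FUNCTION_NAMES.get(fc)
    if name is None:                  # unknown or unsupported function code
        return None
    return unit, name


def decide(src: str, dst: str, payload: bytes) -> str:
    """Whitelist decision: 'allow' only if a rule explicitly permits src -> dst -> function."""
    decoded = decode_modbus(payload)
    if decoded is None:
        return "block"                # default deny for anything undefined
    _, function = decoded
    for rule in RULES:
        if rule.src == src and rule.dst == dst and function in rule.functions:
            return "allow"
    return "block"


def build_request(fc: int, data: bytes, unit: int = 1, tid: int = 1) -> bytes:
    """Build a Modbus/TCP request frame (MBAP header + PDU) for the samples below."""
    pdu = bytes([fc]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed traffic samples.
READ_HOLDING = build_request(3, struct.pack("!HH", 0, 10))          # read 10 registers at 0
WRITE_SINGLE = build_request(6, struct.pack("!HH", 0x0010, 0x00FF))  # write 0x00FF to register 0x10
PORT_ONLY_TRAFFIC = b"GET / HTTP/1.1\r\n\r\n"                        # not Modbus, but on TCP/502

if __name__ == "__main__":
    samples = [("10.0.1.10", READ_HOLDING), ("10.0.1.10", WRITE_SINGLE),
               ("10.0.1.20", WRITE_SINGLE), ("10.0.1.99", READ_HOLDING),
               ("10.0.1.10", PORT_ONLY_TRAFFIC)]
    for src, frame in samples:
        print(src, decode_modbus(frame), decide(src, "10.0.2.5", frame))
```

The length check in decode_modbus matters: an engine that trusts the advertised length instead of the bytes actually present can be made to misclassify a frame. Real DPI products decode far more of the protocol (register ranges, write values), but the decision structure is the same: decode first, then match source, target and command against an explicit allow list, and block everything else.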
DPI engines are also a key element of programmable networks (software-defined networking and network function virtualization), which separate the control plane from the data plane and scale network functions dynamically as virtualized instances. For IoT, this means that individual quality-of-service parameters can be defined and provisioned for different services, which gives the flexibility needed for the varied and changing demands on network resources. With DPI, you can identify which applications generate the highest network load and, based on these metrics, selectively prioritize or rate-limit streaming applications, for example.
Analyzing data in real time
Because IoT devices generally establish only short-lived connections with each other, load balancing and per-service quality parameters are becoming far more dynamic, and tracking an individual device within the network is increasingly difficult. In a dynamic IoT network it is impossible to place a conventional firewall at every single gateway, so both better analysis and a new security concept are needed. In such a structure, a DPI engine supplies the application-level context (which device, which application, which command) that firewall rules need in order to decide.
A firewall for industrial networks has to meet one more requirement. Data transfer in a production network must be secured in real time, so the usual sequential processing, in which the firewall, web filter, antivirus and IPS each take their turn on the same data, is not an option because it would slow the systems down. Fast, parallel processing is needed instead. Next-generation firewalls (NGFW) worthy of the name use flow-based, single-pass technology for this: instead of waiting for a complete file to be reassembled, inspection starts as soon as the first packet arrives, and because firewall and web filter rules, antivirus signatures and IPS signatures are held in a shared database, each data packet needs to be processed only once.
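The following is an added example, not code from the page or from any vendor's engine, of the single-pass idea in its simplest form: each packet of a flow is scanned once against every rule set as it arrives, with no file reassembly. It also shows the check a practitioner should ask about when a product claims to start inspecting on the first packet: a signature that straddles two packets. The rule sets, signature strings and packets are constructed; real engines use far richer rule languages than plain byte strings.

```python
"""Single-pass, stream-oriented signature matching (added example).

Assumptions, not from the page: signatures are plain byte strings, two
constructed rule sets stand in for the antivirus and IPS databases, and the
packets are the consecutive TCP segments of one flow.
"""

# Constructed rule sets; names and patterns are made up.
SIGNATURES = {
    "av":  {"dropper-marker": b"DROPPER-MARKER-01"},
    "ips": {"plc-stop": b"STOP_PLC"},
}


class StreamInspector:
    """Inspect a flow one packet at a time, without reassembling the whole file.

    A tail of (longest signature - 1) bytes is carried from one packet to the
    next so that a signature split across two packets is still detected, and
    every rule set is checked in the same pass over each packet.
    """

    def __init__(self, signatures):
        self.signatures = signatures
        self.max_len = max(len(p) for rs in signatures.values() for p in rs.values())
        self.carry = b""        # tail of the previous packet(s)
        self.offset = 0         # stream offset of carry[0]
        self.verdicts = []      # (rule_set, name, stream_offset)

    def feed(self, packet: bytes):
        buf = self.carry + packet
        for rule_set, patterns in self.signatures.items():
            for name, pattern in patterns.items():
                pos = buf.find(pattern)
                while pos != -1:
                    # Report only matches that end inside the new packet;
                    # anything ending inside the carry was reported earlier.
                    if pos + len(pattern) > len(self.carry):
                        self.verdicts.append((rule_set, name, self.offset + pos))
                    pos = buf.find(pattern, pos + 1)
        keep = self.max_len - 1
        self.offset += max(0, len(buf) - keep)
        self.carry = buf[-keep:] if keep > 0 else b""


def inspect_flow(packets, signatures=SIGNATURES):
    """Run the single-pass inspector over a list of packets; returns the verdicts."""
    inspector = StreamInspector(signatures)
    for packet in packets:
        inspector.feed(packet)
    return inspector.verdicts


def per_packet_scan(packets, signatures=SIGNATURES):
    """Naive alternative: scan each packet in isolation. Misses split signatures."""
    hits = []
    for index, packet in enumerate(packets):
        for rule_set, patterns in signatures.items():
            for name, pattern in patterns.items():
                if pattern in packet:
                    hits.append((rule_set, name, index))
    return hits


# Constructed flow: the AV signature starts at the end of the first segment
# and finishes in the second; the IPS signature sits in the third.
PACKETS = [
    b"PUT /firmware HTTP/1.1\r\n\r\nDROPPER-MA",
    b"RKER-01 payload bytes",
    b"MODE=STOP_PLC\n",
]

if __name__ == "__main__":
    print("single pass :", inspect_flow(PACKETS))
    print("per packet  :", per_packet_scan(PACKETS))
```

The carry buffer is what turns "start checking when the first packet arrives" into a sound check rather than a fast one: without it, an attacker only needs to fragment the transfer so that the signature crosses a segment boundary. The cost is bounded by the longest signature, so the inspector never has to hold a complete file in memory.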

Info box: Rohde & Schwarz Cybersecurity secures industrial IoT networks

Industrial firewall with DPI engine
The next-generation firewall gateprotect Specialized Line was developed specifically for complex industrial environments that require a high level of protection. It includes the Deep Packet Inspection engine R&S®PACE 2, a world-leading DPI product. The gateprotect Specialized Line secures data transfer in real time, analyzing data with flow-based single-pass technology. The firewall is configured to each customer's individual needs, which includes decoding the industry-specific communication protocols in use. The protocol and application detection software R&S®PACE 2 supports a variety of individual use cases, and firewall vendors and other IT security suppliers can purchase it as a separate product.

Robust firewall for tough environments
The UTM firewall GP-Tough was developed for challenging environments such as wind farms, workshops, ships, airplanes or railway traffic. Thanks to its rugged hardware, it is dust- and splash-proof and well protected against shock, vibration and extreme temperatures.

Protecting web applications
The DenyAll security solutions for web applications add protection for the web-based connections of Industry 4.0. Rohde & Schwarz Cybersecurity acquired the French company in December 2016. The DenyAll web application firewalls (WAF) and web services firewalls (WSF) protect web services against attacks and misuse. Since machines increasingly communicate with each other via web services, the behavior- and application-based DenyAll solutions are an essential component for securing IoT applications in the manufacturing industry.

Rohde & Schwarz Cybersecurity at the CeBIT 2017: Hall 6 / Booth J16