How to secure your Smart Factory – Q&A with COPA-DATA
The Smart Factory has been inspiring industry for some time. Plant managers hope for more intuitive operation and a better supply of information, and process managers expect machines that communicate smartly with one another, and look forward to increasing efficiency. This inspiration has the potential to fundamentally change many areas of industrial production. Today, however, one thing is clear: we will not be given the efficiency gains from the Smart Factory on a plate!
The opening up of production networks and the exchange of data across different areas, and possibly beyond the limits of the company, leave the automation infrastructure open to attack. In addition to the existing mantra of high availability, automation systems must now meet a further challenge in the shortest time possible: protection of the system against cyber-attacks.
For COPA-DATA, the topic of industrial security has been an integral part of their product philosophy for many years. This stance extends from the design of their internal development processes, through the architecture of their products, to the basic technologies used and operating systems supported. Their aim is to strengthen the zenon Product Family even further and to give their users all the tools necessary to protect their equipment.
As they do so, the following question arises: what can a component supplier such as COPA-DATA contribute to a security concept for a complete plant? One could argue that it is the task of the equipment operators to implement suitable measures to guarantee the security of equipment. However, we believe a holistic consideration of systems, as well as people and processes, is always necessary for security questions. Particular components used, such as software, can make their contribution to “system security”.
What follows is an overview, based on questions that COPA-DATA customers have asked.
Security Q&A with COPA-DATA
The answers below can be attributed to Reinhard Mayr, Product Manager, COPA-DATA Headquarters and Philipp Schmidt, Branch Office Manager, COPA-DATA Germany (Cologne).
How secure is my production network with zenon?
zenon pursues the approach of “Security by Design”. This means that zenon and its components are already designed for secure operation in the design phase. Nevertheless, the corresponding configuration is necessary for such a complex system. This includes possibilities for the encryption of network traffic, client authentication and many other technical options, such as creating “islands” or a distributed zenon network.
What does “Security by Design” mean for COPA-DATA?
At COPA-DATA, “Security by Design” covers not only our products but all areas of the company. It is a basic tenet of our philosophy to create high-quality products that are as secure as possible. COPA-DATA thus has its own development team at its headquarters in Salzburg, where the planning and complete project and quality management take place. All product source code is developed, tested and released from the COPA-DATA headquarters. Neither third-party systems nor third-party source code is used in our products. Only this way can we guarantee the high quality of the zenon Product Family.
We are aware that, in the security area especially, we need to work with external experts. This cooperation ranges from conventional employee training through to targeted security tests and audits of the finished products. Our most important partners are universities, TÜV SÜD and public institutions such as CERT.
To supplement our organisational capabilities, we consistently leverage the most current technologies available. In addition to development and QA tools, for us this primarily includes the fastest support for the latest Microsoft operating systems (currently Windows 10) covering security and batch mechanisms through to Windows error reporting.
We follow a “Security in Depth” strategy. This means your complete production structure can be designed to allow the quick and easy distribution of our HMI/SCADA systems. This way, individual tasks or access to different hardware systems can be distributed. Attackers must overcome a number of barriers before they can get to the core productive system. In addition, there is consistent use of encryption and signing technology in all our products and components.
The overall strategy is topped off with open dialogue and documentation about security. We offer close cooperation with our customers and partners to strengthen security guidelines and share our experiences in the field of industrial security.
How can zenon prevent unauthorised users operating my equipment?
Since its first generation, zenon has included integrated user administration. This function has been continually enhanced and now offers a number of possibilities for application. All user operations can be locked; even access to the Windows Desktop, and thus access to other applications, can be prevented. In addition to the user administration integrated into zenon, there is also the possibility to seamlessly integrate Windows domain users in all products. zenon thus integrates perfectly into a centrally-administered and centrally-monitored user infrastructure. All passwords and user information are, of course, stored in encrypted form in the whole system and also transferred in encrypted form within the zenon network.
How does zenon secure information that is sent over the network?
In principle, we use COPA-DATA’s own network protocol to communicate between the individual zenon products. This is characterised by high performance and the security features that have already been integrated. All data is transferred to separate binary data packages and machine-readable information in plain text is never communicated in the complete communication concept; data packages are always encrypted. In addition, users can decide to use strong encryption via the protocol. Further client authentication at the connection setup stage also prevents access to the zenon network.
Does zenon secure my complete network?
A number of different IT systems are usually used in production. This starts at field level with different controllers and smart meters and sensors, covers superordinate control, in which other components such as databases are frequently present, and reaches to the MES level or ERP system level and the components there. It is therefore not sufficient to consider zenon individually; one must take a holistic approach to security. Taking an effective and thorough approach to security means the complete IT system with all its components, protocols, interfaces and access possibilities must be considered.
Is the communication to the PLC also encrypted?
This depends on the communication protocols used, and also on the PLC hardware used. COPA-DATA develops all native communication protocols itself. Our experts therefore have excellent specialist knowledge of the protocols, interfaces and devices of different manufacturers. Where envisaged in the protocol specification, our drivers support the modern concepts of authentication or certificate handling. Details about this can be found in the respective driver documentation.
What security standards does zenon support?
There are various standards which relate to industrial security (such as IEC 27001). Most consider the complete IT system, including all components, people and processes. Many prescribe only very general process guidelines, which COPA-DATA naturally meets. The most important elements are documented and proven development processes. Together with employees at TÜV SÜD, we are currently dealing with the IEC 62443 standard, which goes into the specifics of the automation industry in more detail and prescribes more than just general industrial security guidelines (see illustration). In spring 2015 we started a joint project, as part of which we are aiming to achieve company and product certification in accordance with this standard.
Can an attacker change the zenon program or project files?
In principle, physical or administrative access to the file system by an unauthorised user is more or less equivalent to the security worst-case scenario. zenon can only protect itself to a limited extent in this case, most of all because fundamental operating system components can be manipulated or destroyed. In accordance with our “Security by Design” strategy, we have implemented the best possible prevention for this.
One of the most important mechanisms is the signing of the COPA-DATA product files. All program files that we have supplied through the official installation medium are monitored by an integrated VeriSign certificate. In this way external security tools, and also zenon itself, can monitor whether the files are genuine. Manipulated files are recognised and the user is informed immediately. The existing setups are of course signed with hash codes and can thus be checked to see if they are genuine.
For your projects and project data, we recommend that projects are protected by a user with a password, in order to prevent access to critical information in the project configuration files or the manipulation of them. In general, a critical examination should take place to examine who gets authorisation to amend a project on the productive Runtime system and whether it is necessary to also amend data by means of remote access.
How can COPA-DATA support me with my security setups and requirements?
We have considered security questions for many years. Many ideas and concepts have been incorporated into our products in this time. It isn’t only zenon’s features that contribute to a secure environment. However, it is, most of all, open communication and documentation, cooperation with external expert organisations such as TÜV SÜD, various universities and public institutions such as CERT, which contribute to our continuous improvement. In addition to open dialogue about the subject of security, we also offer our customers specific hardening guidelines for zenon and your IT infrastructure.