Dr. Johan Åkerberg, ABB Corporate Research, Sweden, 2014-11-20 Communication in Industrial Automation


Communication in Industrial Automation

Outline

§ Industrial Applications

§ Industrial Automation

§ Safety vs. Security

§ Safety Critical Communication

§ Cyber Security in Industrial Applications

§ Industrial Wireless Communication

§ Safety Critical Wireless Communication

§ Concluding Remarks

January 26, 2015 | Slide 2

Industrial Applications

January 26, 2015 | Slide 4

Industrial Applications: What is meant by Industry?

Industrial Applications: Examples of Power Systems

Grid stabilization and long-distance power transmission with low power losses

January 26, 2015 | Slide 5

Industrial Applications: Examples of Substation Automation

Continuous electrification and load management of cities and industries

January 26, 2015 | Slide 6

Industrial Applications: Process Automation

§ Definition:

§ “Process manufacturing is the branch of manufacturing that is associated with formulas and manufacturing recipes”

§ Once an output is produced by the process, it cannot be distilled back to its basic components

§ Examples: paper, steel, petrol, food, etc.

Industrial Applications: Examples of Process Automation

Continuously stabilizing unstable and unsafe processes

January 26, 2015 | Slide 8

Industrial Applications: Discrete Automation

§ Definition:

§ “In discrete manufacturing, the manufacturing floor works off orders to build something”

§ Output is easier to “distill” back to original components

§ Examples: cars, consumer electronics, etc.

Industrial Applications: Examples of Discrete Automation

High speed assembly, packaging and palletizing

January 26, 2015 | Slide 10

Industrial Automation

Industrial Automation: The Control Pyramid

Several products and protocols in order to meet the requirements

January 26, 2015 | Slide 12

Industrial Automation: Fieldbus Communication

• The distributed control systems collect information from the process in order to control and actuate using, for example:

• High voltage to low voltage switchgears

• Electrical machines ranging from MW to kW

• Process instrumentation and control valves

Installed equipment worth multiple billions has an expected lifetime of up to 20 years, and only subsystems are upgraded due to cost issues

January 26, 2015 | Slide 13

Industrial Automation: Basic Properties

§ Safety and Security

§ High availability, redundancy protocols

§ Deterministic communication

§ Low latency and jitter

§ Efficient deployment and maintenance

§ Flexible topologies

§ High throughput

Often contradicting requirements!

January 26, 2015 | Slide 14

Industrial Automation: Controlling Machinery and Processes

Failsafe mode

Protect worker safety and Return on Investment

January 26, 2015 | Slides 15–19

Industrial Applications: Examples of Different Communication Requirements

Application Domain        Update Rate        Nodes / 10 m²
Process Automation        10 – 1000 ms       1 – 20
Factory Automation        500 µs – 100 ms    20 – 100
Substation Automation     250 µs – 50 ms     1 – 10
High Voltage DC control   10 – 100 µs        300 – 500

These numbers include processing time for crypto, etc.!

January 26, 2015 | Slide 20

Industrial Automation: Where do we come from?

§ A journey from electromechanical relays

§ to centralized control systems and

§ today decentralized control systems

Many plants have two or three generations of systems in operation

January 26, 2015 | Slide 21

Industrial Automation: Communication Networks

(Timeline figure, 1980s – 1990s – 2000s, with axis labels "100 ms" and "µs-ms" and an "Ethernet Penetration" trend. Labels on the figure: Common physical layer; Single network technology; Integrated switching; Legacy network integration; Technical advances. Technologies placed on the timeline: Phone modems, HVPLC, Fiber optics, Public cellular, Internet technologies, Fieldbus Foundation, PROFINET IO, IEC-61850, EtherCAT, EtherNet/IP.)

January 26, 2015 | Slide 22

January 26, 2015 | Slide 23

Industrial Automation: Communication Architecture in Process Automation

January 26, 2015 | Slide 24

Industrial Automation: Basics of PROFINET IO

§ PROFINET IO uses switched 100 Mbit/s Ethernet networks to transmit both real-time and non real-time data

§ For non real-time data, Remote Procedure Calls are used on top of UDP/IP

§ For real-time data, PROFINET IO defines a layer on top of the Ethernet layer

§ Both unicast and multicast communication are possible for real-time data

(Figure: an Application Relationship consists of a Record Data CR, an IO Data CR and an Alarm CR, carried over the UDP Channel (context, diagnostics), the RT Channel (IO Data) and the RT Channel (Alarms) respectively.)

January 26, 2015 | Slide 25

Industrial Automation: Basics of PROFINET IO

§ PROFINET IO devices are modeled in an XML file, the General Station Description Markup Language (GSDML) file

§ The GSDML file is imported into the control system and knowledge is gained regarding the devices:

§ Modules and Submodules

§ Parameters

§ Data types


Industrial Automation: The OSI model

January 26, 2015 | Slide 28

Industrial Automation: Example of Architecture and its Adaptation Layers

January 26, 2015 | Slide 29

Safety vs. Security

Safety vs. Security: Why safety for industrial automation?

Because I care about the environment and worker safety!

January 26, 2015 | Slide 31

Safety vs. Security: Why security for industrial automation?

Because I cannot unplug the correct network cable in time?

January 26, 2015 | Slide 32

Safety vs. Security

§ Safety

  § To reduce the risk of damage to person, property or environment

  § All possible error cases are determined pre-runtime, and must not change over time

  § Examples: A faulty device causes environmental pollution or an uncontrolled chemical process

  § Examples of solutions: Diagnostics, redundancy, voting, and hardware and software diversity

§ Security

  § To reduce the risk of unauthorized access or sabotage to a system

  § Security threats will change over time

  § Examples: A deliberate security attack causes loss of production or degraded production

  § Examples of solutions: cryptography, firewalls, intrusion detection systems

January 26, 2015 | Slide 33

Safety vs. Security: How to deal with this?

January 26, 2015 | Slide 34

Safety Critical Communication

Safety Critical Communication: The Safety Function Response Time (SFRT)

January 26, 2015 | Slide 36

January 26, 2015 | Slide 37

Safety Critical Communication: The Principle of the Black Channel

§ PROFIsafe is based on the experiences from the railway signaling domain and is documented in IEC 62280-1/2

§ Safe and standard applications can share the same standard PROFIBUS/PROFINET communication system

§ The communication system can be excluded from functional safety certification

§ PROFIsafe is certified for Safety Integrity Level 3

(Figure: a safety application and a standard application on each side share the same PROFIBUS/PROFINET communication system, the "Black Channel"; the safety applications communicate through the PROFIsafe safety profile layered on top of it.)

January 26, 2015 | Slide 38

Safety Critical Communication: PROFIsafe – Identified Communication Errors

January 26, 2015 | Slide 39

Safety Critical Communication: PROFIsafe - Deployed Safety Measures

January 26, 2015 | Slide 41

Safety Critical Communication: PROFIsafe - Safety Container Structure

§ A PROFIBUS or PROFINET IO real-time frame can contain one or more PROFIsafe containers

§ There are different requirements for processing speed and number of I/O, so there are two modes of operation:

  § safety I/O data up to 12 bytes together with a 24-bit CRC2, or

  § safety I/O data up to 123 bytes together with a 32-bit CRC2.

PROFIsafe Container:

  F input/output data     Status / control byte     CRC2
  Max. 12 / 123 Bytes     1 Byte                    3 / 4 Bytes

Safety Critical Communication: PROFIsafe - Consistency Check of Safety Container

January 26, 2015 | Slide 42

§ The safe host and the safe device/modules produce a 2-byte CRC1 signature over the safety parameters (F-Parameters)

§ Only the CRC2 is calculated for each cyclic PROFIsafe container

(Figure: CRC2 consistency check over the safety container)

  F-Parameters     → CRC1, 2 Bytes, used as initial value for CRC2
  VCN              F-Host Consecutive Number, 3 Bytes
  F-Output data    Max. 12 or 123 octets
  Control Byte     1 Byte, carries the Toggle Bit
  CRC2             3 or 4 Bytes, across F-Output data, F-Parameters and VCN

January 26, 2015 | Slide 43

Safety Critical Communication: PROFIsafe - Virtual Consecutive Number

§ The consecutive number is not visible in the safety container, thus called virtual consecutive number

§ 24-bit counter, wrapping over to 1 at the end. Number 0 is reserved for error conditions and synchronization

§ The toggle bit in the Control/Status byte indicates an increment at each edge

(Figure: F-Host Consecutive Number 0, 1, 2, 3, 4, 5 and F-Device Consecutive Number 0, 1, 2, 3, 4, each increment aligned with an edge of Toggle_h (from F-Host) respectively Toggle_d (from F-Device).)
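A model of the container structure, the CRC2 consistency check and the virtual consecutive number described on the three PROFIsafe slides above, added here as an illustrative example; it is not PROFIsafe's own algorithm nor ABB's code. The CRC (zlib's CRC-32, truncated to 16 bits for CRC1), the position of the toggle bit in the control byte, the byte order, the 4-byte CRC2 mode and the restriction to the host-to-device direction are assumptions made for the demonstration.

```python
import zlib

TOGGLE_BIT = 0x20            # assumed position of the Toggle Bit in the control byte
VCN_MAX = (1 << 24) - 1      # 24-bit virtual consecutive number; value 0 is reserved


def crc1(f_parameters: bytes) -> int:
    """2-byte signature over the F-Parameters (modelled with a truncated CRC-32)."""
    return zlib.crc32(f_parameters) & 0xFFFF


def next_vcn(vcn: int) -> int:
    """Advance the 24-bit counter; it wraps to 1, never to the reserved value 0."""
    return 1 if vcn >= VCN_MAX else vcn + 1


def crc2(f_data: bytes, f_parameters: bytes, vcn: int) -> int:
    """CRC2 across F-data and the VCN, seeded with CRC1 so the F-Parameters are covered too."""
    return zlib.crc32(f_data + vcn.to_bytes(3, "big"), crc1(f_parameters))


class FHost:
    """Builds containers: F-data | control byte (toggle) | 4-byte CRC2. The VCN is never sent."""
    def __init__(self, f_parameters: bytes):
        self.params, self.vcn, self.toggle = f_parameters, 0, 0

    def send(self, f_data: bytes) -> bytes:
        self.vcn = next_vcn(self.vcn)
        self.toggle ^= 1                      # one toggle edge per new container
        control = TOGGLE_BIT if self.toggle else 0
        return f_data + bytes([control]) + crc2(f_data, self.params, self.vcn).to_bytes(4, "big")


class FDevice:
    """Reconstructs the VCN from toggle edges and verifies CRC2; None means fail-safe state."""
    def __init__(self, f_parameters: bytes):
        self.params, self.vcn, self.last_toggle = f_parameters, 0, 0

    def receive(self, container: bytes):
        f_data, control = container[:-5], container[-5]
        received_crc = int.from_bytes(container[-4:], "big")
        toggle = 1 if control & TOGGLE_BIT else 0
        if toggle == self.last_toggle:        # no edge: repeated or stale container
            return None
        expected_vcn = next_vcn(self.vcn)     # the virtual counter advances on each edge
        if crc2(f_data, self.params, expected_vcn) != received_crc:
            return None                       # corruption, insertion or F-Parameter mismatch
        self.vcn, self.last_toggle = expected_vcn, toggle
        return f_data
```

A repeated container (no toggle edge), a corrupted data byte, or a device parameterized with different F-Parameters all fail the check and the device stays in its fail-safe state; the check carries no secret, which is why the slides below treat it as a safety measure rather than a security one.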

Cyber Security in Industrial Applications

Cyber Security in Industrial Applications: The need for secure systems and communication

§ Firewalls

§ Intrusion Detection Systems

§ Access Control / User Account Mgmt

§ Antivirus

§ Whitelisting

§ Secure Communication

§ Code Signing

Classical security mechanisms are necessary, but no longer sufficient.

January 26, 2015 | Slide 45

Cyber Security in Industrial Applications: From the Product Lifecycle to the Plant Lifecycle

Product Lifecycle:  Design → Implementation → Verification → Release → Support
Project Lifecycle:  Design → Engineering → FAT → Commissioning → SAT
Plant Lifecycle:    Operation → Maintenance → Review → Upgrade

January 26, 2015 | Slide 46

Cyber Security in Industrial Applications: Challenges

§ Why not apply security best practices from the IT domain directly?

  § We do, but locking down systems for the sake of security might have a negative impact on safety

  § Patching 10,000 – 30,000 embedded systems in a plant every year hampers the production rate

§ How to keep things secure with all the different actors involved over the complete lifecycle of a plant?

  § Maintenance and commissioning personnel are not crypto experts, but process experts

  § They cannot enter an RSA key pair in a device or install digital certificates on New Year’s Eve when the plant manager demands full production after a component failure

January 26, 2015 | Slide 47

Cyber Security in Industrial Applications: Challenges

§ How to deal with key distribution over the complete lifecycle, with different vendors over time?

§ Most security solutions demand ”out-of-channel” communication to establish a secure channel; this is challenging in high availability systems

§ Solutions are needed that deal with multiple involved parties over time

§ Security/cryptography is all about trust, so whom to trust then?

§ Most likely one-solution-fits-all is not feasible

§ How to deal with trust over 20-30 years of operation, while vendors are entering and leaving the plant due to competition and market economics?

January 26, 2015 | Slide 48

January 26, 2015 | Slide 49

Cyber Security in Industrial Applications: PROFINET is vulnerable to man-in-the-middle attacks

§ We have shown that it is possible to deploy a man-in-the-middle attack on PROFINET IO from IEC 61784 and IEC 61158 and change process data without any peer detecting the attack

§ In case of identified security threats and vulnerabilities, how to guarantee safety?

(Figure: two sequence diagrams of the cyclic exchange between Controller and Device over period time. Left, without interference: cycles n, n+1, n+2, n+3. Right, after ARP-poisoning by the Attacker: cycles n+1 and n+2 are each shown twice, passing through the Attacker, which runs its own cycle counter m, m+1.)

January 26, 2015 | Slide 50

Cyber Security in Industrial Applications: PROFIsafe is vulnerable to man-in-the-middle attacks

§ We have shown that it is possible to deploy a man-in-the-middle attack on a SIL3 certified implementation of PROFIsafe from IEC 61784, and change safety-related process data without any peer detecting the attack

§ Safety does not necessarily include security

(Figure: the PROFIsafe consistency-check diagram repeated: F-Parameters → CRC1 (2 Bytes) as initial value for CRC2; VCN, the F-Host Consecutive Number (3 Bytes); F-Output data, max. 12 or 123 octets; Control Byte (1 Byte) with Toggle Bit; CRC2 (3 or 4 Bytes) across F-Output data, F-Parameters and VCN.)

Cyber Security in Industrial Applications: Remarks

§ Security is important, but remember that

  § Security should be deployed based on a risk/benefit assessment

  § Example: IEC 61850 with RSA crypto

§ Security is a process and not a state you enter

  § How to deal with trust and privacy during a plant lifetime of more than 20-30 years

§ ”Air-gaps” will not keep you secure

  § Use multiple countermeasures, defense in depth and hide information from possible attackers

§ Security is not better than the weakest link

  § Will an adversary stubbornly try to get through the armored main gate, or be scared by a formal proof on an abstract level?

  § And is in most cases based upon the assumption of ”computationally infeasible”

January 26, 2015 | Slide 51

Cyber Security in Industrial Applications: Remarks

§ The safest and most secure critical infrastructure is the one that is never taken into operation!

§ But that would be the worst multi-billion investment ever…

§ So, should we go back to electromechanical relays?

§ Or will it be more cost efficient to secure the real-time embedded systems that control critical infrastructure?

§ But more important, just because we can add, for example, technologies like IoT, IPv6, Cloud, M2M, etc., are the benefits worth the risks?

January 26, 2015 | Slide 52