The document discusses cyber security standards and threats in industrial networks. It describes the IEC 62443 standard for securing industrial networks and discusses levels of security it provides. The document also summarizes WoMaster's cyber security solutions, including secure remote access, multi-level authentication, ACLs, DHCP snooping, and DDoS prevention in line with IEC 62443 requirements to secure industrial IoT networks. WoMaster's solutions integrate software and hardware for comprehensive protection against cyber threats.
The New Era of Cyber Security: IEC62443
Yohan / FAE Engineer
White Paper
1. Background
For the past few years, cyber security has found itself at the center of international
conversations. It was part of presidential debates, it determined elections, data breaches were
front-page news, it temporarily shut down major companies, and the world saw huge increases in
both attacks and spending. One of the biggest cyber security headlines of 2010 reported that the
Stuxnet worm first emerged during the summer of 2010 and attacked the Bushehr nuclear plant in
Iran: 20% of the centrifuges were broken and more than 45,000 network devices were infected.
Stuxnet was a 500-kilobyte computer worm that infiltrated numerous computer systems. The worm
was first detected in June by a security firm based in Belarus, but may have been circulating since
2009. Unlike most viruses, it targets systems that are traditionally not connected to the Internet
for security reasons. Instead it infects Windows machines via USB keys, commonly used to move
files around, that carry the malware. Once it has infected a machine on a firm's internal network,
it seeks out a specific configuration of industrial control software made by Siemens. Once
hijacked, the code can reprogram so-called PLC (programmable logic controller) software to give
attached industrial machinery new instructions.
Picture Source: Extreme Tech
The other case is from Ukraine, where an attack on the power system left over 1.4 million people
without power for 3 hours. In total, up to 73 MWh of electricity was not supplied (or 0.015% of
daily electricity consumption in Ukraine). As the cases above show, cyber-attacks should be a big
concern for the IIoT industry.
2. Securing Industrial Networks with the Cyber Security IEC 62443 Standard
As demand for the Industrial IoT (IIoT) continues to grow, industrial networks face many
new challenges as they become accessible over the public Internet. While this enhances
operational efficiency, it also brings more cyber security threats, and governments and
enterprises are increasingly concerned about the potential damage.
The IEC 62443 standard includes up-to-date security guidelines and a list of best practices
for different parts of a network. It also includes information for those who perform
different responsibilities on the network, in order to protect against known security leaks
and unknown attacks. The ultimate goal of the standard is to improve the safety of
networks and enhance the security of industrial automation and control settings.
IEC 62443-4-1, Product Development Requirements, specifies process requirements for
the secure development of products used in an IACS (industrial automation and control
system). It defines a secure development life-cycle for developing and maintaining secure
products. This life-cycle includes training, security requirements definition, secure design,
secure implementation, verification and validation, release, defect management and patch
management. These requirements can be applied to new or existing processes for
developing, maintaining and retiring hardware, software or firmware for new or existing
products. The requirements apply to the developer and maintainer of a product, but not to
the integrator or user of the product.
In the last decade, the implementation of Industrial Ethernet has become the most influential
and transformative phenomenon, and it is now evolving into a highly digitalized and data-driven
infrastructure referred to as the Industrial Internet of Things (IIoT). To address and resolve
the growing threat of closed industrial networks being accessed and influenced over the
public Internet, WoMaster, as a trusted and highly experienced partner of industrial
automation and system control integrators, developed and introduced to the market
innovative advanced cyber security solutions for industrial networks.
By deploying WoMaster’s Industrial M2M solutions, the network is completely protected
from currently existing threats at the following levels:
Level 1 – accidental unauthenticated access
Level 2 – the most common attacks experienced by system integrators
Level 3/4 – intentional access by hackers who utilize specific skills and tools
From the viewpoint of cyber security experts, the major cyber security threats that can
affect internal networks include unauthorized access, unsecured data transmission,
unencrypted key data, incomplete event logs, and operational errors.
3. Facing New Cyber Risks with Industry 4.0
Today we stand at the beginning of the fourth industrial revolution. The most commonly used
terms to describe this era, which is rapidly changing industry, are Industry 4.0, smart
manufacturing, the Internet of Things, cyber-physical systems and digital transformation.
Picture Source: Simio
The world is evolving more rapidly than ever before. As the adoption of digital technologies
continues to move at a fast pace, organizations are seeking to transform rapidly. Moreover, a new
economic order is emerging, where established manufacturers have to deal with both large digital
organizations and innovative start-ups, each determined to build new revenue models. New
technologies, new products and services and new business models can be disruptive. In this
scenario, adopting Industry 4.0 principles becomes a necessity, and tomorrow’s leaders need
to be prepared to embrace a different corporate structure.
In fact, it is estimated that companies all around the world will have implemented Industry 4.0
solutions in all important business divisions. Flexible, lean manufacturing delivered by the
industrial Internet is predicted to increase productivity and resource efficiency by 18% in the next
five years and reduce inventories and costs by some 2.6% annually. While the integration of
systems that were once separate benefits manufacturers, it also carries risks, in particular to
security. Processes that were once isolated are now vulnerable to cyber-attack, both directly and
indirectly.
Industry 4.0 is getting more impressive with Cloud technology. The adoption of Cloud
technology offers central benefits to industrial enterprises: cost reduction, central data access for
planning and control, speed, and much more.
From the security side, encryption is hardly a new technology, but historically encrypted data was
stored on servers which resided on premises over which the data owner had direct control.
WoMaster is equipped with cloud technology and the best encryption methods, AES 256-bit /
3DES 168-bit / DES 64-bit, so data safety is no longer a worry.
The figure above shows how the data is kept secure as it is sent from the laptop up to the
cloud and then out to the mobile phone. WoMaster secures the data by encrypting it before it is
sent to the cloud and keeping it encrypted while it is sent on to the endpoint. This protects
against any kind of attack or hacker who tries to access our data.
4. The Defense in Depth Approach
WoMaster products have adopted the Defense in Depth approach: the concept of protecting a
computer network with a series of defensive mechanisms such that if one mechanism fails,
another will already be in place to prevent an attack. Because there are so many potential
attackers with such a wide variety of attack methods available, there is no single method for
successfully protecting a computer network. Utilizing the strategy of defense in depth will reduce
the risk of a successful, and likely very costly, attack on a network.
A well-designed strategy of this kind can also help system administrators and security personnel
identify people who attempt to compromise a computer, server, proprietary network or ISP
(Internet service provider). If a hacker gains access to a system, defense in depth minimizes the
adverse impact and this situation gives administrators and engineers time to deploy new or
updated countermeasures to prevent recurrence. Components of defense in depth include
antivirus software, firewalls, anti-spyware programs, hierarchical passwords, DMZ, VPN Tunnel
and many more.
No single security measure can adequately protect a network; there are simply too many methods
available to an attacker for this to work. Likewise, policies and procedures do not mean anything
to an attacker from the outside but should be part of the plan to protect a network from insiders.
Implementing a strategy of defense in depth will hopefully defeat or discourage all kinds of
attackers. Firewalls, intrusion detection systems, well-trained users, policies and procedures,
switched networks, strong passwords and good physical security are examples of some of the
things that go into an effective security plan. By itself, each of these mechanisms is of little
value, but implemented together they become much more valuable as part of an overall security
plan.
5. IEC62443-4-2 Level 2 Security
(1) Secure Remote Access
WoMaster provides IPsec and OpenVPN features to make sure the data transmission
between LAN and WAN is secured and encrypted. For IPsec and OpenVPN, WoMaster
supports multiple networks, such as a hybrid network, where the VPN connection can facilitate
secure remote access from the public network to the LAN with secure authentication. With this
secure remote access, no one can access the remote site except the operators who pass the
authentication step.
For example, network operators based at a central location need to be able to remotely
access each data provider for both monitoring and control purposes. Network operators
based in the central control room often have to use the Internet to gain access to the remote
sites. The gateway that functions as a firewall and authenticator to the network must support
VPN functionality. VPNs can filter IP packets that are sent through the virtual encrypted
connection that connects the data provider at remote locations with the centralized control
center. Networks that support remote access allow operators to save travel time, reduce
costs, and also decrease the likelihood of system downtime by making it easier to
support predictive maintenance. Although there are multiple VPN technologies available,
IPsec is the most widely used protocol. The reason why IPsec is the most frequently used
protocol is because it sets up a secure channel over multiple networks that can be private,
public, or a combination of private and public networks. IPsec supports secure authentication
and data integrity, which are the two key requirements when transferring packets on
industrial networks. Therefore, using IPsec guarantees that control and monitoring data is
protected through its strong encryption methods.
(2) IEEE 802.1X MAB (MAC Authentication Bypass)
MAB enables port-based access control for endpoints that cannot run an 802.1X supplicant:
802.1X is bypassed and the endpoint's MAC address is authenticated against the
TACACS+/RADIUS server instead. Prior to MAB, the endpoint's (e.g. a PLC's) identity is unknown
and all traffic is blocked. The switch examines a single packet to learn and authenticate the
source MAC address. After MAB succeeds, the endpoint's identity is known and all traffic from
that endpoint is allowed. The switch performs source MAC address filtering to help ensure that
only the MAB-authenticated endpoint is allowed to send traffic.
(3) Advanced Port Based Security
In addition to MAB, the authentication can also be done by the pre-configured static or
auto-learn MAC address table in the switch.
• MAC address Auto Learning enables the switch to be programmed to learn (and to
authorize) a preconfigured number of the first source MAC addresses encountered
on a secure port. This enables the capture of the appropriate secure addresses
when first configuring MAC address-based authorization on a port. Those MAC
addresses are automatically inserted into the Static MAC Address Table and
remain there until explicitly removed by the user.
• Port security is further enhanced by the Sticky MAC setting. If Sticky MAC is
activated, the MACs/devices authorized on the port "stick" to that port and the
switch will not allow them to move to a different port.
• Port Shutdown Time allows users to specify the time period for which the port is
automatically shut down if a security violation event occurs.
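The three port-security behaviours listed above (a learn limit on first-seen source MACs, sticky MACs that may not move to another port, and an automatic shutdown period after a violation) are easiest to reason about as a small state machine. The following Python model is an added illustration and is not WoMaster switch firmware; the class names, the `ingress` method and the constructed MAC addresses are assumptions made for the example.

```python
"""Toy model of port security: MAC auto-learning up to a limit, sticky MACs,
and auto-shutdown of the port after a violation. Illustrative only."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    max_learn: int = 1            # how many source MACs may be auto-learned
    sticky: bool = True           # learned MACs are pinned to this port
    shutdown_time: int = 60       # seconds the port stays down after a violation
    allowed: set = field(default_factory=set)
    shutdown_until: int = 0       # timestamp; 0 means the port is up


class PortSecuritySwitch:
    def __init__(self):
        self.ports: dict[str, SecurePort] = {}
        self.mac_to_port: dict[str, str] = {}   # sticky MAC -> owning port
        self.log: list[str] = []

    def add_port(self, port: SecurePort):
        self.ports[port.name] = port

    def ingress(self, port_name: str, src_mac: str, now: int) -> bool:
        """Return True if a frame with src_mac may be forwarded from port_name."""
        port = self.ports[port_name]
        if now < port.shutdown_until:
            self.log.append(f"{port_name}: dropped {src_mac}, port is shut down")
            return False
        if src_mac in port.allowed:
            return True
        # Sticky check: a MAC already bound to another port is a violation here.
        bound = self.mac_to_port.get(src_mac)
        if bound is not None and bound != port_name:
            return self._violation(port, src_mac, now, f"sticky MAC bound to {bound}")
        # Auto-learn the first max_learn source MACs seen on the port.
        if len(port.allowed) < port.max_learn:
            port.allowed.add(src_mac)
            if port.sticky:
                self.mac_to_port[src_mac] = port_name
            self.log.append(f"{port_name}: learned {src_mac}")
            return True
        return self._violation(port, src_mac, now, "learn limit reached")

    def _violation(self, port: SecurePort, src_mac: str, now: int, why: str) -> bool:
        port.shutdown_until = now + port.shutdown_time
        self.log.append(f"{port.name}: violation by {src_mac} ({why}); "
                        f"shut down until t={port.shutdown_until}")
        return False


def demo() -> list:
    """Walk a PLC and an unknown device through two secure ports (constructed MACs)."""
    sw = PortSecuritySwitch()
    sw.add_port(SecurePort("ge1", max_learn=1))
    sw.add_port(SecurePort("ge2", max_learn=1))
    plc = "00:11:22:33:44:55"      # constructed
    unknown = "de:ad:be:ef:00:01"  # constructed
    return [
        sw.ingress("ge1", plc, now=0),       # first MAC on ge1: learned, allowed
        sw.ingress("ge1", plc, now=1),       # already authorized
        sw.ingress("ge1", unknown, now=2),   # learn limit hit: violation, ge1 shut down
        sw.ingress("ge1", plc, now=3),       # even the PLC is dropped while ge1 is down
        sw.ingress("ge2", plc, now=4),       # sticky MAC moved to ge2: violation
        sw.ingress("ge1", plc, now=70),      # shutdown period over: PLC allowed again
    ]


if __name__ == "__main__":
    print(demo())
    print("\n".join(PortSecuritySwitch().log or []))
```

Note how the shutdown period punishes the whole port, including the legitimate PLC, for the duration: that is the trade-off the Port Shutdown Time setting lets an operator tune.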
(4) Multi-Level User Passwords
Different centralized authentication servers are supported, such as RADIUS and TACACS+.
Using a central authentication server simplifies account administration, in particular
when you have more than one switch in the network.
Authentication Chain is also supported. An authentication chain is an ordered list of
authentication methods to handle more advanced authentication scenarios. For
example, you can create an authentication chain which first contacts a RADIUS server,
and then looks in a local database if the RADIUS server does not respond.
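The important detail in the authentication-chain example above is that the local database is consulted only when the RADIUS server does not respond, not when it rejects the credentials; otherwise an attacker could get a second chance against a weaker local password. The following Python sketch is an added illustration and not WoMaster's implementation; the fake RADIUS stand-in, the `ServerUnavailable` exception and the constructed user names and passwords are assumptions.

```python
"""Ordered authentication chain: fall through to the next method only when the
current one cannot answer (server unreachable), never when it says 'no'."""
import hashlib
import hmac
import os


class ServerUnavailable(Exception):
    """Raised when a remote authentication server does not respond."""


class FakeRadius:
    """Stand-in for a RADIUS/TACACS+ server; up=False simulates a timeout."""

    def __init__(self, users: dict, up: bool = True):
        self.users, self.up = users, up

    def authenticate(self, user: str, password: str) -> bool:
        if not self.up:
            raise ServerUnavailable("radius timeout")
        return self.users.get(user) == password


class LocalDatabase:
    """Local fallback store holding salted SHA-256 password digests."""

    def __init__(self):
        self._store = {}

    def add_user(self, user: str, password: str):
        salt = os.urandom(16)
        self._store[user] = (salt, hashlib.sha256(salt + password.encode()).digest())

    def authenticate(self, user: str, password: str) -> bool:
        if user not in self._store:
            return False
        salt, digest = self._store[user]
        candidate = hashlib.sha256(salt + password.encode()).digest()
        return hmac.compare_digest(digest, candidate)


def authenticate_chain(chain: list, user: str, password: str):
    """Try each method in order; return (granted, name of the method that decided)."""
    for method in chain:
        try:
            return method.authenticate(user, password), type(method).__name__
        except ServerUnavailable:
            continue   # only an unresponsive server hands off to the next method
    return False, None  # nothing could answer: deny


def build_demo_chain(radius_up: bool) -> list:
    """RADIUS first, local database second (constructed accounts)."""
    radius = FakeRadius({"operator": "radius-pw"}, up=radius_up)
    local = LocalDatabase()
    local.add_user("operator", "local-pw")
    return [radius, local]


if __name__ == "__main__":
    print(authenticate_chain(build_demo_chain(True), "operator", "radius-pw"))
    print(authenticate_chain(build_demo_chain(False), "operator", "local-pw"))
```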
6. IEC62443-4-2 Level 3/4 Security
(1) DHCP Snooping
DHCP snooping acts like a firewall between untrusted hosts and trusted DHCP servers.
It performs the following activities:
• Validates DHCP messages received from untrusted sources and filters out invalid
messages.
• Rate-limits DHCP traffic from trusted and untrusted sources.
• Builds and maintains the DHCP snooping binding database, which contains
information about untrusted hosts with leased IP addresses.
• Utilizes the DHCP snooping binding database to validate subsequent requests from
untrusted hosts.
DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all
VLANs.
(2) Dynamic ARP Inspection (DAI)
DAI validates the ARP packets in a network. DAI intercepts, logs, and discards ARP
packets with invalid IP-to-MAC address bindings. This capability protects the network
from some man-in-the-middle attacks.
DAI ensures that only valid ARP requests and responses are relayed. The switch
performs these activities:
• Intercepts all ARP requests and responses on untrusted ports
• Verifies that each of these intercepted packets has a valid IP-to-MAC address
binding before updating the local ARP cache or before forwarding the packet to
the appropriate destination
• Drops invalid ARP packets
DAI determines the validity of an ARP packet based on valid IP-to-MAC address
bindings stored in a trusted database, the DHCP snooping binding database. This
database is built by DHCP snooping if DHCP snooping is enabled on the VLANs and on
the switch. If the ARP packet is received on a trusted interface, the switch forwards
the packet without any checks. On untrusted interfaces, the switch forwards the
packet only if it is valid.
(3) IP Source Guard
IP Source Guard is a feature that blocks Layer 3 IP address spoofing and Layer 2 MAC
address spoofing on switches. It consults the DHCP snooping table and drops packets
whose addresses are spoofed. It provides source IP address filtering on a Layer 2
port to prevent a malicious host from impersonating a legitimate host by assuming the
legitimate host's IP address.
The feature uses dynamic DHCP snooping and static IP source binding to match IP
addresses to hosts on untrusted Layer 2 access ports. Initially, all IP traffic on the
protected port is blocked except for DHCP packets. After a client receives an IP
address from the DHCP server, or after static IP source binding is configured by the
administrator, all traffic with that IP source address is permitted from that client.
Traffic from other hosts is denied. This filtering limits a host's ability to attack the
network by claiming a neighbor host's IP address.
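DHCP snooping, Dynamic ARP Inspection and IP Source Guard, described in the three sections above, all hinge on one shared structure: the binding database that maps (VLAN, MAC) to the IP address the DHCP server actually leased. The following Python model shows that dependency end to end, from the ACK on the trusted uplink that creates a binding through the ARP and IP checks on untrusted ports. It is an added illustration and not WoMaster's implementation; the `Switch` class, the packet dictionaries, the port names and the MAC/IP values are constructed for the example.

```python
"""DHCP snooping binding table feeding Dynamic ARP Inspection (DAI) and
IP Source Guard (IPSG). Illustrative model over constructed packets."""
from dataclasses import dataclass, field


@dataclass
class Switch:
    trusted_ports: set                                  # uplink / DHCP-server facing
    bindings: dict = field(default_factory=dict)        # (vlan, mac) -> leased ip
    static_bindings: dict = field(default_factory=dict)  # admin-configured bindings
    log: list = field(default_factory=list)

    # --- DHCP snooping ---------------------------------------------------
    def dhcp(self, port: str, vlan: int, pkt: dict) -> bool:
        """Filter DHCP messages; learn leases from ACKs seen on trusted ports."""
        server_messages = {"OFFER", "ACK", "NAK"}
        if pkt["type"] in server_messages and port not in self.trusted_ports:
            self.log.append(f"drop DHCP {pkt['type']} from untrusted port {port}")
            return False
        if pkt["type"] == "ACK":
            self.bindings[(vlan, pkt["client_mac"])] = pkt["your_ip"]
        return True

    def _valid_binding(self, vlan: int, mac: str, ip: str) -> bool:
        return (self.bindings.get((vlan, mac)) == ip
                or self.static_bindings.get((vlan, mac)) == ip)

    # --- Dynamic ARP Inspection ----------------------------------------
    def arp(self, port: str, vlan: int, pkt: dict) -> bool:
        """Trusted ports are forwarded unchecked; others need a valid sender binding."""
        if port in self.trusted_ports:
            return True
        ok = self._valid_binding(vlan, pkt["sender_mac"], pkt["sender_ip"])
        if not ok:
            self.log.append(f"DAI drop on {port}: {pkt['sender_mac']} claims {pkt['sender_ip']}")
        return ok

    # --- IP Source Guard --------------------------------------------------
    def ip(self, port: str, vlan: int, pkt: dict) -> bool:
        """DHCP is always allowed so a client can obtain a lease; all else needs a binding."""
        if port in self.trusted_ports or pkt.get("is_dhcp"):
            return True
        ok = self._valid_binding(vlan, pkt["src_mac"], pkt["src_ip"])
        if not ok:
            self.log.append(f"IPSG drop on {port}: {pkt['src_mac']} as {pkt['src_ip']}")
        return ok


def demo() -> dict:
    """Constructed scenario: a PLC on ge1, another host on ge2, DHCP server behind the uplink."""
    sw = Switch(trusted_ports={"uplink"})
    plc, other = "00:11:22:33:44:55", "de:ad:be:ef:00:01"   # constructed MACs
    r = {}
    # A DHCP OFFER arriving on an access port can only be a rogue server: dropped.
    r["rogue_offer"] = sw.dhcp("ge2", 10, {"type": "OFFER", "client_mac": plc, "your_ip": "10.0.0.9"})
    # The real server's ACK comes in on the uplink and creates the binding.
    r["ack"] = sw.dhcp("uplink", 10, {"type": "ACK", "client_mac": plc, "your_ip": "10.0.0.5"})
    r["plc_arp"] = sw.arp("ge1", 10, {"sender_mac": plc, "sender_ip": "10.0.0.5"})
    # The host on ge2 answering ARP with the PLC's address has no binding: dropped.
    r["spoofed_arp"] = sw.arp("ge2", 10, {"sender_mac": other, "sender_ip": "10.0.0.5"})
    r["plc_ip"] = sw.ip("ge1", 10, {"src_mac": plc, "src_ip": "10.0.0.5"})
    r["spoofed_ip"] = sw.ip("ge2", 10, {"src_mac": other, "src_ip": "10.0.0.5"})
    # The same host is still allowed to ask DHCP for its own lease.
    r["discover_ok"] = sw.ip("ge2", 10, {"src_mac": other, "src_ip": "0.0.0.0", "is_dhcp": True})
    r["log"] = sw.log
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

A practical consequence visible in the model: a host with a static IP address that never talks to DHCP gets no binding and is dropped by both DAI and IPSG, which is exactly why the text mentions the administrator-configured static IP source binding.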
(4) Denial of Service (DoS) / Distributed DoS (DDoS) Prevention
A DoS attack is a malicious attempt by a single person or a group of people to cause
the victim, site, or node to deny service to its customers. When this attempt derives
from a single host of the network, it constitutes a DoS attack. On the other hand, it is
also possible that a lot of malicious hosts coordinate to flood the victim with an
abundance of attack packets, so that the attack takes place simultaneously from
multiple points. This type of attack is called a Distributed DoS, or DDoS attack.
To prevent DoS/DDoS attacks, WoMaster provides several protections:
• Illegal address check (IPv4/IPv6)
• Denial of Service detection/prevention
• Land packets (SIP = DIP)
• NullScan (TCP sequence number = 0, control bits = 0)
• SYN with sPort < 1025
• Ping flood (flood of ICMP packets) prevention
• SYN/SYN-ACK flooding prevention
• Smurf attack prevention
• Individual control over handling of DoS packets
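Several of the checks in the list above are pure per-packet predicates (land packet, NullScan, SYN with a source port below 1025), while flood protection needs state over time. The following Python classifier shows both kinds side by side, run over a constructed packet stream. It is an added illustration of the detection logic and not WoMaster's ASIC implementation; the packet dictionary fields, the `SynRateLimiter` class and the 100-SYN-per-second threshold are assumptions.

```python
"""Per-packet DoS predicates plus a sliding-window SYN-flood limiter.
Illustrative detection logic over constructed packets."""
from collections import deque

SYN, ACK = 0x02, 0x10   # TCP control bits


def land_packet(p: dict) -> bool:
    """Land attack signature: source and destination IP are identical."""
    return p["sip"] == p["dip"]


def null_scan(p: dict) -> bool:
    """NullScan: TCP with sequence number 0 and no control bits set."""
    return p["proto"] == "tcp" and p["seq"] == 0 and p["flags"] == 0


def syn_low_sport(p: dict) -> bool:
    """A pure SYN from a source port below 1025 is abnormal for a client."""
    return (p["proto"] == "tcp" and bool(p["flags"] & SYN)
            and not p["flags"] & ACK and p["sport"] < 1025)


class SynRateLimiter:
    """Flags a destination once more than `limit` pure SYNs hit it within `window` seconds."""

    def __init__(self, limit: int = 100, window: float = 1.0):
        self.limit, self.window = limit, window
        self.history = {}   # dip -> deque of SYN timestamps

    def exceeded(self, p: dict, now: float) -> bool:
        if not (p["proto"] == "tcp" and p["flags"] & SYN and not p["flags"] & ACK):
            return False
        q = self.history.setdefault(p["dip"], deque())
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) > self.limit


CHECKS = [("land", land_packet), ("null_scan", null_scan), ("syn_low_sport", syn_low_sport)]


def classify(packets: list, limiter: SynRateLimiter = None) -> list:
    """Return (index, reason) for every packet that trips a check; the rest is forwarded."""
    limiter = limiter or SynRateLimiter()
    hits = []
    for i, (ts, p) in enumerate(packets):
        for name, check in CHECKS:
            if check(p):
                hits.append((i, name))
                break
        else:
            if limiter.exceeded(p, ts):
                hits.append((i, "syn_flood"))
    return hits


def tcp(sip, dip, sport, dport, flags, seq=1) -> dict:
    return {"proto": "tcp", "sip": sip, "dip": dip, "sport": sport,
            "dport": dport, "flags": flags, "seq": seq}


def demo() -> list:
    """Constructed stream: three signature hits, one normal SYN, then a 150-SYN burst."""
    pkts = [
        (0.0, tcp("10.0.0.5", "10.0.0.5", 40000, 502, SYN)),       # land packet
        (0.1, tcp("10.0.0.7", "10.0.0.5", 40001, 502, 0, seq=0)),  # NullScan
        (0.2, tcp("10.0.0.7", "10.0.0.5", 80, 502, SYN)),          # SYN, sport < 1025
        (0.3, tcp("10.0.0.7", "10.0.0.5", 40002, 502, SYN)),       # ordinary SYN
    ]
    pkts += [(0.5 + k * 0.001, tcp(f"10.0.1.{k % 250}", "10.0.0.5", 30000 + k, 502, SYN))
             for k in range(150)]
    return classify(pkts, SynRateLimiter(limit=100, window=1.0))


if __name__ == "__main__":
    hits = demo()
    print(hits[:4], "...", len(hits), "packets flagged")
```

The limiter counts per destination rather than per source on purpose: a distributed flood comes from many sources, so a per-source counter would never trip.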
(5) IPv4/IPv6 Access Control List (ACL)
Packet filtering limits network traffic and restricts network use by certain users or
devices. ACLs filter traffic as it passes through a switch and permit or deny packets
crossing specified interfaces. An ACL is a sequential collection of permit and deny
conditions that apply to packets. When a packet is received on an interface, the switch
compares the fields in the packet against any applied ACLs to verify that the packet
has the required permissions to be forwarded, based on the criteria specified in the
access lists.
WoMaster supports L2-L7 ACLs, parsing up to 128 bytes/packet and L2-L7 packet
classification and filtering IPv4/IPv6 traffic, including TCP, User Datagram Protocol
(UDP), Internet Group Management Protocol (IGMP), and Internet Control Message
Protocol (ICMP). For HMI monitoring/SCADA, it has the capability to do deep
packet inspection of EtherNet/IP and Modbus TCP, allowing read-only packets and
discarding write packets.
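The two ideas in this section, a sequential first-match ACL and a Modbus TCP read-only filter, combine naturally: a permit rule for the HMI subnet can carry a "read-only" qualifier that is decided by looking at the Modbus function code, which sits directly after the 7-byte MBAP header. The Python below is an added illustration and not WoMaster's ACL engine; the `Rule` format, the `modbus_read_only` flag and the subnet and address values are assumptions. The Modbus function codes themselves are from the public Modbus specification.

```python
"""First-match ACL with a Modbus/TCP deep-inspection qualifier that permits read
function codes and denies writes. Illustrative model, not a real ACL engine."""
import ipaddress
import struct

# Modbus read-type function codes: 1 Read Coils, 2 Read Discrete Inputs,
# 3 Read Holding Registers, 4 Read Input Registers, 7 Read Exception Status,
# 17 Report Server ID, 20 Read File Record, 24 Read FIFO Queue.
# 23 (Read/Write Multiple Registers) writes too, so it is not listed.
MODBUS_READ_FC = {1, 2, 3, 4, 7, 17, 20, 24}


def modbus_function_code(payload: bytes):
    """Function code follows the MBAP header (tid, proto id, length, unit id = 7 bytes).
    Returns None if the frame is too short or the protocol id is not 0 (Modbus)."""
    if len(payload) < 8:
        return None
    _tid, proto_id, _length, _unit = struct.unpack("!HHHB", payload[:7])
    if proto_id != 0:
        return None
    return payload[7]


class Rule:
    def __init__(self, action, src, dst, proto=None, dport=None, modbus_read_only=False):
        self.action = action
        self.src, self.dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        self.proto, self.dport, self.modbus_read_only = proto, dport, modbus_read_only

    def matches(self, pkt: dict) -> bool:
        return (ipaddress.ip_address(pkt["sip"]) in self.src
                and ipaddress.ip_address(pkt["dip"]) in self.dst
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))


def evaluate(acl: list, pkt: dict):
    """First matching rule wins; falling off the end is an implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            if rule.action == "permit" and rule.modbus_read_only:
                fc = modbus_function_code(pkt.get("payload", b""))
                if fc is None or fc not in MODBUS_READ_FC:
                    return "deny", f"modbus function code {fc} is not read-only"
            return rule.action, "matched rule"
    return "deny", "implicit deny"


def modbus_frame(fc: int, unit: int = 1, tid: int = 1, body: bytes = b"\x00\x00\x00\x0a") -> bytes:
    """Build a Modbus/TCP frame: MBAP header then PDU (function code + body)."""
    pdu = bytes([fc]) + body
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed policy: HMI subnet may only read the PLC; one engineering station has full access.
ACL = [
    Rule("permit", "10.0.0.0/24", "10.0.1.10/32", "tcp", 502, modbus_read_only=True),
    Rule("permit", "10.0.2.5/32", "10.0.1.10/32", "tcp", 502),
]


def demo() -> dict:
    def hmi(fc):
        return {"sip": "10.0.0.20", "dip": "10.0.1.10", "proto": "tcp", "dport": 502,
                "payload": modbus_frame(fc)}
    eng = {"sip": "10.0.2.5", "dip": "10.0.1.10", "proto": "tcp", "dport": 502,
           "payload": modbus_frame(16)}          # Write Multiple Registers
    stranger = {"sip": "192.168.9.9", "dip": "10.0.1.10", "proto": "tcp", "dport": 502,
                "payload": modbus_frame(3)}
    return {
        "hmi_read_holding": evaluate(ACL, hmi(3))[0],
        "hmi_write_multiple": evaluate(ACL, hmi(16))[0],
        "eng_write": evaluate(ACL, eng)[0],
        "unknown_source": evaluate(ACL, stranger)[0],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that the read-only check is only reached through an explicit permit rule, so the policy remains "deny unless listed" and the inspection merely narrows what a permitted peer may do.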
7. The Advantages of WoMaster’s Cyber Security
WoMaster provides a software- and hardware-(ASIC-)integrated protection mechanism, which
applies the latest Application-Specific Integrated Circuit (ASIC) security technology (L2-L7
packet classification), multi-level authentication, secure data transmission, encrypted key
data, complete event logs/traps and operational error prevention, and exceeds the
IEC62443-4-2 Level 2 requirements to build the most secure systems for industrial
applications.
8. Conclusion
Cyber issues are now found all around the world, just as information systems are all around
us. It is clear that hacking and cybercrime are offences in which simple bytes travel much
faster than bullets. Over the last decade, addressing and resolving the growing threat of closed
industrial IoT networks being accessed and influenced over the public Internet has become the
main priority for industrial automation and system control integrators. From this point of view we
can see that cyber security will be a major requirement in the current industrial IoT era.
WoMaster currently provides the best option for complete protection of IIoT networks
according to IEC 62443-4-1 and IEC 62443-4-2. If you want to know more, please
contact us at help@womaster.eu.
About WoMaster
WoMaster Group is an international group based in Europe, with over 20 years of industrial
market experience. We provide rugged products with customer-oriented support for critical
applications such as railway, power and utility, waste water, intelligent transportation and IP
surveillance.
The WoMaster brand’s name distinguishes our target markets as well as symbolizing the natural
sources which drove us to become the master brand for the industrial data communication
market.