Embedded virtualisation and security for industrial automation
The Engineering Network Ltd
Posted to News on 24th Apr 2013, 10:52

Industrial controllers and HMIs seldom have IT and network security protection of their own. This article explains how virtualisation can provide cyber security for industrial automation, especially where embedded controllers are used.

The networking of machinery and equipment results in new options for the IT integration of processes and for remote services across wide area connections, but it also creates new challenges in the area of cyber security. Systems with dedicated security devices are advantageous in that they physically separate the actual functionality of a system from its protective security measures, thereby avoiding mutual side-effects and allowing independent development of both by respective specialists. However, their deployment often fails due to the additional hardware needs and cost restrictions.

At the same time, the price-performance ratio of processors, memory and peripheral components keeps improving. This gives rise to a shift from specialised hardware to software functions on a common platform, limited by the necessary degree of modularisation to cope with technical risks and enable the integration of subsystems from different suppliers.

Virtualisation is the key to combining the cost savings of advanced hardware consolidation with such a modular design. This leads us to the concept of virtual security appliances for industrial automation.

Virtualisation in IT and Industrial automation

Virtualisation of both client and server systems is state-of-the-art technology in enterprise IT today. Typically the virtual systems are operated on a server farm in the network. The provision and co-ordinated operation of multiple virtual machines on shared hardware are effected by a layer of software called a hypervisor or virtual machine manager.

Two types of hypervisor and two approaches to virtualisation are usually distinguished:

  • Type 1 hypervisors run directly on the bare hardware and only co-ordinate the available hardware resources.
  • Type 2 hypervisors run as applications in a host system. The achievable performance is reduced by the additional operating system layer.

The hardware virtualisation approach presents each unmodified guest system with a complete (simulated) computer of its own.

  • The unmodified guest system runs with its own time-slice scheduler, unaware of the virtualised environment, which typically prevents real-time capability.
  • Depending on platform and implementation, the guest system may have direct access to (parts of) the underlying hardware components. Other components may be completely simulated, requiring a fairly complex hypervisor or a hardware platform with virtualisation support.
  • Guest system performance can be equivalent to a standalone system as long as no I/O operations are performed via simulated components.

In contrast, under the para-virtualisation approach the guest systems need to be modified for better cooperation with the respective hypervisor.

  • Time-slice and memory management can be more tightly integrated, and real-time capability can thus be achieved.
  • The internal communication between guest systems, or between guest system and hypervisor, is carried out through efficient specialised interfaces.

In industrial automation and control, however, the requirements are different from those in enterprise IT. The systems deployed here run on dedicated hardware with little or no operator intervention. Controller components typically have real-time requirements, whereas human-machine interfaces (HMIs) are mostly applications on a Windows operating system. In this environment, embedded virtualisation using a hybrid approach, combining native Windows installations with additional unmodified guest systems on a thoroughly partitioned multi-core PC platform with virtualisation support, is of particular value.

HyperSecured industrial PCs

Innominate has developed the HyperSecured concept, in which automation components such as an HMI or controller and a virtual mGuard security appliance are integrated onto a single hardware platform by means of an embedded virtual machine manager. This provides the automation components with all of the benefits of an upstream security appliance at reduced hardware cost. The automation components can thus be efficiently protected from unauthorised access and malware attacks.

Innominate and TenAsys have together demonstrated a HyperSecured IPC to show that embedded virtualisation and cyber security are ready for production use. The system used the TenAsys eVM for Windows embedded virtual machine manager to integrate an original Windows operating system with a virtual mGuard security appliance on a standard industrial PC.

Network communication between the Windows system and the external environment has to pass through and is controlled by the virtual mGuard security appliance that provides firewall, virtual private network (VPN) and integrity monitoring services to the PC system. The internal communication between the Windows system and the security appliance is done through a virtual Ethernet interface.

The hardware used for the demonstration was an off-the-shelf Valueline IPC from Innominate's parent company Phoenix Contact, featuring an Intel Core 2 Duo CPU with VT-x support, 2GB RAM and dual Gigabit Ethernet ports. The TenAsys eVM embedded virtual machine manager is a very compact package installed and administered through Windows. It partitions the two CPU cores and the system resources into separate domains for Windows and the mGuard guest system. Both Windows and the mGuard guest system boot natively, exactly as if they were running stand-alone. Peripheral components, in particular the Ethernet interfaces, are exclusively assigned to one of the two systems.

Virtual mGuard security appliance

Thanks to TenAsys eVM, no para-virtualisation or modification of the mGuard system is necessary on Intel platforms with VT-d support. The original Linux-based mGuard firmware image runs on a dedicated core of the shared x86 CPU. The virtual mGuard ensures comprehensive protection of the PC's network communication, as the physical Ethernet interface to the external environment is exclusively assigned to it. Its protection against denial-of-service (DoS) attacks is also effective thanks to this direct hardware control: even in an extreme case, only the virtual security appliance could be overloaded and external network packets delayed or dropped. Due to the strict partitioning of the CPU cores and system domains, this will not affect the Windows partition or any other guest systems.

Access to the PC and its Windows system will be blocked by the mGuard firewall unless authorised by a general static or user-specific dynamic firewall rule. Integrated virtual private network (VPN) functionality enables secure remote access with authentication and encryption. VPN tunnels are terminated by the virtual mGuard; the Windows system gets to see regular IP communication only.
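A small model of the access policy just described, added here as an illustration and not code from Innominate, TenAsys or the mGuard firmware: the appliance owns the external interface, drops everything destined for the Windows partition by default, and forwards only what a general static rule or a still-valid user-specific dynamic rule authorises, with one service permitted solely through a tunnel the appliance has already terminated. The addresses, ports, rule format and method names are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    from_vpn: bool = False  # True once the appliance has terminated the VPN tunnel


@dataclass(frozen=True)
class StaticRule:
    dport: int
    src: Optional[str] = None  # None matches any source address
    vpn_only: bool = False     # accept only if the packet came in through a tunnel


class AppliancePolicy:
    """Default-deny filter for traffic forwarded to the Windows partition (model only)."""

    def __init__(self, windows_ip: str) -> None:
        self.windows_ip = windows_ip
        self.static: List[StaticRule] = []
        # user -> (authenticated source address, destination port, expiry timestamp)
        self.dynamic: Dict[str, Tuple[str, int, float]] = {}

    def allow_static(self, dport: int, src: Optional[str] = None, vpn_only: bool = False) -> None:
        self.static.append(StaticRule(dport, src, vpn_only))

    def authenticate_user(self, user: str, src: str, dport: int, ttl: float, now: float) -> None:
        """Install a user-specific dynamic rule that lapses ttl seconds after authentication."""
        self.dynamic[user] = (src, dport, now + ttl)

    def filter_inbound(self, pkt: Packet, now: float) -> str:
        # The appliance owns the external NIC; only packets addressed to the
        # Windows partition are candidates for forwarding over the virtual Ethernet.
        if pkt.dst != self.windows_ip:
            return "DROP"
        for rule in self.static:
            if (rule.dport == pkt.dport and rule.src in (None, pkt.src)
                    and (pkt.from_vpn or not rule.vpn_only)):
                return "ACCEPT"
        # Drop lapsed dynamic rules, then match the live ones.
        self.dynamic = {u: e for u, e in self.dynamic.items() if e[2] > now}
        if any(s == pkt.src and p == pkt.dport for s, p, _ in self.dynamic.values()):
            return "ACCEPT"
        return "DROP"
```

Because the tunnel is terminated in the appliance, the Windows side sees the VPN-only service as ordinary IP traffic; only the filter knows it arrived encrypted.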

Conclusion

Virtualisation with an appropriate embedded virtual machine manager enables trendsetting consolidation of industrial automation and cyber security functions onto cost-optimised hardware, preserving the modular design and benefits of dedicated devices.

The HyperSecured system as demonstrated is not generally limited to just one protected Windows system. It will be possible to use additional CPU cores with their own native guest systems including real-time operating systems and controllers.

Innominate Security Technologies AG

Rudower Chaussee 13
GERMANY

+49 (0)30 921028 0
