Industrial controllers and HMIs seldom have IT and network security protection of their own. This article explains how virtualisation could provide cyber-security for industrial automation, especially where embedded controllers are used.
The networking of machinery and equipment results in new options for the IT integration of processes and for remote services across wide area connections, but it also creates new challenges in the area of cyber security. Systems with dedicated security devices are advantageous in that they physically separate the actual functionality of a system from its protective security measures, thereby avoiding mutual side-effects and allowing independent development of both by respective specialists. However, their deployment often fails due to the additional hardware needs and cost restrictions.
At the same time, the price-performance ratio of processors, memory and peripheral components keeps improving. This gives rise to a shift from specialised hardware to software functions on a common platform, limited by the necessary degree of modularisation to cope with technical risks and enable the integration of subsystems from different suppliers.
Virtualisation is the key to combining the cost savings of advanced hardware consolidation with such a modular design. This leads us to the concept of virtual security appliances for industrial automation.
Virtualisation of both client and server systems is state-of-the-art technology in enterprise IT today. Typically the virtual systems are operated on a server farm in the network. The provision and co-ordinated operation of multiple virtual machines on shared hardware is handled by a layer of software called a hypervisor or virtual machine manager.
Two types of hypervisors and two approaches to virtualisation are usually distinguished:
The hardware virtualisation approach presents each original guest system with a complete (simulated) computer of its own.
In industrial automation and control, however, the requirements are different from those in enterprise IT. The systems deployed here run on dedicated hardware with little or no operator intervention. Controller components typically have real-time requirements whereas human-machine interfaces (HMIs) are mostly applications on a Windows operating system. In this environment, embedded virtualisation using a hybrid approach and combining native Windows installations with additional unmodified guest systems on a thoroughly partitioned multi-core PC platform with virtualisation support is of particular value.
Innominate has developed the HyperSecured concept in which automation components such as an HMI or controller and a virtual mGuard security appliance are integrated onto a single hardware platform by means of an embedded virtual machine manager. This provides the automation components with all of the benefits of an upstream security appliance at reduced hardware costs. The automation components can thus be efficiently protected from unauthorised access and malware attacks.
Innominate and TenAsys have together demonstrated a HyperSecured IPC to show that embedded virtualisation and cyber security are ready for production use. The system used the TenAsys eVM for Windows embedded virtual machine manager to integrate an original Windows operating system with a virtual mGuard security appliance on a standard industrial PC.
Network communication between the Windows system and the external environment has to pass through and is controlled by the virtual mGuard security appliance that provides firewall, virtual private network (VPN) and integrity monitoring services to the PC system. The internal communication between the Windows system and the security appliance is done through a virtual Ethernet interface.
The hardware used for the demonstration was an off-the-shelf Valueline IPC from Innominate's parent company Phoenix Contact featuring an Intel Core 2 Duo CPU with VT-x support, 2GB RAM and dual Gigabit Ethernet ports. The TenAsys eVM embedded virtual machine manager is a very compact package installed and administered through Windows. It partitions the CPU into two cores and system domains for Windows and the mGuard guest system. Both Windows and the mGuard guest system boot natively, exactly as if they were running stand-alone. Peripheral components, in particular the Ethernet interface, are exclusively assigned to one of the systems.
Thanks to TenAsys eVM, neither para-virtualisation nor modification of the mGuard system is necessary on Intel platforms with VT-d support. The original Linux-based mGuard firmware image runs on a dedicated core of the shared x86 CPU. The virtual mGuard ensures comprehensive protection of the PC's network communication, as the physical Ethernet interface to the external environment is exclusively assigned to it. Its protection against denial-of-service (DoS) attacks is effective too, thanks to this direct hardware control: even in an extreme case, only the virtual security appliance could be overloaded, with external network packets being delayed or dropped. Due to the strict partitioning of the CPU cores and system domains, this will not affect the Windows partition or potential other guest systems.
Access to the PC and its Windows system will be blocked by the mGuard firewall unless authorised by a general static or user-specific dynamic firewall rule. Integrated virtual private network (VPN) functionality enables secure remote access with authentication and encryption. VPN tunnels are terminated by the virtual mGuard; the Windows system gets to see regular IP communication only.
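The blocking behaviour described above, modelled as an added example that is not taken from the article or from mGuard firmware: inbound connections are refused unless a general static rule or a user-specific dynamic rule authorises them. The class and function names, addresses and ports are constructed, and binding a dynamic rule to the user's login address for a limited session time is an assumption made for this sketch.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str        # permitted source network in CIDR form
    dport: int      # permitted TCP port on the protected PC
    user: str = ""  # empty: general static rule; set: user-specific rule

    def matches(self, src_ip, dport):
        net = ipaddress.ip_network(self.src)
        return dport == self.dport and ipaddress.ip_address(src_ip) in net

class GatewayFirewall:
    """Default-deny inbound filter (hypothetical model, not mGuard code)."""

    def __init__(self, rules, session_ttl=900):
        self.rules = list(rules)
        self.session_ttl = session_ttl  # seconds a user login stays valid
        self.sessions = {}              # user -> (login source IP, expiry)

    def login(self, user, src_ip, now):
        # Called once the user has authenticated to the gateway.
        self.sessions[user] = (src_ip, now + self.session_ttl)

    def allows(self, src_ip, dport, now):
        for rule in self.rules:
            if not rule.matches(src_ip, dport):
                continue
            if not rule.user:
                return True             # static rule: always in force
            ip, expiry = self.sessions.get(rule.user, (None, 0))
            # Dynamic rule: only from the login address, only until expiry.
            if ip == src_ip and now < expiry:
                return True
        return False                    # no rule authorised it: blocked

def sample_firewall():
    # Constructed policy and addresses, for illustration only.
    return GatewayFirewall([
        Rule("10.20.0.10/32", 4840),                    # static rule
        Rule("10.30.0.0/24", 3389, user="technician"),  # dynamic rule
    ])

if __name__ == "__main__":
    fw = sample_firewall()
    print(fw.allows("10.20.0.10", 4840, now=0))   # matches the static rule
    print(fw.allows("10.30.0.7", 3389, now=0))    # user not logged in yet
    fw.login("technician", "10.30.0.7", now=0)
    print(fw.allows("10.30.0.7", 3389, now=60))   # within the session
    print(fw.allows("10.30.0.8", 3389, now=60))   # other host, same subnet
    print(fw.allows("10.30.0.7", 3389, now=901))  # session expired
```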
Virtualisation with an appropriate embedded virtual machine manager enables trendsetting consolidation of industrial automation and cyber security functions onto cost-optimised hardware, preserving the modular design and benefits of dedicated devices.
The HyperSecured system as demonstrated is not generally limited to just one protected Windows system. It will be possible to use additional CPU cores with their own native guest systems including real-time operating systems and controllers.