Industrial Ethernet Architecture & Cyber Security Risks

Summary

By Bill Lydon, Editor

As Industrial Ethernet protocols have proliferated on the factory floor, IP devices have become vulnerable to cyber threats. As one cyber security expert noted, “Anything with an IP address can be hacked.” Ironically, while the importance of cyber security protection is being emphasized, the industrial Ethernet protocol associations have no firm plans to migrate to new Ethernet standards that offer higher cyber security protection.

Manufacturing & Business Integration

The value of leveraging Ethernet technology is clear. Ethernet allows companies to implement new manufacturing methods including make-to-order and mass customization that require flexible factories and relying on interactive communication with all participants including customers, purchasing, supply chain, machines, production line equipment, and workers. Ethernet is becoming the unifying communications technology that is enabling the creation of more flexible and responsive manufacturing to better serve the needs of customers. The bigger challenge is the integration of enterprise and control systems that is addressed by international standards such as ISA-95 and others which are the basis for the development of standard interfaces between automation, ERP, MES and other systems.

Ethernet communications is making it possible and desirable to create streamlined 2-3 layer automation systems to increase performance and lower software maintenance costs as noted in, Simplifying Automation System Hierarchies. Historically, the constraints of computing costs and networking bandwidth dictated this configuration. In the new model, controllers communicate information to all levels directly from level 0 and 1 to level 4 and 5 using the appropriate protocols, particularly WEB services.

Industrial Ethernet Technology Lags Developments

Ethernet communication technology is moving to IPv6 for improved communications and greater cyber protection. Meanwhile, industrial Ethernet network standards have not been upgraded to IPv6 compliance. Most people think that IPv6 is only to increase IP addresses but there are a number of other advantages:

• More Efficient Routing - IPv6 reduces the size of routing tables and makes routing more efficient and hierarchical. In addition, in IPv6 networks, fragmentation is handled by the source device, rather than the router, using a protocol for discovery of the path's maximum transmission unit (MTU).
• More Efficient Packet Processing - IPv6's simplified packet header makes packet processing more efficient. Compared with IPv4, IPv6 contains no IP-level checksum, so the checksum does not need to be recalculated at every router hop. Getting rid of the IP-level checksum was possible because most link-layer technologies already contain checksum and error-control capabilities. In addition, most transport layers, which handle end-to-end connectivity, have a checksum that enables error detection.
• Directed Data Flows - IPv6 supports a superior multicast method saving network bandwidth. The IPv6 header has a new field, called Flow Label, that can identify packets belonging to the same flow.
• Simplified Network Configuration - Address auto-configuration (address assignment) is built in to IPv6. A router will send the prefix of the local link in its router advertisements. A host can generate its own IP address by appending its link-layer (MAC) address, converted into Extended Universal Identifier (EUI) 64-bit format, to the 64 bits of the local link prefix.
• Support For New Services - By eliminating Network Address Translation (NAT), true end-to-end connectivity at the IP layer is restored, enabling new and valuable services. Peer-to-peer networks are easier to create and maintain, and services such as VoIP and Quality of Service (QoS) become more robust.
• Security - IPSec, which provides confidentiality, authentication and data integrity, is baked into in IPv6. Because of their potential to carry malware, IPv4 ICMP packets are often blocked by corporate firewalls, but ICMPv6, the implementation of the Internet Control Message Protocol for IPv6, may be permitted because IPSec can be applied to the ICMPv6 packets.

The general computing industry is supporting this movement as illustrated by comments from industry leaders. John Chambers, President and CEO of Cisco Systems said, “If we don't overcome the challenges of IPv4 we will slow down the growth of the Internet and lose momentum as an industry.” “IPv6 is important to all of us, to everyone around the world. It is crucial to our ability to tie together everyone and every device.” Click here for more information from CISCO in IPv6.

CISCO has an interesting interactive webpage with information on IPv6 adoption by countries. The CISCO IPv6 adoption statistics website has daily consolidated and updated statistics in a single view at global and country level.

Internet Protocol Security (IPsec)

A fundamental improvement in IPv6 is the Internet Protocol Security (IPsec) - a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. It can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). Some other Internet security systems in widespread use, such as Secure Sockets Layer (SSL), Transport Layer Security (TLS) and Secure Shell (SSH), operate in the upper layers of the TCP/IP model. Hence, IPsec protects any application traffic across an IP network. Applications do not need to be specifically designed to use IPsec. In contrast the current use of TLS/SSL and other methods used in IPv4 implementations must be designed into an application to protect the application protocols, making it highly dependent on each vendor’s design.

Industrial Protocol Posturing

I have asked major industrial Ethernet protocol groups about their position on IPv6 and they indicate there are no firm plans at this point. The major strategies suggested to extend the life of industrial Ethernet IPv4 based protocols is to create VPNs that use private IP address space and Network Address Translation (NAT) tables. The NAT approach is counter to policies of many IT organizations. Basically these standards organization and vendors do not yet have solutions.

Thoughts & Observations

The merging of enterprise and manufacturing is a major driver for the integration of data between industrial and enterprise Ethernet. There are challenges to achieving the vision, which is being given various names including Automation IT, Industry 4.0, Industrial IP Advantage, and Integrated Manufacturing. There are some major technical alignments that need to be accomplished to achieve the vision. In my opinion, the lack of an IPv6 plan by industrial Ethernet protocol groups is troubling because the general computing industry is already leveraging the value of IPv6’s improved performance and built-in cyber security.