Mario Crevatin

Security for Industrial Communication Systems

Modern industrial communication networks are increasingly based on open protocols and platforms that are also used in the office IT and Internet environment. This reuse facilitates development and deployment of highly connected systems, but also makes the communication system vulnerable to electronic attacks. This paper gives an overview of IT security issues in industrial automation systems which are based on open communication systems. First, security objectives, electronic attack methods, and the available countermeasures for general IT systems are described. General security objectives and best practices are listed. Particularly for the TCP/IP protocol suite, a wide range of cryptography-based secure communication protocols is available. The paper describes their principles and scope of application. Next, we focus on industrial communication systems, which have a number of security-relevant characteristics distinct from the office IT systems. Confidentiality of transmitted data may not be required; however, data and user authentication, as well as access control are crucial for the mission critical and safety critical operation of the automation system. As a result, modern industrial automation systems, if they include security measures at all, emphasize various forms of access control. The paper describes the status of relevant specifications and implementations for a number of standardized automation protocols. Finally, we illustrate the application of security concepts and tools by brief case studies describing security issues in the configuration and operation of substations, plants, or for remote access.

HTTP digest authentication in embedded automation systems

In automation systems, embedded web servers are often used for human machine interface (HMI) functionalities. Using the TCP/IP stack as communication protocol suite opens new opportunities to access the embedded web server. Therefore, an embedded web-server based HMI is very suitable for remote services as configuring, monitoring and control. However, a remote access requires security procedures. A security protocol that is able to deal with the limited resources of an embedded web server is HTTP (hypertext transfer protocol) digest access authentication (DAA). It provides a secure challenge/response mechanism for user authentication. Apart from this, its definition has foreseen other features which are not implemented in currently available servers, but could be very valuable to extend the application range of DAA. This paper outlines the general functionality of digest authentication defined by its RFC and investigates the most widely distributed implementations on server and browser side. The results of functionality and interoperability tests are presented.