Dr. Johan Åkerberg, ABB Corporate Research, Sweden, 2014-11-20
Communication in Industrial Automation
Outline
• Industrial Applications
• Industrial Automation
• Safety vs. Security
• Safety Critical Communication
• Cyber Security in Industrial Applications
• Industrial Wireless Communication
• Safety Critical Wireless Communication
• Concluding Remarks
January 26, 2015 | Slide 2
Industrial Applications: Examples of Power Systems
Grid stabilization and long-distance power transmission with low power losses
Industrial Applications: Examples of Substation Automation
Continuous electrification and load management of cities and industries
Industrial Applications: Process Automation
• Definition:
  – “Process manufacturing is the branch of manufacturing that is associated with formulas and manufacturing recipes”
• Once an output is produced by the process, it cannot be distilled back to its basic components
• Examples: paper, steel, petrol, food, etc.
Industrial Applications: Examples of Process Automation
Continuously stabilizing unstable and unsafe processes
Industrial Applications: Discrete Automation
• Definition:
  – “In discrete manufacturing, the manufacturing floor works off orders to build something”
• Output is easier to “distill” back to original components
• Examples: cars, consumer electronics, etc.
Industrial Applications: Examples of Discrete Automation
High speed assembly, packaging and palletizing
Industrial Automation: The Control Pyramid
Several products and protocols in order to meet the requirements
Industrial Automation: Fieldbus Communication
• The distributed control systems collect information from the process in order to control and actuate using, for example,
  – High voltage to low voltage switchgears
  – Electrical machines ranging from MW to kW
  – Process instrumentation and control valves
Installed multi-billion equipment has an expected lifetime of up to 20 years, and only subsystems are upgraded due to cost issues
Industrial Automation: Basic Properties
• Safety and Security
• High availability, redundancy protocols
• Deterministic communication
• Low latency and jitter
• Efficient deployment and maintenance
• Flexible topologies
• High throughput
Often contradicting requirements!
Industrial Automation: Controlling Machinery and Processes
Failsafe mode
Protect worker safety and Return on Investment
Industrial Applications: Examples of Different Communication Requirements

Application Domain        Update Rate          Nodes / 10 m²
Process Automation        10 – 1000 ms         1 – 20
Factory Automation        500 µs – 100 ms      20 – 100
Substation Automation     250 µs – 50 ms       1 – 10
High Voltage DC control   10 – 100 µs          300 – 500

These numbers include processing time for crypto, etc.!
Industrial Automation: Where do we come from?
• A journey from electromechanical relays
• to centralized control systems and
• today decentralized control systems
Many plants have two or three generations of systems in operation
Industrial Automation: Communication Networks
[Figure: timeline of industrial communication networks from the 1980s through the 1990s to the 2000s, with cycle times moving from 100 ms down to the µs–ms range. Trends: common physical layer, single network technology, integrated switching, legacy network integration, technical advances. Technologies: phone modems and HV PLC, fiber optics, public cellular, Internet technologies, Fieldbus Foundation, PROFINET IO, IEC 61850, EtherCAT, EtherNet/IP. Vertical axis: Ethernet penetration.]
© ABB Group, January 26, 2015 | Slide 23
Industrial Automation: Communication Architecture in Process Automation
Industrial Automation: Basics of PROFINET IO
• PROFINET IO uses switched 100 Mbit/s Ethernet networks to transmit both real-time and non real-time data
• For non real-time data, Remote Procedure Calls are used on top of UDP/IP
• For real-time data, PROFINET IO defines a layer on top of the Ethernet layer
• Both unicast and multicast communication are possible for real-time data
[Figure: an Application Relationship consists of a Record Data CR, an IO Data CR and an Alarm CR. Record data uses the UDP channel (context, diagnostics); IO data and alarms use RT channels.]
Industrial Automation: Basics of PROFINET IO
• PROFINET IO devices are modeled in an XML file, the General Station Description Markup Language (GSDML) file
• The GSDML file is imported into the control system and knowledge is gained regarding the devices:
  – Modules and Submodules
  – Parameters
  – Data types
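As an added example (not code from the slides, ABB or PROFIBUS & PROFINET International), the following Python script parses a small GSDML-style file and extracts what the slide lists: modules, submodules, their parameters and the data types with their octet sizes. The element and attribute names follow GSDML conventions, but the file itself and the octet widths in DATA_TYPE_SIZE are constructed for this example; check_io_budget is an added helper that flags submodules whose IO data would not fit a given slot size.

```python
"""Extract modules, submodules, parameters and data types from a GSDML-style file.

Added example (not ABB's or PI's code). The XML is constructed for this example:
it follows GSDML naming conventions (ModuleList, ModuleItem, VirtualSubmoduleItem,
IOData, ParameterRecordDataItem) but is not a real vendor file.
"""
import xml.etree.ElementTree as ET

# Octet width per data type (assumption: usual GSDML primitive widths).
DATA_TYPE_SIZE = {"Unsigned8": 1, "Unsigned16": 2, "Unsigned32": 4,
                  "Integer16": 2, "Float32": 4}

# Constructed sample: an 8-channel digital input module and a 2-channel analog input module.
SAMPLE_GSDML = """<ISO15745Profile xmlns="http://www.profibus.com/GSDML/2003/11/DeviceProfile">
 <ProfileBody><ApplicationProcess><ModuleList>
  <ModuleItem ID="ID_MOD_DI8" ModuleIdentNumber="0x00000010">
   <ModuleInfo><Name TextId="T_DI8"/></ModuleInfo>
   <VirtualSubmoduleList>
    <VirtualSubmoduleItem ID="ID_SUB_DI8" SubmoduleIdentNumber="0x00000001">
     <IOData><Input><DataItem DataType="Unsigned8" TextId="T_DI_BITS"/></Input></IOData>
     <RecordDataList>
      <ParameterRecordDataItem Index="1" Length="2">
       <Ref DataType="Unsigned16" ByteOffset="0" DefaultValue="10" TextId="T_FILTER_MS"/>
      </ParameterRecordDataItem>
     </RecordDataList>
    </VirtualSubmoduleItem>
   </VirtualSubmoduleList>
  </ModuleItem>
  <ModuleItem ID="ID_MOD_AI2" ModuleIdentNumber="0x00000020">
   <ModuleInfo><Name TextId="T_AI2"/></ModuleInfo>
   <VirtualSubmoduleList>
    <VirtualSubmoduleItem ID="ID_SUB_AI2" SubmoduleIdentNumber="0x00000001">
     <IOData>
      <Input><DataItem DataType="Float32" TextId="T_AI_CH0"/>
             <DataItem DataType="Float32" TextId="T_AI_CH1"/></Input>
      <Output><DataItem DataType="Unsigned16" TextId="T_AI_RANGE"/></Output>
     </IOData>
    </VirtualSubmoduleItem>
   </VirtualSubmoduleList>
  </ModuleItem>
 </ModuleList></ApplicationProcess></ProfileBody>
</ISO15745Profile>
"""


def _local(tag):
    """Strip the XML namespace from a tag name."""
    return tag.rsplit("}", 1)[-1]


def _descendants(elem, name):
    """All descendants of elem (excluding elem itself) with the given local tag name."""
    return [e for e in elem.iter() if e is not elem and _local(e.tag) == name]


def _io_octets(sub, direction):
    """Sum the octet widths of the DataItems under <Input> or <Output> of a submodule."""
    total = 0
    for block in _descendants(sub, direction):
        for item in _descendants(block, "DataItem"):
            dtype = item.get("DataType")
            if dtype not in DATA_TYPE_SIZE:
                raise ValueError(f"unsupported DataType {dtype!r} in {sub.get('ID')}")
            total += DATA_TYPE_SIZE[dtype]
    return total


def parse_gsdml(xml_text):
    """Return {module_id: {ident, submodules: {sub_id: {ident, input_octets, output_octets, parameters}}}}."""
    root = ET.fromstring(xml_text)
    modules = {}
    for mod in _descendants(root, "ModuleItem"):
        subs = {}
        for sub in _descendants(mod, "VirtualSubmoduleItem"):
            params = [{"index": int(prd.get("Index")), "type": ref.get("DataType"),
                       "offset": int(ref.get("ByteOffset")), "default": ref.get("DefaultValue")}
                      for prd in _descendants(sub, "ParameterRecordDataItem")
                      for ref in _descendants(prd, "Ref")]
            subs[sub.get("ID")] = {"ident": int(sub.get("SubmoduleIdentNumber"), 16),
                                   "input_octets": _io_octets(sub, "Input"),
                                   "output_octets": _io_octets(sub, "Output"),
                                   "parameters": params}
        modules[mod.get("ID")] = {"ident": int(mod.get("ModuleIdentNumber"), 16),
                                  "submodules": subs}
    return modules


def check_io_budget(modules, max_octets):
    """IDs of submodules whose input or output data exceed max_octets (e.g. a 12-octet safety slot)."""
    return sorted(sid for m in modules.values() for sid, s in m["submodules"].items()
                  if max(s["input_octets"], s["output_octets"]) > max_octets)


if __name__ == "__main__":
    for mod_id, mod in parse_gsdml(SAMPLE_GSDML).items():
        print(mod_id, hex(mod["ident"]), mod["submodules"])
```

The parser is deliberately namespace-agnostic because vendor files declare different GSDML schema versions; the structured result is what an engineering tool would use to offer modules for configuration and to check that configured IO lengths fit the frame layout.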
Safety vs. Security: Why safety for industrial automation?
Because I care about the environment and worker safety!
Safety vs. Security: Why security for industrial automation?
Because I cannot unplug the correct network cable in time?
Safety vs. Security
• Safety
  – To reduce the risk of damage to person, property or environment
  – All possible error cases are determined pre-runtime, and must not change over time
  – Examples: A faulty device causes environmental pollution or an uncontrolled chemical process
  – Examples of solutions: Diagnostics, redundancy, voting, and hardware and software diversity
• Security
  – To reduce the risk of unauthorized access or sabotage to a system
  – Security threats will change over time
  – Examples: A deliberate security attack causes loss of production or degraded production
  – Examples of solutions: cryptography, firewalls, intrusion detection systems
Safety Critical Communication: The Principle of the Black Channel
• PROFIsafe is based on the experiences from the railway signaling domain and is documented in IEC 62280-1/2
• Safe and standard applications can share the same standard PROFIBUS/PROFINET communication system
• The communication system can be excluded from functional safety certification
• PROFIsafe is certified for Safety Integrity Level 3
[Figure: a safety application and a standard application on one side, a safety application on the other, all communicating over the same PROFIBUS/PROFINET stack. Only the PROFIsafe layer (the safety profile) at each end belongs to the safety function; the communication system between them is treated as a black channel.]
Safety Critical Communication: PROFIsafe – Identified Communication Errors
Safety Critical Communication: PROFIsafe – Deployed Safety Measures
Safety Critical Communication: PROFIsafe – Safety Container Structure
• A PROFIBUS or PROFINET IO real-time frame can contain one or more PROFIsafe containers
• Different requirements for processing speed and number of I/O. There are two modes of operation:
  – safety I/O data up to 12 bytes together with a 24 bit CRC2, or
  – safety I/O data up to 123 bytes together with a 32 bit CRC2.

PROFIsafe Container:
F input/output data       Status / control byte     CRC2
Max. 12 / 123 Bytes       1 Byte                    3 / 4 Bytes
Safety Critical Communication: PROFIsafe – Consistency Check of Safety Container
• The safe host and safe device/modules produce a 2-byte CRC1 signature over the safety parameters (F-Parameters)
• Only the CRC2 is calculated for each cyclic PROFIsafe container
[Figure: inputs to the CRC2 calculation. CRC1 (2 bytes, computed over the F-Parameters) is the initial value for CRC2; the VCN (3 bytes, the F-Host consecutive number) is included in the calculation; the F-Output data (max. 12 or 123 octets) and the Control Byte (1 byte, carrying the toggle bit) form the transmitted container; CRC2 (3 or 4 bytes) is calculated across the F-Output data, the F-Parameters and the VCN.]
Safety Critical Communication: PROFIsafe – Virtual Consecutive Number
• The consecutive number is not visible in the safety container, thus called virtual consecutive number
• 24 bit counter, wrapping over to 1 at the end. Number 0 is reserved for error conditions and synchronization
• The toggle bit in the Control/Status byte indicates an increment at each edge
[Figure: timing diagram. The F-Host Consecutive Number steps 0, 1, 2, 3, 4, 5 and the F-Device Consecutive Number 0, 1, 2, 3, 4; each edge of Toggle_h (from F-Host) and Toggle_d (from F-Device) marks an increment.]
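The container structure, consistency check and VCN slides describe one mechanism; the Python below is an added example that puts them together (it is not ABB's or PI's code and not the normative PROFIsafe algorithm). CRC1 and CRC2 are stand-ins derived from zlib's CRC-32, the toggle-bit position is assumed, and the F-parameters are an opaque byte string; what does follow the slides is the layout [F-data][control byte][CRC2], CRC1 as the seed of CRC2, the untransmitted 24-bit VCN that wraps to 1, and the toggle edge as the signal to increment it.

```python
"""PROFIsafe-style safety container: F-Host builds it, F-Device checks it.

Added example, not ABB's or PI's code and not the normative PROFIsafe algorithm.
Constructed simplifications: CRC1 and CRC2 are derived from zlib's CRC-32
(PROFIsafe specifies its own 24- and 32-bit polynomials), the control byte
carries only the toggle bit at an assumed position, and the F-parameters are an
opaque byte string. Layout as on the slides: [F-data][control][CRC2], with CRC2
across F-data, the F-parameters (via CRC1 as seed) and the never-transmitted VCN.
"""
import zlib

TOGGLE_BIT = 0x20              # assumed position of the toggle bit in the control/status byte
VCN_MODULUS = 1 << 24          # 24-bit virtual consecutive number
MAX_SHORT, MAX_LONG = 12, 123  # F-data limits for the 24- and 32-bit CRC2 modes


def crc1(f_parameters: bytes) -> int:
    """2-byte signature over the F-Parameters (constructed: low 16 bits of CRC-32)."""
    return zlib.crc32(f_parameters) & 0xFFFF


def next_vcn(vcn: int) -> int:
    """Advance the VCN; 0 is reserved for errors/synchronization, so the counter wraps to 1."""
    return ((vcn + 1) % VCN_MODULUS) or 1


def crc2_width(f_len: int) -> int:
    """3-byte CRC2 for up to 12 octets of F-data, 4-byte CRC2 for up to 123."""
    if f_len > MAX_LONG:
        raise ValueError("F-data exceeds 123 octets")
    return 3 if f_len <= MAX_SHORT else 4


def crc2(f_data: bytes, vcn: int, crc1_value: int, width: int) -> int:
    """CRC2 across F-data and VCN, seeded with CRC1 so the F-parameters are covered as well."""
    return zlib.crc32(f_data + vcn.to_bytes(3, "big"), crc1_value) & ((1 << (8 * width)) - 1)


class FHost:
    """Producer: alternates the toggle bit and increments its VCN for every new container."""

    def __init__(self, f_parameters: bytes):
        self.crc1, self.vcn, self.toggle = crc1(f_parameters), 0, 0

    def send(self, f_data: bytes) -> bytes:
        width = crc2_width(len(f_data))
        self.toggle ^= 1
        self.vcn = next_vcn(self.vcn)
        control = TOGGLE_BIT if self.toggle else 0
        sig = crc2(f_data, self.vcn, self.crc1, width)
        return f_data + bytes([control]) + sig.to_bytes(width, "big")


class FDevice:
    """Consumer: reconstructs the VCN from toggle edges and checks CRC2 before accepting data."""

    def __init__(self, f_parameters: bytes, f_len: int):
        self.crc1, self.f_len, self.width = crc1(f_parameters), f_len, crc2_width(f_len)
        self.vcn, self.last_toggle = 0, None

    def receive(self, frame: bytes):
        """Return ('ok', f_data), ('repeat', None) or ('mismatch', None).

        'repeat'   : no toggle edge, i.e. the same container arrived again.
        'mismatch' : CRC2 does not verify for the expected VCN; covers corrupted data,
                     a peer with other F-parameters (CRC1) and lost or reordered
                     containers, since the expected VCN then differs from the sender's.
        """
        if len(frame) != self.f_len + 1 + self.width:
            return "mismatch", None
        f_data, control = frame[:self.f_len], frame[self.f_len]
        received = int.from_bytes(frame[self.f_len + 1:], "big")
        toggle = 1 if control & TOGGLE_BIT else 0
        if toggle == self.last_toggle:
            return "repeat", None
        expected_vcn = next_vcn(self.vcn)
        if received != crc2(f_data, expected_vcn, self.crc1, self.width):
            return "mismatch", None
        self.vcn, self.last_toggle = expected_vcn, toggle
        return "ok", f_data


def run_scenarios():
    """Delivery, duplication, corruption, lost containers and wrong F-parameters (long mode, 16 octets)."""
    f = lambda n: n.to_bytes(16, "big")
    params = bytes.fromhex("0001000c00020001")                 # constructed F-parameters
    host, dev, out = FHost(params), FDevice(params, 16), {}
    c1 = host.send(f(1))
    out["first"] = dev.receive(c1)[0]
    out["duplicate"] = dev.receive(c1)[0]                     # toggle unchanged: repeat
    c2 = host.send(f(2))
    out["corrupted"] = dev.receive(bytes([c2[0] ^ 0x80]) + c2[1:])[0]
    out["second"] = dev.receive(c2)[0]                        # genuine copy still accepted
    host.send(f(3))                                           # lost in transit
    out["after_one_lost"] = dev.receive(host.send(f(4)))[0]   # toggle equals last seen: looks like a repeat
    out["next_edge"] = dev.receive(host.send(f(5)))[0]        # edge, but sender VCN is 5 and device expects 3
    other = FDevice(bytes.fromhex("0001000c00020002"), 16)    # device configured with other F-parameters
    out["wrong_params"] = other.receive(FHost(params).send(f(1)))[0]
    return out
```

The scenarios show why both the toggle bit and the VCN are needed: a single lost container leaves the toggle at an unexpected value and is reported as a repeat, whereas the next clean toggle edge is caught only because the VCN folded into CRC2 no longer matches. The wrong-parameter case is what the CRC1 seed buys: a container from a host configured for a different device fails without any extra bytes on the wire.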
Cyber Security in Industrial Applications: The need for secure systems and communication
• Firewalls
• Intrusion Detection Systems
• Access Control / User Account Mgmt
• Antivirus
• Whitelisting
• Secure Communication
• Code Signing
Classical security mechanisms are necessary, but no longer sufficient.
Cyber Security in Industrial Applications: From the Product Lifecycle to the Plant Lifecycle

Product Lifecycle:   Design → Implementation → Verification → Release → Support
Project Lifecycle:   Design → Engineering → FAT → Commissioning → SAT
Plant Lifecycle:     Operation → Maintenance → Review → Upgrade
Cyber Security in Industrial Applications: Challenges
• Why not apply security best practices from the IT domain directly?
  – We do, but locking down systems for the sake of security might have a negative impact on safety
  – Patching 10.000 – 30.000 embedded systems in a plant every year hampers the production rate
• How to keep things secure with all the different actors involved over the complete lifecycle of a plant?
  – Maintenance and commissioning personnel are not crypto experts, but process experts
  – They cannot enter an RSA key pair in a device or install digital certificates on New Year’s Eve when the plant manager demands full production after a component failure
Cyber Security in Industrial Applications: Challenges
• How to deal with key distribution over the complete lifecycle with different vendors over time?
  – Most security solutions demand “out-of-channel” communication to establish a secure channel; this is challenging in high availability systems
  – Solutions that deal with multiple involved parties over time are needed
• Security/cryptography is all about trust, so whom to trust then?
  – Most likely one-solution-fits-all is not feasible
  – How to deal with trust over 20-30 years of operation when vendors are entering and leaving the plant due to competition and market economics?
Cyber Security in Industrial Applications: PROFINET is vulnerable to man-in-the-middle attacks
• We have shown that it is possible to deploy a man-in-the-middle attack on PROFINET IO from IEC 61784 and IEC 61158 and change process data without any peer detecting the attack
• In case of identified security threats and vulnerabilities, how to guarantee safety?
[Figure: two sequence diagrams over period time. Left, Controller and Device exchange cyclic frames with counters n, n+1, n+2, n+3. Right, the Attacker first performs ARP poisoning and then sits between Controller and Device, so that frames with counters n, n+1, n+2 on one side and m, m+1 on the other pass through the Attacker.]
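From the defender's side, the ARP poisoning step in the figure and the counter discontinuity it produces are both observable on a mirror port. The Python below is an added example (not ABB's code and not a reproduction of the published attack): it runs two checks over a constructed capture, an IP-to-MAC rebind in ARP traffic and a source MAC or cycle-counter break in a cyclic RT flow, and correlates the two. FrameID, addresses, timestamps and the counter step are constructed; in a real deployment the step follows from the configured send clock.

```python
"""Passive detection of the man-in-the-middle pattern shown on the slides.

Added example; not ABB's code and not a reproduction of the published attack.
The capture is constructed: a span-port view reduced to the fields the checks
need. Two signals are evaluated independently and then correlated:
  1. an ARP reply that rebinds a known IP address to a different MAC, which is
     the trace ARP poisoning leaves on the wire, and
  2. a cyclic PROFINET RT flow (FrameID + destination) whose source MAC changes
     or whose 16-bit cycle counter stops advancing by the configured step.
"""

# Constructed records: ("arp", t_ms, sender_ip, sender_mac) or
#                      ("rt",  t_ms, frame_id, src_mac, dst_mac, cycle_counter)
CAPTURE = [
    ("arp", 0.0, "192.168.0.10", "00:0c:29:aa:aa:aa"),
    ("arp", 0.0, "192.168.0.20", "00:0c:29:bb:bb:bb"),
    ("rt", 1.0, 0x8001, "00:0c:29:aa:aa:aa", "00:0c:29:bb:bb:bb", 32),
    ("rt", 2.0, 0x8001, "00:0c:29:aa:aa:aa", "00:0c:29:bb:bb:bb", 64),
    ("rt", 3.0, 0x8001, "00:0c:29:aa:aa:aa", "00:0c:29:bb:bb:bb", 96),
    ("arp", 3.5, "192.168.0.10", "00:0c:29:cc:cc:cc"),                    # same IP, new MAC
    ("rt", 4.0, 0x8001, "00:0c:29:cc:cc:cc", "00:0c:29:bb:bb:bb", 5000),  # new source, counter jump
    ("rt", 5.0, 0x8001, "00:0c:29:cc:cc:cc", "00:0c:29:bb:bb:bb", 5032),
]


def check_arp_bindings(records):
    """Alert on every ARP reply that changes the MAC recorded for an IP address."""
    seen, alerts = {}, []
    for rec in records:
        if rec[0] != "arp":
            continue
        _, t, ip, mac = rec
        if ip in seen and seen[ip] != mac:
            alerts.append(("arp-rebind", t, ip, seen[ip], mac))
        seen[ip] = mac
    return alerts


def check_rt_flows(records, step=32):
    """Alert when a flow's source MAC changes or its counter does not advance by `step` (mod 2^16)."""
    state, alerts = {}, []
    for rec in records:
        if rec[0] != "rt":
            continue
        _, t, frame_id, src, dst, counter = rec
        key = (frame_id, dst)
        if key in state:
            prev_src, prev_counter = state[key]
            if src != prev_src:
                alerts.append(("rt-source-change", t, frame_id, prev_src, src))
            expected = (prev_counter + step) & 0xFFFF
            if counter != expected:
                alerts.append(("rt-counter-jump", t, frame_id, expected, counter))
        state[key] = (src, counter)
    return alerts


def correlate(arp_alerts, rt_alerts, window_ms=1000.0):
    """Pair an ARP rebind with an RT source change to the same new MAC within the window."""
    incidents = []
    for _, t_arp, ip, _, new_mac in arp_alerts:
        for kind, t_rt, frame_id, _, new_src in rt_alerts:
            if kind == "rt-source-change" and new_src == new_mac and 0 <= t_rt - t_arp <= window_ms:
                incidents.append((t_rt, ip, new_mac, frame_id))
    return incidents


def analyse(records, step=32):
    """Run both checks and return alerts plus correlated incidents."""
    arp, rt = check_arp_bindings(records), check_rt_flows(records, step)
    return {"arp": arp, "rt": rt, "incidents": correlate(arp, rt)}


if __name__ == "__main__":
    for kind, items in analyse(CAPTURE).items():
        for item in items:
            print(kind, item)
```

Either signal alone has benign explanations (a replaced network card, a controller restart that resets the counter), which is why the correlation step exists: an IP rebinding to a MAC that immediately starts sourcing the cyclic frames of an established flow is the specific footprint of the relay in the figure and deserves an alarm rather than a log line.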
Cyber Security in Industrial Applications: PROFIsafe is vulnerable to man-in-the-middle attacks
• We have shown that it is possible to deploy a man-in-the-middle attack on a SIL3 certified implementation of PROFIsafe from IEC 61784, and change safety-related process data without any peer detecting the attack
• Safety does not necessarily include security
[Figure: the PROFIsafe safety container as on the consistency check slide: CRC1 (2 bytes, initial value for CRC2), VCN (3 bytes, F-Host consecutive number), F-Output data (max. 12 or 123 octets), Control Byte (1 byte, toggle bit) and CRC2 (3 or 4 bytes across F-Output data, F-Parameters and VCN).]
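The slide's conclusion, that safety does not include security, comes down to the CRC2: it detects random errors, but anyone on the path can recompute it. As an added example (not ABB's or PI's code, and not something the PROFIsafe specification adopts), the Python below contrasts an unkeyed CRC check with a keyed tag of the same 4-octet size, HMAC-SHA256 truncated, over the same F-data and VCN. Key and values are constructed.

```python
"""CRC versus keyed tag on a safety container.

Added example; not ABB's or PI's code and not part of the PROFIsafe
specification. The CRC stands in for CRC2 (random-error detection only); the
keyed tag is HMAC-SHA256 truncated to 4 octets, the size of the long-mode CRC2
field, so the frame layout stays as on the slides. Key, F-data and VCN values
are constructed.
"""
import hashlib
import hmac
import zlib

TAG_LEN = 4


def _covered(f_data: bytes, vcn: int) -> bytes:
    """Bytes both checks cover: F-data plus the 24-bit VCN (the VCN is not transmitted)."""
    return f_data + vcn.to_bytes(3, "big")


def unkeyed_tag(f_data: bytes, vcn: int) -> bytes:
    """CRC-32 over F-data and VCN. Anyone who sees the frame can recompute it."""
    return zlib.crc32(_covered(f_data, vcn)).to_bytes(4, "big")


def keyed_tag(key: bytes, f_data: bytes, vcn: int) -> bytes:
    """Truncated HMAC over the same bytes. Recomputing it requires the shared key."""
    return hmac.new(key, _covered(f_data, vcn), hashlib.sha256).digest()[:TAG_LEN]


def verify_unkeyed(frame: bytes, vcn: int) -> bool:
    """Receiver check with a CRC: split off the tag and compare against a recomputation."""
    f_data, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    return hmac.compare_digest(tag, unkeyed_tag(f_data, vcn))


def verify_keyed(key: bytes, frame: bytes, vcn: int) -> bool:
    """Receiver check with a keyed tag; constant-time compare avoids leaking tag bytes."""
    f_data, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    return hmac.compare_digest(tag, keyed_tag(key, f_data, vcn))


def compare_checks():
    """Receiver-side verdicts for a genuine frame and for the slides' in-transit modification.

    With a CRC the on-path party recomputes the field after replacing the data;
    with a keyed tag it lacks the key and can only leave the original field in place.
    """
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")     # constructed shared key
    vcn, genuine, modified = 0x000042, b"\x00\x00\x00\x01", b"\x00\x00\x00\x00"
    crc_modified = modified + unkeyed_tag(modified, vcn)          # CRC recomputed over new data
    keyed_genuine = genuine + keyed_tag(key, genuine, vcn)
    keyed_modified = modified + keyed_genuine[-TAG_LEN:]          # old tag, new data
    return {
        "crc_accepts_modified": verify_unkeyed(crc_modified, vcn),
        "hmac_accepts_genuine": verify_keyed(key, keyed_genuine, vcn),
        "hmac_accepts_modified": verify_keyed(key, keyed_modified, vcn),
        "hmac_accepts_replay": verify_keyed(key, keyed_genuine, vcn + 1),   # old frame at a later VCN
    }


if __name__ == "__main__":
    for name, verdict in compare_checks().items():
        print(f"{name}: {verdict}")
```

The frame layout and bandwidth are unchanged; what changes is the need for a shared key, which is exactly the key distribution and lifecycle problem the Challenges slides raise, and the extra processing time that the update rates in the requirements table have to absorb. A 4-octet tag still leaves a 2^-32 chance per attempt that a blind guess passes, so a receiver should alarm on repeated verification failures instead of silently discarding them.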
Cyber Security in Industrial Applications: Remarks
• Security is important, but remember that
  – Security should be deployed based on a risk/benefit assessment
  – Example: IEC 61850 with RSA crypto
• Security is a process and not a state you enter
  – How to deal with trust and privacy during a plant lifetime of more than 20-30 years
• “Air-gaps” will not keep you secure
  – Use multiple countermeasures, defense in depth, and hide information from possible attackers
• Security is not better than the weakest link
  – Will an adversary stubbornly try to get through the armored main gate, or be scared by a formal proof on an abstract level?
  – And is in most cases based upon the assumption of “computationally infeasible”
Cyber Security in Industrial Applications: Remarks
• The safest and most secure critical infrastructure is the one that is never taken into operation!
• But that would be the worst multi-billion investment ever…
• So, should we go back to electromechanical relays?
• Or will it be more cost-efficient to secure real-time embedded systems that control critical infrastructure?
• But more important, just because we can add for example technologies like IoT, IPv6, Cloud, M2M, etc., are the benefits worth the risks?