
White Paper

IT Security in the Manufacturing Environment

2004

Created for:
KUKA Roboter GmbH
Hery-Park 3000
D-86368 Gersthofen
Telephone +49 821 797-4000
E-mail: [email protected]

Version 1.9

Author:
DS DATA SYSTEMS GmbH
Headquarters
Christian-Pommer-Strasse 15
38112 Braunschweig
Telephone +49 531 23731-0


DS DATA SYSTEMS GmbH · Christian-Pommer-Straße 15 · 38112 Braunschweig · Tel.: 0531 / 2 37 31-0 · Fax: 0531 2 37 31-11 · Internet www.datasystems.de · E-mail


DS DATA SYSTEMS GmbH contacts

Name: Dipl.-Ing. D. Kilian
Function: Senior Consultant, Licensed BSI Auditor
E-mail: [email protected]

Name: Dipl.-Ing. T. Beyer
Function: Systems Engineer
E-mail: [email protected]

Note: This document is designed to make the reader aware of IT hazards in the manufacturing environment. It is not a recipe for responses, but rather a presentation of procedures and technologies used to assure business processes. Due to the complex dependencies within the production process, we recommend individual company-related consultation as well as a weak-point analysis.


Contents

1 Background and Goals
2 IT System Security
3 Identifying Attack Vectors
  3.1 Computer Viruses
  3.2 Worms
  3.3 Trojan Horses
  3.4 Denial of Service Attacks
  3.5 Electronic Eavesdropping
  3.6 Attacks via NetBIOS/DCOM Shares
    3.6.1 NetBIOS
    3.6.2 DCOM
  3.7 Browser Hijacking
  3.8 Microsoft Browser Attacks
  3.9 Attacks on the Microsoft IIS Web Server
  3.10 Example: Sasser worm
4 KUKA Security Strategy
5 Technology Consulting: Ethernet – the next Step
6 Escalation Management
7 Recommendations for Network Security
  7.1 General Network Design
  7.2 Segmentation
  7.3 Segregation of Production and Office Communication Networks
  7.4 Remote Access
  7.5 Maintenance Access
  7.6 Security on the Port and MAC Level
  7.7 Distribution of Virus Signatures
  7.8 Logging
  7.9 Control Computer with its own Firewall – Using the Example of the Eagle Firewall
  7.10 Redundant Network Connections
  7.11 Intrusion Detection Systems


  7.12 Organizational Measures
  7.13 Summary: Secure Network – How?
8 Protecting Components
  8.1 Safeguarding Windows 95 Systems
  8.2 Safeguarding Windows XPe Systems
  8.3 Data Consistency Checking using Hash Values
9 Final remarks
10 Appendix
  10.1 Features of Agnitum Firewall for Windows 95
  10.2 Modification of Start Algorithms for Windows XPe
11 Glossary
12 Sources


1 Background and Goals

With the introduction of Ethernet to the robotic environment, KUKA Roboter GmbH (hereafter KUKA) relies upon an open, manufacturer-independent technology which has been in highly successful use for many years in office communication. The use of Ethernet in the manufacturing environment has increased the added value for the customer: standard components adapted to the new environmental requirements are used instead of proprietary ones. As a result, increased competition among vendors provides more favorable pricing, and in-house system maintenance can be used more fully, since existing expertise can be called upon. This affects all phases of the life cycle and protects the investment compared with the use of proprietary components from a single provider.

In addition to cost advantages, Ethernet also offers significant advantages for a consistent communication structure from the cell level up to the ERP system. Data which previously could be generated only with great cost and effort can now be collected and evaluated online.

These advantages come with a disadvantage, however: increased networking also poses additional risk to the production network. As a system provider, KUKA is responsible for the security of the components it supplies. Since these components are installed and operated in environments beyond the scope of KUKA's responsibility, the system operator must also take these factors into account when considering the system as a whole. It is therefore necessary for all involved, from the system vendor and operator to the Service Center, to be included in an integrated security concept.

This White Paper discusses not only the utility of a uniform communication structure for the production network; it intends to create awareness of IT security while presenting a means of minimizing risks through organizational and technical measures.


2 IT System Security

Information has become an important aspect of company operations. It is generated, processed and stored within all business processes of a company. In the production network, this starts at the sensor level and extends to the ERP system. Information is also transferred and processed during remote maintenance sessions. The spectrum ranges from handwritten meeting records to TCP/IP data communication and other communication protocols. What all this information has in common is that it must be protected against threats, since these pose a risk to business processes.

What is information security? In general, it means the preservation of the confidentiality, integrity and availability of the data.

Figure 1: Foundations of IT Security (the data at the center, protected by confidentiality, availability and integrity)

Preservation of confidentiality means protecting information against access by unauthorized persons or systems. In addition to data encryption, this includes strict user authentication, whether at log-in on a control computer or on dial-up into a system network for troubleshooting purposes.

Integrity refers to protecting information against corruption or incomplete transmission. In the worst case, loss of integrity can result in system failure or the execution of an incorrect control command.

Availability refers to the assurance of access to information and the maintenance of the related business processes. Loss of vital information, or the supply of excess or unrequested information, can bring down entire systems, as occurs during a denial of service (DoS) attack. Typically, availability is assured by component redundancy, for example by replacing a PLC control module in the event of a failure.


Preservation of information security does not require an absolute overhaul of the production environment; measures need only be adapted to the new overall requirements for this environment. The mechanical engineering firm is the system operator's first contact for IT security measures within the production line during its operating phase. The system integrator is responsible for the IT security of the basic design of a production line.

Figure 2: Typical Communications Structure (operator, system integrator and mechanical engineering firm (component supplier) around the production line; communication during planning, set-up and start-up, and communication during the operating phase)

In many instances, securing IT systems relating to the production line has been an afterthought during the planning phase. The mechanical engineering firm provides the components according to the system integrator's requirements list; in turn, the system integrator installs these components into the operator's network. The result is a highly restricted opportunity for the mechanical engineering firm to participate in developing appropriate security mechanisms for the network. The possibility of increasing IT security afterward is limited for the mechanical engineering firm, since total security depends upon the interaction of the security settings of the individual systems and components. During the planning phase, the operator, mechanical engineering firm and system integrator must work closely together to increase total security and assure business processes.


Attacks upon the IT systems in the manufacturing environment can take place on three levels (application, machine, network). The security concept must be considered separately for each level.

Figure 3: Points of Attack. Application level: viruses, worms, Trojan horses, espionage. Machine level: improper operation, vandalism, force majeure. Network level: denial of service, attempted access.

Protection of applications and machinery must be assured by the manufacturer. Security options must be included at the early stages of conception of applications and machines. Once these systems have been delivered, the operator is required to implement these security mechanisms; existing security measures must not be deactivated. For example, secure passwords must be issued, and group accounts must not be distributed to third parties. In addition, increased security requirements demand more extensive measures, such as the selection of a secure installation site with sufficient climate control.

As a rule, the network is secured by the operator, who will plan, implement and maintain the system network either himself or through a service contract. In this instance, the system vendor has only limited influence upon network design and security. For this reason, this White Paper makes recommendations regarding network security. These recommendations are based upon a typical or ideal installation of a production cell or line, such as recommended by KUKA. The model solution does not provide a general recipe accommodating individual differences among various installations; nevertheless, partial solutions may be adapted to specific environments.


3 Identifying Attack Vectors

Threats to a production network may come from several sources and may be based on both technical and organizational weaknesses. A threat always signifies the risk of a loss of confidentiality, integrity or availability of individual systems, facilities or services. A risk may arise both internally and externally. Threats such as the failure of a manufacturing network due to fire, water, electrical overload from lightning strikes, or theft of system components are not considered here. This White Paper presumes that the reader is aware of these "typical" issues and assumes that appropriate precautions against these risks are in place.

• The focus of this study is therefore the threat related to the increasing degree of networking of manufacturing systems.

• In addition, users may precipitate security-critical events through incorrect operation.

• An attack upon production-related equipment may be the result of deliberate manipulation. Such manipulations generally originate within the internal network; firewalls designed to protect the company network against Internet attacks are not effective against internal interference. Such attacks are frequently facilitated by a flat network structure in the manufacturing environment: a missing hierarchy in the network structure (one large broadcast domain) amplifies the effect of a denial of service attack.

An effective safeguard of a manufacturing network is described in the section "Recommendations for Network Security". The following short summary offers an introduction to different types of threats to networked systems. This list presents a selection of current attack vectors.

3.1 Computer Viruses

A computer virus is a non-independent program routine which replicates itself and carries out manipulations in system areas, other programs or their environments beyond the user's control.[1]

The purpose of a virus is to cause damage, which may manifest itself in different ways; in particular, data may be lost or the integrity of data and programs may be compromised. In general, there are three types of virus: boot, file and macro viruses. Boot viruses hardly ever appear in the office environment any more, since data are generally no longer distributed via diskette. During booting, these viruses are transferred from an infected diskette to the master boot record of a hard drive; the next time the computer is started, the virus makes undesired modifications to the system. If data exchange must take place via diskette, the diskette must first be scanned on a standalone PC using an up-to-date virus scanner to eliminate any viruses present.


File viruses are activated when an infected program is started. Viruses of this type are generally distributed via e-mail attachments or downloads from the Internet; the user expects a useful program and, lacking awareness, does not anticipate the threat. Macro viruses are generally associated with Microsoft Office documents, since they are written in the Visual Basic for Applications (VBA) macro language; this type of virus likewise damages program functionality. It is not possible to predict which viruses will attack a specific manufacturing environment; because production systems have lifetimes of more than eight years, older viruses that are almost extinct in the current office environment, such as boot viruses, must be reckoned with in addition to "modern" ones.

3.2 Worms

A worm is an independent program that runs permanently on its own. Unlike a virus, it does not modify other programs. Worms also replicate themselves, by creating an exact copy of themselves and running the copy; the result is another independent program.[2]

Worms can spread through e-mail attachments as well as directly across the network. In contrast to propagation via e-mail, where the local virus scanner can block a worm using current virus patterns, worms spreading across the network are harder to stop, since the worm generally exploits a weakness in the operating system. The spread of worms to components across the LAN can only be prevented if the operating system has been secured with the patches recommended by Microsoft. The velocity of propagation increases steadily, requiring ever shorter response times from system administrators. A recent example is the Sasser worm, which exploits a known weakness of the Windows operating system (see Section 3.10).


3.3 Trojan Horses

Trojan horses are programs which, in addition to apparently useful features, contain undocumented, harmful functions that are executed independently of the computer user and without their knowledge. Unlike computer viruses, Trojan horses cannot spread on their own.[3]

In most cases, Trojan horses serve to obtain secret passwords or other information from the target computer. Almost all known Trojan horses open a service on the infected computer without the user's knowledge, allowing an attacker to operate the computer remotely. Once the attacker has obtained the relevant passwords, he can control and modify the computer's functions through this remote access.

3.4 Denial of Service Attacks

In contrast to viruses, worms and Trojan horses, which propagate themselves independently, manual attacks generally focus on immediately disturbing the functions of the target computer. A denial of service attack seeks to degrade the availability of data and of the IT system. This type of attack bombards the target computer with useless data packets until it is no longer able to perform its specified function (e.g., control and monitoring of production systems). The massive flow of data can crash the system.

Figure 4: Denial of Service Attack (several sources flood a server with useless data packets until communication with it is no longer possible)


3.5 Electronic Eavesdropping

One means of obtaining passwords is "sniffing" on the network. Many common protocols running over TCP/IP, such as HTTP, FTP and Telnet, transmit information, including passwords, in plain text. Using a network analyzer, an attacker can record the traffic and thus obtain access data for the control computer. Encrypting the connection prevents this; in practice, however, this measure is seldom used.
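The following Python program is added here as an illustration and is not part of the original white paper. It shows what a passive listener actually recovers from a reassembled client-to-server stream: it searches for the FTP USER/PASS commands and the HTTP Basic Authorization header, the two cases in which the password is a self-contained field of the protocol. The streams, addresses and credentials are constructed for the example.

```python
"""Recover credentials from plaintext protocol streams (added example).

Input is the client-to-server byte stream as a sniffer such as tcpdump or
Wireshark would reassemble it.  FTP sends USER and PASS as separate commands;
HTTP Basic authentication sends user:password base64-encoded, which is an
encoding, not encryption.  Telnet is just as exposed, but a typical client
sends the login one keystroke per segment, so it is left out of this parser.
"""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Leak:
    protocol: str
    username: str
    password: str


# USER on one line, PASS on a later line of the same stream (lazy, no DOTALL).
FTP_LOGIN = re.compile(r"^USER (\S+)\r?\n(?:.*\r?\n)*?PASS (\S+)", re.M)
HTTP_BASIC = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.M | re.I)


def find_leaks(stream: str) -> list:
    """Return every credential pair visible in one client-to-server stream."""
    leaks = []
    for m in FTP_LOGIN.finditer(stream):
        leaks.append(Leak("ftp", m.group(1), m.group(2)))
    for m in HTTP_BASIC.finditer(stream):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # malformed header, not a usable credential
        user, sep, password = decoded.partition(":")
        if sep:
            leaks.append(Leak("http-basic", user, password))
    return leaks


def audit_capture(streams: dict) -> dict:
    """Map connection -> leaks for every connection that exposed a credential."""
    result = {}
    for connection, stream in streams.items():
        leaks = find_leaks(stream)
        if leaks:
            result[connection] = leaks
    return result


# Constructed sample: three client streams to a control computer at 10.0.5.10.
SAMPLE_STREAMS = {
    "10.0.5.21->10.0.5.10:21": "USER robot\r\nPASS kuka1234\r\nPWD\r\n",
    "10.0.5.22->10.0.5.10:80": (
        "GET /status HTTP/1.1\r\nHost: ctrl1\r\n"
        "Authorization: Basic b3BlcmF0b3I6c2VjcmV0\r\n\r\n"
    ),
    # An SSH session: after the banner the sniffer sees only ciphertext.
    "10.0.5.23->10.0.5.10:22": "SSH-2.0-OpenSSH_3.8\r\n\x14\x8a\x02...",
}

if __name__ == "__main__":
    for connection, leaks in audit_capture(SAMPLE_STREAMS).items():
        for leak in leaks:
            print(f"{connection}: {leak.protocol} {leak.username}/{leak.password}")
```

Run against the constructed sample, the FTP and HTTP connections give up the operator credentials, while the SSH connection yields nothing, which is the practical argument for the encrypted alternatives (SFTP, HTTPS, SSH instead of Telnet) on the control computer.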

3.6 Attacks via NetBIOS/DCOM Shares

3.6.1 NetBIOS

Under Windows, NetBIOS resources can be reached via the DNS name or IP address. If a local drive on the target computer has been shared without restrictions, the command "net use" gives access to the contents of this drive from the entire local network; only the name or IP address of the target computer is required. In addition to limiting access rights, this type of attack can be prevented by using a firewall which allows access only from certain computers.

3.6.2 DCOM

The Distributed Component Object Model (DCOM) is a protocol that lets installed software communicate directly across the network. Access via DCOM is performed similarly to HTTP access. If this service is activated on the target computer and is not protected by an additional firewall, any program can access the computer via DCOM. Under Windows the DCOM service is activated by default. Many recently propagated worms attack the DCOM interface of a Windows PC and replicate themselves using DCOM. If the DCOM service must be used, patches must be applied to the terminal in order to close known security gaps. In general, these patches are provided by the operating system vendor; the system administrator is responsible for keeping them current.


3.7 Browser Hijacking

Browser hijacking diverts the browser to a different page than the one requested. The settings of Internet Explorer are modified so that the wrong page is displayed when the browser starts. Most hijacker variants change values in the Windows registry, thus permanently changing the behavior of Internet Explorer; active content (JavaScript or ActiveX components) is usually involved. In addition to the changes to Internet Explorer, a Trojan horse is frequently installed which, for example, steals passwords. Hijacking plays no role in manufacturing networks as long as direct access to the Internet has been blocked, since communication then takes place only within the company. Otherwise, internal web servers must be treated as described in Section 3.9.

3.8 Microsoft Browser Attacks

This involves the exploitation of browser weaknesses. As in hijacking, browser settings are modified and additional spy software (a Trojan horse) is installed.

3.9 Attacks on the Microsoft IIS Web Server

There is a particularly high risk of this type of attack due to the world-wide use of the Microsoft IIS server. A firewall can ward off many attackers; access to the server via HTTP or HTTPS must be permitted, however. Many risks can be prevented if the administrator performs the following:

• Installing Windows updates
• Removing the default web page (empty start page)
• Uninstalling all unused services and protocols
• Permanently monitoring the running services
• Controlling write access to the server
• Using complex passwords
• Eliminating or restricting shares
• Deactivating NetBIOS
• Not operating with administrator rights
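The items "uninstall unused services", "permanently monitor the running services" and "deactivate NetBIOS" above, together with the NetBIOS and DCOM ports from Section 3.6, can be checked mechanically. The Python program below is an added example and not from the white paper: it parses the output of the Windows command "netstat -an" (the sample output is constructed), compares the listening ports with an approved baseline for the host, and names the NetBIOS, SMB and DCOM listeners the paper recommends closing. The baseline ports are an assumption for the example; a control computer's real baseline comes from its documented services.

```python
"""Audit a host's listening ports against an approved baseline (added example).

Feed it the text of "netstat -an" from the control computer.  Every TCP
socket in state LISTENING and every UDP socket is treated as a listener; a
listener that the baseline does not approve is a finding.  Ports discussed in
sections 3.6 and 3.9 are labelled so the report says what they are.
"""
import re

# Ports the white paper singles out (labels are only for the report).
KNOWN_RISKY = {
    135: "DCOM / RPC endpoint mapper",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
    445: "SMB over TCP (LSASS / Sasser scan target)",
}

# Proto, local address:port, foreign address, optional state.  Fields are
# separated by spaces or tabs only, so the pattern cannot run onto the next line.
NETSTAT_LINE = re.compile(
    r"^[ \t]*(TCP|UDP)[ \t]+(\S+):(\d+)[ \t]+(\S+)(?:[ \t]+(\S+))?", re.M
)


def parse_listeners(netstat_output: str) -> set:
    """Return {(proto, port)} for TCP LISTENING sockets and all UDP sockets."""
    listeners = set()
    for proto, _local, port, _remote, state in NETSTAT_LINE.findall(netstat_output):
        if proto == "TCP" and state != "LISTENING":
            continue  # established or time-wait connections are not exposure
        listeners.add((proto.lower(), int(port)))
    return listeners


def audit_listeners(listeners: set, baseline: set) -> list:
    """One finding per listener the baseline does not approve, sorted by port."""
    findings = []
    for proto, port in sorted(listeners - baseline, key=lambda p: (p[1], p[0])):
        label = KNOWN_RISKY.get(port, "not in baseline")
        findings.append(f"{proto}/{port}: {label}")
    return findings


# Assumed baseline for a control computer that only serves its status page.
CONTROL_PC_BASELINE = {("tcp", 80)}

# Constructed "netstat -an" output from a Windows control computer.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
  TCP    10.0.5.10:139          0.0.0.0:0              LISTENING
  TCP    10.0.5.10:80           10.0.5.22:1044         ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    10.0.5.10:138          *:*
"""

if __name__ == "__main__":
    for finding in audit_listeners(parse_listeners(SAMPLE_NETSTAT), CONTROL_PC_BASELINE):
        print(finding)
```

A baseline is what makes the unknown listener visible: in the sample, port 5554 carries no label, but it is reported simply because nothing approved it, which is the kind of change that "permanent monitoring of the running services" is meant to catch. Run the comparison at a fixed interval and treat any new finding as an incident to investigate, not a report to file.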


3.10 Example: Sasser worm

This worm does not spread via e-mail messages; instead it scans port 445/TCP for systems vulnerable to the LSASS (Local Security Authority Subsystem Service) weakness. The IP addresses are chosen randomly, so a wide variety of address ranges is affected. The worm compromises a new system via the LSASS weakness and then has the new system download the worm code from an FTP server which the worm has installed for this purpose on the already infected system; this FTP server listens on port 5554. In addition, the worm opens a back door on other ports (e.g., 9996). Spontaneous rebooting is a symptom of an infected system; failed infection attempts may also cause a restart.

Three protective measures may be used against the Sasser worm; they are also effective against other attacks:

1. Use of current virus signatures
2. Opening only required services on the firewall
3. Timely application of required patches

The LSASS weakness has been known since April 13, 2004; 16 days after its discovery, worm variants exploiting this vulnerability were found. In comparison, 26 days elapsed between the discovery of the weakness exploited by the Blaster worm and the worm's appearance in August 2003. This shows that the propagation velocity of worms across the Internet is increasing and that there is barely time to keep virus signatures current. Procedures must therefore be developed so that patches need not be installed immediately, keeping production downtime to a minimum. This is discussed in detail in Section 8.3.
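The propagation behaviour described above can be turned into a detection rule for the connection log of a firewall or a switch with flow export. The Python program below is an added example, not part of the white paper: it reads constructed connection-log lines, flags any host that opens connections to 445/TCP on many distinct addresses within a short window (the LSASS scan), and records every connection to 5554/TCP or 9996/TCP (the worm's FTP server and back door), which identifies both the newly infected machine and the machine that infected it. The log format, addresses, window and threshold are assumptions for the example.

```python
"""Detect Sasser-style propagation in connection logs (added example).

A scanning host is one that contacts 445/TCP on at least THRESHOLD distinct
addresses within WINDOW_S seconds.  A connection to 5554/TCP or 9996/TCP is a
worm-code transfer: the victim connects back to the host that exploited it, so
the source is the newly infected machine and the destination the infector.
"""
import random
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format: ISO timestamp, then key=value fields (constructed for the example).
LOG_LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
SCAN_PORT = 445
WORM_PORTS = {5554: "ftp-transfer", 9996: "back-door"}
WINDOW_S = 60
THRESHOLD = 20


def parse_log(lines):
    """Yield (timestamp, src, dst, dport) for each well-formed line; skip the rest."""
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def detect_scanners(lines, window_s=WINDOW_S, threshold=THRESHOLD):
    """Return {src: distinct 445/TCP targets in its busiest window} for sources over threshold."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse_log(lines):
        if dport == SCAN_PORT:
            by_src[src].append((ts, dst))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            # distinct destinations in the window that opens at this event
            targets = {dst for ts, dst in events[i:] if (ts - start).total_seconds() <= window_s}
            best = max(best, len(targets))
        if best >= threshold:
            scanners[src] = best
    return scanners


def detect_transfers(lines):
    """Return (newly_infected, infector, kind) for every connection to a worm port."""
    return [(src, dst, WORM_PORTS[dport])
            for _, src, dst, dport in parse_log(lines) if dport in WORM_PORTS]


def constructed_log():
    """Build a sample log: one benign SMB client, one scanning host, one transfer."""
    rng = random.Random(2004)
    t0 = datetime(2004, 5, 1, 8, 0, 0)
    lines = []
    # Workstation 10.0.5.21 opens its file server share five times: same target, not a scan.
    for i in range(5):
        lines.append(f"{t0.replace(second=i).isoformat()} src=10.0.5.21 dst=10.0.5.10 dport=445 proto=tcp action=accept")
    # Infected 10.0.5.31 probes 25 random addresses in 25 seconds (last octet keeps them distinct).
    for i in range(25):
        dst = f"{rng.randrange(1, 224)}.{rng.randrange(0, 256)}.{rng.randrange(0, 256)}.{i + 1}"
        lines.append(f"{t0.replace(second=i + 1).isoformat()} src=10.0.5.31 dst={dst} dport=445 proto=tcp action=drop")
    # The newly exploited 10.0.5.40 fetches the worm from 10.0.5.31's FTP server.
    lines.append(f"{t0.replace(second=40).isoformat()} src=10.0.5.40 dst=10.0.5.31 dport=5554 proto=tcp action=accept")
    return lines


if __name__ == "__main__":
    log = constructed_log()
    print("scanners:", detect_scanners(log))
    print("transfers:", detect_transfers(log))
```

The distinct-destination count is what separates a worm from a legitimate SMB client: the workstation in the sample makes as many 445/TCP connections as some scan windows, but always to the same file server. Since the paper recommends an escalation procedure that names who may disconnect a system, a hit from detect_scanners is the natural trigger for that procedure, and the infector in a detect_transfers hit is the host to isolate first.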


4 KUKA Security Strategy

The use of Ethernet in automation engineering takes advantage of products and processes which formerly were available only in the office environment. Previously, robot controllers were operated entirely over separate systems (fieldbuses) with no transfer point or link to the "office world." By merging the two network areas, the problems of an office network (threats from viruses, worms, outside attacks, etc.) have started to affect the production network. It is now imperative to adapt security measures and create a consistent, uniform security concept, and all participants must be included in its development. The implementation of Ethernet in automation engineering also brings numerous advantages: expertise from other areas (e.g., the IT department) can be utilized, and technologies that have long been in use in the office network can now be applied.

• Shifting to standard network and standard PC components has led to cost savings (economical solution).

• Online information (e.g., current production capacity) is available to a selected group of users.

• Active access to materials management and HR planning via the online information.

Using these new opportunities while maintaining the security of the production network requires measures by both the component manufacturer and the system operator. As a strategy for responding to the new situation, KUKA has developed a "Lines of Defense" security concept.

Figure 5: KUKA Lines of Defense (between potential attackers and the production system: 1st Line of Defense, Consulting; 2nd Line of Defense, Communication; 3rd Line of Defense, Network; 4th Line of Defense, Component)


KUKA is convinced that an integrated security concept can be implemented only through the interaction of all concerned parties. The Lines of Defense include:

• Consulting: In the 1st Line of Defense, the customer is provided, during planning and implementation of production lines, with general recommendations and concrete support in responding to relevant security problems. The customer (system integrator or operator) is thus actively supported with consulting expertise from KUKA and DS DATA SYSTEMS in the field of security.

• Communication: In the 2nd Line of Defense, communication channels are set up between KUKA and the customer. These channels carry information between manufacturer and customer regarding virus definition updates and system patches. This Line of Defense also covers escalation management, which specifies which customer employees have the right to disconnect a system from the network in the event of a security-related incident, and who is authorized to test new patches.

• Network: In the 3rd Line of Defense, the relationship between the production network and the office environment is delineated. KUKA makes recommendations regarding network security which the system operator has to accommodate.

• Component: In the 4th Line of Defense, KUKA implements component security. This includes measures on the part of the system integrator designed to make the system resistant to outside threats.

Implementing these Lines of Defense, technically and organizationally and through the cooperation of all involved, will lead to increased overall security in the manufacturing environment.


5 Technology Consulting: Ethernet – the next Step

In the 1st Line of Defense KUKA provides know-how to the customer. This includes the justification for the move away from the fieldbus as well as an explanation of how to deal with the new threats in the Ethernet environment. Future developments in production processes will pose new challenges to the network as well as to the merging of the various software processes from ordering a product to its manufacture. Currently there is a significant gap between ERP systems on the one hand and production control systems on the other. This means that at present employees in the manufacturing environment are forced to process ERP system data manually, or at best semi-automatically, at several stages in order to prepare the data for further processing by the production system. Such a process carries risks for data integrity as well as for the speed at which the data can be processed.

The interval between a customer order and production and/or shipment of a product can be significantly reduced through process optimization. For this reason KUKA is working on integrating production control into the ERP system. A group of functions previously managed by the Manufacturing Execution System (MES) is broken down by this solution and assumed by the robots and the ERP system. The result is a reduction of interfaces and consequently of the Total Cost of Ownership (TCO). The possibility of optimizing production processes in a single step from ordering to manufacturing a product is highly desired by manufacturing plants. For example, shortening the turnaround time is essential in order to avoid relying upon a large inventory for production. Modifications to product configuration must be possible right up until the start of production of a component. This necessitates an assured and readily available link between the ERP and production systems, since the required data must be available to the other system in a timely fashion.

In the future, manufacturing systems will no longer consist of individual robots functioning independently, but of robot groups that function as a production unit. The robots within a production unit will communicate and cooperate flexibly and dynamically to perform concrete production tasks. The direct connection between the robot group and the ERP system will allow production data such as materials lists, production plans, assembly procedures or configuration data to be interpreted and fed into production. In order to network robot and ERP system, the physical infrastructures must communicate directly with one another, without the detour through the fieldbus system. Ethernet technology will form the basis for the convergence of the physical structures. Over the years Ethernet has demonstrated its effectiveness in office communication and is considered a mature technology. In addition, existing expertise in the IT department can be used without having to build up know-how separately in the manufacturing departments.

Merging the production areas with the office environment offers additional synergies with regard to maintenance scenarios and web portals. When performing robot maintenance, the manufacturer can access the robot directly, even externally (for example via a secure Internet connection with strong authentication), without requiring an on-site expert. This results in a faster response time and therefore increased availability of the individual components. A further scenario is the use of process and field information, which currently must be obtained at considerable expense and is error-prone. Automatic data preparation is conceivable, with the data then processed automatically to meet the production area's requirements for quality assurance and production data archiving.

The advantages of networking bring related risks: hazards posed by viruses, worms and attackers. In order to provide the best possible protection, KUKA has been working with Microsoft to secure Windows XPe (embedded) against attacks of all types. This alone will not suffice, since access protection within the company network must also be reinforced in production-related areas. The lack of real-time capability of Ethernet is of less importance here, since process-related communication between the relevant robots takes place via a real-time connection within the production cell. KUKA considers all other connection types as non-time-critical (see Section 7, "Recommendations for Network Security").


6 Escalation Management

In the 2nd Line of Defense KUKA provides an escalation management process with clearly defined interfaces. Because of the modifications KUKA has made to Windows XPe as described above, a virus signature or system patch is not released to a customer without prior testing.

Figure 6: KUKA Escalation Management Workflow (participants: KUKA Roboter, developer, customer; steps: security-critical event → KUKA tests the virus pattern or system patch → developer prepares a new patch → test preparation, test successful → KUKA ships the patch with information and installation instructions to the customer → propagation)

KUKA tests patches released by the manufacturer for compatibility with VxWin and the robot controller. Once the tests have completed successfully, the patches are made available to the customer together with related modifications and altered virus patterns, if any.


7 Recommendations for Network Security

The 3rd Line of Defense provides an examination of the network structure. The security of a production environment depends on the interaction of the security settings of all machinery and components engaged in the manufacturing process. In order to implement a security concept that meets the requirements, it is not sufficient to take into account only the security functions of the components. The components function in a networked environment with all its advantages and risks, so the entire environment must be considered. An effective security concept must include the network structure and must not be based solely upon the security of the connected components. Since each network has its own characteristics, a generally applicable recipe for creating a secure production network cannot be provided. The following therefore gives an overview of a secure production network based upon a model solution developed by KUKA and DS DATA SYSTEMS.

Figure 7: Model Cell (operator station, PLC and technology control with separate RT and NRT paths and a modem; NRT services: WEB, PLC, RDP, OPC, BKP, SP; BKP and OPC use proprietary protocols)

Real-time (RT) communication within a cell uses separate communication paths, independent of the Ethernet, since particularly important data of the individual robots, such as position vectors, are exchanged among the robots. Non-real-time (NRT) communication is via Ethernet, since the time at which the packets arrive is not critical.


Figure 8: Model Production Structure (Line 1 and Line 2..n, each with Cell 1, Cell 2, a line OS and a line PLC; each cell with RT and NRT paths and a modem; the lines joined by a router to the LAN structure with ERP, BKP, PPS and databases, office PCs of the office network and notebooks of outside companies)

Figure 8 shows a segmented production structure model. Several cells are combined into one production line, and the overall production is composed of several such individual lines. There is one operator station (OS) with a PLC per line. The lines communicate with one another and with other components over Ethernet (non-real-time). This also allows employees to reach the controllers from the office network or from the notebook area. With this arrangement central components such as the ERP system, databases and backup servers need to be provided only once, which saves further cost since all production-related controllers can access the same database structure. The cloud symbol represents the network outside the lines, which is described in the following sections.


7.1 General Network Design

The design of a manufacturing environment is considered here with respect to security aspects. The model cells and their structure described above are presented below in graphically abstracted form.

Figure 9: Logical Layout of the Network Structure (Internet → Internet firewall with DMZ 1 for the central web server and for remote access, e.g. a VPN connection via IPsec → office communication network with secure DMZ → production network firewall with DMZ 1 for maintenance access and DMZ 2 for the production network server → production network → router → Line 1 and Line 2 with their control computers)


In many companies, the office communication network is protected by an Internet firewall. This firewall possesses a DMZ (Demilitarized Zone) containing all the publicly accessible company information servers. In some cases it is possible to connect to the company network using a VPN. A second firewall must be used in order to provide a separation between the office communication network and the production network. Additional DMZs may be used here, for example, to provide access for maintenance.

7.2 Segmentation

Consolidation of several (model) cells into a single line is done with the goal of optimizing production control: processes that build upon one another are combined into one production line. Since communication within a line should be impaired as little as possible, the network must be segmented into separate broadcast domains. This prevents broadcast traffic from flooding the complete production network. Such traffic can be caused by a defective network card, for example; the other network devices are then busy responding to broadcast requests, so that under some circumstances the required communication within the broadcast domain is no longer possible. A broadcast domain always terminates at a router. It is advisable to make the IP subnet structure identical to the broadcast-domain structure of the network.

Figure 10: Segmentation of the Production Network (production network firewall → router → Segment 1, Segment 2 and Segment 3 for Line 1, Line 2 and the control computers)


Segmenting the network maps the production structure onto the network. Network failures may still occur within a broadcast domain, but they are not propagated to the whole production network; interruptions remain local and do not degrade the entire production network. In addition to restricting broadcasts, routers can also filter packets at the IP level. This is a useful complement to the upstream firewall systems, since the firewall has no influence on traffic between the lines. Access control lists (ACLs) on the router prevent unauthorized data traffic between the individual lines.

Redundancy and redundancy mechanisms must be considered for central and particularly important areas. The spectrum of redundancy mechanisms ranges from manual intervention to fully automatic switch-over. No general statement can be made about which variant is advisable for a specific production area; redundancy mechanisms must be adapted to the existing technical and organizational conditions. The simplest option for providing redundancy is to keep replacement components for network and server systems on hand. Redundant server components can be linked using various automated redundancy mechanisms; on the other hand, these additional components are also further sources of failure and points of attack. In practice a compromise between redundancy and security mechanisms must therefore be found. This is described in detail in Section 7.10.


7.3 Segregation of Production and Office Communication Networks

A firewall must separate the office communication network from the production network. Only in this way can access from the office network into the production network be securely enabled for a limited group of employees. A communication matrix must be created in order to derive the required firewall settings: which systems communicate with each other, using which protocol and port? Every flow not listed in the matrix is denied.
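As an added example (not code from KUKA or DS DATA SYSTEMS), the following Python turns such a communication matrix into a default-deny policy. It serves both the production network firewall discussed here and the router ACLs between the lines from Section 7.2; the zones, address ranges, ports and rule syntax are assumptions chosen for illustration.

```python
"""Communication matrix rendered as a default-deny policy for the production network
firewall and for the router ACLs between the lines. Added example, not code from
KUKA or DS DATA SYSTEMS; zones, addresses and ports are constructed."""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional

# Constructed zone plan (assumption: one IP subnet per broadcast domain, as 7.2 advises).
ZONES = {
    "office": ip_network("10.1.0.0/16"),
    "dmz_maint": ip_network("10.2.1.0/24"),      # DMZ 1: maintenance notebooks
    "dmz_prod_srv": ip_network("10.2.2.0/24"),   # DMZ 2: proxy, update and syslog servers
    "line1": ip_network("10.3.1.0/24"),
    "line2": ip_network("10.3.2.0/24"),
}


class Rule(NamedTuple):
    src: str    # initiating zone
    dst: str    # destination zone
    proto: str  # "tcp" or "udp"
    port: int   # destination port


# The communication matrix: who must talk to whom, with which protocol and port.
# Only the initiating direction is listed; replies are handled by the stateful
# firewall. Anything absent from this list is denied.
MATRIX = [
    Rule("office", "dmz_prod_srv", "tcp", 3389),  # RDP to the proxy server only
    Rule("dmz_maint", "line1", "tcp", 3389),      # maintenance notebooks to line 1
    Rule("dmz_maint", "line2", "tcp", 3389),
    Rule("line1", "dmz_prod_srv", "tcp", 80),     # virus pattern download
    Rule("line2", "dmz_prod_srv", "tcp", 80),
    Rule("line1", "dmz_prod_srv", "udp", 514),    # syslog to the central server
    Rule("line2", "dmz_prod_srv", "udp", 514),
]


def zone_of(addr: str) -> Optional[str]:
    """Map an address to its zone; None for anything outside the plan."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """Default deny: a flow passes only if a matrix entry covers it exactly."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        return True  # stays inside one broadcast domain; never reaches firewall or router
    return Rule(src, dst, proto.lower(), port) in MATRIX


def render_rules() -> List[str]:
    """Vendor-neutral rule list in installation order: the matrix permits, then an
    explicit logged deny, so that unexpected traffic shows up in the Syslog."""
    rules = [f"permit {r.proto} {ZONES[r.src]} -> {ZONES[r.dst]} dport {r.port}"
             for r in MATRIX]
    rules.append("deny ip any -> any log")
    return rules


if __name__ == "__main__":
    print("\n".join(render_rules()))
    print(is_allowed("10.1.5.7", "10.2.2.10", "tcp", 3389))  # office -> proxy: True
    print(is_allowed("10.1.5.7", "10.3.1.20", "tcp", 3389))  # office -> line 1 directly: False
```

The point of the matrix is what it leaves out: an office PC reaching the proxy in DMZ 2 is permitted, the same PC reaching a line controller directly is not, and a controller in line 1 talking to line 2 is stopped by the router ACL even though the firewall never sees that traffic.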

Figure 11: Segregation of Networks (office communication network → firewall with DMZ 1 for maintenance access and DMZ 2 for the production network server → production network → router → Line 1 and Line 2 with their control computers)

The great majority of unauthorized accesses to production network resources come from company employees; Internet firewalls are ineffective against this. The firewall to the production network must offer the following features:

• Flexible configuration options; settings via a graphical user interface
• System stability (redundancy mechanisms) depending upon the required recovery time
• Sufficient performance
• Central logging of connections
• Manufacturer support


Operating a firewall requires some organizational definitions within the relevant department. Of prime importance is the question of responsibilities: who may modify firewall rules, for example after a security event, who must be informed, and who makes the decisions? Further, the process for adopting and releasing rules should be clarified, together with how it is integrated into the organizational structure of the company. To increase IT security, several so-called demilitarized zones (DMZs) can be set up on the production network firewall.


7.4 Remote Access

In this context, remote access refers to access to production systems for maintenance purposes, for example via the Internet using a strongly encrypted VPN connection. The connection uses the IPsec protocol, within which all IP protocols can be tunneled. This allows easily eavesdropped protocols such as Telnet or FTP to be transported across the Internet over a secure connection: sniffing the connection yields nothing, since the data are encrypted and thus protected against unauthorized access. Note that the tunnel protects only the path between the VPN endpoints; inside the production network, and on the endpoints themselves, Telnet and FTP traffic remains in clear text. Communication over dial-up connections and dedicated lines should also be encrypted whenever sensitive data are transmitted. Normally, strict user authentication is performed on the company's firewall, and the data stream is released towards the office communication network only after the user has been successfully authenticated.

Figure 12: Remote Access (remote access, e.g. via VPN → Internet → company firewall, VPN connection via IPsec → office communication network → production firewall with DMZ for the production network → proxy server with production applications, logical connection to the control computers → router → Line 1 and Line 2)


Access is frequently via a proxy server with clearly defined ports. If additional authentication is required on the proxy server, two security levels must be passed in this communication path before the user can open an application in the production network. This setup hinders the transmission of viruses and worms by the employee of a maintenance company, since no data can be transferred from outside into the internal network: the user can only use the functions of the proxy server (via remote desktop applications) in order to operate the controllers in the production environment. For this to hold, the file transfer features of the remote desktop protocol, such as drive and clipboard redirection, must be disabled on the proxy server. The company operating the network, not an outside firm, is responsible for keeping the virus scanner and the operating system patches on the proxy server up to date.

7.5 Maintenance Access

Maintenance access refers to access to the production system using a notebook computer within the production network. Maintenance access must be possible only within the related network segment (e.g., a VLAN, virtual LAN); see Section 7.2, Segmentation. This access must be secured using strict authentication and performed from an internal DMZ through a firewall. This restricts access according to the operator's specifications, so that the maintenance company may only reach those systems for which it has been hired to perform maintenance.

Figure 13: Maintenance Access (DMZ 1 for maintenance access at the production network firewall → production network → Line 1, Line 2 and the control computers)


Segregating maintenance access into a separate DMZ prevents, or at least hinders, the spread of worms across the network. In addition, some firewalls offer the option to filter content (e.g., worms, JavaScript, ActiveX); defining this interface at the outset allows such filtering to be added later. In the maintenance DMZ, only those IP addresses may be used which are directly controlled and issued by the operator. This permits a check as to which maintenance company used which IP address, and the firewall's integrated logging allows all actions by outside companies to be reviewed after the fact. Automatic address assignment (e.g., DHCP) would defeat this measure and would weaken the level of security. The use of notebook computers in the manufacturing environment poses the risk of spreading viruses and worms; setting up a maintenance DMZ minimizes this risk. On the one hand, there is no direct access from this DMZ to other segments of the production network; on the other hand, protocols not required for communication are blocked by the firewall, so that a number of ports which could be used for spreading viruses are closed.


7.6 Security on the Port and MAC Level

Another way of increasing the security of the production network is to implement port security on the active components of the production network. All ports not actively in use are administratively deactivated on the switches, so that network access through an unauthorized hook-up to a network connection is actively hindered. MAC address security must be used for all ports in use: the MAC addresses of all known terminals are recorded and stored on the relevant switch port. If a device is unplugged and a notebook connected in its place, the switch recognizes the change of MAC address and blocks the port. Since a MAC address can be set freely by an attacker, this is a barrier against casual connection rather than an authentication of the device.

Figure 14: Security on the Port Level using MAC Level (laptop ↔ switch; connection is permitted only after the MAC address is verified)

If blocking the port is not desirable, there is the option to send a warning message to the system administrator, who can then initiate further action. To avoid storing MAC databases on network components, EAP (Extensible Authentication Protocol) offers an alternative: authentication on a central server using IEEE 802.1X and RADIUS (Remote Authentication Dial In User Service). An EAP client (supplicant) must be installed on the terminals, however. The advantages are the centralization of authentication on a dedicated server and flexibility, since devices can log on at all participating switch ports. A disadvantage arises with printers, since only few printers support EAP. Equally problematic is the use of hubs, since several EAP clients are then connected to the same switch port via the hub, and EAP permits only one authenticated client per switch port.

Figure 15: Security on the Port Level using EAP (laptop ↔ switch via EAP over 802.1X; switch ↔ RADIUS server via EAP over RADIUS; result Accept / Deny)


7.7 Distribution of Virus Signatures

Distribution of new patterns to update the virus scanner on the control computers should take place centrally using a separate server for the production network. This computer can be specially secured in a DMZ of the production network firewall. Such placement ensures that the control computers can obtain updates only from one specified, secure source. This server must likewise be secured using a virus scanner, preferably from a different manufacturer. Use of a second provider offers an additional security aspect, since providers produce virus patterns at different rates. In addition, the anti-virus program used by the update server requires no special attention by KUKA, since the providers can configure the updates directly. The update server for the production network obtains its updates from the central company server or communicates directly with the corresponding server of the update provider. In both cases the data flow must be controlled via the firewall.

To ensure that the pattern is not changed during transmission over a medium outside the operator's control, the virus pattern provider can publish MD5 hash values, so that the correctness of the patterns can be checked on the customer's update server by an integrity check. Such a check only detects a modification if the hash value itself reaches the update server over a channel the attacker cannot rewrite as well; a hash published next to the file on the same download path protects against transmission errors but not against deliberate substitution of file and hash together. MD5 is named here because it is what providers published; collisions for MD5 have since been demonstrated, and a SHA-2 digest should be preferred. Encrypting the file is another way to secure the virus pattern during transmission. If the file is encrypted, a secure password must be used: at least eight characters, including several special characters and numbers. Passwords which might be found in a dictionary are to be avoided absolutely, since password cracking tools routinely start with a dictionary attack.
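The integrity check described above, as an added Python example that is not code from KUKA, DS DATA SYSTEMS or a pattern provider. It verifies the published digest of a downloaded pattern in constant time and, going beyond the text, adds an HMAC with a key shared with the provider, which is what catches a file that was swapped together with its published hash; the sample pattern, the tampered copy and the key are constructed for the example.

```python
"""Integrity check of a downloaded virus pattern before it is released to the control
computers. Added example, not code from KUKA, DS DATA SYSTEMS or any pattern provider.

Two checks are shown:
  * a bare digest (MD5 as named in the text, or SHA-256): only meaningful if the
    expected digest reached the update server over a channel the attacker cannot
    rewrite together with the file;
  * an HMAC over the file with a key shared with the provider (assumed to be agreed
    out of band), which also rejects a file and tag substituted together in transit.
The sample pattern, the tampered copy and the key are constructed for this example."""
import hashlib
import hmac
from typing import Optional

DIGESTS = {"md5": hashlib.md5, "sha256": hashlib.sha256}


def digest_of(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of the pattern file with the selected algorithm."""
    if algo not in DIGESTS:
        raise ValueError(f"unsupported digest {algo!r}")
    return DIGESTS[algo](data).hexdigest()


def verify_digest(data: bytes, expected_hex: str, algo: str = "sha256") -> bool:
    """Compare in constant time so the comparison itself leaks nothing."""
    return hmac.compare_digest(digest_of(data, algo), expected_hex.strip().lower())


def make_tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag as the provider would compute it over the file."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(data: bytes, tag_hex: str, key: bytes) -> bool:
    return hmac.compare_digest(make_tag(data, key), tag_hex.strip().lower())


def release_pattern(data: bytes, expected_hex: str, algo: str = "sha256",
                    key: Optional[bytes] = None, tag_hex: Optional[str] = None) -> bool:
    """Gate used by the production update server: True only when every available
    check passes. A failed check refuses the release; it never raises."""
    if not verify_digest(data, expected_hex, algo):
        return False
    if key is not None and (tag_hex is None or not verify_tag(data, tag_hex, key)):
        return False
    return True


# Constructed sample: a "pattern" blob and a copy with a single bit flipped.
PATTERN = b"KUKA-PATTERN-FILE v1\n" + bytes(range(256))
TAMPERED = PATTERN[:30] + bytes([PATTERN[30] ^ 0x01]) + PATTERN[31:]
SHARED_KEY = b"example-shared-key-agreed-out-of-band"  # assumption, not a real key

if __name__ == "__main__":
    good = release_pattern(PATTERN, digest_of(PATTERN), key=SHARED_KEY,
                           tag_hex=make_tag(PATTERN, SHARED_KEY))
    bad = release_pattern(TAMPERED, digest_of(PATTERN), key=SHARED_KEY,
                          tag_hex=make_tag(PATTERN, SHARED_KEY))
    print(good, bad)  # True False
```

The instructive case is a tampered file delivered with a matching, recomputed digest: the bare digest check accepts it, the HMAC check does not, because the attacker on the transport path does not hold the key.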


Figure 16: Distribution of Virus Signatures (virus pattern server of the provider, e.g. KUKA → Internet → company firewall → central virus update server in the office communication network → production network firewall with DMZ 2, virus update server for the production network → control computers in Line 1 and Line 2)

Updating virus signatures requires special attention by the person responsible. On the one hand, an up-to-date anti-virus program protects the components; on the other hand, the components frequently have to be rebooted, resulting in production down-time. Special down-time arrangements must therefore be made.


7.8 Logging

Logging offers the ability to identify attempts to attack the production network. For this the firewall and router must offer comprehensive record keeping. Most network components can send their log data using the Syslog protocol. The Syslog data must be collected on a common Syslog server to allow the log files of all network components to be evaluated together. The log files of the various firewall providers, unlike those of network equipment suppliers, are generally proprietary and cannot be evaluated together with Syslog data without additional processing; with appropriate tools, however, the data can be converted for further processing. With logging enabled on the firewall, attempts to connect to the production computers can be traced later. It is not possible to determine after the fact which switch port a notebook computer used, since under normal circumstances the switch's MAC address table ages out its entries after a few minutes. In order to tie connections to MAC addresses, MAC address security can be used, as described in Section 7.6.
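As an added example (not code from KUKA or DS DATA SYSTEMS), the following Python evaluates firewall records collected on the Syslog server to find sources that keep hitting closed ports on the production network. It assumes the firewall's proprietary log has already been converted into netfilter/iptables LOG style Syslog lines, one real format of that kind; the sample lines, the host names and the production address range are constructed.

```python
"""Evaluation of firewall log lines collected on the Syslog server: which sources
keep hitting closed ports on the production network? Added example, not code from
KUKA or DS DATA SYSTEMS. The firewall's proprietary log is assumed to have been
converted to iptables/netfilter LOG style lines in Syslog (one real format); the
sample lines and the production address range are constructed."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

PRODUCTION_NETS = [ip_network("10.3.0.0/16")]  # assumption: all lines live here

LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) kernel: (?P<action>DROP|ACCEPT) "
    r".*?\bSRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+)"
    r".*?\bPROTO=(?P<proto>[A-Z]+)"
    r"(?:.*?\bDPT=(?P<dpt>\d+))?"
)

# Constructed sample, as the Syslog server would receive it.
SAMPLE_LOG = [
    "<4>Jun 14 09:12:01 prodfw kernel: DROP IN=eth1 OUT=eth2 SRC=10.1.5.7 DST=10.3.1.20 LEN=60 PROTO=TCP SPT=51234 DPT=3389 SYN",
    "<4>Jun 14 09:12:02 prodfw kernel: DROP IN=eth1 OUT=eth2 SRC=10.1.5.7 DST=10.3.1.21 LEN=60 PROTO=TCP SPT=51235 DPT=3389 SYN",
    "<4>Jun 14 09:12:03 prodfw kernel: DROP IN=eth1 OUT=eth2 SRC=10.1.5.7 DST=10.3.1.22 LEN=60 PROTO=TCP SPT=51236 DPT=445 SYN",
    "<4>Jun 14 09:12:04 prodfw kernel: ACCEPT IN=eth3 OUT=eth2 SRC=10.2.1.10 DST=10.3.1.20 LEN=60 PROTO=TCP SPT=40001 DPT=3389 SYN",
    "<4>Jun 14 09:12:05 prodfw kernel: DROP IN=eth1 OUT=eth2 SRC=10.1.9.9 DST=10.3.2.5 LEN=60 PROTO=TCP SPT=33000 DPT=80 SYN",
    "<4>Jun 14 09:12:06 prodfw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.5.7 DST=10.1.0.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0",
    "<13>Jun 14 09:12:09 line1os operator station restarted",
]


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one firewall record, or None for any other Syslog line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pri"] = int(rec["pri"])
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] is not None else None  # ICMP has no port
    return rec


def in_production(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in PRODUCTION_NETS)


def analyse(lines: List[str], threshold: int = 3) -> List[dict]:
    """Count denied connection attempts per source towards the production network and
    report sources at or above the threshold, most active first."""
    denied: Dict[str, List[tuple]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "DROP" or not in_production(rec["dst"]):
            continue
        denied[rec["src"]].append((rec["dst"], rec["proto"], rec["dpt"]))
    report = [
        {"src": src, "denied": len(hits), "targets": len(set(hits)),
         "ports": sorted({p for _, _, p in hits if p is not None})}
        for src, hits in denied.items() if len(hits) >= threshold
    ]
    report.sort(key=lambda r: r["denied"], reverse=True)
    return report


if __name__ == "__main__":
    for entry in analyse(SAMPLE_LOG):
        print(entry)  # {'src': '10.1.5.7', 'denied': 3, 'targets': 3, 'ports': [445, 3389]}
```

In the sample, the office PC 10.1.5.7 probing three different controllers is reported, the accepted maintenance session from DMZ 1 and the single denied request from 10.1.9.9 are not, and the operator station's unrelated Syslog line is ignored by the parser rather than breaking the evaluation.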

7.9 Control Computer with its own Firewall – Using the Example of the Eagle Firewall

The Hirschmann company developed a firewall in April 2004 designed specially for the manufacturing environment. A similar product is also under development by Siemens.

Figure 17: Hirschmann Eagle Providing separate Security for individual Components (LAN → Eagle → PLC; Eagle → operator station; Eagle → robot)

With this security solution, Hirschmann is offering a firewall in DIN rail technology, installed directly before the controllers or before each robot. The firewall may be compared to a personal firewall, but with the advantage that it is not dependent upon the operating system of the individual robots. Firewall management can be accessed using the HTTPS protocol. A graphical user interface is used for all configurations (e.g., port blocks). Another application is the creation of encrypted cell communication using VPN technology.


A management tool for the firewall components is required in order to use the Eagle firewall at scale. Configuration via HTTPS remains practical only for small installations of roughly five DIN rail firewalls. If an environment comprising a hundred or more devices must be configured and monitored, central management is indispensable for administering the firewall rule sets. Individual circumstances and requirements will determine whether this approach is more economical for the operator than a central firewall.


7.10 Redundant Network Connections

Network availability must be considered in order to gain a complete picture. There are numerous procedures which increase network availability; they can be distinguished using the OSI model. The Rapid Spanning Tree Protocol (RSTP) serves as the example for Layer 2 (switching) and the Virtual Router Redundancy Protocol (VRRP) as the example for Layer 3 (routing). RSTP allows the use of redundant switch connections: if an active connection fails, the redundant connection is used, and the connection is restored within a short period.

Figure 18: Connection Path Redundancy on the Switch Level (two active connections and one redundant connection between the switches)

VRRP allows router redundancy; rapid switch-over is also possible in the event of component failure. Both physical routers are perceived by other network stations as one virtual router, and the remaining router takes over communication if one device fails.

Figure 19: Network Component Redundancy using VRRP

Common to both procedures is that they run as additional services on the components and, depending on the protocol, exchange information between the linked components. Both procedures are vulnerable: an attacker with access to the segment can read these protocol messages and inject his own, for example spanning-tree BPDUs to become the root bridge or VRRP advertisements to become the master router, thereby redirecting traffic or causing specific components to fail.


The two mechanisms described here are representative of a number of vendor-dependent procedures. Unless absolutely required, all unused mechanisms should be disabled on the active components. If specific procedures are required, then their security mechanisms (e.g., authentication or encryption of the protocol messages) must be checked; ports facing controllers and notebooks should additionally be configured so that the switch does not accept spanning-tree messages from them at all.

7.11 Intrusion Detection Systems

Intrusion detection systems (IDS) are an important component in an overall security concept. As a supplement to firewalls, VPNs and content security systems, intrusion detection systems monitor activities in the network and alert the administrator when known attack patterns are detected. Intrusion prevention systems (IPS) build upon IDS; in addition to alerting, they activate counter-measures such as blocking individual connections identified as attacks, without impairing other network traffic. Intrusion detection and prevention systems can be employed at strategic points in the network or operated as host-based systems directly on the servers to be protected.

7.12 Organizational Measures

Clear rules must be developed on the organizational side. In addition to selecting persons responsible for the operation of individual IT systems, work sequences must also be clearly defined. This includes granting and monitoring of entry and access rights, related training and awareness activities, development of escalation plans as well as the regular performance of emergency and disaster recovery drills. A significant portion of IT security depends upon a certain degree of discipline in operating IT systems. This starts with monitored use of removable data media and ends with regular visual inspection of all components together with removal of all unneeded network connections and accesses.


7.13 Summary: Secure Network – How?

There are numerous measures available to increase security in the network. These can only be described in general terms since customer requirements for the production network vary from case to case. Measures described here must therefore be adapted to individual circumstances. To this end, KUKA, in conjunction with DS DATA SYSTEMS, offers appropriate support. In general, the following steps to increase IT security may be identified.

[Figure 20 illustration. Zone structure: Internet; remote access (dial-up or VPN); Internet firewall; office communication network with secure DMZ (DMZ 1: central information server and maintenance access); production network firewall; DMZ 2: server for the production network; production network with control computers; router with redundant Line 1 and Line 2.]

Measures:

• Secure encryption of external connections
• Strong authentication
• Firewall on interface to the Internet
• Centralization of information servers in one DMZ
• Provision of services required for the production network
• Segregation of the office and production networks by an additional firewall
• Creation of a separate zone for access by outside companies
• Centralization of servers for production in one DMZ
• Production network segmentation
• Updating of virus patterns and OS patches
• Evaluation of hash values
• Log evaluation
• Monitoring of active ports
• Firewalls for systems requiring high security
• Creation of redundancies to avoid single points of failure

Figure 20: Overview – Introduction of IT Security in the Production Network


8 Protecting Components

Safeguarding the control computer as 4th Line of Defense is the core of the KUKA security strategy and is the final security level if the previous Lines of Defense have been ineffective. KUKA holds the opinion that Ethernet technology offers numerous advantages with regard to future synergistic effects. Therefore KUKA is actively working on integrating robot networking.

Merging the production and office network environments offers various advantages, but it also increases security demands upon the Ethernet components of the robots. KUKA is fully aware that such a step represents increased system vulnerability. Consequently KUKA is working actively in conjunction with Microsoft on making the robot controller operating system secure. Currently the robot controllers are running on two different platforms: Windows 95 and Windows XPe (embedded). However, robot controllers are currently being developed only for the XPe platform. In general, KUKA products are equipped with a virus scanner produced by IKARUS; corresponding virus patterns are tested and then sent to the customer. At the moment, the use of Symantec virus scanners is under evaluation as a replacement for IKARUS products. Both virus scanners contain a central management module allowing all virus patterns to be distributed from a central point.

8.1 Safeguarding Windows 95 Systems

KUKA no longer focuses on the development of security options for computers using Windows 95. However, measures such as a personal firewall may be employed for these systems.

KUKA recommends the Outpost Firewall Pro 1.0 by Agnitum, since tests have shown this product to be the most stable personal firewall when used with robot controllers. The version used was specially adapted by Agnitum to KUKA's requirements.

Installation and configuration of the firewall can be performed by KUKA, if the customer so desires. Only those connections required by the control computer for connection with the outside world are allowed. In this way, many different attack types can be blocked up front. This is a limited solution, however, since a personal firewall cannot offer 100% protection. The firewall, for example, can offer no protection against attacks occurring across a permitted port. The features of the Agnitum firewall are described in more detail in the Appendix.


8.2 Safeguarding Windows XPe Systems

In order to meet all requirements, the robot controller requires a real-time operating system. KUKA uses VxWorks by Wind River as the real-time operating system. The VxWin product offers the option of running the VxWorks operating system parallel to Windows XPe. Without hardware add-ons, VxWin allows the combination of robot control and evaluation of operating data in a single system.

Figure 21: Traditional connection (source 4)

Figure 22: PC with VxWin (source 5)

The advantages of this combination can be readily seen in this illustration. The central components of a computer (processor, storage media, network interfaces, ...) can be used by both systems, thus saving hardware costs. Common use of the PC's shared memory components can, in theory, allow both operating systems to be attacked in tandem (via virus, worm or manual attack). In this case, the best possible safeguarding of the host operating system is required.


To eliminate a large part of the vulnerability of a Windows XP Professional system, KUKA has chosen to employ an embedded system based upon XP. Some KUKA services which are not directly related to robot operation are deactivated in the embedded system. Hardening of the system is performed in close cooperation with Microsoft. The following vulnerable services were identified and prioritized according to their susceptibility:

• Priority 1: e-mail-related services
• Priority 2: attacks via/on CMD (command line) or FTP
• Priority 3: attacks via/on DCOM

KUKA has taken the following action to safeguard the system:

• Activation of the personal firewall supplied with Windows XP. All incoming connections are prohibited. This also prevents access via web browser. The enabling of individual connections is currently not possible. This function will be available in Microsoft XP SP2.

• Disabling of e-mail; deactivation and uninstallation of Microsoft Outlook Express.

• Renaming of some standard applications which in many cases could be used by hacking attacks:
  o CMD.exe
  o TFTP.exe
  o FTP.exe
  o TELNET.exe

• Modification of the start algorithms of various Windows services. Details of this can be found in the Appendix.

• Making sure that control software runs only with limited user rights on the host operating system. This prevents users of the control software from later installing illegal software.

These measures provide component-based security of the control computer. However, the 4th Line of Defense by itself does not provide sufficient protection if the prior lines of defense are disregarded.


8.3 Data Consistency Checking using Hash Values

Production computers cannot be rebooted after an update during production time. To get around this problem, KUKA has developed a solution to protect the operating system so that each patch need not be installed right away. Using additional third-party software, KUKA generates a hash value for each system file which is then stored centrally. During a virus attack, a worm or virus changes original files in order to propagate itself. Modification of the files results in changed hash values. When programs start or files are run, the software compares the current hash value with the stored value. If these values are not identical, then the program will not start or the file will not be read.

Figure 23: Hash Value Formation Principle (source: CrypTool)

A hash value is the output of a cryptographic hash function. Given an appropriately chosen hash length, a hash value is unique for practical purposes. Under the current state of the art, a file that has been corrupted cannot retain the same hash value. This method eases the problem of updating, since patches need not all be applied immediately and can instead be installed during planned down-time.

[Figure 23 illustration: a minor change to the input text produces a significantly different hash value.]
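The baseline-and-verify cycle described in section 8.3, together with the "minor change, significant difference" property of figure 23, as an added example in Python that is not part of the original paper or of KUKA's software. SHA-256, the JSON manifest and the *.exe/*.dll file patterns are assumptions (the paper names no algorithm or storage format), and the sample files are constructed.

```python
"""Hash-based integrity check in the spirit of section 8.3 (added example,
not KUKA's or DS DATA SYSTEMS' software). A baseline of file hashes is built
once and stored centrally; before a program starts, its current hash is
compared with the stored one, and a mismatch refuses the start."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, Tuple

HASH_ALG = "sha256"  # assumption: the paper names no algorithm


def file_hash(path: Path) -> str:
    """Hash a file in chunks so large system files need not fit in memory."""
    h = hashlib.new(HASH_ALG)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, patterns=("*.exe", "*.dll")) -> Dict[str, str]:
    """Hash every matching file below root (the 'system files' of the paper)."""
    baseline: Dict[str, str] = {}
    for pattern in patterns:
        for p in sorted(root.rglob(pattern)):
            baseline[p.relative_to(root).as_posix()] = file_hash(p)
    return baseline


def save_baseline(baseline: Dict[str, str], manifest: Path) -> None:
    """The manifest stands in for the central store; in practice it must itself
    be protected (read-only or signed), otherwise it becomes the weak point."""
    manifest.write_text(json.dumps({"alg": HASH_ALG, "files": baseline}, indent=2))


def load_baseline(manifest: Path) -> Dict[str, str]:
    return json.loads(manifest.read_text())["files"]


def check_before_start(root: Path, relpath: str,
                       baseline: Dict[str, str]) -> Tuple[bool, str]:
    """Allow-list semantics: unknown, missing and modified files are all refused."""
    expected = baseline.get(relpath)
    if expected is None:
        return False, "not in baseline"
    path = root / relpath
    if not path.is_file():
        return False, "missing"
    if file_hash(path) != expected:
        return False, "hash mismatch"
    return True, "ok"


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Bits that differ between two digests: the 'significant difference' of
    figure 23 produced by a minor change in the input."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def demo() -> Dict[str, object]:
    """Run the full cycle on constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "robot.exe").write_bytes(b"constructed sample program v1\n")
        (root / "helper.dll").write_bytes(b"constructed sample library\n")
        manifest = root / "baseline.json"
        save_baseline(build_baseline(root), manifest)
        stored = load_baseline(manifest)
        clean = check_before_start(root, "robot.exe", stored)
        # Constructed modification of an original file (the situation the paper
        # describes for a worm): the stored hash no longer matches afterwards.
        with (root / "robot.exe").open("ab") as f:
            f.write(b"\x00\x00extra bytes")
        modified = check_before_start(root, "robot.exe", stored)
        unknown = check_before_start(root, "dropped.exe", stored)
        a = hashlib.new(HASH_ALG, b"Text").hexdigest()
        b = hashlib.new(HASH_ALG, b"Texts").hexdigest()  # one character added
        return {
            "clean_allowed": clean[0],
            "modified_reason": modified[1],
            "unknown_reason": unknown[1],
            "bits_changed": differing_bits(a, b),
        }


if __name__ == "__main__":
    print(demo())
```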


9 Final remarks

By using Ethernet in the manufacturing environment, KUKA employs a technology that has been successfully implemented in office communication for years. Ethernet solutions offer many advantages for internal communication between ERP and production systems which years ago would not have been considered possible. Particularly notable is online accessibility of production data to determine key production figures. However, this additional information comes at a cost, namely increased susceptibility of the production network. This vulnerability is minimized by the KUKA Lines of Defense security concept. The security of the entire system is only as strong as that of the individual systems. Therefore single responsibility cannot be assigned; rather, the life cycle and production environment as a whole must be taken into account. Like a clock, in which individual gears mesh together, measures must be developed which are tuned to one another and consequently contribute to increased overall security. KUKA Roboter GmbH supports customers by using skilled partners to implement various security measures. As a component supplier, KUKA continuously strives to increase the security of control computers (4th Line of Defense) by maintaining up-to-date patches and by advancing the development of the operating system in order to eliminate vulnerabilities. IT security within a production network is feasible, but a detailed concept adapted to individual security requirements must be developed. In addition, network administrators must be trained and made aware of risks in order to create better comprehension of IT security.


10 Appendix

10.1 Features of Agnitum Firewall for Windows 95

The Agnitum Outpost Pro 1.0 firewall (customized for KUKA) has been tested and released for use in safeguarding existing Windows 95 control computers. The firewall offers the following features:

• Simple configuration using a GUI with pre-defined rules.
• Available protocols can be individually configured to individual circumstances.
• In "Stealth Mode", invisible to other users on the network.
• Compatibility with all Windows versions. Restrictions apply only to specially hardened systems.
• Compact firewall consuming few system resources.
• Selected restriction of applications having access to the network.
• Monitoring and protection of all incoming and outgoing ports.
• Blocking or restriction of information requested via the computer.
• Blocking or restriction of Java, ActiveX and scripts.
• Ability to set up a secure zone for the internal network (LAN).
• Restriction on the use of cookies.
• Warning and, if necessary, blocking of access to the computer.

10.2 Modification of Start Algorithms for Windows XPe

The following table contains the modified Windows XPe start algorithms (the start type of each service):

Services                                                  Status
6to4                                                      Disabled
Alerter                                                   Disabled
Application Layer Gateway Service                         Manual
Application Management                                    Manual
ASP.Net State Service                                     Disabled
Background Intelligent Transfer Service                   Disabled
Client Service for Netware                                Disabled
Clipbook                                                  Disabled
COM+ Event System                                         Manual
COM+ System Application                                   Manual
Computer Browser                                          Disabled
Cryptographic Services                                    Automatic


Device Update Agent                                       Automatic
DHCP Client                                               Automatic
DNS Client                                                Automatic
Error Reporting Service                                   Automatic
Event Log                                                 Automatic
Fast User Switching Compatibility                         Disabled
FTP Publishing                                            Automatic
Help and Support                                          Disabled
HID Input Device                                          Disabled
IIS Admin                                                 Automatic
Indexing Services                                         Disabled
Internet Connection Firewall (ICF)                        Manual
IPSEC Services                                            Automatic
Logical Disk Manager                                      Manual
Logical Disk Manager Administrative Services              Manual
Message Queuing                                           Disabled
Message Queuing Triggers                                  Disabled
Messenger                                                 Disabled
MS Software Shadow Copy Provider                          Disabled
Net Logon                                                 Manual
Netmeeting Remote Desktop Sharing                         Disabled
Network Connections                                       Manual
Network DDE                                               Disabled
Network DDE DSDM                                          Disabled
Network Location Awareness (NLA)                          Manual
NT LM Security Support Provider                           Manual
Performance Logs and Alerts                               Disabled
Plug and Play                                             Automatic
Portable Media Serial Number                              Disabled
Print Spooler                                             Automatic
Protected Storage                                         Automatic
QOS RSVP                                                  Manual
Remote Access Auto Connection Manager                     Disabled
Remote Access Connection Manager                          Manual
Remote Desktop Help Session Manager                       Disabled
Remote Procedure Call (RPC)                               Automatic
Remote Procedure Call (RPC) Locator                       Manual
Remote Registry                                           Disabled
Removable Storage                                         Disabled
Routing and Remote Access                                 Disabled
Secondary Logon Service                                   Automatic
Security Accounts Manager                                 Automatic
Server                                                    Automatic
Shell Hardware Detection                                  Automatic
Simple Mail Transfer Protocol                             Disabled
Smart Card                                                Disabled
SNMP Service                                              Disabled


SNMP Trap Service                                         Disabled
SSDP Discovery Service                                    Disabled
Still Image Service                                       Disabled
System Restore Service                                    Automatic
Task Scheduler                                            Disabled
TCP/IP NetBIOS Helper                                     Automatic
Telephony                                                 Manual
Terminal Services                                         Manual
Terminal Services Session Directory                       Manual
Themes                                                    Disabled
Universal Plug and Play Device Host                       Disabled
Upload Manager                                            Automatic
Volume Shadow Copy                                        Disabled
WebClient                                                 Disabled
Windows Audio                                             Disabled
Windows Installer                                         Manual
Windows Management Instrumentation                        Automatic
Windows Management Instrumentation Driver Extensions      Manual
Windows Time                                              Automatic
Wireless Zero Configuration                               Disabled
WMI Performance Adapter                                   Manual
Workstation                                               Automatic
World Wide Web Publishing                                 Automatic

Modification of the start algorithm hardens the XPe operating system, thus making access more difficult. Of course, there are additional services that are potentially vulnerable, but which are necessary for the operation of other software. Therefore the personal firewall must be correspondingly configured so that only required services and users have access to system resources.


11 Glossary

802.1x: Protocol following the IEEE standard for the transmission of authentication protocols. 802.1x is used for communication between a terminal and a switch, and contains, for example, authentication parameters of the EAP protocol.

ActiveX: See mobile code.

Broadcast: A data packet sent to all terminals on a network. The target MAC address will then contain FF-FF-FF-FF-FF-FF, addressing all stations.

Broadcast domain: Group of all terminals receiving the same broadcast packets. This group is generally limited to one IP network.

Denial of Service: Denial of Service is an attack on a network or IT system. The goal of the attacker is to bring the network or IT system to a standstill.

DMZ: Demilitarized zone. These zones are set up in connection with firewalls, either to provide publicly-available services or to protect confidential IT systems within the DMZ. Data communication into and out of a DMZ must be carefully defined by the rule set in the firewall.

Ethernet: Ethernet functions as a transport protocol for the TCP/IP connection, which enables data communication.

EAP: Extensible Authentication Protocol. Offers the possibility of performing authentication via a central authentication server (e.g., RADIUS).

ERP: Enterprise Resource Planning system. In most cases, this refers to a system containing all the critical applications (finance, HR, merchandise management) of a company (one example is SAP).

Firewall: Protects the computer against unauthorized access. Filters incoming IP-based data streams, compares them with the configured rules, then either blocks or permits the connection.

FTP: File Transfer Protocol. Using FTP, data may be transferred either internally or via the Internet. FTP is not encrypted and should be used cautiously when transmitting sensitive data. SFTP can be used instead to provide secure data transmission. As an alternative, it is also possible to transmit unencrypted FTP data within an encrypted VPN.


Hash value: The hash value is the result of applying a cryptographic hash function to an object (text or program) of any length. The hash value has a fixed length (generally 128 or 160 bits) and is a "fingerprint" of the text or program. If one character changes, the hash value changes. With a secure hash function it is practically impossible to find two different source objects with identical hash values. To ensure this, secure cryptographic hash functions must be applied.

HTTP: Hyper Text Transfer Protocol. HTTP became known as a result of its use in the Internet (web pages in the browser). HTTP is not encrypted and should be used cautiously when transmitting sensitive data. Web pages may be encrypted using SSL/TLS.

IDS: Intrusion Detection System for the identification of anomalies in the data traffic.

Integrity: Each data element is in the same state as it was when last accessed by an authorized user.

IP: IP stands for Internet Protocol and forms the basis for higher-layer protocols such as TCP or UDP. IP is a connectionless datagram delivery service without safeguards against modification, interchanging or packet loss.

IPS: Intrusion Prevention System (also Intrusion Protection System) for the detection of anomalies in data traffic (see IDS) and prevention of unauthorized network connections.

Java, Java Script: See mobile code.

MAC address: The address of a network device on Layer 2; physical address of the network adapter.

Mobile code: Java, ActiveX and Java Script are used on web pages to provide more interactivity. These are tiny programs downloaded when accessing a web page and then run in the browser of the local computer. In addition to providing enhanced functions, these programs also pose a significant security risk.

Patch: A patch is program code used for updating a program. Patches are published by a software developer to eliminate a malfunction in a program or to close security holes in the software. Security-critical patches should be applied in a timely fashion to prevent possible attacks by viruses or hackers. If it is not possible to apply a patch immediately (no free maintenance window available), then the critical systems should be installed in a protected environment.

Port: (TCP or UDP) Ports are a "refinement" of IP addresses. An IP address addresses an entire computer. Ports are addresses of applications on a computer.


Proxy: A proxy is an application on a computer which accepts connections with clients and creates independent connections to the servers requested by the client. The proxy is thus a stand-in for the (internal) clients, which create a connection to another network segment indirectly via the proxy. Typically a proxy is employed as a firewall to segregate networks with varying security requirements.

RADIUS: Remote Authentication Dial In User Service. Service used for authentication and authorization of users.

Sniffer: Using software or hardware sniffers, data packets transmitted on a network can be captured, processed and saved. In addition to use in network analysis and troubleshooting, sniffers may also be misused to obtain passwords transmitted in unencrypted protocols.

SSL: SSL and its successor TLS safeguard a protocol used by an application via encryption. HTTPS, based upon SSL, is the most frequently used protocol. SSL and TLS allow the use of encryption algorithms of varying strengths.

TCP: Transmission Control Protocol is an IP-based, connection-oriented protocol. TCP safeguards data communication against random modifications, interchanging or similar events.

Telnet: Telnet is a protocol primarily employed for the configuration of network components or IT systems. Telnet is unencrypted. SSH is an encrypted alternative to Telnet.

UDP: UDP is an IP-based protocol (Layer 4); as an improvement over IP, it permits multiplexing of connections across ports.

Virus pattern: A virus pattern contains the signatures of common viruses. Virus scanners require the current virus pattern in order to detect new viruses. Regular updating is essential for the proper functioning of the virus protection.

VLAN: Virtual Local Area Network. During transmission in the local network, data packets are tagged with a unique identification number. Using this, terminals can only communicate with others that belong to the same VLAN group. Since this segregation is logical and not physically based upon a separate connection, this is often referred to as a virtual LAN. VLANs increase security in a network.


VPN: Virtual Private Network. This is a virtual private connection across a public network. Encryption is used to transmit data securely and confidentially.

VxWin: Allows installation of a real-time operating system parallel to the Windows operating system.

Windows XPe: Windows XP Embedded has a modular design and can be exactly adapted to the requirements of the environment. Due to the minimum 10 MByte size of its operating system, it is suitable for smaller devices such as terminals. Since it represents an exact image of Windows XP Professional components, compatibility with applications and drivers is assured.

12 Sources

1 Extract from “BSI-Kurzinformationen zu aktuellen Themen der IT-Sicherheit, Computer Viren --- Definition und Wirkungsweise (BSI briefing on current IT security issues, computer viruses --- Definition and description of their functioning)”; Bundesamt für Sicherheit in der Informationstechnik (German Federal Office for Information Security) – January 2003

2 Extract from RZ notice no. 9213/06/001121; University of the Bundeswehr Munich (IT Center)

3 Extract from “BSI-Kurzinformationen zu aktuellen Themen der IT-Sicherheit, Trojanische Pferde --- Definition und Wirkungsweise (BSI briefing on current IT security issues, Trojan horses --- Definition and description of their functioning)”; Bundesamt für Sicherheit in der Informationstechnik (German Federal Office for Information Security) – January 2003

4 Extract from VxWin RT; VxWorks together with Windows XP on the same PC: KUKA Roboter GmbH – March 2003

5 Extract from VxWin RT; VxWorks together with Windows XP on the same PC: KUKA Roboter GmbH – March 2003