Bill Lydon for Automation.com
As Industrial Ethernet protocols have proliferated in industrial production, IP devices have become vulnerable to cyber threats. As one security expert noted: “Any device with an IP address can be hacked.” Oddly enough, at the same time, when the importance of protecting against cyber threats is strongly emphasized, the organizations involved in the development and promotion of Industrial Ethernet do not yet have solid plans to migrate to new standards, although they offer higher security.
Integration of production and business
The value of using Ethernet technology is obvious. Ethernet allows companies to implement new approaches to production, including “custom-made” and mass customization - which require “flexible” industrial enterprises and interactive communication with all participants in the process, including customers, purchasing departments, equipment, conveyors, workers. Ethernet is becoming a unifying communications technology to increase production flexibility and better meet customer requirements. However, there is a serious challenge - the integration of business and production automation systems. It is described by international standards such as ISA-95 and others, which serve as the basis for the development of standard interfaces between automation systems, ERP, MES, etc.). Historically, multilevel configurations have been driven by the cost of computing resources and network bandwidth. In the new model, controllers send information to all levels directly, from levels 0 and 1 to levels 4 and 5, using the appropriate protocols, primarily web services information security job description.
Ethernet communications made it possible and desirable to create streamlined 2- or 3-level automation systems that can increase productivity and reduce costs (see the material “Simplifying the hierarchy of automation systems” ).
Industrial Ethernet technology lags behind
Ethernet technology is moving towards IPv6 for new features and enhanced security. Meanwhile, Industrial Ethernet network standards have not yet been brought into compliance with IPv6 requirements. Most consider IPv6 only as a way to increase the number of IP addresses available, however, the benefits are, in fact, much greater.
Routing Simplification - IPv6 reduces the size of routing tables and makes them more efficient and hierarchical. In addition, in IPv6 networks, fragmentation is not carried out by the router, but by the sender, which determines the Maximum Transmission Unit (MTU).
More efficient packet processing - Simplified packet headers in IPv6 allow you to process them more efficiently. Compared to IPv4, IPv6 does not use IP-level checksums and does not need to be constantly checked. This is made possible because most link layer technologies already use checksums and error control functions. In addition, most transport layers also use checksums to detect errors.
Managed data streams - IPv6 supports a modern multicast method that saves bandwidth. There is a new field in the IPv6 header, called a stream label, that allows packets that belong to the same stream to be identified.
Simplified network configuration - IPv6 has built-in address auto-configuration. The router sends the subnet prefix in its “router advertisement” message, and the host uses a unique interface identifier. By connecting them together, the host receives an IPv6 address.
Support for new services - refusal from network address translation (from English: Network Address Translation or NAT), allows you to return to end-to-end connections at the IP level. Peer-to-peer networks are becoming easier to build and maintain, and services such as VoIP or Quality of Service (QoS) are becoming more reliable.
Security - IPv6 provides a set of IPSec protocols to ensure confidentiality, authentication, and data integrity. Due to their ability to contain malicious software, ICMP packets in IPv4 are often blocked by corporate firewalls, but ICMPv6 - an implementation of the Internet Control Message Protocol for IPv6 - may be skipped because IPSec can be applied to ICMPv6 packets.
The IT industry fully and fully supports this movement, as comments from industry leaders show. John Chambers, president and CEO of Cisco Systems, said: “If we do not overcome the IPv4 problem, we will slow the growth of the Internet and, accordingly, the pace of industry development. IPv6 matters to us all - to almost all people around the world. It is critical to our ability to connect people and devices together. ”
Cisco has an interesting interactive page that provides information on the distribution of IPv6 in different countries. Statistics are updated daily, both globally and at the country level.
Internet Protocol Security (IPsec)
A fundamental improvement to IPv6 is Internet Protocol Security (IPsec), a set of protocols for securing IP communications, by authenticating and encrypting each packet in an IP communication session. IPsec also includes protocols for mutual authentication of agents at the beginning of a session and negotiation of the cryptographic keys to be used during the session. IPsec is an end-to-end Internet-based security scheme in the Internet Protocol Suite. It can be used to protect data flows between a pair of hosts (host-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). Other common Internet security systems, such as Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Secure Shell (SSH), operate in the upper layers of the TCP / IP model. In this way, IPsec protects any application traffic on the IP network. Applications do not need to be specifically adapted to use IPsec. In contrast, the use of TLS / SSL and other methods with IPv4 requires appropriate adaptation of applications to protect protocols. This greatly increases the user's dependence on the vendor.
But what about industry?
I interviewed the major groups involved in the development of Industrial Ethernet protocols regarding plans for IPv6 and at this stage no one said anything specific. The main strategies for today include the continued use of Industrial Ethernet protocols based on IPv4, using private spaces of IP addresses VPN, as well as network address translation (NAT). Using NAT, however, is contrary to the policies of many IT organizations. In general, standardization organizations and vendors in the field of industrial automation do not yet have a solution to the IPv6 problem.
Thoughts & Observations
The fusion of business and manufacturing processes is the main driving force behind data integration in enterprise and industrial Ethernet. It is not so easy to achieve the implementation of this concept, which has already received various names, such as “IT for automation”, “Industry 4.0”, “IP advantages in industry”, “Integrated industry”. First you need to solve some technical problems. In my opinion, the lack of clear plans for IPv6 in the industrial automation industry is a worrying phenomenon, as the IT industry is already actively taking advantage of IPv6, especially in the area of information security.
As Industrial Ethernet protocols have proliferated in industrial production, IP devices have become vulnerable to cyber threats. As one security expert noted: “Any device with an IP address can be hacked.” Oddly enough, at the same time, when the importance of protecting against cyber threats is strongly emphasized, the organizations involved in the development and promotion of Industrial Ethernet do not yet have solid plans to migrate to new standards, although they offer higher security.
Integration of production and business
The value of using Ethernet technology is obvious. Ethernet allows companies to implement new approaches to production, including “custom-made” and mass customization - which require “flexible” industrial enterprises and interactive communication with all participants in the process, including customers, purchasing departments, equipment, conveyors, workers. Ethernet is becoming a unifying communications technology to increase production flexibility and better meet customer requirements. However, there is a serious challenge - the integration of business and production automation systems. It is described by international standards such as ISA-95 and others, which serve as the basis for the development of standard interfaces between automation systems, ERP, MES, etc.). Historically, multilevel configurations have been driven by the cost of computing resources and network bandwidth. In the new model, controllers send information to all levels directly, from levels 0 and 1 to levels 4 and 5, using the appropriate protocols, primarily web services information security job description.
Ethernet communications made it possible and desirable to create streamlined 2- or 3-level automation systems that can increase productivity and reduce costs (see the material “Simplifying the hierarchy of automation systems” ).
Industrial Ethernet technology lags behind
Ethernet technology is moving towards IPv6 for new features and enhanced security. Meanwhile, Industrial Ethernet network standards have not yet been brought into compliance with IPv6 requirements. Most consider IPv6 only as a way to increase the number of IP addresses available, however, the benefits are, in fact, much greater.
Routing Simplification - IPv6 reduces the size of routing tables and makes them more efficient and hierarchical. In addition, in IPv6 networks, fragmentation is not carried out by the router, but by the sender, which determines the Maximum Transmission Unit (MTU).
More efficient packet processing - Simplified packet headers in IPv6 allow you to process them more efficiently. Compared to IPv4, IPv6 does not use IP-level checksums and does not need to be constantly checked. This is made possible because most link layer technologies already use checksums and error control functions. In addition, most transport layers also use checksums to detect errors.
Managed data streams - IPv6 supports a modern multicast method that saves bandwidth. There is a new field in the IPv6 header, called a stream label, that allows packets that belong to the same stream to be identified.
Simplified network configuration - IPv6 has built-in address auto-configuration. The router sends the subnet prefix in its “router advertisement” message, and the host uses a unique interface identifier. By connecting them together, the host receives an IPv6 address.
Support for new services - refusal from network address translation (from English: Network Address Translation or NAT), allows you to return to end-to-end connections at the IP level. Peer-to-peer networks are becoming easier to build and maintain, and services such as VoIP or Quality of Service (QoS) are becoming more reliable.
Security - IPv6 provides a set of IPSec protocols to ensure confidentiality, authentication, and data integrity. Due to their ability to contain malicious software, ICMP packets in IPv4 are often blocked by corporate firewalls, but ICMPv6 - an implementation of the Internet Control Message Protocol for IPv6 - may be skipped because IPSec can be applied to ICMPv6 packets.
The IT industry fully and fully supports this movement, as comments from industry leaders show. John Chambers, president and CEO of Cisco Systems, said: “If we do not overcome the IPv4 problem, we will slow the growth of the Internet and, accordingly, the pace of industry development. IPv6 matters to us all - to almost all people around the world. It is critical to our ability to connect people and devices together. ”
Cisco has an interesting interactive page that provides information on the distribution of IPv6 in different countries. Statistics are updated daily, both globally and at the country level.
Internet Protocol Security (IPsec)
A fundamental improvement to IPv6 is Internet Protocol Security (IPsec), a set of protocols for securing IP communications, by authenticating and encrypting each packet in an IP communication session. IPsec also includes protocols for mutual authentication of agents at the beginning of a session and negotiation of the cryptographic keys to be used during the session. IPsec is an end-to-end Internet-based security scheme in the Internet Protocol Suite. It can be used to protect data flows between a pair of hosts (host-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). Other common Internet security systems, such as Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Secure Shell (SSH), operate in the upper layers of the TCP / IP model. In this way, IPsec protects any application traffic on the IP network. Applications do not need to be specifically adapted to use IPsec. In contrast, the use of TLS / SSL and other methods with IPv4 requires appropriate adaptation of applications to protect protocols. This greatly increases the user's dependence on the vendor.
But what about industry?
I interviewed the major groups involved in the development of Industrial Ethernet protocols regarding plans for IPv6 and at this stage no one said anything specific. The main strategies for today include the continued use of Industrial Ethernet protocols based on IPv4, using private spaces of IP addresses VPN, as well as network address translation (NAT). Using NAT, however, is contrary to the policies of many IT organizations. In general, standardization organizations and vendors in the field of industrial automation do not yet have a solution to the IPv6 problem.
Thoughts & Observations
The fusion of business and manufacturing processes is the main driving force behind data integration in enterprise and industrial Ethernet. It is not so easy to achieve the implementation of this concept, which has already received various names, such as “IT for automation”, “Industry 4.0”, “IP advantages in industry”, “Integrated industry”. First you need to solve some technical problems. In my opinion, the lack of clear plans for IPv6 in the industrial automation industry is a worrying phenomenon, as the IT industry is already actively taking advantage of IPv6, especially in the area of information security.