
![]() |
Charlotte Stonestreet
Managing Editor |
Cyber security in edge computing
18 October 2019
From a manufacturing perspective, much of the key technology driving Industry 4.0 is focused on data analytics. To enable this, the development of compact edge computing devices plays a big role in opening up gateways to cloud and data analytics solutions
This is because they are low cost and easy to implement with a wide range of different platforms, providing greater flexibility for the user. You can also retrofit these edge devices to legacy machines, which allow you to access vital machine data and ultimately extend machine lifetime. Not only is access to production data from your machines hugely valuable, the advent of cloud computing enables you to monitor production and manage connections from anywhere in the world.
However, implementing an Industry 4.0 solution in an organisation also adds new network and operational security challenges. This is because you will be introducing cloud connectivity to your computing environment at the shop floor level. Unfortunately, unlike IT networks which can look back on 25 years of security, there are very few specific instructions on how to implement Industry 4.0 securely at the device, network and system levels.
At Harting, we have given much thought into how our edge computing device can be securely integrated into manufacturing and production environments. MICA (Modular Industry Computing Architecture) is an open-source, edge computing device which can be adapted with custom hardware, software and interfaces to suit individual requirements. As a result, it provides a quick and easy solution to implement digitisation projects directly at facilities and machines.
The key to securely rolling out Industry 4.0 is taking a thorough look at your production environment and identifying and mitigating potential threat vectors. A practical way of tackling security is to identify thread boundaries, usually contact or handoff points between different systems, and securing both them and the zones between the boundaries. In the case of Industry 4.0, potential threat zones could be between the machine and MICA and the backend, e.g. the Cloud, and between the backend and remote users.
The backend area usually incorporates the normal corporate network, public internet or private and public clouds. Security in this zone is covered by standard IT security practices and you should consider how best to secure the data coming from and going to the MICA. Examples of possible solutions include firewalls, traffic monitors and in some cases, even intrusive methods such as deep packet inspection (DPI). Conversely, you may also want to tunnel data from the MICA through portions of the backend zone using techniques such as virtual private networks, SSH tunnels or other forms of encryption.
In many applications such as condition monitoring, the traffic from the machine zone to the MICA is largely unidirectional, or the sensors might be limited enough that no threat emerges. However, PLCs and sensors are getting more sophisticated, so care should be taken by container developers to safeguard against sneak attacks from compromised machines or sensors. In other applications, the MICA is being used to send instructions or data to machines, so this traffic needs to be secured by the developer. One example is the Harting Euromap solution package, which lets only authenticated users send instructions and programs to machinery.
IT security controls
The operating system, called MICA Base, is provided by Harting and uses a busybox2 operating system based on a recent Linux kernel, so it already offers a lot of tried-and-tested IT security controls. Additionally, its containerised software architecture mitigates many threats that endanger other IoT devices.
Due to the uncomplicated nature of the MICA Base, many conventional attack vectors are simply not available. For example, it does not include package managers, email clients or other services that are often used by hackers to gain control of devices. In addition, the MICA Base is not accessible to users or administrators, meaning that it is impossible for these people to load additional kernel modules.
For added security, every MICA comes with three user privilege levels to protect against accidental or deliberate misconfiguration or deletion/installation of containers. To maintain the integrity of the system, operators should only be given access at the lowest level required to fulfil their jobs.
All MICA applications run in individual LXC containers, which in turn run in separate kernel namespaces. This automatically provides numerous containment tools, designed to prevent one process gaining access to another or the MICA Base. Communication between containers only happen using IP protocols. In many cases, container developers choose higher level protocols like MQTT or OPC-UA which are readable and provide some isolation against attacks.
While this does not offer complete protection, these technologies combined will typically prevent any accidental damage of the host, such as when reconfiguring MICA hardware, reconfiguring the kernel or accessing the MICA Base file system.
Install updates
The MICA Base gets updated every three months and Harting recommends that you check the release notes and install updates that fix newly discovered security problems. It is also important to note that 3rd party containers could contain malicious code or exploit other vulnerabilities in your network. For this reason, you should only install Harting certified containers, or containers from another trusted source.
While no system is completely secure, there are some steps you can take to secure your network and protect your operations. As mentioned above, all firmware and applications connected to a network should be updated to the newest and most secure version. Default passwords should be changed immediately and only install firmware and containers from trusted sources. Finally, closely review your network security, especially around the thread boundary immediately above and below the planned edge computing device.
If you’d like to know more about MICA and its applications, please visit www.harting-mica.com/en or email us via salesUK@harting.com
- No related articles listed