Cyber-Security @IoP
The topic of security in production has an important status in the context of the Internet of Production (IoP). Because as soon as production machines are networked with each other and with the Internet, thus creating a variety of communication channels, not only the immense advantages of networked production arise - but also new challenges in protecting this sensitive data and the corresponding infrastructure. As part of the Cluster of Excellence research, the two scientists Jan Pennekamp and Markus Dahlmanns are dealing with the important, yet sometimes underestimated topic of security, which equally affects data, their processing, systems and networks.
Securing production networks with appropriately configured security protocols is essential for companies to maintain profitability and competitiveness and, for example, to protect sensitive customer data. However, the topic does not always receive the attention it deserves, and companies are sometimes not sufficiently informed about how they can specifically protect their networks. As early as the end of 2020, a team of researchers within the framework of the Internet of Production published a paper entitled "Easing the Conscience with OPC UA" to raise awareness of this topic and, with its high visibility, demonstrated the discussion potential of the topic of secure communication protocols. And rightly so, considering the potential consequences of insecure communication paths in a company with numerous networked production machines. Pennekamp and Dahlmanns provide information about specific challenges of IT security in the company and the necessary awareness that companies need to secure their data.
OPC UA stands for Open Platform Communications Unified Architecture. This is a communication protocol, a collection of standards for data exchange in industrial automation. It is one of the most important protocols in the context of Industry 4.0. and enables standardized access to machines, devices and other systems in the industrial environment. This type of communication is cross-platform and thus enables manufacturer-independent data exchange. The security standard is high - for example, a certificate exchange can be used here for cross-network communication, so that each client must uniquely authenticate itself via certificate before access.
Like Markus, Jan works at the Chair of Computer Science 4: Communication and Distributed Systems in Computer Science (COMSYS) as a researcher in the Cluster of Excellence Internet of Production. Jan is head of the A.I. workstream there. "There, we deal with the infrastructure of an Internet of Production, which means we look at data processing. Or more specifically, how information is collected, then processed in the edge or in the network until it ends up in our so-called "data lake". But we also look at the transfer of information, e.g., between companies. In this context, it's not just about data security, but also about network security in general, since machines are now being connected to the Internet that were previously operated in isolation in their own networks, which is why corresponding security requirements usually did not exist. I am mainly concerned with security and privacy, especially with the exchange of data across company boundaries. Topics like network security and similar aspects around the big topic "security" were already one of my main focuses during my studies.
During my time as a student assistant, I was already involved in a project in this thematic area of privacy, in which we analyzed cloud use on smartphones. It was about user protection and the fact that valuable personal information is disclosed. By analogy, I also took part in a research focus class as a student, in which students are given independent research tasks. There, it was about protecting DNA information during the analysis of physicians in the cloud. We participated as a team with several students in a medical informatics competition in America and won second place. The techniques are quite similar to what I am working on and researching today. In the consumer area or in the industrial area there are of course specific features, involved stakeholders, their interests and also the amounts of data differ. But the focus of my research has remained relatively similar, except that it is now about a different application area. The good thing about this field is that there is still relatively much that can be done here, because there are not so many approaches yet. In the production context, it is still a rather young research direction.
The underlying building blocks of secure computing or confidential computing that we use are the same. For the most part, they promise security and privacy "by design" if used properly. Then only the information you want to give away is given away. Of course, that's the same in the healthcare and industrial sectors. In healthcare, it's sensitive patient data; in industry, it might be confidential parameters for machines that I don't want to reveal to the competition. Equally, though, as a company I might still be interested in sharing specific data with selected recipients in order to optimize processes, for example, in coordinating supply chains."
How do security protocols like OPC UA come into play?
Jan Pennekamp: "In the past, industrial networks were separate from office networks because there was little to no reason to exchange information between them. As digitization continues, the boundaries of these networks are blurring and data is increasingly being exchanged between them as well. One problem here is that these industrial networks sometimes run very old protocols that offer no security standards whatsoever, which means that there are risks of cyberattacks and data leaks - especially in view of an Internet of Production in which information, machines and data are also to be globally accessible.
So in the past, protocols were not designed with security in mind because it was not needed due to the application scenarios. With the global networking of machines and companies, it is now necessary that security is also considered. One candidate for this is OPC UA, where security has explicitly played a role in the design and thus also meets today's security requirements."
His colleague Markus Dahlmanns, also in Workstream A.I, is also an expert on the topic of network security in the context of IoP and focuses primarily on corresponding protocols, among other things, especially with regard to OPC UA. "OPC UA is relatively new compared to other protocols and has only been in use since 2008. It unfolds its relevance especially for modern industrial communication because various manufacturers are involved."
What challenges arise when using OPC OA?
Jan Pennekamp: "The German Federal Office for Information Security (BSI) has certified that OPC UA offers 'Security by Design'. This means that the security aspect is already considered during product development and is inserted into the life cycle of the product. In this case, it means that the protocol was specifically developed with data security in mind. What OPC UA does not offer, however, is 'Security by Default'. Security by default means that the security aspects are integrated into the product in such a way that they already run in the background without extra configuration and the user does not have to take care of setting them up himself. With OPC UA, companies have to configure the protocol themselves to use it securely. Our research has shown that this is unfortunately not always successful in practice.
What do companies need now to optimize their use of Internet of Production offerings?
Markus Dahlmanns: "When set up correctly, OPC UA is quite secure: Authentication takes place, so not just anyone can connect to the corresponding devices. In addition, communication is also protected against eavesdropping attacks and modifications if the protocol is configured correctly. However, the emphasis here is on the "if". The study carried out looked at whether devices that were accessible via OPC UA from the Internet were configured securely accordingly. Since this was often not the case, the follow-up question is how to prevent the identified configuration errors in the future. Production systems have to be installed as quickly as possible, and the users who set up the devices often do not have time to worry about IT security, or they are not aware of the effects of the corresponding settings. One option to explore would be automated setup support, for example."
Jan Pennekamp: "While in the past configuration decisions had mainly local effects, the Internet connection of machines adds global effects. This means that secure configuration of machines and networks is essential to ensure IT security. In this wake, it is important that companies also have the necessary awareness that such a configuration must be set securely at all times. Of course, to convince companies of the idea of an Internet of Production, we also need to consider security. That is, companies do not want their data to flow out uncontrolled and, equally, they do not want to fall victim to cyberattacks. In this context, it is important that we demonstrate solutions for how secure data communication can function within the framework of an Internet of Production, but also how companies can independently check whether their networks and machines are configured securely. And we are currently working on these things."
Apart from OPC UA, what about the security of network protocols in the context of plants and production networks?
Markus Dahlmanns: "In a follow-up study (Missed Opportunities: Measuring the Untapped TLS Support in the Industrial Internet of Things), we examined ten insecure protocols for which there are also 10 secure variants or further developments in order to investigate whether, in the event that secure versions become available, these are also used in productive applications. Unfortunately, the picture is similar here as well: In the systems we found, only 6.5% use the secure version of the protocol. At the same time, we discovered similar problems in many of these supposedly securely configured systems as with the OPC UA communication protocol we looked at earlier. Here, too, systems are only seemingly protected in practice due to outdated or insecure configurations."
Jan Pennekamp: "So we see that there is still a long way to go before systems are reliably protected. In order to continue on this path, we also see it as essential that operators are supported in configuring their systems securely and also in keeping them secure. In addition to an understanding of this problem, companies should ideally also acquire their own knowledge and know-how. We hope that future studies will then also show corresponding progress."