Device-attached security is way forward on plant


A new hardware approach to network security for manufacturers wanting the benefits of Ethernet at the plant level looks set to deal with current barriers to acceptance – and open a £1bn market. Brian Tinham reports

Dubbed mGuard Firewall and launched by German developer Innominate last month, it’s a full-feature network security approach that’s entirely independent of the machines and systems it protects. The firm claims it’s the first professional DIN-mounted hardware firewall device for production environments that also offers virus protection, VPN and hardware encryption along with audit and centralised SNMP-based management.

“While the merger of office and production networks presents great potential for increasing efficiency, the security risks involved are not yet being taken seriously by many companies,” says Innominate CEO Olaf Siemens. “Our [device] individually protects automation networks and industrial computers against unauthorised access and all types of threats, regardless of the operating system,” he adds.

And it is different: a serious threat with Ethernet on plant isn’t just attacks from viruses, worms, intrusion and the rest, but constantly emerging vulnerabilities that are routinely patched in the commercial world by the main security system vendors. Applying software patches to industrial systems is a dangerous game, requiring verification by the original system vendor – which takes time, leaving users exposed.

Innominate’s approach is to bypass all that with separate, ‘invisible’ hardware devices attached to the system, that operate in ‘Multi Stealth Mode’ with no IP address. “The anti-virus is updated regularly and automatically – but that’s on our external hardware devices so there can be no side effects on plant machine systems,” says Siemens. “The approach takes out complexity and risk by separating the machine management system from the security.”

And he adds: “There are very few things that our devices cannot handle: for example, worms that use open ports are eliminated by the firewall. And the big problem in manufacturing with service technicians getting access to machines is also handled because no infected machine can spread a virus to the network – it’s protected both ways.”

Siemens believes that the long-awaited collision of business and plant network worlds can thus now move ahead safely. Even practical and cultural issues around corporate IT security people knowing little about requirements on the production floor, and vice versa, are no longer a problem, since the systems are fully equipped and self-configuring.

“We’re bringing the two worlds of business and factory IT together,” says Siemens. “We’ve built in redundant power supplies, a learning mode, EMI recovery... And we’re offering different form factors: DIN rail modules, PCI cards, Blade packs and dongles for Ethernet ports.

“Users don’t have to mess with their network topology: they can just plug in pre-configured and managed devices between the machines and the network or production cell. We cannot assure protection 100%, but we can assure that the number of incidences will be greatly reduced.”