At the beginning of the year, KW-Software and Innominate decided to combine their technologies IEC 61141, Safety, Profinet and Security in one technology platform. The aim was to generate a solution that will resist the theft of know-how, malicious software attacks and attacks from hackers. Boris Waldeck reports of what has become of this project.
Mr. Waldeck, your decision for the technology platform was made before the high-profile occurrence of the Stuxnet worm. Chance or foresight?
Waldeck: Well, ultimately the Stuxnet worm was an occurrence which had to happen sooner or later. Already before Stuxnet, there have been cases of malicious software in automation systems that were secretly known. And so it was only a matter of time until security would play an important role in automation. But without any question: The occurrence of the Stuxnet worm has confirmed this view sooner than expected.
What exactly have you implemented?
Waldeck: At the SPS/IPC Drives, KW-Software and Innominate together with Wind River have presented the HyperSecured PLC. With the HyperSecured PLC, we made the trend for virtualization and hardware consolidation for automation users accessible.
What does this really mean?
Waldeck: For the first time, we have integrated a Profinet-capable software PLC and a security appliance on an embedded IPC with the Hypervisor as virtual machines to form a secured control solution against network attacks.
How does virtualization relate to security?
Waldeck: Up to now, a safe control solution could only be configured with respective dedicated hardware for the PLC and for the security appliance. With the trend to virtualization, now more cost-effective solutions integrated on one CPU can be created. The virtualization offers two great advantages. First, software which up to now was running on different devices is integrated on one CPU. And secondly, the different virtualized applications have separate resources which are administered completely independently of each other. This creates ideal conditions for efficiently integrating the security functionality into a device.
What does the solution look like?
Waldeck: Based on an Intel ATOM Z530 processor, the embedded hardware is divided into two virtualized applications by the Hypervisor. The security application, the virtual mGuard, runs under Linux and monitors communication with the network. The Profinet PLC, the second application, runs under VxWorks and communicates with the outside world only through mGuard. A desktop PC is used for IEC 61131 programming and Profinet configuration. The mGuard is configured via the browser's web interface.
KW-Software and Innominate are sister companies in the Phoenix Contact group. The cooperation of the companies is obvious. But why did you cooperate with Wind River?
Waldeck: With Hypervisor, Wind River provides an existing base technology which can easily integrate the existing components. The security appliance runs under Linux and the IEC 61131 PLC and the Profinet stack under VxWorks. In addition, further systems such as Windows-based systems can be executed on the same CPU. These are ideal conditions for the development of a high-end control solution providing a significant cost-saving potential through the combination of the different technologies on only one hardware.
How would the HyperSecured PLC have behaved in case of a Stuxnet attack?
Waldeck: The original Stuxnet worm was specialized in attacking Siemens configuration software and PLCs and, therefore, would not have been a threat for our HyperSecured PLC. But also a Stuxnet-like attack on our runtime components would also have little chance of success. The virtual mGuard user firewall prevents unauthorized configuration access to the PLC and the mGuard integrity monitoring method detects manipulations to engineering PCs promptly - even through so far unknown malicious software.
Company
