21 May 2024

Managing devices as part of a proactive security strategy

Phoenix Contact provides the Device and Update Manager as an ideal solution

Phoenix Contact discusses the management of devices as part of a proactive security strategy.

The increasing interconnection of systems, components, and devices as well as the growing amount of data to be transmitted and stored (in a word: the achievements of Industry 4.0) result in a higher risk of cyber attacks. Therefore, the best possible protection against cyber attacks, threats, and abusive or erroneous data misuse/manipulation must be one of the highly prioritised consequences of this trend.

With regard to security, a distinction must be made between different types of technology or networks:

IT Information Technology Office (accounting, sales, management, …) – Here, the ISO 27001 standard for the plant owner is typically applied.

“Intermediate Layer” Factory Backbone (inventory management etc.) . Enterprise Resource Planning (ERP) or Product Lifecycle Management (PLM) domain, no classic automation – Here, the ISO 27001 standard is typically applied.

OT Operational Technology Production area / Factory Floor with its machines and plants (ICS) – Here, the IEC 62443 standard is typically applied.

In terms of security, these technology areas must not be considered separated from each other. Rather, they must be considered in conjunction. In order to completely serve security in OT, the measures defined by IT must be extended by additional relevant activities.

In the field of automation, the focus is on physical processes such as drilling, measuring, assembling, etc. Plants are operated as long as they allow economical production. The life cycle is much longer than in an IT environment. The broader challenges in automation are apparent: Any disruption leads to reduced productivity. In addition, the possibilities for eliminating vulnerabilities are limited, since restarts are only feasible to a limited extent and every change to an automation system entails the risk of further malfunctions.

However to maintain system integrity over this life cycle, Plant Operators and Integrators, must plan for the update of devices. Not just of the device configuration, but also operating systems, firmware and even security certificates. Otherwise, systems are at risk of compromise from future threats and vulnerabilities.

This process can be summarised in 4 steps:

Take Inventory – Make an inventory of devices, there status and configurations.

Identify Tasks – Required updates, new vulnerabilities, and device problems.

Evaluate and Plan – Risk analysis, prioritise updates and rollout planning.

Provide – Installation of updates, tracking of progress and errors.

While this process may be feasible to run manually for smaller systems. For operators of larger numbers of devices, this may become a difficult process to run and maintain. Today updates are generally published on a products website, but how should operators update their equipment without centralised management?

Phoenix Contact provides the Device and Update Manager as an ideal solution to overcome these problems. The Device and Update Manager is provided as an app on the PLCnext Store for the EPC Edge controllers for easy install and start up.

Once running it uses the OPC UA standard to connect to devices and provide information about all assets. From there it can securely connect to the Phoenix Contact Repository server and automatically download updated firmware for Phoenix Contact devices to provide a local repository of updates.

Not just device updates, but configuration and program updates can also be downloaded to the repository. From there update plans can be created to update various aspects of multiple devices. These updates to a device can then be automatically released or manually triggered by an authorised party. Some updates can even be downloaded while the device is running ready to be applied when it is safe to do so (during plant downtime for example).

Using a centralised management system for device updates is critical in the modern industrial environment where device security and uptime is key. Especially if you have lots of devices, potentially installed in remote or hard to reach locations. Not only performing updates, but knowing which devices are installed and their current status makes management of this new industry security task far easier. With the concept of 360 degree security, Phoenix Contact has positioned themselves as a competent partner for holistic security of products, security solutions and the corresponding security services.

Company info: Phoenix Contact Ltd