More performance and IT security in production

In modern production environments, a high-performance network connection provides a crucial competitive advantage. Moreover, networked production systems dynamically receive production orders to ensure optimal utilization. For process analysis, production data is essential to understand and optimize subprocesses or entire processes. Additionally, it is important to securely archive quality-related information, such as calibration protocols.

The network should be clearly structured or segmented to perform various tasks effectively. Network segmentation enhances performance and IT security by preventing unnecessary data traffic and reducing potential attack vectors. Important production systems can be redundantly coupled for seamless communication during failures. Segmentation simplifies administration and monitoring, making it easier to identify affected areas during problems.

Production network as a connection network between IT and OT

For effective production network segmentation, IT and OT must collaborate closely to create a holistic security concept. Phoenix Contact, certified under IEC 62443-2-4, offers expert support. Comprehensive solutions are essential, as individual measures can be bypassed, compromising security. Phoenix Contact also faced challenges in segmenting its own large subnetworks, requiring clear responsibility agreements between IT and OT.

To optimize the network connection between IT and OT, IT established a production network linking both areas. Individual production segments were connected to this network. Machine communication was analyzed to ensure optimal operation, identifying the data exchange protocols used. For instance, Layer 2 protocols, like Profinet, must operate within the same segment.

The segments are protected by an mGuard firewall in Router mode, using communication relationships to create firewall rules. The segment firewall allows necessary connections with external devices. The mGuard firewall’s 1:1 NAT function translates IP addresses outside the segment, eliminating the need for IP changes or special configuration tools.

VPN and local notebook access can be enabled and disabled on site

To integrate additional network components into brownfield systems, a scalable control cabinet solution was developed. This allowed easy system conversion. The expert team included additional functions in the control cabinet concept. Besides firewall functions, the mGuard Secure Cloud platform provided VPN access to segments, controllable on-site by OT personnel. A light on the control cabinet indicates the connection status to production employees.

The DMZ port of the mGuard firewall is configured for local service, allowing a service notebook to communicate only within the segment. This access can be toggled on-site. An integrated redundant, uninterruptible power supply boosts availability. A built-in door switch indicates when the control cabinet door is open. Diagnostic information and alarms are sent via SNMP traps by the mGuard firewall and managed switch to signal voltage failures, additional component connections, or door openings.

Central management software simplifies device management

Production systems were gradually connected to the new OT production network using the in-house developed control cabinet solution, in cooperation with IT. Firewall rule sets were adapted based on mGuard firewall protocol files to allow only necessary connections. Unrequired connections are discarded but listed in the firewall protocol, identifying necessary and unnecessary connections if component documentation is incomplete.

After initial commissioning, individual firewalls were integrated into the mGuard Device Manager for simplified management. Consequently, all mGuard devices can be centrally configured and administered via templates. Firewall rules and NAT settings are uploaded with a click. Furthermore, the FL NETWORK MANAGER software supports initial commissioning and management of FL 2000 series switches, handling IP address assignment, firmware updates, and VLAN configuration. Configurations can be changed, archived, or restored on selected switches via menus or SNMP scripting.

New features in accordance with the EU Directive NIS 2.0

Previously, people often thought, “IT security doesn’t concern me; nothing will happen.” However, reality shows that any company can be targeted, as evidenced by the daily flood of phishing emails designed to steal information or infect systems with harmful attachments.

The EU Directive for Network and Information Security (NIS 2.0), presented in December 2020, sets increased requirements for eight critical sectors, including medical devices, computers, electrical systems, machine building, automobiles, and transportation. Supply chain suppliers are also affected. Operators must implement minimum standards to protect IT systems and networks. Published in the Official Journal of the European Union on December 27, 2022, member states must transpose the Directive into national law by October 2024. Operators should be aware of the growing threat of attacks and develop a multilayered strategy to mitigate this danger.

Learn more about digital factory and industrial communication