Secure Asset Management in Today’s Evolving Digital Age

By Glenn Schulz, Managing Director at FDT Group

FDT technology helps protect critical control networks and devices in process plants

Glenn Schulz, FDT Group, Managing Director

Digitalisation is gaining momentum among process industry manufacturers. A new age of fully automated plants competing on a global scale is approaching. But what will this world mean to the critical process control applications?

As new technologies such as the Industrial Internet of Things (IIoT), mobile applications and robotics create unprecedented disruption, industrial organisations are under pressure to rethink not just their technology investments, but their entire operational strategy—particularly as it relates to the security of control assets.


Today’s Operating Challenges

As digital operations and processes become more prevalent, the security of field devices is increasingly on the mind of plant operators. The industrial control system (ICS) was once protected by having no connections to external networks.

However, since external connections have become unavoidable due to the growing use of big data and the IIoT, these systems are becoming increasingly vulnerable to security threats.

In a typical process industry facility, device management is a crucial concern. Automation systems are built from many devices and components connected or networked together.

Field devices such as sensors, actuators and smart systems are connected to controllers. These devices must be supported throughout their lifecycle, from planning, configuration and start up to diagnostics and maintenance.

In order to obtain status information from a host of different devices, operators must deal with different communication types and network transitions between various bus systems. This is necessary for complete integration of diagnostic information into control and maintenance systems.

Meeting Security Demands

The IIoT sees networks of connected industrial devices working together to collect and analyse data in order to help deliver new insights and optimise business success. It has the potential to bridge gaps in the performance of industrial processes and offer better results in terms of efficiency, output and production.

While the IIoT is revolutionising the entire manufacturing sector with intelligent operations and automated processes, it is essential to address security requirements for industrial automation systems.

What was previously a separate network for plant operating systems—responsible for monitoring and controlling physical devices—may now be linked to a broader business network, creating a larger attack surface.

Operating companies need to ensure end-to-end security for OT networks, field instruments and control applications in both greenfield and brownfield facilities.

Due to the criticality of control systems and devices in process industry environments, including those found in petrochemical, pharmaceutical and food & beverage operations, among others, security architects and engineers must find ways to secure IIoT applications within their diversified network architectures.

This often requires authentication of the data endpoints and the ability to provide integrity and confidentiality protection of exchanged information.

Enabling Open Integration

Introduced in the late 1990s by FDT Group (an independent, international, not-for-profit standards association), FDT® technology (IEC 62453, GB/T 29618-2017 and ISA103) standardises the communication and configuration interface between field devices and host systems. It is regarded as the de facto integration and information exchange standard and is deployed for millions of devices around the world.

Today, FDT Group is preparing to officially introduce a new, modernised FDT 3.0 standard that is embodied in the FDT IIoT Server (FITS™) solution. FITS will advance open, standardised integration in the digital age with a choice of cloud, on-premise and desktop deployment options, allowing the end-users to take control and implement their internal secure best practices for effective device asset management.

The concept for a client/server architecture, which is currently available in FDT 2.0, will systematically remain in use in the updated FDT 3.0 standard. The latest technology updates will enable access to FDT Device Type Managers™ (FDT/DTMs™) from mobile devices (web-based) and via the OPC Unified Architecture (OPC UA).

Furthermore, FDT becomes platform-independent by migrating the fundamental technology on which it is built from the Windows-based .NET Framework to an open .NET Core as well as HTML5 and JavaScript.

FITS is set to empower the intelligent enterprise with native integration of OPC UA, as well as comprehensive control and Web Services for mobile applications and a new FDThub for DTM storage and management.

As the architecture becomes a technical standard infrastructure throughout the process automation field, it will be deployed across different control system platforms—offering freedom of choice for field device integration.

FITS will revolutionise current process automation architectures by making health and configuration data from connected devices available through a highly secure, embedded OPC UA server in an off-line view or instant, on-line view via authenticated, client-based applications.

This information can then be leveraged by stakeholders throughout an organisation’s information technology (IT) and operational technology (OT) domains.

Remote access with Web Services will enable 24/7 observation of devices, providing a standardised mobile access approach utilising browsers, apps or anything else capable of interfacing via web sockets.

Any mobile device authenticated by the FDT Server and operated by an authenticated user will have full access to the topology with a tunneling capability to manage assets on any network.

These features will result in the development of new apps to optimise asset management, preventive maintenance and other critical functions at modern process plants.

Figure 1. The FITS Architecture offers platform-independent operations and freedom of choice for field device integration.

Securing Control Assets

While the severity of a security-related event in a process plant is much greater than in a typical factory application, the threats to automation assets are the same across all sectors. Cybersecurity vulnerabilities related to hackers, viruses and other issues place a manufacturer’s control architecture in serious peril.

Prior to the development of the FITS standard, FDT Group’s technology was primarily a desktop solution. To meet the needs of IIoT applications running in global plant operations, the organisation evolved the FDT standard to a server-based architecture with security at its core and offering flexible and scalable deployment options.

This move necessitated effective cybersecurity measures to address issues such as device authentication and authorisation in order to minimise the attack surfaces present in a distributed environment.

Modern client-server industrial automation systems have moved to edge-to-cloud architectures for cost and flexibility. They have security challenges that result from greater interconnections. Regardless of application, ensuring security begins by establishing a chain of trust between devices, data and systems. Everything within the trusted system must be authenticated and validated to ensure trusted interoperability and integrity at every point.

Providing consistency across different operating system platforms, FITS features robust multi-layered security and leverages vetted industry standards such as Transport Layer Security (TLS), which enables WebSocket Secure (WSS) and Hypertext Transfer Protocol Secure (HTTPS). This security strategy encompasses:

  • Encrypted communications using TLS
  • Role-based user security
  • X.509v3 certificates for device authentication
  • On-the-wire security for enabled industrial control protocols

FITS incorporates industry-proven technologies to provide an end-to-end security solution for field device and sensor installations. It was co-developed by a dedicated FDT Group Security Team to ensure secure communications for valuable plant information and operating data.

The team focused on different points of ingress and egress in the architecture so secure connections were provided for mobile applications, and access to the server was limited to authorised users and devices.

It also leveraged recognised and well-accepted security standards within the process industries. End-users of all industrial networks will benefit from this robust security approach.

FITS utilises TLS to establish a hardened shell and encrypt all communications throughout its architecture to avoid the possibility of plant data being intercepted, misdirected or manipulated. The FITS security architecture offers a level of security rarely seen with consumer-grade TLS implementations.

Data packets are TLS encapsulated to provide both authentication and message-integrity protection, and X.509v3 digital certificates are leveraged for authentication of the server and client. The security features enable authorisation of all mobile devices connected to the server.

The security strategy not only verifies an authorised device communicating with the server, but also verifies authorised users of the device itself. Role-based security is employed to determine the user’s role and rights within the application as part of a multi-layered, defence-in-depth security strategy.
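The two layers described above, as an added example using Python's standard `ssl` module (it is not FDT Group or FITS code): the TLS context demands a client certificate, and a role check then decides what the user may do. The device names, users, roles and rights are constructed; the user is assumed to be already authenticated, and matching devices by certificate commonName is an assumption of this example.

```python
import ssl

# Constructed sample data; every name below is hypothetical.
ENROLLED_DEVICES = {"tablet-017.plant.example"}  # certificate commonNames
ROLE_RIGHTS = {
    "observer": {"read_status"},
    "maintenance": {"read_status", "read_parameters"},
    "engineer": {"read_status", "read_parameters", "write_parameters"},
}
USER_ROLES = {"alice": "engineer", "bob": "observer"}


def build_server_context(certfile=None, keyfile=None, client_ca=None):
    """Server-side TLS context that rejects clients without a valid certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails without a client cert
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)  # the server's own X.509 identity
    if client_ca:
        ctx.load_verify_locations(cafile=client_ca)  # CA issuing device certs
    return ctx


def device_name(peercert):
    """Pull commonName out of the dict returned by SSLSocket.getpeercert()."""
    for rdn in (peercert or {}).get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def authorize(peercert, user, action):
    """Layer 1: enrolled device. Layer 2: the user's role grants the action."""
    device = device_name(peercert)
    if device not in ENROLLED_DEVICES:
        return (False, "device not enrolled")
    role = USER_ROLES.get(user)
    if role is None:
        return (False, "unknown user")
    if action not in ROLE_RIGHTS[role]:
        return (False, f"role {role} lacks {action}")
    return (True, f"{user} on {device} as {role}")


# Constructed certificate dicts in getpeercert() format.
KNOWN = {"subject": ((("commonName", "tablet-017.plant.example"),),)}
ROGUE = {"subject": ((("commonName", "laptop-x.plant.example"),),)}
```

In a real server, `authorize` would receive the result of `getpeercert()` on the accepted connection, so a request is served only when both the device and the user's role pass.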

From an IT/OT perspective, administrators can therefore ensure that authenticated client devices have appropriate virus protection and meet other corporate security guidelines to ensure they are not the source of contamination via connection to the server. Security engineers can freely select the level of security they wish to enable under the FITS architecture to fit their security profiles.

The addition of security-on-the-wire to the FDT standard via protocols such as CIP Secure on EtherNet/IP will result in a complete solution for comprehensive, end-to-end protection from sensor to cloud. This approach will allow the control system to inherently defend itself from unauthorised and/or malicious access.

Figure 2. FDT optimises secure, real-time asset management strategies for plant operators

Improving Plant Operations

FDT Group’s visionary approach to the FDT 3.0 standard, as implemented in the FITS solution, offers valuable benefits to process industry organisations seeking to secure their crucial control systems, devices and applications in an increasingly digital operating environment. This approach is especially key to optimising asset management strategies.

For example, FITS supports real-time monitoring and predictive maintenance applications requiring uniform access to field devices across diverse automation platforms. The solution’s inherent platform independence enables enterprise control so that a single control room can monitor multiple plants at a time on a remote basis.

FITS offers OPC UA connectivity with standardised data models for all types of field devices and across all protocols, including web access via mobile devices.

Web Service features with the FDT Server will be particularly useful for monitoring device status remotely, while convenient smartphone usage is an advantage for work in the field.

FITS OPC UA and mobile remote access will have a significant impact on plant and factory maintenance personnel, who are looking for condition-based maintenance solutions to reduce their cost for periodic, scheduled repair and troubleshooting activities.

OPC UA service opens up all possible parameters in installed devices so end-users can pick specific maintenance-related parameters and observe their trends.

FITS also includes the FDThub, which provides a single DTM repository designed for both cloud-based and on-premise air-gapped system deployment and enables easy access to all certified DTMs.

Conclusion

Process industry stakeholders implementing FDT Group’s FDT 3.0 standard with the FITS solution will have the assurance of utmost security with a choice of flexible deployment options.

With growing reliance on connected systems in plants, and ever-increasing amounts of data, it becomes more important for the control system, its devices, and the data and points of connectivity to be inherently secure.

    Glenn Schulz

    Glenn Schulz joined the FDT Group as Managing Director in July of 2009. Most recently, Mr. Schulz was the Managing Director and Vice President of Engineering at Dorner. For thirteen years prior to that, Mr. Schulz was an executive at Rockwell Automation (NYSE:ROK) with responsibilities that included the Process Industry Asset Management businesses. During his tenure at Rockwell Automation, Mr. Schulz served as a Vice President and the Secretary of the Board of FDT Group. Mr. Schulz was instrumental in establishing the legal, non-profit structure of the FDT Group that culminated with incorporation in Belgium as an AISBL. Mr. Schulz’s diverse technology career has spanned roles as an electrical engineer, a software engineer, a reliability engineer, a college instructor, an engineering manager, a marketing manager, a sales director, a division director, a general manager, and a vice president. He has numerous design credits, articles, and patents in the areas of real-time information-based material handling; industrial and process control security; asset management; cryptography; RF data transmission; extremely low-power intelligent sensing technologies; electronic operator interface; and root cause analysis.
