Embedded Virtualization & Cyber Security for Industrial Automation HyperSecured PC-based Control and Operation




Industrial controllers and HMIs today mostly lack protective functions for their IT and network security. Upstream security appliances with dedicated hardware could provide an add-on solution. Cost pressure and the ever increasing processing power of CPUs, however, tend to result in a demand for hardware consolidation. Therefore, the IT mega-trend and cost-cutting technology of virtualization is about to make inroads into the industrial automation market as well, especially in embedded flavors.

Introduction

The networking of machinery and equipment results in new options for the IT integration of processes and for remote services across wide area connections, but also in new challenges in the area of cyber security. Solutions with dedicated security devices are advantageous in that they physically separate the actual functionality of a system from its protective security measures, avoiding mutual side-effects and allowing independent development of both by the respective specialists. Yet their deployment often fails due to the additional hardware needs and cost restrictions.

At the same time, the price-performance ratio of processors, memory, and peripheral components keeps constantly improving (Moore's law). This gives rise to a shift from specialized hardware to software functions on a common platform, limited by the degree of modularization necessary to cope with technical risks and to enable the integration of subsystems from different suppliers. Virtualization is the key to combining the cost savings of advanced hardware consolidation with such a modular design. This leads us to the concept of virtual security appliances for industrial automation.

Virtualization in IT and Automation

Virtualization of both client and server systems is state-of-the-art technology in enterprise IT today. Typically, the virtual systems are operated on a server farm in the network. The provision and coordinated operation of multiple virtual machines on shared hardware are effected by a layer of software called the hypervisor or virtual machine manager. Two types of hypervisors and two approaches to virtualization are usually distinguished. Type 1 hypervisors run directly on the bare hardware and only coordinate the available hardware resources. Type 2 hypervisors run as applications in a host system; the achievable performance is reduced by the additional operating system layer.

Copyright Innominate Security Technologies AG and TenAsys Corporation, 2013

The hardware virtualization approach presents each guest system with a complete (simulated) computer of its own. The unmodified guest system runs with its own time-slice scheduler, unaware of the virtualized environment, which typically prevents real-time capability. Depending on platform and implementation, the guest system may have direct access to (parts of) the underlying hardware components. Other components may be completely simulated, requiring a fairly complex hypervisor or a hardware platform with virtualization support. Guest system performance can be equivalent to that of a stand-alone system as long as no I/O operations are performed via simulated components.

Under the para-virtualization approach, in contrast, the guest systems need to be modified for better cooperation with the respective hypervisor. Time-slice and memory management can be more tightly integrated, and real-time capability can thus be achieved. The internal communication between guest systems, or between a guest system and the hypervisor, is carried out through efficient specialized interfaces.

In industrial automation and control, however, the requirements differ from those in enterprise IT. The systems deployed here run on dedicated hardware with little or no operator intervention. Controller components typically have real-time requirements, whereas human-machine interfaces (HMIs) are mostly applications on a Windows operating system. In this environment, embedded virtualization taking a hybrid approach, combining native Windows installations with additional unmodified guest systems on a thoroughly partitioned multi-core PC platform with virtualization support, is of particular value.

HyperSecured Industrial PCs

Under the HyperSecured concept developed by Innominate, automation components such as an HMI or controller and a virtual mguard security appliance are integrated onto a single piece of hardware by means of an embedded virtual machine manager. This provides the automation components with all the benefits of an upstream security appliance at reduced hardware costs. The automation components can thus be efficiently protected from unauthorized access and malware attacks.

With their exhibit of a HyperSecured IPC, technology partners Innominate and TenAsys showcase a joint solution to demonstrate that embedded virtualization and cyber security are ready for production use. The exhibit uses the TenAsys evm for Windows embedded virtual machine manager to integrate an original Windows operating system with a virtual mguard security appliance on a standard industrial PC.

HyperSecured Industrial PC Architecture

Network communication between the Windows system and the external environment has to pass through, and is controlled by, the virtual mguard security appliance, which provides firewall, virtual private network (VPN), and integrity monitoring services to the PC system. The internal communication between the Windows system and the security appliance is done through a virtual Ethernet interface.

The hardware used for the exhibit is an off-the-shelf Valueline IPC from Innominate's parent company PHOENIX CONTACT, featuring an Intel Core 2 Duo CPU with VT-d support, 2 GB RAM, and dual Gigabit Ethernet ports. The TenAsys evm embedded virtual machine manager is a very compact package installed and administered through Windows. It partitions the CPU into two cores and system domains for Windows and the mguard guest system. Both Windows and the mguard guest system boot natively, exactly as if they were running stand-alone. Peripheral components, in particular the Ethernet interface, are exclusively assigned to one of the systems.

Virtual mguard Security Appliance

Thanks to TenAsys evm, no para-virtualization or modification of the mguard system is necessary on Intel platforms with VT-d support. The original Linux-based mguard firmware image runs on a dedicated core of the shared x86 CPU. The virtual mguard ensures comprehensive protection of the PC's network communication, as the physical Ethernet interface to the external environment is exclusively assigned to it. Its protection against denial-of-service (DoS) attacks will be effective too, thanks to this direct hardware control: even in an extreme case, only the virtual security appliance could be overloaded, with external network packets getting delayed or dropped. Due to the strict partitioning of the CPU cores and system domains, this will not affect the Windows partition or other potential guest systems.

Access to the PC and its Windows system will be blocked by the mguard firewall unless authorized by a general static or user-specific dynamic firewall rule. Integrated virtual private network (VPN) functionality enables secure remote access with authentication and encryption. VPN tunnels are terminated by the virtual mguard; the Windows system gets to see regular IP communication only.
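As an added illustration (not Innominate's or TenAsys's code), the following Python model captures the traffic path described in this section: the appliance partition owns the physical NIC, enforces a default-deny policy with static and user-specific dynamic rules, terminates VPN tunnels so that Windows sees plain IP only, and absorbs a packet flood in its own bounded queue. Rule sets, addresses, user names and port numbers are constructed sample values.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str            # source IPv4 address
    dport: int          # destination port on the Windows system
    vpn_user: str = ""  # set when the packet arrived inside an authenticated VPN tunnel

@dataclass
class VirtualMguard:
    # Appliance partition: it owns the physical NIC, so every external packet is
    # queued here first and released to Windows only if a rule permits it (default deny).
    static_rules: set = field(default_factory=set)    # {(source prefix, dest port)}
    dynamic_rules: dict = field(default_factory=dict)  # {vpn user: {ports released}}
    capacity: int = 4  # bounded input queue: a flood overloads this partition only
    queue: deque = field(default_factory=deque)
    dropped: int = 0

    def receive(self, pkt):
        # Physical NIC input; False once the appliance itself is saturated.
        if len(self.queue) >= self.capacity:
            self.dropped += 1
            return False
        self.queue.append(pkt)
        return True

    def permitted(self, pkt):
        if pkt.vpn_user:  # tunnel authenticated here, so user-specific rules apply
            return pkt.dport in self.dynamic_rules.get(pkt.vpn_user, set())
        return any(pkt.src.startswith(p) and pkt.dport == d for p, d in self.static_rules)

    def forward(self):
        # Drain the queue onto the virtual Ethernet link; returns what Windows sees.
        delivered = []
        while self.queue:
            pkt = self.queue.popleft()
            if self.permitted(pkt):
                delivered.append(Packet(pkt.src, pkt.dport))  # tunnel header stripped
        return delivered

def demo():
    # Constructed scenario: plant client, direct remote access attempt, VPN user, flood.
    fw = VirtualMguard(static_rules={("192.168.10.", 4840)}, dynamic_rules={"maint": {3389}})
    fw.receive(Packet("192.168.10.5", 4840))          # static rule -> allowed
    fw.receive(Packet("203.0.113.7", 3389))           # no rule -> dropped at the appliance
    fw.receive(Packet("203.0.113.7", 3389, "maint"))  # same port via VPN user -> allowed
    delivered = fw.forward()
    accepted = sum(fw.receive(Packet("203.0.113.9", 80)) for _ in range(10))  # flood
    return delivered, fw.dropped, accepted, fw.forward()
```

The flood in demo() fills only the appliance's queue; the packets already released to the Windows side are unaffected, and none of the flood packets match a rule.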
Summary and Outlook

Virtualization with an appropriate embedded virtual machine manager enables trendsetting consolidation of industrial automation and cyber security functions onto cost-optimized hardware, preserving the modular design and benefits of dedicated devices. The HyperSecured solution as presented is not generally limited to just one protected Windows system. It will be possible to use additional CPU cores with their own native guest systems, including real-time operating systems and controllers.

Published in February 2013

About Innominate Security Technologies AG

Innominate, a PHOENIX CONTACT Company, is a leading supplier of components and solutions for controlled and secured communication in industrial networks. The German company specializes in the protection of networked industrial systems and the secure remote diagnosis and maintenance of machinery and equipment over the Internet. Its mguard product line of network security appliances provides router, firewall, virtual private network (VPN), and quality of service (QoS) functionalities and helps with intrusion detection and antivirus protection. The mguard portfolio is complemented by highly scalable device management software and a Cloud-based Remote Services Portal. Innominate products are marketed worldwide under the mguard brand through system integrators and OEM partners. Further information can be found at www.innominate.com.

About TenAsys Corporation

Real-time virtualization expert TenAsys Corporation specializes in operating software for the embedded computer industry, designed and optimized for Intel x86 platforms using the Microsoft Windows OS and the Visual Studio development environment. Since 1980, customers worldwide have entrusted TenAsys RTOS products to provide reliable deterministic control in a wide array of mission-critical applications, including medical, telecom, industrial control, robotics, test and measurement, and military applications. For more information, visit www.tenasys.com.