The Case Of ICS Continuity At A German Automotive Manufacturer

– Guest posting by Klaus Mochalski, CEO, Rhebo GmbH


Digitization has brought its own pitfalls. As the pilot installation of the industrial anomaly detection system Rhebo Industrial Protector shows, security issues are not the only thing automation companies should worry about.

The vision of the Industrial Internet of Things (IIoT) can only be successfully implemented if Industrial Control Systems (ICS) are managed as the vital nervous system for assuring production continuity.

A German car manufacturer therefore decided to test and protect its ICS using industrial anomaly detection. The monitoring tool analyzes all communication exchanged within the ICS without disrupting operation. Suspicious incidents are flagged with a risk score and reported to the network operator in real time.

Complexity In ICS Increases

The pilot installation was to address five fundamental challenges of Industry 4.0 in a complex production cell, which have not yet been covered by conventional monitoring or existing IT security solutions:

  1. Complete visibility of all assets and communication within the production cell;
  2. Detailed analysis of communication on content level, particularly for Profinet and Siemens S7;
  3. Comprehensive notification of all anomalies within the ICS in real-time;
  4. Identification of optimization potential for the fieldbus infrastructure (Profinet) based on a detailed, continuous analysis of communication patterns;
  5. Strengthening of industrial security by means of real-time notification of any suspicious access to the network – known and unknown, external and internal – including all incident details.

The industrial anomaly detection was installed in a complex production cell within a very short time and without interrupting production. The first analysis within the scope of a Rhebo Industry 4.0 Stability and Security Audit already showed a strong heterogeneity and complexity within the system architecture. In the monitored production cell alone, over 300 components from Siemens, SICK, SMC, SEW, IMI and Norgren, among others, were identified which exhibited a wide variety of configurations and communicated freely with each other.

Rhebo Industrial Protector visualizes the entire digital asset inventory in real-time (Rhebo)

Cyber Security Is Not The Only Factor For Continuity

Subsequently, several risks were identified that affected both OT security and plant productivity.

OT security issues included:

  • Unknown network participants, partly with fallback IP addresses, suspicious operations and insecure configurations;
  • Double IP addresses;
  • Possible man-in-the-middle attack through misuse of the Address Resolution Protocol (ARP).
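
Findings of this kind can be derived passively from mirrored ARP traffic. The following is an added example, not Rhebo's implementation or code from the original post: it parses raw ARP payloads and compares the sender bindings against an asset inventory. The inventory, the finding names and the sample frames are constructed assumptions.

```python
import struct
from collections import defaultdict

ARP_FMT = "!HHBBH6s4s6s4s"  # 28-byte ARP payload for Ethernet/IPv4

def parse_arp(payload: bytes):
    """Return (sender_mac, sender_ip), or None if not a full Ethernet/IPv4 ARP payload."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, _op, sha, spa, _tha, _tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return sha.hex(":"), ".".join(str(o) for o in spa)

def analyze(payloads, inventory):
    """inventory maps ip -> mac of known assets; returns sorted (kind, ip, mac) findings."""
    claims, findings = defaultdict(set), set()
    for p in payloads:
        parsed = parse_arp(p)
        if parsed is None or parsed[1] == "0.0.0.0":
            continue  # malformed payload, or an ARP probe that claims no address
        mac, ip = parsed
        claims[ip].add(mac)
        if mac not in inventory.values():
            findings.add(("unknown_participant", ip, mac))   # MAC absent from inventory
        elif inventory.get(ip) != mac:
            findings.add(("binding_changed", ip, mac))       # known MAC, unexpected IP
    for ip, macs in claims.items():
        if len(macs) > 1:                                    # one IP claimed by several MACs
            findings.update(("duplicate_ip", ip, m) for m in macs)
    return sorted(findings)

def arp(op, mac, ip):
    """Build a constructed ARP payload (sample data only; target fields zeroed)."""
    sha = bytes.fromhex(mac.replace(":", ""))
    spa = bytes(int(o) for o in ip.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, sha, spa, bytes(6), bytes(4))

# Constructed inventory and traffic, not taken from the pilot installation
INVENTORY = {"192.168.0.10": "02:00:00:00:00:10", "192.168.0.20": "02:00:00:00:00:20"}
SAMPLE = [
    arp(2, "02:00:00:00:00:10", "192.168.0.10"),  # matches inventory
    arp(2, "02:00:00:00:00:20", "192.168.0.20"),  # matches inventory
    arp(2, "02:00:00:00:00:99", "192.168.0.10"),  # unknown MAC claims a known IP
    arp(1, "02:00:00:00:00:20", "192.168.0.10"),  # known MAC claims another asset's IP
]

for finding in analyze(SAMPLE, INVENTORY):
    print(finding)
```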

The Overall Equipment Effectiveness was affected by hidden ICS network problems including:

  • Increased payload caused by erroneous data packets (e.g. IP fragments, retransmissions) which caused, among other things, the failure of cyclic real-time telegrams;
  • Profinet error notifications of single components indicating operational disruptions;
  • Disruption of real-time processes through communication failures.

Example of anomaly notification caused by technical communication faults in the ICS (Rhebo)

Assuring And Increasing Productivity And Industrial Security

By integrating the industrial anomaly detection, the car manufacturer achieved complete transparency of all assets and communication in the monitored production area. Misconfigurations and potential security risks were clearly identified. The detailed storage of all anomalies in the ICS with metadata and raw data (as PCAP) enabled the operators to react quickly to threats. This also significantly reduced the time for forensic analysis, troubleshooting and recovery.

The car manufacturer was able to increase its protection against cyber attacks, but also to improve process stability and operational continuity.

‘Find The Saboteur – Protection of interference-free operation of networked industrial plants’ (original title: ‘Finde den Saboteur – Absicherung des störungsfreien Betriebes vernetzter Industrieanlagen’) will be the focus of the lecture by Dr. Frank Stummer, Business Development, Rhebo GmbH, on Tuesday, 20 June, 2018, 12:00 pm, at automatica 2018, hall B4.
Get more in-depth information about cybersecurity – especially industrial IT security – and production enabled by IIoT at IT2Industry subject area of automatica 2018 – 19 to 22 June, Messe München.
– Register for automatica 2018 ticket.

