by Christophe Tremlet
As highlighted in this article, 10BASE-T1L opens a new era for field instrument connectivity. Process plants are being modernized by bringing high speed Ethernet to field instruments deployed in remote and intrinsically safe environments, giving access to new data and unlocking insights that increase productivity while reducing energy consumption and unplanned downtime. These benefits come with new cybersecurity challenges. Compared to legacy connectivity such as the 4-20 mA current loop, a 10BASE-T1L field instrument is an IP-addressable host, reachable in principle from the cloud all the way to the edge sensor, which enlarges the attack surface and creates new opportunities for attackers. This blog highlights some of the exposures this creates, provides guidance on security by design, and examines how Analog Devices security solutions can help protect field instruments against the most common threats.
The first class of exposures comes from the network infrastructure itself. Because 10BASE-T1L is Ethernet, it removes the need for protocol gateways between the field level and the higher-level plant or enterprise network. A gateway was an implicit security boundary: it terminated the fieldbus and exposed only a translated, limited interface upward. A plain Ethernet switch offers no such boundary by default, so unless the network is deliberately segmented, each field instrument sits on the same network as everything else and becomes an entry point for an attacker, and a pivot for lateral movement and malware, in both directions.
Good practices for a secure converged network are:
- Zoning the network so that field instruments are isolated from other parts of it
- Authenticating each device connecting to the network
- Making sure each device is trustworthy
Figure 1. 10BASE-T1L typical interconnection in an industrial infrastructure
Zoning consists of defining subsections of the network (zones) and controlling the traffic allowed between them (conduits), so that a compromise is contained to one zone instead of spreading across the whole infrastructure. This zones-and-conduits model is the approach recommended by IEC 62443 (IEC 62443-3-2 covers partitioning a system into zones), but detailed implementation is out of the scope of this blog.
Another fundamental aspect of securing a network is authentication of each new device attempting to connect to it: checking that the device is genuine before authorizing any network transaction with it. Modern remote device authentication relies on public key cryptography and certificates, as explained here: the device holds a private key that never leaves it, a certificate issued by a trusted authority binds the matching public key to the device identity, and the verifier challenges the device to prove possession of the private key. The DS28S60 and MAXQ1065 are ADI secure authentication ICs whose functionality includes:
- Public key cryptography even in the most power- and compute-constrained designs
- Secure storage and management of the keys and certificates used in public key cryptography
We explain further below how the TLS (Transport Layer Security) protocol protects data in transit. TLS includes the device authentication step just described, provided it is run with mutual authentication: by default TLS authenticates only the server, so the field instrument must be configured to present its own certificate (a client certificate) and the peer must be configured to require one.
Thirdly, establishing trust in a device is achieved by making sure it has the expected configuration and runs the expected software, clear of uncontrolled modifications. Secure boot is a must-have to make sure that the field equipment executes only software coming from a trusted source. It works by verifying the digital signature of the firmware before executing it, against a public key (or its hash) anchored in immutable storage such as ROM or one-time-programmable memory, so that the root of trust itself cannot be replaced. Here again, public key cryptography is the way to go: the firmware is signed in the trusted R&D facility and verified in the field using an asymmetric algorithm such as ECDSA. As described in The Fundamentals of Secure Boot and Secure Download: How to Protect Firmware and Data within Embedded Devices (maximintegrated.com), secure authentication ICs such as the DS28S60 and MAXQ1065 support these requirements efficiently.
Figure 2. Public key based secure boot and secure update
As well as the challenges posed by the converged nature of the 10BASE-T1L network, the higher bandwidth creates a second type of exposure. Pushing a new firmware image to a field instrument over the slow legacy 4-20 mA current loop is impractical; over 10BASE-T1L it is easy. It is therefore critical to guarantee the authenticity and integrity of any firmware update using the same technique as for secure boot, and to enforce a monotonic version number so that a correctly signed but older, vulnerable image cannot be pushed back onto the device (anti-rollback). Configuration and parametrization data can similarly be updated through the network. This data is also sensitive, as rogue parameters could cause the equipment to malfunction or to report misleading values. Here again, a digital signature guarantees the authenticity and integrity of this sensitive information.
As well as increasing the risk of a rogue firmware version being deployed, the increased bandwidth of 10BASE-T1L also enables a larger volume of process data to be exchanged. This data often feeds process regulation loops and triggers crucial process decisions, so it needs to be protected. The first level of protection ensures that the data comes from a trusted instrument and has not been modified in transit; this prevents an attacker from disrupting the process by injecting forged measurements. Authenticity and integrity are provided by a digital signature over the data, ideally over the measurement together with a sequence number or timestamp, so that a captured genuine sample cannot simply be replayed later. As described in this article, ECDSA is a modern digital signature algorithm. The DS28S60 and MAXQ1065 are also designed to compute ECDSA signatures over payload data coming out of sensors, offloading the main microcontroller of the field instrument from the signature computation.
Figure 3. Measurement data signature
Sometimes, disclosure of the measured data could reveal valuable information about industrial recipes. In that case the data should be encrypted between the point of collection and the processing unit. The DS28S60 and MAXQ1065 can compute a session key to be used as an AES encryption key. Then, depending on the bandwidth and latency required:
- Keep the session key inside the secure IC and compute AES there
- Transfer the session key to the microcontroller, which will run the AES encryption (the key then lives in the microcontroller's memory for the duration of the session and must be protected and erased accordingly)
In either case, use an authenticated encryption mode such as AES-GCM or AES-CCM rather than a bare block mode, so that the encrypted data also carries an integrity check.
IEC 62443-4-2 (component requirements) requires the protection of data exchanged over the network by security level (SL 1 to SL 4), in summary:
- The capability to encrypt the data must be supported at all levels (1 to 4)
- Authentication and integrity are required for levels 2 to 3
The authenticity, confidentiality, and integrity requirements described above can be fulfilled by TLS (Transport Layer Security). TLS 1.2 is standardized in RFC 5246 and TLS 1.3 in RFC 8446; new designs should use TLS 1.3 and accept nothing older than TLS 1.2. Industrial protocols have adopted it too: Modbus/TCP Security, for example, runs Modbus over TLS with mutual certificate authentication.
The MAXQ1065 comes with a full TLS stack. As highlighted in this application note, a security IC strengthens a TLS deployment by keeping the private key used for authentication inside tamper-resistant hardware, where it cannot be read out by compromised application firmware, and improves performance by offloading the heavy cryptographic calculations from the main microcontroller.
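The device authentication step only happens if both ends are configured for it. As an added example (not code from the original post or from ADI; the file paths are placeholders), here is the mutual-TLS configuration for both sides of an instrument-to-controller link using Python's standard `ssl` module, with the weak default shown against the hardened setting.

```python
"""Mutual-TLS endpoint configuration for a field instrument and its controller.
Certificate/key paths are placeholders; in a product the instrument's private key
would be held by the secure IC rather than a file."""
import ssl


def harden(ctx):
    """Settings a field-instrument endpoint should not negotiate below.
    A fresh ssl.SSLContext(PROTOCOL_TLS_SERVER) has verify_mode = CERT_NONE,
    i.e. the connecting peer is never authenticated; CERT_REQUIRED turns the
    session into mutual TLS so the device authentication step actually runs."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.3 preferred, 1.2 is the floor
    ctx.verify_mode = ssl.CERT_REQUIRED            # peer must present a valid certificate
    ctx.options |= ssl.OP_NO_COMPRESSION           # no compression-based plaintext leakage
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # forward-secret AEAD suites only (TLS 1.2)
    return ctx


def instrument_server_context(cert_chain, key_file, ca_file):
    """Instrument side: accepts connections, proves its own identity, and
    accepts only controllers holding a certificate issued by the plant CA."""
    ctx = harden(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))
    ctx.load_cert_chain(cert_chain, key_file)   # the instrument's identity
    ctx.load_verify_locations(cafile=ca_file)   # plant CA that issued controller certs
    return ctx


def controller_client_context(cert_chain, key_file, ca_file):
    """Controller side: presents its own certificate and verifies the instrument's
    certificate chain and name against the plant CA."""
    ctx = harden(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT))
    ctx.check_hostname = True                    # instrument name must match its cert
    ctx.load_cert_chain(cert_chain, key_file)
    ctx.load_verify_locations(cafile=ca_file)
    return ctx
```

The trust anchor loaded with `load_verify_locations` should be the plant's own CA, not a public bundle: a field instrument has no business accepting a certificate from an arbitrary commercial CA. With `harden` applied, an instrument that fails to present a certificate chaining to that CA is refused before any application data is exchanged.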
This blog has discussed the merits of the DS28S60 and MAXQ1065 in tackling some of the key security challenges posed by 10BASE-T1L field instrument network designs. Namely, they enable a secure identity for each network node, trusted operation of the device, and protection of data in transit.
Another challenge to be considered is the power budget. The DS28S60 and MAXQ1065 are ultra-low power devices featuring a standby current as low as 100 nA and are thus well adapted to resource-constrained environments such as field instruments.
Overall, the DS28S60 and MAXQ1065, as "Swiss army knives" for field instrument security, are natural companions to a 10BASE-T1L design. A comparison of these parts is available.