by Christophe Tremlet
As highlighted in this article, 10BASE-T1L opens a new era for field instrument connectivity. Process plants are being modernized by adding high-speed Ethernet to field instruments deployed in remote and intrinsically safe environments, giving access to new data and unlocking insights that increase productivity while reducing energy consumption and unplanned downtime. Alongside these benefits, however, the technology introduces new cybersecurity challenges. Unlike legacy connectivity such as the 4-20mA current loop, a 10BASE-T1L instrument is IP addressable from the cloud all the way to the edge sensor, which widens the attack surface and creates new opportunities for attackers. This blog highlights some of the newly created security vulnerabilities, provides guidance on security by design, and examines how Analog Devices security solutions can help protect field instruments against the most common threats. See the previous blog post here.
Challenges of Converged 10BASE-T1L Network
The first class of vulnerabilities stems from the network infrastructure itself. Because 10BASE-T1L is an Ethernet-type network, it eliminates the need for gateways between the field level and the higher-level enterprise network. By default, field instruments are then directly attached to the entire corporate Ethernet: ordinary switches provide no isolation between field devices and the rest of the network, whereas a gateway did. Consequently, each field instrument becomes a potential entry point for all kinds of malware.
Three Good Practices for Securing a Converged Network
Good practices for a secure converged network are zoning, device authentication, and establishing trust in the software each device runs. Each is discussed in turn below.
Figure 1. 10BASE-T1L typical interconnection in an industrial infrastructure
Zoning consists of partitioning the network into zones and isolating them from each other so that the impact of malware is confined to one portion of the infrastructure rather than spreading across all of it. This practice (zones and conduits) is recommended by the IEC 62443 standard; detailed implementation is out of the scope of this blog.
Another fundamental aspect of securing a network is the authentication of each new device attempting to connect to it. It consists of verifying that the device is genuine, by having it prove possession of the private key associated with a certificate from a trusted issuer, before authorizing any network transaction with it. Modern techniques for authenticating a device remotely rely on public key cryptography and certificates, as explained here. The DS28S60 and MAXQ1065 are ADI secure authentication ICs with functionality including:
How the TLS (Transport Layer Security) protocol protects data in transit is explained further in this blog. The TLS handshake includes the device authentication step just described: the device presents its certificate and proves that it holds the corresponding private key.
Thirdly, establishing trust in a device means making sure it has the expected configuration and runs the expected software, free of unauthorized modifications. Secure boot is a must-have to guarantee that the field equipment executes only software coming from a trusted source. It is enabled by verifying the digital signature of the firmware, and here again public key cryptography is the way to go: the firmware is signed in the trusted R&D facility with a private key that never leaves it, and is verified in the field against the corresponding public key using an asymmetric algorithm such as ECDSA. Only the public key needs to be stored in the instrument; it must be protected against substitution, but not against disclosure. As described in The Fundamentals of Secure Boot and Secure Download: How to Protect Firmware and Data within Embedded Devices (maximintegrated.com), secure authentication ICs such as the DS28S60 and MAXQ1065 efficiently support these requirements.
Figure 2. Public key based secure boot and secure update
The Challenge of Higher Bandwidth 10BASE-T1L Network
As well as the challenges posed by the converged nature of the 10BASE-T1L network, the higher bandwidth creates a second type of potential security vulnerability. While sending a new firmware version to a field instrument over the slow legacy 4-20mA current loop would be impractical, it is easily done over 10BASE-T1L. It is therefore absolutely critical to guarantee the authenticity and integrity of the upgraded firmware, using the same technique as for secure boot. The signed data should also carry the firmware version, to be checked against the running version, so that an attacker cannot downgrade the instrument to an older, still validly signed image with known flaws. Configuration and parametrization information can similarly be updated through the network. This data is also sensitive, as rogue parameters could cause the equipment to malfunction. Here again, a digital signature guarantees the authenticity and integrity of this sensitive information.
The Challenge of Securing Valuable Measurement Data
As well as increasing the risk of a rogue firmware version being deployed, the increased bandwidth of a 10BASE-T1L implementation also allows a larger volume of process data to be exchanged. This data often feeds process regulation loops and triggers crucial process decisions, so it needs to be protected. The first level of protection should ensure that the data comes from a trusted instrument and has not been modified in transit, which prevents an attacker from disrupting the process by injecting rogue, untrusted information. Authenticity and integrity are guaranteed by a digital signature over the data. As described in this article, ECDSA is a modern digital signature algorithm. The DS28S60 and MAXQ1065 are also designed to compute ECDSA signatures on payload data from sensors, offloading the field instrument's main microcontroller from the intensive signature computation.
Figure 3. Measurement data signature
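The four signature flows discussed above (device authentication, secure boot, signed firmware and configuration updates, and signed measurement data) all reduce to the same primitive: the holder of a private key signs a payload, and anyone holding the matching public key verifies it. What changes between the flows is which side holds which key. The Go program below is an added example written for this page; it is not ADI code and not the DS28S60 or MAXQ1065 command set. It uses the Go standard library's P-256 ECDSA in software where a field instrument would hand the operation to the coprocessor, and the key names, role labels, firmware bytes, configuration string and measurement sample are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// digest binds the payload to its role: the label is hashed in front of the
// bytes, so a signature over a config blob can never be replayed as a firmware
// image, an authentication response or a measurement, and vice versa.
func digest(kind string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(kind))
	h.Write([]byte{0}) // separator between role label and payload
	h.Write(payload)
	return h.Sum(nil)
}

// Sign is done by whoever owns the private key: the R&D facility for firmware
// and configuration, the instrument's secure IC for challenges and measurements.
// It returns an error only if the random source fails.
func Sign(priv *ecdsa.PrivateKey, kind string, payload []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(kind, payload))
}

// Verify is done by the receiver before acting on the payload; it needs only
// the public key of the expected signer.
func Verify(pub *ecdsa.PublicKey, kind string, payload, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(kind, payload), sig)
}

// Scenario runs the four flows and reports each verification under a fixed name.
func Scenario() (map[string]bool, error) {
	// Hypothetical keys: vendorKey stays in the R&D facility; instrKey is
	// generated inside the instrument's coprocessor and never leaves it.
	vendorKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	instrKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	vendorPub, instrPub := &vendorKey.PublicKey, &instrKey.PublicKey
	res := map[string]bool{}

	// 1. Device authentication: the host sends a fresh random challenge, the
	//    instrument signs it, the host checks it against the instrument's key.
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return nil, err
	}
	resp, _ := Sign(instrKey, "auth-challenge", challenge)
	res["device_auth_ok"] = Verify(instrPub, "auth-challenge", challenge, resp)

	// 2. Secure boot: a constructed firmware image signed by the vendor.
	firmware := []byte("FIELD-INSTRUMENT-FW v2.1 (constructed image bytes)")
	fwSig, _ := Sign(vendorKey, "firmware", firmware)
	res["firmware_ok"] = Verify(vendorPub, "firmware", firmware, fwSig)
	tampered := append([]byte{}, firmware...)
	tampered[0] ^= 0x01 // a single flipped bit must fail verification
	res["tampered_firmware_rejected"] = !Verify(vendorPub, "firmware", tampered, fwSig)

	// 3. Signed configuration update: same mechanism, different role label.
	config := []byte("range=0..100bar;alarm_high=85;min_fw_version=2.1")
	cfgSig, _ := Sign(vendorKey, "config", config)
	res["config_ok"] = Verify(vendorPub, "config", config, cfgSig)
	res["config_as_firmware_rejected"] = !Verify(vendorPub, "firmware", config, cfgSig)

	// 4. Measurement data: signed by the instrument, verified by the host.
	sample := []byte(`{"tag":"PT-101","value":42.7,"unit":"bar","seq":1001}`)
	sSig, _ := Sign(instrKey, "measurement", sample)
	res["measurement_ok"] = Verify(instrPub, "measurement", sample, sSig)
	// The same sample signed with any other key (here the vendor's) is rejected.
	other, _ := Sign(vendorKey, "measurement", sample)
	res["wrong_signer_rejected"] = !Verify(instrPub, "measurement", sample, other)
	return res, nil
}

func main() {
	fmt.Println(Scenario())
}
```

Two design points are worth noting. The verifier of firmware and configuration holds only the vendor's public key, so nothing secret sits in the instrument for that flow, whereas measurement signing and challenge-response need a private key that is unique to the instrument, which is exactly the key a secure authentication IC is built to hold. The role label hashed into every signature keeps the flows from being confused with each other, which matters when one key pair is used for more than one purpose.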
Sometimes, disclosure of the measured data could reveal valuable information about industrial recipes. In that case the solution is to encrypt the data between the point of collection and the processing units. The DS28S60 and MAXQ1065 can compute a session key to be used as an AES encryption key. Then, depending on the bandwidth and latency required:
The IEC 62443-4-2 requires the protection of data exchanged over the network as follows:
The authenticity, confidentiality, and integrity requirements described above can be fulfilled by TLS (Transport Layer Security). TLS 1.2 is standardized in RFC 5246 and TLS 1.3 in RFC 8446. TLS also underpins secure variants of industrial protocols such as Modbus/TCP Security.
The MAXQ1065 comes with a full TLS stack. As highlighted in this application note, a security IC enhances the intrinsic security of TLS by keeping the device's private key inside the IC, and improves performance by offloading the heavy cryptographic calculations from the main microcontroller.
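The confidentiality approach outlined above (compute a session key, then use it as an AES key for the measurement stream) can be shown end to end in a short program. The following Go code is an added example written for this page; it is not ADI code, not the MAXQ1065 TLS stack, and not a TLS implementation. It performs an ephemeral P-256 ECDH exchange between a field instrument and a host using the Go standard library, derives an AES-256 key from the shared secret, and protects each measurement record with AES-GCM, which gives confidentiality and integrity together. The context label, tag name, sequence numbers and sample record are constructed for illustration, and a single SHA-256 stands in for a full key-derivation function.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Session is one side's AES-GCM state for a protected measurement stream.
type Session struct {
	Key  []byte // AES-256 key from ECDH; exported so the demo can compare both sides
	aead cipher.AEAD
}

// NewSession runs ECDH between our private key and the peer's public key (the
// uncompressed point bytes exchanged on the wire) and derives the AES key.
// One SHA-256 over a context label and the shared secret stands in for HKDF.
func NewSession(priv *ecdh.PrivateKey, peerPub []byte) (*Session, error) {
	pub, err := ecdh.P256().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	secret, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write([]byte("t1l-measurement-session-v1")) // hypothetical context label
	h.Write(secret)
	key := h.Sum(nil)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Session{Key: key, aead: g}, nil
}

// nonce maps the record sequence number to the 96-bit GCM nonce; it never
// repeats under one session key as long as the sender never reuses a seq.
func nonce(seq uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

// Seal protects one record. header (the tag name) is sent in clear but is
// bound to the ciphertext as additional authenticated data.
func (s *Session) Seal(seq uint64, header, plaintext []byte) []byte {
	return s.aead.Seal(nil, nonce(seq), plaintext, header)
}

// Open is the receiving side; it fails on any change to ciphertext, header or seq.
func (s *Session) Open(seq uint64, header, ciphertext []byte) ([]byte, error) {
	return s.aead.Open(nil, nonce(seq), ciphertext, header)
}

// Scenario: instrument and host generate ephemeral key pairs, exchange public
// keys, derive the same session, protect one constructed sample, and two
// manipulations a network attacker could attempt are checked.
func Scenario() (map[string]bool, error) {
	instrPriv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	hostPriv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	instr, err := NewSession(instrPriv, hostPriv.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	host, err := NewSession(hostPriv, instrPriv.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	res := map[string]bool{"keys_match": bytes.Equal(instr.Key, host.Key)}

	header, sample := []byte("PT-101"), []byte(`{"value":42.7,"unit":"bar"}`) // constructed
	ct := instr.Seal(1001, header, sample)
	pt, err := host.Open(1001, header, ct)
	res["decrypts_ok"] = err == nil && bytes.Equal(pt, sample)

	bad := append([]byte{}, ct...)
	bad[len(bad)-1] ^= 0x80 // flip one bit of the GCM tag
	_, err = host.Open(1001, header, bad)
	res["tampered_rejected"] = err != nil

	_, err = host.Open(1002, header, ct) // old record presented under a newer seq
	res["reseq_rejected"] = err != nil
	return res, nil
}

func main() {
	fmt.Println(Scenario())
}
```

Two caveats a practitioner would want. First, an ECDH exchange on its own does not authenticate either party: an attacker on the path could run one exchange with the instrument and another with the host. The public keys exchanged must therefore be tied to the device authentication described earlier (a certificate and a signature over the exchange), which is precisely what the TLS handshake bundles together. Second, deriving the nonce from the sequence number only guarantees nonce uniqueness; genuine replay protection additionally requires the receiver to remember the last sequence number accepted and to reject records that do not advance it.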
This blog has discussed the merits of the DS28S60 and MAXQ1065 in terms of tackling some of the key security challenges posed in the design of 10BASE-T1L field instrument network implementations. Namely, they enable the secure identity of network nodes, device-trusted operation, and secure data in transit.
Another challenge to be considered is the power budget. The DS28S60 and MAXQ1065 are ultra-low-power devices with a standby current as low as 100nA, and are thus well adapted to resource-constrained environments such as field instruments.
Overall, the DS28S60 and MAXQ1065, as “Swiss army knives” for field instrument security, are the perfect companions to your 10BASE-T1L design. A comparison of these parts is available here.
Find the next blog in this series here.