Defense in Depth Security – A License-based Approach to Embedded Protection
2019-06-04 Daniela Previtali
As has been written in this space many times before, the risks to modern, connected industrial control systems are quite real, from loss of system control and destruction to stealing machine designs and intellectual property (IP).
Vulnerabilities exist in both development software and Programmable Logic Controller (PLC) hardware. Rockwell Automation pointed out some of those vulnerabilities in a recently published white paper, License-based Protection Versus a Software Solution.
In development software, Rockwell noted that legacy Operating Systems and software packages typically included few embedded security features, and if the OS or software vendor stopped updating their products, existing security vulnerabilities would eventually compromise the system. More recently, password authentication was introduced to protect IP, but as we know now, password protection alone does not guarantee security.
With PLC hardware, Rockwell noted that legacy controllers were typically built with default backdoor passwords for emergency access to the PLC, but that in itself posed security risks. More modern Programmable Automation Controllers (PACs) have eliminated the backdoor threat, but continue to maintain password authentication capabilities.
The commonality in both software and hardware vulnerabilities was the use of password authentication, and the difficulty in maintaining the process, particularly in the modern social engineering environment where there are many ways unscrupulous hackers can get access to the passwords – e.g. social media, phishing email schemes, etc.
In their white paper, Rockwell offered a novel license-based protection solution that they believe far surpasses the password authentication of the past. The solution is based on the concept of Root of Trust espoused by the Trusted Computing Group (TCG). As defined by the National Institute of Standards and Technology (NIST), Roots of trust are “are highly reliable hardware, firmware, and software components that perform specific, critical security functions. Because roots of trust are inherently trusted, they must be secure by design. As such, many roots of trust are implemented in hardware so that malware cannot tamper with the functions they provide. Roots of trust provide a firm foundation from which to build security and trust.”
Rockwell’s license-based protection solution, which is part of the Rockwell Software Studio 5000 Logix Designer v30 software, was developed in collaboration with Wibu-Systems and based on our CodeMeter technology. Several years ago, we joined the Trusted Computing Group and expanded our hardware compatibility family of secure hardware elements to include support for TCG’s Trusted Platform Modules (TPMs).
The comprehensive Rockwell protection solution includes elements of CodeMeter encryption, access control, and secure hardware elements, all working together to protect source and execution code without the use of passwords and the vulnerabilities that come with them. Rockwell refers to it as a Defense in Depth strategy.
The new License-based Protection feature is available for the Rockwell ControlLogix 5580 and CompactLogix 5380, 5380S and 5480 PAC controllers.
You can read a more detailed description of CodeMeter and License-based Protection in Rockwell’s white paper.
Wibu-Systems Global Marketing Director – IIC Marketing WG Co-Chair
Daniela is a marketing veteran who has dedicated more than twenty years of her career to the service of world-leading IT security vendors. Throughout her journey in this field, she has covered executive positions in international sales, product marketing, and product management and acquired comprehensive knowledge of both digital rights management solutions and authentication technologies. Working from the German headquarters of Wibu-Systems, she is currently leading both corporate and channel marketing activities, innovating penetration strategies, and infusing her multinational team with a holistic mindset.