SKAT: Sichere Kommunikationsnetze (VPN) in der Automatisierungstechnik
In industrial automation technology (AT) products, standardized IT techniques are increasingly used for communication purposes. In particular, applications that use the TCP/IP and UDP/IP protocols via Ethernet should be mentioned here. This enables simple networking with the company network (intranet), which allows, for example, convenient monitoring, control and configuration of AT components from any company location and, by means of an Internet connection, from practically any location. In addition to this importance for providing vertical communication structures, Ethernet and, in the future, certainly increasingly wireless standards such as WLAN (IEEE 802.11), Bluetooth and ZigBee play an important role in networking AT components with each other.
In addition to the advantages of using standardized open protocols and techniques, however, such networks are much more exposed to the risk of unauthorized access by third parties. Various attack possibilities are known for TCP/IP networks, and corresponding hacker tools are freely available on the Internet. These threats to IT security must therefore be taken into account separately and countered by using suitable techniques, such as those already available in principle for securing standard networks (LANs). In particular, the use of firewall and VPN solutions should be considered in this context. However, it is problematic that both firewall and VPN solutions require a rather high administrative effort for configuration and integration into an existing network.
Within the scope of the research project, VPN solutions are to be designed and evaluated that are particularly suitable for the special requirements in the AT environment:
- The configuration of secure connections must be feasible with minimal effort.
- In connection with the last point, a simple uniform security structure must be defined for different network connections of components (also via wireless networks such as WLAN or Bluetooth).
The goals of the project are:
- Integration of the required cryptographic mechanisms must be possible on small embedded platforms.
- Definition of a sufficient subset of the algorithms, protocols, and mechanisms defined by the IPsec protocol suite that, on the one hand, can be implemented on small processor platforms with reasonable effort and sufficient performance, and, on the other hand, avoid known vulnerabilities of IPsec applications.
- Provision of concepts for a user-friendly and largely automated creation of key structures (PKI, Public Key Infrastructure), as required for the operation of a VPN application.
Exemplary Implementations of Demonstrators:
- IPsec implementations for simple IO devices
- IPsec-Gateway
- PKI configuration applications