Securing and Consolidating Industrial Automation Systems Based on Intel® Architecture Using Open Source Technology
White Paper
Intel® Trusted Execution Technology and Intel® Virtualization Technology
Design House and Platform Solutions

Using open source components, Intel demonstrates how Intel® Trusted Execution Technology and Intel® Virtualization Technology complement existing security measures for networked industrial systems based on Intel® Architecture.

Yau, Wai Yeong, Intel Corporation
Lee, Zhan Qiang, Intel Corporation

Executive Summary

This paper presents an overview of the importance of security for today’s connected industrial automation systems and highlights the benefits of Intel® Trusted Execution Technology (Intel® TXT) and Intel® Virtualization Technology (Intel® VT) in complementing existing security measures. Furthermore, a demonstration system (a product separation industrial machine) using open source technology is described, along with a procedure that may be considered for setting up the system.

“This demonstration of a security solution for industrial automation systems uses open source technology with Intel® Architecture. By designing security into its processors, Intel ensures security is inherent in deployed systems based on Intel® Architecture with Intel® vPro™ technology.”

Background

Industrial automation systems are increasingly connected to each other in a manufacturing environment as part of the Internet of Things (IoT) concept where real-time information from connected devices can be consolidated, analyzed, and acted upon. This connected approach to manufacturing is not limited to a single site; the approach has evolved to a site communicating with other sites, enabling decision-making at a higher level by connecting the information from the device level to enterprise resource planning (ERP) systems at the enterprise level.

With the rise of connected devices in the manufacturing environment, the focus is now on security and consolidation. Unlike conventional closed systems, today’s connected industrial automation systems are susceptible to cyber threats, such as zero-day rootkits. These threats, if detected at all, exploit previously unknown security vulnerabilities in the operating system and application software in order to access confidential data or to manipulate processes in connected systems. The potential consequences of a security breach on connected systems may include loss of productivity, harm to corporate reputation, and damage to equipment.

Securing industrial automation systems requires a comprehensive solution with multiple layers of security measures without impacting performance or limiting accessibility. One of the layers is Intel® TXT, which provides security at the hardware level even before the operating system is running to ensure a trusted computing base. After the operating system loads uncorrupted, protection is then provided by other security layers, such as antivirus software that detects runtime viruses and a security policy that compartmentalizes applications and the system where access is restricted to specific users.

Table of Contents

Executive Summary
Background
Ensuring Trust with a Hardware-Based Security Foundation
    Establishing a Measured and Verified Boot
Consolidating Workload and Enhancing Control
Demonstrating a Security Solution for Industrial Automation Systems with Intel® Architecture
    Security Demonstration
Setting Up the System Using Open Source Components
Conclusion

Ensuring Trust with a Hardware-Based Security Foundation

The computing infrastructure of an industrial automation system only offers protection — for example, through the installation of third-party security software and the implementation of security policies — after the operating system loads. The challenge is ensuring the operating system can be trusted before it loads.

Establishing a Measured and Verified Boot

The 4th generation Intel® Core™ processor with Intel® vPro™ technology¹ offers integrated hardware support for intelligent management functions, virtualization, and platform security. To complement existing security measures that ensure trust in the computing infrastructure of industrial automation systems, the combination of the Intel® Core™ vPro™ processor, chipset, the Trusted Platform Module (TPM), and firmware composes Intel® Trusted Execution Technology (Intel® TXT).

Intel® TXT is a hardware-based security foundation that provides a trusted starting point for the operating system, prevents unauthorized software, and enforces trusted configurations.

Before the operating system is launched, restarted, or resumed from sleep, Intel® TXT establishes a trusted computing platform by ensuring the launch environment (such as BIOS and virtual machine managers) is secure by measuring critical elements in comparison with a known good source and verifying the launch components using cryptographically generated digital signatures. Therefore, when the operating system is running, it is running on a trusted computing platform. However, the computing platform still requires security measures against runtime threats and malicious intentions via third-party solutions.

Consolidating Workload and Enhancing Control

The 4th generation Intel® Core™ vPro™ processor supports hardware-based virtualization in the form of Intel® VT², which increases the robustness of the virtualized environment by ensuring virtual machines do not interfere with each other and accelerates data transfers by directly and securely assigning I/O devices to the guest operating systems.

The separation of software from hardware in virtualization allows several operating systems to run on a single computing platform, with individual virtual machines managed by a hypervisor or a virtual machine monitor (VMM). The hypervisor abstracts the hardware requirements for software, so each virtual machine appears to run on its own computing platform.

This consolidation of computing infrastructure for industrial automation systems allows greater flexibility when it comes to enhancing security. Consolidating the computing infrastructure results in fewer computing platforms that require security solutions. Fewer computing platforms also reduce the points of attack by unauthorized users.

Simplifying the efforts towards these goals is the Intel® Industrial Solutions System Consolidation Series, which is a solution that includes the essential hardware and software. A demonstration of using this solution with commercial security software is detailed in the solution brief at http://www.intel.com/content/www/us/en/industrial-automation/mcafee-how-to-secure-manage-industrial-systems-brief.html.

However, the demonstration presented in this paper uses open source components to enable the security and consolidation of the computing platform in an industrial automation system.

Demonstrating a Security Solution for Industrial Automation Systems with Intel® Architecture

This demonstration is a product separation industrial machine that sorts a product by its color using a vision inspection and control system. It consists of two virtual machines (VM1 and VM2) running on a single computer powered by the 4th generation Intel® Core™ vPro™ processor. The system is set up using open source components that support Intel® TXT and Intel® VT.

Both virtual machines are connected on the same network. VM1 performs the function of a machine vision system that detects the color of the product via a machine vision camera. VM1 then communicates with VM2, which controls an actuator, a conveyer belt, and a warning system. The actuator separates the product into the

Security Demonstration

In this demonstration, a USB flash drive infected with a rootkit virus is plugged into the computer. The runtime security layer detects the intrusion and prevents the rootkit virus from running automatically. When the computer is restarted, Intel® TXT determines that the integrity of the operating system has been compromised and prevents the operating system from loading. This effectively stops the rootkit virus from affecting other parts of the product separation industrial machine.

Setting Up the System Using Open Source Components

The computing platform used in the demonstration uses the Hypervisor* from Xen Project, which hosts two instances of virtual machines as the guest operating systems. The software required to run the vision inspection is installed into VM1 (machine vision system) and the software to control

To enable Intel® TXT on both virtual machines to perform a measured and verified launch of the Hypervisor, an open source pre-kernel module called Trusted Boot* (tboot) is installed. Using Intel® VT, platform resources are securely assigned to each virtual machine, ensuring the trustworthiness of the launch environment.

The following is a general procedure to set up the open source components of the product separation industrial machine that demonstrates the capabilities of Intel® TXT and Intel® VT.

1. Set up the computer BIOS as follows³:
   • In Processor configuration, enable Intel® VT and Intel® TXT.
   • In Security, enable TPM.
   • Enable and set up an administrator password.
   • Save the settings, and restart the computer.
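
The measure-and-compare step described under "Establishing a Measured and Verified Boot", as an added example that is not from the white paper or from tboot: a simplified Python model of a TPM-style extend chain checked against a known good value. The component names, the sample bytes and the choice of SHA-256 are assumptions; on the real platform the measurement is done by the processor, TPM and tboot, not by code like this.

```python
import hashlib
import hmac
from itertools import zip_longest

# Constructed sample launch components (names and bytes are hypothetical).
GOLDEN = [
    ("xen.gz", b"constructed hypervisor image v1"),
    ("vmlinuz", b"constructed control-domain kernel v1"),
    ("initrd.img", b"constructed initial ramdisk v1"),
]


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new_pcr = H(old_pcr || H(component))."""
    measurement = hashlib.sha256(component).digest()
    return hashlib.sha256(pcr + measurement).digest()


def measure_chain(components):
    """Measure components in launch order; return (final_pcr, event_log)."""
    pcr = bytes(32)  # register modelled as all zeros before the first extend
    log = []
    for name, blob in components:
        pcr = extend(pcr, blob)
        log.append((name, hashlib.sha256(blob).hexdigest()))
    return pcr, log


def verify_launch(components, known_good):
    """Compare a launch against the known good measurement.

    Returns (allowed, changed): allowed is True only if the final PCR
    matches; changed names the log entries that differ by position.
    """
    pcr, log = measure_chain(components)
    good_pcr, good_log = known_good
    changed = [(got or exp)[0]
               for got, exp in zip_longest(log, good_log) if got != exp]
    return hmac.compare_digest(pcr, good_pcr), changed


if __name__ == "__main__":
    good = measure_chain(GOLDEN)
    tampered = [GOLDEN[0], ("vmlinuz", GOLDEN[1][1] + b"\x00"), GOLDEN[2]]
    for label, launch in (("clean", GOLDEN), ("tampered", tampered)):
        allowed, changed = verify_launch(launch, good)
        print(label, "launch allowed" if allowed else "launch refused", changed)
```

Because each extend hashes the previous register value, a changed, missing or reordered component alters the final value, and no later measurement can restore it.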