As the networking of machines and production plants becomes more prevalent and comprehensive, IT security (IT = information technology) is becoming more and more important. Current reports about successful attacks on industrial control systems highlight the urgent need for improved IT security. From an occupational safety and health perspective, the aspects of IT security that affect product safety and operational safety are of particular importance.
The aim of this project was to develop a security demonstrator that shows the risks to a machine that can arise from insufficient IT security. On the one hand, the demonstrator should be used to show how easily machines can be manipulated when IT security measures are implemented incorrectly or are lacking entirely. On the other hand, the risks resulting from the attack should be presented and explained in order to increase the training participants’ or supervisors’ understanding of the risks associated with insufficient IT security. Possible countermeasures to mitigate the effects of the attack should also be demonstrated.
The attack scenario was developed in cooperation with T-Systems Int. GmbH, which already had experience in developing and building a security demonstrator. This attack scenario is now being expanded and applied to functional safety components. The aim of this attack was to target the safety protocol. This could be done in two ways:
A mobile demonstrator was developed for demonstration and training purposes.
To this end, a small compressor for blowing up balloons was installed in a robust case. The compressor is controlled via a programmable industrial controller. The process of blowing up the balloons represents a dangerous industrial process. A proximity sensor continuously monitors the fill level of the balloon and stops the filling process as soon as the balloon reaches the configured target fill level.
The process can also be interrupted at any point in time by pressing an EMERGENCY STOP button. In this case, the plant is switched into a safe state as quickly as possible and the pressure vessel (balloon) is vented via an emergency relief valve.
A new filling process can only be initiated after the EMERGENCY STOP button has been reset and the emergency stop has been acknowledged. The industrial controller is connected to the network to enable remote maintenance, which means that it is susceptible to an attack via the network. In the attack scenario, the EMERGENCY STOP button has no effect and the compressor no longer switches off when the target value is reached.
As a result, the pressure vessel is filled beyond the permitted level. The EMERGENCY STOP button is connected to a long cable so that it is within reach of the audience, but it does not work. The audience is forced to watch helplessly as the pressure vessel is overfilled and subsequently bursts. The demonstrator can be incorporated in a variety of ways into demonstrations at trade fairs, conferences or seminars. It is a very effective tool for promoting awareness and increasing understanding of attacks targeting networked controllers. It is also possible to monitor the data traffic and explain different defensive measures.
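To make the intended control logic and the monitoring idea concrete, here is an added Python example that is not part of the project: a minimal model of the controller behaviour described above, and an independent monitor that checks the same safety invariants from observed sensor and actuator data. The target level, the sample fields and the trace values are assumptions constructed for the example.

```python
# Added example (not the project's code): the demonstrator's intended control
# logic next to an independent monitor that verifies safety invariants from
# observed plant data, so a controller whose outputs stop matching its inputs
# is flagged before the vessel is overfilled.
TARGET_LEVEL = 100.0   # configured target fill level in % (assumed value)

def intended_command(level, estop_pressed, estop_acked):
    """Actuator commands the controller should produce for the given inputs."""
    if estop_pressed:                     # safe state: stop and vent the vessel
        return {"compressor_on": False, "relief_valve_open": True}
    if not estop_acked:                   # reset but not yet acknowledged
        return {"compressor_on": False, "relief_valve_open": False}
    return {"compressor_on": level < TARGET_LEVEL, "relief_valve_open": False}

def check_invariants(sample):
    """Invariants a separate monitor can check regardless of what the PLC runs.
    Each sample holds the sensor reading plus the observed actuator commands."""
    violations = []
    if sample["estop_pressed"] and sample["compressor_on"]:
        violations.append("compressor running while EMERGENCY STOP is pressed")
    if sample["estop_pressed"] and not sample["relief_valve_open"]:
        violations.append("relief valve closed while EMERGENCY STOP is pressed")
    if sample["level"] >= TARGET_LEVEL and sample["compressor_on"]:
        violations.append("compressor running at or above target fill level")
    return violations

def monitor(trace):
    """Return (step, violations) for every sample that breaks an invariant."""
    alarms = []
    for step, sample in enumerate(trace):
        found = check_invariants(sample)
        if found:
            alarms.append((step, found))
    return alarms

# Constructed trace: steps 0-2 follow the intended logic; from step 3 on the
# controller keeps the compressor running past the target and then ignores
# the EMERGENCY STOP, which is the behaviour the demonstrator shows.
TRACE = [
    {"level": 40.0,  "estop_pressed": False, "estop_acked": True, "compressor_on": True,  "relief_valve_open": False},
    {"level": 80.0,  "estop_pressed": False, "estop_acked": True, "compressor_on": True,  "relief_valve_open": False},
    {"level": 100.0, "estop_pressed": False, "estop_acked": True, "compressor_on": False, "relief_valve_open": False},
    {"level": 100.0, "estop_pressed": False, "estop_acked": True, "compressor_on": True,  "relief_valve_open": False},
    {"level": 120.0, "estop_pressed": True,  "estop_acked": True, "compressor_on": True,  "relief_valve_open": False},
]

if __name__ == "__main__":
    for step, found in monitor(TRACE):
        print(f"step {step}: " + "; ".join(found))
```

The monitor only needs the sensor value and the actuator commands, so it can be fed from the captured data traffic rather than from the controller itself.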
The case is also a useful training tool for testers of networked components. The design can be expanded in such a way that the case can be used in the testing of components according to IEC 62443.
Type of hazard: mechanical engineering
Catchwords: questions beyond hazard-related issues
Description, key words: plant safety