Inadequate protection of the connections between production infrastructure and the Internet is a major security flaw at many companies. At CeBIT, Airbus CyberSecurity is showcasing its cyber security products and services for production infrastructure connectivity.
The steady increase in digitalization will translate into exponential growth in intercommunication between industrial plant and equipment. This creates the danger of numerous unprotected connection points at open network nodes, which arise primarily from coordination deficits in the way remote maintenance access points are assigned to external service technicians or machine manufacturers.
These groups require direct access to plant and equipment so they can perform updates and troubleshooting.
The Airbus CyberSecurity division is showcasing a practical approach to improving this situation at its CeBIT stand. The exhibit will demonstrate how protecting and documenting access points leads to a secure remote maintenance concept.
The setup on display is a genuine security architecture that can be integrated into existing access mechanisms without major expenditure, extending them with critical security and monitoring functions. The rendezvous server, which is located in a high-security Airbus computer center, is connected to the production equipment via a permanent VPN tunnel.
External access to the maintenance portal is available exclusively via an encrypted connection and requires authentication against a central directory service. When a particular maintenance order needs to be carried out, for example a PLC update, the external service technician must first request access via the portal, where he is required to identify himself, define the target system and describe the length and type of maintenance procedure.
Afterwards a company employee explicitly approves the maintenance order. Only then does the external service technician receive temporary access to the system listed on the maintenance ticket.
After the maintenance time stored on the ticket expires, the connection is automatically severed and access authorization is removed. In addition, passive sensors record key network parameters, which the ICS Security Operations Center (SOC) at Airbus can call up at any time.
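The ticket workflow described above (request, explicit approval, access limited to one target, automatic expiry) can be modeled as a default-deny check. This is an added illustration, not Airbus code; the class, function and field names, the sample identities and the rule that a requester cannot approve his own ticket are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class MaintenanceTicket:               # hypothetical model of a portal ticket
    technician: str                    # identity authenticated via the directory
    target: str                        # the single system named on the ticket
    work_type: str                     # e.g. "PLC update"
    duration: timedelta                # maintenance time stated in the request
    approved_by: Optional[str] = None
    valid_from: Optional[datetime] = None
    revoked: bool = False

    def approve(self, employee: str, now: datetime) -> None:
        # Assumption: the approver must differ from the requester.
        if employee == self.technician:
            raise PermissionError("requester cannot approve own ticket")
        self.approved_by, self.valid_from = employee, now

    def expires_at(self) -> Optional[datetime]:
        return self.valid_from + self.duration if self.valid_from else None

def authorize(ticket, technician, target, now):
    """Default deny: every condition must hold before access is granted."""
    if ticket.approved_by is None:
        return False, "not approved"
    if ticket.revoked or now >= ticket.expires_at():
        return False, "expired"
    if technician != ticket.technician:
        return False, "wrong identity"
    if target != ticket.target:
        return False, "target not on ticket"
    return True, "ok"

def sweep(sessions, now):
    """Sever sessions whose ticket time has run out; return those still live."""
    live = []
    for t in sessions:
        if t.approved_by and now >= t.expires_at():
            t.revoked = True           # access authorization is removed
        else:
            live.append(t)
    return live

if __name__ == "__main__":             # constructed sample data
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    tk = MaintenanceTicket("tech@vendor.example", "plc-line-3", "PLC update", timedelta(hours=2))
    tk.approve("operator@plant.example", t0)
    print(authorize(tk, "tech@vendor.example", "plc-line-4", t0))
```
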