Configuring wireless LAN access to the machine network

  • Technical Articles
  • Jul 01,18
The completely networked machine is at the centre of digitalization, the future Industry 4.0 project and the Internet of Things (IoT). How can users’ access to such a highly communicative application be designed securely? With the wireless module WLAN Phoenix Contact is providing an access point that carries out this task in a user-friendly way.
 
In the past, protecting the machine network against malware and harmful actions proved to be simple: it was operated as a local island, to which only a restricted group of people – mostly service engineers – needed access directly on-site or by remote maintenance. In contrast, many people can access the networked machine, which is why new secure access concepts are required here. The challenges and their solution can be seen in the example of wireless LAN access to the machine network for communication with smart devices, such as a tablet PC. 
 
As mentioned, the network was protected until now by operating it as a local network island that could only be accessed, if at all, on-site in the control cabinet via an open Ethernet port. Simple mechanical measures, such as locking the control cabinet, therefore frequently provided the necessary security. With increasing networking and the integration of further interfaces for remote access, for example via wireless LAN, the network is now also open to remote access. A user no longer needs physical access to the machine, but can reach the machine network unnoticed even from outside the company premises when within radio range. If safety systems are connected there, or if the machine network is connected to the production network without protection, this poses incalculable dangers for the machine user and operator. Electronic security measures in the network are therefore mandatory.
 
A wireless LAN password is not sufficient for numerous users
Most network devices provide access protection by having the user authenticate with a common device password. A strong password provides a high degree of protection against unauthorized harmful actions. However, generating suitable passwords and documenting them securely is a great effort for the machine operator. Because users often assume that access to the network is protected mechanically, awareness of the problem is frequently lacking in practice. This shows in network devices that are usually protected only by the password provided by the manufacturer or by a simple default password set by the machine builder. The same often applies to the wireless LAN password (WPA-PSK) that protects access to the machine network through the WLAN access point. Anyone who knows the passwords, or knows where they are stored, therefore has free access to all devices in the network.
 
WPA-PSK is indeed sufficient for securely encrypting the data traffic in wireless LAN networks. However, while one shared password is suitable for all users of a home network, this approach does not protect against unauthorised access in machine networks with a large number of frequently changing users, because a secret that is constantly disclosed quickly becomes common knowledge. The password must be renewed at the latest after a user or tablet PC has been given even temporary access to the network, since both the user and the tablet PC then know the access data. Smart devices also remember this data and reconnect to the network automatically as soon as they are within range, even if the access is unwanted or no longer permitted.
 
The machine control system manages the automated network administration
In an IT network, by contrast, individual passwords are assigned to users centrally by an administrator and distributed to the network devices by a server, for example a RADIUS server. If a user's access rights change, the administrator records this in the central server. IT networks therefore use the security mode WPA Enterprise instead of WPA-PSK for wireless LAN: the WLAN access point negotiates the connection requests of the clients, for example a tablet PC, with a downstream RADIUS server via the IEEE 802.1X protocol. Machine networks, however, are not maintained by network administrators. As a rule, user rights and passwords, once configured, remain unchanged and valid for the entire service life of the machine. Adopting IT services, such as integrating a RADIUS server into the machine, therefore does not provide a solution either, as nobody administers it.
 
The challenge described can be resolved by automating the network administration and having the machine control system carry it out. Such an approach is not only cost-neutral and practical, but also gives the machine builder full control and flexibility in its implementation. An important prerequisite, however, is that the network device, in this case the WLAN access point, provides an interface through which the machine control system can control it at runtime. Phoenix Contact has therefore built a web API into its network components developed specifically for machine building. Individual functions of the network devices can be controlled at runtime by sending HTTP GET requests, and the complete module can also be configured easily by the machine control system. The syntax of the commands corresponds to that of the standard command line interface.
 
One-time password is generated with every connection established
A user who wants to connect a tablet PC to the machine network registers the access request, for example via the operating and monitoring terminal. The controller then generates a random one-time password and configures and activates a virtual access point in the WLAN module by HTTP GET request. The one-time password for the new WLAN network is then given to the user via the operating and monitoring terminal. Outputting it as a QR code that the tablet PC's camera can read, configuring the WLAN connection automatically, has proven to be the more convenient option. When the user no longer needs the connection, the controller deactivates the virtual access point. Knowledge of the WLAN password, and its automatic storage on the tablet PC, is therefore no longer a security risk, because a new one-time password is created and used the next time a connection is established.
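The controller-side workflow from the last two sections (random one-time PSK, virtual access point enabled and disabled over HTTP GET with CLI-style commands, password handed to the user as a QR code), as an added example that is not Phoenix Contact's code. The web API base URL, the `cmd` query parameter and the `vap ...` command words are assumptions, since the article documents no endpoint; the `WIFI:` QR text format is the common ZXing convention that tablet cameras understand.

```python
import secrets
import string
from urllib.parse import urlencode

# Assumed values: the article names no endpoint or command syntax, so the base
# URL, the "cmd" query parameter and the "vap ..." commands are hypothetical.
API_BASE = "http://192.0.2.10/api"          # RFC 5737 documentation address
PSK_ALPHABET = string.ascii_letters + string.digits


def generate_one_time_psk(length: int = 20) -> str:
    """Fresh passphrase from the OS CSPRNG; WPA-PSK allows 8..63 ASCII chars."""
    if not 8 <= length <= 63:
        raise ValueError("WPA-PSK passphrase must be 8 to 63 characters")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def command_url(command: str) -> str:
    """One CLI-style command wrapped in an HTTP GET URL (assumed API shape)."""
    return f"{API_BASE}?{urlencode({'cmd': command})}"


def wifi_qr_payload(ssid: str, psk: str) -> str:
    """WIFI: text the tablet camera reads to join the network (ZXing convention)."""
    def esc(s: str) -> str:  # backslash-escape the format's reserved characters
        return "".join("\\" + c if c in '\\;,":' else c for c in s)
    return f"WIFI:T:WPA;S:{esc(ssid)};P:{esc(psk)};;"


class VirtualAccessPoint:
    """Controller-side lifecycle of one virtual AP: enable it with a one-time
    PSK on request, disable it when the user is done. `send` performs the GET
    (e.g. urllib.request.urlopen); a recording stub keeps the example offline."""

    def __init__(self, index: int, ssid: str, send):
        self.index, self.ssid, self.send = index, ssid, send

    def open_session(self) -> str:
        psk = generate_one_time_psk()          # never reused after close_session
        for cmd in (f"vap {self.index} ssid {self.ssid}",
                    f"vap {self.index} security wpa2-psk",
                    f"vap {self.index} key {psk}",
                    f"vap {self.index} enable"):
            self.send(command_url(cmd))
        return wifi_qr_payload(self.ssid, psk)  # shown on the HMI as a QR code

    def close_session(self) -> None:
        self.send(command_url(f"vap {self.index} disable"))  # stored PSK is now useless


if __name__ == "__main__":
    sent = []                                  # constructed stub transport
    vap = VirtualAccessPoint(1, "Machine-01", sent.append)
    print(vap.open_session()); vap.close_session(); print(*sent, sep="\n")
```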
 
The WLAN module by Phoenix Contact provides further options for simple yet secure access to the machine network. Up to two virtual access points with individual WLAN security settings can be operated simultaneously. In addition to a unique WLAN password, the machine operator can use a configurable IP filter to limit the number of simultaneous connections per access point and to restrict network access to the installed devices. In this way the module can provide complete network access for the service engineer and, at the same time, restricted access for, say, a machine operator who is only permitted to view the visualization server. Furthermore, a port-based DHCP server allocates individual, independent IP addresses to the WLAN clients of each virtual access point.
 
Web API interface is integrated into the components
As the machine becomes more networked, the number of users who need access to the devices installed in its network also increases. A security concept for allocating user rights and managing passwords is therefore required. In contrast to IT networks, the machine control system can manage passwords and user rights in the network in an automated way. This requires, however, that the network components can be controlled by the machine control system at runtime via a simple interface.
