Design goals for security

Beckhoff’s Industrial PC (IPC) hardware has been designed for general use, like a normal PC for office environments, but with significant robustness added for use within industrial environments. The complete board has been designed for reliable and highly deterministic operation within such environments. Still, the hardware supports general-purpose operating systems like Windows® and TwinCAT/BSD, which is based on FreeBSD. Consequently, the hardware is designed to support conventional, office-IT-grade security mechanisms as provided by these operating systems. It is the responsibility of whoever integrates the IPC into an operational environment to configure these security features appropriately for that specific environment. That person also needs to provide guidance on secure use to the operator. Such configuration and usage guidelines should result from, or at least conform to, a holistic security concept for the specific environment.

Beckhoff’s IPCs can be ordered with or without an operating system. Among the available operating systems are Windows 10 and TwinCAT/BSD. Unless specifically ordered otherwise, these are provided in a state called “secure by default”. This means that in the default configuration only services are enabled for which all access to the device is authenticated, and the only pre-configured user is one for administrative access. For historical reasons, this pre-configured user is “Administrator”. Beckhoff offers the named operating system images pre-installed on the IPC in two variants: In the first variant, a random password is pre-set for “Administrator” and can be read from a label on the device. In the second variant, the well-known password is preconfigured for this user, as documented. Please note: The latter variant is not “secure by default” with respect to the requirements of some environments, while it serves well for others.

The named operating systems are not developed by Beckhoff. The basis of Beckhoff’s Windows 10 images is developed and maintained by Microsoft Corporation. The basis of TwinCAT/BSD is developed and maintained by “The FreeBSD Project”. Both bases have had a good reputation for their security features for decades in office and server environments, and they contain and provide state-of-the-art security features. Specific environments and applications have specific needs for the configuration and use of these security features. Because Beckhoff provides the named operating systems for general-purpose use and does not want to restrict which applications are implemented with them, Beckhoff cannot foresee the specific security needs that emerge from a specific use or integration. Guidance on secure configuration and use therefore needs to be created by whoever integrates the operating system into an environment for a specific use. Nonetheless, Beckhoff provides guidance within this guide on how to use the IPC and its operating system securely. Such guidance is to be understood as a general hint and not as a complete and sufficient reference. The developers of the operating systems provide complete documentation for the security features of their operating systems.

Beckhoff created extensions to these operating systems, especially to optimize the deterministic behavior of the operating system for use with real-time applications in the automation industry. These extensions are integrated into the operating system images distributed by Beckhoff. For these extensions, robustness and determinism, and thus availability, are the primary design targets. Still, Beckhoff takes care that these extensions do not compromise the security features of the underlying operating system unless noted otherwise.

Beckhoff distributes a wide variety of software products. One example is the product “TwinCAT 3.1 – eXtended Automation Runtime (XAR)”, called TwinCAT 3.1 XAR for short. For some IPCs this can be ordered pre-installed within the operating system. The primary purpose of this software is to provide a deterministic and robust, yet highly customizable, runtime for automation applications. When it is installed on an IPC, it turns that device into a Programmable Logic Controller (PLC). Besides availability (through robustness and determinism), perimeter security was added to the software during its development. This means that it can be configured and used in a way that securely authenticates access through the protocols implemented by TwinCAT 3.1 XAR. The perspective for this perimeter security is that the network interfaces of the IPC mark the boundary. The security risk identified by Beckhoff for this kind of security is that an unauthorized user gains access to the IPC via protocols implemented by TwinCAT 3.1 XAR. For historical reasons and backward compatibility, TwinCAT 3.1 XAR still provides protocols which do not authenticate before granting such access. Some IPCs with TwinCAT 3.1 XAR pre-installed have a TwinCAT 3.1 XAR configuration which is secure by default, meaning that this default configuration enables only the secure protocols of TwinCAT 3.1 XAR. Please note that many IPCs shipped with TwinCAT 3.1 XAR pre-installed do not have a configuration which is secure by default, for backward compatibility. This security guide contains a complete list of the protocols supported by TwinCAT 3.1 XAR and advises which of them are secure; please see: Important TCP/UDP ports. The other software products come with their own documentation and guides. Please note: The latter also applies to TwinCAT functions which can be added to TwinCAT 3.1 XAR via a separate installer.