Industrial Automation & Control System

As the Industrial IoT (IIoT) demand continues growing , the closed industrial networks is facing challenges to be accessible over the public Internet. While it enhances operational efficiency, however, it brings more cyber security threats. The governments and enterprises are more concerned about the potential cyber security damages. 

The IEC 62443 Standard includes up-to-date security guidelines and a list of best practices for different parts of a network. It also includes information for those who perform different responsibilities on the network in order to protect against known security leaks and unknown attacks. The ultimate goal of the standard is to help improve the safety of networks and enhance industrial automation and control settings security.

At present, many system integrators, such as Siemens and ABB, require component suppliers to comply with the IEC 62443-4-2 subsection that specifically pertains to the security of end devices. This subsection defines four security threat levels.

.Level 1 is to protect against accidental and unauthenticated access.
.Level 2 is the baseline requirement of the automation industry. It relates to cyber threats posed by hackers, which is the most common attack experienced by system integrators.
.Levels 3 and 4 are against intentional access by hackers who utilize specific skills and tools.


From the viewpoint of cyber security experts, the major cyber security threats that can affect internal networks include unauthorized access, unsecured data transmission, unencrypted key data, incomplete event logs, and operational errors.

WoMaster provides SW & HW(ASIC) integrated protection mechanism, which applies the latest Application-Specific 
Integrated Circuit (ASIC) secure technology (L2-L7 packet classification), multi-level authentication, secure data transmission, encrypted key data, complete event logs/traps, operational errors prevention, and even logs, and operational errors exceeds IEC62443-4-2 Level 2 requirements to build most secure systems for industrial applications.

Advanced Port Based Security
IEEE802.1 x MAB (MAC Authentication Bypass)

​MAB enables port-based access control by bypassing the MAC address authentication process to TACACS+/Radius Server. Prior to MAB, the endpoint's (ex. PLC) identity is unknown and all traffic is blocked. The switch examines a single packet to learn and authenticate the source MAC address. After MAB succeeds, the endpoint's identity is known and all traffic from that endpoint is allowed. The switch performs source MAC address filtering to help ensure that only the MAB-authenticated endpoint is allowed to send traffic.

In addition to MAB, the authentication can also be done by the pre-configured static or auto-learn MAC address table in the switch.
.MAC address Auto Learning enables the switch to be programmed to learn (and to authorize) a preconfigured number of the first source MAC addresses encountered on a secure port. This enables the capture of the appropriate secure addresses when first configuring MAC address-based authorization on a port. Those MAC addresses are automatically inserted into the Static MAC Address Table and remain there until explicitly removed by the user.
.The port security is further enhanced by Sticky MAC setting. If Sticky MAC address is activated, the MACs/Devices authorized on the port 'sticks’ to the port and the switch will not allow them to move to a different port.
.Port Shutdown Time allows users to specify for the time period to auto-shut down the port, if a security violation event occurs.

DHCP Snooping

DHCP snooping acts like a firewall between untrusted hosts and trusted DHCP servers. It performs the following activities:
.Validates DHCP messages received from untrusted sources and filters out invalid messages.
.Rate-limits DHCP traffic from trusted and untrusted sources.
.Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
.Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts. DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs.You can enable the feature on a single VLAN or a range of VLANs.

Dynamic ARP Inspection (DAI)

DAI validates the ARP packets in a network. DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from some man-in-the-middle attacks.

DAI ensures that only valid ARP requests and responses are relayed. The switch performs these activities:
.Intercepts all ARP requests and responses on untrusted ports
.Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination
.Drops invalid ARP packets.

DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database. This database is built by DHCP snooping if DHCP snooping is enabled on the VLANs and on the switch. If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.

IP Source Guard (IPSG)

IP source guard provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host's IP address. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted Layer 2 access ports.

Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client.

Traffic from other hosts is denied. This filtering limits a host's ability to attack the network by claiming a neighbor host's IP address.

IPv4/v6 Access Control List (ACL)

Packet filtering limits network traffic and restricts network use by certain users or devices. ACLs filter traffic as it passes through a switch and permits or denies packets crossing specified interfaces. An ACL is a sequential collection of permit and deny conditions that apply to packets. When a packet is received on an interface, the switch compares the fields in the packet against any applied ACLs to verify that the packet has the required permissions to be forwarded, based on the criteria specified in the access lists.

WoMaster supports L2-L7 ACLs, parsing up to 128 bytes/packet and L2-L7 packet classification and filtering IPv4/IPv6 traffic, including TCP, User Datagram Protocol (UDP), Internet Group Management Protocol (IGMP), and Internet Control Message Protocol (ICMP).

Multi-Level User Passwords
Different centralized authentication server is supported such as RADIUS and TACACS+. Using a central authentication server simplifies account administration, in particular when you have more than one switches in the network.

Authentication Chain is also supported. An authentication chain is an ordered list of authentication methods to handle more advanced authentication scenarios. For example, you can create an authentication chain which first contacts a RADIUS server, and then looks in a local database if the RADIUS server does not respond.

Network Management Software

​​NetMaster is the network management software for WoMaster devices. It can automatically discover network devices, and put a topology diagram for the links. The batch configuration and upgrade helps system integrators install the system more easily. NetMaster can also put alarm and reminder for cyber security.