Success Story ZF Sachs (nur auf Englisch)

Augmented security in the production network of ZF Sachs

ZF Sachs, an international automotive supplier for drive and chassis components headquartered in Schweinfurt / Germany, has permanently improved the security of its industrial networks. The starting point: a decentralized security architecture with industrial firewalls.

The reasons for stronger security in the production plants included virus problems in the office network. Compared to the manageable risk of an office computer infection, the risk potential for production facilities was considered to be significantly higher. In order to minimize the risk of possible disturbances or even production downtimes through faulty accesses or malware, ZF Sachs decided to implement additional security precautions.

Decentralized security philosophy

The task of the new security architecture was to protect the production plants from both undesirable external and internal accesses and limit the spread of infiltrating virus attacks.

Sealing off the office network from the production network was considered to be the most suitable strategy; this was carried out with a large firewall and structured security architecture (defense in depth), with which critical individual systems could also be safeguarded. The control and filtering of network traffic through firewalls took on a key role. More perfectly organized and distributed protection, along with the greater degree of flexibility for a typical industry network design and lower investment/operating costs: all these factors argued in favor of a decentralized architecture with firewalls. The segmentation through VLAN-compatible switches into logically separated segments was evaluated and rejected, as virtual LANs were considered to be too difficult to control from a security point of view.

The automation technology and machine maintenance departments were responsible for the implementation, in coordination with the IT department. Along with the use of virus scanners in the production area, the most important measure became the segmentation of the production network into small and manageable machine networks. The assignment was conducted spatially based on building zones with additional Profinet components for individual installations. A total of 40 decentralized machine networks were implemented and each of these subnetworks was secured by an mGuard firewall from Phoenix Contact and Innominate.

"We evaluated different firewall security products under two main criteria. Industrial suitability with, e.g., an extended temperature range was particularly important to us. We also needed a solution that could be integrated as flexibly as possible and with a low level of complexity into our automation component environment", says Asmund Hey, head of automation technology for ZF Sachs technical services, in explaining the decision for the mGuard security solution. Download the complete Success Story...