- By Brian Romansky & Mark Prince
- June 10, 2021
Critical Infrastructure operators have long been concerned about introducing potential threats from opening their operational networks for OEMs to extract data. The high expectation for reliable and continuous plant operation leaves no room for vulnerability. While the air gap can be bridged, effective defense-in-depth requires security enforcement at every network interface.
Original equipment manufacturers (OEMs) serving the Critical Infrastructure sector have a new opportunity to bundle advanced data analytics with their products. Innovative services like predictive maintenance and automatic ordering of supplies and spare parts are driven by data that must be delivered from an operating machine back to the OEM.
But Critical Infrastructure operators have long been concerned about introducing potential threats from opening their operational networks for OEMs to extract data. Traditionally, operational technology (OT) systems have been air-gapped, meaning they are physically isolated from other networks that run information technology (IT) systems. Some operators have moved to merge their OT and IT networks, but obtaining authorization to connect the two is challenging. Implementation is then complex, expensive and escalates maintenance requirements. That causes many operators to delay adopting advanced connected services that would otherwise be beneficial to both them and their OEMs.
All security is not created equal
The high expectation for reliable and continuous plant operation leaves no room for vulnerability. While the air gap can be bridged, effective defense-in-depth requires security enforcement at every network interface.
Unfortunately software-based network security falls short. For one, it requires frequent updates to remain effective. Also, applications that require 2-way remote connections, like centralized management of remote locations, must enforce application-specific policies on data that can be changed.
For instance, merely protecting the login and the connection is not good enough. If login information or credentials are stolen or compromised, further security is needed to place reasonable limits on the rate and extent of changes that can be made to critical systems. That requires an application-aware policy enforcement mechanism.
Fortunately, the choice is not just either air-gapping or bi-directional access using software-based security. Hardware-enforced network protection is more resilient against attack and is not susceptible to zero-day threats that would penetrate an OT network. Effective network security in the form of embedded modules or IP cores can be integrated into new and existing designs. That way, OEMs can support operators in significantly expanding defensive coverage and reducing their OT network threat surface while sharing operational data.
Use case: Transferring PI data via a Proxy PI server
A useful example to consider is the movement of operational historian data. The OSIsoft PI system is commonly used in many plants to document things like sensor information, thermal performance, efficiency and more. PI servers provide insight into how staff is maintaining the plant as well as critical forensics information for plant equipment failures. Analyzing this data is very valuable to safety, efficiency and cost. But bi-directionally sharing it through a firewall or other software security mechanism creates the risk of compromise either outbound or inbound.
Instead, the need for better security and data sharing can be the driver behind installing hardware security mechanisms known as data diodes, in which data can only flow in one direction, thereby blocking potential breaches. One-way data enforcement makes it easy to approve and integrate data feeds from an OT environment to one or more OEM networks.
Depending on the environment, there are several design strategy options for implementing diodes for PI data transfer.
At a basic level, a diode can replace a firewall and provide physical security between a single source (i.e. OPC server) and the corporate PI server to which it is feeding data. The diode extracts the payload from the incoming data packets; data is placed in a proprietary protocol thereby creating a protocol break; data is then sent to the other side of the diode; the data packets are rebuilt before being sent to the destination PI server. Depending on the network architecture, this method can omit the need for other network security devices like interior firewalls.
The corporate PI server might also get data from multiple control systems, each using different interface protocols. In this case, the required proxies are configured on the source side of the diode, allowing it to interface with all control systems regardless of protocol. All data generated by the control systems will automatically propagate to the other side of the data diode for transfer to the PI server. This configuration requires multiple proxies but only a single PI server at the destination. It offers full flexibility as more interfaces are set up or the type of interfaces change with control system upgrades.
Diode products enable operators to mix many different protocols simultaneously through the same device without adding a Windows server for each. This flexibility is what allows end users to implement creativity in front-end engineering of PI installations, and also in service delivery. For instance, new subscription pricing models can shift the cost of security technology from a capital expense to an ongoing operational cost that can be incorporated into rate-based pricing adjustments.
Safely sharing critical historian or other OT data creates meaningful new opportunities for OEMs to offer advanced analytics services, and for operators to improve from those deep analytical insights. With the right security strategy that includes a hardware-enforced layer in the full security stack, operators can safely bridge the traditional air gap, and move forward with innovative connected services that will bring a new era in plant efficiency and reliability.
Did you enjoy this great article?
Check out our free e-newsletters to read more great articles..Subscribe