Building a Cyber Security Infrastructure

Tempered Networks presents alternative architecture approach

By Bill Lydon, Editor

A company called Tempered Networks has developed an interesting, alternative approach to cyber-protection architecture for industrial control systems. The architecture goes beyond a software only solution and includes both hardware and firmware components to create a secure industrial automation network. Tempered Networks, formerly Asguard Networks, was founded by David Mattes, current Chief Technology Officer (CTO), in April 2012. Meeting multiple international standards, the Tempered Networks solution is based on Mattes’ 7-years of Boeing R&D experience. Jeff Hussey was recently appointed President and is a successful entrepreneur who previously founded F5 Networks, Inc. The company has an installed base of 15 customers in manufacturing, oil and gas, utilities (water, power and energy) industries. The first installation was completed in December 2012.

Tempered Networks has an alternative cyber security protection approach to the many software-only approaches. Other solutions reside on the same computers with many other applications that are subject to constant software updates, configuration changes, and operating system updates. Because of this, other solutions are potentially very brittle, susceptible to many faults, and create an opportunity for cyber security breaches. Furthermore, as Industrial Ethernet protocols have proliferated on the factory floor, IP devices have become vulnerable to cyber threats. While the importance of cyber security protection is being emphasized, the industrial Ethernet protocol associations behind EtherNet/IP and PROFINET do not yet support IPv6, the latest computer networking standard. IPv6 incorporates higher levels of security, more efficient routing and packet processing, superior multicast, simplified network configuration, and other benefits.

Tempered Networks Architecture

The Tempered Networks solution is an overlay network architecture that cloaks critical infrastructure devices, while allowing them to communicate over secure channels. The solution offers centralized governance and oversight. Tempered Networks strategy uses hardware, software and firmware to create a cyber-secure architecture that works with existing automation controllers and industrial protocols. Cyber security best practices are embedded in hardware appliances that simplify deployment and administration. This solution is based on standards from the Trusted Computing Group (TCG), the Internet Engineering Task Force (IETF), and the International Society of Automation (ISA).

Users add security appliances at each controller and PC node associated with industrial automation (HMI, historians, etc.). This appliance, called a HIPswitch, is an industrially hardened, small form factor device. The HIPswitch connects to the controller/PC communications ports and also has another port to connect to the plant Ethernet. Versions are also available with Wi-Fi and cellular communications. Communications and network security is administrated by Tempered Networks HP Switch Conductor appliance, which creates a secure private network (SPN).

The HP Switch Conductor is used to authorize and configure communication security policies for HIPswitch devices on the SPN and provides function to centrally govern, audit, and monitor the networks. Using the HP Switch Conductor, users can selectively authorize access, create secure private networks, and define security policies for each device. The architecture also enables integration of remote devices using cellular communications. This secure overlay network can coexist on a plant network that has normal Ethernet communications, but it is invisible to other network devices. This approach provides a way to create a network and migrate all existing equipment to a cyber-secure environment. It works on both IPv4 and IPv6 networks.

Empowering Philosophy

Based on Mattes’ years of real-world experience, the Tempered Network’s solution is designed so users can implement a secure industrial automation network on their own, as a “drop-in” solution. This approach lowers the barrier for creating secure networks by removing complexity and reducing the risk of configuration errors. Mattes said, “The solution must be easy to deploy, it has to make peoples job easier.” “Security has become such a complex, difficult can of worms. It has to be responsive to the evolving threat today. Users can’t patch software fast enough to keep up. We are doing this today for Fortune 500 companies.”

Related Articles

• Bill's Automation Perspective on Cybersecurity
• Industrial Ethernet Architecture & Cyber Security Risk
• Cyber Security Lessons from a Military Leader
• Industrial Cyber Security Compliance & Enforcement
• Ethernet Infrastructure - Is IPv6 another Y2K?