The business case for connecting OT and IT
Critical Infrastructure companies and organizations usually have two separate and fundamentally different networks: on one hand their regular corporate IT, enabling all their support functions such as payroll, HR, procurement, etc., and on the other hand the network hosting their production processes such as SCADA, DCS or, in general, Industrial Control Systems Operational Technology (ICS OT). Even though today these two types of networks rely on the same COTS technologies, such as TCP/IP and MS Windows servers, they are still very different in nature. Corporate IT cybersecurity focuses on the CIA triad: Confidentiality, Integrity and Availability. ICS cybersecurity must protect first and foremost the availability and the integrity of the networks and systems controlling and, more importantly, ensuring the safety of the industrial process. Whereas corporate employees can comfortably perform their function without the corporate network for a few minutes (they can enjoy a cup of tea or coffee while waiting), the Industrial Control System must shut down the plant if the OT network is unavailable for even a few seconds. The loss of production and the time needed to restart the process easily cost from a few million USD to hundreds of millions of USD for large plants. Moreover, the Confidentiality of data on the ICS OT network is not a major concern, because most of the data are meaningless to everyone except the Control Systems of the plant.
Nevertheless, Corporate IT users, once they have finished their favorite hot beverage, may require production information to perform trend analysis, for billing, or for other production-related applications. The challenge is therefore to provide Corporate IT users with data from the ICS OT while preserving the availability and the Integrity of the ICS OT.
The pros and cons of the classical cyber security solutions
The first and most common solution to protect the ICS OT is the Air Gap, a.k.a. Sneakernet for those who remember floppy disks. Basically, there is no connection whatsoever between Corporate IT and ICS OT. The data required by corporate users are copied onto USB sticks or DVD-ROMs and manually carried to the Corporate IT network to be uploaded. This is not a real-time data exchange, and it requires a lot of manpower doing a rather tedious job. The perception that the Air Gap is the ultimate cyber security is totally wrong. In general, the USB sticks used to transfer the data are not discarded after the transfer and are reused over and over. If the corporate network has malware, it can easily infect the USB stick, which in turn will infect the OT network once reconnected to it. We have seen customers’ OT networks carrying more viruses than the Internet. Moreover, malware on Air Gap OT networks is harder to remove because of the lack of patching and the difficulty of updating the anti-virus software.
The second solution is to use firewalls at the edge of the OT network so that all connections between OT and IT go through a Firewall. Often there is a Demilitarized Zone (DMZ) between OT and IT, protected by firewalls, to act as a buffer between the two networks. All connections from IT have to terminate in the DMZ and can’t directly access the OT network. That is the best practice, and it does offer some security.
The real issue is that the firewalls themselves are very vulnerable. http://cve.mitre.org/ is the website publishing all the publicly known vulnerabilities of IT products. The leading brands of Firewalls, which are supposed to protect your infrastructure, have dozens of vulnerabilities, and most of them have default hard-coded login/password combinations. These are known as back doors, enabling Security Services and well-informed hackers to get administrative access to them. This totally defeats their purpose: it’s like having a million-dollar safe for which there is one single master key worldwide. Or it is as effective as setting your nuclear missile launch authorization code to 00000000. Don’t laugh, it was the default for many years in the US.
Why are firewalls so vulnerable? Because they are built on an operating system (in the best case some flavor of Linux) which has vulnerabilities, on software which has bugs and vulnerabilities, and on configurations which are not secure by default. Even if your firewall was set up properly, and that is a big if, its configuration tends to drift, and the firewall ends up looking like a piece of Swiss cheese: full of holes.
The FOX IT Data-Diode: a game changer
So you have actual requirements, which you can’t ignore, to bridge the Corporate IT and ICS OT networks, but the usual cybersecurity solutions are ineffective at protecting your critical infrastructure, which is a target for competent and properly funded and motivated hackers: what to do?
It’s nearly impossible to secure your Corporate IT networks because of their complexity and openness. The question is not whether Corporate IT will be compromised but when it will be hacked and how devastating the impact will be. Therefore you need to be 100% sure, not 99.9% sure, that no hacker can jump from IT to OT. This is why you need to transfer data easily from ICS OT to Corporate IT with a device that makes you 100% sure that, whatever happens, nothing can be transferred from IT to OT.
The FOX IT Data Diode is a layer-1, one-way, pure hardware device which guarantees that data are transferred from OT to IT while it is physically impossible to send anything through the Diode from IT to OT. The Diode is a new class of product: it has no Operating System, no firmware, no logic and no configuration. It is a fairly simple device, hence its beauty. There is only an incoming fiber optic connection wired to an electronic transceiver that converts light into an electrical signal, and then a light emitter connected to a single outgoing strand of optical fiber.
It is physically impossible to send information backwards because on the Corporate IT side of the Diode there is only an emitter and no receiver.
The FOX IT Data Diode is the only device in the world certified Common Criteria EAL7+. The best firewalls are certified EAL4+. Because the FOX IT Data Diode has no configuration, it can’t be misconfigured: either it works or it doesn’t, there is no maybe. You can give administrative access to the best hacker in the world, Neo obviously, and he won’t be able to send data from IT to OT through the Diode because it is physically impossible.
You may think “that’s nice, but none of my applications on IT or OT is compatible with one-way traffic: they all rely on two-way applications and protocols such as TCP/IP.” If you don’t think so, that’s probably because you need a caffeinated beverage.
Actually, the Diode is compatible with most protocols and industrial applications, as long as the communication is one-way from a business perspective. A proxy on the OT side of the Diode translates two-way protocols into a one-way communication and sends the data one-way through the Diode. On the IT side of the Diode, another proxy picks up the data, translates them back into two-way protocols and sends them on to the IT network.
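To make the proxies’ contract concrete, here is an added, self-contained Python model (not Fox IT’s code, and not how the Fox IT proxies are actually implemented): the OT-side proxy wraps each polled record with a sequence number, a length and a truncated digest, and the IT-side proxy validates what arrives. Because no byte can ever go back through the Diode, the receiver can only detect lost or damaged datagrams and raise an alarm, never ask for a retransmission; the tag names, framing format and sample readings are constructed for the example.

```python
import hashlib, json, struct
MAGIC = b"OT1"
HEADER = struct.Struct("!3sIH")  # magic, sequence number, payload length
DIGEST_LEN = 8
# Constructed sample readings, standing in for what an OT-side proxy would
# poll from a historian over a two-way protocol (hypothetical tag names).
SAMPLE_READINGS = [{"tag": "FIC-101.PV", "value": 42.5}, {"tag": "TIC-205.PV", "value": 318.0},
                   {"tag": "PIC-310.PV", "value": 7.2}, {"tag": "LIC-412.PV", "value": 61.0}]

def frame(seq, record):
    # OT-side proxy: sequence, length and a truncated SHA-256 travel with the
    # data, because the IT side can never reply to ask what it missed.
    payload = json.dumps(record, sort_keys=True).encode()
    header = HEADER.pack(MAGIC, seq, len(payload))
    return header + payload + hashlib.sha256(header + payload).digest()[:DIGEST_LEN]

def unframe(datagram):
    # IT-side proxy: reject anything mis-tagged, truncated or altered in transit.
    magic, seq, length = HEADER.unpack_from(datagram)
    body, digest = datagram[:HEADER.size + length], datagram[HEADER.size + length:]
    if magic != MAGIC or len(body) != HEADER.size + length or digest != hashlib.sha256(body).digest()[:DIGEST_LEN]:
        raise ValueError("mis-tagged, truncated or altered datagram")
    return seq, json.loads(body[HEADER.size:])

class OneWayReceiver:
    # With no back-channel the receiver can only count gaps and corruption,
    # never request a retransmission: these counters are its alarms.
    def __init__(self):
        self.next_seq, self.lost, self.corrupt, self.records = 0, 0, 0, []

    def feed(self, datagram):
        try:
            seq, record = unframe(datagram)
        except (ValueError, struct.error):  # struct.error: datagram shorter than the header
            self.corrupt += 1
            return
        if seq < self.next_seq:  # stale or replayed datagram, ignore it
            return
        self.lost += seq - self.next_seq  # a sequence gap means lost records
        self.next_seq = seq + 1
        self.records.append(record)

def simulate(drop=()):
    # Push the sample readings across a one-way link that loses the given sequence numbers.
    rx = OneWayReceiver()
    for seq, record in enumerate(SAMPLE_READINGS):
        if seq not in drop:
            rx.feed(frame(seq, record))
    return rx
```

In a real deployment the `lost` and `corrupt` counters would feed monitoring on the IT side, since that is the only place a problem on the link can be observed.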
FOX IT Data Diodes have been successfully deployed in the GCC with Oil & Gas companies, Airports, and governmental organizations. In Europe they also protect Nuclear Power Plants, Electricity Distribution networks, and many other critical infrastructures.
We hope that we have piqued your interest and we’re available for more details on www.gsn.ae.