Securing OT data is the central challenge in executing a smart manufacturing strategy safely.
Cybersecurity and intelligent manufacturing
Data from automation systems used to stay put. It was produced by sensors, PLCs and recorders; stored on local OPC servers and databases; and accessed by a small number of qualified operators and engineers. That arrangement was very secure, but access to the data was limited.
Smart manufacturing and the IoT are driving a variety of positive business results, and data now needs to be shared with new systems, new networks and a range of tools serving different users and roles. Finding the right security strategy for smart manufacturing efforts is hard, but this article offers a brief review of three key security issues:
New applications and data destinations
New user roles and expectations
The evolving threat landscape
Data collection and analysis represent a significant competitive advantage. Data is the new oil: access to it, combined with expert analysis, can deliver significant cost savings and revenue increases. The buzzwords of the IoT and related technologies have given way to real solutions that generate measurable business results. The challenge is to create and execute a digital transformation strategy that results in a secure, intelligent manufacturing environment.
Operations networks were walled gardens, managed by groups other than those who ran the business IT infrastructure. Over the past twenty years, business intelligence, network analytics, data collection and real-time analytics have become commonplace. Data exchange and analysis for manufacturing systems can no longer be confined to purpose-built software: supervisory control applications, stand-alone statistical process control, process historians and relational databases.
New applications enable digital transformation. They do not normally need to sit at levels 0 through 3 of a Purdue-model manufacturing network (nor should they!), but they do need data from those levels. How do we allow secure access between business systems and process control networks? How do we secure data in the cloud?
The Purdue model and ISA standards define network levels, and many standards, protocols and applications can move data between them securely. For critical operations infrastructure in particular, an "air gap" can be maintained while data access is still provided. Purpose-built hardware data diodes provide a physical gap (true network isolation) over unidirectional physical media: not a single electron can travel back toward the control network. They use custom protocols that flow over the one-way link from the diode's input hardware to its output hardware. On the outbound side, data server interfaces pass the data on to higher-level applications such as Kepware Server or the target application. These interfaces can include HTTP/HTTPS, MQTT, OPC DA or OPC UA.
While a hardware data diode is one of the best ways to prevent unwanted access, for some environments it may be sufficient to emulate a data diode with standard Ethernet hardware. Unidirectional protocols such as Ethernet Global Data over UDP can be carried over bidirectional media (CAT5 or CAT6 cabling and ordinary Ethernet switching) with the network rules, operating systems and application stacks configured to prevent any return traffic: inbound access to the control network is simply not permitted. The caveat is that this isolation is enforced by configuration rather than by physics, so a careless firewall change or a relay host that both reads and writes on the control side can quietly reopen the return path; those rules need the same change control and review as any other control-network asset.
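The following is an added example of the software-enforced one-way flow described above; it is not code from the article or from Kepware. It relays JSON telemetry over UDP (a stand-in for a unidirectional industrial protocol) from a control-network interface to a DMZ collector, validates every datagram against an allow-list schema, and never writes to the control-side socket. The addresses, tag names and field layout are assumptions chosen for illustration.

```python
"""Software-enforced one-way telemetry relay (added example, not from the article).

Reads UDP datagrams arriving from the control network, validates each one
against a strict allow-list schema, and re-sends only accepted records to a
collector in the DMZ. The control-side socket is never written to and the
DMZ-side socket is never read from, so the relay process itself offers no
path back into the control network. It is a process-level control, not a
physical diode: the host firewall must still drop anything inbound from the
DMZ side, and that rule needs change control like any other control asset.
"""
import json
import socket

# Hypothetical addresses chosen for illustration.
CONTROL_LISTEN = ("10.10.0.5", 5000)    # interface facing the control network
DMZ_COLLECTOR = ("172.16.0.20", 5000)   # collector in the DMZ

# Only these (hypothetical) tags may leave the control network; all else is dropped.
ALLOWED_TAGS = {"Line1.Pump3.Flow", "Line1.Pump3.Pressure", "Line1.Oven.Temp"}
MAX_DATAGRAM = 512  # bytes; larger datagrams are rejected, not truncated and passed


def _reject_constant(name):
    # json.loads would otherwise accept NaN/Infinity, which are not valid telemetry.
    raise ValueError("non-finite constant %s" % name)


def validate_record(raw: bytes):
    """Return a normalised record dict if `raw` is acceptable telemetry, else None.

    The relay forwards a re-serialised copy of the validated fields rather than
    the original bytes, so unexpected keys, nested objects or odd encodings
    never reach the DMZ.
    """
    if len(raw) > MAX_DATAGRAM:
        return None
    try:
        rec = json.loads(raw.decode("utf-8"), parse_constant=_reject_constant)
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(rec, dict) or set(rec) != {"tag", "value", "ts"}:
        return None
    tag, value, ts = rec["tag"], rec["value"], rec["ts"]
    if tag not in ALLOWED_TAGS:
        return None
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return None
    if isinstance(ts, bool) or not isinstance(ts, (int, float)) or ts <= 0:
        return None
    try:
        return {"tag": tag, "value": float(value), "ts": float(ts)}
    except OverflowError:  # absurdly large integer literal
        return None


def relay_once(raw: bytes, outbound, dest=DMZ_COLLECTOR) -> bool:
    """Forward one datagram if it validates; return True when it was sent."""
    rec = validate_record(raw)
    if rec is None:
        return False
    outbound.sendto(json.dumps(rec, separators=(",", ":")).encode("utf-8"), dest)
    return True


def run_relay(listen=CONTROL_LISTEN, dest=DMZ_COLLECTOR):
    """Main loop: receive on the control side, send on the DMZ side, never the reverse."""
    inbound = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    inbound.bind(listen)
    outbound = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    while True:
        # Ask for one byte more than the limit so an oversize datagram is detected
        # (its length exceeds MAX_DATAGRAM) instead of being silently truncated.
        raw, _src = inbound.recvfrom(MAX_DATAGRAM + 1)
        relay_once(raw, outbound, dest)  # no sendto() on `inbound`, ever


if __name__ == "__main__":
    run_relay()
```

The design point is that the relay re-serialises only the fields it has validated, so the DMZ side receives a known shape rather than an opaque passthrough, and that the return path is closed at three layers: the application never answers, the host firewall drops inbound traffic from the DMZ, and the switch ACLs do the same.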
Transport Layer Security (TLS), and before it SSL, has become commonplace for bidirectional protocols in the demilitarized zone (DMZ) or higher network segments that interact with control network systems. TLS provides unambiguous identification of both client and server, message authenticity and message encryption (SSL itself is deprecated and should no longer be enabled). The ease of integrating plug-and-play protocols such as OPC UA, which require only a single open inbound port on the control network firewall, can offset concerns about network access. Note: these protocols are only as secure as the certificate maintenance and product upgrade strategy behind them. To stay secure, you must accept the administrative burden of reissuing certificates regularly and keeping products current with vendor-released updates. Maintaining security applications, protocols and practices around firewalls and network segmentation adds overhead, but it is relatively simple, low cost and safe. These solutions can form the basis for secure communication from business management down to the plant floor: for feedback to manufacturing operators, or for real-time changes to the PLC to improve process efficiency.
Once the data is securely accessible, it must reach the appropriate destination. If access is from a DMZ, applications on that network can usually consume it directly. Data transfer between DMZs is typically performed with a bidirectional TLS-based protocol (OPC UA, HTTPS, MQTT, or a vendor's proprietary offering). If the data is moving to a public cloud, and the DMZ has an Internet-facing connection, MQTT or HTTPS over TLS can protect it in transit across the public Internet. Cloud providers offer software for the Internet-connected segment that collects data from local systems via OPC UA, MQTT, HTTP, database or file access and forwards it to the cloud over HTTPS, MQTT, AMQP or custom solutions. A VPN can add a further layer of protection between the data source and the destination.
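As an added example for the two preceding paragraphs (the TLS note about certificate maintenance, and the DMZ-to-cloud MQTT/HTTPS link), not code from the article or from any vendor, the block below shows the TLS client configuration a DMZ gateway should use, the relaxed configuration it often ends up with, an audit function that tells them apart, and a check that turns a peer certificate's `notAfter` field into the days-to-expiry figure a rotation job needs. The file paths are placeholders; nothing is read from disk unless they are supplied.

```python
"""TLS client hardening and certificate-expiry audit (added example, not from the article).

`make_hardened_context` is what a DMZ-side gateway should use when it opens an
MQTT, HTTPS or OPC UA-over-TLS connection: TLS 1.2 or later, a trusted server
certificate required, hostname checked, and optionally a client certificate
for mutual authentication. `make_weak_context` is the "just make it connect"
shortcut. `context_findings` reports the difference, and `days_until_expiry`
reads the `notAfter` field of `SSLSocket.getpeercert()`.
"""
import ssl
import time

# Hypothetical paths; the CA and client material are not part of the article.
CA_BUNDLE = "/etc/opt/gateway/plant-ca.pem"
CLIENT_CERT = "/etc/opt/gateway/gateway-client.pem"
CLIENT_KEY = "/etc/opt/gateway/gateway-client.key"


def make_hardened_context(cafile=CA_BUNDLE, certfile=None, keyfile=None):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL 3.0, TLS 1.0 and 1.1
    ctx.verify_mode = ssl.CERT_REQUIRED           # server must present a trusted cert
    ctx.check_hostname = True                     # and it must match the name dialled
    if cafile:
        ctx.load_verify_locations(cafile=cafile)  # the plant's private CA only
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)    # mutual TLS: present our own identity
    return ctx


def make_weak_context():
    """Accepts any certificate from anyone: the shortcut this audit exists to catch."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_findings(ctx):
    """Return a list of human-readable weaknesses in an SSLContext (empty if none)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not verified (any server is trusted)")
    if not ctx.check_hostname:
        findings.append("hostname not checked (valid cert for the wrong host accepted)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 allowed")
    return findings


def cert_time_to_epoch(cert_time):
    """Parse the 'Jul 10 12:00:00 2030 GMT' format used by getpeercert()."""
    return float(ssl.cert_time_to_seconds(cert_time))


def days_until_expiry(peercert, now=None):
    """`peercert` is the dict returned by SSLSocket.getpeercert()."""
    not_after = cert_time_to_epoch(peercert["notAfter"])
    if now is None:
        now = time.time()
    return (not_after - now) / 86400.0


def needs_rotation(peercert, min_days=30, now=None):
    """True when the certificate should already be in the reissue queue."""
    return days_until_expiry(peercert, now) < min_days


if __name__ == "__main__":
    print("weak context:", context_findings(make_weak_context()) or "no findings")
    print("hardened context:", context_findings(make_hardened_context(cafile=None)) or "no findings")
    # Constructed sample in the shape getpeercert() returns, not a real certificate.
    sample = {"subject": ((("commonName", "mqtt.dmz.example"),),),
              "notAfter": "Jul 10 12:00:00 2030 GMT"}
    print("days left:", days_until_expiry(sample), "rotate:", needs_rotation(sample))
```

In practice `days_until_expiry(sock.getpeercert())` runs on every established connection and feeds a metric or alert, which is the cheapest way to make the certificate-reissue burden visible before an expired certificate takes the plant feed down.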
New users and roles need access to the data, and the infrastructure has to provide it securely. Do these users want fast update rates for real-time analytics, or historical data for trend analysis? If real-time access is not needed, SQL replication from a relational database on the process control network to a secured relational database in the DMZ may be suitable, or OPC UA between the control network and the DMZ can populate a database in the DMZ. Direct access to a control network's protocol traffic is not usually necessary. Understand what these new users and roles actually need before designing for them.
Threats to industrial control systems are occurring with increasing frequency. That alone is almost enough for this author to recommend air gaps with hardware data diodes for every digital transformation effort. However, that is not realistic for every organization, not necessary for every environment, and still not an impeccable security guarantee.
To quote Robert Rash, chief architect at solution provider Microland: “The biggest myth is the idea of the air gap. The idea that a network, VLAN or independent segment that is not connected to the Internet stays that way and keeps them isolated and protected is almost always false. There is always a technician, an engineering station or a remote connection that provides connectivity to these ‘air-gapped’ networks, and that is usually done without any guidance or control and without the knowledge of SecOps.”
With attack vectors present even in isolated environments, it is more important than ever to secure and manage every aspect of the network. That includes training and behaviour change for users, the use of only company-approved software and hardware, and multiple layers of authentication.
This article has addressed security-related issues and solutions for smart manufacturing initiatives. Data is critical to the future of the business, and the proper use of technology together with well-developed strategies can ensure a high degree of security as companies transform.
About the author
Sam directs and manages PTC’s Kepware Applications Engineers, a global team of industrial connectivity experts who help users create connectivity solutions for industrial automation and enterprise digital transformation. He has more than fifteen years of experience in IT (information technology), OT (industrial operations technology) and business development. Sam has proven experience in systems design, industrial networking and systems integration, technical and business account management, technical training and education programs, and business operations.