Genoa
OT Security is not fairy dust
A modern strategy for OT security combines rules, procedures and measures with the defense-in-depth principle and AI-supported attack detection - and takes the most important OT security protection goals into account from the outset.
The increasing networking of machines, systems, industrial control systems and automation solutions is eliminating the previous physical separation of OT (operational technology) from other IT systems. Traditional IT security solutions are often not suitable for protecting OT networks, which are now also potentially exposed to external attacks. Effective protection is often hindered by outdated operating systems, by the need to avoid interventions in running processes, and by security updates or subsequent hardening measures that cannot be applied. According to the German Federal Office for Information Security (BSI), every second successful attack in the past has led to production or operational downtime.
The defense-in-depth principle
Effective protection for the confidentiality, integrity and availability of OT networks results from the interplay of rules, procedures, measures and tools, as defined in the Information Security Management System (ISMS in accordance with ISO/IEC 27000) and the standard for 'Industrial communication networks - IT security for networks and systems' (IEC 62443), among others, and as currently discussed under the keyword 'cyber resilience' (see box: Cyber resilience: the new IT security paradigm).
In the IEC 62443 standard, the defense-in-depth principle defines protection against cyber attacks in several layers, similar to an onion: even if a security layer is breached, only part of the network is affected. The entire system is protected by further layers of security. In line with this concept, it makes sense to divide internal networks into different security zones and assign staggered protection levels. In this way, particularly sensitive segments can be strictly separated from other areas. The zone transitions and communication between the zones can be restrictively limited by industrial firewalls and corresponding filter rules.
Monitor the behavior of network components
Who is talking to whom in the OT network? The AI-supported cognitix Threat Defender shows which assets have initiated data traffic (source assets) or responded to it (destination assets), and how much, in the last hour or the last 30 days, as well as the data traffic between the assets. Policies can be defined, monitored and enforced based on these analyses.
© Genoa
Network monitoring is also a suitable protective measure for OT networks to monitor system communication and investigate anomalies. This is where anomaly detection supported by artificial intelligence (AI) comes in. "It enables the detection of atypical behavior and thus, in addition to technical error states and misconfigurations, also the detection of previously unknown forms of attack on such networks," according to the BSI's cyber security recommendation (BSI-CS 134).
With an anomaly detection system, not only can the entire network traffic be monitored, but the behavior of the network components (assets) can also be analyzed. Threat Defender sets up a monitored secure network for this purpose. Behavior patterns of network devices are detected and classified, and rules are applied according to the classification. Previously separate functions such as network analysis, intrusion detection, asset tracking and a dynamic policy engine are brought together in one system.
All devices and all network traffic are initially recorded in their 'basic state' by means of an asset tracking of the network. The communication between the devices is analyzed and rules are gradually created for permissible communication. If an unknown communication is detected, the policy may need to be readjusted. Otherwise, the new type of network traffic represents an anomaly that indicates a problem or even a malfunction or an intruder.
Network segmentation makes sense
It also makes sense to segment the network dynamically and transparently. The security requirements that apply to a device are then no longer determined by the network port or the switch to which the device is connected. How a device is allowed to communicate with other participants in the same network or other networks is now determined by its function and behavior. By assigning the network components in this way, their security properties can be defined individually and communication behavior can be restricted.
Business-critical systems and processes can now be more tightly sealed off. For example, data traffic from production systems to the SAP system can be defined as a process requiring special protection. To achieve this, the production systems and workstations are marked as SAP devices and rules are defined for these assets. For example, prioritization in data traffic, a maximum number of requests or permitted communication protocols can be defined. This effectively blocks unwanted and problematic access to the SAP system.
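As an added illustration of the learning-and-enforcement cycle described above (this is example code, not the page's own or Threat Defender's): a minimal policy engine that records assets and their communication during the learning phase, flags communication never seen in the basic state, and applies role-based rules such as permitted protocols and a request cap to assets tagged as SAP devices. All asset names, roles and flow records are constructed for the example.

```python
from collections import Counter

# Constructed sample flows from the learning phase: (source asset, destination asset, protocol)
BASELINE_FLOWS = [
    ("plc-01", "hmi-01", "opcua"),
    ("hmi-01", "historian", "opcua"),
    ("eng-ws-01", "plc-01", "s7comm"),
    ("eng-ws-01", "sap-erp", "https"),
]

# Dynamic segmentation: the policy follows the asset's assigned function, not its switch port.
ASSET_ROLES = {"eng-ws-01": "sap-device"}
# Protected destination -> role an asset must carry to reach it (constructed)
PROTECTED_SYSTEMS = {"sap-erp": "sap-device"}
# Per-role rules: permitted protocols and a request cap per observation window (constructed)
ROLE_RULES = {"sap-device": {"protocols": {"https"}, "max_requests": 2}}


def learn_baseline(flows):
    """Asset tracking: record all assets and all communication seen in the 'basic state'."""
    allowed = set(flows)
    assets = {asset for flow in flows for asset in flow[:2]}
    return allowed, assets


def evaluate(flows, allowed, assets, roles=ASSET_ROLES,
             protected=PROTECTED_SYSTEMS, rules=ROLE_RULES):
    """Check an observation window against the baseline and role policy; return (finding, src, dst, proto) tuples."""
    findings = []
    requests = Counter()
    for src, dst, proto in flows:
        if src not in assets or dst not in assets:
            findings.append(("unknown-asset", src, dst, proto))
        elif (src, dst, proto) not in allowed:
            # Communication never seen while learning: either the policy must be
            # readjusted, or this is an anomaly pointing at a fault or an intruder.
            findings.append(("new-communication", src, dst, proto))
        if dst in protected:
            role = roles.get(src)
            if role != protected[dst]:
                findings.append(("untagged-access-to-protected", src, dst, proto))
                continue
            rule = rules[role]
            requests[(src, dst)] += 1
            if proto not in rule["protocols"]:
                findings.append(("protocol-not-permitted", src, dst, proto))
            elif requests[(src, dst)] > rule["max_requests"]:
                findings.append(("request-cap-exceeded", src, dst, proto))
    return findings
```

An empty result for a window means every flow matched the learned policy; each finding is a candidate for either readjusting the policy or investigating the asset.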
Reliably secure remote maintenance access
The rendezvous concept of secure remote maintenance. Secure remote maintenance solutions only allow access from the inside to the outside and only to a security zone.
© Genoa
Remote maintenance of machines and systems is a particularly sensitive intervention in the OT network. A trustworthy remote maintenance solution therefore ensures that the system operator retains control over all access. Secure remote maintenance solutions only allow access from the inside to the outside and only to a security zone. This can be implemented with a so-called rendezvous server with an integrated firewall, which is installed in the demilitarized zone (DMZ). This neutral intermediate level prevents a direct connection to the Internet. In the DMZ, both the maintenance service and the machine operator establish encrypted connections at the agreed time. Only when the two sides rendezvous on the server in the DMZ, and the receiving operator has sovereignty over the connection (for example during the initial setup), is the continuous maintenance connection to the supported machine established.
Security for edge computing
Diagram of data pre-processing at the edge. Secure edge gateways strictly separate the security gateway from the edge computing area, i.e. the application.
© Genoa
With the help of edge computing, ever larger amounts of data, for example from sensors, can be processed immediately close to the machine. Time-critical data no longer has to be transmitted completely over the network, and sensitive data can remain in the company's own network. This shortens the response time compared to data processing in a big data cloud, for example. An edge gateway secures the data. Secure gateways should offer two separate areas in industrial-grade hardware that are strictly separated from each other: a computing platform for individual application containers and a security gateway. The separate areas each have their own operating systems and dedicated hardware resources.
In the application platform area, machine manufacturers or operators can install their individual application using container technology. The application retrieves the status and performance data from the machine via standard interfaces and pre-processes the data. The application scenarios are diverse. For example, some information can be used for immediate evaluations, while other information is transferred to the cloud. The information is therefore filtered, and only the data that is required for data analytics evaluations is transferred to the cloud.
OPC UA strengthens cybersecurity
Data diodes are suitable for sensitive system areas. Thanks to their one-way architecture, they allow data to be transferred without risk.
© Genoa
The OPC UA communication standard enables strong and secure networking. Previously predominant proprietary, manufacturer-specific protocols no longer need to be converted at the network boundaries. With OPC UA, a single protocol can be used from the sensor to the cloud. Security has played an important role in the OPC UA standard right from the start. A separate security layer was also specified for this purpose. This defines mechanisms for authenticating services or devices, how data is encrypted and how its authenticity is guaranteed.
In practice, however, the user is dependent on the quality of the respective manufacturer's implementation. Supplementary security solutions such as data diodes can therefore be useful for sensitive systems and network segments. They only allow unidirectional communication, for example to transfer data from sensitive industrial plants to 'insecure environments' such as the internet or a cloud without risk. Without a return channel, attackers will never have access to the machines or systems.
Low effort, high protection
Steve Schoner is Strategic Product Marketing Manager for Industrial Cyber Security at Genoa.
© Genoa
In OT security, a high level of protection against cyber risks can be achieved with today's technologies at a manageable cost. The focus should be on adequate security. However, cyber security is not fairy dust that is briefly applied at the end of a project. OT security must be considered from the outset and in all relevant dimensions. And if you want to upgrade, this should be done as independently of the manufacturer as possible to avoid a vendor lock-in. The aim is to create staggered levels of protection through technical and organizational measures and to provide special protection for the company's most important data and systems. This cyber resilience also ensures that core processes and core infrastructures can be maintained or at least quickly restored to full performance even in the event of cyber attacks.
Secure data transfer
With the 'NAMUR Open Architecture' (NOA), the automation technology interest group for the process industry (NAMUR) has set itself the goal of making production data easily and securely usable for system and device monitoring and optimization - even for existing systems. The NAMUR initiative proposes a secure one-way channel for the direct transfer of process data in addition to the existing automation structures. On this second channel, the data can be transferred without feedback. A diode that prevents unwanted and uncontrolled data streams in the direction of the sender ensures the security of the data transfer. The 'cyber-diode' from Genoa enables such secure one-way data transfer by not allowing any communication in the return direction by product design. In line with the defense-in-depth principle, it protects particularly sensitive network segments with its high security standard as a supplementary security measure. These are then de facto no longer vulnerable from the outside.