Network Security Is Not Enough for OT Data


Everyone agrees that network security is essential for information technology (IT) systems. Cyber attacks can cause huge problems or force crippling ransomware payments. Securing operational technology (OT) networks is even more critical. One successful exploit on a production network might halt production, incur huge costs and even put lives at risk.

Before the days of Industry 4.0, Internet of Things (IoT) and digitalization, it was simple to secure OT networks and data by simply disconnecting them (by air gap if need be). Unfortunately, that is no longer an option for any company that wants to stay competitive. The modern enterprise needs secure access to data from OT to increase efficiency and cut production costs.

This kind of data access must be secure, but securely accessing OT data does not have to be overly complicated or costly. A good solution may not be as expensive as you might think. Whatever level of network security you have, there are easy and affordable ways to gain secure access to OT data.

Data security: Different from network security

The reason is that data security is different from network security. Data security can be implemented alongside network security—and be fully compatible with it—but the goals of the two are not the same. A home-security analogy makes the difference clear.

Running a system without network security is like leaving a door open, which allows anyone to enter your house. Unwanted visitors can steal things or hold your family members hostage. You’re also exposed to viruses from any infected person who walks in.

Securing the network

To secure the network, a company might implement zero-trust network access, which comes at a significant cost. Such a solution often uses virtual private networks (VPNs) to restrict network access to a limited number of authorized people.

Using a VPN is like allowing only invited guests with a key to enter your house. These guests can still be carrying unwanted viruses that might infect your household. A VPN that extends from the IT network to OT extends the security perimeter to enclose OT. Should anyone in IT receive a phishing email or plug in a thumb drive with a virus on board, the malicious code could easily propagate to OT.

An invisible mail slot

For data access, a better solution—which is both cost-effective and secure—is to close the network to everyone and set up secure data connections. It’s like pushing open an invisible mail slot in your door and exchanging messages with an authorized mail carrier. Nobody enters the house to bring in a virus or hold your family members hostage. When you close the mail slot, it blends back in with the door. Only the mail carrier knows it’s there and only they can drop off or pick up messages.

For industrial systems, the invisible mail slot is an outbound firewall port at the plant. The mail carrier is typically a tunnelling application or MQTT broker running onsite or in a demilitarized zone (DMZ). If you are using a DMZ, the IT side can implement the same mail slot interface and keep all IT inbound firewall ports closed as well.

Using a DMZ is recommended by the EU’s NIS 2 Directive and NIST SP 800-82 as the best way to segregate OT and IT networks. Each network must be secure and any data connection between them must also be secure. Network security and data security should work hand in hand.
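The mail-slot pattern above can be checked mechanically during a firewall review. The following is an added example, not code from the article or from Skkynet: it audits a constructed, simplified rule list for the plant and IT edge firewalls and flags anything that breaks the pattern (an inbound allow, an outbound allow to something other than the DMZ broker, or a missing default inbound deny). The rule format, host names and the MQTT-over-TLS port 8883 are assumptions for the example.

```python
"""Audit edge-firewall rules for the outbound-only 'mail slot' pattern."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    zone: str            # firewall that owns the rule: "plant" or "it"
    direction: str       # "in" or "out", relative to that zone
    action: str          # "allow" or "deny"
    dst: str             # destination host, or "any"
    port: Optional[int]  # destination port, None means any

def parse_rules(text: str) -> List[Rule]:
    """Parse the constructed whitespace-separated rule format (one rule per line)."""
    rules = []
    for line in text.strip().splitlines():
        zone, direction, action, dst, port = line.split()
        rules.append(Rule(zone, direction, action, dst, None if port == "any" else int(port)))
    return rules

def audit(rules: List[Rule], broker_host: str, broker_port: int = 8883) -> List[str]:
    """Return findings; an empty list means both zones only open the mail slot."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.direction == "in":
            findings.append(f"{r.zone}: inbound allow to {r.dst}:{r.port} opens the door")
        elif r.dst != broker_host or r.port != broker_port:
            findings.append(f"{r.zone}: outbound allow to {r.dst}:{r.port} is not the broker slot")
    for zone in ("plant", "it"):
        has_default_deny = any(
            r.zone == zone and r.direction == "in" and r.action == "deny" and r.dst == "any"
            for r in rules)
        if not has_default_deny:
            findings.append(f"{zone}: no default inbound deny")
    return findings

# Constructed sample rule sets: the first follows the pattern, the second does not.
GOOD_RULES = """
plant out allow dmz-broker.example 8883
plant in  deny  any any
it    out allow dmz-broker.example 8883
it    in  deny  any any
"""
BAD_RULES = """
plant in  allow plc-historian.example 502
plant out allow dmz-broker.example 8883
it    out allow dmz-broker.example 8883
it    in  deny  any any
"""
```

Running `audit(parse_rules(BAD_RULES), "dmz-broker.example")` reports the inbound allow on the plant edge and the missing plant default deny, while the good set produces no findings.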

Viable options

Whatever level or type of network security you deploy, you need the right software and services to gain secure access to your data. If you need to isolate your OT system from IT or the cloud, you can use MQTT or Sparkplug to make outbound connections while keeping all inbound firewall ports closed. Some tunnel/mirroring software, such as Skkynet’s Cogent DataHub, is equipped to do this and more. Unlike MQTT, this kind of tunnel/mirroring solution can pass data seamlessly across a DMZ in both directions while maintaining the connection status and data quality information at every step.

To make an even more secure connection and ensure one-way data flow, you can use a data diode. This is a hardware device that allows and enforces only one-way communication and prevents any kind of message from the destination getting back to the source. Some tunnel/mirroring solutions are fully compatible with data diodes and can even be used to aggregate data sources on the sending side or to distribute data to various clients on the receiving side.

Working together

The thing to remember is that network security and data security are both important. They may be implemented separately, but they should work together as one unit. No matter what level or type of network security you have, Skkynet provides the technology and know-how you need to fully integrate it with data security.

This feature originally appeared in the November 2024 issue of AUTOMATION 2024.

About The Author

Xavier Mesrobian is the vice president of sales and marketing at Skkynet, a global leader in industrial data connectivity. With more than 25 years in the industry, Skkynet software and services are used in more than 27,000 installations in 86 countries including the top 10 automation providers worldwide.
