January 2020, Industrial Ethernet Book

Page 34

Technology

Securing OT networks with unidirectional gateways/diodes


Cybersecurity intrusions into OT (Operational Technology) networks by malevolent groups are gaining more and more attention. Attacks against safety and critical systems are a growing concern, and solutions to secure these systems are becoming critical. Ensuring the safety and availability of these networks is paramount in protecting our modern way of life. There are mitigations to protect such systems, and this article will present a potential solution leveraging the use of Unidirectional Gateways and Data Diodes.

OT networks, also referred to as ICS (Industrial Control Systems), are a unique environment that houses and controls systems critical to our modern way of life. OT security engineers have the unique responsibility of maintaining, protecting and securing critical safety systems and infrastructure. These systems provide comfort, convenience, and functionality for a high standard of living. Media headlines describing the Ukraine power grid attack and the cyber-attack against a German steel mill, where serious damage was incurred, illustrate the need to secure safety systems, devices, and OT networks.

Traditional Information Technology (IT) networks use the paradigm of Confidentiality, Integrity, and Availability. The OT world is primarily concerned with safety and reliability. Unlike in IT systems, an unscheduled reboot of a PLC (Programmable Logic Controller) that is controlling and monitoring the protection of a nuclear reactor could cause serious safety issues. Such use cases are not realized in IT environments.

Firewalls and routers with properly configured ACLs (Access Control Lists) are widely used to support a defense-in-depth strategy in both OT and IT networks. However, firewalls can be circumvented due to incorrect or badly written rules. NGFWs (Next-Generation Firewalls) provide greater granularity in rule sets to filter specific application signatures that go beyond layers 3 and 4 of the OSI (Open Systems Interconnection) model. They also include anti-virus protection, intrusion detection and prevention systems, URL filtering and important proxy capabilities.

SOURCE: SCHNEIDER ELECTRIC

Data diodes offer a hardware-enforced solution to defend OT networks and safety systems, using one-way flow of data without allowing returning threats. As always, defensive strategies must still combine people, processes, and technology all working together to support OT network security.
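The one-way property described above has a protocol consequence worth seeing in code: the receiving side of a diode can never acknowledge a frame or ask for a retransmission, so the software on each side has to carry its own integrity checks and tolerate loss. The Python below is an added example, not code from the article or from any vendor's gateway product. It frames records with a sequence number and CRC-32, sends each frame twice in place of the retransmission a two-way TCP link would perform, and on the receiving side rejects corrupted frames, ignores duplicates and reports gaps instead of repairing them. The header layout, the record values and the in-memory channel model are constructed for illustration; nothing touches a real network.

```python
"""Framing for a one-way (data-diode) link: added example, constructed values."""
import struct
import zlib

MAGIC = b"DIOD"
# magic, sequence number, payload length, CRC-32 of payload (constructed header layout)
HEADER = struct.Struct("!4sIHI")


def encode_frame(seq: int, payload: bytes) -> bytes:
    """Build one self-describing frame; the receiver must validate it without any reply."""
    return HEADER.pack(MAGIC, seq, len(payload), zlib.crc32(payload)) + payload


def decode_frame(raw: bytes):
    """Return (seq, payload) for a well-formed frame, None for anything damaged or truncated."""
    if len(raw) < HEADER.size:
        return None
    magic, seq, length, crc = HEADER.unpack_from(raw)
    payload = raw[HEADER.size:HEADER.size + length]
    if magic != MAGIC or len(payload) != length or zlib.crc32(payload) != crc:
        return None
    return seq, payload


def sender_frames(records, repeat=2):
    """Emit each record `repeat` times: repetition stands in for the ACK/retransmit a one-way link cannot provide."""
    frames = []
    for seq, record in enumerate(records):
        frames.extend(encode_frame(seq, record) for _ in range(repeat))
    return frames


class DiodeReceiver:
    """Receiving side: no feedback path, so it only validates, de-duplicates and accounts for gaps."""

    def __init__(self):
        self.received = {}   # seq -> payload
        self.rejected = 0    # frames that failed the CRC or framing check

    def accept(self, raw: bytes) -> None:
        decoded = decode_frame(raw)
        if decoded is None:
            self.rejected += 1
            return
        seq, payload = decoded
        self.received.setdefault(seq, payload)   # a second copy of the same seq is ignored

    def missing(self, expected_count):
        """Sequence numbers never seen: the only thing the receiver can do is report them."""
        return [s for s in range(expected_count) if s not in self.received]


def lossy_channel(frames, drop=(), corrupt=()):
    """Constructed channel model: frames at `drop` indexes vanish, frames at `corrupt` indexes get a flipped last byte."""
    out = []
    for i, frame in enumerate(frames):
        if i in drop:
            continue
        if i in corrupt:
            frame = frame[:-1] + bytes([frame[-1] ^ 0xFF])
        out.append(frame)
    return out


def run_demo():
    """Both copies of record 0 are lost, one copy of record 1 is corrupted, record 2 arrives twice."""
    records = [b"tag1=10.5", b"tag2=3", b"tag3=7"]   # constructed historian records
    frames = sender_frames(records, repeat=2)
    delivered = lossy_channel(frames, drop={0, 1}, corrupt={2})
    rx = DiodeReceiver()
    for frame in delivered:
        rx.accept(frame)
    return rx.received, rx.missing(len(records)), rx.rejected


if __name__ == "__main__":
    received, missing, rejected = run_demo()
    print("received:", received)
    print("missing sequence numbers:", missing)
    print("rejected frames:", rejected)
```

The design point is that the loss of record 0 is visible at the receiver as a gap, which is the best a unidirectional link can offer: the sending side has to be provisioned with repetition or forward error correction up front, because no signal about the loss ever crosses the diode in the reverse direction.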

Automation pyramid and consistency.

OSI Model

The seven layers of the OSI model.

The OSI model is a conceptual model developed by the International Organization for Standardization (ISO) that defines a standard for computer and networking communications.

Physical layer: This layer provides electrical functions whereby mechanical and electrical functions can be enabled or disabled. This layer includes copper and optical cabling. The physical layer translates communication requests from the datalink layer into the hardware operations affecting the electronic transmission and reception of these signals.

Datalink layer: The datalink layer is responsible for handling issues resulting from bit errors in transmission. The layer makes sure that data flows without overwhelming the sending and receiving components on the network. This layer also passes transmission data to Layer 3 (Network layer) to be routed. It moves data into and out of a physical link in a network. The Media Access Control (MAC) and Logical Link Control (LLC) are sublayers within the datalink layer.

Network layer: Layer 3 is where routing takes place. The routing of network protocols allows for packet communications across multiple networks. ICMP (Internet Control Message Protocol), OSPF (Open Shortest Path First), and RIP (Routing Information Protocol) are a few examples of protocols operating at the network layer.

Transport layer: This layer provides the transfer of data and communication services for applications. Some of the protocols found in the transport layer are TCP (Transmission Control Protocol), UDP (User Datagram Protocol), ATP (AppleTalk Transaction Protocol), and FCP (Fibre Channel Protocol).

Session layer: The session layer provides the network mechanism that opens and closes communication sessions for applications and processes. Examples of protocols used in this layer are NetBIOS (Network Basic Input/Output System), RPC (Remote Procedure Call), PPTP (Point-to-Point Tunneling Protocol), and PAP (Password Authentication Protocol).
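Firewalls and router ACLs act on the layer 3 and layer 4 fields described above, and the article's caveat about badly written rules is easiest to see when a frame is dissected into those layers and run through an ordered rule list. The Python below is an added example, not the article's or any vendor's code: it builds a constructed Ethernet II / IPv4 / TCP-or-UDP frame, returns the layer 2, 3 and 4 fields a stateless packet filter can inspect, and evaluates them against a first-match ACL in which a broad permit placed ahead of a specific deny shadows that deny completely. The MAC and IP addresses, ports and rules are constructed sample values, and checksums are left at zero because the frame is only ever dissected, never transmitted.

```python
"""Dissect a frame into OSI layers 2-4 and evaluate it against an ordered ACL: added example."""
import ipaddress
import struct

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")    # fixed 20-byte IPv4 header
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {6: "tcp", 17: "udp"}


def build_frame(src_ip, dst_ip, proto, src_port, dst_port, payload=b""):
    """Constructed Ethernet II / IPv4 / TCP-or-UDP frame; checksums are zero since it is only dissected."""
    # Ports occupy the first four bytes of both TCP and UDP headers; the rest is zero padding
    # (16 bytes to reach a 20-byte TCP header, 4 bytes to reach an 8-byte UDP header).
    l4 = struct.pack("!HH", src_port, dst_port) + b"\x00" * (16 if proto == 6 else 4) + payload
    total_len = IPV4_HDR.size + len(l4)
    ip = IPV4_HDR.pack(0x45, 0, total_len, 1, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    eth = ETH_HDR.pack(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), ETHERTYPE_IPV4)
    return eth + ip + l4


def dissect(frame):
    """Return one dict per OSI layer (2, 3, 4) that a stateless packet filter can actually see."""
    dst_mac, src_mac, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 is handled in this example")
    off = ETH_HDR.size
    vihl, _tos, _tlen, _id, _frag, ttl, proto, _csum, sip, dip = IPV4_HDR.unpack_from(frame, off)
    ihl = (vihl & 0x0F) * 4        # honour IHL: IP options would lengthen the header beyond 20 bytes
    off += ihl
    sport, dport = struct.unpack_from("!HH", frame, off)   # same port offsets for TCP and UDP
    return {
        "l2": {"src": src_mac.hex(":"), "dst": dst_mac.hex(":")},
        "l3": {"src": str(ipaddress.IPv4Address(sip)), "dst": str(ipaddress.IPv4Address(dip)), "ttl": ttl},
        "l4": {"proto": PROTO_NAMES.get(proto, str(proto)), "sport": sport, "dport": dport},
    }


def evaluate_acl(rules, layers):
    """First-match evaluation in rule order, like a router ACL, with an implicit deny at the end."""
    l3, l4 = layers["l3"], layers["l4"]
    src, dst = ipaddress.ip_address(l3["src"]), ipaddress.ip_address(l3["dst"])
    for action, src_net, dst_net, proto, dport in rules:
        if (src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net)
                and proto in ("any", l4["proto"]) and dport in ("any", l4["dport"])):
            return action
    return "deny"


# Constructed rule sets: (action, source network, destination network, protocol, destination port).
SHADOWED_ACL = [
    ("permit", "10.1.0.0/16", "10.2.0.0/16", "any", "any"),    # broad permit evaluated first ...
    ("deny",   "10.1.0.0/16", "10.2.0.10/32", "tcp", 5000),    # ... so this deny can never match
]
CORRECTED_ACL = [SHADOWED_ACL[1], SHADOWED_ACL[0]]             # specific deny ahead of the broad permit


def run_demo():
    """Same frame against both orderings: the shadowed ACL permits what the deny was written to block."""
    frame = build_frame("10.1.0.5", "10.2.0.10", 6, 40000, 5000)
    layers = dissect(frame)
    return evaluate_acl(SHADOWED_ACL, layers), evaluate_acl(CORRECTED_ACL, layers)


if __name__ == "__main__":
    print(dissect(build_frame("10.1.0.5", "10.2.0.10", 6, 40000, 5000)))
    print("shadowed, corrected:", run_demo())
```

The dissector stops at layer 4 deliberately: nothing above the transport header is visible to this kind of filter, which is the gap the article attributes to NGFW application signatures. A rule audit that checks each deny for an earlier, broader permit covering the same addresses and ports is a cheap way to catch the shadowing case before it reaches a production ACL.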


