Bridging the Air Gap: How to Harness Your Data and Protect Your OT Network

Brian Romansky, Chief Innovation Officer, Owl Cyber Defense


Sep 23, 2021

Co-authored by Mark Prince, retired from Entergy in 2020 and owner of Optional Solutions, LLC

Original equipment manufacturers (OEMs) serving the Critical Infrastructure sector have a new opportunity to bundle advanced data analytics with their products. Innovative services like predictive maintenance and automatic ordering of supplies and spare parts are driven by data that must be delivered from an operating machine back to the OEM.

But Critical Infrastructure operators have long been concerned about the threats they introduce when they open their operational networks so that OEMs can extract data. Traditionally, operational technology (OT) systems have been air-gapped, meaning they are physically isolated from the networks that run information technology (IT) systems. Some operators have moved to connect their OT and IT networks, but obtaining authorization to do so is difficult, and the implementation that follows is complex, expensive and adds to ongoing maintenance. That causes many operators to delay adopting connected services that would otherwise benefit both them and their OEMs.

Not all security is created equal

The high expectation for reliable and continuous plant operation leaves no room for vulnerability. While the air gap can be bridged, effective defense-in-depth requires security enforcement at every network interface.

Software-based network security on its own falls short. For one, it depends on frequent updates (patches, signatures, rule sets) to remain effective. And applications that require two-way remote connections, such as centralized management of remote sites, must also enforce application-specific policies on the data that can be changed, not just on the connection that carries it.

For instance, merely protecting the login and the connection is not good enough. If credentials are stolen or compromised, a further layer is needed that places reasonable limits on the rate and extent of changes that can be made to critical systems, regardless of who appears to be making them. That requires an application-aware policy enforcement mechanism.
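As an added example (not code from the article or from Owl Cyber Defense), here is what such an application-aware policy can look like for control writes passing through a gateway. It assumes each write arrives as a (principal, tag, value, time) tuple; the tag names, limits and rate budget are hypothetical values chosen for the demonstration.

```python
"""Application-aware write policy for a remotely managed OT endpoint.

Added illustrative example, not code from the article. It assumes the
gateway sees each control write as (principal, tag, value, time); the tag
limits and rate budget are hypothetical values chosen for the demo.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class TagLimits:
    low: float        # absolute floor the tag may ever be written to
    high: float       # absolute ceiling
    max_delta: float  # largest change accepted in a single write


@dataclass
class WritePolicy:
    writable: dict           # tag -> TagLimits; any tag not listed is read-only
    max_writes: int          # write attempts allowed per principal per window
    window_s: float          # length of the sliding window in seconds
    attempts: dict = field(default_factory=dict)  # principal -> deque of times
    current: dict = field(default_factory=dict)   # tag -> last accepted value

    def check(self, principal, tag, value, now):
        """Return (allowed, reason) for one write request.

        Every attempt, accepted or not, counts against the principal's budget,
        so a stolen credential cannot probe limits for free.
        """
        hist = self.attempts.setdefault(principal, deque())
        while hist and now - hist[0] > self.window_s:
            hist.popleft()
        if len(hist) >= self.max_writes:
            return False, "rate limit exceeded for principal"
        hist.append(now)

        limits = self.writable.get(tag)
        if limits is None:
            return False, "tag not writable"
        if not limits.low <= value <= limits.high:
            return False, "value outside absolute limits"
        last = self.current.get(tag)
        if last is not None and abs(value - last) > limits.max_delta:
            return False, "change exceeds per-write delta limit"
        self.current[tag] = value
        return True, "ok"


def demo():
    """Constructed sequence: a normal operator, then a burst that looks like a
    compromised account trying to swing a setpoint. Returns the decisions."""
    policy = WritePolicy(
        writable={"FIC101.SP": TagLimits(low=0.0, high=100.0, max_delta=5.0)},
        max_writes=3,
        window_s=60.0,
    )
    requests = [
        ("opA", "FIC101.SP", 50.0, 0.0),    # baseline, no previous value
        ("opA", "FIC101.SP", 53.0, 10.0),   # small adjustment
        ("opB", "PIC200.SP", 1.0, 12.0),    # tag is not on the writable list
        ("opA", "FIC101.SP", 95.0, 20.0),   # 42-unit swing in one write
        ("opA", "FIC101.SP", 54.0, 25.0),   # fourth attempt inside 60 s
        ("opA", "FIC101.SP", 54.0, 70.0),   # window has moved on
        ("opA", "FIC101.SP", 150.0, 71.0),  # beyond the tag's hard limits
    ]
    return [policy.check(*r) for r in requests]
```

The ordering matters: the rate check runs before anything else so that rejected probes still consume budget, and the delta check is applied against the last accepted value rather than whatever the caller claims the current value is.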

Fortunately, the choice is not simply between air-gapping and bi-directional access guarded by software. Hardware-enforced network protection is more resilient against attack: when the direction of data flow is fixed in hardware, a software flaw, including a zero-day, cannot be used to open an inbound path into the OT network. It does not by itself validate what leaves the network or protect the receiving side, so it is one layer in the stack rather than the whole stack. Effective hardware-enforced security in the form of embedded modules or IP cores can be integrated into new and existing designs. That way, OEMs can support operators in significantly expanding defensive coverage and reducing their OT network threat surface while still sharing operational data.

Use case: Transferring PI data via a proxy PI server

A useful example to consider is the movement of operational historian data. The OSIsoft PI System is commonly used in plants to record sensor readings, thermal performance, efficiency and more. PI servers provide insight into how staff are maintaining the plant, as well as critical forensic information after plant equipment failures. Analyzing this data is very valuable to safety, efficiency and cost. But sharing it bi-directionally through a firewall or another software security mechanism creates the risk of compromise in either direction, outbound or inbound.

Instead, the need for both better security and data sharing can be the driver behind installing hardware security mechanisms known as data diodes, which physically allow data to flow in only one direction, so that nothing can enter the OT network over the link. One-way enforcement also makes it straightforward to get data feeds from an OT environment to one or more OEM networks approved and integrated.

Depending on the environment, there are several design strategy options for implementing diodes for PI data transfer.

At a basic level, a diode can replace a firewall and provide a physically enforced boundary between a single source (e.g. an OPC server) and the corporate PI server it feeds. The diode extracts the payload from the incoming data packets and places it in a proprietary one-way protocol, creating a protocol break; the payload is sent across the diode, and the data packets are rebuilt on the far side before being delivered to the destination PI server. Because there is no return path, the receiving side cannot request retransmission, so the transfer protocol has to detect and report loss or corruption on its own. Depending on the network architecture, this method can remove the need for other network security devices such as interior firewalls.

The corporate PI server might also receive data from multiple control systems, each using a different interface protocol. In this case, the required proxies are configured on the source side of the diode, allowing it to interface with all of the control systems regardless of protocol. All data generated by the control systems automatically propagates to the other side of the diode for transfer to the PI server. This configuration requires multiple proxies but only a single PI server at the destination. It offers full flexibility as more interfaces are added or the type of interface changes with control system upgrades.

Diode products let operators mix many different protocols simultaneously through the same device without adding a Windows server for each. This flexibility is what allows end users to be creative in the front-end engineering of PI installations, and also in service delivery. For instance, new subscription pricing models can shift the cost of security technology from a capital expense to an ongoing operational cost that can be incorporated into rate-based pricing adjustments.
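To make the pipeline in the two paragraphs above concrete, here is an added example, not the article's or any vendor's code, of a send proxy and a receive proxy with a protocol break between them. The frame layout is a hypothetical stand-in for a diode's proprietary one-way format, the tag names and samples are constructed, and the receive side only collects records rather than calling a real PI API. What it adds is the consequence of the one-way constraint: with no return path, loss and corruption have to be detected and reported by the receiver, and the payload should be allow-listed before it is written to the historian.

```python
"""One-way historian transfer with a protocol break.

Added illustrative example, not vendor code. The OT-side send proxy is
assumed to have already pulled records from the source (e.g. an OPC server)
as dicts; the frame layout below is a hypothetical stand-in for a diode's
proprietary one-way wire format.
"""
import json
import struct
import zlib

MAGIC = b"OWD1"                  # hypothetical frame marker
HEADER = struct.Struct("!4sIH")  # magic, sequence number, payload length
TRAILER = struct.Struct("!I")    # CRC-32 over header + payload


def frame(seq, record):
    """Serialise one record into a self-describing frame. The source protocol
    (OPC, PI-to-PI, ...) is discarded here: only the payload crosses the diode."""
    payload = json.dumps(record, separators=(",", ":")).encode()
    header = HEADER.pack(MAGIC, seq, len(payload))
    return header + payload + TRAILER.pack(zlib.crc32(header + payload))


class SendProxy:
    """OT side: numbers frames so the receiver can notice when one is lost."""

    def __init__(self):
        self.seq = 0

    def emit(self, record):
        f = frame(self.seq, record)
        self.seq += 1
        return f


class ReceiveProxy:
    """IT side: validates and rebuilds records before they reach the PI server.
    There is no return path, so damage is detected and reported, never retried."""

    def __init__(self, allowed_tags):
        self.allowed = set(allowed_tags)
        self.expected = 0
        self.records = []   # what would be written to the destination historian
        self.events = []    # anomalies for the operator's monitoring

    def ingest(self, blob):
        if len(blob) < HEADER.size + TRAILER.size:
            self.events.append(("short_frame",))
            return
        magic, seq, n = HEADER.unpack_from(blob)
        if magic != MAGIC or len(blob) != HEADER.size + n + TRAILER.size:
            self.events.append(("bad_header",))
            return
        body = blob[:HEADER.size + n]
        (crc,) = TRAILER.unpack_from(blob, HEADER.size + n)
        if zlib.crc32(body) != crc:
            # seq comes from a frame that failed its check: a hint, not a fact
            self.events.append(("crc_fail", seq))
            return
        if seq != self.expected:
            self.events.append(("gap", self.expected, seq))
        self.expected = seq + 1
        record = json.loads(body[HEADER.size:])
        # Allow-list the payload: only numeric samples for known tags reach PI.
        if not (isinstance(record, dict) and record.keys() == {"tag", "ts", "value"}):
            self.events.append(("bad_schema", seq))
            return
        if record["tag"] not in self.allowed:
            self.events.append(("unknown_tag", seq, record["tag"]))
            return
        v = record["value"]
        if isinstance(v, bool) or not isinstance(v, (int, float)):
            self.events.append(("bad_value", seq))
            return
        self.records.append(record)


def demo():
    """Constructed traffic: one frame dropped, one corrupted in transit, one
    carrying an unknown tag. Returns (records delivered, anomalies reported)."""
    tx = SendProxy()
    rx = ReceiveProxy(allowed_tags=["FIC101.PV", "TIC204.PV"])
    samples = [
        {"tag": "FIC101.PV", "ts": 1622592000 + i, "value": 42.0 + i}
        for i in range(5)
    ] + [{"tag": "EVIL.TAG", "ts": 1622592005, "value": 0}]
    frames = [tx.emit(s) for s in samples]
    corrupted = bytearray(frames[3])
    corrupted[HEADER.size + 3] ^= 0xFF        # flip one payload byte
    delivered = [frames[0], frames[1], bytes(corrupted), frames[4], frames[5]]  # frame 2 lost
    for blob in delivered:
        rx.ingest(blob)
    return rx.records, rx.events
```

Running demo() shows frame 2 never arriving and frame 3 failing its CRC, which surfaces as a gap report when the next good frame (4) is seen, while the record with the unknown tag is held back. In a real deployment the same checks sit in the receive proxy in front of the PI interface, and the events go to the operator's monitoring, since the sender cannot be asked to resend.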

Safe modernization

Safely sharing historian or other OT data creates meaningful new opportunities for OEMs to offer advanced analytics services, and for operators to act on the resulting insights. With a security strategy that includes a hardware-enforced layer in the full security stack, operators can safely bridge the traditional air gap and move forward with connected services that bring a new level of plant efficiency and reliability.


This feature first appeared June 10, 2021 on, a subsidiary of ISA—the International Society of Automation.


