Bridging the Air Gap: How to Harness Your Data and Protect Your OT Network

Co-authored by Mark Prince, retired from Entergy in 2020 and owner of Optional Solutions, LLC
Original equipment manufacturers (OEMs) serving the Critical Infrastructure sector have a new opportunity to bundle advanced data analytics with their products. Innovative services like predictive maintenance and automatic ordering of supplies and spare parts are driven by data that must be delivered from an operating machine back to the OEM.
But Critical Infrastructure operators have long been concerned about introducing potential threats by opening their operational networks for OEMs to extract data. Traditionally, operational technology (OT) systems have been air-gapped, meaning they are physically isolated from the other networks that run information technology (IT) systems. Some operators have moved to merge their OT and IT networks, but obtaining authorization to connect the two is challenging. Implementation is then complex and expensive, and it escalates maintenance requirements. That causes many operators to delay adopting advanced connected services that would otherwise benefit both them and their OEMs.
All security is not created equal
The high expectation for reliable and continuous plant operation leaves no room for vulnerability. While the air gap can be bridged, effective defense-in-depth requires security enforcement at every network interface.
Unfortunately, software-based network security falls short. For one, it requires frequent updates to remain effective. Also, applications that require two-way remote connections, such as centralized management of remote locations, must enforce application-specific policies on the data that can be changed.
For instance, merely protecting the login and the connection is not good enough. If login information or credentials are stolen or compromised, further security is needed to place reasonable limits on the rate and extent of changes that can be made to critical systems. That requires an application-aware policy enforcement mechanism.
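As an added illustration, not taken from the article, of what an application-aware policy can enforce once login credentials are assumed compromised: the Python class below checks each setpoint write against a per-tag allow-list, a maximum change per write and a maximum number of writes per time window. The tag name and limits are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class TagPolicy:
    max_step: float   # largest allowed change per write, in engineering units
    max_writes: int   # writes permitted per window
    window_s: float   # window length in seconds


@dataclass
class WriteGuard:
    """Application-aware check applied to setpoint writes crossing into the OT network."""
    policies: dict                                 # tag name -> TagPolicy (the allow-list)
    last_value: dict = field(default_factory=dict) # tag -> last accepted value
    history: dict = field(default_factory=dict)    # tag -> deque of accepted write times

    def check(self, tag, new_value, now):
        """Return (allowed, reason). Denies unknown tags, oversized steps and bursts."""
        policy = self.policies.get(tag)
        if policy is None:
            return False, "tag not in write allow-list"
        prev = self.last_value.get(tag)
        if prev is not None and abs(new_value - prev) > policy.max_step:
            return False, f"step {abs(new_value - prev):g} exceeds max_step {policy.max_step:g}"
        times = self.history.setdefault(tag, deque())
        while times and now - times[0] >= policy.window_s:
            times.popleft()                        # forget writes outside the window
        if len(times) >= policy.max_writes:
            return False, f"more than {policy.max_writes} writes in {policy.window_s:g}s"
        times.append(now)                          # only accepted writes count against the rate
        self.last_value[tag] = new_value
        return True, "ok"


def demo():
    """Constructed sequence: a pump setpoint limited to 5 units per write and 3 writes per minute."""
    guard = WriteGuard({"PUMP1.SP": TagPolicy(max_step=5.0, max_writes=3, window_s=60.0)})
    attempts = [("PUMP1.SP", 50.0, 0), ("PUMP1.SP", 54.0, 1), ("PUMP1.SP", 70.0, 2),
                ("PUMP1.SP", 57.0, 3), ("PUMP1.SP", 58.0, 4), ("PUMP1.SP", 58.0, 61),
                ("VALVE9.CMD", 1.0, 62)]
    return [guard.check(tag, value, t)[0] for tag, value, t in attempts]
```

A denied write leaves both the last accepted value and the rate counter untouched, so an attacker who holds valid credentials cannot walk a setpoint out of range in small steps faster than the policy allows.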
Use case: Transferring PI data via a Proxy PI server
A useful example to consider is the movement of operational historian data. The OSIsoft PI system is commonly used in many plants to document things like sensor readings, thermal performance, efficiency and more. PI servers provide insight into how staff are maintaining the plant as well as critical forensic information for plant equipment failures. Analyzing this data is very valuable to safety, efficiency and cost. But sharing it bidirectionally through a firewall or other software security mechanism creates the risk of compromise either outbound or inbound.
Instead, the need for better security and data sharing can be the driver behind installing hardware security mechanisms known as data diodes, in which data can only flow in one direction, thereby blocking potential breaches. One-way data enforcement makes it easy to approve and integrate data feeds from an OT environment to one or more OEM networks.
Depending on the environment, there are several design strategy options for implementing diodes for PI data transfer.
The corporate PI server might also get data from multiple control systems, each using different interface protocols. In this case, the required proxies are configured on the source side of the diode, allowing the installation to interface with all control systems regardless of protocol. All data generated by the control systems will automatically propagate to the other side of the data diode for transfer to the PI server. This configuration requires multiple proxies but only a single PI server at the destination. It offers full flexibility as more interfaces are set up or the types of interface change with control system upgrades.
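The following Python sketch is an added example, not the article's or any vendor's code, of the source-side proxy and destination-side receiver around a data diode as described above: the sender wraps each historian sample in a sequenced, checksummed datagram, and the receiver, which has no return path on which to request a resend, validates each datagram on its own and records gaps and corrupt frames. The tag name, timestamps, values and framing format are constructed for the example.

```python
import json, struct, zlib

HEADER = struct.Struct("!II")  # sequence number, payload length (network byte order)

def frame(seq, sample):
    """Source-side proxy: wrap one historian sample in a sequenced, CRC-trailed datagram."""
    payload = json.dumps(sample, separators=(",", ":")).encode()
    body = HEADER.pack(seq, len(payload)) + payload
    return body + struct.pack("!I", zlib.crc32(body))

class DiodeReceiver:
    """Destination-side proxy: no ACK or resend request can cross the diode, so every check is local."""
    def __init__(self):
        self.expected = 0      # next sequence number we should see
        self.accepted = []     # decoded samples handed on to the PI server
        self.gaps = []         # (first_missing_seq, last_missing_seq) ranges never received
        self.corrupt = 0       # datagrams rejected for length or CRC errors

    def receive(self, datagram):
        if len(datagram) < HEADER.size + 4:
            self.corrupt += 1
            return None
        body, crc = datagram[:-4], struct.unpack("!I", datagram[-4:])[0]
        if zlib.crc32(body) != crc:
            self.corrupt += 1
            return None
        seq, length = HEADER.unpack_from(body)
        if length != len(body) - HEADER.size:
            self.corrupt += 1
            return None
        if seq < self.expected:
            return None        # duplicate or replayed datagram: ignore
        if seq > self.expected:
            self.gaps.append((self.expected, seq - 1))
        self.expected = seq + 1
        sample = json.loads(body[HEADER.size:])
        self.accepted.append(sample)
        return sample

def simulate():
    """Constructed run: five samples cross the diode; one is lost, one is damaged in transit."""
    samples = [{"tag": "BOILER1.TEMP", "ts": 1623319200 + i, "value": 540.0 + i} for i in range(5)]
    wire = [frame(i, s) for i, s in enumerate(samples)]
    del wire[2]                                            # datagram 2 never arrives
    wire[2] = wire[2][:-1] + bytes([wire[2][-1] ^ 0xFF])   # datagram 3's CRC trailer is damaged
    rx = DiodeReceiver()
    for d in wire:
        rx.receive(d)
    return rx
```

The receiver cannot tell a lost datagram from a damaged one, so the gap and corrupt counters on the destination side are the monitoring signal that a one-way feed is degrading and the source side needs attention.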
Diode products enable operators to mix many different protocols simultaneously through the same device without adding a Windows server for each. This flexibility is what allows end users to implement creativity in front-end engineering of PI installations, and also in service delivery. For instance, new subscription pricing models can shift the cost of security technology from a capital expense to an ongoing operational cost that can be incorporated into rate-based pricing adjustments.
Safe modernization
Safely sharing critical historian or other OT data creates meaningful new opportunities for OEMs to offer advanced analytics services, and for operators to improve from those deep analytical insights. With the right security strategy that includes a hardware-enforced layer in the full security stack, operators can safely bridge the traditional air gap, and move forward with innovative connected services that will bring a new era in plant efficiency and reliability.
This feature first appeared June 10, 2021 on Automation.com, a subsidiary of ISA—the International Society of Automation.