For some time now, the attention of IT and Industrial Automation managers has focused on OT Security, i.e. how to protect process and factory automation networks and control systems from cyber risk.

With the advent of so-called OT-IT convergence, driven by the extensive digitization of industrial companies and utilities under Industry 4.x strategies, it became clear that company networks with internet access, and therefore everything connected to them in the production/operational departments, can be exposed to cyber incidents caused by malware and ransomware even when protected.

Those involved in Cyber Security, and especially OT Security, have always preached the need to deploy defense devices in layers (Defense in Depth, a multi-layered defense strategy). The strategy rests on having several active defense devices, of different types and technologies, in order to "wear out" any attacker on the network and make it more complex and costly to reach the "deeper" levels, i.e. the devices connected to the factory network: PLCs, SCADA, DCS, robots, etc.

Bayshore – rings of defense

Most of the network infrastructure is usually managed and maintained directly by the Company's IT (Information Technology) department which often interfaces with IT-Security colleagues for all protection needs.

Sometimes, though, the "deepest" part of the network, the OT (Operation Technology) part in the factory, runs on different processes and procedures and is managed by different people, whose main concern is to follow production and make sure that plants and machinery work and produce. This is why the need arises to defend, in a simple but effective way, some of the most important systems in the factory from IT risk: the PLCs and the HMI/SCADA systems that manage them.

The question naturally arises: "But do I really have to defend these devices, even if they are not connected to the internet?"


Many cases that we have seen in recent years have confirmed that the connection often exists even if it is not registered/declared.

Often the network where the HMI/SCADA PCs and the PLCs are connected is either the same physical network as, or a subnet of, the one that carries data and information to other PCs or servers on the enterprise network. More and more often we see connections to the outside world for data visualization and for maintenance of machinery and plants in the factory.

Industry standards such as IEC 62443 prescribe segmenting the factory network into zones, to allow containment of infections and segregation of the critical assets to be defended.

This is why insiders welcome and expect devices and tools that, as mentioned, are simple to install and configure and at the same time effective for "local" protection of the piece of network we want to defend, possibly designed specifically for the purpose.

Bayshore Networks' SCADAfuse was created for exactly this: to protect the PLCs in a SCADA/PLC application on the network.


Easy to install: just place it downstream or upstream of the switch to which the PLC or PLCs are connected.

Easy to configure: it knows the protocols used by PLCs and learns by itself the connections and traffic between PLC and PLC and between PLC and PC/HMI/SCADA. Once "self-trained", it starts signaling whether there is something suspicious to block, avoiding malfunctions due to cyber incidents.
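To make the learn-then-enforce behaviour described above concrete, here is a minimal flow allowlist written for this article as an added example; it is not Bayshore code, and the addresses, ports and protocol names are constructed (Modbus/TCP on port 502 and EtherNet/IP on 44818 are assumed for illustration).

```python
from collections import namedtuple

# Constructed flow records (not captured data): source, destination, dst port, protocol.
Flow = namedtuple("Flow", "src dst dport proto")

# Training-window traffic on the supplied PLC/HMI subnet (assumed addresses).
TRAINING = [
    Flow("10.10.1.10", "10.10.1.20", 502, "modbus"),    # HMI -> PLC1 polling
    Flow("10.10.1.10", "10.10.1.21", 502, "modbus"),    # HMI -> PLC2 polling
    Flow("10.10.1.20", "10.10.1.21", 502, "modbus"),    # PLC1 -> PLC2 peer traffic
]

# Traffic seen later, once enforcement is switched on.
LIVE = [
    Flow("10.10.1.10", "10.10.1.20", 502, "modbus"),    # learned, allowed
    Flow("10.10.5.7",  "10.10.1.20", 502, "modbus"),    # enterprise host to PLC1: unknown source
    Flow("10.10.1.10", "10.10.1.20", 44818, "enip"),    # known pair, unlearned protocol/port
    Flow("10.10.1.21", "10.10.1.20", 502, "modbus"),    # reverse direction of a learned pair
]

def learn_baseline(flows):
    """Learn mode: every (src, dst, dport, proto) tuple observed becomes allowed.
    Everything seen in this window is trusted, so the window must be taken on a
    network already known to be clean and must be long enough to cover rare but
    legitimate traffic (maintenance sessions, periodic backups)."""
    return set(flows)

def enforce(baseline, flows):
    """Enforce mode: return the flows outside the learned baseline, each with a
    short reason an operator can act on. Direction matters: a learned A->B flow
    does not authorise B->A."""
    known_pairs = {(f.src, f.dst) for f in baseline}
    verdicts = []
    for f in flows:
        if f in baseline:
            continue
        if (f.src, f.dst) in known_pairs:
            reason = "known pair, unlearned protocol/port"
        else:
            reason = "unlearned host pair"
        verdicts.append((f, reason))
    return verdicts

if __name__ == "__main__":
    for flow, reason in enforce(learn_baseline(TRAINING), LIVE):
        print(f"BLOCK {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```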

Bayshore – secure networking


SCADAfuse for iFix similarly protects communications between the various SCADA nodes on the network. Designed specifically for the HMI/SCADA Proficy iFix by GE Digital, it automatically recognizes the six protocols used by iFix for communications between SCADA nodes and View nodes and, like the product for PLC-to-HMI/SCADA communications, protects the network of SCADA nodes from malicious traffic that could lead to operational disruption.

Alongside, a network diagram with perimeter protection and "in depth" protection with SCADAfuse

SCADAfuse is the optimal OT Security solution for System Integrators and Plant/Machine Builders who have to supply a PLC/SCADA-based system and are asked by the End User to connect it to a pre-existing factory or company network: it controls the traffic between the iFix-based HMI/SCADA node PCs and all traffic between PLCs and between PLCs and HMI/SCADA nodes, keeping out of this "subnet" all traffic not pertaining to the supplied system.

In this way it is possible to continue to guarantee the integrity of network communications and the protection of this portion of the network from risks and intrusions.


What is the first step to take? AN ASSET INVENTORY, DEFINITELY!