After years of experience remediating and securing factory systems and networks for OT Cyber Security, we have come to the firm belief that to adequately protect the systems that manage plants and machinery, both in Industry and in Utilities, it is necessary to start with people.

Once the risk analysis is done, the first step towards Security-by-Design is making the technicians who design, implement and then maintain the systems (PLCs, SCADA servers and clients, HMIs and network devices) understand the importance of correct behaviour, what is known as OT Cyber Hygiene. Likewise, good practices on the part of the operators who will then use those systems every day to run the plants and production are the weapon that allows the cyber risk to be reduced consistently.

Then, as often happens, there are the tools to adopt, indispensable for effectively implementing the Industrial Cyber Security policies the Company has decided on in order to guarantee the levels of Business Continuity needed to satisfy the Business requirements defined by Management.

Let's look at the ones most frequently adopted.

Firewall to protect the SCADA-PLC network with OTfuse

For this level of protection, following the network segmentation criteria suggested by the IEC 62443 standard, ServiTecno's offering includes Bayshore Networks OTfuse appliances with IPS/IDS Advanced Threat Detection, Policy Learning and Policy Enforcement features. OTfuse should be placed in close proximity to critical endpoints, protecting PLCs and SCADA/DCS devices from unauthorized use, dangerous instructions and activities, and remote takeover by hostile sources. It features a pair of bypass ports for incoming and outgoing data packets, requires no network or resource redirection, and is completely self-contained. It can also be managed remotely, but no remote management console is required for installation or maintenance.

OTfuse is available in several variants:

  • OTfuse: offers turnkey protection for PLC, SCADA and DCS, with native support for Modbus, EtherNet/IP, S7, DNP3, BACnet, SLMP, FINS, EGD, etc.
  • OTfuse iFix: Bayshore Networks has partnered with GE Digital to achieve a new level of network security for the proprietary protocols used on networks running iFIX servers, clients and drivers.
  • OTfuse Cimplicity: uniquely supports the proprietary protocols of GE Digital's Cimplicity software.
  • OTfuse Lite: a "lightweight" version of OTfuse that offers most of the features of OTfuse Standard at a reduced price, including Advanced Threat Detection, Policy Learning and Policy Enforcement.

Data diode for secure one-way or even two-way transmission: NetWall

The Bayshore Networks NetWall USG unidirectional security gateway for IT/OT is a high-speed hardware and software solution that replicates data in a single direction, from the trusted network to the untrusted one, whether on-premises or in the Cloud. Once installed, it essentially creates a secure network segment, shielding and isolating critical resources and sensitive networks from accidents, attacks and misuse. This is the preferred solution when data must be replicated from a Historian on the "protected/trusted" factory network to a Historian or other database server on the Enterprise network.

NetWall is also available in a BSG (Bilateral Security Gateway) version, which incorporates all the features of the USG (Unidirectional Security Gateway) version and adds the ability to receive response data from certain destinations on the untrusted network.

How does it work? With the NetWall Bilateral Security Gateway, a TCP connection is initiated from the protected network towards the "untrusted" network. At that point the destination is authorized to reply to the "sender" with data. The only permitted activity is the reply; every other communication initiated autonomously towards the protected network remains inhibited.
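The rule just described, as an added illustration that is not Bayshore's code: a small connection-tracking model in which only the trusted side may open TCP flows and the untrusted side may answer only on those flows, from hosts that are explicitly permitted. Host names, ports and the packet trace are constructed for the example.

```python
from collections import namedtuple

# Constructed model of the behaviour described above; it is not Bayshore's
# implementation. The trusted side opens TCP connections outward, and the
# untrusted side may only answer on those connections, never start its own.
Packet = namedtuple("Packet", "src_net src sport dst dport flags")


class BilateralGateway:
    def __init__(self, reply_allowed):
        self.reply_allowed = set(reply_allowed)  # untrusted hosts permitted to answer
        self.flows = set()  # (trusted_host, trusted_port, untrusted_host, untrusted_port)

    def decide(self, pkt):
        """Return 'ALLOW' or 'DROP' for one packet, tracking outbound flows."""
        if pkt.src_net == "trusted":
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:  # connection opened inside
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        # untrusted -> trusted: never a new connection, and only from a permitted
        # host on a flow the trusted side opened (reply direction of the key)
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            return "DROP"
        if pkt.src in self.reply_allowed and \
                (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ALLOW"
        return "DROP"  # autonomous traffic towards the protected network


def run_scenario():
    """Constructed exchange: an OT historian replicating to an enterprise server."""
    gw = BilateralGateway(reply_allowed={"ENT-HIST"})
    trace = [
        Packet("trusted", "OT-HIST", 51000, "ENT-HIST", 8443, {"SYN"}),          # opened inside
        Packet("untrusted", "ENT-HIST", 8443, "OT-HIST", 51000, {"SYN", "ACK"}),  # handshake reply
        Packet("untrusted", "ENT-HIST", 8443, "OT-HIST", 51000, {"ACK"}),         # response data
        Packet("untrusted", "ENT-HIST", 8443, "OT-HIST", 502, {"SYN"}),           # inbound attempt
        Packet("untrusted", "ENT-APP", 40000, "OT-HIST", 51000, {"ACK"}),         # host not permitted
        Packet("untrusted", "ENT-HIST", 8443, "OT-HIST", 51001, {"ACK"}),         # no matching flow
    ]
    return [gw.decide(p) for p in trace]


if __name__ == "__main__":
    print(run_scenario())
```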

Remote access for maintenance, visualization, system management with OTaccess

Bayshore Networks' OTaccess is the only real-time secure remote access solution that offers granular access control and enables customized control by protocol, by user activity and by location, with continuous monitoring and policy enforcement for the duration of each session.

In practice, OTaccess provides granular and secure remote access, finer-grained than today's VPNs.

Access is controlled by user, by protocol and by activity, ensuring that the resources and the OT network cannot be manipulated remotely outside the granted permissions. It is available as an on-premises hardware/software solution or as a Cloud service, and it minimizes the attack surface, making it the most secure option for remote employees or third-party vendors to access endpoints (PLCs, SCADA, engineering workstations, etc.) within the OT network.

For more information, see the figure.

Asset Inventory with Bayshore Networks Scrutiny

Scrutiny is Bayshore Networks' OT asset detection and visualization tool: in practice, it performs a passive Asset Inventory of the entire factory network without affecting normal operations. It allows operators to build a map of all the devices on their industrial network, with information on the industrial ports and protocols in use and on which factory devices (PLC, SCADA, DCS, robots, etc.) can reach or be reached by each other.

With Scrutiny, OT network operators obtain information on OT network connections and communications, on the connected machinery and on the protocols used in the factory or, more generally, in the process. After Scrutiny has examined plant traffic for even a few minutes, most OT teams detect anomalies, such as:

  • Equipment they thought was shut down that is still communicating.
  • Communication slowdowns and anomalous bandwidth consumption.
  • Protocols, ports and services in use on network segments that should have been unreachable or even isolated.
  • Discrepancies between the inventory and what the actual network traffic reveals.

Using Scrutiny periodically, it is possible to obtain successive snapshots of the state of the factory networks, compare them, and so verify what has changed and which countermeasures to implement.
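The comparison described in this section, as an added example that is not Scrutiny's own code: two constructed passive-inventory captures (lists of observed flows) are diffed against a hypothetical asset register to surface the anomaly classes listed above. Host names, segments and the register are invented for the example.

```python
from collections import defaultdict

# Constructed sample data (not real Scrutiny output): each flow is
# (src_host, dst_host, dst_port, protocol, network_segment).
SNAPSHOT_T1 = [
    ("PLC-01", "SCADA-SRV", 502, "modbus", "cell-A"),
    ("PLC-02", "SCADA-SRV", 502, "modbus", "cell-A"),
    ("HMI-01", "PLC-01", 102, "s7comm", "cell-A"),
    ("HIST-01", "ERP-DB", 1433, "mssql", "dmz"),
]
SNAPSHOT_T2 = SNAPSHOT_T1 + [
    ("ENG-WS", "PLC-02", 44818, "enip", "cell-A"),      # unregistered host, new protocol
    ("PLC-OLD", "SCADA-SRV", 502, "modbus", "cell-B"),  # device believed switched off
]
# Hypothetical asset register (CMDB export): host -> expected state.
DECLARED = {"PLC-01": "active", "PLC-02": "active", "HMI-01": "active",
            "SCADA-SRV": "active", "HIST-01": "active", "ERP-DB": "active",
            "PLC-OLD": "decommissioned"}


def services_by_segment(snapshot):
    """Map each segment to the set of (protocol, port) pairs observed on it."""
    seen = defaultdict(set)
    for _src, _dst, port, proto, seg in snapshot:
        seen[seg].add((proto, port))
    return seen


def compare_snapshots(before, after, declared):
    """Diff two passive captures against the register; return the anomaly classes."""
    hosts_after = {h for flow in after for h in flow[:2]}
    svc_before, svc_after = services_by_segment(before), services_by_segment(after)
    return {
        # equipment thought shut down that is still communicating
        "still_talking": sorted(h for h in hosts_after
                                if declared.get(h) == "decommissioned"),
        # hosts on the wire that the register does not list at all
        "unregistered": sorted(h for h in hosts_after if h not in declared),
        # (segment, protocol, port) combinations absent from the earlier capture
        "new_services": sorted((seg, proto, port)
                               for seg, svcs in svc_after.items()
                               for proto, port in svcs - svc_before.get(seg, set())),
        # flows that disappeared between the two captures (worth verifying too)
        "vanished_flows": sorted(set(before) - set(after)),
    }


if __name__ == "__main__":
    for kind, items in compare_snapshots(SNAPSHOT_T1, SNAPSHOT_T2, DECLARED).items():
        print(f"{kind}: {items}")
```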

MDT AutoSave for Change Management and Back-up management of OT devices

For Change Management & Configuration Control, that is, controlling process changes on SCADA, PLC and DCS, and above all for managing back-ups, MDT AutoSave is the most advanced and feature-rich Change Management software on the market. It is designed specifically for version management and change control in factory and process environments, and is backed by adequate, highly professional support and field assistance services.

By bringing together all the data generated by change management activity in a single web tool, the AutoSave dashboard/portal for managing manufacturing facilities and utilities, you can easily identify issues that could impact performance and plant security.

Conclusions

We have said that the first step in making factory plants and machinery safer from cyber risk is to keep the people who install, maintain and use the OT systems and networks that manage them, in Industry as in Utilities, alert and attentive: this is achieved with good awareness programs and training.

Furthermore, tools can be adopted that raise the level of resilience of the OT network, allowing the Company to reach the levels of operational continuity it needs, both in production and in the provision of services, and ultimately the Business objectives decided by Management.