15 Apr 2024
by Simon Wiseman and Aaron Mulgrew

Strong security unlocks the benefits of external connectivity in Operational Technology environments

Guest blog by Simon Wiseman, Chief Technology Officer and Aaron Mulgrew, Solutions Architect at Everfox #techUKOTSecurity

Connecting an Operational Technology environment to the outside world would bring huge benefits when it comes to the use of cloud scale monitoring, remote maintenance, and applying updates. But  unless the connectivity can be secured to the same level achieved with physical isolation, the benefits cannot be realised. So how do you maintain the same level of security without the physical safeguards in place? This blog explores some of our solutions and how they map onto these challenges.

Cloud based monitoring

When organisations first make external connections to their operational network, it is often to implement cloud-based monitoring, where they can harness the power of the cloud for machine learning and big data algorithms to work out inefficiencies in their processes or to alert if something isn’t quite right.

Connections for monitoring are often made through a data diode, which physically enforces a one-way data flow, preventing an attack using the connection to get into the operational network. But back channels are important in networking, as they underpin reliable delivery and allow throughput to be maximised.

What’s needed is not a device that blocks the back channels, but one that allows their use to be controlled with supreme confidence. This is incredibly hard with a software device because software is generally very complex and too easily changed. But there is a different approach, called hardsec, where trust is placed in simple hardware logic rather than complex software.

Introducing Hardsec and FPGAs

The strength of software is that it can modify itself. The operating system of a computer can run any software we load onto it. But when it comes to security, this is its weakness. It’s impossible to be sure that it never misbehaves because it can change after it’s been checked. Hardware logic is different. Its functionality is fixed when it is designed. So, once it is right it stays right.

Logic is good at doing simple things fast. If we have a simple security task to perform, we can implement it in logic. Once we get it right, we know that it will remain secure. Doing this is hardsec.

For example, we can create logic that passes messages in a particular format but discards anything else. That could be used to allow telemetry in one direction and to propagate a link-loss signal in the other direction to allow the sender to tolerate equipment failures – something a data diode cannot do.

A Field-Programmable Gate Array (FPGA) is a series of logic gates whose interconnections are programmed when the device is powered on. The start-up process can be controlled so that only approved logic is loaded, and once it is loaded it cannot be changed. There’s no software involved with applying the security constraints, so overall attack surface is extremely low.

With a hardsec connection, vital telemetry can be sent to cloud historians reliably. If the operator needs to show a regulator that the data flow is one way, this can be done because the logic that enforces this property is simple and straightforward. Everfox has hardsec technology covering all the typical cloud ingest protocols including MQTT and HTTPS/REST with JSON and XML.

In cases where an attack could cause damage by leaking data, such as high value recipes, a hardsec solution has the added benefit of being able precisely control what data is carried by the telemetry – something that is not possible with a data diode.

Securing remote maintenance

Exporting telemetry to a service provide allows them to determine when maintenance is required, but if a specialist engineer must visit the site to investigate problems, timeliness and efficiencies are lost. Remote access is the answer, but securing it is generally a difficult problem.

What’s needed is a remote access solution that provides tight control over its use, prevents any unwanted accesses, holds the engineers to account for their actions, and does all this in a way that is demonstrable secure to satisfy the business owner and regulators.

The Everfox solution for this is a gateway based on using a thin client protocol to give the remote engineer access to a local engineering workstation. Once connected, the engineer can work on the local network, even though they are not physically present. Several security mechanisms are built around this to give the required control.

The first issue is that remote access protocols are extremely complicated by nature, so there is plenty of scope for the implementation to be flawed in a way that allows an attacker into the operational network. This problem is solved using hardsec to implement a protocol break – a security device that converts a complex protocol into a simpler one, and back again, so that only the implementation of the simple protocol is critical to security. Everfox use hardware logic to implement the simple protocol, so no software is critical, and attackers are presented with no software attack surface.

In a remote access solution, user authentication is vital, so Everfox uses certificates with a VPN to connect to the outer edge of the gateway, then the engineer authenticates with a hardware token to the gateway’s inner edge, and finally a username and password entered within the tunnel gains access to the engineering workstation. Access is also authorised by calling out to the operational network’s ticketing system to ensure the maintenance access is scheduled.

The engineering workstation may well be shared by different engineers at different times, so the solution configures what resources the local workstation can access dependent on the role of the engineer using it.

A remote engineer working on equipment as expected can still cause damage, wilfully or through negligence, and in an operational system it is important to hold them to account for their actions. With the Everfox remote access solution this can be done by recording the remote session for later review, or by having a supervisor watch the session in real time.

Securing software update imports

Updates are inevitably needed in an operational system, whether it is for recipes or software. Imports with manual intervention, using USB flash drives etc., are slow and inconvenient, and not easy to control with any certainty. Delivery over the network is not only faster and more reliable, but can also be better controlled, even if the final distribution hop is via exchangeable media.

Files containing recipes or other manufacturing data can be transferred a through hardsec protocol break, but steps must also be taken to ensure the data is safe to receive. This can be done with a data break – a security device that converts complex data structures into simple ones, and back again, so only simple checks on the simple data are security critical.  Everfox uses hardware logic to implement the checks on the simple form of the data, so no software is critical, and attackers are presented with no software attack surface.

Software cannot, unfortunately, be checked to make sure it is safe – it’s a fundamentally impossible task - and checking for known unsafe software doesn’t go far enough to protect a critical system. When importing software, it is the provenance of the software that is important, and digital signatures are usually used to indicate this. The Everfox solution checks the source of updates, validates their signatures, and ensures they are delivered to the appropriate holding area where AV scanning and sandboxing can take place. The hardsec protocol and data breaks are used to make sure these checks are always applied.

Conclusion

A modern operational system cannot afford to be disconnected, but equally it cannot afford to connect without security technology that can be relied on to defeat sophisticated attackers.

One-way inbound and outbound data flows are not sufficient to meet the need, but by implementing critical security functions in hardware logic, it is possible to build security gateways that provide the functionality needed in a way that can assure business owners and regulators that the system remains as secure as if it were isolated.


techUK’s Operational Technology Security Impact Day 2024 #techUKOTSecurity

techUK’s Cyber Programme is delighted to be holding our first securing Operational Technology (OT) security impact day to showcase how cyber companies are helping organisations to secure their OT and navigate the convergence of IT/OT systems.

Find all the insights here!

Cyber Security Programme

The Cyber Security Programme provides a channel for our industry to engage with commercial and government partners to support growth in this vital sector, which underpins and enables all organisations. The programme brings together industry and government to overcome the joint challenges the sector faces and to pursue key opportunities to ensure the UK remains a leading cyber nation, including on issues such as the developing threat, bridging the skills gap and secure-by-design.

Learn more

Join techUK's Cyber Security SME Forum

Our new group will keep techUK members updated on the latest news and views from across the Cyber security landscape. The group will also spotlight events and engagement opportunities for members to get involved in.

Join here

Cyber Security updates

Sign-up to get the latest updates and opportunities from our Cyber Security programme.

 

 

 

 

Authors

Simon Wiseman and Aaron Mulgrew

Simon Wiseman and Aaron Mulgrew

Chief Technology Officer and Solutions Architect, Everfox