By John Stevenson | Blog

In our previous blog we examined how organisations responsible for delivering critical infrastructural services could fortify the boundary between their IT and OT networks to combat the elevated threat level posed by cyber attackers.

Securing OT Monitoring in the Cloud

Now with the cloud enabling organisations to monitor their operational technologies remotely and efficiently there’s a new boundary to secure. In this blog we examine how best to secure this boundary by looking at the link between the OT network and the cloud-based monitoring system.

To the Cloud

Managing OT networks and assets from the cloud, whether for the purpose of viewing historical data, or monitoring those assets in real-time or even remotely controlling them, delivers big business benefits. Cloud-based monitoring can help the organisation improve product quality and performance, gain better control over inventory, increase visibility of stock and inventory and demonstrate regulatory compliance.

But to take advantage of these benefits, organisations responsible for delivering critical infrastructural services need to be certain that the communications channel between their OT network and assets and the cloud monitoring system can’t be used as a vector for attack.

Ditching the Diode

The traditional solution to this problem was to deploy a data diode. A data diode enforces a one-way-only data flow in hardware. In normal operation, networked machines can both transmit and receive data. When connecting two networks, one of which is untrusted, a data diode physically removes one of the transmit/receive channels and enforces a unidirectional flow at the hardware level.

While this is great security in theory, it really doesn’t meet the requirement to secure the link between the OT network and the cloud-based monitoring system. Firstly, data diodes simply stop the flow of all data in one direction; they do nothing to secure the content being carried.

Many modern monitoring applications use bi-directional protocols such as HTTPS to communicate, and these require a two-way flow of information. Furthermore, they carry monitoring data encoded in a format such as XML or JSON.

A data diode won’t check or constrain this data, leaving the OT network and its assets open to attack if a threat actor is able to compromise the communications channel. So, what’s the alternative?

Securing the Link

Deep Secure Threat Removal Plus is a next-generation data diode: a combined hardware and software security solution that is ideally suited to securing the link between the OT network and the cloud-based monitoring system. Taking its lead from the diode, it uses unidirectional links, but it provides two of them separately inside the same physical device, one each for inbound and outbound traffic. This architecture means Threat Removal Plus natively supports bi-directional protocols such as HTTPS while at the same time preventing the outbound channel from being used by an attacker as a return path into the OT network. It also enforces inbound and outbound protocol breaks to combat network-level attacks.

We’ve already touched on a diode’s inability to check the content it carries. In theory this shouldn’t be an issue if monitoring data is only being “pushed” from the OT network to the cloud monitoring system. But what if application data encoded in XML or JSON, or rich content such as Office files, PDFs or images, needs to travel in the other direction? To mitigate this threat, every inbound connection is subject to a unique process to ensure it is threat-free. Using a technique called Threat Removal, all payload data is extracted from the protocol stream, constrained against pre-defined schemas, normalised and verified in hardware using FPGAs, then re-created and carried into the OT network over a fresh HTTPS connection. The same approach is applied to rich content.
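The software side of that extract, constrain, normalise and re-create step can be illustrated for JSON application data. The following is an added example written for this page, not Deep Secure’s own code, and it does not model the FPGA verification or the protocol break. The whitelist schema, the size limit, the field names and the sample messages are all constructed for the illustration; the point it demonstrates is that nothing from the original bytes is forwarded, only a fresh object built from values that passed every constraint.

```python
"""
Schema-constrained normalisation and re-creation of JSON monitoring payloads.

Added illustration, not Deep Secure's own code: it models in software the
"extract, constrain against a schema, normalise, re-create" steps described
above for JSON application data. The whitelist schema, limits and sample
messages are constructed for this example.
"""
import json
import re
from typing import Any

# Constructed whitelist schema for a telemetry message. Every permitted field is
# listed explicitly with its type and constraints; any field not listed is rejected.
SCHEMA: dict[str, dict[str, Any]] = {
    "asset_id":    {"type": str,   "pattern": re.compile(r"[A-Z0-9-]{1,32}")},
    "timestamp":   {"type": int,   "min": 0, "max": 2**40},
    "temperature": {"type": float, "min": -100.0, "max": 500.0},
    "status":      {"type": str,   "enum": {"OK", "WARN", "FAULT"}},
}
REQUIRED = {"asset_id", "timestamp", "status"}
MAX_PAYLOAD_BYTES = 1024  # constructed limit for a single telemetry message


class RejectedPayload(ValueError):
    """Raised when a payload fails any constraint; nothing partial is forwarded."""


def _no_duplicate_keys(pairs: list[tuple[str, Any]]) -> dict[str, Any]:
    """json.loads silently keeps the last of two duplicate keys; treat that as hostile."""
    seen: dict[str, Any] = {}
    for key, value in pairs:
        if key in seen:
            raise RejectedPayload(f"duplicate key {key!r}")
        seen[key] = value
    return seen


def _type_ok(value: Any, expected: type) -> bool:
    if isinstance(value, bool):
        return False  # bool is an int subclass in Python; never accept it as a number
    if expected is float:
        return isinstance(value, (int, float))  # an integer reading is fine for a float field
    return isinstance(value, expected)


def _check_field(name: str, value: Any) -> Any:
    """Validate one field against SCHEMA and return it coerced to the canonical type."""
    rule = SCHEMA[name]
    expected = rule["type"]
    if not _type_ok(value, expected):
        raise RejectedPayload(f"{name}: expected {expected.__name__}")
    if "pattern" in rule and not rule["pattern"].fullmatch(value):
        raise RejectedPayload(f"{name}: does not match the allowed pattern")
    if "enum" in rule and value not in rule["enum"]:
        raise RejectedPayload(f"{name}: not an allowed value")
    # The range check also rejects NaN and +/-Infinity, which json.loads accepts by default.
    if "min" in rule and not (rule["min"] <= value <= rule["max"]):
        raise RejectedPayload(f"{name}: out of range")
    return expected(value)


def normalise_payload(raw: bytes) -> bytes:
    """Parse, constrain and re-create one payload; returns fresh canonical JSON bytes."""
    if len(raw) > MAX_PAYLOAD_BYTES:
        raise RejectedPayload("payload too large")
    try:
        parsed = json.loads(raw.decode("utf-8"), object_pairs_hook=_no_duplicate_keys)
    except (UnicodeDecodeError, json.JSONDecodeError, RecursionError) as exc:
        raise RejectedPayload(f"not well-formed JSON: {type(exc).__name__}") from exc
    if not isinstance(parsed, dict):
        raise RejectedPayload("top level must be an object")
    unknown = set(parsed) - set(SCHEMA)
    if unknown:
        raise RejectedPayload(f"unknown fields: {sorted(unknown)}")
    missing = REQUIRED - set(parsed)
    if missing:
        raise RejectedPayload(f"missing fields: {sorted(missing)}")
    # Build a brand-new object from validated values only. The original bytes,
    # key order, whitespace, escapes and anything unlisted never reach the other side.
    clean = {name: _check_field(name, parsed[name]) for name in SCHEMA if name in parsed}
    return json.dumps(clean, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode("ascii")


def is_rejected(raw: bytes) -> bool:
    """True if the payload would be dropped rather than re-created."""
    try:
        normalise_payload(raw)
    except RejectedPayload:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample messages: one well-formed reading and several that must be dropped.
    samples = {
        "good":      b'{"status":"OK","timestamp":1700000000,"asset_id":"PUMP-07","temperature":41}',
        "unknown":   b'{"asset_id":"PUMP-07","timestamp":1700000000,"status":"OK","cmd":"x"}',
        "duplicate": b'{"asset_id":"A","asset_id":"B","timestamp":1,"status":"OK"}',
        "bool":      b'{"asset_id":"PUMP-07","timestamp":true,"status":"OK"}',
        "control":   b'{"asset_id":"PUMP\\u0000","timestamp":1,"status":"OK"}',
    }
    for label, raw in samples.items():
        print(label, "->", "REJECTED" if is_rejected(raw) else normalise_payload(raw))
```

Two design choices matter here. The output is serialised from a new dictionary rather than by editing the input, so a receiver only ever sees canonical, ASCII-only JSON in a fixed key order, and a payload that fails any single check is dropped whole rather than partially cleaned, which is the behaviour a protocol break on an OT boundary should have.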

The net result of this process is that any attempt by an attacker to use the channel to penetrate the OT network via application data, or to insert malware inside rich content, is always defeated. And there’s a further risk mitigation: because the verification process takes place in hardware logic, it can’t be remotely manipulated by an attacker, giving an incredibly small attack surface.


No Compromise

The arguments in favour of moving OT network monitoring and analysis to the cloud are overwhelming in terms of increased efficiencies, more agile decision-making and overall cost savings. Set against this is the question of how to achieve these benefits while still providing the highest levels of assurance that the link out of the OT network cannot be used by an attacker as a way in.

Deep Secure Threat Removal Plus addresses exactly this need, providing support for the modern bi-directional protocols that monitoring tools rely on, while delivering the very highest levels of assurance that the communications channel cannot be hijacked by an attacker and that the defence itself cannot be remotely compromised.

To learn more about Deep Secure Threat Removal Plus, go to www.deep-secure.com/ci or email contact-us@deep-secure.com.
