Planning for Industry 4.0
In this second part, I'll examine the technical challenges that need to be overcome and explain how Forcepoint’s portfolio of products for critical infrastructure providers can be used to underpin the initiative.
OT to IT Connectivity
The journey to Industry 4.0 starts with assessing how securely and reliably data can flow from OT to IT. Typically, the requirement here will be to extract logs to monitor the performance and security of the OT network. There may be a further requirement to extract data from the OT network to support the predictive maintenance of OT equipment. Often, this communications channel is guarded with a data diode.
In normal operation, networked machines are capable of both transmitting and receiving data. When connecting between two networks, one of which is untrusted, a data diode physically removes one of the transmit/receive channels and enforces a unidirectional flow at a hardware level. In short, data can physically flow from OT to IT but not from IT to OT.
The data diode mitigates the risk of the channel being used by an attacker to get in, but it can create a problem of its own. With a unidirectional flow enforced in hardware, there is no mechanism for reporting back to the sending application on the OT network that all of the data has successfully arrived on the IT network. This can be costly and complex to resolve, often involving pairs of data diodes operating in opposing directions, manual interventions, or both.
The Forcepoint High Speed Verifier (HSV) is a new type of diode that addresses the requirement for both security and reliability and is ideally suited to Industry 4.0. Protected by protocol breaks to stop network-level attacks, the HSV enforces separate unidirectional data flows in software, meaning it can support the modern bidirectional protocols needed not only to send data from OT to IT, but also to reliably confirm that it has arrived.
IT to OT Connectivity
The next area for consideration is how to allow data to flow securely and reliably from IT to OT. Typically, the requirement here will be to import operating system updates and anti-virus signature updates into the OT environment. There may also be a requirement to bring in “IT files” such as PDF operating or maintenance manuals.
Here again, the Forcepoint HSV can be used to connect IT to OT in a manner that is both secure and reliable. Operating between “staging servers” on the IT and OT networks, the HSV can carry updates across the IT/OT boundary, ensuring the file stores on either side are mirrored and up to date. If there is a requirement to import IT files such as PDFs, the HSV includes Forcepoint’s unique Zero Trust Content Disarm and Reconstruct (CDR) technology, which renders files such as PDFs malware-free without relying on detection. A further characteristic of the HSV is that the data it carries is verified in hardware logic (FPGAs), meaning that if an attacker were to compromise the IT network, they could not remotely compromise the HSV itself to gain access to the OT network.
Secure Monitoring in the Cloud
From a security perspective, the goal of an Industry 4.0 initiative is that it supports monitoring in the cloud that is both secure and reliable. The Forcepoint HSV can be used to achieve this, securing the connection between the OT network and a cloud monitoring platform such as the Microsoft Azure Cloud Monitoring Service.
The HSV is ideally suited to this task. It can support bidirectional web application protocols like HTTPS and JSON, the sort of protocols that are typically needed to carry OT data to cloud monitoring platforms. It enforces one-way data flows and protocol breaks, and is designed for non-stop operation with high availability and failover built in. The HSV’s CDR capability can be configured to verify that the data being carried is safe by constraining it to pre-defined data schemas; because this verification is performed in hardware using FPGAs, it can’t be remotely compromised by an attacker.
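As an added illustration of the schema-constrained verification described above (my own example, not Forcepoint code; the telemetry field names, ranges and sample messages are constructed), the following Python accepts only readings that match a fixed allow-list schema and rebuilds each message from validated values instead of forwarding the original bytes:

```python
import json
# Hypothetical, constructed schema for one OT telemetry reading. Every field is
# allow-listed with its type and, for numbers, a permitted range; anything not
# listed here is rejected rather than inspected for known-bad content.
TELEMETRY_SCHEMA = {
    "sensor_id": {"type": str, "max_len": 32},
    "timestamp": {"type": int, "min": 0, "max": 2**53},
    "temperature_c": {"type": float, "min": -50.0, "max": 500.0},
    "status": {"type": str, "allowed": {"ok", "warn", "fault"}},
}

def verify_and_rebuild(raw: bytes):
    """Return a freshly built dict if raw conforms to the schema, else None.
    No input bytes are forwarded: the output is rebuilt field by field
    from values that have each passed verification."""
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    # Exactly the schema's keys: unexpected or missing fields reject the message.
    if not isinstance(msg, dict) or set(msg) != set(TELEMETRY_SCHEMA):
        return None
    rebuilt = {}
    for key, rule in TELEMETRY_SCHEMA.items():
        val, typ = msg[key], rule["type"]
        accept = (int, float) if typ is float else typ  # JSON 21 is a valid 21.0
        if isinstance(val, bool) or not isinstance(val, accept):  # bool is an int
            return None
        if typ is str:
            if len(val) > rule.get("max_len", 64) or not val.isprintable():
                return None
            if "allowed" in rule and val not in rule["allowed"]:
                return None
        elif not rule["min"] <= val <= rule["max"]:
            return None
        rebuilt[key] = typ(val)
    return rebuilt

# Constructed sample messages: one conforming, three that must be dropped.
GOOD = b'{"sensor_id":"pump-07","timestamp":1700000000,"temperature_c":71.5,"status":"ok"}'
BAD = [
    b'{"sensor_id":"pump-07","timestamp":1700000000,"temperature_c":71.5,"status":"ok","extra":1}',
    b'{"sensor_id":"pump-07","timestamp":1700000000,"temperature_c":9999,"status":"ok"}',
    b'{"sensor_id":"pump-07","timestamp":1700000000,"temperature_c":71.5,"status":"reboot"}',
]

def run_samples():
    """Return (rebuilt good message, number of bad messages rejected)."""
    return verify_and_rebuild(GOOD), sum(verify_and_rebuild(b) is None for b in BAD)
```

The point of rebuilding rather than passing the parsed object through is that nothing outside the schema, whether an unexpected key, an out-of-range value or a non-printable string, can reach the far side even if the parser tolerated it.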
OT Data on Demand
Moving to Industry 4.0 involves adopting cloud-centric computing to deliver OT data on demand to stakeholders – wherever they are. Organisations looking to do this need to be able to share data across physically, logically and administratively separated networks in a reliable, secure and interoperable manner.
Forcepoint’s portfolio of products for critical infrastructure providers – Firewalls, Data Diodes, Data Guards, High Speed Verifiers (HSVs) and CDR capabilities – enables organisations to achieve this, ensuring the availability, integrity and confidentiality of the data being carried from OT to IT and on to the cloud.