Securely Connecting Your Plant to the Outside World

-Luke Amory, Danbury, CT

Traditionally, when working with operationally sensitive equipment such as HMI/SCADA systems, the established practice has been to “air-gap” your equipment and prevent any access from the outside world. Globalization, regulations, and the advent of AI have made this practice obsolete and costly to your bottom line. Plants that choose to be “air-gapped” lose out on new innovations that allow for increased oversight and efficiency optimization of plant systems. Thankfully, there are options for plant engineers who want to access facilities remotely without compromising on security.

The simplest implementation of plant connectivity is accomplished by adding an application-aware firewall. This device is often marketed under the moniker “Security Appliance”, “SCADA Fuse”, or “Secure Router”. A device such as this would be used in a scenario where the plant network is expanded to access portions of the corporate LAN. The firewall sits between the corporate side and the plant side, monitors ingress and egress traffic, and prevents unwanted communications by enforcing rules defined by the administrator. The flaw with this implementation is that, by extending plant communications protocols outside of their normal bounds, your plant becomes exposed to the inherent vulnerabilities in these industrial communications protocols. Most industrial protocols were developed to be implemented exclusively in these “air-gapped” networks and were therefore optimized for ease of implementation and access. Because these protocols lack modern features such as encryption and mutual authentication, their traffic can be modified in transit or spoofed entirely. This creates a scenario where a party with malicious intent, or “bad actor”, on the corporate side of the network can potentially infiltrate the plant side of the network.
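As an added illustration (not code from the article or from any vendor), the sketch below shows the kind of rule an application-aware firewall enforces on an industrial protocol. It assumes Modbus/TCP as the plant protocol, which the article does not name, and the read-only policy, unit IDs and sample frames are constructed for the example.

```python
import struct

# Assumed policy for this example: the corporate side may only read, and only
# from these unit IDs. Both sets are illustrative values, not from the article.
READ_ONLY_FUNCTIONS = {0x01, 0x02, 0x03, 0x04}
ALLOWED_UNITS = {1, 2}


def inspect_frame(frame: bytes) -> tuple[bool, str]:
    """Return (allow, reason) for one Modbus/TCP request crossing the boundary."""
    if len(frame) < 8:  # 7-byte MBAP header plus at least a function code
        return False, "truncated frame"
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        return False, "protocol id is not Modbus"
    # The length field counts the unit id plus the PDU that follows it.
    if length != len(frame) - 6:
        return False, "length field mismatch"
    if unit not in ALLOWED_UNITS:
        return False, f"unit {unit} not permitted"
    func = frame[7]
    if func not in READ_ONLY_FUNCTIONS:
        return False, f"function 0x{func:02x} blocked"
    return True, "read request permitted"


def build_request(unit: int, func: int, data: bytes) -> bytes:
    """Build a constructed Modbus/TCP request for the samples below."""
    pdu = bytes([func]) + data
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, unit) + pdu


# Constructed sample frames (not captured traffic).
SAMPLES = {
    "read holding registers": build_request(1, 0x03, struct.pack(">HH", 0, 10)),
    "write single register": build_request(1, 0x06, struct.pack(">HH", 5, 1234)),
    "read from unlisted unit": build_request(9, 0x03, struct.pack(">HH", 0, 10)),
    "trailing byte appended": build_request(1, 0x03, struct.pack(">HH", 0, 10)) + b"\x00",
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        allow, reason = inspect_frame(frame)
        print(f"{name:26} {'ALLOW' if allow else 'DROP '} {reason}")
```

A frame that passes this check is still unauthenticated: the rule narrows what can cross the boundary, but it cannot tell a legitimate corporate client from a spoofed one, which is the limitation described above.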

Alternatively, a more conservative solution to this problem is to implement what is called a protocol conversion gateway. This gateway, like a firewall, sits between the plant network and the corporate network, translating communications from each side using mappings configured by the administrator. This device converts insecure plant protocols to more secure protocols such as BACnet or OPC-UA without exposing unsecured plant equipment to the corporate network. Unfortunately, the level of security provided by a device such as this can vary widely. Unless explicit specifications for a secure implementation are provided, the lowest bidder will not provide these security measures by default and will forgo them in favor of simpler maintenance and configuration.

With the Preferred Cloud Platform, we have approached this problem from a different direction. The integrity of our networks and our customers’ networks is paramount, and we have designed a platform to protect it. From the beginning, we have designed our systems with security in mind at every step, so that even if there is a catastrophic failure in one part of our infrastructure, the attacker has no means by which to extend the attack to our customers. By collecting data locally with our cloud gateway and ingesting it into our isolated and secured infrastructure, we can provide all the benefits of a connected plant without creating an attack vector from your corporate network or burdening your team with complicated security configurations. Preferred also leverages this connectivity to supply operations teams with tools that make you more aware of problems with your equipment and help you optimize your plants for peak efficiency.

View the Preferred Cloud Platform here!
