NIS 2 Raises the Bar for Network Security

Key directive: One or more DMZs are needed for the most secure, manageable, and scalable segregation of control and corporate networks.

The recent adoption of a new NIS 2 Directive by the European Commission is a sign of the times.  Beset by a world-wide pandemic, many companies across the EU have turned to digital technologies to allow their workforce to stay productive, and to facilitate access to valuable production data.  This has led to unprecedented levels of industrial data being passed between company networks and across the Internet, increasing the risk of exposure to malicious intruders.

To combat the threat, the European Commission has accepted revisions to the Directive on Security of Network and Information Systems (NIS), now calling it NIS 2. Among other things, this document mandates a number of basic security elements, including standards for networking data between the production and corporate levels of a company.

The Commission has tasked ENISA, the European Union Agency for Network and Information Security, with implementing the standards.  In pursuit of this mandate, ENISA relies on the expertise of three well-known bodies, NIST, ISO, and ISA to provide detailed descriptions of how network security should be implemented, as published in its Mapping of OES Security Requirements to Specific Sectors document.

Using DMZs

For example, the recommended way to bring process data into the corporate office is summed up in NIST document SP-800-82.  It says: “The most secure, manageable, and scalable control network and corporate network segregation architectures are typically based on a system with at least three zones, incorporating one or more DMZs.”

These three zones are the control zone (OT), the corporate zone (IT), and the DMZ itself.  The document describes the value and use of firewalls to separate these zones, and to ensure that only the correct data passes from one to the other. Using a DMZ ensures that there is no direct link between corporate networks and control networks, and that only known and authenticated actors can enter the system at all.

Skkynet recommends using a DMZ for OT/IT networking, and provides the software needed to seamlessly pass industrial data across a DMZ-enabled connection.  Most industrial protocols require opening a firewall to access the data, but Skkynet’s patented DataHub architecture keeps all inbound firewall ports closed on both the control and corporate sides, while still allowing real-time, two-way data communication through the DMZ.

Unlike MQTT, which cannot reliably daisy-chain connections across the three zones as ENISA recommends, the DataHub maintains a complete copy of the data and connection status from the source to final destination.  Thus, it provides accurate indicators of data reliability at each zone in the system, along with making the data itself available.

We applaud the European Commission for its no-nonsense stance on cybersecurity with NIS 2, and encourage all EU members, indeed any company expanding its use of corporate networking, Industrie 4.0, or Industrial IoT technologies to adhere closely to the guidance of ENISA, and to implement three-zone security using one or more DMZs.

Security During a Pandemic

Back in March of this year, Newsweek Vantage published a special report on industrial cybersecurity titled Weathering the Perfect Storm.  No sooner had it been released than we were broadsided by the COVID-19 crisis.  In response, Newsweek editor Nigel Holloway sat down to discuss this new challenge with the two main contributors to the article: Eric Cosman, President of the International Society of Automation (ISA), and Steve Mustard, an ISA executive board member.

Their insights on industrial cybersecurity during the pandemic were recorded, and are available on the ISA website.  Here are some of the highlights:

Both Cosman and Mustard agree that you need to prepare for the unexpected, even though it is difficult to imagine what that might be.  Having so many more people working remotely during this pandemic is probably leading to more cyber vulnerabilities.  Adversaries are going to try to exploit these weaknesses, and the quick, easy solution is not always the most secure.  In any case, now is the time to act.

Security – robust yet invisible

Increasing security can add friction, and people often look for creative ways to get around it.  “Convenience is at the other end of the scale to security,” said Mustard.  Cosman suggests: “We need to find ways to make security robust, yet almost invisible….The theme that goes through all of this is to integrate security into your work processes in such a way that is not seen as something that’s added on.”

IT and OT working together?

Another challenge is the difference between IT and OT (Operations Technology) cultures.  Both are running mission critical systems, but while IT thrives on change, OT shuns it. You can’t be updating an industrial system every few hours or playing what-if scenarios on a running production line.  What Mustard and Cosman suggest is to form a team of experts from both IT and OT, the “right people with the right skills and the right experience, who have the right understanding, irrespective of what organization they may come from.”

The right tools

To this we would add: Give these people the right tools.  At the heart of the security issue is providing secure access to OT system data.  Much of the exposure for remote access comes from using IT technologies like VPNs in environments and scenarios they were not created for.  Other risks stem from using industrial protocols not designed for open networks like the Internet.

That’s why we offer data communication tools that are secure by design.  Industrial users should not have to compromise—either on security or convenience.  For our large and growing customer base, frictionless, secure access to their industrial data provided by the DataHub is a normal daily experience.  Their plants and production lines are linked in real time, they monitor their systems securely from remote locations, and they can send control commands as needed.  When the COVID-19 pandemic hit, they simply kept on working, keeping their staff safe and their mission-critical processes secure.

Working Remotely to Stop Coronavirus

Companies using Skkynet software and services expect high security for their data communications. They know they can stop computer viruses by keeping all inbound firewall ports closed. Now, with the coronavirus looming large we must do pretty much the same thing in real life. We need to keep our distance and stay behind physical walls as much as possible. And yet work must go on. The data must get through. We need to work remotely, if possible.

The problem is, logging in remotely can be risky.  Typically, you need to expose your servers via the web or a VPN―and that’s a risk that our industrial control customers cannot take.  They need tighter security, to access their process data without exposing the process servers and networks.  Skkynet’s unique tunnelling technology provides this kind of secure access.  It lets users securely push data from their plants to our SkkyHub service, where they can access it in real time, all without opening firewalls to the outside world.

A Helping Hand

We are now offering this service at no cost to help our customers weather the coronavirus storm. For the next three months any DataHub user can connect to SkkyHub free of charge. A simple tunnel connection provides a way to access data remotely, even through DMZs and proxies. The SkkyHub service includes a web-based interface, SkkyHub WebView, that lets people build dashboards to access their data and interact with their systems from home. Those who are new to WebView can quickly get up to speed, designing pages through its web interface.  With SkkyHub, users can view and operate their control systems remotely as quickly and easily as being right in the control room.

Let’s face it. These are not easy times. Some factories have been forced to shut down, and restarting will be difficult, as Matthew Littlefield at LNS Research explains in this blog, Closing Factories is Hard, Re-Opening will be Harder. Remote access can alleviate these problems to some degree, but it must be reliable and above all, secure.

In another blog, Coronavirus Lessons for Industrial Cybersecurity: Quarantines, Sid Snitkin at ARC Advisory Group compares quarantines for coronavirus to securing industrial systems, and suggests, “Use DMZs, firewalls, zero-trust access control, anti-malware software, awareness training, and security hygiene to reduce the likelihood of an initial compromise.” He also recommends system segmentation to limit lateral movement of viruses, continuous device and system monitoring, and strengthening tools to prevent future attacks.

Doesn’t that sound a little like social distancing, washing hands, not travelling, and keeping our immune systems strong? The social structures we have developed throughout history and the technical systems we have built recently are not as different as we might imagine. They both can serve us well, but we need to protect them and keep them, like ourselves, in good health.

US Gas Pipeline Ransomware Shutdown – A Ready Solution

An entire US gas pipeline was shut down for two days due to a ransomware attack according to a recent report from the US Cybersecurity and Infrastructure Security Agency (CISA). The hackers sent a spear-phishing email to someone on the IT network that crossed over into the OT network and infected HMIs, data historians, and polling servers on the process control system. Although only one facility was hit, management shut down the whole pipeline for two days, resulting in loss of productivity and revenue to the pipeline, as well as to upstream production systems and downstream distribution networks.

This need not have happened. There is a simple remedy―isolate the OT network. They could have used Skkynet software on a DMZ to keep their firewalls closed and their gas pipeline system secure.

Using a DMZ

The first technical recommendation in the CISA report is to segment networks using a DMZ: “Implement and ensure robust Network Segmentation between IT and OT networks to limit the ability of adversaries to pivot to the OT network even if the IT network is compromised. Define a demilitarized zone (DMZ) that eliminates unregulated communication between the IT and OT networks.”

The easiest and most cost-effective way to pass production data securely through a DMZ is using DataHub tunnelling. Because it is secure by design, DataHub tunnelling can provide bidirectional data flow with no open inbound firewall ports, and no VPNs. The key is to access the data, not the network. This technology has been deployed in mission-critical systems worldwide for over 20 years, and was implemented recently in the TANAP project in which DataHub software was used to securely transmit process data from an 1800 km pipeline into a central control system through closed firewall ports.

Secure OT Assets

The second technical requirement recommended by CISA is to secure OT assets as much as possible.  The report said, “Organize OT assets into logical zones by taking into account criticality, consequence, and operational necessity. Define acceptable communication conduits between the zones and deploy security controls to Filter Network Traffic and monitor communications between zones. Prohibit Industrial Control System (ICS) protocols from traversing the IT network.”

Again, DataHub tunnelling is a ready, off-the-shelf conduit for making the necessary connections.  It provides secure, bidirectional real-time data mirroring between logical zones of OT assets, and from OT to IT. Data traverses the tunnel using the DHTP protocol, and can be converted to or from industrial protocols at either end.
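The three-zone pattern from the NIS 2 post (no direct OT/IT link, inbound ports closed on both sides) and the CISA points above (zones, conduits, no ICS protocols crossing IT) can be expressed as a firewall policy check. The following is an added example, not Skkynet's or CISA's code; the zone names, protocol names and port numbers in the sample rule sets are constructed for the demonstration.

```python
from dataclasses import dataclass

# Added example (not Skkynet's code): a checker for the three-zone
# OT / DMZ / IT firewall policy described in the posts. Zone names,
# protocol names and the port numbers below are constructed for the demo.
ZONES = {"OT", "DMZ", "IT"}
ICS_PROTOCOLS = {"modbus", "opcua", "dnp3"}

@dataclass(frozen=True)
class Rule:
    """One allow rule: src initiates the TCP connection, dst listens."""
    src: str
    dst: str
    proto: str
    port: int

def check_rules(rules):
    """Return policy violations; an empty list means the rule set complies."""
    findings = []
    for r in rules:
        if r.src not in ZONES or r.dst not in ZONES:
            findings.append(f"unknown zone: {r}")
            continue
        # NIST SP 800-82: no direct link between control and corporate networks
        if {r.src, r.dst} == {"OT", "IT"}:
            findings.append(f"direct OT<->IT path: {r}")
        # "Inbound firewall ports closed on both sides": only the DMZ may
        # accept connections; OT and IT always connect outward to it
        if r.dst in ("OT", "IT"):
            findings.append(f"inbound listener opened in {r.dst}: {r}")
        # CISA: prohibit ICS protocols from traversing the IT network
        if r.proto.lower() in ICS_PROTOCOLS and "IT" in (r.src, r.dst):
            findings.append(f"ICS protocol {r.proto} reaches IT: {r}")
    return findings

# Constructed sample rule sets
TUNNELLED = [                        # both sides push out to a relay in the DMZ
    Rule("OT", "DMZ", "dhtp", 4502),
    Rule("IT", "DMZ", "dhtp", 4502),
]
TRADITIONAL = [                      # corporate and DMZ hosts poll into the plant
    Rule("IT", "OT", "opcua", 4840),
    Rule("DMZ", "OT", "modbus", 502),
]

if __name__ == "__main__":
    for name, rs in (("tunnelled", TUNNELLED), ("traditional", TRADITIONAL)):
        print(name, check_rules(rs) or "compliant")
```

Run against a real rule export, the same three checks flag every rule that lets a corporate or DMZ host open a connection into the plant, which is exactly the path the CISA report describes the attackers using.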

Of course, the most secure system relies on sound planning and operational strategies in addition to strong technical and architectural solutions. The choice of software is one element of a larger picture. But in this case, simply using Skkynet IoT software would have prevented this gas pipeline shutdown altogether.

Case Study: TANAP Pipeline, Turkey

Skkynet’s DataHub middleware was used by ABB for secure, real-time data networking on the Trans-Anatolian Natural Gas Pipeline (TANAP) project in Turkey.

Secure IoT Gateway Architecture

An enhanced, secure-by-design OPC UA to MQTT gateway can pass data through a DMZ or IT department, keeping all inbound firewall ports on the plant closed.