Security for Industrial IoT
T he issue of remote data access to data from an industrial system is not new. For years plant owners have been creating ways for their managers, operators, maintenance technicians and partners to gain access to the valuable real-time information generated by their plants. Innovative business practices, such as globalization and just-in-time manufacturing, have driven a need to have low-latency remote access to this data, often through untrusted networks to semi-trusted end users. For example, a manufacturer may want to share production information with a remote supplier, but not provide login access to the manufacturing system or database.
Several fundamental security problems have arisen from this need for remote real-time access:
Exposure to attack from the Internet. When a plant allows a user to access the system remotely, it naturally creates an attack surface for malicious actors to attempt to also gain access to the system.
Exposure to attack from the IT network. If a plant allows a user to access the system remotely, it also needs to expose itself to the network infrastructure of the company’s IT system. Generally the plant network is a subnet within the larger company network. Entry into the plant will be via the IT infrastructure. Attacks from the IT network are less likely, but some kinds of problems in the IT network could disrupt normal network data flow on the plant network. It is wise to separate the IT and plant networks as much as possible.
Remote access beyond the required data. Giving a remote user access to a desktop, such as Microsoft RDP, means that a curious or malicious user can try to gain access to programs and data beyond what was intended. Even if the user is trustworthy, but the user’s system is compromised, a remote access program becomes a point of attack into the plant system.
Exposure of a portion of the plant network. Some plants have chosen to use VPN connections to limit Internet attacks. However a VPN effectively puts all participants onto a local sub-network, which gives the participating machines effectively local network access to one another. Compromising any machine on the network (such as a remote supplier) produces an opportunity for an attacker to hack into the plant network via the VPN.
High cost. VPNs, RDP entry points, firewalls and routers require ongoing attention and effort from IT personnel. This cost increases as the number of participants in the system increases. Plants that do not devote the resources to IT are more likely to implement their remote data access less securely.
How can Skkynet Help?
Skkynet’s unique solution, SkkyHub™, provides a mechanism for dealing with all of the traditional security problems in remote plant data access.
NO Exposure to attack from the Internet. Users of Skkynet’s SkkyHub install an agent within the plant that collects plant information and pushes it out to Skkynet’s real-time data servers. Since this connection is outbound, from the plant to the Internet, there is no requirement for the plant to open any inbound TCP ports, and thus the plant never exposes itself to attack from the Internet.
NO Exposure to attack from the IT network. It is good practice to isolate the plant from the IT network using a router that allows only out-bound connections from the plant into the IT network. Using the SkkyHub service, the IT network can be treated as untrusted by the plant, and a firewall placed between the two that allows no inbound connections into the plant. Disruptions on the IT network will not affect data flow within the plant network, though they could affect data flow from the plant to the Skkynet service. The plant remains secure and functional, even if remote data access is degraded.
We designed a solution to address all traditional security problems in remote plant data access.
NO Remote access beyond the required data. Using SkkyHub, the plant decides which data to make available remotely. The plant engineer can choose any subset of the data produced by his plant, and make it available to remote users in data groups. Each group has its own read/write permissions as well as limits based on the remote user name and the IP address from which the remote user is connecting. The remote user has no mechanism to extend his access to data beyond what the plant engineer allows him.
NO Exposure of a portion of the plant network. The SkkyHub service does not create a VPN, or any kind of general-purpose network construct. It only makes a TCP connection for the transmission of data. Consequently, no participating machine is ever exposed to any other via a local network or VPN. The data can be routed through network proxies, data proxies and DMZ servers to ensure that the plant network never has a direct connection to the Internet, even for outbound connections. Participating systems in the Skkynet service never need to share a network.
NO High cost. SkkyHub eliminates many security hurdles, thereby substantially reducing the IT cost of implementation. Often, a plant can participate in the Skkynet service without any change to existing IT infrastructure. The plant has no need to hire extra IT expertise or to install extra networking equipment. Often the only cost is for configuration of the Skkynet agent at the plant and the Skkynet service itself.
Skkynet’s technology follows good industry practice by using SSL connections for all Internet traffic, and by validating the trust chains of certificates. This enhances your security for Industrial IoT, and protects you against network snooping and against man-in-the-middle attacks.
