White House Pushes for Security

Since the ransomware attack on the Colonial Pipeline last month, the US government has become more vocal on the need for industrial cybersecurity. A recent memo from the White House to corporate executives and business leaders across the country urges them to protect their companies against hackers. Among the action items is the need to segment networks, to isolate OT from IT.

“It’s critically important that your corporate business functions and manufacturing/production operations are separated,” the memo states, “and that you carefully filter and limit internet access to operational networks, identify links between these networks and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised.”

The memo says that although the government is leading the fight against cyber attacks of all kinds, the private sector is also expected to play its part. Companies are urged to back up data, update systems, and test response plans and implementations. The memo also listed five best practices from the president’s Improving the Nation’s Cybersecurity Executive Order, including:

  1. Multifactor authentication
  2. Endpoint detection
  3. Response to an incursion
  4. Encryption
  5. A capable security team

Isolate Control Networks

Most of the recommendations could apply to any system or network exposed to the Internet, but the White House also included one directly related to industrial systems: Segment your networks to protect operations. Industrial control system networks, it says, should be isolated so they can continue operating even when the management network is compromised.

This was the case with the Colonial Pipeline incident last month. Although the hack caused turmoil in the company and a week of problems for the whole East Coast of the US, it could have been much worse. If the hackers had been able to take control of the pipeline itself, we might have witnessed physical damage both to property and the environment.

To avoid such problems, isolating control networks is critical. This is best accomplished using a DMZ, a “demilitarized zone” that separates control systems from management systems. Using a DMZ ensures that there is no direct link between corporate networks and control networks, and that only known and authenticated actors can enter the system at all.

Skkynet recommends using a DMZ for OT/IT networking, and provides the software needed to seamlessly pass industrial data across a DMZ-enabled connection. Most industrial protocols require opening a firewall to access the data, but Skkynet’s patented DataHub architecture keeps all inbound firewall ports closed on both the control and corporate sides, while still allowing real-time, two-way data communication through the DMZ.
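The segmentation model described above can be checked against a firewall rule set. The following is an added example, not Skkynet or DataHub code: the zone names (`it`, `ot`, `dmz`, `internet`), the `Rule` structure and the sample rules are all constructed for illustration.

```python
from dataclasses import dataclass

# Zone names are assumptions for this example:
# "it" = corporate network, "ot" = control network, plus "dmz" and "internet".
@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int
    action: str  # "allow" or "deny"

PROTECTED = {"it", "ot"}

def audit(rules):
    """Return (rule, reason) for every allow rule that breaks the DMZ model."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if {r.src, r.dst} == {"it", "ot"}:
            # The DMZ exists so that IT and OT never talk to each other directly.
            findings.append((r, "direct link between corporate and control networks"))
        elif r.dst in PROTECTED and r.src != r.dst:
            # Inbound ports stay closed on both sides; each side only dials out.
            findings.append((r, f"inbound port open on the {r.dst} side"))
        elif r.src == "ot" and r.dst == "internet":
            # The memo asks for filtered, limited internet access from OT.
            findings.append((r, "control network reaches the internet directly"))
    return findings

def is_isolated(rules):
    """True when no allow rule violates the model."""
    return not audit(rules)

# Constructed sample rule set (ports chosen for illustration only).
SAMPLE_RULES = [
    Rule("ot", "dmz", 8443, "allow"),       # OT dials out to the DMZ: fine
    Rule("it", "dmz", 8443, "allow"),       # IT dials out to the DMZ: fine
    Rule("it", "ot", 135, "allow"),         # DCOM endpoint mapper straight into OT
    Rule("dmz", "ot", 502, "allow"),        # inbound Modbus port opened on OT
    Rule("internet", "it", 3389, "deny"),   # deny rules are not findings
    Rule("ot", "internet", 443, "allow"),   # OT browsing the internet directly
]

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        print(f"{rule.src}->{rule.dst}:{rule.port}  {reason}")
```
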

We are pleased to see support for securing industrial control systems coming from the White House and US government, as well as governments and agencies throughout the industrialized world. A more secure environment will keep costs down and production running smoothly by keeping hackers out of our control systems.

Case Study: City of Montreal, Canada

DataHub used for connectivity and integration on $10 billion project

Situated on an island in the St. Lawrence River, the City of Montreal in Quebec, Canada has been blessed with an abundant supply of water. Yet ensuring that clean, fresh water reaches the city’s millions of residents every day requires constant attention. In 2004, the City of Montreal embarked on a 20-year, 10 billion dollar project to upgrade the quality of drinking water production and distribution in the city. This initiative includes better metering, infrastructure repair, new purification systems, and plant upgrades. The goal is to improve efficiency throughout the system.

As part of this project, water resource engineers at the Charles J. Des Baillets plant’s head office were recently given the job of integrating the production data from all of the city’s seven pumping stations. Their task was to provide a reliable and secure way to bring key data from those satellite plants into a central control location for storage and analysis.

The data is available on SCADA systems at each pumping plant, accessed through OPC servers. However, networking this vital data proved to be a challenge. Networking OPC DA using DCOM was neither reliable nor secure, so the engineering team decided to use OPC tunneling. They tried several popular OPC tunneling products, and the only one that worked well was the Cogent DataHub®.

The data collection and redistribution architecture that the project planners had in mind was quite complex. Primarily, they needed to collect data from all of the remote stations in a highly secure way, and log it at their central control location. Neither the central client nor anyone else should be able to write back to the OPC servers. They also needed to send the collected data to a third location for the company’s IT staff, and bridge to other OPC servers there. In addition, each pumping station needed to receive some of the data collected from the other pumping stations. And finally, some of the pumping stations were running fully redundant SCADA systems, so they needed redundancy built into the system at those locations.

“We started by connecting the Pierrefonds plant and the central location in Atwater for logging the data, with a second tunnel to the IT office for analytical use of the data,” said the project manager. “We had a few initial issues related to configuration and network addresses, and Cogent’s quick response was very helpful to resolve them. After this first experience with the DataHub, we were very enthusiastic to apply this solution to the rest of the plants in Montreal.”

As each location came online, while they were configuring the tunneling to the central office, the team realized that they had the necessary tool to share the data securely between satellite locations. On the DataHub at the central office they established a separate data domain for each plant, and created a read-only tunnel to receive the data. Then at each plant, they created a read-only tunnel from their local DataHub to the central DataHub to get the data from each of the other plants. This gave the operators at each plant a complete picture of what was going on throughout the system.

“To make intelligent decisions at a satellite plant, it is very helpful to know what’s happening across the city,” the project manager said. “Since all the data was there in the DataHub anyway, we decided to use it.”

With data logging and secure tunneling in place, the next feature to implement was redundancy. Several locations had completely redundant SCADA systems, each with its own OPC server. With help from Cogent, the team was able to establish a connection to the redundant OPC servers such that if one server failed for any reason, the DataHub would start receiving data from the second OPC server.

“The system has been running for months without any problems, logging the data we need to stay efficient,” said the project manager. “We are very pleased with the high quality of the DataHub, its flexibility to do what we need, and with Cogent’s excellent technical support at every point of the way. The data integration aspect of the City of Montreal’s water system upgrade project is meeting or exceeding its goals.”

Is Your Country Cloud-Ready?

Just as the clouds in the sky have no geographic limits and glide over all borders, we might hope that cloud computing would also be an international phenomenon. At the very least, as the various countries around the world go increasingly digital, cloud computing and real-time data interconnectivity should begin to take on a greater significance worldwide. The question then comes to mind: Which countries are best prepared for cloud computing?

A few weeks ago the BSA Global Cloud Scorecard was released, the first report of its kind. The BSA (Business Software Alliance) positions itself as an advocate for the software industry, and its membership is made up of many leading firms such as Microsoft, Apple, Oracle, Intel, Siemens, Sybase, and Dell. The Global Cloud Scorecard is an attempt to rate the top 24 ICT (Information and Communication Technology) countries in the world in terms of their readiness for cloud computing.

The results are interesting, indeed surprising in some ways. Although we would expect the more “developed” countries to be more advanced in their ability to support cloud computing, “troubling obstacles emerge when you examine the lack of alignment in the legal and regulatory environments in many of those advanced countries,” according to the report. At the same time, the strong desire for ICT in advancing countries like China, India, and Brazil doesn’t necessarily make them ideal environments for cloud computing either. Each country has its own legal dynamic that plays out in unique ways.

The 24 countries were evaluated in three broad areas:

1. The legal environment that ensures privacy and security, defines and restricts cybercrime, and upholds the rights of intellectual property.

2. Policies and support for international standards, e-commerce, and free trade.

3. ICT readiness of the general infrastructure, and policies for broadband Internet support.

The printed report provides the detailed scorecard for each country, by category, as well as some graphs for making quick comparisons. The website also features a page in which you can get a verbal summary of the situation, country by country.

Some of the trends that caught my eye included:

Japan is at the top of the chart, as the country is active in cybercrime treaties, IP laws, and international standards. They also have high broadband penetration, and plan to provide access to 100% of households by 2015.

Most European countries scored reasonably well. Germany is near the top, but may drop in the standings if they begin interpreting laws to restrict the flow of data across borders.

The USA is a leader in cybercrime laws; privacy protection is good at the individual level, but inconsistent at the state level. The country has high Internet use, but broadband coverage is not consistent.

China, India, Brazil, and Thailand all exhibit a strong and growing interest in ICT, but some significant gaps in privacy protection and cybercrime legislation.

Although there may be a few setbacks, my guess is that all of the countries in the report will have made substantial improvements in their scores in the next few years, and there may be new ones added. We look forward to seeing next year’s report.