Adding devices that harden perimeter access, together with correct network segmentation, is one of the basic countermeasures to consider within a defense-in-depth strategy.
Why is network hardening so relevant?
The lack of devices that enable secure access to the OT network, their improper configuration, deployment with default settings, and/or the absence of network segmentation policies all increase the exposure of the equipment, processes and systems in the operations environment to external and internal threats.
The most suitable segmentation and hardening measures must be chosen taking into account the existing network architecture of each plant and the criticality of the process. In any case, given the particular nature of OT environments, raising the security of industrial networks requires first auditing their current state: taking an inventory of the devices connected to them, identifying the media through which each one is accessed, and analysing the level of segmentation actually in place.
One of the most widely used tools for network hardening is the so-called data diode. It is a hardware device (its one-way behaviour is enforced physically, not by firmware rules as in a firewall) that separates and protects two networks and guarantees that information flows in one direction only: data from one network reaches the other, but never the reverse. It is strongly recommended for highly critical environments that need an almost insurmountable security barrier.
Among the options to consider is the FOX IT data diode, which consists of hardware that enforces one-way traffic (through fibre-optic transceivers) and two servers, called proxies. These run specific applications to transmit information in one direction in critical infrastructures and industrial environments over protocols such as Modbus or OPC, or data stored in industrial databases such as OSIsoft PI or Wonderware Historian.
The key point of a data diode is that bidirectional protocols (typically TCP, which requires a three-way handshake) are interpreted and "broken" at the proxies: the source-side proxy terminates the TCP session locally, the data crosses the diode hardware as a unidirectional stream between the two proxies, and the destination-side proxy re-presents it to the receiving network as an ordinary bidirectional session, without any return path ever crossing the diode. A practical consequence to keep in mind is that, since no acknowledgement can travel back, the sending side cannot learn whether a frame was lost; the proxies therefore rely on sequence numbers, checksums and redundant transmission instead of TCP retransmission, and the receiving side can only detect a gap, not request the missing data.
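To make the proxy-diode-proxy pattern concrete, the following is an added, simplified in-memory simulation written for this page; it is not code from FOX IT or any other vendor. The frame format (sequence number, length, CRC32), the repeat count and the sample historian records are all assumptions made for the illustration. It shows the two points the text makes: the source proxy is the only side that can push data through the link, and because nothing can come back, loss is handled by redundancy and sequence-gap detection rather than by retransmission.

```python
"""Simplified simulation of a data diode with two proxies (hypothetical code)."""
import json
import struct
import zlib
from dataclasses import dataclass, field


class DiodeLink:
    """Models the one-way hardware. Only tx_send() exists on the sending side;
    the receiving side has rx_drain() and no way to send anything back."""

    def __init__(self, drop_every: int = 0):
        self._pipe = []
        self._sent = 0
        self._drop_every = drop_every  # assumption: simulate occasional frame loss

    def tx_send(self, frame: bytes) -> None:
        self._sent += 1
        if self._drop_every and self._sent % self._drop_every == 0:
            return  # frame lost on the fibre; nobody can ask for a resend
        self._pipe.append(frame)

    def rx_drain(self) -> list:
        frames, self._pipe = self._pipe, []
        return frames


FRAME_HDR = struct.Struct("!IHI")  # seq, payload length, crc32 (assumed format)


def encode_frame(seq: int, payload: bytes) -> bytes:
    return FRAME_HDR.pack(seq, len(payload), zlib.crc32(payload)) + payload


def decode_frame(frame: bytes):
    """Return (seq, payload), or None if the frame is truncated or corrupt."""
    if len(frame) < FRAME_HDR.size:
        return None
    seq, length, crc = FRAME_HDR.unpack_from(frame)
    payload = frame[FRAME_HDR.size:]
    if len(payload) != length or zlib.crc32(payload) != crc:
        return None
    return seq, payload


class SourceProxy:
    """OT-side proxy. It would answer the historian's TCP session itself
    (handshake, ACKs) and only push data frames into the diode. Since no ACK
    can ever return, each frame is transmitted `repeat` times."""

    def __init__(self, link: DiodeLink, repeat: int = 2):
        self.link, self.repeat, self.seq = link, repeat, 0

    def publish(self, record: dict) -> int:
        self.seq += 1
        frame = encode_frame(self.seq, json.dumps(record, sort_keys=True).encode())
        for _ in range(self.repeat):
            self.link.tx_send(frame)
        return self.seq


@dataclass
class DestinationProxy:
    """IT-side proxy. Verifies the CRC, dedupes repeats by sequence number and
    reports gaps: a missing sequence number is the only evidence of loss."""
    link: DiodeLink
    records: dict = field(default_factory=dict)
    corrupt: int = 0

    def poll(self) -> None:
        for frame in self.link.rx_drain():
            decoded = decode_frame(frame)
            if decoded is None:
                self.corrupt += 1
                continue
            seq, payload = decoded
            self.records.setdefault(seq, json.loads(payload))

    def missing_seqs(self) -> list:
        if not self.records:
            return []
        return [s for s in range(1, max(self.records) + 1) if s not in self.records]


def demo(drop_every: int = 0, repeat: int = 2):
    """Push four constructed historian samples across the diode and report
    what arrived and which sequence numbers are missing."""
    link = DiodeLink(drop_every=drop_every)
    src, dst = SourceProxy(link, repeat=repeat), DestinationProxy(link)
    for i, value in enumerate([101.5, 102.0, 99.8, 100.3]):  # constructed sample data
        src.publish({"tag": "PT-101", "ts": 1700000000 + i, "value": value})
    dst.poll()
    return {s: r["value"] for s, r in sorted(dst.records.items())}, dst.missing_seqs()


if __name__ == "__main__":
    print(demo())                        # no loss: four records, no gaps
    print(demo(drop_every=3, repeat=1))  # no redundancy: the lost frame becomes a gap
    print(demo(drop_every=3, repeat=2))  # duplicate frames cover the single loss
```

Run as a script, the three `demo()` calls show the trade-off a practitioner has to make when sizing a diode deployment: without a return channel the only defences against loss are redundancy and gap monitoring on the receiving proxy, so alerting on `missing_seqs()` belongs in the monitoring of any diode link.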