Perimeter security and network segmentation

We provide services and technologies to help you protect, fortify and segment networks



Not having devices to permit secure access to the OT network, not configuring them correctly, deploying them with default settings and/or the lack of network segmentation policies mean that the equipment, processes and systems located in the operating environment are more vulnerable to both external and internal threats. This is why incorporating devices to reinforce perimeter access and properly segmenting networks is one of the basic countermeasures which need to be considered within a defence in depth strategy.
[button type=”big” link=”ón-redes_wp.pdf” color=”green” newwindow=”yes”]Read our white paper and learn how to fortify and segment your OT environment[/button]
We provide services and technologies to help you protect, fortify and segment networks:
SCADA network analysis
The main aims of this intervention are to analyse current SCADA network status, to provide a proposal for its desirable condition and to supply a transition guide to be able to reach this desirable condition.

We perform analysis of SCADA networks by carrying out three phases (preparation, execution, analysis). This in turn is executed by means of the following six stages:

  1. Signing of the commitment.
  2. Compilation of information.
  3. Planning, design and adaptation of the analysis form.
  4. Collecting information.
  5. Analysis of information.
  6. Presentation of results.

The five aspects we analyse are:

  1. Physical security.
  2. Network electronic configuration.
  3. Visibility and access between networks.
  4. Protocols.
  5. Network fault tolerance and availability.
Industrial firewall

You are sure to ask what differentiates the firewall your IT department implements in your “back-office” and the firewall we recommend you use in OT environments. Here is the answer:

  • Industrial firewalls have been designed specifically with environmental settings and industrial network operation in mind.
  • Their installation and deployment is not intrusive or invasive.
  • Their configuration and rule management modules are easy to use.
  • They incorporate specific features to enable you to increase OT network security
  • They can be installed between SCADA and PLC systems to carry out DPI (Deep Packet Inspection). That is,they enable traffic to be segmented by specifying typically industrial protocols (Modbus TCP/IP, Ethernet IP, OPC, etc).

The main differences between traditional and industrial firewalls are summarised in this figure.

Firewall industrial

Data diode

The data diode is a hardware device (there is no firmware as in the case of firewalls) that separates/protects two networks by ensuring unidirectionality of information flow.

It ensures that the information from one network reaches another network (but not vice versa). If your environment is really critical and you want to equip your infrastructures with an almost unbreakable level of security, the solution you need to apply is the data diode.

Diodes replace the traditional DMZ and usually have certifications such as Common Criteria EAL 7+ (Netherlands Scheme), Common Criteria EAL 4+ (Norwegian Scheme), NATO (Secret), NATO Green Scheme Evaluated, NL-NCSA (Secret), BSI (Secret) and NERC-CIP Compliance Vendor.

They are based on the use of proxies either side of the diode with specific appliances for critical infrastructures and OT environments such as Modbus replicator, OPC replicator, OSIsoft PI replicator and general appliances such as file transfer, software updates, e-mail, database replication, network printing or network monitoring.

Protect your industrial environment