Production and IT: the Connection Is Secure

To securely connect the production and IT worlds, ServiTecno offers solutions for attack-proof integration: from the data hub to the gateway family to remote access devices, sensitive data stay protected.

In times of cyber attacks, process control networks are often physically isolated from the rest of the company to protect critical production assets and sensitive data. However, total network isolation not only fails to secure the systems (many intrusions occur locally), but also means giving up the benefits of interconnectivity: production data could not be integrated into decision support platforms or fed into data analytics systems.
Even so, securely extracting useful data from an adequately protected system can be a serious challenge.
A solution is provided by ServiTecno, distributor of advanced software solutions on the Italian market.

DataHub understands the different languages spoken in the OT and IT world.

A hub dedicated to production data

Developed by Skkynet, DataHub is a middleware solution that lets data from different sources be integrated and used easily and securely. Local and wide-area networks can thus be created by connecting on-site sensors, devices and machinery, realizing Industry 4.0 architectures and solutions. Integrating data generated by production systems into management systems and cloud analytics solutions, that is, outside the realm of operations, is an essential but also risky operation. DataHub allows communication between the various layers of the company network, each separated by firewalls, using connections that carry data in both directions while leaving inbound firewall ports closed, and transfers large volumes of data in real time. The solution enables real-time two-way connections between the production world, that is, OPC UA and OPC Classic (OPC DA) clients and servers, and any SQL database, MQTT client or broker, as well as Excel spreadsheets and cloud platforms such as Azure IoT Hub, Google IoT and Amazon IoT Core.
DataHub understands the different languages spoken in the OT and IT worlds, translates them quickly, and creates a single unified dataset available to any analysis or visualisation platform.
Capable of handling over 50,000 value changes per second across the points generating the data, DataHub is fast enough for the data to be used for plant monitoring and control. The integrated web HMI (WebView) allows pages to be created and displayed in a web browser. It also allows: recording data in any SQL database; creating a secure connection to any Industrial IoT platform; triggering actions based on data changes; and performing real-time analysis with Microsoft Excel using an add-in.

With DataHub it is possible to create and display pages in a web browser.

A digital diode to separate equipment from the outside world

To separate OT networks from other networks, a firewall with a strict set of rules protecting the underlying network segment is usually chosen. However, even the best firewall can be breached. One solution is NetWall, a family of security gateways developed by Bayshore. It consists of unidirectional (NetWall USG, Unilateral Security Gateway) and bidirectional (NetWall BSG, Bilateral Security Gateway) models.
The unidirectional models are available in four sizes, based on the supported data exchange speed: 50 Mbps, 100 Mbps, 1 Gbps and, the latest addition, 10 Gbps. NetWall USG is a ‘digital diode’ installed in a 19” rack that physically separates industrial equipment from the outside world: a high-speed hardware and software solution that creates a secure network segment.
The entire NetWall family supports real-time replication of files and data from inside the electronic perimeter to enterprise systems such as ERP, MES, PLM, PIM and others. The NetWall BSG bidirectional models offer all the features of the unidirectional version, with the addition of being able to receive response data from specified destinations on the untrusted network. Both types of NetWall support OPC UA.

NetWall is a family of security gateways.

Secure protection for PLCs

Bayshore also offers the OTfuse family of intelligent protection products and the OTaccess series of secure remote access devices, available for on-premise, cloud or virtual machine installation.
OTfuse has been developed to protect PLCs in a networked SCADA/PLC application. To install it, it is sufficient to place it upstream or downstream of the switch to which one or more PLCs are connected. Easy to configure, it knows the protocols used by the PLCs and learns by itself the connections and traffic between PLCs, and between PLCs and PC/HMI/SCADA systems. Once “self-instructed”, it signals anything suspect that should be blocked.
OTfuse for iFix, like its general purpose version, protects communications between the different SCADA nodes in the network, but is designed specifically for GE Digital’s HMI/SCADA Proficy iFix. OTfuse is also available in a “lighter” version, OTfuse Lite. This product is likewise installed near the endpoints to protect PLCs and other devices connected to the network; it is configured automatically and offers intelligent intrusion prevention.
The difference is that OTfuse Lite is dedicated to non-critical industrial applications, which do not require the highest level of availability of the original OTfuse.
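The learn-then-enforce behaviour described for OTfuse (observe the PLC traffic, then flag anything that departs from what was seen) can be illustrated with a small flow baseline. The following is an added example, not Bayshore code: the flow model, the Modbus write function code set used only to word the alert, and the hostnames and traffic records are all constructed for the illustration.

```python
"""Learn-then-enforce flow allowlist for PLC traffic (added example, not
OTfuse code). During learning every observed flow is recorded; afterwards
any flow outside the learned set raises an alert with a reason."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str                 # application protocol, e.g. "modbus"
    fc: Optional[int] = None   # Modbus function code when proto == "modbus"


# Modbus function codes that change PLC state (standard Modbus assignments);
# used here only to give a more specific alert reason.
MODBUS_WRITE_FCS = {5, 6, 15, 16, 22, 23}


class FlowBaseline:
    def __init__(self) -> None:
        self.allowed: Set[Flow] = set()
        self.learning = True
        self.alerts: List[str] = []

    def observe(self, flow: Flow) -> str:
        """Return 'learned', 'allowed' or 'alert' for one observed flow."""
        if self.learning:
            self.allowed.add(flow)
            return "learned"
        if flow in self.allowed:
            return "allowed"
        peer_known = any(f.src == flow.src and f.dst == flow.dst
                         for f in self.allowed)
        if not peer_known:
            reason = "unknown peer pair"
        elif flow.proto == "modbus" and flow.fc in MODBUS_WRITE_FCS:
            reason = f"write function code {flow.fc} never seen from this peer"
        else:
            reason = "flow not in learned baseline"
        self.alerts.append(
            f"{flow.src}->{flow.dst}:{flow.dport}/{flow.proto} fc={flow.fc}: {reason}")
        return "alert"

    def finish_learning(self) -> None:
        self.learning = False


# Constructed sample traffic: an HMI and a SCADA server talking to two PLCs.
LEARNING_TRAFFIC = [
    Flow("10.0.1.10", "10.0.2.5", 502, "modbus", 3),    # HMI reads PLC-5
    Flow("10.0.1.20", "10.0.2.5", 502, "modbus", 3),    # SCADA reads PLC-5
    Flow("10.0.1.20", "10.0.2.6", 502, "modbus", 16),   # SCADA writes PLC-6
]
ENFORCEMENT_TRAFFIC = [
    Flow("10.0.1.10", "10.0.2.5", 502, "modbus", 3),    # as learned
    Flow("10.0.1.10", "10.0.2.5", 502, "modbus", 16),   # HMI now writing
    Flow("10.0.1.99", "10.0.2.5", 502, "modbus", 3),    # host never seen
    Flow("10.0.1.20", "10.0.2.6", 502, "modbus", 16),   # as learned
]


def run_demo() -> Tuple[List[str], List[str]]:
    """Learn from LEARNING_TRAFFIC, then judge ENFORCEMENT_TRAFFIC."""
    baseline = FlowBaseline()
    for flow in LEARNING_TRAFFIC:
        baseline.observe(flow)
    baseline.finish_learning()
    verdicts = [baseline.observe(flow) for flow in ENFORCEMENT_TRAFFIC]
    return verdicts, baseline.alerts


if __name__ == "__main__":
    verdicts, alerts = run_demo()
    for flow, verdict in zip(ENFORCEMENT_TRAFFIC, verdicts):
        print(verdict.ljust(8), flow)
    for line in alerts:
        print("ALERT:", line)
```

The baseline keys on the full tuple of source, destination, port, protocol and function code, so a host that only ever read registers during learning is flagged the moment it issues a write, and a previously unseen host is flagged even if it uses a learned request. A real device would add a way to promote a flagged flow into the baseline after review; that is omitted here.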

OTfuse for iFix protects communications between different SCADA nodes in the network.

Ensuring secure, real-time remote access

We now turn to OTaccess, a solution that securely manages real-time remote access. It offers granular, customised control by protocol, user activity and location, with continuous monitoring and policy enforcement for the duration of each session.
To allow access, OTaccess requires that a service be exposed on an endpoint (defining both the destination port and the protocol/service) and that a user be explicitly authorised to access that endpoint/service combination. It is a cloud-hosted, software-defined product with support for encrypted microtunnels, two-factor authentication, Microsoft Active Directory users and groups, and endpoint-specific access capabilities oriented towards OT network security requirements.
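The access model just described, an explicitly exposed endpoint/port/protocol combination plus an explicit per-user authorisation, re-checked for the life of the session, amounts to a default-deny policy. The following is an added example of that policy in code; it is not Bayshore code, and the hostnames, user names and the simplified "second factor verified" flag are constructed assumptions.

```python
"""Default-deny remote-access policy (added example, not OTaccess code).
A service must be exposed, the user must hold a grant for that exact
service, and the second factor must be verified; sessions re-check the
policy so a revoked grant takes effect immediately."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Service:
    endpoint: str
    port: int
    proto: str


@dataclass
class RemoteAccessPolicy:
    exposed: Set[Service] = field(default_factory=set)
    grants: Dict[str, Set[Service]] = field(default_factory=dict)

    def expose(self, svc: Service) -> None:
        """Administrator step: make one endpoint/port/protocol reachable."""
        self.exposed.add(svc)

    def grant(self, user: str, svc: Service) -> None:
        """Authorise one user for one exposed service; refuse otherwise."""
        if svc not in self.exposed:
            raise ValueError(f"{svc} is not exposed; expose it before granting")
        self.grants.setdefault(user, set()).add(svc)

    def revoke(self, user: str, svc: Service) -> None:
        self.grants.get(user, set()).discard(svc)

    def decide(self, user: str, mfa_verified: bool, svc: Service) -> Tuple[bool, str]:
        """Default deny: every condition must hold for access to be allowed."""
        if svc not in self.exposed:
            return False, "service not exposed"
        if svc not in self.grants.get(user, set()):
            return False, "user not authorised for this endpoint/service"
        if not mfa_verified:
            return False, "second factor not verified"
        return True, "allowed"


class Session:
    """Re-evaluates the policy on every request, not only at login."""

    def __init__(self, policy: RemoteAccessPolicy, user: str, svc: Service) -> None:
        self.policy, self.user, self.svc = policy, user, svc
        self.mfa_verified = True   # assumed verified when the session opened

    def still_permitted(self) -> bool:
        allowed, _ = self.policy.decide(self.user, self.mfa_verified, self.svc)
        return allowed


# Constructed sample configuration.
ENG_WS_RDP = Service("eng-ws-01.ot.example", 3389, "rdp")
PLC_GW_MODBUS = Service("plc-gw-01.ot.example", 502, "modbus")
ENG_WS_SSH = Service("eng-ws-01.ot.example", 22, "ssh")   # never exposed


def run_demo() -> Tuple[List[str], bool, bool]:
    policy = RemoteAccessPolicy()
    policy.expose(ENG_WS_RDP)
    policy.expose(PLC_GW_MODBUS)
    policy.grant("alice", ENG_WS_RDP)

    checks = [
        policy.decide("alice", True, ENG_WS_RDP),      # exposed + granted + MFA
        policy.decide("alice", True, PLC_GW_MODBUS),   # exposed, no grant
        policy.decide("bob", True, ENG_WS_RDP),        # no grant at all
        policy.decide("alice", False, ENG_WS_RDP),     # second factor missing
        policy.decide("alice", True, ENG_WS_SSH),      # same host, unexposed port
    ]
    reasons = [reason for _, reason in checks]

    session = Session(policy, "alice", ENG_WS_RDP)
    before_revoke = session.still_permitted()
    policy.revoke("alice", ENG_WS_RDP)
    after_revoke = session.still_permitted()
    return reasons, before_revoke, after_revoke


if __name__ == "__main__":
    reasons, before, after = run_demo()
    print(*reasons, sep="\n")
    print("session permitted before revoke:", before, "after revoke:", after)
```

The order of checks matters for what the log records: exposure is tested first so that a request for an unexposed port on a known host is reported as a configuration gap rather than an authorisation failure, and the grant step refuses to authorise a service that was never exposed, which keeps the two administrative actions the article distinguishes from being collapsed into one.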