New Approaches for ‘Air Gapped’ IT and OT Environments for Critical Infrastructure

In this new world of interconnected systems, critical infrastructure organisations benefit from a multitude of Internet of Things devices, with all the additional functionality they bring, and from valuable, bi-directional data sharing between IT and OT systems. The benefits of this connectivity are huge: increased productivity, more agile and flexible processes, reduced cost and faster innovation, to name a few.

Like every other industry, critical infrastructure has benefited from digital transformation and the move to Industry 4.0. Its IT and OT systems are often built on bespoke, legacy and in some cases antiquated platforms. No system lasts forever, and replacing them usually means revisiting the 'air gap': the separation between operational technology and the IT systems connected to the internet.

Critical infrastructure is, rightly, heavily regulated, and when data sharing across systems is introduced it must be properly monitored and managed.

The benefits do come with risks, however, including increased internal and external threats to connected systems. External attacks are only increasing, with a history of attacks against critical infrastructure stretching back to Stuxnet in 2010. Shamoon, Dragonfly, WannaCry, Petya and others are all well known for the disruption they caused to energy firms, critical manufacturing and other public services. The attacks are becoming more frequent, more sophisticated and more targeted. Ransomware demands have gone through the roof: CNA Financial recently paid out $40m, and $50m was demanded of Apple after a breach at its supplier Quanta. The overall cost of ransomware, in payouts and downtime, is expected to exceed $265bn a year by 2031.

Security in the Critical Infrastructure “Airport”
Against this backdrop, how can we modernise and improve our environments while keeping critical data and systems safe and available? Firewalls and data diodes are the technologies traditionally used, but they are limited in functionality and have proved less effective against targeted attacks.

Above all, the physical safety and availability of the asset and the amenity it provides to the community it serves (water, gas, traffic control etc) must be maintained.

The technology gap between the firewall and the data diode can, however, be addressed. Think of these technologies as checkpoints in a critical infrastructure 'airport'. The firewall is the check-in desk: it performs basic checks and verifies a user's identity, but they are only basic checks, and you can still get past that point carrying items you are not supposed to have. In the airport that might be a bottle of water in your carry-on; in the digital world it is hidden malicious code inside an innocuous-looking document.

At the other end of the process is the exit gate, which in critical infrastructure corresponds to the data diode. Leaving is strictly one-way, but there are no security inspections on the way out. You cannot get back in, but there is no record of you leaving, and nobody checks that you have not taken something you should not have in your bags. Digitally, a user could leave the network with unauthorised documents, which could be extremely damaging.

The missing piece in this 'airport' is the data guard. A guard is a much more in-depth security process: think of the scanners, security staff, X-ray machines and all the other checks inside the terminal. They inspect far more than identity alone, giving a fine-grained, detailed inspection of your person and belongings and checking for anything malicious (the hand swab for residue detection, for example).

Forcepoint Data Guard provides that level of inspection between IT and OT systems. It transfers information across domains, between the 'connected' IT system and the 'clean' OT system in either direction, safely and securely, minimising risk as far as possible.

When Data Guard is deployed it is configured on a bespoke basis, with specific rules and protocols for each environment. Plug-ins can be added, including virus scanners and CDR (content disarm and reconstruction) services, to filter all the data and ensure that nothing gets in, or out, that is not permitted.

Through a data guard, documents can be transferred between security domains of different levels (IT to OT networks) and cleaned on the way through, so that no document carries hidden malware on the way in or exfiltrates hidden data on the way out. The aim is total prevention, and in critical infrastructure that level of security is necessary.
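The behaviour described in the two paragraphs above, as an added illustration that is not Forcepoint's code and not a description of how Data Guard itself is implemented: a minimal policy-driven guard in Python for JSON messages crossing between an IT domain and an OT domain. The message format, the tag names, the value limits and the inbound/outbound policies are all hypothetical and constructed for this example; a real guard is configured per site. It shows the three properties the text asks for: deny-by-default validation on the way in, stripping of anything not explicitly allowed on the way out, and an audit record of every crossing and every refusal, which a bare diode does not provide.

```python
import hashlib
import json
import numbers
from collections import namedtuple

# Hypothetical per-site policy, constructed for this example. A real guard is
# configured per deployment; the tags and limits here are illustrative only.
INBOUND_SETPOINTS = {"pump_01_speed": (0, 1500), "valve_07_position": (0, 100)}
OUTBOUND_TAGS = {"pump_01_speed", "valve_07_position", "tank_03_level"}
MAX_MESSAGE_BYTES = 4096

GuardResult = namedtuple("GuardResult", "forwarded payload detail")
AUDIT_LOG = []  # unlike a bare diode, every crossing and every refusal is recorded


class GuardReject(Exception):
    """Policy failure: nothing derived from the message crosses the boundary."""


def _record(direction, verdict, detail, raw):
    AUDIT_LOG.append({"direction": direction, "verdict": verdict, "detail": detail,
                      "sha256": hashlib.sha256(raw).hexdigest()})


def _parse(raw):
    """Size-limit and parse; the guard only ever reasons about parsed fields."""
    if not isinstance(raw, bytes) or len(raw) > MAX_MESSAGE_BYTES:
        raise GuardReject("oversized or non-bytes input")
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        raise GuardReject("not well-formed UTF-8 JSON")
    if not isinstance(msg, dict):
        raise GuardReject("top-level value must be an object")
    return msg


def _is_number(value):
    return isinstance(value, numbers.Real) and not isinstance(value, bool)


def _validate_inbound(msg):
    """Exact structure, known tags only, values inside the permitted range."""
    if set(msg) != {"type", "setpoints"} or msg["type"] != "setpoint":
        raise GuardReject("unexpected structure")
    setpoints = msg["setpoints"]
    if not isinstance(setpoints, dict) or not setpoints:
        raise GuardReject("setpoints must be a non-empty object")
    clean = {}
    for tag, val in setpoints.items():
        if tag not in INBOUND_SETPOINTS:
            raise GuardReject(f"unknown tag {tag!r}")
        lo, hi = INBOUND_SETPOINTS[tag]
        if not _is_number(val) or not lo <= val <= hi:
            raise GuardReject(f"{tag!r} outside [{lo}, {hi}]")
        clean[tag] = float(val)
    return clean


def guard_inbound(raw):
    """IT -> OT: deny by default. Anything not explicitly permitted is refused,
    and the forwarded message is rebuilt from validated fields only, so the
    original bytes (and whatever they might hide) never reach the OT side."""
    try:
        clean = _validate_inbound(_parse(raw))
    except GuardReject as exc:
        _record("IT->OT", "rejected", str(exc), raw)
        return GuardResult(False, None, str(exc))
    payload = json.dumps({"type": "setpoint", "setpoints": clean}, sort_keys=True).encode()
    _record("IT->OT", "forwarded", f"{len(clean)} setpoint(s)", raw)
    return GuardResult(True, payload, "ok")


def guard_outbound(raw):
    """OT -> IT: forward only allowlisted numeric readings and strip everything
    else, so spare fields or free text cannot carry data out of the OT network.
    Every stripped field is named in the audit record and in the result."""
    try:
        msg = _parse(raw)
        if msg.get("type") != "telemetry" or not isinstance(msg.get("readings"), dict):
            raise GuardReject("unexpected structure")
    except GuardReject as exc:
        _record("OT->IT", "rejected", str(exc), raw)
        return GuardResult(False, None, str(exc))
    clean, stripped = {}, sorted(set(msg) - {"type", "readings"})
    for tag, val in msg["readings"].items():
        if tag in OUTBOUND_TAGS and _is_number(val):
            clean[tag] = float(val)
        else:
            stripped.append(f"readings.{tag}")
    payload = json.dumps({"type": "telemetry", "readings": clean}, sort_keys=True).encode()
    _record("OT->IT", "forwarded", "stripped: " + (", ".join(stripped) or "none"), raw)
    return GuardResult(True, payload, ", ".join(stripped))


if __name__ == "__main__":
    # Constructed sample traffic: one good setpoint, one out-of-range setpoint,
    # and a telemetry message carrying a smuggled note and an extra field.
    print(guard_inbound(b'{"type": "setpoint", "setpoints": {"pump_01_speed": 1200}}'))
    print(guard_inbound(b'{"type": "setpoint", "setpoints": {"pump_01_speed": 9000}}'))
    print(guard_outbound(b'{"type": "telemetry", "readings": {"tank_03_level": 71.5, '
                         b'"note": "cfg dump: admin:P@ss"}, "extra": "blob"}'))
    for entry in AUDIT_LOG:
        print(entry)
```

Rebuilding the forwarded message from validated fields, rather than passing the original bytes through, is the content disarm and reconstruction idea in miniature. What this does not address is a covert channel inside the permitted numeric values themselves, which is why the outbound allowlist should be as narrow as the use case allows and why the audit trail matters as much as the filtering.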

Critical infrastructure architectures are all different, built on different OT set-ups and with varying security requirements. Forcepoint takes a partnership-focused approach to implementing Data Guard and its other cross domain solutions, ensuring a programmatic approach that delivers a stronger cybersecurity posture as well as better ROI, bringing in the benefits of Industry 4.0 and digital transformation. Together with our partners, we deliver high-assurance protection of data in transit, keeping the OT networks of critical infrastructure customers clean and protected.

Newsflash: Forcepoint recently announced a definitive agreement to acquire Deep Secure, a developer of cybersecurity products and services that protect organisations from attacks delivered via malware, and that acquisition has now closed. Forcepoint will build Deep Secure's products into its Cross Domain Solutions portfolio to deliver enhanced efficacy in securing critical data. Deep Secure's Threat Removal Platform helps eliminate the threat from several of the most common attack vectors, including email and web downloads.

To learn more about Forcepoint’s Data Guard and hear details of the technical implementation and use cases of the technology, listen to our webcast on the topic.

This post was first published on the Forcepoint website by Bryan Skelton.