
How to deal with common security challenges for companies within the energy sector

If you are working in the energy sector you probably have one or more of the following security challenges:

  • You need to securely integrate your OT systems with your IT systems; this integration is necessary to analyse the data from your OT systems.
  • You need to manage and monitor your sensitive OT systems remotely in a secure way, and you need to allow suppliers to perform maintenance and/or allow operating personnel to monitor and control your systems.
  • You want to centralise your data logging in a secure way to avoid the attack risk that such a communication channel could pose.
  • You need to report data to an authority cloud service and want to avoid this opening up attack vectors into your sensitive systems.
  • You want to make sure that your operations can continue without interruptions even under a cyberattack, as your operations are vital to society.

 

In this article we will explain how you can handle these security challenges.

Secure IT/OT integration

Separating IT and OT into separate segments helps you to avoid threats or disruption in IT affecting OT. To also avoid risks as a consequence of mistakes in configuration or malfunction, physical segmentation (zoning) should be used. This means that separate hardware is used for IT and OT.

The most secure way to connect an integrity/availability sensitive data network to other systems is to use data diodes. All data flows that can be managed with data diodes involve a simplified security analysis, simply because a data diode is so secure and easy to analyse. Or, more correctly, because it has such high assurance.

Here are two examples of when using data diodes in an OT environment makes the integration to the IT network more secure:

  • Database mirroring: One method for exporting data from the OT zone is to mirror the contents of a database from the OT zone. By creating a copy of the data on the IT side, you can allow read access to all IT systems that need to access the database contents.
  • XML export: Another method is to create an XML file in the OT zone, containing all the data needed outside OT. This file is then sent regularly by file transfer to a recipient in the IT zone.
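
The XML export described above, sketched as an added example (not Advenica's code or product behaviour). Because a data diode gives the IT-side recipient no way to request a resend, the recipient validates every file and records missing sequence numbers; the element names and the `seq` and `sha256` attributes are assumptions made for this illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

def _digest(readings):
    # Detects corruption or truncation in transit only; it is not authentication.
    canon = "\n".join(f"{tag}={value}" for tag, value in readings)
    return hashlib.sha256(canon.encode()).hexdigest()

def build_export(seq, readings):
    """OT side: serialise (tag, value) pairs with a sequence number and digest."""
    root = ET.Element("export", seq=str(seq), sha256=_digest(readings))
    for tag, value in readings:
        ET.SubElement(root, "reading", tag=tag).text = str(value)
    return ET.tostring(root)

class Receiver:
    """IT side: validates each file; it has no channel to ask for a resend."""
    def __init__(self):
        self.expected = 1
        self.missing = []  # sequence numbers that never arrived

    def accept(self, blob):
        # The export format never needs a DTD, so refuse one outright.
        if b"<!DOCTYPE" in blob or b"<!ENTITY" in blob:
            return "rejected: DTD not allowed"
        try:
            root = ET.fromstring(blob)
            seq = int(root.get("seq", ""))
        except (ET.ParseError, ValueError):
            return "rejected: malformed"
        readings = [(r.get("tag"), r.text or "") for r in root.findall("reading")]
        if root.tag != "export" or any(t is None for t, _ in readings):
            return "rejected: unexpected structure"
        if _digest(readings) != root.get("sha256"):
            return "rejected: digest mismatch"
        if seq < self.expected:
            return "rejected: duplicate or replayed sequence"
        self.missing.extend(range(self.expected, seq))  # gap: alert, cannot re-request
        self.expected = seq + 1
        return "accepted"

if __name__ == "__main__":
    sample = [("feeder1_kW", 412.5), ("breaker_7", "closed")]  # constructed sample data
    rx = Receiver()
    for n in (1, 2, 4):  # file 3 is lost on the one-way link
        print(n, rx.accept(build_export(n, sample)))
    print("missing:", rx.missing)
```
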

Read more about secure IT/OT integration!

Secure remote access

One of the most common challenges for facility owners and manufacturers today is equipment that lacks remote access because it is offline, requires special connectivity (USB, serial) or lacks session control. It can also be legacy equipment (Windows XP and similar) or have non-compliant workarounds invisible to IT & cyber.

With Advenica’s Remote Access Device you can add an instant layer of secure control around your site. It offers ad-hoc remote access, where and when needed. It also offers support of 3rd party needs such as tunnelling, IP/USB/Serial or even KVM access, in addition to simple user administration.

Benefits with the Remote Access Device:

  • Portable: Small form factor and built-in battery allow users to easily move remote access to a single endpoint or a network of endpoints.
  • Secure: Built on Zero Trust principles, ensuring Least Privileges, Access Control, and Audit Log.
  • Versatile: A wide variety of I/O options enabling connections to an extensive range of devices.
  • Clientless: Plug-and-play solution requiring no software installation on the endpoint, network, or technician’s computer.
  • Out-of-Band: Built-in LTE connection ensures remote access is isolated from the network.
  • Offline: Whether utilizing LTE, WiFi, or LAN, the internet connection is not shared with the endpoint and will remain offline during remote access.

Read more about secure remote access.

Secure centralised logging

Most IT systems generate logs that enable troubleshooting and traceability. To benefit the most from such logs, it is important to combine logs from as many systems as possible in one chronological list. By monitoring logins, failed login attempts, transactions, USB usage etc., effective preventive measures can be mapped out and damage control can be carried out without delay. However, the character of the data also makes log servers a favoured target for hackers. A destroyed or manipulated logging system has no value, hence it needs to be protected at the highest possible level. With new regulation like NIS2 and the demand to report incidents quickly and correctly, it is crucial that logs are available and trustworthy.

To ensure integrity and security, high-assurance solutions are required. Data diodes create a high assurance isolation in the backward direction, thereby blocking everything from the outside.

Read more about secure logging.

Secure reporting to authority cloud services

Many organisations today have to report data continuously to an authority. The authority needs statistics from the different organisations reporting to it in order to put the right demands on them, charge them correctly or get a total picture of the subject in question. In most cases this reporting is done to a cloud service that the authority has. But this cloud service is a potential attack vector for a cyberattack, which could potentially affect all the organisations reporting to this authority.

To avoid this, a data diode can be placed between the cloud service and the reporting organisation. Then the data can only go in one direction, from the reporting organisation to the cloud service.

How to protect your business against cyberattacks

Unfortunately, there is no one-time formula that allows you to fully protect yourself against all cyberattacks. But there is much you can do to prevent one from happening, and there are also ways to reduce the damage of an attack.

To begin with, each company or organisation must identify which information or which systems are most critical and thus worthy of protection. Since most systems today are interconnected, it is difficult to get an overview of how many paths lead to the most valuable information. By making a risk and vulnerability analysis, information and systems worthy of protection can be classified and loopholes identified.

However, it is not practical or financially justified to protect all information in the same way. To secure the most valuable information, strict network segmentation is the best solution to use. This means that you create zones with different security levels.

After creating zones, you should choose security solutions for operation, availability, and adaptability based on the attacker’s perspective and worst-case scenario. To be able to protect your most critical information, be sure to use professional solutions for high security and solutions that are future-proof.

Use these four concrete tips on how you can protect yourself and your business against cyberattacks:

1. Create a good security culture
2. Segment your networks
3. Put demands on your subcontractors
4. Update securely

Read more about these tips!

Read more about how to enhance your OT security.

We have the security solutions and the experience you need

Advenica has extensive experience of solutions where networks are physically isolated at the same time as information is connected securely. Our expertise and solutions secure your ICS information management – and enable accelerated digitalisation without jeopardising accessibility and integrity of ICS systems.

In our customer cases “Wiener Netze protects its infrastructure using solutions from Advenica” and “Major energy company secure power with Advenica” you can read how large energy companies secure their operations with our help.

Ready to get some help with your security challenges? Contact us today!

 
