How Critical Infrastructure Providers Can Securely Connect OT to the Cloud

Cloud connectivity offers tremendous benefits for critical infrastructure operators. Sending data from operational technology (OT) devices to the cloud opens the door for asset owners to use remote diagnostic and analysis tools, improve supply chain management, adopt predictive maintenance and schedule planned downtime—improving the efficiency and resilience of operations in ways not possible before.

While beneficial, new cloud connections also introduce new risks. Every additional connected asset represents a potential access point for bad actors, including nation-state-level threats. This exposure is compounded by the use of geographically distributed, and sometimes wirelessly connected, edge assets in the industrial internet of things (IIoT).

Consequently, OT asset owners have faced a dilemma: either introduce cybersecurity threats into their OT environments or lose out on the benefits of cloud-enabled analytics, data storage, systems monitoring and other high-value applications. Software-based security solutions fall short of the strong protection that critical infrastructure networks need. Firewalls have been proven ineffective at stopping cybersecurity threats of any sophistication and are no longer considered a viable security control. Some security ‘solutions’ even have the potential to be hijacked by sophisticated threat actors, who can then use them to launch attacks on the OT.

Hardware-Enforced Security Shifts the Paradigm

Hardware-enforced security technology instead allows data to travel out of a facility to the cloud without providing a path back inside that could be exploited. This is achieved by combining physical devices, known as data diodes, and digital isolators with hardware-enforced protocol validation technology.

In a data diode, data follows a one-way path through an optical transmitter, across a fiber optic cable and into an optical receiver. Because the receiving side has no transmitter, that design physically eliminates the possibility of data traveling in the opposite direction. Similarly, digital isolators use transformers to magnetically couple data across an isolation barrier that passes signals in one direction only. This proven approach has been used for decades by industrial organizations and nuclear energy facilities to connect their OT to their IT.

No software-based firewall can provide this same level of assurance. That is why many organizations now require hardware-enforced security for any use case that involves data from an OT device being sent to the cloud. In fact, hardware-enforced network segmentation is required by the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) regulations. It is also recommended by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) to secure external connections, including the cloud, for all OT networks within critical infrastructure and industrial organizations.

OT to the Cloud in Action

The value of hardware-enforced security for connecting OT to the cloud is already being proven. For example, a major cloud provider was able to secure a data connection to the Morning Star Packing Company, the largest tomato processor in the world, located in California’s Central Valley, by incorporating a hardware-enforced data diode solution into its security architecture. Morning Star’s corporate security policy required maintaining an impenetrable air gap and prohibited connecting OT to the internet. The hardware-enforced approach enabled the company to automatically transfer production data via MQTT from the factory edge to the cloud for greater insight into operational efficiency, product yield and predictive maintenance. This replaced an old-fashioned “walk net” option in which data was carried on thumb drives to a local computer for download. In addition, the transfer of critical government compliance reporting data to regulatory agencies via FTP and SFTP was moved from software-based firewalls to the data diode solution, providing greater protection against cybersecurity threats to the boiler control systems.
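A one-way link such as the MQTT feed described above cannot carry the acknowledgements and retransmission requests that MQTT and SFTP normally rely on, so a proxy on each side of the diode has to perform a protocol break: the plant-side proxy frames each publish and applies an allow-list, and the cloud-side proxy validates every frame on its own and detects loss. The following Python is an added example, not code from the article, from Owl Cyber Defense or from either company named above; the diode itself is hardware, so only the two proxies are modelled, and the frame format, topic names and sensor readings are constructed for the example.

```python
"""One-way (data-diode style) transfer of MQTT-style telemetry, in pure Python.

Constructed example. Nothing the receiver does can reach the sender, so the
sender never learns about loss and the receiver must validate each frame by
itself: integrity digest, size bound, well-formed payload, sequence order.
"""
import hashlib
import hmac
import json
import struct

MAGIC = b"DD01"                   # constructed frame marker for this example
MAX_PAYLOAD = 4096                # size bound enforced on the receive side
HEADER = struct.Struct(">4sQI")   # magic, sequence number, payload length
DIGEST_LEN = 32                   # SHA-256 over header + payload

# Plant-side allow-list: only these topics may leave the OT network.
# Constructed for the example; a real site derives it from its data inventory.
ALLOWED_TOPICS = {"plant/line1/temperature", "plant/line1/throughput"}


class DiodeSender:
    """OT-side proxy: turns MQTT-style publishes into self-describing frames."""

    def __init__(self):
        self.seq = 0
        self.refused = []           # topics blocked by the allow-list

    def frame(self, topic, payload):
        """Return the wire frame for one publish, or None if policy refuses it."""
        if topic not in ALLOWED_TOPICS:
            self.refused.append(topic)
            return None
        body = json.dumps({"topic": topic, "payload": payload},
                          separators=(",", ":")).encode()
        header = HEADER.pack(MAGIC, self.seq, len(body))
        self.seq += 1
        return header + body + hashlib.sha256(header + body).digest()


class DiodeReceiver:
    """IT-side proxy: validates frames it can neither acknowledge nor re-request."""

    def __init__(self):
        self.expected = 0
        self.messages = []
        self.gaps = []              # (first_missing_seq, last_missing_seq) ranges
        self.rejected = 0

    def accept(self, frame):
        """Validate one frame; return the decoded message or None if dropped."""
        if len(frame) < HEADER.size + DIGEST_LEN:
            self.rejected += 1
            return None
        header = frame[:HEADER.size]
        magic, seq, length = HEADER.unpack(header)
        body = frame[HEADER.size:HEADER.size + length]
        digest = frame[HEADER.size + length:HEADER.size + length + DIGEST_LEN]
        good = hashlib.sha256(header + body).digest()
        if (magic != MAGIC or length > MAX_PAYLOAD or len(body) != length
                or not hmac.compare_digest(good, digest)):
            self.rejected += 1      # corrupt, truncated or oversized frame
            return None
        try:
            msg = json.loads(body)
        except ValueError:
            self.rejected += 1
            return None
        if not isinstance(msg, dict) or set(msg) != {"topic", "payload"}:
            self.rejected += 1      # structurally valid JSON but wrong shape
            return None
        if seq < self.expected:     # duplicate or replayed frame
            self.rejected += 1
            return None
        if seq > self.expected:     # loss is only visible here, never at the sender
            self.gaps.append((self.expected, seq - 1))
        self.expected = seq + 1
        self.messages.append(msg)
        return msg


def simulate():
    """Push readings through the link; lose one frame and corrupt another."""
    sender, receiver = DiodeSender(), DiodeReceiver()
    readings = [                    # constructed sample publishes
        ("plant/line1/temperature", {"c": 71.2}),
        ("plant/line1/throughput", {"tph": 118}),
        ("plant/line1/temperature", {"c": 71.9}),
        ("plant/line1/setpoint", {"c": 60.0}),   # not permitted to leave the plant
        ("plant/line1/throughput", {"tph": 121}),
    ]
    frames = [f for f in (sender.frame(t, p) for t, p in readings) if f]
    # frames carry seq 0..3; simulate a fibre fault (seq 1 lost) and a flipped
    # byte in seq 2's payload, then deliver what survives in order.
    hit = HEADER.size
    frames[2] = frames[2][:hit] + bytes([frames[2][hit] ^ 0x01]) + frames[2][hit + 1:]
    for f in (frames[0], frames[2], frames[3]):
        receiver.accept(f)
    return sender, receiver


if __name__ == "__main__":
    s, r = simulate()
    print("refused topics:", s.refused)
    print("delivered:", r.messages)
    print("gaps:", r.gaps, "rejected:", r.rejected)
```

The point to notice is that the receiver records a single gap covering both the lost frame and the corrupted one: with no return path it cannot ask which happened, so gap reports on the cloud side (rather than sender-side retries) are what operators monitor to confirm the feed is healthy.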

Similarly, a large Swedish petrochemical company also needed to get data from its facilities to an external cloud platform to realize important efficiency improvements. While relying on air gapping to maintain absolute OT security, one of the company’s plants applied a hardware-enforced data diode solution, enabling them to safely transfer data to the cloud while maintaining the air gap’s integrity. That first implementation is paving the way for the same model across the company’s 35 global facilities.

Critical Infrastructure Companies to Reap Cloud-Enabled Benefits

Implementing an OT-to-cloud data flow protected by hardware-enforced security will enable critical infrastructure companies to reap cloud-enabled benefits such as optimizing plant performance and improving device maintenance practices while maintaining the strongest cybersecurity defenses possible. Hardware-enforced security will allow operators to reduce expenses and deliver more customer value while still fully meeting all regional and federal regulatory requirements. With the advantages of cloud and automation now safely available to all critical infrastructure providers, growing customer demands and competitive pressures compel the adoption of solutions that meet this transitional moment.

Dennis Lanahan

Dennis Lanahan is the Vice President for Critical Infrastructure Markets at Owl Cyber Defense.