Use Case: Data Diode Cybersecurity Implementation Protects Water Utility OT Network

Size: px

Start display at page:

Download "Use Case: Data Diode Cybersecurity Implementation Protects Water Utility OT Network"

Louise Floyd
5 years ago
Views:

Providing Remote User/Data Access Standards Certification Education &

Sales and Customer Service at Owl Computing Technologies 2015 ISA

1 Use Case: Data Diode Cybersecurity Implementation Protects Water Utility OT Network Four Step Process to Network Cybersecurity & Providing Remote User/Data Access Standards Certification Education & Training Publishing Conferences & Exhibits Dennis Lanahan Director of Sales and Customer Service at Owl Computing Technologies 2015 ISA Water / Wastewater and Automatic Controls Symposium August 4-6, 2015 Orlando, Florida, USA

Presenter Dennis Lanahan, Manager, Sales & Customer Service Dennis joined Owl in the Fall of 2007, after four years as Director of Sales Operations at irobot.

His responsibilities included global supply-chain operations, customer fulfillment and North American consumer help-desk service and support.

2 Presenter Dennis Lanahan, Manager, Sales & Customer Service Dennis joined Owl in the Fall of 2007, after four years as Director of Sales Operations at irobot. During the time of rapid growth at irobot, from , he was responsible for overseeing Sales Operations and Customer Service for the Home Robots Division. His responsibilities included global supply-chain operations, customer fulfillment and North American consumer help-desk service and support. He started his career at Seagate Technology in Scotts Valley, CA and has held Sales and Sales Management positions in various technology companies selling computers, computer peripherals and internet services. He holds a Bachelors Degree of Individual Concentration (B.D.I.C.) from the University of Massachusetts from 1986, with a concentration in Business Management and Computer Information Science. 2

3 Presentation Outline Typical Network Security Configuration Air gap Response to Cybersecurity Threats Business Challenges of Air Gap Four Step Process to Meeting Air Gap Challenges Define Security Zones Define Workflows Define Security Policy Implement Cybersecurity Solution Summary of Issues Resolved 3

4 Typical Network INDUSTRIAL CONTROL NETWORK CONNECTED TO CORPORATE NETWORK VULNERABLE TO CYBER THREATS DCS stations s DMZ Remote Users s Plant Network Corporate Network

5 Response to Imminent Threat or Attack NETWORKS SECURED BY DISCONNECTING (CREATING AN AIR GAP ) DISCONNECT IMPEDES EFFICIENT OPERATIONS DCS stations s Remote Users s Plant Network Corporate Network

6 Business Challenges Faced After Implementing Air Gap Challenges Restore business information continuity Historical information access with network security and network domain separation Solutions Define the plant and business networks as separate security zones with a secure conduit in between Security Solutions Deployed Replicate data generated by DCS and PLC equipment into the business unit s Limit unauthorized access to plant network Install hardware enforced data-diode technology to enforce one-way data flows Provide Remote Users with visibility into OT network Implement Remote View capability

7 Applying lessons learned to Develop 4 Step Approach Each network is different and customers walk through a 4 step process to architect the right data diode cybersecurity solution 1.Define Security Zones 2.Define Workflows and Data Transfers between zones 3.Define security policy to support Workflows 4.Define security solution architecture

8 Step 1 of 4 Step process 1. Define security zones High Security Zone Prevent outside access Business Security Zone Enable plant support operations DCS 1 DCS 2 DMZ DCS 3 (OPC DA, A&E) Plant Network Industrial Control Systems Corporate Network IT Systems

9 Step 2 1. Define security zones 2. Define workflows and data transfers within the zones High Security Zone Prevent outside access Business Security Zone Enable plant support operations DCS 1 DCS 2 DMZ DCS 3 (OPC DA, A&E) Plant Network Industrial Control Systems Corporate Network IT Systems

10 Step 3 1. Define security zones 2. Define workflows and data transfers within the zones 3. Define security policy data transfers out, no attack vectors in High Security Zone Prevent outside access Business Security Zone Enable plant support operations DCS 1 DCS 2 DMZ DCS 3 (OPC DA, A&E) Plant Network Industrial Control Systems Corporate Network IT Systems

Step 4 1. Define security zones 2. Define workflows and data transfers within the zones 3. Define security policy data transfers out, no attack vectors in 4.

11 Step 4 1. Define security zones 2. Define workflows and data transfers within the zones 3. Define security policy data transfers out, no attack vectors in 4. Define security solution to support requirements High Security Zone Prevent outside access Business Security Zone Enable plant support operations DCS 1 DCS 2 DMZ Data Diode DCS 3 (OPC DA, A&E) Plant Network Industrial Control Systems Corporate Network IT Systems

12 Business needs solved with Security Zones and Secure Conduits Restore business information continuity Owl DualDiode enforces Plant and Business Network domain separation IP addresses, MAC addresses and all other identifying information is protected behind the data diode Historical Information Access with network security and network domain separation replication Transfer of data files Prevent access to plant network from outside the plant DualDiode is hardware enforced one-way data flows out NO access or data flows into the plant network of any kind Provide Remote Users with visibility into the Plant Implement Remote View capability

Network Architectural Design for Cybersecurity in a Virtual World

Network Architectural Design for Cybersecurity in a Virtual World Standards Certification Education & Training Publishing Conferences & Exhibits Kenneth Frische aesolutions 2016 ISA Water / Wastewater