Cyberattacks and incidents are becoming a major source of unplanned downtime for industrial and critical infrastructure applications. IT level cyberattacks on business networks can have negative consequences for operations. As we saw with the Colonial Pipeline incident, loss of visibility into the supply chain resulted in an operational shutdown that cost the company millions. Proper isolation of IT and OT domains reduces the chances of an IT level attack impacting OT level operations.
The world of OT and industrial control systems (ICS) is becoming even more integrated with business and enterprise level applications through digitalization and its suite of new Industrial IoT (IIoT) technologies like cloud and edge computing, IoT protocols like MQTT, analytics, and machine learning. This expands the threat surface of OT forcing end users to ensure that the OT domain is properly isolated from the world of IT and enterprise systems.
What’s really required today is “isolation with communication.” The OT domain must remain secure and properly isolated from the IT domain to ensure worker health and safety and mitigate unplanned downtime, which costs the industrial and critical infrastructure segment over a trillion dollars a year in lost production. However, segmentation cannot eliminate communication; communication between the IT and OT domain is necessary to realize the benefits of Industrial IoT.
Cross Domain Solutions (CDS) are an excellent way to manage secure communications between IT and OT domains. ARC analysts recently sat down with Owl Cyber Defense to discuss their CDS offerings for the industrial and critical infrastructure space. This paper outlines the concept and benefits of CDSs in industrial and critical infrastructure applications. Here are some key takeaways:
- Cyberattacks are now a major source of unplanned downtime.
- Much of the OT level downtime experienced in recent cyberattacks stems from OT level impact resulting from IT level attacks.
- Industry and critical infrastructure need to secure the OT domain and shield it from the negative impact of IT level attacks.
- Cross domain solutions, long used in the government and defense sectors, are now being applied by industry and critical infrastructure to provide isolation and secure communication between IT and OT domains while preserving the ability to communicate bidirectionally.
Cyberattacks Are Now a Major Source of Unplanned Downtime
Unplanned downtime is the bane of the process industries, manufacturing, and critical infrastructure. ARC estimates that unplanned downtime represents over a trillion dollars in lost revenue worldwide for the industrial and critical infrastructure sectors. In a refinery, an unplanned shutdown can wipe out your annual profit. An unplanned power outage can present extreme risks like loss of life and interruption of essential services. In the past, most unplanned downtime could be attributed to operator error or some unexpected or abnormal situation in the process being controlled.
The impact of recent cyberattacks on operations shows us that cyberattacks and incidents are now a major source of unplanned downtime, one that also frequently presents a risk to human lives, safety, and the environment. According to the US Government, the losses suffered in the NotPetya ransomware attack were more than $10 billion.
IT Level Attacks Have OT Level Consequences
Many of the losses suffered during NotPetya were from industrial, manufacturing, and critical infrastructure companies that had to shut down operations largely because of being attacked at the IT and enterprise level. Companies like Honda, Maersk, Merck, and Mondelez International all suffered OT-related losses and significant unplanned downtime. Maersk suffered between $200 and $300 million in losses because they had to shut down shipping operations. Merck is reported to have suffered $135 million in lost revenue and spent over $800 million remediating the effects of NotPetya and upgrading its cybersecurity.
Operations Must Be Secured from IT and Enterprise
Most of the technological advancements in OT level systems over the past decade have focused on seamless integration between OT and IT or business/enterprise level functions. The flow of data from the OT world to the IT world has expanded exponentially over the past decade with the influx of IoT. Unfortunately, cybersecurity has not kept pace. Despite large-scale deployment of a myriad of cybersecurity products and solutions, IT level cyberattacks still have OT level consequences.
Cross Domain Solutions Provide an Answer
Cross Domain Solutions (CDS) have long been deployed in defense and high sensitivity government applications where absolute security is necessary. CDSs ensure secure communications between trusted and untrusted domains.
What Is a Cross Domain Solution?
A cross domain solution (CDS) is an integrated information assurance system that can consist of both hardware and software. CDSs provide a controlled interface to manually or automatically enable or restrict the access or transfer of information between two or more security domains based on predetermined security policies. CDSs enforce domain separation and typically include some form of content filtering, which is used to designate information that is unauthorized for transfer between security domains or levels of classification.
CDS solutions consist of a combination of hardware and software using a hardened operating system and specialized tools like Security-Enhanced Linux. Cross domain solutions provide multiple layers of filtering and content inspection and provide a “protocol break” (in the form of a data diode), to enable secure connections between trusted and untrusted network domains.
Cross Domain Solutions vs. Firewalls
Industrial firewalls are ubiquitous in the world of industrial control systems. Most industrial facilities utilize firewalls to protect perimeters and provide zone segregation. However, firewalls themselves have numerous vulnerabilities and require ongoing effort in terms of configuration and maintenance. Firewalls are a great way to provide network security and should not be confused with cross domain solutions. It is exactly because of the vulnerabilities inherent in firewalls and other security offerings that cross domain solutions were developed. Originally, CDSs were deployed in the military, intelligence, and critical infrastructure sectors where a breach cannot be tolerated and can cost lives. CDSs have also typically passed an extremely rigorous testing process administered by the National Cross Domain Strategy Management Office (NCDSMO), a unit of the National Security Agency.
CDSs Have Lower Operational Costs
Another key difference between CDS and firewalls is long-term operational and maintenance costs. Firewalls require ongoing maintenance. Firewall rulesets must be periodically reviewed, regular firewall security audits should be done, firewall rulesets must be backed up, and firewall logs must be periodically reviewed.
Conversely, CDSs have much fewer rules to configure and less ongoing maintenance requirements. Where a firewall is more analogous to a deny-list strategy, where certain protocols and ports and services are blocked, a CDS is more like an allow list, where only certain kinds of communications and services are allowed. This is what makes CDSs so useful in supporting things like Mandatory Access Control (MAC) schemes and Role Based Access Control (RBAC).
Owl Cyber Defense Cross Domain Solutions
Owl Cyber Defense provides cross domain solutions for deterministic one-way and bidirectional data transfer to industry, manufacturing, and critical infrastructure. Owl’s IXD industrial cross domain solution is designed specifically for these applications. The underlying hardware and software platform that IXD was built upon was tested and certified to government standards for cross domain solutions and was achieved through the NSA’s Lab Based Security Assessment (LBSA) process.
IXD provides content inspection beyond the capabilities offered in next generation firewalls, hardware-enforced segmentation with data diodes, and the advanced data filtering engine of a software guard in one device. IXD transfers and filters multiple protocols and data types either unidirectionally or bidirectionally. IXD also includes built-in hardware enforcement through data diodes, which provides additional network segmentation benefits, including protocol breaks that disrupt attack vectors that cannot be stopped by other solutions such as firewalls. IXD also includes content filtering to control, restrict, and filter data transfers from trusted to untrusted domains.
Primary Components of IXD
Cross domain solutions are distinguished by their inclusion of a trusted hardware component, trusted operating system, and a trusted software component to ensure secure communication of sensitive and mission critical data between two separate domains.
Trusted Hardware Component
The hardware component of IXD is a hardware-enforced data diode that assures directionality using one-way fiber-optic connections. Fiber-optic transmitters and receivers enable the communications between each side of IXD. Each is physically able to only transmit or receive data. Each computer-system assembly consists of a complete x86 motherboard and ICE-PIC communication cards.
Trusted Operating System
IXD has a trusted operating system in the form of a customized distribution of Red Hat Enterprise Linux, including only the elements needed for IXD’s operation. The trusted OS also incorporates the Mandatory Access Control (MAC) mechanisms of RHEL. Security Enhanced Linux (SELinux) policy enforcement is employed to protect core system resources, as well as to be extensible to Trusted Software Components (TSCs).
Trusted Software Component
IXD’s Trusted Software Component (TSC) is comprised of software and configuration files that are loaded into the IXD from a Datakey RUGGEDrive™ during the system startup. The TSC application interfaces with the Trusted Operating System (TOS) to provide cross-domain filtering while enabling data transfer. The TSC is cryptographically bound to the hardware and the TOS. Since it is stored on a RUGGEDrive, the TSC can be removed and stored in a secure location once the IXD is operational, but it can also be left in place for automatic restarting if power is interrupted. IXD TSC supports one or more Protocol Adapters running simultaneously. The maximum number of Protocol Adapters and pipelines depends on the number of concurrent dataflows and the available resources of the IXD.
XML Linear Assured Pipeline
IXD features a series of non-bypassable filters that are repeated in both the source and destination domains to ensure data is thoroughly vetted. Protocol adaptors interface with the networks in each domain. Data is normalized and filtered against schemas and other criteria. Progress and outcome of each step is reported via Syslog, and system administrators can configure a sequence of filters appropriate to their use case.
IXD supports a broad range of protocols for industrial applications. Protocols supported in the IP suite of protocols include UDP, TCP/IP, HTTPS, ICCP, OPC DA, OPC A&E, Syslog, FTP, SFTP, and FTPS. IXD also supports REST protocol and database synchronization with Oracle TNS. Future protocol offerings include support of OSIsoft Asset Framework, SNMP, and email protocols, all to be launched in 2022. IXD also offers OSIsoft historian replication features and HMI screen replication.
CDSs Are Adopted by a Wide Range of Industries
Once found primarily in the world of defense and government applications, several suppliers are now offering CDSs that fit the requirements of a wide range of end users across industry and critical infrastructure. The hydrocarbons sector is the largest adopter today, from oil and gas exploration and production to pipelines and LNG applications. The downstream sector, including refining and petrochemicals, are also adopting the technology. CDSs are also being used in the chemicals, automotive, and power generation industries.
Regardless of the industry, end users are primarily deploying CDSs to achieve the highest level of security in communication between OT and IT domains. The amount of OT data being consumed at the IT and enterprise level continues to expand exponentially, and firewalls by themselves are not enough to provide the proper level of isolation between these domains.
Primary Use Cases
One of the most common use cases for CDSs in industrial and infrastructure applications is replication of process historian data to the enterprise, either on the business network or to the cloud. Owl’s OSIsoft PI historian replication capabilities are a good example of this. Other key use cases include:
- OT to IT OSIsoft PI Historian Replication with High Availability Failover
- Pipeline Compressor Pump Station Data to Business Network
- Safety Instrumented System to DCS to Business Network Communications
- Bently Nevada Vibration Data to Business Network
- Electrical Network Segmentation
- OPC Server Transfer Service
As the demand for more secure communications mounts between the world of OT and IT, end users should consider cross domain solutions (CDS) to provide better isolation and security of communications between these two domains. The lower operational and maintenance costs and requirements of CDSs combined with the level of security provided can make a cost-effective strategy for avoiding unplanned downtime at the OT level if an attack happens at the IT level. Conversely, CDSs prevent against attacks launched at the OT level pivoting to the IT network or cloud.
ARC Advisory Group clients can view the complete report at ARC Client Portal
If you would like to buy this report or obtain information about how to become a client, please Contact Us
Keywords: Cross Domain Solutions, CDS, OT Cyberattacks, Owl Cyber Defense, Data Diodes, Industrial Internet of Things, ARC Advisory Group.