I recently attended DistribuTECH and OSIsoft PI World, as an exhibitor and a speaker, and I had a number of great conversations with attendees about cybersecurity in the industrial, commercial, and critical infrastructure verticals. These conversations ranged from the theoretical down to specific technologies, such as Owl data diode solutions, and touched on the varied requirements and challenges these particular industries face every day.
I have often found it helpful to refer people to the Department of Homeland Security's (DHS) recommendations for securing industrial control systems. The recommendations are outlined in a fantastic and highly informative white paper titled "Seven Strategies to Defend Industrial Control Systems". (If you haven't read it yet, I definitely recommend taking the time to get familiar with the DHS recommendations.)
The basic concept of the DHS strategies can be summarized as:
- If any external connections are for monitoring purposes only, convert them to one-way out
- If data transfers into the OT network are required (software updates, patches, etc.), convert as many as possible to one-way in
- Lock down any remaining two-way connections with a single open port over a restricted network path
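To make those three points something you can actually run against a connection inventory, here is an added example (not code from the page, from Owl, or from the DHS paper). It assumes a simple, hypothetical inventory format in which each IT/OT connection is recorded with its direction, purpose, open ports, permitted source hosts, and whether the one-way direction is enforced by a diode or only by firewall policy; the sample inventory is constructed for the example. Each flow is checked against the three points, and a one-way flow that relies on a firewall rule alone is flagged because its direction is not hardware-enforced.

```python
"""Audit an IT/OT connection inventory against the three DHS points above.

Hypothetical inventory format (an assumption for this example):
  direction   "out" (OT -> IT), "in" (IT -> OT) or "two-way"
  purpose     "monitoring", "update", "remote-access", ...
  ports       destination ports the path allows
  src_hosts   permitted source hosts/CIDRs ("0.0.0.0/0" means any)
  enforcement "diode" (hardware one-way) or "firewall" (policy only)
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

ANY = frozenset({"0.0.0.0/0"})  # "any source" marker in this toy inventory


@dataclass(frozen=True)
class Flow:
    name: str
    direction: str
    purpose: str
    ports: FrozenSet[int]
    src_hosts: FrozenSet[str]
    enforcement: str


def check_flow(f: Flow) -> List[str]:
    """Return findings for one flow; an empty list means it meets all three points."""
    findings: List[str] = []

    # Point 1: monitoring-only traffic should leave the OT network one-way.
    if f.purpose == "monitoring" and f.direction != "out":
        findings.append("monitoring-only traffic: convert to one-way out")
    # Point 2: inbound updates/patches should enter one-way, not over a two-way link.
    elif f.purpose == "update" and f.direction == "two-way":
        findings.append("inbound update traffic: convert to one-way in")

    if f.direction == "two-way":
        # Point 3: whatever must stay two-way gets one port over a restricted path.
        if len(f.ports) != 1:
            findings.append(
                f"two-way path exposes {len(f.ports)} ports; reduce to a single open port"
            )
        if not f.src_hosts or f.src_hosts & ANY:
            findings.append("two-way path is not restricted to named source hosts")
    elif f.enforcement != "diode":
        # A firewall rule makes a link one-way by policy; a diode makes it one-way physically.
        findings.append("one-way by firewall policy only; direction is not hardware-enforced")

    return findings


def audit(flows: List[Flow]) -> Dict[str, List[str]]:
    """Map each non-compliant flow name to its findings."""
    report: Dict[str, List[str]] = {}
    for f in flows:
        findings = check_flow(f)
        if findings:
            report[f.name] = findings
    return report


# Constructed sample inventory (not real site data).
INVENTORY = [
    Flow("historian-replication", "two-way", "monitoring",
         frozenset({5450}), frozenset({"10.0.1.5"}), "firewall"),
    Flow("historian-export", "out", "monitoring",
         frozenset({5450}), frozenset({"192.168.10.20"}), "firewall"),
    Flow("patch-staging", "in", "update",
         frozenset({445}), frozenset({"10.0.2.10"}), "diode"),
    Flow("vendor-remote-access", "two-way", "remote-access",
         frozenset({22, 3389, 5900}), ANY, "firewall"),
    Flow("alarm-forwarding", "out", "monitoring",
         frozenset({514}), frozenset({"192.168.10.20"}), "diode"),
    Flow("plc-engineering", "two-way", "remote-access",
         frozenset({502}), frozenset({"10.0.2.40"}), "firewall"),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Of the six constructed flows, only `patch-staging`, `alarm-forwarding` and `plc-engineering` pass: the first two are diode-enforced one-way paths with the right direction for their purpose, and the third is the legitimate two-way case, a single port from a single named host. The historian replication link is flagged because monitoring data does not need a return path, and the vendor access link because it opens three ports to any source.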
In general, these folks understand, and to a certain degree have embraced, the value of employing data diodes as a secure way to move data one-way, typically from the ICS/OT network to the IT/business network, or to move software updates one-way into a secured network. However, until now there has been no practical way to apply the benefits of hardware-based data diode security to communications that have to be two-way. So as the conversation progresses, people inevitably come out with some version of:
“I understand the value of using data diodes to move data one-way, but I have this one application that just cannot be one-way. How can you address that two-way requirement with data diodes?”
These two-way data streams frequently involve scenarios where the customer needs the ability to conduct remote command and control, remote monitoring, remote help desk, or even SCADA system replication. Think of an employee charged with monitoring a remote asset like a dam, substation, or a pump station. On a Saturday afternoon they receive an alarm on their mobile phone saying that a PLC setting requires attention. In the real world, remediating the alarm condition may involve a 50-mile drive to a remote asset, on a weekend, for a 5-minute PLC setting change. To make matters worse, the remote asset could be unmanned, and security also needs to be brought in to allow the employee onsite access.
Recently we’ve opened a new chapter in Owl’s network security solutions. After gathering feedback from conversations such as those at our recent trade shows and from our many diverse customers, we’ve taken the requests and requirements from the field and used them to develop a brand new product – ReCon.
ReCon was designed to close that two-way communication gap, combining the proven security benefits of a hardware-based solution with secure round-trip, bidirectional communication. It uses two one-way paths, each fully independent of the other and each enforced by its own hardware data diode built on Owl's proven DualDiode Technology. Each diode permits data to flow in only one direction (send or receive); together they form a complete bidirectional pathway with a much higher security profile than software-based tools such as firewalls. Keep in mind that a pair of one-way paths is still, end to end, a two-way connection, so the third DHS point applies to it as well: confine each path to the single port and the restricted network path the application actually needs.
For more information on ReCon, check out the data sheet or contact your Owl Account Executive, and check out the Solutions page of our website for more info on Owl’s other award-winning cybersecurity solutions.