This post will be on the light side, describing a demo I had fun making and about which my co-workers are tired of hearing me speak. Nonetheless, despite the geekiness of the demo, it was not an exercise in frivolity. The demo highlighted a few key capabilities Owl data diode products can support using a relevant use case for an industry I focus on – pharmaceutical manufacturing.
Let me tell you about it.
One manufacturing use case that we’ve been talking about with customers involves the Industrial Internet of Things (IIoT). Specifically, we’ve worked with customers to secure their IIoT systems and devices and send data directly from them to the cloud.
As I mentioned previously, the concept of the operational technology (OT) network perimeter, and common models such as the Purdue manufacturing model, are fragmenting as inexpensive sensors and connected devices proliferate across the manufacturing floor. The IIoT has changed how folks think about their networks, their machine data, and connectivity to solutions outside the OT network, specifically to cloud platforms for data aggregation and analytics.
However, this connection, from a machine or device to networks outside of the OT network, also opens a potential cyber threat vector. The concern is that this connected machine could be unsecured and open to intrusions from outside the OT, not to mention potentially leveraging a compromised machine to gain greater access into the OT and control networks.
This, of course, is where a data diode comes in.
Here at Owl, I focus on pharma manufacturing. So when I was heading to a conference where many pharma manufacturing automation engineers might be pondering this very issue of IIoT connectivity, I thought it would be a good opportunity to create a demo to showcase how a data diode can protect connected devices. And since I’ve a background in biochemistry (not to mention a personal penchant for brewing), I knew I wanted to do build something that could demonstrate and monitor live biochemical activity.
Like a bioreactor. Sort of.
I got together a flask containing malt, water, and yeast – a fair DIY approximation of a bioreactor. And of course, I added some sensors: a pH sensor, a dissolved solids (salts, basically) sensor, and a temperature probe. I also added a magnetic sensor to measure the rotation speed of the stir plate that spun a stir bar in the flask. All of this sensor data was collected and processed by an Arduino microprocessor. The Arduino sent data (via HTTP POST) directly to a cloud service IIoT dashboard via the data diode and a wireless gateway.
The Set Up
To configure the data transfer from the Arduino to the cloud service, we had to specify a few key parameters related to the security features of the data diode (see schematic below). First the Arduino was set to send the data to the IP address on the Source side of the data diode. The Source side of the data diode was set to accept connections from the Arduino IP address, on a specific port and with a specific protocol (HTTP). The Destination side of the data diode was set to receive this data and send it on to the IP address of the cloud service. As a bonus, because we connected the Destination side of the data diode to a wireless gateway, we didn’t need to connect it to a fixed network to get the data to the cloud.
The Demo in Action
The photo below shows the live demo set up at the PI World event this past September. There was also yeast growing in the spinning flask, so it was both a “live demo” and “alive demo.”
The screenshot below also shows the monitoring dashboard we set up. You can see changes in temperature caused by yeast growth and demo area crowd flows; a change in pH as the culture ages (I think that’s the cause); and spikes in the total dissolved solids as we spiked the flask with a liquid aminos solution (a soy sauce substitute, in case you’re wondering). While the dashboard doesn’t show it, the RPMs also changed as we fiddled with the stir plate speed.
Yes, in essence, in this demo the advanced, unhackable data diode was protecting but a humble Arduino, but think of the Arduino as a placeholder for a key machine or device in your network creating valuable data. PLCs, data historians, SCADA systems, safety systems, whatever it is that you need (or want) data from. The data diode provides a simple, clean mechanism to deliver data without opening any pathways for potential exploit or cyberattack.
We have many customers doing variations of this type of setup. For example, connecting a Rockwell PLC to a data diode and streaming Modbus or PI System data to a cloud repository. We see these direct to data diode setups as useful for organizations looking to securely adopt IIoT into their manufacturing. We also think these set ups can be good for those looking to easily stream data from contract manufacturers without using the contract manufacturer network.
What do you think? Are you interested in learning more how such a set up might help you?
Let us know.