The OT network needs to be highly secured, but… Many users on the IT network are dreaming to get access granted to OT to make their job easier!
Most industrial organizations start by deploying firewalls between IT and OT networks. However, such strategy creates new problems.
Enter data diodes. They promise total security from any attack from the IT to the OT network. But they also completely cut off any interactive access with OT applications, databases and protocols.
Some databases can be replicated to the IT network, where they can be used. But many applications, and most protocols, can’t be “replicated”.
Is there any way you can secure your OT network, while granting access to applications, databases and protocols?
Our solution: Secure Xchange Network
Yes, you can!
Seclab Secure Xchange has been used in Europe for many years. Like data diodes, it provides total protection from network layer attacks, but unlike data diodes, it adds full bi-directional communications between OT and IT.
Secure Xchange role is to Neutralize non expected content between 2 networks. It’s based today on an Appliance model.
Its core features are:
- Disassembly the transport layers, of any protocol;
- Prevent any attack at transport level, by being Hardware-based (vs. software);
- Do content analysis, or chain other products for such role.
Automation and Controls
Test & Measurement
Electrical Power Dist
Our technology : Neutralizer by Seclab
How do we do this? If you’re familiar with the seven-layer OSI model, you may know that the great majority of cyberattacks are propagated through layers 3 and 4,respectively Network and Transport layers. Attacks like Stuxnet, Black Energy, Wannacry, NotPetya, CrashOverride, etc. all rely on these two layers to spread themselves. No matter how devastating their “payloads” could be, without having access to the Network and Transport layers, these attacks simply can’t cause any damage thanks to Seclab.
Our Neutralizer technology destroys layers 1-4 of each packet from the IT network, while leaving layers 5 to 7 alone. It then re-creates layers 1-4 and inserts the new and fresh packet on the OT network.
Most attacks occur on layers 3 and 4 (Network and Transport); there is no possibility for any of those attacks to get through and end on the OT network.
Moreover, your users can continue to use applications, databases and protocols on the OT network, even though the level of security has greatly increased.
Question: There have been attacks at layer 7.
Since Secure Xchange transfers layers 5 to 7 unchanged from the IT to the OT network, how does this protects me from those attacks?
Answer: In two ways…
1. Secure Xchange enables traffic-direction Control. This allows you to specify, as illustration, that all Modbus sessions must originate from the OT network, so no attack on Modbus can ever come from the IT network. This is a very basic but powerful tool.
2. Sometimes, traffic-direction control isn’t the right approach. In those cases, you may deploy an application-layer firewall facing the Secure Xchange system.
You can tune this firewall to block application-layer attacks that apply to the specific applications of your OT environment. The firewall protects layers 5 to 7, while Secure Xchange protects the remaining: 1+1 = 3!.
Which Applications Work?
This doesn’t happen with Secure Xchange. Almost all applications, databases and protocols work without any change. For the very small number that won’t work properly, Seclab will engage with you to find a solution.