The OT network needs to be highly secured, but… Lots of users on the IT network want access to OT to do their jobs!
Most industrial organizations start by deploying firewalls between IT and OT networks. However, there are problems with firewalls.
Enter data diodes. They promise total security from any attacks from the IT into the OT network. But they also completely cut off any interactive access with OT applications, databases and protocols.
Some databases can be replicated to the IT network, where they can be used. But many applications, and most protocols, can’t be “replicated”.
Is there any way that you can secure your OT network, yet still allow interactive access to applications, databases and protocols?
Our solution: Secure Xchange Network
Yes, you can!
Seclab Secure Xchange has been used in Europe for many years. Like data diodes, it provides total protection from network layer attacks, but unlike data diodes, it adds full bi-directional communications between OT and IT.
Secure Xchange role is to Neutralize non expected content between 2 networks. It’s based today on an Appliance model.
Its core features are:
- Disassembly the transport layers, of any protocol;
- Prevent any attack at transport level, by being chip-based (vs. software);
- Do content analysis, or chain other products for such.
Automation and Controls
Test & Measurement
Electrical Power Dist
Our technology : Neutralizer by Seclab
How do we do this? If you’re familiar with the seven-layer OSI model, you may know that the great majority of cyberattacks are propagated through layers 3 and 4, the Network and Transport layers respectively. Attacks like Stuxnet, Black Energy, Wannacry, NotPetya, CrashOverride, etc. all rely on these two layers to spread themselves. No matter how devastating their “payloads” are, without having access to the Network and Transport layers, these attacks simply can’t cause damage.
Our Neutralizer technology destroys layers 1-4 of each packet from the IT network, while leaving layers 5 to 7 alone. It then re-creates layers 1-4 and inserts the packet on the OT network.
Most attacks occur on layers 3 and 4 (Network and Transport); there is no possibility any of these attacks will get through to the OT network.
Moreover, your users can continue to use applications, databases and protocols on the OT network, even though the level of security has greatly increased.
There have been attacks at layer 7.
Since Secure Xchange passes layers 5 to 7 unchanged from the IT to the OT network, how does it protect against those attacks?
In two ways…
1. Secure Xchange offers Direction Control. This allows you to specify, for example, that all Modbus sessions must originate on the OT network, so no attack on Modbus can ever come from the IT network. This is a very powerful tool.
2. Sometimes, Direction Control isn’t practical. In those cases, you can deploy an application-layer firewall “in front of” Secure Xchange.
You can tune the firewall to block application-layer attacks that apply to the applications in your OT environment. The firewall protects layers 5 to 7, while Secure Xchange protects the rest.
Which Applications Work?
This doesn’t happen with Secure Xchange. Almost all applications, databases and protocols work without any change. For the very small number that won’t work properly, Seclab will engage with you to find a solution.