Smart but Easy Cybersecurity for Critical Systems

The problem

The OT network needs to be highly secured, but many users on the IT network want access to OT to make their jobs easier.

Most industrial organizations start by deploying firewalls between IT and OT networks. However, this strategy creates new problems.

Enter data diodes. They promise total security from any attack from the IT to the OT network. But they also completely cut off any interactive access with OT applications, databases and protocols.

Some databases can be replicated to the IT network, where they can be used. But many applications, and most protocols, can’t be “replicated”.

Is there any way you can secure your OT network, while granting access to applications, databases and protocols?

Our solution: Secure Xchange Network

Denelis V3

Yes, you can!

Seclab Secure Xchange has been used in Europe for many years. Like data diodes, it provides total protection from network layer attacks, but unlike data diodes, it adds full bi-directional communications between OT and IT.

Secure Xchange’s role is to neutralize unexpected content between two networks. Today it is delivered as an appliance.

Its core features are:

  • Disassemble the transport layers of any protocol;
  • Prevent any attack at transport level, by being hardware-based (vs. software);
  • Perform content analysis, or chain other products for that role.

Secure Xchange protects any OT system

  • Mobile equipment
  • Medical Machines
  • Diversified Manufacturers
  • Industrial Machinery
  • Building Equipment
  • Automation and Controls
  • Test & Measurement
  • Electrical Power Dist
  • Advanced Components
  • Power equipment

Our technology: Neutralizer by Seclab

How do we do this? If you’re familiar with the seven-layer OSI model, you may know that the great majority of cyberattacks are propagated through layers 3 and 4, the Network and Transport layers respectively. Attacks like Stuxnet, Black Energy, Wannacry, NotPetya, CrashOverride, etc. all rely on these two layers to spread. No matter how devastating their “payloads” could be, without access to the Network and Transport layers these attacks simply can’t cause any damage, and Seclab denies them that access.

Our Neutralizer technology destroys layers 1-4 of each packet from the IT network, while leaving layers 5 to 7 alone. It then re-creates layers 1-4 and inserts the new and fresh packet on the OT network.

Most attacks occur on layers 3 and 4 (Network and Transport); none of those attacks can get through and end up on the OT network.

Moreover, your users can continue to use applications, databases and protocols on the OT network, even though the level of security has greatly increased.

Question: There have been attacks at layer 7.
Since Secure Xchange transfers layers 5 to 7 unchanged from the IT to the OT network, how does this protect me from those attacks?

Answer: In two ways…

1. Secure Xchange enables traffic-direction control. This allows you to specify, for example, that all Modbus sessions must originate from the OT network, so no attack on Modbus can ever come from the IT network. This is a very basic but powerful tool.

2. Sometimes, traffic-direction control isn’t the right approach. In those cases, you may deploy an application-layer firewall facing the Secure Xchange system.
You can tune this firewall to block application-layer attacks that apply to the specific applications of your OT environment. The firewall protects layers 5 to 7, while Secure Xchange protects the remaining layers: 1+1 = 3!

Which Applications Work?

All applications, databases and protocols are developed under the assumption that the user will have interactive (bi-directional) access. Since data diode solutions block interactive access, there always needs to be a special workaround for any application that your IT network users still need to use – e.g. database replication.
But many applications, and most industrial protocols like Modbus, can’t be “replicated” to the IT network. With a data diode, there is no solution for this, other than moving physically to the OT network.

This doesn’t happen with Secure Xchange. Almost all applications, databases and protocols work without any change. For the very small number that won’t work properly, Seclab will engage with you to find a solution.

Resources

(EN) The Secure Xchange Story

(EN) White Paper: A new way to Protect your OT network

(FR) Denelis Secure Xchange : La preuve par 4

For More Information

+33 (0)4 11 930 859
contact@seclab-security.com