Smart but Easy Cybersecurity for Critical Systems

The problem

The OT network needs to be highly secured, but… Lots of users on the IT network want access to OT to do their jobs!

Most industrial organizations start by deploying firewalls between IT and OT networks. However, there are problems with firewalls.

Enter data diodes. They promise total security from any attacks from the IT into the OT network. But they also completely cut off any interactive access with OT applications, databases and protocols.

Some databases can be replicated to the IT network, where they can be used. But many applications, and most protocols, can’t be “replicated”.

Is there any way that you can secure your OT network, yet still allow interactive access to applications, databases and protocols?

Our solution: Secure Xchange Network

Denelis V3

Yes, you can!

Seclab Secure Xchange has been used in Europe for many years. Like data diodes, it provides total protection from network layer attacks, but unlike data diodes, it adds full bi-directional communications between OT and IT.

The role of Secure Xchange is to neutralize unexpected content between two networks. Today it is delivered as an appliance.

Its core features are:

  • Disassemble the transport layers of any protocol;
  • Prevent any attack at the transport level by being chip-based (vs. software);
  • Perform content analysis, or chain other products to do so.

Secure Xchange protects any OT system

  • Mobile equipment
  • Medical Machines
  • Diversified Manufacturers
  • Industrial Machinery
  • Building Equipment
  • Automation and Controls
  • Test & Measurement
  • Electrical Power Dist
  • Advanced Components
  • Power equipment

Our technology: Neutralizer by Seclab

How do we do this? If you’re familiar with the seven-layer OSI model, you may know that the great majority of cyberattacks are propagated through layers 3 and 4, the Network and Transport layers respectively. Attacks like Stuxnet, BlackEnergy, WannaCry, NotPetya, CrashOverride, etc. all rely on these two layers to spread themselves. No matter how devastating their “payloads” are, without access to the Network and Transport layers, these attacks simply can’t cause damage.

Our Neutralizer technology destroys layers 1-4 of each packet from the IT network, while leaving layers 5 to 7 alone. It then re-creates layers 1-4 and inserts the packet on the OT network.

Since most attacks occur on layers 3 and 4 (Network and Transport), there is no possibility that any of these attacks will get through to the OT network.

Moreover, your users can continue to use applications, databases and protocols on the OT network, even though the level of security has greatly increased.
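
The following Python sketch, added here as an illustration and not Seclab's code or a model of its chip-based implementation, shows the protocol-break idea described above: only the layer 5 to 7 payload of an IT-side frame is kept, and layers 2 to 4 are rebuilt from gateway-side values. All addresses, ports and the sample Modbus/TCP request are constructed, and checksums are left at zero for brevity.

```python
import socket
import struct

def build_frame(smac, dmac, sip, dip, sport, dport, payload,
                ttl=64, ip_opts=b"", flags=0x18, urg=0):
    """Wrap payload in Ethernet/IPv4/TCP headers (checksums left 0 for brevity)."""
    ihl = 5 + len(ip_opts) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, urg)
    total = ihl * 4 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, ttl, 6, 0,
                     socket.inet_aton(sip), socket.inet_aton(dip)) + ip_opts
    eth = bytes.fromhex(dmac.replace(":", "") + smac.replace(":", "")) + b"\x08\x00"
    return eth + ip + tcp + payload

def extract_payload(frame):
    """Read layers 2-4 only to locate the layer 5-7 data; reject malformed input."""
    ip = frame[14:]
    if frame[12:14] != b"\x08\x00" or len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 6:
        raise ValueError("not an IPv4/TCP frame")
    ihl = (ip[0] & 0x0F) * 4
    total = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or total > len(ip) or ihl + 20 > total:
        raise ValueError("inconsistent IP lengths")
    doff = (ip[ihl + 12] >> 4) * 4
    if doff < 20 or ihl + doff > total:
        raise ValueError("inconsistent TCP data offset")
    return ip[ihl + doff:total]

def neutralize(frame, ot_side):
    """Drop the sender's layer 2-4 headers entirely; rebuild them from local config."""
    return build_frame(payload=extract_payload(frame), **ot_side)

# Constructed sample: Modbus/TCP "read holding registers" request (unit 1, 2 registers).
MODBUS_REQ = bytes.fromhex("000100000006010300000002")
# Constructed IT-side frame with unusual header fields: TTL 1, IP options, URG pointer.
IT_FRAME = build_frame("02:00:00:00:00:aa", "02:00:00:00:00:01", "10.0.0.5", "10.0.0.1",
                       40000, 502, MODBUS_REQ, ttl=1, ip_opts=b"\x01" * 4,
                       flags=0x38, urg=7)
# Hypothetical OT-side values the gateway uses for the re-created headers.
OT_SIDE = dict(smac="02:00:00:00:00:02", dmac="02:00:00:00:00:bb",
               sip="192.168.1.1", dip="192.168.1.20", sport=50000, dport=502)

if __name__ == "__main__":
    out = neutralize(IT_FRAME, OT_SIDE)
    print(len(IT_FRAME), "->", len(out), "bytes; payload kept:",
          extract_payload(out) == MODBUS_REQ)
```

The IP options, TTL and urgent pointer chosen by the IT-side sender do not appear in the rebuilt frame, while the Modbus request bytes are unchanged, which is why layer 5 to 7 content still needs the controls described in the next section.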

There have been attacks at layer 7.
Since Secure Xchange passes layers 5 to 7 unchanged from the IT to the OT network, how does it protect against those attacks?

In two ways…

1. Secure Xchange offers Direction Control. This allows you to specify, for example, that all Modbus sessions must originate on the OT network, so no attack on Modbus can ever come from the IT network. This is a very powerful tool.

2. Sometimes, Direction Control isn’t practical. In those cases, you can deploy an application-layer firewall “in front of” Secure Xchange.
You can tune the firewall to block application-layer attacks that apply to the applications in your OT environment. The firewall protects layers 5 to 7, while Secure Xchange protects the rest.

Which Applications Work?

All applications, databases and protocols are developed under the assumption that the user will have interactive (bi-directional) access. Since data diode solutions block interactive access, there always needs to be a special workaround for any application that your IT network users still need to use – e.g. database replication.
But many applications, and most industrial protocols like Modbus, can’t be “replicated” to the IT network. With a data diode, there is no solution for this, other than moving physically to the OT network.

This doesn’t happen with Secure Xchange. Almost all applications, databases and protocols work without any change. For the very small number that won’t work properly, Seclab will engage with you to find a solution.

Resources

(EN) The Secure Xchange Story

(EN) White Paper: A new way to Protect your OT network

(FR) Denelis Secure Xchange : La preuve par 4

For More Information

+33 (0)4 11 930 859
contact@seclab-security.com