Are you struggling to get your systems on the network with your IT department? Here are some insights on designing a cybersecure controls system that an IT department will know and trust.
The simple action of picking up your cell (mobile) phone and making a call belies the enormous amount of work that goes on behind the scenes to get the protocols and encryption standards approved—so that each phone can connect to the cellular network securely.
If we built our own cell phones at home, it's understandable that the network provider would (and should) quickly become “the department of no,” not allowing us to connect to their network. Many things could go wrong, and they would soon be on the hook for any issues our device might cause.
It really is no different from when we show up at the factory with an Ethernet-enabled PLC and ask our IT department to connect it to the factory network.
They don’t know anything about the PLC! And they have lots of questions...
What software is it running? What protocols is it using? What certification process has it gone through? What software tools does it use? It's a mystery box full of unknowns. It's only fair that they become “the department of no” to protect both the company and the network.
Like cell phone makers, most PLC manufacturers work hard to build their devices to comply with known standards and use established protocols. Sure, some take shortcuts, but those who have been in business for a few decades know that the price savings of any shortcuts are never worth it.
Sometimes, these mystery PLCs might not be "new." They may have been installed and reliably producing widgets for the past several years—they just have never been hooked to the network. However, at some point, the actionable data locked up in them finally outweighs "the department of no," and so the question is raised: “How can we safely and securely connect these mystery devices to our network?”
Ok, that was a long blog intro… ready for the short version?
Cybersecurity has manageable pain for measurable gain.
How do you manage the pain, and what's the gain?
Just like cell phone networks have been around long enough to have mature protocols and encryption, they also have skilled people who use monitoring and management tools. IT networks are no different.
Services that convert the PLC Ethernet MAC address to an IP address (DHCP), and then tie that IP to a hostname (DNS) have been around for decades. They are battle-hardened and have a cornucopia of tools to help your IT department monitor and manage every device on your network.
Your PLC should not be any different, but it probably is.
When designing the groov family, Opto 22 started with a clean sheet of paper. Still, we did not wipe out our decades of experience as one of the first (if not THE first) companies to build an industrial automation controller with a built-in Ethernet port.
This experience matters because the very first note on that clean sheet went something like this:
To the best of our abilities, we want to help our customers have an out-of-the-box cybersecure controller that the IT department will know and trust.
How did we go about this? Just like with cybersecurity, there is no one-click-fix—it's a process of design from the ground up. Three key design aspects were at the top of the list:
1. OS. We did not invent the core operating system. We chose an open-source Linux kernel that has been peer-reviewed since its conception in 1993. Three years later, on June 17th, 1996, the first stable version (1.1) of Debian was released. This is the platform that Opto built upon.
2. Cryptography. We then cryptographically sign that core OS with our key so that no one can change the firmware and thus change the core code running on the groov devices.
3. Dual networks. Lastly, the other out-of-the-gate cybersecurity technique we knew we had to have was dual, segmented network adapters to keep the operational technology (OT) network and the IT network separate.
With this foundation, we could deliver not just a PLC, but also an IPC (Industrial Personal Computer) and much more to you, so you can confidently take these to your IT departments and get quick approval to connect to the network.
Let's examine how these founding principles can change your cybersecurity attack surface by at least an order of magnitude. To do this, we need to start with the big picture: the daily reality that industrial control folks face each morning when they wake.
Below is a typical signal-to-data chain that most of you know, from the OT network on the left to the IT network on the right. Look at all the open locks. Each step, each device...each one is either (or both!) a software or hardware mystery box—an unknown cyber threat surface.
It is often said that the easiest vulnerability to address is the one you don’t include. The groov family collapses that long signal-to-data chain into just two or three parts.
Here is the same end result, but managed now with known software, protocols, encryption, and dual Ethernet ports. OT is still on the left, and IT is on the right. Just pause and consider for a moment how much less surface area this diagram has compared to the first.
Right here is your gain for the pain of consolidating that first image into the second.
With that big picture in mind, let's now look at our three key design points:
- OS
- Cryptography
- Dual networks
Core OS
Without getting too bogged down in specifics, let's use one example of a critical cybersecurity vulnerability that was found and addressed by the Linux community and see how Opto 22 responded. (You can read more about it if you want to dig into the specifics.)
I dug up the email chain from Opto 22 regarding this vulnerability, and it went something like this:
- Six minutes after the alert email was sent out, our engineers rallied. The VP of engineering assessed the threat, what SSL packages Opto uses, and what patches were required.
- 15 minutes later, the Linux package repositories here at Opto were updated, a new OS was built, and the QA (quality assurance) test was started.
- 45 minutes later, the firmware update was ready for our customers to download from our website.
Addressing a major cybersecurity vulnerability like Heartbleed in under an hour would just not be possible without leveraging an open-source, crowd-sourced solution like Linux.
Signed Firmware
Updating your PLC firmware should not open the door to running compromised code.
Stuxnet is often mentioned at this point in the topic, but by most accounts, it was more of a worm than replacement firmware. The point remains—too many systems have been compromised by tampered firmware.
The groov family simply will not allow it.
During the update process, the firmware's signature is always verified against our key, and the firmware will not load if there is a mismatch.
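As an added example (not Opto 22's code, and not its actual signing scheme or key material), here is the shape of that update gate in Go using Ed25519 over a SHA-256 digest: the vendor signs the image at build time, and the device refuses any image whose signature does not verify against the public key it already holds.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FirmwareImage bundles the raw image with the vendor's detached signature.
type FirmwareImage struct {
	Payload   []byte // the OS/firmware bytes that would be flashed
	Signature []byte // Ed25519 signature over sha256(Payload)
}

var ErrBadSignature = errors.New("firmware signature does not verify against vendor key; refusing to load")

// SignFirmware stands in for the vendor's build pipeline (assumed, not Opto 22's tooling):
// the private key never leaves the vendor; only the public key is baked into the device.
func SignFirmware(priv ed25519.PrivateKey, payload []byte) FirmwareImage {
	digest := sha256.Sum256(payload)
	return FirmwareImage{Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyAndLoad is the device-side gate. The image is accepted only if its
// signature checks out against the key the device already trusts; a tampered
// payload, a forged signature or a signature from some other key all fail here.
func VerifyAndLoad(vendorPub ed25519.PublicKey, img FirmwareImage) (bool, error) {
	digest := sha256.Sum256(img.Payload)
	if !ed25519.Verify(vendorPub, digest[:], img.Signature) {
		return false, ErrBadSignature
	}
	// Flashing the payload would happen here, after the check and never before.
	return true, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	img := SignFirmware(priv, []byte("constructed firmware image v1.0")) // constructed sample
	fmt.Println(VerifyAndLoad(pub, img)) // genuine image: true <nil>

	tampered := FirmwareImage{Payload: append([]byte("X"), img.Payload...), Signature: img.Signature}
	fmt.Println(VerifyAndLoad(pub, tampered)) // modified payload: false + ErrBadSignature
}
```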
Dual Networks
Segmenting the OT and IT networks is an extremely powerful tool that is built into the groov EPIC family.
As they come from the factory here in Temecula, California (yes, Opto 22 products are made in the USA), EPIC family products do not allow any routing of traffic between the two networks, and the built-in firewall even blocks traditional insecure industrial protocols like Modbus/TCP from being accessed via the IT network. This is just such a powerful head start to controlling access and application data flow between the two networks!
Of course, the built-in cybersecurity tools are not limited to just those three aspects, because building a cybersecure industrial automation system is not just a single product feature. It's often said that you can't "buy security," but the groov family of controllers and I/O sure come close to doing the bulk of the heavy lifting.
Your skills, deep knowledge, and experience in your factory—and your process—are the keys to building a secure control system for your facility with our hardware.
Next time you are on your phone, take a pause to think about the many different applications it runs, the connectivity it provides between those applications, and the networks it uses to move data around. Is it really that different from a modern PLC on the factory floor? Let's all work to be as safe and cybersecure as possible.
Till next time.
Cheers.
-Ben