Waterfall Security Solutions (https://waterfall-security.com), "Unbreachable OT security, unlimited OT connectivity". Feed updated Thu, 28 Aug 2025 20:19:01 +0000.

Post: https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/secure-industrial-remote-access-solutions/ (Thu, 28 Aug 2025 20:19:01 +0000)

Secure, efficient, and reliable industrial remote access solutions enable monitoring, maintenance, and troubleshooting of SCADA and control systems from anywhere, protecting critical operations.

Secure Industrial Remote Access Solutions

Industrial remote access enables secure, efficient connectivity to SCADA, PLCs, and other control systems, supporting maintenance, monitoring, and troubleshooting. Best practices include robust authentication, encryption, network segmentation, and compliance with standards like IEC 62443 and NIST, while solutions like Waterfall’s HERA provide zero-trust, reliable remote access for critical industrial operations.
By the Waterfall team

In today’s hyperconnected industrial world, remote access has become both a necessity and a risk. Organizations across manufacturing, energy, utilities, and critical infrastructure rely on remote connectivity to monitor systems, troubleshoot equipment, and enable vendor support without dispatching teams onsite. While this brings significant efficiency and cost benefits, it also introduces new security challenges. Unsecured or poorly managed remote connections can serve as entry points for cyberattacks, threatening operational continuity and even safety.

Industrial remote access, therefore, requires a comprehensive framework—one that balances the operational need for connectivity with rigorous security controls. This framework isn’t just about VPNs or firewalls; it encompasses identity management, secure protocols, granular access policies, and continuous monitoring, all tailored to the unique demands of operational technology (OT) environments.

Definition and Scope

What is Industrial Remote Access?
Industrial remote access refers to the secure ability to connect to industrial systems, equipment, and control environments—such as SCADA, PLCs, and HMIs—from distant locations. This connectivity enables operators, engineers, and vendors to monitor performance, troubleshoot issues, deploy updates, and maintain equipment without being physically present at the facility.

How it differs from IT Access

Unlike general IT remote access solutions (think remote desktop tools or corporate VPNs), industrial remote access must account for the unique requirements of operational technology (OT). OT systems prioritize availability, safety, and reliability over typical IT concerns like data confidentiality. While IT remote access is often focused on office productivity, industrial remote access deals with real-time processes, critical infrastructure, and potentially life-safety functions—making its risk profile significantly higher.

A Brief Historical Evolution

Remote access in industry began with direct connections—dial-up modems or leased lines that allowed engineers to reach specific machines. Over time, this evolved into VPN-based approaches and, more recently, cloud-enabled remote access platforms. Each step has increased flexibility and ease of use, but also expanded the attack surface. Today, modern solutions integrate identity and access management, encrypted communications, and continuous monitoring to strike a balance between connectivity and security.

Importance in Modern Manufacturing

Role in Industry 4.0 and Smart Manufacturing

Industrial remote access is a cornerstone of Industry 4.0, where interconnected devices, automation, and data-driven insights define the future of manufacturing. Smart factories depend on continuous access to machine data, predictive maintenance, and real-time monitoring—all of which require reliable and secure remote connectivity. Without industrial remote access, the promise of fully digitalized and adaptive manufacturing environments would remain out of reach.

Benefits for Modern Operations

The practical advantages of industrial remote access are compelling. Manufacturers can dramatically reduce downtime by enabling engineers to diagnose and resolve problems without waiting for travel or onsite presence. Remote updates and configuration changes cut costs while ensuring systems stay current with minimal disruption. Most importantly, operational efficiency improves when plants can be monitored and optimized from anywhere, allowing scarce engineering talent to support multiple sites simultaneously.

Adoption Rates Across Sectors

Adoption of industrial remote access has accelerated rapidly. According to industry surveys, more than 60% of manufacturers now use some form of remote access for equipment maintenance, with adoption highest in sectors like energy, automotive, and pharmaceuticals. The pandemic further accelerated this trend, as facilities sought safe ways to maintain continuity without sending large teams onsite. These adoption rates underscore that remote access is no longer a “nice-to-have,” but an operational necessity in competitive, modern manufacturing.

Key Stakeholders and Use Cases

Machine Builders and OEMs Providing Remote Support

Original Equipment Manufacturers (OEMs) and machine builders increasingly rely on remote access to deliver timely support for their equipment deployed at customer sites. Instead of dispatching technicians worldwide, OEMs can diagnose faults, apply software patches, and guide operators in real time. This not only enhances customer satisfaction but also opens opportunities for new service-based business models.

System Integrators and Remote Commissioning
System integrators play a critical role in setting up and maintaining industrial systems. With secure remote access, they can perform commissioning tasks, configure programmable logic controllers (PLCs), and troubleshoot integration issues without physically being onsite. This accelerates project timelines, lowers costs, and ensures quicker adaptation to client needs.

Plant Operators Monitoring Production Lines
For plant operators, remote access provides continuous visibility into production processes. Operators can track performance metrics, spot deviations, and intervene as necessary from any location. This level of oversight ensures not only higher productivity but also quicker response to emerging issues, which can prevent costly downtime and safety incidents.

Maintenance Teams and Preventive Care
Maintenance engineers benefit enormously from industrial remote access. With real-time monitoring, they can detect anomalies before failures occur, plan preventive maintenance, and conduct corrective interventions remotely when possible. This proactive approach extends equipment life, reduces unplanned outages, and optimizes spare parts management.

Technical Architecture and Components

Connection Methods

VPN Tunnels and Secure Connection Protocols

Virtual Private Networks (VPNs) are one of the most common methods for establishing secure remote connections to industrial environments. They create encrypted tunnels that shield data traffic between external users and internal control systems, helping to prevent unauthorized interception. When paired with industrial-grade firewalls and authentication controls, VPNs provide a strong security foundation for remote access.

Cellular Connectivity Options (4G/5G)

Cellular connections have become increasingly attractive for remote industrial sites where wired infrastructure is limited or unavailable. With the advent of 4G and especially 5G, industrial facilities can achieve low-latency, high-bandwidth connectivity suitable for real-time monitoring and even control tasks. However, security hardening and proper device management are critical to prevent exploitation of cellular endpoints.

Ethernet Solutions for Local and Wide Area Networks

Ethernet-based connections remain a cornerstone of industrial networking. Whether through local area networks (LANs) within a plant or wide area networks (WANs) linking multiple facilities, Ethernet provides reliable, high-speed data transfer for SCADA, PLCs, and other control devices. Segmenting industrial Ethernet networks into security zones and managing traffic with firewalls ensures safe integration of remote access capabilities.

Internet-Based Access Mechanisms

As Industry 4.0 pushes systems toward cloud integration, internet-based access has become more widespread. Technologies such as secure web gateways, remote desktop protocols (RDP), and vendor-provided cloud platforms enable access through standard internet connections. While highly flexible, these methods also broaden the attack surface, making robust encryption, authentication, and monitoring essential components of secure deployment.

Hardware Infrastructure

Edge Gateways

Industrial-Grade Remote Access Gateways

Edge gateways are specialized devices that serve as secure bridges between external networks and industrial control systems. Unlike generic IT routers, industrial-grade remote access gateways are built with features tailored for OT, such as deep protocol inspection, built-in encryption, and role-based access control. They form a critical first line of defense, ensuring that only authorized and authenticated connections reach sensitive equipment.

Ruggedized Design for Harsh Environments

Industrial environments often involve extreme temperatures, dust, vibration, or electrical noise—conditions that typical IT hardware cannot withstand. Ruggedized edge gateways are designed to operate reliably in these harsh settings, providing uninterrupted remote access even in mission-critical facilities such as oil rigs, power plants, or manufacturing floors. This resilience is essential to maintaining secure connectivity without compromising system uptime.

Integration Capabilities with Existing Infrastructure

One of the strengths of modern edge gateways is their ability to integrate seamlessly with existing industrial infrastructure. They support a wide range of industrial protocols (e.g., Modbus, OPC UA, PROFINET) and can connect legacy equipment to modern remote access frameworks. This makes them invaluable for organizations seeking to modernize their systems incrementally while maintaining backward compatibility with their operational technology.

Control Systems Integration

PLC Connectivity Options

Programmable Logic Controllers (PLCs) are at the heart of industrial automation, and enabling secure remote access to them is essential for monitoring, programming, and troubleshooting. Modern solutions offer connectivity through encrypted VPN tunnels, protocol-specific gateways, or cloud-based interfaces, ensuring engineers can manage PLCs without exposing them directly to the internet. This secure connectivity reduces the risk of unauthorized manipulation while allowing timely interventions.

HMI Remote Visualization Techniques

Human-Machine Interfaces (HMIs) provide operators with a window into industrial processes, and remote visualization extends this capability beyond the plant floor. Techniques such as web-based dashboards, thin-client applications, or secure remote desktop sessions allow engineers to view and interact with HMI screens from afar. When properly secured, this enables faster response times and decision-making without compromising the integrity of the control system.

Control Panel Access Methodologies

Traditional control panels house critical switches, indicators, and manual overrides. With remote access, these panels can be virtually replicated, giving authorized users the ability to monitor or control key functions securely. Methods range from digital twins to secure remote terminal access, which balance the need for operator flexibility with strict safeguards that prevent unsafe operations or accidental activations.

Remote Access Client Applications

Client applications are the user-facing software that enable engineers, operators, and service providers to establish secure connections to industrial assets. These lightweight tools often include multi-factor authentication, encryption, and role-based access to ensure that only authorized users can reach sensitive systems. A well-designed client simplifies the user experience while embedding strong security by default.

Server-Side Management Platforms

Behind every secure remote access solution lies a management platform that enforces policies, provisions users, and controls connectivity. These platforms often reside on-premises, in the cloud, or as hybrid solutions, and provide administrators with centralized visibility and governance. By managing sessions, configurations, and permissions from a single interface, they reduce complexity while strengthening compliance and security.

Authentication and Authorization Systems

Robust authentication and fine-grained authorization are the backbone of secure remote access. Beyond simple usernames and passwords, modern solutions employ multi-factor authentication (MFA), certificate-based access, and role-based control to ensure that users can only perform actions aligned with their responsibilities. In SCADA and industrial contexts, this limits the potential impact of compromised accounts or insider misuse.

Monitoring and Logging Tools

Visibility is essential in remote access environments, and monitoring and logging tools provide the audit trail needed for both security and operational oversight. These systems capture session details, command histories, and user activity, which can be analyzed for anomalies or compliance reporting. Real-time monitoring also enables rapid detection of unauthorized actions, helping to contain potential threats before they escalate.

Security Framework for Industrial Remote Access

Threat Landscape

Common Attack Vectors Targeting Industrial Systems

Industrial systems face attack vectors ranging from stolen credentials and phishing to compromised remote access tools and exploitation of unpatched software. Attackers frequently exploit weak authentication, exposed VPNs, and misconfigured firewalls to gain an initial foothold. Once inside, they may move laterally across the network to target control systems, disrupt operations, or exfiltrate sensitive data.

Documented Incidents and Case Studies

Real-world incidents highlight the risks of insecure remote access. For example, the 2021 Oldsmar water treatment facility breach involved an attacker remotely accessing operational systems and attempting to manipulate chemical levels in the water supply. Similarly, ransomware campaigns have locked out operators from remote monitoring systems, forcing costly shutdowns. These cases underscore the dangers of inadequate security controls.

Emerging Threats Specific to Remote Industrial Environments

As industrial environments increasingly rely on cloud-based connectivity, IoT devices, and mobile access, new threats emerge. Attackers are developing malware tailored to industrial protocols, exploiting insecure edge devices, and leveraging supply chain compromises to infiltrate trusted systems. The rise of ransomware-as-a-service and nation-state actors targeting critical infrastructure further amplifies the risk, making proactive defense measures essential.

Compliance and Standards

IEC 62443 Requirements for Remote Access

IEC 62443, the leading standard for industrial automation security, establishes strict requirements for secure remote access. It outlines measures such as strong authentication, session encryption, access control policies, and audit logging. Compliance ensures that remote connectivity to control systems is governed by the principle of least privilege and monitored to detect anomalies.

NIST Cybersecurity Framework Application

The NIST Cybersecurity Framework (CSF) provides a flexible model for managing risk in industrial environments, including remote access. By applying its five core functions—Identify, Protect, Detect, Respond, and Recover—organizations can align remote access strategies with broader cybersecurity goals. For example, the “Protect” function stresses identity management and access controls, while “Detect” highlights continuous monitoring of remote sessions.

Industry-Specific Regulations and Guidelines

Different industrial sectors have their own compliance mandates for remote access security. Energy companies must follow NERC CIP standards, while pharmaceutical manufacturers often adhere to FDA regulations for electronic records integrity. The oil and gas sector may face additional regional requirements. Aligning remote access practices with these sector-specific guidelines not only reduces risk but also ensures legal and regulatory compliance.

Certification Processes for Secure Remote Access Solutions

Vendors offering remote access technologies are increasingly seeking certifications to demonstrate compliance and trustworthiness. Certifications such as IEC 62443-4-2 for components or third-party security audits validate that solutions meet stringent cybersecurity requirements. For end-users, choosing certified solutions helps reduce vendor risk and provides assurance that the tools enabling remote access won’t become the weakest link in the control environment.

Securing industrial remote access is no longer optional—it’s essential for protecting operations, maintaining uptime, and safeguarding critical infrastructure. By implementing best practices across authentication, encryption, network segmentation, and monitoring, organizations can reduce risk while reaping the benefits of modern connectivity. 

To see how these principles are applied in practice, explore Waterfall’s HERA remote access solution, a purpose-built platform that provides secure, reliable, and zero-trust remote connectivity for industrial systems. 

Learn more about HERA and how it can safeguard your operations today.

About the author

Waterfall team

FAQs About Industrial Remote Access Solutions

Industrial Remote Access Solutions are specialized technologies that allow authorized personnel to securely connect to industrial control systems—such as SCADA, PLCs, and HMIs—from remote locations. These solutions enable monitoring, troubleshooting, maintenance, and updates without requiring on-site presence, all while addressing the unique requirements of operational technology (OT) environments where availability, reliability, and safety are critical. They typically combine secure connectivity methods, robust authentication and access controls, monitoring and logging, and seamless integration with both modern and legacy industrial systems, ensuring that remote access enhances efficiency without compromising security.


We need industrial remote access solutions because modern industrial operations demand real-time monitoring, rapid troubleshooting, and efficient maintenance across geographically dispersed facilities. Remote access enables engineers, operators, and vendors to respond quickly to issues, reduce downtime, and optimize production without the delays and costs of traveling on-site. Additionally, with the rise of Industry 4.0, cloud integration, and smart manufacturing, secure remote connectivity is essential for leveraging data-driven insights, predictive maintenance, and continuous process optimization—all while maintaining strict security controls to protect critical infrastructure from cyber threats.

The main use cases for industrial remote access solutions include equipment monitoring, troubleshooting, and maintenance, allowing engineers and operators to diagnose issues and apply fixes without being physically on-site. They also support system commissioning, configuration updates, and software patching for PLCs, SCADA, and HMIs. Additionally, remote access enables vendor and contractor support, real-time production monitoring, and data collection for analytics and predictive maintenance. These use cases improve operational efficiency, reduce downtime, lower costs, and ensure that industrial facilities can respond rapidly to both routine and emergency situations while maintaining security and compliance.

Post: https://waterfall-security.com/ot-insights-center/power/remoting-into-renewables-the-latest-guidelines-for-secure-remote-access-applied-to-renewables-generation/ (Thu, 28 Aug 2025 12:03:00 +0000)

Remoting Into Renewables – the latest guidelines for secure remote access applied to renewables generation

Join our webinar on Sep 30th, 12PM EST, to learn how secure access can enhance both safety and performance in renewable energy operations.

Join us on September 30th, 12 PM Eastern Time

Remoting into Renewables

As renewable energy continues to dominate new power generation projects across North America and the EU, organizations must find ways to support remote operations without compromising cybersecurity. Wind and solar sites, often remote and digitally connected, demand secure access solutions that meet both operational and regulatory needs.

This webinar explores how energy leaders are balancing efficiency with cyber resilience. We’ll cover the latest guidance from CISA, CCCS, and others, with a spotlight on hardware-enforced, unidirectional remote access, now widely recommended for high-consequence OT environments.

Whether you're planning a new facility or optimizing an existing one, you'll gain insights into:

- The business impact of secure remote access
- Safe, scalable deployment strategies
- Aligning cybersecurity with operational goals
- Real-world adoption: how renewables operators are deploying these technologies today.

About the Speakers


Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 23,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.

Lior Frenkel

With more than 20 years of hardware and software research and development experience, Mr. Frenkel leads Waterfall Security with extensive business and management expertise. As part of his thought leadership and contribution for the industry, Lior serves as member of management at Israeli High-Tech Association (HTA), of the Manufacturers’ Association of Israel and Chairman of the Cyber Forum of HTA.

Post: https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/nis2-and-the-cyber-resilience-act-cra-episode-142/ (Mon, 18 Aug 2025 08:29:50 +0000)

NIS2 and the Cyber Resilience Act (CRA) – Episode 142

NIS2 legislation is late in many EU countries, and the new CRA applies to most suppliers of industrial / OT computerized and software products to the EU. Christina Kiefer, attorney at reuschlaw, walks us through what's new and what it means for vendors, as well as for owner / operators.


“So NIS2 is focusing on cybersecurity of entities, and the CRA is focusing on cybersecurity for products with digital elements.” – Christina Kiefer

Transcript of NIS2 and the Cyber Resilience Act (CRA) | Episode 142

Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.

Nathaniel Nelson
Welcome everyone to the Industrial Security Podcast. My name is Nate Nelson. I’m here with Andrew Ginter, the Vice President of Industrial Security at Waterfall Security Solutions, who’s going to introduce the subject and guest of our show today. Andrew, how’s it going?

Andrew Ginter
I’m very well, thank you, Nate. Our guest today is Christina Kiefer. She is an Attorney at Law and a Senior Associate in the Digital Business Department of reuschlaw. And she’s going to be talking to us about cybersecurity regulation in the European Union. As we all know, NIS2 is coming and there’s other stuff coming too.

Nathaniel Nelson
Then without further ado, here’s your conversation with Christina.

Andrew Ginter
Hello, Christina, and welcome to the podcast. Before we get started, can I ask you to say a few words, introduce yourself and your background, and tell us a bit about the good work that you’re doing at reuschlaw.

Christina Kiefer
Yes, of course. So first of all, thank you very much for the invitation. I’m very happy to be in your podcast today. So, yeah, my name is Christina Kiefer. I’m an attorney at law working as a senior associate at our digital business unit in the law firm reuschlaw.

Christina Kiefer
We are based in Germany and reuschlaw is one of Europe’s leading commercial law firms specialized in product law. And for more than 20 years, our team of approximately 30 experts has been advising companies in dynamic industries, both nationally but also internationally.

Christina Kiefer
And for me myself, in my daily work, I advise companies and also public institutions on complex issues in the areas of data protection, cybersecurity, but also IT and contract law.

And one focus of my work is on supporting clients in the introduction of digital products in the EU market. And also looking at the field of cybersecurity and IT law. Since my studies, I have already focused on IT law and cybersecurity. And yes, I have been involved in the legal development since then in this area.

Andrew Ginter
Thank you for that. And our topic is, you know, the law in Europe for cybersecurity, its regulation. The big news in Europe is, of course, NIS2. And it’s not a law, it’s a directive to the nation states to produce laws, to produce regulations. So every country is going to have its own laws. Can I ask you for an update? How’s that going? Who’s got the law? I thought there was a deadline. Do the nations of Europe have this covered or is it still coming?

Christina Kiefer
Yes, so it’s the last point, so it’s still coming. Some countries have already transposed the NIS2 Directive into national law, but also a lot of countries are still in the developing and the transposition period.

And that’s why it is confusing, because the NIS2 Directive has already been in force since January 2023, and also the deadline for the EU member states to transpose the NIS2 directive into national law was October 2024.

So because of that, because a lot of member states haven’t transposed the NIS2 directive into national law, the EU Commission has launched an infringement proceeding against 23 member states last fall in 2024. And this has led to some movements in some EU member states. So as of now, 10 countries have fully transposed NIS2 into national law.

So for example, Belgium, Finland, Greece or Italy. And then another 14 countries have published at least some draft legislation so far. And there you can name Bulgaria, Denmark and also Germany. And then there are also two countries, it’s Sweden and Austria, and those two EU member states, they have not published either a draft or a final national law. So there we have no public information available on their implementation status yet.

Andrew Ginter
And, you know, someone watching this from the outside with, you know, a command of English and a very limited command of German, is there sort of a standard place that a person like me looking at this from the outside could go to find all this stuff? Or is it on every country’s national website in a different language in a different location? Is there any central repository of these rules?

Christina Kiefer
No, not yet at least. Maybe there will be some private websites where you can find all the different implementation information. But until now, when you are a company, either within or outside the EU, when you are providing your services into the EU market, you have to comply with the NIS2 directive. And this means you have to comply with the national laws in each EU member state.

And this is a big challenge for all international companies because they have to check each national law of each EU member state and they have to check if they fall under the scope of application. And what is also very important is that the different national laws have different obligations. So the NIS2 directive has a minimum standard which all national legislators have to fulfill. But on top of this, some EU member states have imposed more obligations or a portal for registration or new reporting obligations.

So you have to check for each EU member state. But here we can also help because we see in our daily work that this is a very, very hard challenge for companies to check all the laws and also understand all the national laws. We offer a NIS2 implementation guide where you can get regular updates and an overview of how the different EU member states have transposed NIS2.

And yes, in addition to this, we also have a NIS2 reporting and obligation guide, especially looking at the reporting and registration obligations to see where you have to register in each EU member state. So you can book our full guide, but we also post some overviews on LinkedIn and in our newsletter.

Andrew Ginter
So thanks for that. You touched on the goal of NIS2, which was to increase consistency among the nation states of Europe in terms of their cyber regulations, and in my understanding, to increase the strength of those regulations across the board. How’s that coming? Are the regulations that are coming out stronger than we saw with NIS2? And are they consistent?

Christina Kiefer
Well, it’s… correct that the idea behind NIS2 or the NIS2 directive was to create ah stronger and also more consistent cybersecurity framework across the whole EU and the EU market. And also the NIS2 directive should also cover a broad set of sectors for regulated companies. So there should be some consistency within the EU. but it’s an EU directive and not an EU regulation. So this means the NIS2 directive sets only a minimum standard to all EU member states that they can then transpose into national law. And that’s why EU member states are allowed also to go beyond if they want to. And some of the EU member states have already done this. this So what we’re seeing right now, looking at the national laws which have already been enacted and also looking at the draft of some national laws, we see quite a mixed picture. So we don’t see a whole consistency what a lot of companies were hoping for. We see more like a mixed picture with some countries like Belgium again, for example.

They have pretty much stuck to the core of the directive and haven’t added much on top. So there, for you as a company, when you’re looking at the NIS2 directive or when you have already looked at the NIS2 directive, you can be positive that you also fulfill the requirements of the law of Belgium. But on the other hand, looking for example at Italy, they have expanded the scope of application. So Italy has, for example, included the cultural sector as an additional regulated area. So the sector of culture hasn’t been mentioned in the NIS2 directive at all. But Italy had the idea, well, we can regulate also the cultural sector. So that’s why they have also included it in their national law.

And also in France, you can see that they have imposed more obligations and also have broadened the scope of application of their national law, because here they have also widened the regulated sectors, and here they have added educational institutions, for example. We have a minimum set of standards set out in the NIS2 directive, but across the EU, looking at the national laws, we have a lot of national differences. And that’s why it’s very hard for companies to comply with the NIS2 directive or with the national laws within the EU market.

Nathaniel Nelson
One of the more interesting things that Christina mentioned there, Andrew, was Italy treating its cultural sector as, like, critical infrastructure, which sounds a little bit… it sounds very Italian, frankly.

Andrew Ginter
Well, I don’t know. It’s not just the Italians. The original, you know, this was back in the, I don’t know, the late noughts. One of the original directives that came out of the American administration was a list of critical infrastructures. And at the time it included something like national monuments as a critical infrastructure sector. And the justification was, you know, any monument or, you know, cultural institution that was seen as essential to national identity, national cohesion…

And then it disappeared in the 2013 update of what were critical national infrastructures. So it’s no longer on CISA’s list of critical infrastructures, but it used to be. And, you know, in terms of Italy, I don’t have a lot of information about Italy, but again, you might imagine that national monuments and certain cultural institutions are vital to sort of national identity. Think of the Roman Colosseum. Should that be regarded as critical infrastructure? It’s certainly critical to tourism, that’s for sure. So that’s what little I know about it.

Andrew Ginter
And in my recollection of NIS2, one of the changes was increased incident disclosure rules. Now, I’ve argued, or I’ve speculated… We did a threat report at Waterfall. We actually saw numbers sort of plateau in terms of incidents. I wonder, I speculate, whether increased incident disclosure rules are in fact reducing disclosures, because lawyers see that disclosing too much information can result in lawsuits. For instance, SolarWinds was sued for incorrect disclosures. And so I’m guessing that they conclude that minimum disclosure is least risk. And if they get partway into an incident and say, this is not material, we don’t need to disclose it, we’re not going to disclose it, we actually see fewer disclosures.

Can you talk about what’s happening with the disclosure rules? How consistent are they? Multinational businesses, how many different ways do they have to file? And are we seeing greater disclosure or, in your estimation, fewer disclosures because of these rules?

Christina Kiefer
Yeah, that’s a really good question, and honestly it’s something we also get asked all the time right now, because we hear again and again: if we operate in several EU countries, do I need to report a security incident in one EU member state or via one portal and then I’m fine, or do I really have to report a security incident to each EU member state which is affected with regard to the security incident?

And yeah, unfortunately, the answer right now is yes, you have to report your security incident to each EU member state, or to each national authority of the EU member state whose national law you fall under the scope of. Because the NIS2 directive does not really require one portal or one registration obligation and also one reporting portal for all EU member states. So it’s up to the national authorities and also up to the EU member states to regulate this field by law. And you can see that many national authorities have already recognized this issue, and they are also looking at ways to simplify the process of registration but also of reporting security incidents, and there you can see some member states try to at least set up a portal, a nationwide portal, where you can report your security incident.

Some other national authorities go even further. They say they implement a scheme or structure where you only have to report to them, and then they will transfer the report to the other relevant EU authorities. But again, this is in each EU member state’s national law, so then you also have to check again all the other national laws within the EU. Yes, but also the authorities of the EU member states have already, well, at least indicated that they are talking to each other. So maybe in the future we will get one portal to report everything. But as I said before, it’s not regulated in the NIS2 directive and is also not foreseen for now.

Yes, and to the other part of your question. You could think that when you’re obliged to report everything and each security incident, the reporting would decrease. But you also have to look at the risk of non-compliance, and the risks are very high, because the NIS2 directive is imposing high sanctions and also a lot of authority measures, authority market measures. And that’s why in the daily consulting work, it’s better to say, please report an incident, because the national authorities also communicate this to the companies. They say, please report something, because then we can work together. So the focus of the national authorities, at least in Germany, we see right now, is they want to cooperate together.

They want to ensure a cyber-secure environment and a cyber-secure market. So the focus is to report something that they can work on together, and that’s why it would be better to report, and I would say maybe we also get an increase in reporting.

Andrew Ginter
So I’m a little confused by your answer. The rules that I’m a little bit familiar with are the American Securities and Exchange Commission rules. And those rules mandate that any material incident must be reported to the public, any incident that might cause a reasonable investor to either buy or sell or assign a value to shares in a company.

Which means non-material incidents can be kept quiet. And the SEC disclosures are public. Everyone can see them because reasonable people need information to buy and sell shares. The NIS2 system, is it requiring all incidents to be reported? And are those reports public?

Christina Kiefer
That’s a good point. To the first part of your question, the NIS2 directive and also the reporting obligation is kind of the same as the regulation you mentioned before, because you have to report only severe security incidents. As a regulated company, you are obliged to check if there is a security incident in the first step, and then in the second step you have to check if there is a severe security incident.

And only this security incident you are obliged to report to the national authorities. So that’s kind of the same structure or mechanism. And to the second part of your question, the report will not be published for everyone. So first of all, if you report it to national authorities, only the national authorities have the information. It can happen, because we have in some member states some laws where people from the public can get access to public information, it can happen that some information will be publicly available. But the first step is that you will only report it to the national authority and that the report will not be available for the public as such.

But next to the reporting obligation to the national authorities, you also have information obligations in the NIS2 directive. So it can happen that you are also obliged to inform the consumers of your services.

Andrew Ginter
So thanks for that. The other big news that I’m aware of in Europe is the CRA, which confuses me, because I thought NIS2 was the big deal, yet there’s this other thing that sort of came at me out of the blue a year ago, and I’m going, what’s going on? Can you introduce for us what is the CRA, and how’s it different from NIS2?

Christina Kiefer
Yeah, sure. So, as you mentioned before, the CRA is like the sister or brother and the second major piece of the new European cybersecurity framework alongside the NIS2 Directive.

Christina Kiefer
It’s the Cyber Resilience Act, or CRA for short. And while the NIS2 Directive focuses on the cybersecurity requirements for businesses or entities in critical sectors, the CRA takes a different angle, and the CRA introduces EU-wide cybersecurity rules for products.

So NIS2 is focusing on cybersecurity of entities, and the CRA is focusing on cybersecurity for products with digital elements. And the other difference is also that the NIS2 directive is an EU directive, so it needs to be transposed into national law by each EU member state, and the Cyber Resilience Act is an EU regulation. So when the Cyber Resilience Act comes into force, it will apply directly in each EU member state.

Andrew Ginter
Okay, so that’s how the CRA fits in with NIS2. What is the CRA? What are these rules? Can you give us a high-level summary?

Christina Kiefer
Yeah, sure. So the CRA is the first EU-wide horizontal regulation which imposes cybersecurity rules for products with digital elements. So regulated are products with digital elements, and this definition is very broad. It covers software and also hardware, and also software and hardware components if they are brought to the EU market separately. And products with digital elements are kind of like connected devices and, as I said, software and hardware that can potentially pose a security risk. Also, what is very important, the CRA imposes obligations not only on manufacturers, but also on importers, distributors, and also on those companies which are not resident in the EU, because the main point for the geographical scope of application is that you place a product on the EU market, whether you are located in the EU or not.

Christina Kiefer
So this means also that the Cyber Resilience Act, just like the General Data Protection Regulation, has a global impact for anyone selling tech products in Europe.

Andrew Ginter
So let me jump in real quick here, Nate. What Christina’s described here, the CRA, the scope applies to all digital products sold in Europe. To me, the CRA is, in my estimation, and she’s going to explain more in a few minutes, it’s probably the strictest cybersecurity regulation for products generally in the whole world. It sounds to me like this might become just like GDPR. This was a European regulation that came through a few years ago. It had to do with marketing and the use of private information, in particular my email and sending it. Basically, it was like an anti-spam act. It’s the strictest in the world. And everybody who has any kind of worldwide customer base, which is almost everybody in the digital world that’s sending out marketing emails, is now following the GDPR pretty much worldwide, because it’s just too hard to apply one law in one country and one law in the other. So what you do is you pick the strictest that you have to comply with worldwide, which is the GDPR, and you do that worldwide instead of trying to figure out what’s what. It sounds to me like the CRA could very well turn into that kind of thing. It might be the thing that all manufacturers that embed a CPU in their product have to follow worldwide, because it’s just too hard to change what they do in one country versus another.

Andrew Ginter
Okay, so can you dig a little deeper? I mean, an automobile, you buy a new automobile from the dealership. My understanding is that it has 250, 300, maybe 325 CPUs in it, all of them running software. It would seem to me that a new automobile is covered by the CRA. What are the obligations of the manufacturer? What should customers like me expect in automobiles that might be different because of the CRA?

Christina Kiefer
Thank you. First of all, looking at your example, automobiles are not covered by the CRA, because the CRA has some exemptions. And the CRA says, we are not regulating products with digital elements which are already regulated by specific product safety laws. And here, looking at the automotive sector, we have for sure in the EU very strong and very specialized regulation for product safety of cars and so on. So just for your example. But looking at other products with digital elements, for example wearables or headphones, smartphones, for example, you can say that there are kind of five core obligations for manufacturers in the CRA. So the first obligation is compliance with Annex 1, which means you have to fulfill a list of cybersecurity requirements. And you don’t only have to fulfill those cybersecurity requirements, but you also have to declare and show compliance with Annex 1 of the CRA. So it’s a conformity assessment you have to undergo.

Christina Kiefer
The other obligation, number two, is cyber risk assessment. If you are a manufacturer of a product with digital elements, you are obliged to assess cyber risks, and not only during the development and the construction of your product, and also not only during the placing of your product on the EU market, but throughout the whole product life cycle. So if you have a product and you have already placed it on the market, you are obliged to undergo cyber risk assessments. Then, looking at the third obligation, it’s free security updates.

Christina Kiefer
So manufacturers have to provide free security updates throughout the expected product life cycle. We also have mandatory incident reporting. So we have here also reporting and registration obligations, such as we already talked about looking at the NIS2 directive. And also, like in each product safety law in the EU, we also have the obligation for technical documentation. So those are the five core obligations: compliance, cyber risk assessment, free security updates, reporting, and documentation.

Andrew Ginter
And you mentioned distributors. What are distributors and importers obliged to do?

Christina Kiefer
We have some graduated obligations. So they are not such strict obligations as for manufacturers, but importers and distributors are obliged to assess if the products they are importing and distributing to the EU market are compliant with the whole set of cybersecurity requirements of the CRA. So they have to check if the manufacturer and the product are compliant, and if not, they have to inform and cooperate with the manufacturer to ensure cybersecurity compliance. But importers are also obliged to impose their own measures to fulfill the CRA.

Andrew Ginter
Okay, and you said there were five obligations. You spun through them quickly. Some of them make sense on their own. Do a risk assessment, do it from time to time, see if the risks have changed. That kind of makes sense. The first one, though, comply with Annex 1. That’s like an appendix to the CRA. What’s in there? What are the obligations?

Christina Kiefer
Yes, sure. Annex 1 is, you can also say, Appendix 1 to the CRA. And there you can see there is a list of certain cybersecurity requirements which manufacturers have to fulfill. And the list is divided into two different main areas. And one area is cybersecurity requirements. So it focuses on no known vulnerabilities at the time of the market placement, secure default configurations, protection against unauthorized access, ensuring confidentiality, integrity and availability, and also secure deletion and export of user data. So kind of all the cybersecurity requirements such as those which I have mentioned. And the other area is vulnerability management. So manufacturers have to ensure that they have a structured vulnerability management process, and they have to install a software bill of materials.

They have to provide free security updates. They have to undergo cybersecurity testing and assessments. There needs to be a process to publish information on resolved vulnerabilities. And again, here we also need a clear reporting channel for known vulnerabilities.

Andrew Ginter
So it sounds like you said that a manufacturer is not allowed to ship a product with known vulnerabilities. Practically speaking, how does that work? I mean, a lot of manufacturers in the industrial space use Linux under the hood. Linux is a million lines of code of kernel. And, you know, these devices don’t necessarily do a full desktop-style Linux, but they still have a lot of code that they’re pulling from an open source distribution. And in these millions of lines of code, from time to time, people discover vulnerabilities and they get announced. And so it’s almost a random process. Do I have to suspend shipments the day that a Linux vulnerability comes to light until I can get the thing patched and then three days later start shipments again? Practically speaking, how does this zero known vulnerabilities requirement work?

Christina Kiefer
Basically, it is like, as you said, because the Cyber Resilience Act focuses on no known vulnerabilities, not only in your product but also in the whole supply chain. So the Cyber Resilience Act focuses not only on products with digital elements but also on the cybersecurity of the whole supply chain. So this means, looking at Annex 1 and the cybersecurity requirements, products with digital elements may only be placed on the EU market if they don’t contain any known exploitable vulnerabilities. So it’s not any vulnerability, but it’s any known exploitable vulnerability. That is a clear requirement under Annex 1. And also, when you’re looking at making a product available on a market, that doesn’t just mean selling it.

Christina Kiefer
It includes any kind of commercial activity. And also what is a very good question in our daily work, looking at making a product available on the market: a lot of companies say, well, I have a batch of products. So if I have placed this batch of products on the EU market, I have already placed the product on the market, so I can also place the other products of this batch on the market in the future. But it is not correct, because looking at EU product safety law, the regulation is focusing on each product. So looking at these requirements, you can say, first of all you really have to check your own product, your own components, but also the products and the components you are using from the supply chain. And you have to check if there are any known exploitable vulnerabilities. So you have to impose a process to check for known vulnerabilities and also to impose mechanisms to fix those vulnerabilities.

Christina Kiefer
And if you have products already on the market, you don’t have to recall them, because first of all, it’s okay if you have a vulnerability management which is working and where you can fix those vulnerabilities. And when you have products already in the shipment process, there it’s up to each company to assess if they have to recall products in the shipment process or if they say, okay, we leave it in the shipment process because we know we can fix the vulnerability within two or three days. So in the end, it’s kind of a risk-based approach, and each company has to assess what measures are applicable and also necessary.

Andrew Ginter
So that makes a little more sense. I mean, the Linux kernel and sort of core functions, I don’t have the numbers, but I’m guessing that you’re going to see a vulnerability every week or two in that large set of software. And if that’s part of a router that you’re shipping or part of a firewall that you’re shipping or part of any kind of product that you’re shipping, does it make sense that, you know, you discover the exploitable vulnerability on Thursday and you have to suspend shipment until, you know, three weeks out when you have incorporated the vulnerability in your build and you’ve repeated all of your product testing, which can be extensive?

Andrew Ginter
And by the time you’re ready to ship that fix, two other problems have been developed, and now you can’t ship until, you know… It sounds like it’s not quite that strict. That scenario sounds like nonsense to me. It just would never work. You’re saying that there is some flexibility to do reasonable things to keep bringing product to market as long as you’re managing the vulnerabilities over time. Is that fair?

Christina Kiefer
Yes, yes, that’s right. Because in the CRA we have a risk-based approach, and also you have to… No, the basis for each measure you have to impose under the CRA is your cyber risk assessment. So you have to check: what kind of product am I using or am I manufacturing? Which kind of product am I right now placing on the EU market? What are the cybersecurity risks right now? And also, what are the specific cybersecurity risks of this known vulnerability?

Christina Kiefer
And then you have to check, do I have a process? Do I have a process imposing appropriate measures to fix those vulnerabilities? And if I have appropriate measures to fix the vulnerabilities in a timely manner, then you are not obliged to recall the product itself. But in the end, looking at a risk-based approach, it’s up to the decision of each company.

Andrew Ginter
So this is a lot of change for a lot of product vendors. Can I ask you, how’s it going? Is it working? Are the vendors confused? Do you have any sort of insight into how it’s going?

Christina Kiefer
Yeah, sure. So what we’re seeing right now, a lot of companies, both manufacturers but also suppliers, are getting ahead of the curve when it comes to the Cyber Resilience Act, because they see that there is a change and there will be new strict obligations, not only on manufacturers, but also in the whole supply chain. So suppliers, distributors, importers are also coming to us and asking if they are under the scope of the CRA. So this is the first point. If you’re a distributor or an importer, you already have to check if you and your company itself fall under the scope of the CRA. And if that is the case, then you are already obliged to ensure all the obligations of the CRA. But it can also happen that suppliers are under the scope of the CRA in an indirect manner.

Because ensuring all those new cybersecurity requirements from a manufacturer’s point of view, you have to ensure it within the whole supply chain. And the main instrument to ensure this was already in the past and will also be in the future contract management. So you have to impose or transpose all those new obligations to the suppliers via contract management. And there we see different reactions, but there’s definitely a growing awareness that cybersecurity needs to be addressed contractually, especially in relation to the CRA obligations. And looking at contract negotiations, of course, we have some negotiations with the suppliers, and one of the main points which is negotiated is the regulation of enforcement.

Christina Kiefer
Because when you have contract management looking at cybersecurity requirements, you can not only transpose those obligations to the suppliers, but you also have rules on enforcing those new contractual obligations. For example, contractual penalties. And there we see that contractual penalties often spark some debate during negotiations. But to sum up, in practice, we’ve always been able to find a balanced solution that works for all parties involved.

Nathaniel Nelson
I suppose I could think about any number of potentially trivial electronics products, Andrew, but let’s say that I or my neighbor has a smart fridge, a fridge with a computer in it. We generally assume that those devices don’t even really have security in mind at all. And a security update is, like, so far from the universe of how anyone would interact with such a device, and now we’re saying that that kind of thing is going to be regulated in these ways.

Andrew Ginter
I think the short answer is yes. You might ask, what good does this regulation do for a fridge? And, you know, I think about this sometimes. I think the answer is it depends. You know, a lot of the larger home appliances nowadays have touchscreens. There’s a CPU inside. There’s software inside. These are cyber devices. You might ask, well, when was the last time I updated the firmware in my fridge? How many times am I going to update the firmware in my fridge? Those are good questions. Most people never think about something like that. But the law might, you know, very reasonably apply to the fridge if the fridge is connected to the Internet so that I can see, for example, how much power my fridge is using on my cell phone app.

Isn’t that clever? But now I’ve connected the fridge to the Internet. We all know what happened to, what was it, the Mirai botnet took over hundreds of thousands of Internet of Things devices and used them as attack tools for denial of service attacks. If you’ve got an internet-connected fridge, you risk that if you haven’t updated the software. Worse, if someone gets into your fridge, takes over the CPU, you could change the set point on the temperature and cause all your food to spoil. This is a safety risk.

Andrew Ginter
Again, how many consumers are going to update the software in their fridge? Realistically, I don’t think the majority of consumers will, even if there is a safety threat. To me, you know, the risk, this is part of the risk assessment. If there’s a safety threat because of these vulnerabilities, you might well need to, I don’t know, auto-update the firmware. That might be part of your risk assessment, so that the consumer doesn’t have to do it. Or better yet, design the fridge so that safety threats because of a compromised CPU are impossible, physically impossible. Make the temperature setting manual or something. But this is a bigger problem than I think one regulation, the question of safety-critical devices connected to the cloud.

Nathaniel Nelson
Yeah, admittedly, the notion of a smart refrigerator safety threat isn’t totally resonating with me. And then we haven’t even discussed the matter of, like, OK, let’s say that my refrigerator gets automatic updates, or I just have to click a button in an app when it notifies me to do so to update my firmware. At some point, you know, fridges sit in houses for long periods of time. I can’t recall the last time that my fridge was replaced. In that time, any manufacturer could go out of business. And then how do you get those updates, right?

Andrew Ginter
Exactly. So, you know, to me, this is outside the scope of the CRA, but, you know, to answer your question, to me, the solution is, you know, two- or threefold. We need to design safety-critical consumer appliances in such a way that the unsafe conditions cannot be brought about by a cyber attack. I mean, we talk about, you know, fixing known vulnerabilities. That’s only one kind of vulnerability. What about zero days? There’s logically no way that someone can solve all zero days. It’s a nonsensical proposition. So there’s always going to be zero days. What if one is exploited and, you know, a million fridges are set to a set point that’s unsafe?

Andrew Ginter
To me, we’ve got to design the fridges differently, but that’s sort of a different conversation. In fact, that’s the topic of my next book, which is why I care so much about it. But these are important questions, and I think the CRA is a step in the direction of answering them, but I don’t know that it has all the answers.

Andrew Ginter
So work with me. You know, what you described there makes sense for, you know, manufacturers like IBM who can, you know, produce high volumes, or, you know, Sony or the big fish. But, you know, if I’m a small manufacturer, I produce a thousand devices a year. I buy components for these devices. I buy software for these devices from big names like Sony and Microsoft and Oracle. And, you know, I go to Oracle and say, you must meet my contract requirements or I won’t buy my thousand products from you at a cost of $89 a product. Oracle is going to say, take a flying leap. We’re not signing your contract. Is this realistic?

Christina Kiefer
Yes, and we see this also in practice, because we are not only consulting the big manufacturers but also the smaller companies in the supply chain. And there you can have different approaches, because when you are buying products from the big companies, first of all, you have to know that they are, or they might be, obliged also under the CRA. So they are fulfilling all those new cybersecurity requirements. And there you also have to check their contracts, because there you can see already they have a lot of new regulations looking at cybersecurity, either implemented into the general contractual documents or implemented into one cybersecurity appendix.

So you see all the companies are looking at the Cyber Resilience Act, and then they are taking measures and also looking at their contract management. So if you are lucky enough, you can see, okay, they have a contract which is already regulating all the obligations under the CRA. And if it’s not like this, we take the approach that we establish a cybersecurity appendix. So when you’re already in a contractual relationship with the big players, you don’t have to negotiate the whole contract from the beginning. You can only show them your appendix, and then on the basis of this appendix, you can discuss the cybersecurity requirements. So this is kind of an approach which has also helped smaller companies in the market.

Andrew Ginter
So you gave the example of headphones and smartphones. For the record, does this apply to industrial products as well? I mean, our listeners care about programmable logic controllers and steam turbines that have embedded computer components, or is it strictly a consumer goods rule?

Christina Kiefer
Now, and this is a very important point to highlight, the Cyber Resilience Act explicitly applies not only to consumer products but also to products in the B2B sector. So this means that all software and all hardware products, along with any related remote data processing solutions, fall under the scope of the CRA, either in B2C or also in B2B relationships.

Andrew Ginter
Well, Christina, thank you so much for joining us. Before we let you go, can I ask you, can you sum up for our listeners? What are the key messages to take away to understand about what’s happening with cyber regulations, both NIS2 and CRA, in Europe, and what we should be doing about them as both consumers and manufacturers?

Christina Kiefer
Yeah, sure, of course. So let me give you a quick recap. So first of all, you see the EU legislature is tightening the cybersecurity requirements significantly with both the NIS2 directive and also the Cyber Resilience Act. And the new requirements affect any company that offers products or services to the EU market, no matter where they are based. So it has a very broad scope of application. Looking at the NIS2 directive, it’s very important to know that the NIS2 directive is already in force, but it has to be transposed into national law, which has not been fulfilled by all EU member states, and that the national implementation across the EU is still quite varied.

Looking at the Cyber Resilience Act, the CRA brings new security obligations to products with digital elements, so for all software, for all hardware products. And it also is focusing not only on cybersecurity of products, but also on the whole supply chain. So both frameworks require companies to take proactive steps right now, looking at risk assessment, risk management, reporting, and also contract management, particularly when it comes to managing their supply chain. So looking at the short implementation deadlines ahead, both from the NIS2 Directive and also the CRA, it’s very important for companies to act now. And the first step we consult to do is to identify the relevant laws, because we have a lot of new regulations looking at digital products and digital services. So, yeah, first of all, check the relevant laws and the relevant obligations which are applicable to your business.

And here we offer a free NIS2 quick check and also a free CRA quick check where you can just click through the different questions to see if you are under the scope of NIS2 and CRA. And then after all, when you have clarified that you are affected by one or both of the new regulations, the company needs to review and adapt their cybersecurity processes, both technically and also organizationally. So it’s very crucial to continuously monitor and ensure compliance with the ongoing legal requirements, especially also looking at contract management and focusing on the supply chain. And yeah, there we can help national but also international companies with kind of a 360 degree approach to cybersecurity compliance because we ensure solutions ranging from product development and marketing to reporting and market measures. So, yeah, we give companies practical and also actionable guidance at every step.

So looking at the first step, to act and to identify the relevant laws and obligations for your business, companies can visit our free NIS2 QuickCheck and our free CRA QuickCheck, which is available under nist2-check.com and also And yeah, if you have any further questions, you are free and invited to write to me via email or via LinkedIn. Yeah, I’m happy to connect. And thank you very much for the invitation.

Nathaniel Nelson
Andrew, that just about concludes your interview with Christina Kiefer. And maybe for a last word today, we could just talk about what all of these rules mean practically for businesses out there because, you know, it’s one thing to mention this rule and that rule in a podcast, but it sounds like the kind of stuff we’re talking about here is going to mean a lot of work for a lot of people in the future.

Andrew Ginter
I agree completely. It sounds like a lot of new work and a lot of new risk, both for the critical infrastructure entities that are covered by NIST or by the local laws, especially for businesses, the larger businesses that are active in multiple jurisdictions, and certainly for any manufacturer who wants to sell anything remotely CPU-like into the European market. It sounds like a lot of work, but I have some hope that it’s also, because it’s such a lot of work, it’s also a business opportunity. And we’re going to see entrepreneurs and service providers and even technology providers out there providing services and tools that will automate more and more of this stuff, so that not every manufacturer and every critical infrastructure provider, in the European Union or in the world selling to the European Union, has to invent all of the answers to these new rules by themselves.

Nathaniel Nelson
Well, thank you to Christina for elucidating all of this for us. And Andrew, as always, thank you for speaking with me.

Andrew Ginter
It’s always a pleasure. Thank you, Nate.

Nathaniel Nelson
This has been the Industrial Security Podcast from Waterfall. Thanks to everyone out there listening.


The post NIS2 and the Cyber Resilience Act (CRA) – Episode 142 appeared first on Waterfall Security Solutions.

SCADA Security Fundamentals
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/what-is-scada-security/
Thu, 14 Aug 2025 11:42:40 +0000
Protect SCADA systems with best practices in SCADA security, including access control, monitoring, encryption, and compliance for critical infrastructure.

SCADA security protects industrial control systems from cyber and operational threats through access controls, encryption, monitoring, governance, and regulatory compliance. Learn how best practices and Waterfall Security solutions safeguard critical infrastructure.
Waterfall team

What is SCADA Security

SCADA systems, or Supervisory Control and Data Acquisition systems, are at the heart of modern industrial operations, controlling everything from power plants and water treatment facilities to manufacturing lines and transportation networks. While they keep critical infrastructure running efficiently, SCADA systems are also increasingly exposed to cyber threats due to greater connectivity and digital integration. Understanding the fundamentals of SCADA security is essential for protecting industrial operations, ensuring safety, and maintaining operational continuity.

Understanding SCADA Systems in Security Context

A SCADA system typically includes several key components:

  • Central control servers that process and manage data

  • Human-Machine Interfaces (HMIs) that allow operators to monitor and control processes

  • Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs) that collect data from field devices and execute commands

  • Communication networks connecting the central system with remote devices

These components work together to provide real-time monitoring, automation, and reporting across industrial environments, forming the backbone of critical infrastructure operations.

The evolution of SCADA architecture from isolated to networked environments

Originally, SCADA systems were isolated, often using proprietary protocols and physically separated networks, which naturally limited cyber risks. Over time, they have become increasingly networked, connecting to corporate IT systems, the internet, and cloud platforms to enable remote monitoring and analytics. While this connectivity improves efficiency and operational insight, it also introduces new attack surfaces and vulnerabilities that must be addressed with modern cybersecurity measures.

Critical infrastructure sectors relying on SCADA systems

SCADA systems are essential across multiple critical infrastructure sectors:

  • Energy: Power generation, transmission, and oil & gas refineries rely on SCADA for stability and control.

  • Water and Wastewater: Treatment plants use SCADA to monitor chemical levels, flow rates, and system health.

  • Manufacturing and Industrial Production: Automated production lines and robotics are coordinated through SCADA for efficiency.

  • Transportation and Logistics: Rail networks, traffic systems, and ports use SCADA for safe and timely operations.

A compromise in any of these sectors can have wide-reaching operational, economic, and safety consequences.

Operational technology (OT) vs. information technology (IT) security paradigms

SCADA systems fall under the broader category of OT, which focuses on physical processes and operational continuity. Unlike IT systems, which prioritize data confidentiality and integrity, OT emphasizes safety, uptime, and real-time reliability. Security strategies for SCADA must account for this difference, ensuring that protective measures do not disrupt critical processes while still defending against cyber threats.

Security implications of legacy SCADA implementations

Many SCADA environments still operate on legacy hardware and software that were not designed with modern cybersecurity in mind. These older systems often have outdated protocols, limited patching capabilities, and weak authentication, making them prime targets for attackers. Securing legacy SCADA implementations requires careful risk assessment, network segmentation, and compensating controls that protect industrial operations without interrupting critical processes.

SCADA Components and Security Considerations

SCADA systems consist of multiple interconnected components—HMIs, PLCs, RTUs, data acquisition servers, and communication networks—that collectively monitor and control industrial processes. Each component presents unique security considerations, from physical access control to software vulnerabilities and network exposure. Ensuring the security of SCADA requires a holistic approach that addresses both cyber and physical threats while maintaining operational continuity.

Human-Machine Interface (HMI) security vulnerabilities

HMIs provide operators with a visual interface to monitor and control industrial processes, but they can also be a target for cyberattacks. Vulnerabilities include weak authentication, unpatched software, and susceptibility to malware, which can allow attackers to manipulate displayed data, issue unauthorized commands, or gain a foothold in the broader SCADA network. Securing HMIs involves strong authentication, regular updates, and network isolation to reduce exposure.

Programmable Logic Controllers (PLCs) attack vectors
PLCs are responsible for executing automated control logic and directly interacting with machinery. Attack vectors targeting PLCs include unauthorized access via default credentials, firmware vulnerabilities, and malicious commands injected through network connections. Compromising a PLC can result in process disruption, equipment damage, or unsafe operating conditions. Protecting PLCs requires strict access controls, firmware management, and monitoring for anomalous activity.

Remote Terminal Units (RTUs) security challenges
RTUs collect data from field devices and relay commands between the central system and industrial processes. Because they are often deployed in remote or exposed locations, RTUs face both physical and cyber threats. Challenges include unsecured communication links, outdated firmware, and tampering risk. Mitigation strategies include encrypted communications, physical protection, and secure configuration management.

Data acquisition servers and historian security
Data acquisition servers and historians store and manage process data from SCADA systems, providing analytics and historical records. These servers are attractive targets for attackers seeking operational intelligence or the ability to manipulate data. Security considerations include regular software updates, strong authentication, network segmentation, and continuous monitoring to ensure data integrity and prevent unauthorized access.

Communication protocols security weaknesses
SCADA systems often use specialized protocols like Modbus, DNP3, and OPC, which were designed for reliability and performance rather than security. Many lack built-in encryption or authentication, making them susceptible to interception, spoofing, or replay attacks. Securing communication protocols involves implementing encryption where possible, network segmentation, intrusion detection, and monitoring for unusual traffic patterns to protect data integrity and operational reliability.

The Threat Landscape for SCADA Environments

Nation-state actors targeting critical infrastructure
Nation-state actors often target SCADA systems as part of strategic cyber operations aimed at critical infrastructure. By exploiting vulnerabilities in industrial control systems, these attackers can disrupt power grids, water treatment facilities, or manufacturing operations, potentially causing widespread economic and societal impact. Protecting SCADA from such threats requires advanced threat intelligence, continuous monitoring, and collaboration with government and industry partners to detect and respond to sophisticated, state-sponsored attacks.

Cybercriminal motivations for attacking SCADA systems
Cybercriminals may target SCADA systems for financial gain, such as demanding ransom through ransomware attacks, stealing sensitive operational data, or manipulating industrial processes for profit. Unlike nation-state attacks, these intrusions are often opportunistic, taking advantage of weak security measures or unpatched systems. Strengthening SCADA security against cybercriminals involves implementing strict access controls, patch management, network segmentation, and continuous monitoring to prevent unauthorized access and operational disruptions.

Hacktivism and SCADA systems as political targets
Hacktivists may target SCADA systems to make a political statement, raise awareness of social causes, or disrupt public services to attract attention. These attacks often aim to demonstrate vulnerability rather than achieve financial gain, but they can still have serious operational and safety consequences. Protecting SCADA from hacktivism requires both robust cybersecurity measures—such as intrusion detection, secure remote access, and anomaly monitoring—and proactive communication and incident response planning to minimize impact.

Notable SCADA Security Incidents

Over the past decade, several high-profile cyberattacks have highlighted the vulnerabilities of SCADA systems and the potentially severe consequences of a breach. From malware targeting industrial equipment to coordinated attacks on national infrastructure, these incidents demonstrate why securing SCADA environments is critical for operational safety, public welfare, and national security.

Stuxnet and its implications for industrial security
Stuxnet, discovered in 2010, was a sophisticated malware specifically designed to target Iranian nuclear enrichment facilities. It exploited vulnerabilities in PLCs to manipulate centrifuge operations while hiding its activity from operators. Stuxnet demonstrated that cyberattacks could cause physical damage to industrial equipment, marking a turning point in awareness of ICS and SCADA security. Its legacy emphasizes the need for strong network segmentation, rigorous patch management, and monitoring of operational anomalies to detect and prevent similar attacks.

Ukrainian power grid attacks
In 2015 and 2016, Ukraine experienced cyberattacks that targeted its power grid, leading to widespread blackouts affecting hundreds of thousands of people. Attackers compromised SCADA systems to manipulate breakers and disrupt electricity distribution, highlighting the vulnerability of critical infrastructure to coordinated cyber operations. These incidents underscore the importance of access controls, real-time monitoring, incident response planning, and collaboration with national security authorities to protect industrial operations from both cybercriminals and nation-state actors.

Water treatment facility breaches
Water treatment facilities have also been targeted by attackers seeking to manipulate chemical dosing or disrupt water supply systems. These breaches demonstrate how SCADA vulnerabilities can have direct public health consequences. Security measures such as robust authentication, network segmentation, physical security, and continuous monitoring are essential to safeguard water treatment operations and prevent potentially life-threatening outcomes from cyber intrusions.

SCADA Security Architecture and Controls

Defense-in-Depth Strategies for SCADA
Securing SCADA systems requires a defense-in-depth approach, which layers multiple security measures to protect industrial control systems from both cyber and physical threats. By combining preventive, detective, and responsive controls across all components, organizations can reduce the risk of compromise and minimize the impact of any potential breach.

Multi-Layered Security Approach for Industrial Control Systems
A multi-layered security strategy ensures that if one control fails, others continue to protect critical operations. This approach includes endpoint security for devices, network protections, access controls, monitoring systems, and incident response procedures. Layering defenses helps address diverse threats, from malware and insider attacks to physical tampering, while maintaining operational continuity.

Network Segmentation and Security Zones Implementation
Segmenting SCADA networks into distinct zones—such as separating field devices from corporate IT networks—reduces the attack surface and limits the spread of malware or unauthorized access. Security zones allow organizations to apply tailored policies and monitoring based on the criticality and risk profile of each segment, enhancing both operational safety and cybersecurity resilience.

Air Gap Considerations and Limitations in Modern Environments
Air-gapping—physically isolating SCADA networks from external connections—can provide strong protection against remote attacks. However, in modern industrial environments, remote monitoring, cloud analytics, and third-party integrations often make strict air-gaps impractical. Organizations must balance isolation with operational needs, supplementing partial air-gaps with strong authentication, encrypted communications, and rigorous monitoring.

Demilitarized Zones (DMZ) for SCADA Networks
DMZs act as buffer zones between SCADA networks and external systems, such as corporate IT networks or the internet. By placing intermediary servers and firewalls in the DMZ, organizations can control and inspect data flow, preventing direct access to critical industrial systems while still allowing necessary information exchange. DMZs are a key component of layered defense, reducing exposure to external threats.

Security Monitoring Across Defense Layers
Continuous monitoring is essential for detecting anomalies, intrusions, or unauthorized activity across all layers of SCADA defense. This includes monitoring network traffic, device behavior, access logs, and operational metrics. Effective monitoring enables rapid detection and response, ensuring that threats are mitigated before they can disrupt critical processes or cause physical damage.

Access Control and Authentication

Role-Based Access Control for SCADA Operations
Role-based access control (RBAC) assigns permissions based on job functions, ensuring that operators, engineers, and administrators only access the SCADA functions necessary for their roles. Implementing RBAC reduces the likelihood of human error, limits exposure of sensitive controls, and simplifies auditing and compliance. Regular review of role assignments is essential to maintain security as personnel and responsibilities change.

Multi-Factor Authentication Implementation Challenges
Multi-factor authentication (MFA) strengthens SCADA security by requiring additional verification beyond passwords, such as tokens or biometrics. However, implementing MFA in industrial environments can be challenging due to legacy systems, operational uptime requirements, and remote access needs. Balancing usability with security is critical to ensure that MFA does not disrupt time-sensitive control processes.

Privileged Access Management for Critical SCADA Functions
Privileged accounts control key SCADA operations and present significant risk if mismanaged. Effective privileged access management involves monitoring account activity, limiting the number of privileged users, enforcing strong password policies, and conducting regular audits. These practices prevent unauthorized changes to control logic and reduce the risk of insider threats or credential compromise.

Authentication Mechanisms for Field Devices
Field devices like PLCs, RTUs, and sensors require secure authentication to prevent unauthorized command injection or manipulation. Strong authentication mechanisms—including unique credentials, device certificates, and secure firmware—ensure that only trusted devices can communicate with the SCADA network, protecting the integrity of industrial processes.

Managing Vendor and Contractor Access to SCADA Systems
Vendors and contractors often need temporary access for maintenance, updates, or troubleshooting. Proper access management includes time-limited accounts, supervised sessions, detailed logging, and adherence to organizational security policies. Controlling third-party access is essential to prevent external breaches and maintain overall SCADA security.

Encryption and Data Protection

Protecting data in SCADA systems is essential for maintaining operational integrity and preventing unauthorized access or manipulation. Encryption and other data protection measures help ensure that sensitive information—whether in transit, at rest, or within device configurations—remains confidential and trustworthy.

Protocol Encryption Considerations for SCADA Communications
SCADA systems often rely on specialized protocols like Modbus, DNP3, or OPC, which were not designed with security in mind. Encrypting communications between devices, servers, and HMIs is critical to prevent interception, tampering, or replay attacks. Implementing encryption must balance security with real-time performance, as delays can affect operational processes.

Key Management Challenges in Distributed Environments
Managing cryptographic keys across distributed SCADA networks is complex. Field devices may have limited processing capabilities, and remote locations can make key distribution or rotation difficult. Secure key management practices—including automated key provisioning, rotation policies, and secure storage—are vital to maintaining the effectiveness of encryption across the network.

Data Integrity Verification Mechanisms
Ensuring that SCADA data remains accurate and unaltered is critical for operational safety. Mechanisms like checksums, digital signatures, and hash functions can detect tampering or corruption in sensor readings, command instructions, and historical records. Implementing integrity verification helps prevent attackers from manipulating operational data to cause unsafe conditions.
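As an added example (not code from the Waterfall article), here is one way to apply the integrity mechanisms above to individual sensor readings: the field device appends an HMAC-SHA256 tag and a sequence number, and the historian rejects frames whose tag does not verify (tampering) or whose sequence number does not advance (replay). The device id, key and readings are constructed sample data; the truncated 128-bit tag keeps the frame small for constrained devices.

```python
"""
Added example: authenticated sensor readings for a SCADA historian.
Field side: seal_reading() packs id, sequence number and fixed-point value
and appends a truncated HMAC tag. Historian side: ReadingVerifier checks the
tag in constant time and enforces a strictly increasing sequence per device.
All keys, device ids and values below are constructed sample data.
"""
import hashlib
import hmac
import struct

TAG_LEN = 16            # 128-bit truncated HMAC-SHA256 tag
BODY_FMT = ">16sIi"     # device id (16 bytes, null padded), seq (u32), value x100 (i32)
BODY_LEN = struct.calcsize(BODY_FMT)  # 24 bytes


def seal_reading(device_id: str, seq: int, value: float, key: bytes) -> bytes:
    """Field-device side: pack the reading and append the HMAC tag over the body."""
    body = struct.pack(BODY_FMT, device_id.encode(), seq, round(value * 100))
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class ReadingVerifier:
    """Historian side: one key per device plus the last accepted sequence number."""

    def __init__(self, device_keys: dict):
        self.device_keys = device_keys
        self.last_seq = {}

    def verify(self, frame: bytes):
        """Return (accepted, reason, reading); reading is None when rejected."""
        if len(frame) != BODY_LEN + TAG_LEN:
            return False, "bad length", None
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        raw_id, seq, value_x100 = struct.unpack(BODY_FMT, body)
        device_id = raw_id.rstrip(b"\x00").decode()
        key = self.device_keys.get(device_id)
        if key is None:
            return False, f"unknown device {device_id}", None
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison so timing does not leak which tag byte differs.
        if not hmac.compare_digest(tag, expected):
            return False, "tag mismatch (tampered or wrong key)", None
        # A valid tag is not enough: an old frame re-sent is still a valid frame.
        if seq <= self.last_seq.get(device_id, -1):
            return False, f"replayed or out-of-order seq {seq}", None
        self.last_seq[device_id] = seq
        reading = {"device": device_id, "seq": seq, "value": value_x100 / 100}
        return True, "ok", reading


# Constructed sample key; a real key comes from the device provisioning process.
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff0011223344556677")


def demo():
    """Exercise the three cases the text cares about: genuine, tampered, replayed."""
    verifier = ReadingVerifier({"flow-meter-07": SAMPLE_KEY})
    genuine = seal_reading("flow-meter-07", 41, 12.75, SAMPLE_KEY)
    # Simulate corruption in transit: flip one bit in the value field (bytes 20..23)
    # without recomputing the tag.
    tampered = bytearray(genuine)
    tampered[23] ^= 0x01
    return {
        "genuine": verifier.verify(genuine),
        "tampered": verifier.verify(bytes(tampered)),
        "replayed": verifier.verify(genuine),  # the same frame delivered twice
    }


if __name__ == "__main__":
    for case, (ok, reason, reading) in demo().items():
        print(f"{case:9s} accepted={ok} reason={reason} reading={reading}")
```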

Secure Storage of SCADA Configuration and Historical Data
SCADA systems rely on configuration files, control logic, and historical process data to operate effectively. Protecting this data through encryption, access controls, and regular backups ensures that it cannot be tampered with or lost. Secure storage also supports disaster recovery and forensic investigations in the event of a security incident.

Cryptographic Controls Appropriate for Resource-Constrained Devices
Many SCADA field devices have limited computational resources, which can make standard cryptographic algorithms impractical. Lightweight cryptographic controls, optimized for low-power and low-memory environments, allow these devices to maintain data confidentiality and integrity without degrading performance or responsiveness. Choosing the right cryptography for resource-constrained devices is a key consideration in SCADA security.

Security Monitoring and Incident Response

Continuous monitoring and proactive incident response are essential for protecting SCADA systems from cyber threats. By observing system behavior in real time, organizations can quickly detect anomalies, identify potential attacks, and respond before operational disruptions occur. A structured approach to monitoring and incident response helps ensure the reliability, safety, and integrity of industrial control operations.

Security Information and Event Management (SIEM) for SCADA
SIEM solutions collect and analyze logs and events from SCADA devices, networks, and applications to provide centralized visibility into potential security incidents. By correlating data across multiple sources, SIEM systems can detect unusual patterns, alert operators to suspicious activity, and support forensic investigations. Integrating SIEM with SCADA networks enhances threat detection and accelerates incident response.

Operational Technology-Specific Monitoring Requirements
Monitoring SCADA systems requires OT-specific strategies that account for real-time processes, legacy devices, and specialized protocols. Unlike traditional IT environments, SCADA monitoring must minimize disruption to operations while detecting both cyber and physical anomalies. This includes tracking device behavior, network traffic, command sequences, and environmental data to identify potential threats.

Baseline Establishment for Normal SCADA Operations
Establishing a baseline of normal SCADA activity is critical for identifying deviations that may indicate cyberattacks or operational issues. This baseline includes typical network traffic patterns, device communication behavior, command sequences, and process metrics. Continuous comparison against the baseline allows security teams to quickly detect and investigate anomalies, improving both threat detection and operational reliability.
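The protocol weakness described under communication protocols (Modbus carries no authentication, so a monitor can judge a request only by who sent it and what it asks for) and the baseline approach above combine into a concrete detector. The following is an added example, not code from the Waterfall article: it parses Modbus/TCP requests (MBAP header plus function code), learns the client/server/unit/function tuples seen during a known-good period, and flags writes or new clients that fall outside that baseline. Hosts, unit ids and frames are constructed sample data.

```python
"""
Added example: a minimal Modbus/TCP request parser feeding a baseline check.
Baseline learning and the alert rules are illustrative; real OT monitoring
products use richer models, but the principle (learn normal, alert on the
rest, treat writes as higher risk) is the same.
"""
import struct
from collections import Counter
from dataclasses import dataclass

# Function codes that change process state; reads are 1-4.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}


@dataclass(frozen=True)
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(src: str, dst: str, payload: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the function code of one request.
    Malformed frames raise ValueError; those deserve an alert of their own."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (0)")
    # The length field counts unit id + PDU, i.e. everything after byte 6.
    if length != len(payload) - 6:
        raise ValueError(f"length field {length} does not match frame size")
    return ModbusRequest(src, dst, tid, unit, payload[7], payload[8:])


class ModbusBaseline:
    """Learn (src, dst, unit, function) tuples from a known-good period,
    then flag requests that fall outside them."""

    def __init__(self):
        self.allowed = Counter()

    def learn(self, req: ModbusRequest) -> None:
        self.allowed[(req.src, req.dst, req.unit_id, req.function_code)] += 1

    def check(self, req: ModbusRequest) -> list:
        """Return alert strings; an empty list means the request matches the baseline."""
        alerts = []
        key = (req.src, req.dst, req.unit_id, req.function_code)
        name = FUNCTION_NAMES.get(req.function_code, f"FC{req.function_code}")
        if req.function_code not in FUNCTION_NAMES:
            alerts.append(f"unknown function code {req.function_code} from {req.src}")
        if key not in self.allowed:
            known_peer = any(k[0] == req.src and k[1] == req.dst for k in self.allowed)
            if not known_peer:
                alerts.append(f"new Modbus client {req.src} -> {req.dst} unit {req.unit_id}")
            if req.function_code in WRITE_FUNCTION_CODES:
                alerts.append(f"unbaselined write: {name} from {req.src} to {req.dst} unit {req.unit_id}")
            elif known_peer:
                alerts.append(f"new function for known pair: {name} {req.src} -> {req.dst}")
        return alerts


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Construct a Modbus/TCP request frame (used only to make sample data)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed known-good traffic: the HMI reads 10 holding registers from PLC unit 1.
BASELINE_TRAFFIC = [
    ("10.1.1.10", "10.1.2.5", build_frame(i, 1, 3, struct.pack(">HH", 0, 10)))
    for i in range(1, 6)
]
# Constructed later traffic: one normal read, then a register write from a host
# never seen on the control network.
SUSPECT_TRAFFIC = [
    ("10.1.1.10", "10.1.2.5", build_frame(6, 1, 3, struct.pack(">HH", 0, 10))),
    ("10.1.9.77", "10.1.2.5", build_frame(1, 1, 6, struct.pack(">HH", 40, 999))),
]


def run_detection(baseline_traffic, suspect_traffic) -> list:
    """Learn from known-good frames, then return the alert list for each suspect frame."""
    baseline = ModbusBaseline()
    for src, dst, raw in baseline_traffic:
        baseline.learn(parse_modbus_tcp(src, dst, raw))
    results = []
    for src, dst, raw in suspect_traffic:
        try:
            results.append(baseline.check(parse_modbus_tcp(src, dst, raw)))
        except ValueError as exc:
            results.append([f"malformed frame from {src}: {exc}"])
    return results


if __name__ == "__main__":
    for alerts in run_detection(BASELINE_TRAFFIC, SUSPECT_TRAFFIC):
        print(alerts or ["ok"])
```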

Security Governance for Industrial Control Systems

Effective governance ensures that SCADA security is not an afterthought but an integral part of industrial operations. By defining clear policies, roles, and processes, organizations can systematically manage risk, maintain compliance, and embed security throughout the SCADA lifecycle.

Security Policies Specific to SCADA Environments
SCADA-specific security policies provide guidelines for protecting industrial control systems, covering areas such as access control, network segmentation, patch management, and incident response. These policies establish consistent expectations for staff, vendors, and contractors, ensuring that operational and cybersecurity requirements are aligned.

Roles and Responsibilities in SCADA Security Management
Clearly defined roles and responsibilities are critical to prevent gaps in SCADA security. Operators, engineers, IT/OT security teams, and management must understand their specific duties—ranging from system monitoring to vulnerability remediation—to maintain the integrity and safety of industrial processes. Accountability and communication across teams strengthen overall security posture.

Change Management Procedures for Control Systems
SCADA systems require controlled and documented changes to hardware, software, and configurations to prevent unintended disruptions or security vulnerabilities. Formal change management procedures ensure that updates, patches, or system modifications are reviewed, tested, and approved before implementation, reducing operational risks and maintaining compliance.

Security Metrics and Key Performance Indicators
Tracking security metrics and KPIs allows organizations to measure the effectiveness of SCADA security programs. Metrics may include incident response times, patch deployment rates, access violations, and anomaly detection frequency. Regularly reviewing these indicators helps identify weaknesses, prioritize improvements, and demonstrate regulatory compliance.

Integration of Security into SCADA Lifecycle Management
Security should be integrated at every stage of the SCADA lifecycle, from design and procurement to operation and decommissioning. Incorporating security considerations early—such as secure device selection, network architecture planning, and ongoing monitoring—ensures that protection is embedded rather than retrofitted, enhancing resilience against cyber and operational threats.

Compliance and Standards

Adhering to industry standards and regulatory requirements is critical for ensuring SCADA security, operational reliability, and legal compliance. These frameworks provide guidance for risk management, access control, monitoring, and incident response, helping organizations protect industrial control systems against evolving threats.

IEC 62443 (Formerly ISA99) for Industrial Automation
IEC 62443 is a widely recognized international standard for the cybersecurity of industrial automation and control systems. It covers the entire lifecycle of SCADA systems, including secure design, development, operation, and maintenance. IEC 62443 provides guidelines for risk assessment, network segmentation, access control, and supplier security, offering a comprehensive framework for securing industrial environments.

NERC CIP Requirements for Energy Sector SCADA
The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards establish mandatory cybersecurity requirements for the energy sector. These standards focus on protecting bulk electric systems, including SCADA networks, by enforcing strict controls over access, monitoring, incident response, and system recovery. Compliance with NERC CIP is essential for energy providers to ensure reliable and secure power delivery.

NIST Special Publication 800-82 Implementation
NIST SP 800-82 provides guidance on applying the NIST Cybersecurity Framework to industrial control systems, including SCADA. It outlines strategies for protecting OT environments, integrating IT and OT security practices, and managing risk in operational contexts. Organizations can use this publication to develop security policies, deploy appropriate controls, and strengthen resilience against cyber threats.

Industry-Specific Regulatory Requirements
Beyond international and national standards, many industries have sector-specific regulations that impact SCADA security. For example, water utilities may need to comply with EPA regulations, healthcare facilities must adhere to HIPAA requirements, and manufacturing plants may follow ISO 27001 for information security. Understanding and implementing these requirements ensures both compliance and the protection of critical infrastructure.

Security Awareness and Training

Human factors play a critical role in SCADA security. Even the most advanced technical controls can be undermined by untrained personnel or poor security practices. Building awareness and providing targeted training ensures that all staff understand the risks and act in ways that protect industrial control systems.

Operator Training for Security-Conscious Operations
Operators are on the front lines of SCADA system management, monitoring processes and responding to alerts. Security-focused training helps them recognize suspicious activity, understand secure operational procedures, and respond effectively to potential incidents without compromising operational continuity. Well-trained operators are a key line of defense against both accidental and malicious threats.

Engineering Staff Security Awareness Programs
Engineering teams design, maintain, and update SCADA systems, making them critical to overall security. Awareness programs for engineers emphasize secure coding, configuration best practices, vulnerability management, and compliance with relevant standards. By embedding security knowledge into engineering practices, organizations reduce the risk of exploitable system weaknesses.

Security Culture Development in Operational Technology Environments
A strong security culture in OT environments promotes shared responsibility, proactive risk management, and consistent adherence to policies. Encouraging collaboration between IT, OT, and operational staff fosters an environment where security considerations are integrated into daily decision-making, helping prevent breaches and maintain resilient SCADA operations.

Some Final Thoughts

Securing SCADA systems is no longer optional—it’s a critical requirement for protecting industrial operations, critical infrastructure, and public safety. From access control and encryption to monitoring, governance, and regulatory compliance, a layered and proactive approach is essential to defend against evolving cyber threats. By implementing best practices and leveraging advanced solutions, organizations can safeguard their SCADA environments while maintaining operational continuity.

To see how Waterfall Security’s specialized SCADA protection solutions can help defend your industrial control systems, contact us today.

About the author

Waterfall team

FAQs About SCADA Security

SCADA security refers to the measures and practices used to protect Supervisory Control and Data Acquisition (SCADA) systems, which control and monitor industrial processes in critical infrastructure like power plants, water treatment facilities, manufacturing plants, and transportation networks.

The goal of SCADA security is to ensure the confidentiality, integrity, and availability of these systems while maintaining safe, continuous operations. Unlike traditional IT security, SCADA security must balance cybersecurity with operational requirements, since disruptions can directly affect physical processes and safety.

Key aspects of SCADA security include:

  • Access control and authentication for operators, engineers, and field devices

  • Encryption and data protection for communications and stored data

  • Network segmentation and monitoring to detect and respond to threats

  • Compliance with standards and regulations like IEC 62443 and NIST SP 800-82

  • Security awareness and training for personnel interacting with SCADA systems

In short, SCADA security safeguards the systems that keep critical industrial operations running reliably and safely.

SCADA systems are essential to the operation and safety of multiple critical infrastructure sectors, including:

  • Energy: Power generation, electrical grids, and oil & gas refineries rely on SCADA to monitor and control equipment, maintain grid stability, and manage production processes.

  • Water and Wastewater Utilities: Treatment plants use SCADA to regulate chemical dosing, flow rates, and overall system performance, ensuring safe water supply.

  • Manufacturing and Industrial Production: Automated production lines, robotics, and process controls depend on SCADA for efficiency and quality management.

  • Transportation and Logistics: Rail networks, ports, traffic systems, and pipelines use SCADA to coordinate operations safely and reliably.

  • Healthcare and Life-Critical Systems: SCADA supports facilities that require precise monitoring of medical gases, HVAC systems, and other critical operational infrastructure.

These sectors rely on SCADA because any disruption can have wide-reaching operational, safety, or economic consequences, making SCADA security a top priority.

The post SCADA Security Fundamentals appeared first on Waterfall Security Solutions.

What is OT Network Monitoring? https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/what-is-ot-network-monitoring/ Thu, 14 Aug 2025 11:42:29 +0000 https://waterfall-security.com/?p=35144 How OT network monitoring enhances industrial system security and reliability through real-time visibility, alert management, and tailored solutions for operational technology challenges.

What is OT Network Monitoring?

OT network monitoring is essential for keeping industrial systems safe, reliable, and compliant. It requires specialized tools and strategies tailored to unique protocols, legacy equipment, and strict uptime demands. Effective monitoring improves visibility, detects threats early, supports compliance, and enables operational optimization—all while balancing security with continuous process control.

Waterfall team

Understanding OT Network Monitoring

In today’s hyper-connected industrial world, the heartbeat of factories, power plants, transportation hubs, and water treatment facilities is no longer just mechanical—it’s digital. These environments depend on Operational Technology (OT) networks to keep processes running safely, reliably, and efficiently. But as cyber threats grow more sophisticated and downtime becomes more costly, simply “trusting” your systems to operate as intended is no longer an option. Continuous OT network monitoring has emerged as a critical safeguard—helping organizations detect anomalies before they escalate into safety incidents, production stoppages, or costly equipment failures.

Definition and Importance

What Are OT Networks?

Operational Technology networks are the communication backbones of industrial control systems (ICS). They connect sensors, controllers, actuators, and other devices that directly monitor and control physical processes. Whether it’s a PLC adjusting a chemical feed rate in a treatment plant or a SCADA system regulating voltage on a power grid, OT networks bridge the cyber and physical worlds—where even small disruptions can have large-scale consequences.

What is OT network monitoring?
OT network monitoring is the continuous observation, analysis, and reporting of traffic, device behavior, and system performance across industrial networks. Unlike a one-time audit or periodic check, monitoring is an ongoing process—providing operators and security teams with real-time visibility into what’s happening across their industrial assets. The goal is to spot deviations, intrusions, misconfigurations, or malfunctions early enough to prevent safety hazards, unplanned downtime, or regulatory violations.

Why monitoring is essential
In industrial environments, the stakes are higher than in most corporate IT networks. An undetected fault or cyber intrusion in an OT system can lead to physical damage, environmental harm, or even loss of life. Continuous monitoring helps maintain operational continuity by:

  • Detecting anomalies before they cause process disruption

  • Enabling rapid incident response to minimize downtime

  • Supporting compliance with safety and cybersecurity regulations

  • Preserving the reliability and lifespan of critical assets

How OT monitoring differs from IT monitoring
While both IT and OT network monitoring aim to ensure secure, reliable operations, their priorities and constraints are markedly different. IT monitoring focuses heavily on data confidentiality, network uptime, and user access control. In contrast, OT monitoring emphasizes safety, system availability, and process integrity—often in environments where downtime is unacceptable and changes must be carefully tested before deployment. Additionally, OT networks often run on legacy protocols, proprietary systems, and equipment designed decades ago—requiring specialized tools and approaches that standard IT monitoring solutions can’t handle without risking operational disruption.

The Evolution of OT Network Monitoring

Historical context of industrial control systems monitoring

In the not-so-distant past, most industrial control systems (ICS) operated in tightly controlled, air-gapped environments. These systems weren’t connected to corporate networks—let alone the internet—and monitoring was often limited to local diagnostics or manual inspection by on-site engineers. Security risks were mostly physical: unauthorized access to a control room or tampering with equipment. The idea of a remote cyberattack was, for most operators, a theoretical threat rather than an operational concern.

Shift from air-gapped systems to connected OT environments

That changed as industrial facilities embraced digital transformation. To improve efficiency, reduce costs, and enable remote management, organizations began linking OT environments to corporate IT networks, suppliers, and even cloud services. This shift brought undeniable benefits—real-time data sharing, predictive maintenance, and centralized control—but also opened a new and much wider attack surface. Threat actors no longer needed physical access; they could exploit vulnerabilities from halfway around the world.

Impact of Industry 4.0 and IIoT on monitoring requirements

The arrival of Industry 4.0 and the Industrial Internet of Things (IIoT) has taken OT connectivity to an entirely new level. Advanced analytics platforms, AI-driven optimization, and a proliferation of smart devices have transformed OT environments into highly dynamic, data-rich ecosystems. Monitoring requirements have grown exponentially—not only must organizations track traditional ICS traffic, but they must also manage vast flows of sensor data, device-to-device communications, and edge-to-cloud interactions. The sheer volume and diversity of connections demand more sophisticated monitoring tools capable of deep protocol inspection, anomaly detection, and contextual alerting.

Growing convergence between IT and OT networks and its monitoring implications

As IT and OT networks become increasingly intertwined, the line between them blurs. This convergence has significant implications for monitoring strategies. IT monitoring tools excel at tracking data integrity and cyber hygiene, while OT monitoring prioritizes process continuity and safety. Today’s industrial operators must integrate these perspectives—merging security event monitoring, performance tracking, and incident response into a single, coordinated approach. Done right, convergence can improve visibility across the enterprise. Done poorly, it can create blind spots that leave critical systems vulnerable.

Key Components of OT Network Monitoring

Hardware elements (sensors, controllers, gateways)

At the physical layer, OT network monitoring begins with the hardware devices embedded in the industrial environment. Sensors capture process data such as temperature, pressure, flow rates, and vibration levels—feeding this information into controllers like PLCs (Programmable Logic Controllers) or RTUs (Remote Terminal Units). These controllers manage real-time process logic, while gateways act as secure bridges between isolated OT systems and external networks, translating data across different protocols. In a monitoring context, these devices often host or support passive taps and probes, enabling the collection of network traffic and system performance data without disrupting live operations.

Software elements (monitoring platforms, analytics engines)

On top of the hardware layer, software platforms provide the brains of OT monitoring. These solutions gather raw data from field devices, parse industrial protocols, and present the information through dashboards, alarms, and reports. Advanced analytics engines can detect anomalies by comparing live data against baselines, identifying subtle patterns that may indicate equipment malfunctions or cyber intrusions. Increasingly, these platforms leverage AI and machine learning to provide predictive insights—alerting operators to problems before they manifest on the plant floor.

Communication protocols specific to industrial environments

OT networks operate on a very different set of communication standards than traditional IT systems. Protocols such as Modbus, DNP3, Profinet, EtherNet/IP, and OPC UA are purpose-built for deterministic, real-time control. In their original and most widely deployed forms they carry no authentication or encryption: any host that can reach a controller can read and write process values, and the traffic can be observed and altered in transit. Security extensions exist (DNP3 Secure Authentication, CIP Security for EtherNet/IP, and OPC UA's signed and encrypted sessions), but they are optional, and many fielded devices neither support nor enable them.

Effective OT monitoring tools must not only “speak” these protocols fluently, but also inspect them deeply for irregularities without interrupting time-sensitive communications.
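
To make the protocol point concrete, here is an added example (not code from the original article or from Waterfall) that decodes Modbus/TCP requests and picks out the ones that change process state. The frames are constructed by hand for the example; the frame layout and function codes follow the public Modbus specification.

```python
"""Decode and classify Modbus/TCP requests.

Added example, not code from Waterfall or the original article. The sample
frames are constructed by hand to the public Modbus/TCP layout: a 7-byte MBAP
header (transaction id, protocol id = 0, length, unit id) followed by the PDU
(function code, then data). Note what the frame lacks: any session, credential
or integrity check. Whoever can reach TCP/502 can issue a write.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Function codes from the Modbus Application Protocol specification (subset).
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}
DIAG_CODES = {8: "Diagnostics", 43: "Encapsulated Interface Transport"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    exception: bool                # True for an exception response (high bit set)
    address: Optional[int] = None  # start address for read/write PDUs
    count: Optional[int] = None    # quantity for reads and multi-writes, 1 for single writes

    @property
    def category(self) -> str:
        if self.exception:
            return "exception"
        for name, table in (("read", READ_CODES), ("write", WRITE_CODES),
                            ("diagnostic", DIAG_CODES)):
            if self.function_code in table:
                return name
        return "unknown"

    @property
    def name(self) -> str:
        return {**READ_CODES, **WRITE_CODES, **DIAG_CODES}.get(
            self.function_code, f"Function {self.function_code}")


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP frame; raise ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # The MBAP length field counts unit id + PDU: everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} disagrees with frame size {len(frame)}")
    fc = frame[7]
    exception = bool(fc & 0x80)
    fc &= 0x7F
    req = ModbusRequest(tid, unit, fc, exception)
    if not exception and fc in (1, 2, 3, 4, 5, 6, 15, 16):
        if len(frame) < 12:
            raise ValueError("PDU truncated")
        req.address, second = struct.unpack(">HH", frame[8:12])
        # For FC 5 and 6 the second word is the value written, not a quantity.
        req.count = 1 if fc in (5, 6) else second
    return req


def find_writes(frames: List[bytes]) -> List[Tuple[int, ModbusRequest]]:
    """Return (index, request) for every well-formed frame that changes process state."""
    found = []
    for i, frame in enumerate(frames):
        try:
            req = parse_modbus_tcp(frame)
        except ValueError:
            continue   # a real analyzer would raise a 'malformed frame' alert here
        if req.category == "write":
            found.append((i, req))
    return found


# Constructed sample traffic, hex-encoded by hand to the layout above.
SAMPLE_FRAMES = [
    bytes.fromhex("00010000000601030000000a"),            # unit 1: read 10 holding registers from 0
    bytes.fromhex("000200000006010600101234"),            # unit 1: write 0x1234 to register 0x0010
    bytes.fromhex("00030000000b0110000000020400010002"),  # unit 1: write 2 registers from 0
    bytes.fromhex("000100000003018302"),                  # exception: illegal data address for FC 3
    bytes.fromhex("000400000010010300000001"),            # malformed: MBAP length 16, frame is 12 bytes
]

if __name__ == "__main__":
    for i, req in find_writes(SAMPLE_FRAMES):
        print(f"frame {i}: {req.name} on unit {req.unit_id}, address {req.address}, count {req.count}")
```

The parser can tell what was requested and on which unit, but nothing in the frame says whether the requester was entitled to ask. That decision has to come from context the monitoring platform supplies, such as a learned allow-list of which hosts write to which controllers.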

Integration points with existing industrial control systems

No monitoring solution exists in isolation—it must integrate seamlessly with existing ICS infrastructure, including SCADA systems, distributed control systems (DCS), and safety instrumented systems (SIS). Integration ensures that monitoring tools can correlate network activity with operational events, allowing operators to understand whether a network anomaly is a harmless configuration change or a potential threat to process integrity. This tight coupling between monitoring and control systems enables faster, more accurate decision-making and helps maintain the delicate balance between security, performance, and safety in OT environments.

Objectives of OT Network Monitoring

Ensuring operational reliability and uptime

In industrial environments, downtime isn’t just inconvenient—it’s expensive, potentially dangerous, and damaging to reputation. OT network monitoring helps maintain system availability by continuously tracking device health, network performance, and control logic execution. By identifying early signs of equipment stress, communication bottlenecks, or misconfigurations, monitoring tools enable operators to intervene before small issues escalate into full-blown outages.

Detecting anomalies and potential security threats

Modern OT networks face a dual threat landscape: accidental faults caused by human error or equipment failure, and deliberate attacks from cyber adversaries. Effective monitoring acts as a 24/7 security guard—detecting abnormal traffic patterns, unauthorized device connections, or deviations from established operational baselines. Whether the anomaly is a misfiring sensor or an intrusion attempt exploiting a legacy protocol, rapid detection is critical for containing the impact and preserving safety.

Supporting compliance with industry regulations

From NERC CIP, which is mandatory and enforceable for the North American bulk electric system, to ISA/IEC 62443, a standard that regulators, customers and auditors increasingly reference for industrial control environments, compliance requirements are becoming more stringent. OT network monitoring provides the event logs, audit trails, and real-time oversight these frameworks call for. Beyond avoiding fines, compliance-driven monitoring ensures that security practices are not just theoretical policies but actively enforced operational controls.

Providing visibility into industrial processes and network performance

You can’t manage what you can’t see. OT network monitoring delivers deep visibility into both process-level and network-level activity—allowing operators to correlate production events with network behaviors. This transparency helps pinpoint the root cause of issues, improve troubleshooting efficiency, and ensure that process outcomes match expected performance parameters.

Enabling predictive maintenance and operational optimization

The same monitoring data that flags problems can also be used to predict and prevent them. By analyzing long-term trends in device behavior and network traffic, operators can identify components that are degrading, schedule maintenance before failure, and optimize process efficiency. Predictive insights not only extend equipment lifespan but also reduce costs associated with emergency repairs and unplanned downtime.

OT Network Monitoring Implementation and Technologies

Implementing OT network monitoring is not simply a matter of installing new tools—it’s a strategic process that must align with an organization’s operational priorities, security policies, and existing industrial infrastructure. From selecting the right hardware probes and protocol analyzers to integrating advanced software platforms and analytics engines, every step must be tailored to the unique requirements of the OT environment. The technologies that power monitoring—ranging from passive network taps to AI-driven anomaly detection—must work seamlessly together to provide comprehensive visibility without disrupting critical processes. In this section, we’ll explore the practical steps, architectures, and enabling technologies that make effective OT monitoring possible.

Monitoring Technologies and Tools

Specialized OT network monitoring platforms

Unlike traditional IT monitoring tools, OT-specific platforms are designed to understand industrial protocols, device types, and operational priorities. They offer deep packet inspection tailored to ICS communications, real-time process visualization, and alerting that reflects the unique safety and uptime requirements of industrial environments.

Industrial protocol analyzers

These tools decode and interpret proprietary or specialized communication protocols such as Modbus, DNP3, Profinet, and OPC UA. By understanding the context and function of each packet, protocol analyzers can identify anomalies like unexpected commands, malformed messages, or unauthorized configuration changes—issues that generic network analyzers might overlook.

SPAN port configuration for traffic mirroring

Switch Port Analyzer (SPAN) or port mirroring is a common method for capturing OT network traffic without interfering with live operations. By duplicating frames from selected ports or VLANs to a monitoring port, operators can passively observe communications and detect anomalies without adding latency to the control traffic. One caveat: mirrored traffic is the lowest-priority work a switch does, so when several busy ports are mirrored into one destination the switch silently drops the frames it cannot copy, and the monitoring tool never learns they existed. Where complete capture matters, for example at the IT/OT boundary, a passive network TAP is the more reliable choice.

Intrusion detection systems (IDS) for OT environments

An IDS in an OT context is tuned to recognize threats against both network infrastructure and industrial processes. It detects malicious traffic, suspicious control commands, and protocol misuse, often with preloaded threat intelligence specific to ICS vulnerabilities. Passive IDS deployment ensures security visibility without impacting system availability.

Security information and event management (SIEM) integration

Integrating OT monitoring data into a SIEM platform provides centralized visibility across both IT and OT environments. This convergence enables unified incident detection, correlation, and response—bridging the gap between enterprise security operations and plant-floor monitoring teams.

Asset visibility and inventory management tools

Accurate, real-time knowledge of every device on the network is essential for effective monitoring. Asset visibility tools automatically discover connected OT devices, record their firmware versions and configurations, and track changes over time—supporting vulnerability management and compliance efforts.

Network Segmentation in OT Monitoring

Importance of OT network segmentation for security and monitoring

In industrial environments, segmentation is one of the most effective ways to reduce risk and improve monitoring accuracy. By dividing the OT network into smaller, controlled segments, operators can contain potential threats, limit the impact of misconfigurations, and make it easier to identify abnormal traffic patterns. Segmentation not only improves security but also enhances monitoring efficiency—allowing tools to focus on specific areas of the network where baselines and behaviors are easier to define.

Zone-based monitoring approaches

Zone-based monitoring organizes OT systems into functional or security zones—such as safety systems, control systems, and corporate access points—each with its own tailored monitoring policies. This approach ensures that high-criticality zones (like safety instrumented systems) receive stricter oversight, while less critical zones can operate with more flexible monitoring rules. By assigning dedicated monitoring resources to each zone, operators gain more granular visibility and can respond faster to localized anomalies.

Purdue Model implementation for monitoring strategy

The Purdue Enterprise Reference Architecture (PERA) provides a layered framework for segmenting industrial networks, from enterprise and site business systems (Levels 5 and 4) down to the physical process (Level 0), with site operations, supervisory control and basic control (Levels 3 to 1) in between; security adaptations of the model add an IT/OT DMZ, often labelled Level 3.5, between the business and operations layers. Applying the Purdue Model to monitoring strategies ensures that each layer—whether it’s ERP systems, SCADA networks, or field devices—has dedicated monitoring points and security controls. This structured approach helps correlate events across layers and, together with the segmentation itself, makes any attempt to move laterally between business and operational systems both harder and visible.

Segmentation techniques specific to industrial environments

Industrial segmentation often requires more than traditional VLANs or firewalls. Techniques such as data diodes, unidirectional gateways, and protocol-specific filtering are used to control traffic flow while maintaining real-time process communications. These methods are designed with the deterministic nature of OT traffic in mind, ensuring that security measures do not introduce latency or disrupt time-sensitive operations.

Monitoring traffic between segments and zones

Segmentation alone is not enough—visibility into the traffic that moves between segments is critical. Monitoring inter-zone communications helps detect unauthorized connections, unusual data flows, or attempted breaches of segmentation controls. This is especially important in IT–OT convergence points, where attackers may try to use corporate networks as a gateway into industrial systems. Placing monitoring tools at these chokepoints ensures both security and operational continuity.
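
An added example of what a monitor placed at those chokepoints can check (not code from the original article or from Waterfall): each observed flow is mapped to a Purdue level by source and destination address and tested against an assumed policy in which nothing above the DMZ initiates connections into the control zones. The addressing plan, the policy table and the sample flows are all assumed for the example.

```python
"""Check observed flows against a Purdue-style zone policy.

Added example, not code from Waterfall or the original article. The subnet
to level mapping, the allowed transitions and the sample flows are assumed
for illustration. Any flow whose endpoints sit more than one level apart,
or that enters the control zones from above the DMZ, is reported as a
segmentation breach regardless of what a firewall rule may permit.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Assumed addressing plan: subnet -> Purdue level.
ZONE_MAP: Dict[str, float] = {
    "10.100.0.0/16": 5,    # enterprise
    "10.4.0.0/24": 4,      # site business planning
    "10.35.0.0/24": 3.5,   # IT/OT DMZ (jump hosts, replicated historian)
    "10.3.0.0/24": 3,      # site operations (historian, domain controller)
    "10.2.0.0/24": 2,      # supervisory control (SCADA servers, HMIs)
    "10.1.0.0/24": 1,      # basic control (PLCs, RTUs)
}
# Assumed policy: destination levels a source level may initiate connections to.
# IT-side hosts reach only the DMZ; nothing above the DMZ initiates into OT,
# which is the pattern a unidirectional gateway at the boundary enforces physically.
POLICY: Dict[float, Set[float]] = {
    5: {5, 4, 3.5},
    4: {4, 5, 3.5},
    3.5: {3.5, 4, 5},
    3: {3, 3.5, 2},
    2: {2, 3, 1},
    1: {1, 2},
}
NETWORKS = [(ipaddress.ip_network(n), lvl) for n, lvl in ZONE_MAP.items()]


def level_of(ip: str) -> Optional[float]:
    """Map an address to its Purdue level, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for net, lvl in NETWORKS:
        if addr in net:
            return lvl
    return None


def check_flow(src: str, dst: str, dport: int) -> Optional[str]:
    """Return a violation reason, or None if the policy permits the flow."""
    s, d = level_of(src), level_of(dst)
    if s is None or d is None:
        return "unknown_zone"          # not in the asset plan: inventory gap or rogue device
    if d in POLICY[s]:
        return None
    direction = "downward" if s > d else "upward"
    return f"{direction}_flow_L{s:g}_to_L{d:g}_port_{dport}"


def audit(flows: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int, str]]:
    """Return (src, dst, dport, reason) for every flow the policy forbids."""
    violations = []
    for src, dst, dport in flows:
        reason = check_flow(src, dst, dport)
        if reason is not None:
            violations.append((src, dst, dport, reason))
    return violations


# Constructed flow records (initiator, responder, destination port), as a
# collector at the inter-zone chokepoints might summarize them.
SAMPLE_FLOWS = [
    ("10.2.0.10", "10.1.0.5", 502),     # HMI polling a PLC: permitted
    ("10.3.0.7", "10.35.0.9", 1433),    # historian pushing to its DMZ replica: permitted
    ("10.100.4.77", "10.1.0.5", 502),   # enterprise host speaking Modbus to a PLC: breach
    ("10.35.0.9", "10.2.0.10", 3389),   # DMZ host opening RDP into supervisory: breach
    ("192.168.77.3", "10.1.0.5", 502),  # address outside the plan: flag for inventory
]

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print(*v)
```

The unknown-zone case is deliberately an alert rather than a pass: an address that the asset plan cannot place is either an inventory gap or a device nobody approved, and both deserve a look.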

Threat Detection Capabilities

OT-specific threat detection mechanisms

Industrial environments require threat detection methods that understand the unique protocols, device types, and operational priorities of OT systems. Unlike IT-focused tools, OT-specific detection mechanisms can interpret commands to PLCs, SCADA servers, and RTUs, differentiating between legitimate process changes and malicious activity. These solutions are tailored to the deterministic nature of industrial traffic, allowing them to spot subtle but dangerous deviations that general-purpose cybersecurity tools might miss.

Anomaly detection in industrial control systems

Anomaly detection works by establishing a baseline of “normal” network and process behavior, then flagging deviations from that baseline. In OT environments, anomalies could include unexpected changes in control logic, abnormal device communications, or sensor readings that don’t match expected process conditions. Because many OT attacks exploit process manipulation rather than traditional malware, anomaly detection is a critical layer in identifying early warning signs before damage occurs.

Behavioral analysis for identifying operational irregularities

Behavioral analysis digs deeper into how devices, users, and processes interact over time. It can reveal irregularities such as operators issuing commands outside normal work hours, machines starting or stopping unexpectedly, or repeated failed login attempts to control systems. By correlating these behaviors across multiple data sources, monitoring platforms can detect suspicious patterns that indicate insider threats, compromised credentials, or process misuse.
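
As an added example of the two approaches above (not code from the original article or from Waterfall), the following learns a baseline of normal conversations from a period operators vouch for, then reports anomalies (hosts and conversations never seen before) and behavioral deviations (a host that never wrote before issuing a write, writes outside an assumed maintenance window, a burst of exceptions from one source). The hosts, addresses, events, work-hours window and failure threshold are all constructed for the example.

```python
"""Baseline-and-deviation detection over ICS command records.

Added example, not code from Waterfall or the original article. The command
records are constructed here; in a deployment they would come from a protocol
analyzer or OT IDS feed. The baseline is learned from a period operators
vouch for, then every later command is checked against it. Host addresses,
the work-hours window and the failure threshold are assumed values.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

WRITE_FUNCTIONS = {5, 6, 15, 16, 23}   # Modbus function codes that change state


@dataclass(frozen=True)
class CommandEvent:
    ts: datetime
    src: str          # host that sent the request (HMI, engineering station, ...)
    dst: str          # controller that received it
    unit: int         # Modbus unit id
    fc: int           # Modbus function code
    ok: bool = True   # False when the controller answered with an exception


class Baseline:
    """Hosts, conversations and writers seen during the learning period."""

    def __init__(self, events: List[CommandEvent]):
        self.conversations = {(e.src, e.dst, e.unit, e.fc) for e in events}
        self.writers = {e.src for e in events if e.fc in WRITE_FUNCTIONS}
        self.hosts = {e.src for e in events} | {e.dst for e in events}


def detect(events: List[CommandEvent], baseline: Baseline, work_hours=(6, 22),
           fail_threshold=5, fail_window=timedelta(minutes=5)) -> List[Tuple[str, CommandEvent]]:
    """Return (rule, event) pairs for every deviation from the baseline."""
    alerts = []
    reported_hosts = set()                 # alert once per unknown host, not per packet
    recent_failures = defaultdict(list)    # src -> timestamps of recent exceptions
    for e in sorted(events, key=lambda x: x.ts):
        key = (e.src, e.dst, e.unit, e.fc)
        # Anomaly rules: things the baseline never saw.
        if e.src not in baseline.hosts:
            if e.src not in reported_hosts:
                reported_hosts.add(e.src)
                alerts.append(("new_host", e))
        elif key not in baseline.conversations:
            alerts.append(("new_conversation", e))
        # Behavioral rules: who writes, and when.
        if e.fc in WRITE_FUNCTIONS:
            if e.src not in baseline.writers:
                alerts.append(("unexpected_writer", e))
            if not work_hours[0] <= e.ts.hour < work_hours[1]:
                alerts.append(("off_hours_write", e))
        # Repeated exceptions from one source within a short window (probing, bad logic).
        if not e.ok:
            window = [t for t in recent_failures[e.src] if e.ts - t <= fail_window]
            window.append(e.ts)
            recent_failures[e.src] = window
            if len(window) == fail_threshold:   # fire once, when the threshold is crossed
                alerts.append(("repeated_failures", e))
    return alerts


def _at(day: int, hh: int, mm: int) -> datetime:
    return datetime(2025, 8, day, hh, mm)


# Constructed learning period: the HMI polls, the engineering station writes
# during a morning maintenance window, nothing else.
HMI, ENG, PLC, ROGUE = "10.2.0.10", "10.2.0.20", "10.1.0.5", "10.100.4.77"
LEARNING = [
    CommandEvent(_at(1, 8, 0), HMI, PLC, 1, 3),
    CommandEvent(_at(1, 8, 1), HMI, PLC, 1, 3),
    CommandEvent(_at(1, 9, 30), ENG, PLC, 1, 16),
]
# Constructed live traffic: routine polling, a write from an enterprise-side
# host at 03:00, then five exceptions from the same host in five minutes.
LIVE = [CommandEvent(_at(2, 8, 0), HMI, PLC, 1, 3),
        CommandEvent(_at(2, 3, 0), ROGUE, PLC, 1, 6)]
LIVE += [CommandEvent(_at(2, 3, m), ROGUE, PLC, 1, 3, ok=False) for m in range(1, 6)]


def run_sample() -> List[Tuple[str, CommandEvent]]:
    return detect(LIVE, Baseline(LEARNING))


if __name__ == "__main__":
    for rule, e in run_sample():
        print(f"{e.ts:%H:%M} {rule:20} {e.src} -> {e.dst} unit {e.unit} fc {e.fc}")
```

The learning period is the weak point of any baseline approach: if it already contained the misbehavior, the misbehavior becomes normal. Have the people who run the process sign off on the learning window, and re-learn deliberately after planned changes rather than letting the baseline drift.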

Signature-based detection for known threats

Signature-based detection compares observed traffic and files against a database of known malicious patterns, such as specific malware payloads, exploit attempts, or command sequences. In OT networks, these signatures may include known exploits targeting industrial protocols or specific vendor equipment vulnerabilities. While this method is effective for identifying recognized threats, it must be paired with behavioral and anomaly-based approaches to catch novel or modified attacks.

Zero-day vulnerability monitoring approaches

Zero-day threats—attacks that exploit vulnerabilities not yet disclosed or patched—pose a significant risk to OT systems, especially those running legacy equipment. Monitoring for zero-day attacks often relies on heuristics, advanced anomaly detection, and machine learning models that can recognize malicious intent based on suspicious activity patterns rather than known signatures. These proactive methods help detect and contain emerging threats before attackers can cause operational disruption or safety incidents.

Visualization and Reporting

Network topology mapping for OT environments

A clear, accurate map of the OT network is the foundation of effective monitoring. Topology mapping tools automatically discover devices, communication paths, and protocol usage—presenting them in a visual layout that reflects the actual physical and logical structure of the network. In OT environments, these maps help operators understand dependencies between assets, identify unauthorized devices, and pinpoint exactly where anomalies occur within the process control architecture.

Real-time dashboards for operational visibility

Dashboards transform raw monitoring data into actionable insights, giving operators instant awareness of network health, device status, and process performance. In OT environments, real-time dashboards often display critical KPIs like latency, packet loss, and PLC status alongside production metrics, allowing plant and security teams to make informed decisions on the spot. Customizable views let different roles—engineers, security analysts, managers—see the information most relevant to their responsibilities.

Alert management and prioritization

With hundreds or even thousands of events occurring daily in a large OT environment, alert fatigue is a real concern. Effective monitoring systems prioritize alerts based on risk level, operational impact, and asset criticality—ensuring that safety-related or production-threatening events are escalated immediately, while lower-priority notifications are logged for later review. Intelligent alert correlation can also group related events, helping teams focus on the root cause rather than chasing symptoms.
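
An added example (not code from the original article or from Waterfall) of the correlation and prioritization just described: alerts on the same asset that arrive within a ten-minute window are folded into one incident, and incidents are then ranked by worst rule severity times asset criticality, with safety-rated assets pinned to the top. The rule severities, asset criticalities and the alert stream are constructed for the example.

```python
"""Fold raw alerts into incidents and rank them by operational impact.

Added example, not code from Waterfall or the original article. Rule
severities, asset criticality values and the alert stream are constructed.
Alerts on the same asset that arrive within a short window become one
incident, so a burst shows up as one line rather than thirty; incidents are
then ordered by (worst rule severity) x (asset criticality), with anything
touching a safety-rated asset pinned to the top of the queue.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed severity (1-5) per detection rule and criticality (1-5) per asset.
RULE_SEVERITY = {"unexpected_writer": 5, "off_hours_write": 4, "new_host": 3,
                 "repeated_failures": 3, "new_conversation": 2, "info_poll_rate": 1}
ASSET_CRITICALITY = {"sis-01": 5, "plc-boiler-01": 4, "hmi-02": 2, "historian": 2}
SAFETY_ASSETS = {"sis-01"}   # safety instrumented systems always go first


@dataclass
class Alert:
    ts: datetime
    rule: str
    asset: str


@dataclass
class Incident:
    asset: str
    first_seen: datetime
    last_seen: datetime
    alerts: List[Alert] = field(default_factory=list)

    @property
    def score(self) -> int:
        worst = max(RULE_SEVERITY.get(a.rule, 1) for a in self.alerts)
        return worst * ASSET_CRITICALITY.get(self.asset, 1)

    @property
    def rules(self) -> List[str]:
        return sorted({a.rule for a in self.alerts})


def correlate(alerts: List[Alert], window: timedelta = timedelta(minutes=10)) -> List[Incident]:
    """Group alerts on one asset that arrive within `window` of the previous one."""
    open_incident: Dict[str, Incident] = {}
    incidents: List[Incident] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        inc = open_incident.get(a.asset)
        if inc is None or a.ts - inc.last_seen > window:
            inc = Incident(a.asset, a.ts, a.ts)
            incidents.append(inc)
            open_incident[a.asset] = inc
        inc.alerts.append(a)
        inc.last_seen = a.ts
    return incidents


def prioritize(incidents: List[Incident]) -> List[Incident]:
    """Safety assets first, then by score, then by most recent activity."""
    return sorted(incidents, reverse=True,
                  key=lambda i: (i.asset in SAFETY_ASSETS, i.score, i.last_seen))


def _at(hh: int, mm: int) -> datetime:
    return datetime(2025, 8, 2, hh, mm)


# Constructed alert stream: a 30-minute burst against the boiler PLC that
# includes one write from an unknown writer, a few daytime singletons, and a
# second, unrelated failure burst on the same PLC hours later.
SAMPLE_ALERTS = (
    [Alert(_at(3, m), "repeated_failures", "plc-boiler-01") for m in range(30)]
    + [Alert(_at(3, 0), "unexpected_writer", "plc-boiler-01"),
       Alert(_at(9, 15), "new_conversation", "historian"),
       Alert(_at(9, 40), "info_poll_rate", "hmi-02"),
       Alert(_at(9, 41), "new_host", "sis-01"),
       Alert(_at(12, 5), "repeated_failures", "plc-boiler-01")]
)

if __name__ == "__main__":
    for inc in prioritize(correlate(SAMPLE_ALERTS)):
        print(f"{inc.score:3} {inc.asset:14} {len(inc.alerts):3} alerts "
              f"{inc.first_seen:%H:%M}-{inc.last_seen:%H:%M} {', '.join(inc.rules)}")
```

The sort key is deliberate: a low-severity alert on a safety instrumented system outranks a high-scoring incident elsewhere, because the cost of being wrong is not symmetric. The criticality table is where plant engineering, not the security team, has to supply the numbers.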

Reporting capabilities for compliance and auditing

Regulatory frameworks such as NERC CIP, ISA/IEC 62443, and sector-specific safety standards require detailed evidence of monitoring activities. Reporting tools generate structured outputs that document network changes, security incidents, and system availability over time. Automated reporting ensures compliance documentation is always up to date, reducing the burden on operational teams while providing auditors with clear, verifiable records.

Historical data analysis and trend identification

Long-term monitoring data is a valuable asset for improving both security and operational performance. By analyzing historical trends, organizations can identify recurring issues, spot gradual performance degradation, and assess the effectiveness of past remediation efforts. In OT environments, trend analysis can also reveal seasonal patterns, workload fluctuations, or process inefficiencies—information that can be used to refine maintenance schedules and optimize resource allocation.

Challenges and Considerations

Dealing with legacy OT systems and protocols

One of the biggest hurdles in OT network monitoring is the prevalence of legacy equipment and outdated protocols that were never designed with security in mind. Many industrial control systems run proprietary or unsupported software, making it difficult to deploy modern monitoring tools without risking operational disruption. Monitoring solutions must be carefully chosen and configured to work with these legacy systems, often relying on passive techniques that avoid interfering with critical real-time processes.

Bandwidth and performance impacts of monitoring

OT networks are highly sensitive to latency and packet loss, which can directly affect control loop timing and process stability. Introducing monitoring infrastructure—especially active scanning or intrusive inspection—can strain network bandwidth and degrade performance. Therefore, monitoring architectures must be designed to minimize overhead, often through passive traffic collection methods like SPAN ports or network taps that don’t interfere with live traffic flows.

False positive management in industrial environments

OT networks generate a high volume of routine operational alerts, which can quickly overwhelm security teams if not properly filtered. False positives—alerts triggered by benign but unusual behaviors—can desensitize operators and cause critical warnings to be overlooked. Effective OT monitoring solutions use context-aware analytics, asset baselining, and correlation techniques to reduce noise, prioritize alerts, and ensure that only genuinely suspicious or impactful events demand attention.

Skill requirements for effective OT monitoring

OT monitoring requires a specialized skill set that combines cybersecurity expertise with deep understanding of industrial processes and control systems. Teams must be familiar with ICS protocols, safety requirements, and operational constraints to accurately interpret monitoring data and respond appropriately. This often necessitates cross-disciplinary collaboration between IT security professionals and OT engineers, alongside ongoing training to keep pace with evolving threats and technologies.

Balancing security monitoring with operational requirements

In OT environments, safety and continuous operation are paramount. Security monitoring cannot come at the expense of process reliability or safety system integrity. This balance requires careful planning—selecting non-intrusive monitoring technologies, aligning security policies with operational priorities, and maintaining transparent communication with plant personnel. The goal is to enhance security without introducing risk or disruption to critical industrial functions.

Ready to strengthen your industrial network’s defense without compromising operational integrity? Waterfall Security Solutions offers proven, non-intrusive security technologies designed specifically for OT environments. Our unidirectional gateways and advanced monitoring tools provide reliable protection against cyber threats while ensuring uninterrupted process performance. 

Contact us today to learn how Waterfall can help you achieve unmatched OT security and operational visibility.

About the author

Waterfall team

FAQs About OT Network Monitoring

OT network monitoring is the continuous observation, analysis, and reporting of traffic, device behavior, and system performance across industrial networks. Unlike a one-time audit or periodic check, monitoring is an ongoing process—providing operators and security teams with real-time visibility into what’s happening across their industrial assets. The goal is to spot deviations, intrusions, misconfigurations, or malfunctions early enough to prevent safety hazards, unplanned downtime, or regulatory violations.

In industrial environments, the stakes are higher than in most corporate IT networks. An undetected fault or cyber intrusion in an OT system can lead to physical damage, environmental harm, or even loss of life. Continuous monitoring helps maintain operational continuity by:

  • Detecting anomalies before they cause process disruption

  • Enabling rapid incident response to minimize downtime

  • Supporting compliance with safety and cybersecurity regulations

  • Preserving the reliability and lifespan of critical assets

While both IT and OT network monitoring aim to ensure secure, reliable operations, their priorities and constraints are markedly different. IT monitoring focuses heavily on data confidentiality, network uptime, and user access control. In contrast, OT monitoring emphasizes safety, system availability, and process integrity—often in environments where downtime is unacceptable and changes must be carefully tested before deployment. Additionally, OT networks often run on legacy protocols, proprietary systems, and equipment designed decades ago—requiring specialized tools and approaches that standard IT monitoring solutions can’t handle without risking operational disruption.

The post What is OT Network Monitoring? appeared first on Waterfall Security Solutions.

What Is ICS (Industrial Control System) Security? https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/what-is-industrial-control-system-security/ Thu, 14 Aug 2025 11:42:21 +0000 https://waterfall-security.com/?p=35669 How ICS security protects Industrial Control Systems, from SCADA and PLCs to critical infrastructure, vulnerabilities, and best practices

The post What Is ICS (Industrial Control System) Security? appeared first on Waterfall Security Solutions.

What Is ICS (Industrial Control System) Security?

ICS Security is crucial for protecting critical infrastructure like energy, manufacturing, utilities, and healthcare. This blog covers Industrial Control System components, common vulnerabilities, sector-specific risks, and best practices—including access control, network security, and compliance with NIST CSF and IEC 62443—to help safeguard industrial operations from cyber and operational threats.

Waterfall team

Industrial Control Systems (ICS) are the backbone of modern industries, running everything from power plants and water treatment facilities to manufacturing lines and critical infrastructure. While these systems keep our world moving smoothly, they also face a growing threat: cyberattacks. ICS security focuses on protecting these vital networks and devices from digital intrusions, system failures, and operational disruptions. As industries become increasingly connected and automated, understanding ICS security is no longer just an IT concern—it’s a matter of safety, reliability, and national security.

Understanding ICS Security Fundamentals

Industrial Control Systems (ICS) are specialized networks and devices that monitor and control industrial processes. They include systems like SCADA (Supervisory Control and Data Acquisition), DCS (Distributed Control Systems), and PLCs (Programmable Logic Controllers). ICS manages the machinery and processes that keep essential services running, such as electricity generation, water treatment, oil and gas pipelines, and manufacturing operations. Because these systems directly affect public safety and economic stability, ensuring their continuous and secure operation is critical.

The distinction between IT security and OT (Operational Technology) security approaches

While IT security focuses on protecting data, networks, and digital assets in traditional computing environments, OT security is concerned with safeguarding physical processes and industrial operations. Unlike typical IT systems, ICS and other OT environments often require continuous uptime, predictable real-time performance, and safety prioritization over data confidentiality. This means security measures in OT must balance protection with operational reliability, often using specialized controls, monitoring, and risk management strategies tailored to industrial environments.

Historical evolution of ICS security concerns and awareness

Historically, ICS environments were isolated and relied on proprietary technologies, making security a low priority. However, as industrial networks became increasingly connected to corporate IT systems and the internet, the risk of cyberattacks grew exponentially. High-profile incidents such as the Stuxnet malware attack in 2010 highlighted the devastating potential of targeting industrial systems, raising awareness across industries and governments. Today, ICS security is recognized as a critical aspect of infrastructure protection, with organizations implementing advanced monitoring, threat detection, and incident response strategies to defend against both cyber and physical threats.

Components of Industrial Control Systems

SCADA (Supervisory Control and Data Acquisition) systems architecture and security considerations

SCADA systems are designed to monitor and control large-scale industrial processes. Their architecture typically includes a central control system, remote field devices, communication networks, and data storage/reporting tools. Security considerations for SCADA focus on protecting these components from cyberattacks, unauthorized access, and network disruptions. Key strategies include network segmentation, strong authentication, encrypted communications, regular software updates, and continuous monitoring for anomalies. Since SCADA systems often control critical infrastructure, even minor compromises can have major operational and safety impacts.

PLCs (Programmable Logic Controllers) and their vulnerability points

PLCs are the “brains” of industrial equipment, executing automated control logic for machinery and processes. Their vulnerabilities often stem from outdated firmware, insecure protocols, or weak physical and network access controls. Attackers targeting PLCs can manipulate operations, cause equipment damage, or create unsafe conditions. Protecting PLCs involves strict access management, firmware patching, network isolation, and monitoring for unusual command patterns that could indicate tampering.

Distributed Control Systems (DCS) and their security requirements

DCS manage complex industrial processes by distributing control tasks across multiple controllers, allowing for redundancy and higher reliability. Security requirements for DCS focus on ensuring operational continuity, integrity of control logic, and protection against both cyber and insider threats. Measures include role-based access controls, encrypted communications, intrusion detection systems, and continuous auditing of process changes to prevent unauthorized modifications.

Remote Terminal Units (RTUs), sensors, and actuators as potential attack vectors

RTUs, sensors, and actuators are the field devices that collect data and execute commands in ICS environments. These components are often exposed to physical and network risks, making them potential entry points for attackers. Securing them requires tamper-resistant hardware, secure firmware, encrypted communications, and network monitoring to detect anomalies in field-level operations. Any compromise at this level can cascade to the entire control system.

Human-Machine Interfaces (HMIs) and their security implications

HMIs are the interfaces through which operators interact with ICS systems, providing visibility and control over industrial processes. Security risks include unauthorized access, malware infections, and manipulation of displayed data, which could lead to unsafe decisions. Protecting HMIs involves strong authentication, regular software updates, restricted network access, and operator training to recognize suspicious behavior or system anomalies.

Critical Infrastructure Sectors Relying on ICS

Energy sector (power plants, electrical grids, oil refineries)

The energy sector depends heavily on ICS to manage electricity generation, transmission, and distribution, as well as the operation of oil and gas refineries. These systems ensure the stability of power grids, regulate fuel flow, and monitor complex processes in real time. A security breach in this sector can lead to widespread blackouts, environmental hazards, or even national-level disruptions, making robust ICS protection absolutely essential.

Manufacturing and industrial production facilities

Modern manufacturing relies on ICS to automate production lines, control robotics, and maintain process efficiency. From automotive plants to electronics factories, these systems coordinate machinery and workflow at a scale and speed impossible for humans alone. Compromising these ICS environments can halt production, damage equipment, or create defective products, emphasizing the importance of both operational and cyber security measures.

Utilities (water treatment, gas distribution)

Water treatment plants, sewage systems, and gas distribution networks all depend on ICS to maintain safe and continuous service. ICS monitors flow rates, chemical levels, and system integrity to prevent contamination, leaks, or service interruptions. Because failures in these systems can directly affect public health and safety, securing these control networks against cyber and physical threats is critical.

Healthcare facilities and life-critical systems

Hospitals and healthcare facilities increasingly rely on ICS to manage critical systems such as medical imaging, laboratory equipment, HVAC, and backup power generators. Attacks or malfunctions in these systems can jeopardize patient safety, disrupt emergency services, and delay life-saving treatments. Consequently, securing ICS in healthcare involves not only traditional cyber defense but also compliance with stringent safety and privacy regulations.

ICS Security Framework and Implementation

ICS-Specific Vulnerabilities and Risks

Legacy systems with extended lifecycles and limited update capabilities

Many ICS environments rely on legacy hardware and software that were designed decades ago, often with minimal consideration for cybersecurity. These systems may not support modern security patches, updates, or encryption methods, leaving them exposed to vulnerabilities that attackers can exploit. The long lifecycle of these systems makes it challenging to maintain security without disrupting operations, creating a persistent risk for industrial environments.

Default configurations and hardcoded credentials

A common vulnerability in ICS is the use of default settings and hardcoded passwords in devices such as PLCs, HMIs, and RTUs. These default credentials are often well-known and can be exploited by attackers to gain unauthorized access. Failing to change these settings or implement strong authentication mechanisms can turn even a single compromised device into a gateway to the broader network.

Physical security concerns and their cyber implications

ICS components are often deployed in remote or accessible locations, making them susceptible to physical tampering or sabotage. Physical access can allow attackers to manipulate hardware, inject malicious code, or bypass network security controls. Because many ICS devices are connected to critical processes, even a small physical breach can escalate into a major operational or safety incident.

Operational requirements for availability versus security needs

ICS systems prioritize operational continuity and real-time performance, which can sometimes conflict with security best practices. For example, shutting down a process to apply a security patch may be unacceptable, or adding authentication delays could interfere with time-sensitive controls. This tension between availability and security requires careful risk management, layered defenses, and proactive monitoring to protect systems without compromising operational efficiency.

Access Control and Authentication

Role-based access control implementation for ICS environments

Role-based access control (RBAC) is a cornerstone of ICS security, ensuring that users can only access the systems and functions necessary for their job roles. By defining clear permissions for operators, engineers, and administrators, RBAC reduces the risk of accidental or malicious actions that could disrupt industrial processes. Regularly reviewing and updating role assignments helps maintain security as personnel or responsibilities change.

Multi-factor authentication for critical system access

To strengthen ICS security, multi-factor authentication (MFA) adds an additional layer of verification beyond passwords. MFA can include hardware tokens, biometrics, or one-time codes, making it much harder for attackers to gain unauthorized access. Implementing MFA is especially critical for remote access or administrative accounts that control key components of industrial processes.

Privileged account management for control systems

Privileged accounts in ICS—those with administrative or high-level operational access—pose a significant security risk if mismanaged. Proper management involves monitoring account activity, limiting the number of privileged users, enforcing strong password policies, and regularly auditing access logs. These practices help prevent insider threats, credential theft, and unauthorized system changes.

Physical access restrictions to ICS components

Physical security complements digital protections by preventing unauthorized personnel from tampering with ICS devices. Measures include locked cabinets, secured control rooms, surveillance systems, and restricted entry to sensitive areas. Controlling physical access is especially important for PLCs, RTUs, and HMIs that could be directly manipulated to disrupt industrial processes.

Vendor and contractor access management protocols

Vendors and contractors often require temporary access to ICS for maintenance, updates, or troubleshooting. Implementing strict access management protocols—such as time-limited accounts, supervised sessions, and detailed logging—reduces the risk of third-party breaches. Ensuring these external users adhere to the same security standards as internal staff is critical for maintaining overall system integrity.

Regulatory Compliance and Standards

Industrial Control Systems operate in sectors where safety, reliability, and compliance are paramount. To manage the unique cybersecurity risks in these environments, governments and international organizations have established a range of regulations and standards. These guidelines help organizations implement consistent security practices, align with industry best practices, and ensure that critical infrastructure remains protected from cyber and operational threats.

NIST Cybersecurity Framework application to industrial control systems

The NIST Cybersecurity Framework (CSF) provides a structured approach for identifying, protecting, detecting, responding to, and recovering from cyber threats. While originally developed for general IT environments, the framework has been widely adopted for ICS and OT systems. Organizations use NIST CSF to assess their current security posture, implement risk-based controls, and create resilient industrial operations. Its flexible design allows ICS operators to align security practices with operational priorities without compromising uptime.

IEC 62443 standards for industrial automation and control systems

IEC 62443 is a comprehensive set of international standards specifically designed for industrial automation and control systems. It addresses security across the entire lifecycle of ICS components, from design and development to operation and maintenance. Key areas include system security requirements, secure network architecture, and procedures for managing vulnerabilities. The standards also provide guidance on role-based access, authentication, and supplier security practices. You can learn more in detail here: IEC 62443 Standards Overview.

International standards and their regional variations

Different regions and countries have developed their own regulations for ICS security, often building on international frameworks like NIST and IEC 62443. For example, the European Union’s NIS Directive sets cybersecurity requirements for critical infrastructure operators, while the U.S. Department of Homeland Security provides sector-specific guidelines for energy, water, and transportation systems. Understanding these regional variations is essential for multinational organizations to ensure compliance and maintain consistent security practices across all industrial sites.

Final Thoughts

In today’s interconnected industrial landscape, the security of ICS and SCADA systems is more critical than ever. From legacy vulnerabilities to sophisticated cyber threats, protecting these systems requires a comprehensive approach that combines best practices, regulatory compliance, and advanced monitoring. Staying ahead of potential risks ensures not only operational continuity but also the safety of employees, communities, and critical infrastructure.

To see how Waterfall’s solutions can safeguard your SCADA systems and strengthen your industrial security posture, contact us today.

About the author

Waterfall team

FAQs About ICS Security

ICS security, or Industrial Control System security, is the practice of protecting the hardware, software, networks, and processes that manage and automate industrial operations. This includes systems like SCADA (Supervisory Control and Data Acquisition), DCS (Distributed Control Systems), PLCs (Programmable Logic Controllers), and field devices such as sensors and actuators.

The goal of ICS security is to ensure the confidentiality, integrity, and availability of these systems while maintaining safe and continuous operations. Unlike traditional IT security, ICS security must balance cyber protection with operational requirements, because disruptions can directly affect critical infrastructure like power plants, water treatment facilities, manufacturing lines, and healthcare systems.

The main difference between IT security and OT (Operational Technology) security lies in their focus and priorities:

  • IT Security protects data, networks, and digital assets in traditional computing environments. Its primary goals are confidentiality, integrity, and availability of information, with downtime often being manageable.

  • OT Security protects physical processes, machinery, and industrial systems like ICS and SCADA. Its main priority is safety and continuous operation, since downtime or disruption can directly impact production, critical infrastructure, or even human life.

In short, IT security focuses on protecting information, while OT security focuses on protecting physical processes and operational continuity, often requiring specialized controls that balance cybersecurity with real-time industrial performance.

Industrial Control Systems (ICS) are the frameworks that monitor and manage industrial processes, from manufacturing lines to power grids. They consist of PLCs (Programmable Logic Controllers) that automate machinery, sensors and actuators that detect conditions and execute actions, SCADA systems that collect and display data, and HMIs (Human-Machine Interfaces) that allow operators to interact with the process. RTUs (Remote Terminal Units) extend control and monitoring to remote locations, while communication networks connect all components and enable data flow.

Together, these components allow operators to monitor, control, and optimize industrial processes safely and efficiently. Safety and protection systems, like safety instrumented systems, provide critical safeguards by intervening automatically when processes exceed safe limits. In essence, ICS integrates the “eyes, hands, brain, and nerves” of an industrial operation, ensuring processes run reliably, safely, and in real time.

Network Duct Tape – Episode 141 https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/network-duct-tape-episode-141/ Wed, 13 Aug 2025 16:31:00 +0000 https://waterfall-security.com/?p=35075 Hundreds of subsystems with the same IP addresses? Thousands of legacy devices with no modern encryption or other security? Constant acquisitions of facilities "all over the place" network-wise and security-wise? What most of us need is "network duct tape". Tom Sego of Blastwave shows us how their "duct tape" works.

The post Network Duct Tape – Episode 141 appeared first on Waterfall Security Solutions.

Network Duct Tape – Episode 141

Hundreds of subsystems with the same IP addresses? Thousands of legacy devices with no modern encryption or other security? Constant acquisitions of facilities "all over the place" network-wise and security-wise? What most of us need is "network duct tape". Tom Sego of Blastwave shows us how their "duct tape" works.

“We abstract the policy from the network infrastructure such that you can have a group of devices or a device itself that essentially associates with an IP address that’s an overlay address.” – Tom Sego

Transcript of Network Duct Tape | Episode 141

Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.

Nathaniel Nelson
Welcome listeners to the Industrial Security Podcast. My name is Nate Nelson. I’m here as usual with Andrew Ginter, the Vice President of Industrial Security at Waterfall Security Solutions.

He is going to introduce for all of us the subject and guest of our show today. So Andrew, how are you?

Andrew Ginter
I’m well, thank you, Nate. Our guest today is Tom Sego. He is the CEO and co-founder of BlastWave. And he’s going to be talking about distributed asset protection, which is a fancy name for a very common problem in the industrial space. We have stuff: devices, computers, assets, cyber assets all over the place. They might be distant in pumping and substations, they might be local. The stuff was bought on the cheap. It was the lowest bidder.

It’s old. It’s ancient. And we have no budget to rip in place. So what do we do about cybersecurity? And this is something he’ll be walking us through.

Nathaniel Nelson
Then let’s get right into it.

Andrew Ginter
Hello, Tom, and thank you for joining us. Before we get started, can I ask you to say a few words of introduction? Tell us a bit about your background and about the good work that you’re doing at BlastWave.

Tom Sego
Sure, Andrew. Thanks for having me. So my background is I started my career as a chemical engineer at Caterpillar. I also spent eight years at Eli Lilly designing and building processing facilities to make medicine.

I was also a certified safety professional during that period and managed a 24-7 liquid incineration operation, which burned 30,000 gallons of liquid waste per day.

So a shit ton. And then I went to Emerson and did business development, corporate strategy there. Then I did product management at AltaVista. Then I went on to do sales support at Apple, where I was for almost 10 years.

And then that’s when I started my entrepreneurial career. I started a mobile telephony company, started a solar storage company, started a wine importing business, then played professional poker for a few years, and then eventually started this cybersecurity business called BlastWave.

I co-founded that in 2017. And our mission then is the same as it is today, which is to protect critical infrastructure from cyber threats.

And we wanted to kind of come at this with a very different approach than other cybersecurity companies in that We kind of started from first principles thinking about what are the three highest kind of classes of threat and categories of threats, and can we actually eliminate those?

The biggest category is probably no surprise to anybody here, but it’s phishing, credential theft, et cetera. I’m like, well, let’s just get rid of usernames and passwords altogether. And come up with a different model for MFA that can actually apply to industrial settings.

So we did that. The second category of threats was really CVEs and vulnerabilities. And could we make those unexploitable? And we came up with a concept called network cloaking, which I’m sure we’ll discuss, which kind of addresses that issue. And then the last one is human error, which is impossible to get rid of.

But if you can make human beings make fewer decisions, they can also make fewer mistakes. So we also incorporated that into a lot of our UI and UX.

Andrew Ginter
Wow, that’s a history like none other I’ve ever heard, Tom. I’m thinking it makes my own, what I thought, storied background look completely mundane.

You’ve been in lots of different industries. Now, I understand that a lot of what BlastWave does right now is upstream and midstream. And we’ve never had someone on the show explaining how that works. I mean, I think we’ve had one person on talking about an offshore platform at some point.

But when you’re looking at the industry, can we start with the industry? What’s the physical process? Physically, what’s this stuff look like? What’s it do? How does it work?

Tom Sego
Yeah, it’s really interesting because I can talk about the physical process and it’s also evolved quite a bit in the last 20 years. So first of all, just stepping back, looking at the industry, the overall oil and gas market globally generates $2 trillion dollars of revenue per year, and it generates $1 trillion in profit.

So there’s a lot of money in this business. And that also means that there’s a lot of gallons of oil and a lot of cubic feet of gas that are being extracted and transmitted and sent everywhere around the world.

And the other thing that’s interesting is that in spite of how old this industry is, there’s between 15 and 20 thousand new oil wells created per year and in fact, half of those were done in the Permian Basin. So about 8,000 wells were created last year in the Permian Basin.

Tom Sego
I don’t think people realize the magnitude of which the oil and gas companies are continuing to create wells and extract oil. The other thing that’s interesting about it is 20 years ago, we had a traditional vertical drilling approach to oil and gas.

And in the last two decades, we’ve noticed that there are capabilities to actually now drill horizontally. And what’s pretty interesting is you can actually, as you start drilling a well today, you create the initial bore, which is usually a foot or more in diameter.

And then you can send these kind of devices and drill bits down a relatively sloping curve that over the course of maybe 100 or 200 meters, you’ve now done 90 degree angle.

And then you can start drilling horizontally, which allows you to have higher probabilities of not hitting a dry well. It gives you more capabilities for lower cost extraction.

And so it’s been a great boon for the industry. Hydraulic fracturing, which is another technique that’s been exploited to get much higher yields out of these wells, also contributed to the recent boom in oil and gas.

So there are many, many things that have to be considered when you start doing this process. You’ve got to go through site selection, permitting. You’ve got to do all this site prep. And one thing people may not realize is site prep means building roads.

You have to build an entire infrastructure to get to and from these wells. And then once you start actually drilling the well, it’s much like a CNC machine, if you’ve been in a factory like Caterpillar or something, where there’s a fluid, a heat transfer fluid, that allows you to cut the metal.

In this case, they use a mud that both stabilizes the wellbore and also helps you manage pressure. And that mud flows down through the drill pipe and then it comes out around in kind of an annulus, almost like a donut, that comes back up the outside of that drill pipe to be then cleaned, having the rock cuttings removed from it using a screening operation.

And then you kind of reuse the mud and so forth. So there’s a lot to it. And increasingly, much of this is being automated.

And you’re having connectivity that is absolutely essential to be your eyes and ears in these wells. Because once you start producing oil and gas, these things are hours and hours away from each other.

They’re very remote, very rural areas. And so that connectivity is absolutely critical. And you may have, we have one customer who has 700 sites that they’re trying to manage.

And so they have to have the ability to do this in an automated fashion, which requires not just connectivity, but secure connectivity.

Andrew Ginter
Cool. I mean, it’s a piece of the industry I’d never dug into. So thank you for that. Can I ask you, you’ve said in the modern world,

you know, increasingly everything is automated. I mean, that makes perfect sense. The example I often use is you buy an automobile, it’s got 300 CPUs in it. Everything, every device, every non-trivial device you buy nowadays has a CPU in it.

Can you talk about the automation in these drilling systems, in these upstream systems? What does that automation look like? Is it built into the device like an automobile? Is it a programmable logic controller? I mean, I’m familiar with power plants vaguely. I mean, bluntly, I don’t get out much. I’m a software guy more than a hardware guy, but I’ve had a few tours. I know what a PLC looks like. If I visited one of these well sites, would I recognize the automation? What’s it look like?

Tom Sego
Yeah, you would definitely recognize the automation. So what you see is your classic kind of SCADA tech stack, if you will. So you’ll have remote terminal units. You’re going to have PLCs.

You’re going to have these things mounted on a DIN rail in a cabinet. And there can be various size cabinets at some well locations.

You’re going to have just a few number of devices. And then at some other well sites, again, I go back to the horizontal drilling, you’re going to have a much bigger operation there. You’re also going to have those well sites connected to what are called tank batteries.

So that you can essentially manage the flow of oil and gas into these storage facilities. So there’s a lot of automation that’s necessary using kind of PID control loops to maintain equilibrium within these systems.

And there can also be, oftentimes, challenges that happen, shocks to the system, where, let’s say in the case of oil and gas, the price starts dropping.

But when the price starts dropping, the motivation of the business unit is not to just keep cranking production at maximum capacity. And so you actually want to have dynamically, you want to manage your operation dynamically based on economic conditions that can change over time.

And I’ll tell you something else, Andrew, about what’s happening today. There’s a lot more uncertainty in the business world today than there was four months ago. And I think that is going to affect oil and gas.

It’s going to affect the price of oil and gas. It’s going to affect the supply of oil and gas. It’s going to affect the transmission across borders. So these kinds of things can affect the automation.

I’ll call it like Uber automation. Okay. Not just between the actual plant operations and facilities, but also between different entities in the upstream, downstream and midstream ecosystem.

So there’s a lot of very interesting factors that affect that. And I’ll tell you one other thing that’s kind of interesting. That’s how everybody’s talking about AI, and there are some of the larger oil and gas companies that are trying to figure out how to apply AI to optimize their operation.

And everybody knows that there’s automation that’s used to help identify ways to deliver predictive maintenance to rotating machines.

But there’s also uses of AI in oil and gas to prevent things like spills. And one of the big challenges is it’s easy. If you go talk to someone at BP or Shell or Chevron and you say, can I get data to the cloud? They’re going to go, well, heck yeah.

There’s all kinds of great things that can allow you to get data out of your process. And in fact, I think you’re associated with a company that does a really good job of doing that kind of one-way transmission of data.

And the other thing is, but once you have that data, and you’re using it to build AI models, then how do you get, deliver those set points and control variables back to the process?

It scares the crap out of these people. The idea of connecting their control network to a much less secure cloud network or corporate network.

Because as we all know, security is a continuum. It’s not Boolean secure insecure. So I think there’s a lot of interesting things that are happening with that. And I think just to to kind of close the story on that, one company, for example, is pulling that data, they’re analyzing it actually in AWS, and then they are taking some of those control variables and they’re using a human in the loop process so that they’ll say, this is the recommended set point for this this process.

And then the human in the loop then implements that through their control HMI. So there’s a lot of very interesting traditional ways in which automation is applied to oil and gas.

But there’s also some very interesting evolving mechanisms that involve machine learning.

Andrew Ginter
So, Nate, let me jump in and give sort of a bit of context here. Yeah, AI and cloud-based systems, in my opinion, these are the future of industrial automation in pretty much everything.

The question is not if, the question is when, because different kinds of cloud systems are going to be used in different kinds of industries at different times, with different intensities. So, I care enormously about this topic because I am writing my fourth book. The working subtitle of the book, possibly the title of the book, is CIE for a Safety Critical Cloud.

You know, when you have cloud systems controlling potentially dangerous physical processes, how do you do that? There are designs that work. I’m keen to listen to the rest of the episode here. When I had Tom on, I was keen to learn from him. When I write these books, I try not to make up solutions myself.

I tend to get them wrong when I do that. I try to learn from experts like Tom and gather up the best knowledge in the industry and try to package it up in a digestible format.

So, yeah, the cloud is the future, and when we recorded this, I was keen to learn from Tom about what the future looks like.

Nathaniel Nelson
And I know we’re about to get right back into the interview. And what I’m about to say actually kind of has nothing to do with what you just said. But before we go, a few times now, it feels like you guys have mentioned the terms upstream, downstream, midstream. And I just want to make sure I’m clear on this before we continue.

Andrew Ginter
Sure. This is standard oil and gas terminology. People say, oh, oil and gas, as if it were one industry. It’s not. Really, there’s three industries involved, and each of these sort of sub-industries has a lot of different kinds of facilities. So the stream is generally considered to be the pipeline.

So we’re talking upstream is producing stuff to feed into midstream, the pipeline. And downstream is taking stuff out of the pipeline for refining and such. So, sort of next level of detail, what’s involved in upstream? Exploration is considered part of upstream.

Initial drilling is part of upstream. Offshore platforms are part of upstream. The onshore pump jacks are part of upstream.

The whole infrastructure, building roads, is part of the upstream process. Midstream is pipelines and tank farms. And in the natural gas space, you need to do sort of an initial separation and discard waste from the product. You might even need this in liquids: if you can do an initial filter and take water out of the oil and pump the dirty water back down into the well, sort of waste, or take carbon dioxide out of the natural gas, there’s initial processing facilities that sort of come before sending stuff into the pipeline. There’s tank farms where the pipelines store stuff sort of intermediate. There’s liquid natural gas ports. There’s oil ports. There’s oil tankers. This is all part of midstream, the process of moving stuff from place to place and to a degree storing it while you’re moving it.

And then downstream is sort of everything you do after it comes out of the pipeline. So there’s refining, turning it into diesel fuel and jet fuel. There’s the finished processing on natural gas, taking out all of the natural gas liquids, making it basically pure methane with not much else.

There’s even stuff like trucking gasoline from the pipeline to the gas stations; that is considered part of downstream. Midstream kind of rears its head again because you might have the concept of a gasoline pipeline. So you’ve got the oil pipeline bringing the crude oil to the refinery. Then you sort of hit midstream again, taking the finished product, gasoline, and sending it to consumers. Then you’ve got the trucks, you’ve got the gas stations.

Each of these sort of upstream, midstream, and downstream sub-industries has sort of many components. I’ve lost it now, but I saw a list once of, here’s all the different kinds of things that can be in midstream.

And it was like, I counted, it was 27 kinds of things. So it’s a complicated industry, but very loosely, upstream produces, midstream transports, and downstream consumes, in a sense, refines and produces the goods that we actually consume.

Andrew Ginter
So that’s interesting. I mean, human in the loop, I’ve heard that described as open loop, in power plants, which I’m more familiar with. You monitor the turbines.

The AI in the cloud comes back and sends you a text message and says, you should really service the turbine in generating unit number three sometime in the next four weeks. And it goes into my eyes, goes into my brain. I go and double check with my fingers. I type on things. I say, I think they’re right.

And I schedule the service. That’s open loop. And yeah, it gets scary when you start doing closed loop.

Tom Sego
Yeah. And I would say that one of the key things, if you look at some analogous systems where they have actually gone from open loop, human in the loop, if you will, to closed loop, I’ll give two examples. One would be autopilot on planes and another would be self-driving cars.

And in both of those cases, you don’t just switch from open loop to closed loop. No, you do an extensive amount of testing and validation.

And you also, in many cases, build redundant systems that allow an additional level of supervisory control on top of your normal process control loops.

And so, like, an example that I had heard about was a company that was looking at having tank level measurements and looking at an AI model that would actually analyze the input feeds to that tank model. And it would pull data from third parties that would look at the truck routes for the tankers that were pulling oil from that tank.

And so you could actually synthesize that data. Now you would have to put in place a lot of, I’ll call it, ancillary systems and ancillary testing to make that safe enough to be like an autopilot on a car.

Because theoretically now, with all that supporting testing, autopilot on a car is supposed to be safer than humans.

And with people on their phones, like I see them these days, I think that’s become an increasingly low bar.

Andrew Ginter
Fascinating stuff. The future of automation, I’m convinced. But if we could come back to the mundane, you talked about phishing, you talked about CVEs, exploiting vulnerabilities.

We’re talking about protecting these assets in the upstream and midstream oil and gas. Can you bring us back to cybersecurity? How does this big picture fit with what you folks do and what you’re focused on cybersecurity-wise?

Tom Sego
Absolutely. So one of the things that’s interesting is, I love talking to customers, and I try to spend at least 50% of my time, actually listening more than talking, with customers and understanding what their challenges are and how we can solve those.

And in the case of oil and gas, there were three customers that came to us and told us the identical story, and they became our largest customers.

And the story they were telling us was that they had these highly distributed assets all over these very wide geographic areas, and they had spotty cellular and they had backup satellite to enable that connectivity that they need. They need the eyes and the ears in the field because it would be cost prohibitive for them to get in a truck and drive out there to monitor that every few hours.

So the challenge they brought to us was the security team didn’t like the operations team having this insecure connectivity to these remote areas.

And so the security team said, you need to do something about that. And that’s where BlastWave came in. And we said, we can actually use our software-defined networking solution to cloak those assets so they’re undiscoverable to adversaries,

but also segment them so that if there were malware that were to get introduced in one area, it would not spread to others. And then finally, you would have the ability to get secure remote access.

And one of the coolest parts about this is, this is not a bump-in-the-wire kind of solution. This is a solution that allows routing and switching between groups of devices and users.

So it cuts across firewalls as if they don’t exist. It doesn’t route traffic based on source and destination. It routes it based on identity.

And this is something I think is very unique to us. And it’s something that I think customers absolutely love. And this has enabled us to address a benefit that we hadn’t even thought about, which was that when oil and gas companies acquire other oil and gas companies, one of the first things they face is the need to maybe re-IP this architecture.

Because oftentimes in the IP space, there’s overlapping addresses. And that can be problematic. It can take a lot of time.

It can take a lot of money. And that’s another solution that we’ve been able to deliver almost by accident. We had one company, an oil and gas company, that acquired a $30 billion acquisition target.

That’s a big company that you’re acquiring. And they were able to protect that with Blast Shield in three weeks of acquiring them. And they didn’t have to re-IP anything.

Again, that’s just because of the way we do this network overlay. So there’s a lot of cool use cases that we’ve discovered through the process of listening and talking to customers.

Andrew Ginter
Cool. So you’ve said the phrase SD-WAN, software defined wide area network. I have never figured out what is an SD-WAN. I mean, I’ve worked with firewalls for 20 years.

I did a lot of different kinds of networking, not hugely. I mean, I never worked for a telco, but can you work with me? What is an SD-WAN? What is your SD-WAN? How does one of these things actually work? What does it do?

Tom Sego
Yeah. Well, first of all, I said SDN, not SD-WAN. So I said software-defined networking, which is a principle, not SD-WAN, which is an architecture.

I guess the best way for me to think about this, and keep in mind, I’m a chemical engineer, not a software engineer. So that means it may take me longer to understand these concepts, but when I finally do, I can probably explain them to people.

So the way I’ve learned this is that we essentially abstract the policy from the network infrastructure, such that you can have a group of devices, or a device itself, that essentially associates with an IP address that’s an overlay address, much like you get with network address translation.

All right, so you have an original IP address and a translated IP address, and the software-defined network then uses the overlay address both to communicate with each other and to establish the most efficient route,

because performance is very important in OT environments, unlike IT environments. And this allows us to optimize the path for any given packet, which is also very cool. So that’s one of the elements that I think is important in software-defined networking.

The other thing is that it creates this illusion that it is a point-to-point between two different devices or two different groups.

And so that’s part of the abstraction. So if you don’t have to, like, set the path, which is what firewalls do, looking at the routing, how you go from this firewall to that firewall, from this port to that port, when you just abstract that to, I wanna go from this centrifuge to that control room,

it doesn’t matter if the infrastructure changes. And this is a very powerful benefit of software-defined networking. Because if you’re just looking at the device you want to protect and the user who wants to connect to that protected device, as the environment evolves, and it absolutely will, you don’t get put in the penalty box like you would in a firewall situation where you could get firewall rule conflicts.

And one thing to think about, Andrew, is when you think about the breaches that occur, about 100 percent of those breaches already have firewalls.

And so that means that the firewall didn’t work properly, which is usually a result of a firewall rule problem, or the environment has evolved in such a way that it’s no longer protected. There’s a hole.

And of course, we all know that adversaries just need to be right once. Whereas us defenders, we’ve got to be right all the time, which is very tough unless you’re my wife.

Andrew Ginter
There you go.

Andrew Ginter
So Nate, let me jump in here. As I told Tom, I’ve wondered about this space of software-defined networking, wide area networking, for some time, and I’m beginning to wrap my head around it.

He gave the example of, you might imagine that we’ve got the internet. Local area networks, wide area networks were designed so that devices have internet protocol addresses and they talk to each other, and routers move messages from one network to another. So they get from the source to the destination.

Why is any of this complicated? Why do we need any more than that? One example that Tom gave was acquisitions. If company A, I mean, there’s internet addresses, the 10-dot series, two to the 24th addresses, that are private addresses.

Private businesses can assign them to assets on their private networks and never show those addresses to the public, to the public internet. That’s fine.

There’s another set, 192.168, is a 16-bit address range that everyone uses. So you might say, so what? Company A uses, let’s say 10.0.1 through 10.0.20.

They’ve got a lot of assets. They use up a bunch of the address space. And then they buy company B that’s used the same addresses because they’re private addresses. You don’t have to register that you’re using them in public.

And now all of the equipment has the same IP addresses. For each IP address, there’s two pieces of equipment in the network. How do you route messages from these subnetworks, from these assets to each other?

This is the problem of renumbering when you acquire a business. Often you have to renumber. It’s a pain in the butt on IT networks.

It can shut you down until you’re done and have tested the renumbering on OT networks, and nobody wants to shut down. So if there’s a piece of technology, I mean, the textbook technology is network address translation, part of most firewalls.

It lets you hide some private addresses and assign a different address to sort of that set of private addresses. You’ve got to set up a whole bunch of firewall rules. You can do that sort of manually, painfully, but it gets worse than that.

I mean, I was talking to Tom after the recording. He gave me an example that I didn’t capture on the recording, but he said, Andrew, they’re working with an airport and the airport’s building a new wing.

I mean, this is common. Airports expand. And let’s say there’s 27 gates in the new wing. Every gate has got one of those machines, those ramps that sort of snuggle up to the aircraft, and the door opens and people come out and step onto this device that has, I forget what the name of it is, moved up to the aircraft, and then they walk into the airport building.

Every one of these devices has automation, has computers.

Every one of these devices, when you buy it from the manufacturer, the manufacturer assigns the same private addresses to every one of their products. So now you’ve got 27 of these ramps in the new wing, and every batch of 20 computers or devices that are built into the ramp have the same IP addresses.

How do you route this stuff? Again, you can put firewalls in place. So now you need a firewall in every ramp. You need technology. And it gets more complicated than that.

For example, many years ago, I worked with a bunch of pipelines. I remember one pipeline, a thousand kilometers long, pumping stations, compressor stations, all the way down the pipeline. Communication was important.

You have to communicate with these stations or you have to shut down the pipeline. It’s illegal to operate a pipeline in that jurisdiction unless there’s human supervision.

And so there was a fiber laid along the right of way for the pipeline. And from time to time, some fool would run a backhoe through it.

So you’d need backup communications. I kid you not, this pipeline had something like seven layers of backup communication. There was satellites, there was DSL modems to the local internet service provider.

There was cable modems when there was a local internet service provider. I think this was before the era of cell phones.

There were analog modems. We’re talking 56 kilobit, 100 kilobit per second modems that you can route internet protocol down very slowly in an emergency.

And they had built their own by hand. They had rolled their own, what today I think would be called a software-defined wide area network, where the task of that component was to say, I need to send an internet protocol message from the SCADA system to a device 500 kilometers away;

what infrastructure is up, what infrastructure is dead? If a piece of the communications infrastructure has failed, then activate one of the backups and change all the routes, change all the firewall rules so that

all of the messages that have to get from A to B can get from A to B. It seemed to me ridiculously complicated, but in hindsight, it sounds like the same kind of need that modern software-defined wide-area networks address.

They address security needs as well as just the basics of getting the messages from one place to another when the underlying infrastructure changes from moment to moment.

Andrew Ginter
So that kind of makes sense. I think of wide area network, I think of routing. So there’s a routing element. You’ve got multiple paths. The system sort of auto-heals and figures out the best paths or presumably the cheapest paths.

But you’ve also talked about users and security. How does this routing concept work with security?

How is security part of this? You’ve also mentioned firewalls. Can you dig a little deeper?

Tom Sego
Yeah. Well, I think we in a way are disrupting firewalls that are used for lots of industrial applications.

There are great uses of firewalls. They’re a fantastic tool, but it’s kind of been used like, if you have a hammer, all the world looks like a nail. And, especially again, I’ll talk about these remote oil and gas locations where you may only have five or 10 devices.

And so the idea of having a firewall to segment that is ridiculous. The expense would be prohibitive. So that’s one of the other reasons why it’s so cool, the way we can scale dramatically from protecting five devices at a very remote well site to 2000 devices with a single gateway.

So there’s a lot of flexibility that we have that firewalls can’t deliver. And when you look at a comparison of a project that involves a firewall as a solution versus Blast Shield, we take one tenth the time, cost one fourth as much.

We can deliver this with half the administrative lift. It’s much easier to deploy as well. And it actually works. So there’s a lot of benefits that we bring over a firewall kind of solution.

Andrew Ginter
Okay, so I understand these are powerful benefits, but can we come back to the technology? Can you tell us what does this stuff look like? I mean, you said it’s not a bump in the wire.

Physically, what does it look like? Is it a DIN rail box at each of these sites? Is it a DIN rail box on a central tower? Is it something in the cloud? Can you talk about what is it that is solving these problems?

Tom Sego
Sure. So there are basically five components that we have to our platform. The first two create the authentication handshake. One is a client that runs locally on your HMI or on your machine.

And then you also typically have a mobile application that provides the MFA without passwords. And that was patterned after Apple Pay.

So again, I spent a decade at Apple. And so the idea was, let’s try to use some of that technology to provide stronger authentication. The other thing that we have is we have a gateway.

And the gateway is a software appliance. And it can be deployed on x86 bare metal. It can be deployed on containers. It can be deployed on Kubernetes clusters.

It can be deployed in the cloud, AWS, GCP, Azure. It’s very flexible, and it can be operated both in passive mode and active mode. So in the traffic path or outside the traffic path.

We also have an agent that can run locally on a machine, which most people know what agents are. And then finally, there’s an orchestrator that is used to drag and drop devices and people into groups and then establish policies between those groups.

So that’s a little bit about the way that the technology is set up. And one of the things that we found is that you can have people who are, I’ll say, less sophisticated than many CCNA-trained professionals.

So they don’t even need to know how to use command line to deploy our solution. So it’s relatively simple. We have an example where one person is managing 22,000 devices.

So again, that provides a benefit to them in terms of OPEX reduction ongoing. So that’s a little bit about the way the technology works and the way these components fit together. Does that answer your question, Andrew?

Andrew Ginter
That’s close. I mean, what you’ve described is sort of the pieces of the puzzle. But I’m still a little weak on how they work together. I mean, again, we’ve used the word routing a couple of times.

To me, there’s two ways to do routing. You can either take the messages into one of your components, I’m not sure which one, and figure out where they belong and send them on the way yourself. You can be a router.

Or, and I understand sometimes some software WANs can do this, they reach out to routers like firewalls and just routers and who knows what else that can route messages.

And they send commands to those devices when things need to be routed differently. Is one of these models what you use? How do you guys do the routing?

Tom Sego
Yeah, so let me talk about how these pieces all fit together. So the software appliance that is the gateway sits upstream of the switch and usually downstream of the firewall.

And what it often will do is it will provide what we call layer two isolation. And so what that is, if you think about, we can essentially turn a 48-port switch into 48 VLANs, so that each one of those is its own encrypted unit that can’t see its neighbors and can’t talk to its neighbors unless the policy allows that to happen.

And so that level of very granular control is something we can deliver because of the way the gateway controls and manages the routing that you’re discussing.

Now, there’s two other components I didn’t really talk that much about. One was the authenticator, and the second was the client. And the client is different than the agent. And so what the client does essentially is a challenge-response between either the SSO, the FIDO2-compliant key, or the mobile authenticator.

And so what it’ll do is essentially produce a QR code that the mobile application would scan and then apply your Face ID, and then you would be into the system, but not authorized or permitted to see anything unless the policy had already been allowed.

So that’s the way we manage both the authentication and the authorization. And that’s also the way we manage routing of traffic between devices, gateways, and the groups that those devices are kind of encapsulated in.

Nathaniel Nelson
So in his answer there, Tom was trying to describe things, but admittedly I was getting a little bit mixed up because there were certain things that were upstream from other things and downstream from other things, and layer two and switches. Can you, Andrew, just help simplify everything we’re talking about here?

Andrew Ginter
Yeah, sure. So in my understanding, they have a few different kinds of components. And I might have got this wrong. But what I got out of it was, imagine…

You know, firewalls can do network address translation. They can say, I’ve got a bunch of addresses here. I’m going to show you a different address to the world. But managing them at scale, with tens of thousands of devices, can be a real challenge, especially if each firewall is only managing a handful of devices. That’s a ridiculous number of firewalls to manage.

So what Tom’s got, I believe, is, I think he called it a gateway device. It’s something that sort of sits between, let’s say, a small network of five to 10 devices and the infrastructure.

And you can assign whatever IP address you need to that gateway. It might, in fact, have two addresses, one on sort of the infrastructure side and one on the device side.

So it has a device address that is compatible with whatever stupid little network of five local, always reused ramp IP addresses, the airport ramp addresses; it’s compatible with that bit of address space.

It talks to those five devices. And when those devices send it messages, it forwards those messages into the infrastructure, and it figures out the addressing. It does encryption.

If you’ve got sort of more conventional Windows or Linux communications, you can put his software on those devices. That software will do the crypto, the software will connect sort of natively into the infrastructure and sort it all out.

And then, okay, those pieces kind of make sense. The thing of beauty is, what I heard was they’ve got a management system, which says, okay, you have 20,000 devices.

Half of them have exactly the same IP address. That doesn’t matter. This device over here in this building in this country can talk to that device over there.

It’s allowed. But when that device wants to talk to Andrew’s laptop, because I’m a maintenance technician, Andrew has to provide two-factor authentication.

So you basically stop caring what IP addresses these devices have. You’re not configuring routing rules. You’re configuring permissions in a sort of high-level, user-friendly permission manager.

And all of the routing nonsense and the encryption nonsense is figured out for you under the hood. So you can think about your big picture of devices that need to talk to each other, who should be allowed to talk to each other, instead of how do I route this when the IP addresses conflict? You don’t have to ask that question anymore.

Andrew Ginter
Cool. So that starts to make sense. I mean, can you talk a little bit about, you’ve been doing this since 2017, eight years. Can you give us some examples to help us understand how this stuff works?

Tom Sego
Well, I think the, having run this for almost eight years now, the the journey was not a straight line. We went through, we originally started out, believe not, Andrew, as a hardware company.

And the the thesis was to build an unhackable stack. So this sounds naive, and it was. We were going to start with a chip, a new chip, that we had a partner developing that would have an onboard neural net.

It would create 17 key pairs and it would encrypt the bootloader in the factory and burn a fuse so it couldn’t be reset. And that was the foundation of our product. And then we were gonna write our own kernel, write our operating system. And this was from someone who helped write the OS 10 kernel.

We were gonna write that in such a way that it used byte codes and would not be exposed to buffer overflows and other issues. So it could, we were going to use formal methods to even prove the kernel.

And then we’d have our networking layer, which is what our company is now. And then we’d have our own SDK to manage applications that would also use formal methods. And then finally, we would have the authentication layer that we also have today. So we went from a five,

very ambitious levels of of tech stack to two. And then we have other people doing some of those other things. I think the market really wasn’t ready for something that complex, maybe that secure from a, on the higher end of the security spectrum, if you will.

um the market just really wasn’t willing to pay that. And so we simplified, we pivoted. And then by the way, once we did come out with our hardware product in February of 2020, there was another global issue that hit everyone that caused us to then pivot to a software as a service model, which then required some more development and everything else. So we didn’t really launch our product until late in 2021 and started getting our first customers very shortly thereafter.

And since then, we’ve grown very rapidly to the point where this most recent year, we quadrupled our our revenue and tripled our customer count.

So it’s been an exciting ride.

So let me give you an example. One customer, again an oil and gas customer, was faced with a challenge where they were going to have to build their own cell towers, essentially become their own wireless ISP. And this is not unique to this oil and gas customer.

There are many that are facing that. And I don’t know if you or your audience knows, but it’s about a quarter million dollars to build a cell tower. And you have to have many of them. So in a relative sense, we are not just delivering security to this customer, we’re also helping save them a ton of money.

So instead of $10 to $20 million, they’re spending a fraction of that, which is also very interesting. When they did this acquisition, there was another company that did an acquisition.

They wanted to sell off certain components too. So they wanted to sell off the saltwater rejuvenation or… I don’t know exactly what the right word is, but they wanted to offload this asset.

And one of the things that they were able to do very quickly, because all of our segmentation, all of our granularity and access is done in software, is that we can essentially just take that new entity, put their users in a group, put the devices that they control into another group, and they would have complete control of just their newly acquired saltwater assets and no visibility, no access at all to the oil and gas parent company.

So that was another great example of using this in a creative way.

Andrew Ginter
So you’ve mentioned acquisitions a few times. I mean, I live in Calgary. This is oil country. I hear about these acquisitions all the time. Is this sort of part of the genesis of your organization? How often do these things happen? How complicated are these sorts of mergers and acquisitions technology-wise that happen all the time?

Tom Sego
Well, they happen very frequently, especially, again, in oil and gas. In the case of oil and gas, because one customer, sorry, one asset owner has a certain tech stack that can only profitably make money up to a point.

And then they can sell that asset to someone else who has a richer skillset that can extract more profit, more money, more revenue from that same resource.

And I would say an example that we’ve also seen where people are pleasantly surprised about BlastShield is when there’s one oil and gas customer that acquired a company.

And their biggest fear was they were going to have to do an IP space assessment and figure out whether there were overlapping IP addresses. And so instead of having to do that, which they didn’t have to do at all, they just deployed our software overlay and immediately were able to segment using software each one of these devices, regardless of whether the underlay IP address was the same.

That saved a lot of money in truck rolls. That saved a lot of money and hassle and headaches in managing that IP space, which they were very happy about. And the way they described it, actually, they described it two ways to me.

One way was, my God, this is like a Swiss Army knife. And the other guy said, this is like duct tape. It’s like networking duct tape. It serves lots of different purposes and is very versatile to basically deliver the network they want with the network they have.

Andrew Ginter
So let me just sort of emphasize what Tom has said. You talked about changing IP addresses a few times. I talked about it a few times. I’ve actually, from time to time, had to change IP addresses on stuff, not so much in an industrial setting, just internet protocol networks, just business infrastructure.

And here’s the tricky bit. It’s very hard to do that remotely.

Imagine that you want to remote into a remote substation. There’s nobody there, but there are 100 devices. And you have to log into each device with, I don’t know, SSH or remote desktop.

And you’ve got to change the IP address on the device. And at some point, you’ve got to tell the firewall that it’s talking to a different network of IP addresses.

And if you do that in the wrong order, if you, let’s say, hit the firewall first, now you can’t send messages to any of the devices because the firewall doesn’t know how to route to those devices anymore. They have different IP addresses. So you have to undo that. Now you SSH into the device, a Linux box, you give the command-line command to change the IP address, and it stops talking to you because you’re connected to the old IP address. You’ve got to try and connect to the new IP address.

Only the firewall won’t connect you to the new IP address because its IP address hasn’t been updated. So now you have to sort of blindly change all these addresses. Then you change the firewall, and then you see if you can still talk to these devices, and three of them have gone missing.

Why? Did I fumble finger the IP address? Is there some other problem? It’s just really hard to do this remotely. And so, again, if you have 700 sites, you’ve got to put people in trucks and drive out to these wretched sites to make these changes.

If there’s a way to avoid that, you can save a lot of money. So, yeah, I kind of get that it’s really useful to avoid doing that.

Andrew Ginter
So this is starting to come together for me. I mean, you can do the network address management in your, what did you call them?

The gateways.

Tom Sego
Gateway, yeah.

Andrew Ginter
And that gives you an enormous amount of flexibility. And it’s the client that does the crypto. Or maybe it’s the agent. I’ve lost track.

Tom Sego
The client is used to authenticate.

Andrew Ginter
Right.

Tom Sego
The agent runs typically on a server in the cloud, those kinds of maybe historian types of use case. The gateway is the workhorse because so much of OT infrastructure cannot run an agent.

And so because it can’t run an agent, you need to have a gateway that can do the encryption and decryption of traffic. Now, when you think about the way a lot of these processes are controlled, they use PLCs.

And the PLCs, we don’t encrypt the traffic below the switch.

We don’t interfere with that. However, with the traffic that is upstream of the switch, all of that’s encrypted wherever it may go.

So I think that’s the way it’s done.

Andrew Ginter
One other technical question, you mentioned CVEs and exploits and vulnerabilities earlier.

I mean, I’m familiar with, let’s say, firewalls that say they do stuff like virtual patching, meaning if there’s a vulnerability in a PLC, the firewall, if it sees an exploit for that vulnerability come through, will drop the exploit and will prevent the exploit from reaching the device. Is that the kind of thing you do when you talk about protecting from exploits, or are you doing something else?

Tom Sego
We’re definitely doing something else. And I think the approach that we take is we use this network cloaking concept where you have to authenticate first before you can see anything.

There’s no management portal. So there are zero exposed web services. If you run a network scan on a factory that’s protected by BlastShield, you’re going to come up with nothing.

And what that means is if there are CVEs, and I guarantee you there will be, there will also be zero-day viruses, okay, which may not be on anyone’s list.

And so in both of those cases, as well as ancient devices that are never going to be patched, you’ve got a way to deal with these unpatchable systems because they’re unaddressable. And so it’s going to be very difficult to exploit those.

Andrew Ginter
Cool. So, I understand you’re heavy into oil and gas, with all of the examples we’ve been talking about being oil and gas, but I’m guessing you are active in other industries as well. Given your personal background, are you active in other industries? Can you give me some examples of what’s going on there?

Tom Sego
Yeah, absolutely. I think manufacturing is a fantastic kind of industry for us. They oftentimes are a little bit early adopters as it pertains to machine learning, predictive maintenance, those kinds of things, advanced analytics.

And we had a manufacturing customer, in fact, who was hacked, and many manufacturers do get hacked from time to time. They were hacked and the board asked the CISO to have an assessment to figure out what their risk posture was.

And before they could complete that assessment, they were hacked again. And so this really lit a fire under the entire kind of security team.

And they basically came up with a list of findings. And with those findings, they started implementing those findings. And they were testing various kinds of solutions.

And in one facility, they had 10 different lines, manufacturing lines. And they had deployed BlastShield on one of those manufacturing lines.

They got hacked a third time. Now, this time, though, nine of the 10 lines shut down, whereas the line that was protected by BlastShield continued to run.

And what was really interesting about that is how quickly the organization responded. The CFO of this company responded and elevated that to the parent private equity company.

And now that’s leading to us becoming the default standard for not just that one company and all of its 17 plants, but also the parent private equity company and all the other manufacturing facilities that they’re trying to manage.

Andrew Ginter
Cool. I’m delighted to hear it. The world needs more cybersecurity.

I mean, I’ve learned a lot. Thank you so much for joining us. Before we let you go, can we ask you to sum up? What are the key concepts we should be taking away from our conversation here?

Tom Sego
Sure. So I think the company, as it was founded, was trying to establish protecting critical infrastructure based on first principles. And the first principle was to try to eliminate entire classes of threats if possible.

And so our solution then tries to eliminate phishing credential theft. So we have an MFA passwordless feature. We also allow you to segment using software.

We cloak your network so it’s undiscoverable. 35% of all CVEs discovered last year are what are called forever-day vulnerabilities. And so that network cloaking capability means that they’re not exploitable.

And then finally, we also have a secure remote access component in there. So we’re trying to deliver a lot of value to our oil and gas and manufacturing customers so that when you couple this with a continuous monitoring and visibility tool like Nozomi, Dragos, Darktrace, Armis, SCADAfence, Industrial Defender, or Claroty, when you combine those two, you get a ton of protection at a very low price.

Nathaniel Nelson
So that just about does it, Andrew, for your interview with Tom. Do you have any final words to take this episode out with?

Andrew Ginter
Yeah, I mean, I really like Tom’s customer that gave the duct tape analogy. You have lots of little networks, sometimes thousands of devices.

Half of them have literally the same IP address, or half of these tiny little subnetworks of five devices on airport runways or on well pads, networks that you’ve acquired with acquiring an oil field, they all have the same IP address. They all have the same IP address range. None of it’s encrypted. It’s just a mess.

And this is something that lets you patch it all together. You need crypto, you need authentication, passwordless is good. Use certificates instead. They’re harder to phish. You need to hide all of these repeated subnets with the same IP addresses.

You need a permissions manager, saying A can talk to B.

You need infrastructure underneath the permissions manager to make the messages from A go to B. You need to have some synthetic IP addresses so that when you set everything up, your SCADA system can talk to an address and a port, I don’t know, probably on the gateway or some piece of the infrastructure, rather than the real address that’s repeated a hundred times in your infrastructure.

This just makes a lot of sense. It seems to me there’s a bright future for this kind of, again, duct tape, or just patch it all together and make it work and throw some security on top of it. Crypto, authentication, this is all good. I’m impressed.

Nathaniel Nelson
Thank you to Tom Sego for speaking with you about all of that, Andrew. And Andrew, as always, thank you for speaking with me.

Andrew Ginter
It’s always a pleasure. Thank you, Dave.

Nathaniel Nelson
This has been the Industrial Security Podcast from Waterfall. Thank you to everybody out there that’s listening.


The post Network Duct Tape – Episode 141 appeared first on Waterfall Security Solutions.

Credibility, not Likelihood – Episode 140
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/credibility-not-likelihood-episode-140/
Wed, 06 Aug 2025 20:52:59 +0000

Safety defines cybersecurity - Kenneth Titlestad of Omny joins us to explore safety, risk, likelihood, credibility, and deterministic / unhackable cyber defenses - a lot of it in the context of Norwegian offshore platforms.


“Large scale destructive attacks on big machinery is not something that I would consider a credible attack.” – Kenneth Titlestad

Transcript of Credibility, not Likelihood | Episode 140

Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.

Nathaniel Nelson
Welcome everyone to the Industrial Security Podcast. My name is Nate Nelson. I’m here with Andrew Ginter, the Vice President of Industrial Security at Waterfall Security Solutions, who’s going to introduce the subject and guest of our show today. Andrew, how are you?

Andrew Ginter
I’m very well, thank you, Nate. Our guest today is Kenneth Titlestad. He is the Chief Commercial Officer at Omny, and he’s also the Chair of the Norwegian Electrotechnical Committee subgroup working on 62443. So this is the Norwegian delegation to the IEC that produces the widely used IEC 62443 standard.

We’re going to be talking about credible threats. What should we be planning for, security-wise? And by the way, I had the opportunity to be in Norway and I visited Kenneth at the Omny head office, where they have a lovely recording studio. So we recorded this face to face in their studio in their head office.

Then let’s get right into your conversation with Kenneth.

Andrew Ginter
Hello, Kenneth, and welcome to the podcast. Before we get started, can you tell our listeners, give us a bit of information about your background, about what you’ve been up to and the good work that you’re doing here at Omny Security?

Kenneth Titlestad
Thank you so much, Andrew, and welcome to Norway and our office. I’m so glad to have you visiting us. So my name is Kenneth Titlestad and I’m working as Chief Commercial Officer in Omny, and I’ve just started as a commercial officer here in Omny. I went over from Sopra Steria, where I was heading up OT cybersecurity. I’ve been doing that for six years.

Before that I was working in Equinor, also working on OT cybersecurity, so I’ve been working in the field now for almost 15 years, and also for the last five or six years I’ve been chairman for the Norwegian Electrotechnical Committee, the group that is handling IEC 62443. I’ve been diving deep into cybersecurity now for quite many years.

And at Omny, we are developing a software platform for handling cybersecurity and security for critical infrastructure. It contains a security knowledge graph and AI that provides actionable insights into security for critical infrastructure. So it’s about IT, OT and physical infrastructure.

Andrew Ginter
OK. Thank you for that. Our topic today is credibility. Now, this is talking about risk. You know, a lot of people think risk is boring. OK, a lot of people, when they enter the industrial security space, they want to know about attacks. They want to know about the technical bits and bytes. You tell me that you got interested in risk a very long time ago. Can you talk about that? Where did that come from?

Kenneth Titlestad
Absolutely. I’m not sure if I considered it as a risk or as a field of expertise. So when I was just a small boy, actually my dad, he worked as a control room technician offshore in ConocoPhillips, or back then it was called Phillips. So when I was only two or three years old, in 1977, he was working at the Palau offshore oil and gas platform. I don’t remember this, of course, back then, but it was always a topic around the dinner table at my home, where he talked about how it was working in the oil and gas business. So in 1977 he was on his way out to the platform when the big, horrible blowout happened. He hadn’t actually arrived at the platform, but he was on his way out there. So it really was a big topic around the dinner table all the time, about safety risks involved in oil and gas.

So I was always listening with my small ears back then, being a bit fascinated about this world. I didn’t see the real danger in it, but I was trying to picture in my mind what it was to actually work in these kinds of environments.

So I was kind of primed back when I was just a small, small boy, and later on I was more into computers. So I did a lot of gaming and programming on the Commodore 64, and I started to work in Equinor on the IT side. But I was still fascinated about the core business being oil and gas and production and exploration. So when I actually got my first trip offshore, I kind of felt that the circle was closed, and I saw the big industrial world that my dad had been talking about for several years, and the risk perspectives also kicked in. The first thing you meet when you step on board such a platform is the HSE focus, a lot of focus on HSE.

OK. And it’s for a reason, and I fully got to understand that first when I actually came on board such a facility. I understood why it’s so important, because it can be really dangerous if you don’t have control over what you’re doing. So that’s when I actually saw the big scale of risk as a perspective.

Andrew Ginter
Yeah. Offshore platforms are intense. I’ve never set foot on one myself, but I’ve heard the stories. Quite the environment. And this is, I mean, we’re talking about industrial cybersecurity, so offshore platforms are intense in terms of physical risk. Can you talk about cyber?

Kenneth Titlestad
It’s an emerging topic. So when I was working in Statoil, when it was called Statoil, now it’s Equinor, we started to look into that area around 2010, 2011. I still remember the day when people came charging into the meeting room and they started talking about the news of Stuxnet. So I think we got to hear about it in 2010. I was working on the IT side and I was responsible for large parts of our Windows infrastructure in the company, and I started to look into what this SCADA thing is, what is it, I didn’t know about PLCs. I had never seen a PLC. I didn’t know that there was actually other kinds of digital equipment operating critical infrastructure. So with Stuxnet I started to dive into the landscape of cybersecurity.

Kenneth Titlestad
And also as a company, we started a big journey back then on really making OT much more cyber secure. And Stuxnet was kind of a kickstart for it.

Nathaniel Nelson
Andrew, it feels like maybe there are certain kinds of seminal cybersecurity incidents in the OT world. We often reference the 2007 Aurora test. Maybe, you know, Triton and Industroyer. But Stuxnet is that foundational thing that set the timeline for everybody, right?

Andrew Ginter
Indeed. And you know, I was active in the space. I mean, I was leading the team at Industrial Defender building the world’s first industrial SIEM at the time. So Stuxnet was big news. I did a lot of work on Stuxnet. I had a blog at the time, and every time I learned something new about it because somebody had published a report, somebody had published another blog.

I’ve done a little research on my own. I published a paper on how Stuxnet spread because, you know, analysis had been done of the artifact, the malware. But it had been done by IT people at Symantec, and I think a bunch of other people had analyzed the malware, and that’s work I couldn’t do. I’m not a reverse analyst.

But I sat down with Joel Langill. I sat down with Eric Byres and we investigated the impact that Stuxnet would have in a network. What would happen if you let this thing loose in a network? Given our understanding of the Siemens systems, Joel was an expert on the Siemens systems. Eric and I were sort of more expert more generally, firewalls and industrial systems. So we all contributed to this paper and said here’s what happens if you let loose Stuxnet into an industrial network.

And in hindsight, I have to wonder if we didn’t do more damage than good, because a lot of people learned stuff about Stuxnet, but there was only one outfit that benefited. And that was Iran’s nuclear weapons program. That was the only site in the world that was physically impacted.

So I regret some of the stuff that I published about Stuxnet.

Nathaniel Nelson
Do you recall if that research got traction, whether it might have gotten over there or is there no way to tell?

Andrew Ginter
I have no way to tell. I do recall a conversation sometime later, because I’m a Canadian, I work with the Canadian authorities. I remember a conversation with Canadian intelligence services. And I remember asking them. I’ve stopped, but at one point, when I figured out that there’s only one place in the world that’s physically benefiting from my research, I stopped publishing anything about Stuxnet. And I remember some time after that talking to Canadian intelligence, saying, I’ve stopped publishing anything about Stuxnet. You don’t have to tell me nothing. In the future, if you ever see me putting out information that’s helping our enemy, tap me on the shoulder, would you? And tell me, shut up, Ginter. You’re doing more harm than good, and I will shut up. So, yeah, I look back on Stuxnet with mixed emotions. It was a wake-up call for the industry. A lot of people learned about cybersecurity because of Stuxnet, but who benefited because of all that research?

OK. So that’s Stuxnet. A lot of people got started in the OT space because it was the big news years ago.

Andrew Ginter
Can I ask you, let’s talk about industrial security and the work you’ve been doing. Stuxnet is where it got started. Where have you wound up? What are you up to today?

Kenneth Titlestad
Yeah, as you say, it’s 15 years, and for me I think it’s been a very interesting journey. So back in 2010 when Stuxnet hit the news, I wasn’t immediately diving into OT cybersecurity full time. I was working on the IT side, trying to secure the Windows environment in a large oil and gas company.

But after a while I moved more and more over to OT security, and I had my first trip offshore to an oil and gas platform. I think that first trip was in 2013, so actually three years after Stuxnet. But then I was going out just to do some troubleshooting on a firewall. So, more and more, I was moving into OT cybersecurity, and in the end I moved over to Sopra Steria, I think it was in 2017. And in the end I was really working hard on finding really proper solutions for OT cybersecurity when potential nation states are targeting you. What do you then do? If you must sort of have their mindset of assume breach, and these kinds of systems with the PLCs and all, they are really, really vulnerable. What do you do when you are being targeted? So then I started to look into, I heard rumors that there could be something that was non-hackable.

So I started investigating unidirectional data diodes, was exposed to Waterfall. That was one of the first examples of where I heard about non-hackable stuff. And also I got to hear about the Crown Jewel analysis, cyber-informed engineering. Back then it was consequence-driven cyber-informed engineering. But those kinds of topics really sparked an extra interest for me, because then I saw, on some attack vectors, on some of the risks, I saw actually a solution that could remove the risk instead of just mitigating it.

Andrew Ginter
So your first sort of foray, everyone was interested in Stuxnet, but you started working on the problem, you said, with a firewall, and to a degree that makes sense. I mean, the IT/OT firewall is often the boundary between the engineering discipline on the platform, in the industrial process, and the IT discipline, where information is the asset that needs to be protected. And so that boundary is something that both the engineers and the IT folk care about, so that kind of makes sense. I’m curious, you got out to the platform, you were tasked with the firewall. What did you find?

Kenneth Titlestad
Yeah, it was actually kind of a long-lasting ticket we had in our system. There was a firewall between IT and OT that was noisy, so it was creating a lot of events and alerts on traffic that it shouldn’t have, so I was tasked to go out there and try to troubleshoot this. We absolutely didn’t think that it was a cyber attack or kind of evil intent, but an incorrectly configured firewall rule. And when I got out there I could see that it was just an incorrectly configured firewall.

There was nothing dangerous or any cyber attack involved, but I also got to think of a scenario where, if it had actually been a cyber attack, and one that created so much noise as well on a security boundary, a security component sitting on the outskirts of OT, shouldn’t the OT environment do something to sort of shut down or go into a more fail-safe situation? So I got kind of interested in actually the instrumentation behind your security components on the outskirts of OT. So that’s a topic I continued to explore for several years, having in the back of my mind cyber-informed engineering, non-hackable approaches, unidirectional systems, and at S4 last year I talked about the safety instrumented system, because safety has always been a particular interest of mine. So I talked about the cyber-informed safety instrumented system. Shouldn’t the safety instrumented system, at some point, when you’re under an attack, shouldn’t the sort of big brain in the room, shouldn’t that actually take an action? An instrumented, automated action, and going into not necessarily a fail-safe only, but more of a failover to a more safe and secure situation.

Andrew Ginter
So that makes sense in theory. I mean, if the firewall was saying help, help, I’m under attack, over and over again, should some action not have taken place on the OT side? But let me ask you this. It was a false positive. It would have shut down the platform, a very expensive platform, unnecessarily. Can we detect cyberattacks reliably enough to prevent this kind of unnecessary shutdown? And if we do shut down whenever there’s a bunch of alarms, is that not a new sort of denial-of-service vulnerability? The bad guys don’t even need to get into OT. They just need to launch a few packets. That firewall generates some alarms and it shuts down, without them even bothering to break into OT. Is that really the right way forward?

Kenneth Titlestad
No, I totally agree. It’s not a good approach going forward. But at the same time I think to shut down one too many times is better than not actually doing it, so we should be kind of overreacting and going into a fail-safe situation, and it could cause unnecessary downtime, and it’s a vulnerability on the production side, but I think it’s much more dangerous with the false negatives, where we actually don’t see any attacks but it’s actually happening. So false positives, we need to reduce them, but it’s much more important to actually reduce the false negatives.

Andrew Ginter
So just listening to the recording here. I mean, this is not something I discussed with Kenneth, but we were talking about automatic action when we discover that an attack might be in progress, for example, because there are a lot of alarms coming out of the firewall. He agreed with me that shutting down the platform was probably an overreaction, because that introduces a new attack vector. The bad guys just need to send a few packets against the firewall, generate a few alarms, and the whole platform shuts down. I agreed with him that something should be done, but we didn’t really figure out what. Here’s an idea in hindsight: a number of jurisdictions are introducing what they call islanding rules, meaning if IT is compromised, you need to, basically, I don’t know, power off the IT firewall, and nothing gets through into OT anymore.

For the duration of the emergency, you have the ability to shut off all communications into OT. This is part of the regulation: it says you must be able to island. So now you have that capability. I wonder if it isn’t reasonable to trigger islanding when you automatically discover a whole bunch of alarms coming out of anything, because the modern attack pattern, most modern-day attacks, are not like Stuxnet, where you let it loose and it does its thing. Most modern-day attacks have remote control from the Internet, and if you island, if you break the connection between IT and OT,

if there was an attack in the OT network, the bad guys can no longer control it. They can no longer send commands. And this is not new. The term islanding is a little bit new. The concept of sort of an automatic shut-off has been bandied about for many years. But again, given that the regulators are demanding an islanding capability, maybe engaging it automatically from time to time is not the worst thing that can happen. It increases our security, and the impact on operations is minimal, because you’ve deployed the ability to island already.

You’ve developed the capability of running your OT system independently, and so interrupting that communication for a period of hours at a time while you track things down and say, oh, that was a false alarm, is, I’m guessing, minimal cost. So there’s an idea.

Andrew Ginter
OK. Well, let’s come back to our topic here. The topic is credibility. We’re talking about the risk equation. The typical risk equation is consequence times likelihood. Generally we do it qualitatively, but we wind up with a number coming out of that to compare different kinds of risks, high-frequency versus high-impact risks. Can you talk about that? Where does credibility fit in that equation?

Kenneth Titlestad
I think it fits very well into that equation because when we we, especially when we talk about the likelihood or the probability part of it, the left left side of the equation it it’s always a very, very difficult conversation to have when you try to identify the risk or the the risk levels we are talking about or you try to identify the consequence levels involved. It’s sad to see that a lot of the conversations they go astray due to not being able to put the number on the probability or the likelihood, and I think it it the the conversation gets to be much more fruitful if we can get rid of that challenge on trying to figure out the number on the probability or the likelihood.

Credibility gives us tools in our language to actually be able to talk about the left part of the equation. So it's something that is a bit more of an analog value, where we can move more towards the consequence approach, the consequence-driven approach, where the right side of the equation is more important to talk about, as long as you consider it to be credible.

Andrew Ginter
Well, I have to agree. I've argued in my last book that likelihood is flawed at the high end of cyber attacks, not the low end; at the low end, likelihood actually works. At the high end, the outcomes of cyberattacks are not random. If the same ransomware hits a factory twice and all we've done is restore from backup: it took them down the first time, we restore from backup, we make no changes, it hits again, they're going to go down the same way. It's not random.

I argue that on the high end, nation-state targeting is not random either. It's not that they try for a while and if they don't succeed they go try somewhere else. Nation-state threat actors keep targeting the same target until they achieve their mission objective. It's not random. Once they've targeted you, it's not random. Randomness to me doesn't work at the high end. Credibility makes more sense. Is the threat credible? Is the consequence credible? If this threat comes after us, if this attack comes after us, is it reasonable to believe? Credibility is what's reasonable to believe. Is it reasonable to believe that the consequence will be realized?

I think it makes a lot of sense, but it's new. I don't see the word credibility in a lot of standards. Where does this sit? Is this something people are talking about?

Kenneth Titlestad
Yeah, absolutely. In my work with the clients I've been working with, and also the professionals I've been working with, we have discussed for some years now the big challenge of the likelihood or the probability part of the equation. And without actually following standards or best practices, we've seen that we need to skip the discussion on the probability or the likelihood and talk about the consequence side of it first, and then we revisit the likelihood and probability afterwards. But I also see in IEC 62443, especially in 3-2, it actually talks about consequence-only cyber risk analysis.

So that's giving an opportunity to actually move away from the discussions on probability. And also, of course, with the consequence-driven approach, with cyber-informed engineering, we start to see more focus on the far right side, the consequence side, but leaving out what to do with the likelihood. And I think with credibility we get some language-based tools to actually play with, where we talk about it in a qualitative manner instead of having to force it into a number.

Andrew Ginter
So that makes sense to me. I mean, I have the sense that over time, cyber attacks become more sophisticated, more sophisticated attacks become credible, and attacks that were dismissed a decade ago as theoretical have actually happened. Do you see that? What do you see coming at us in terms of sophisticated attacks in the near future?

Kenneth Titlestad
I think that's a really challenging question, looking far into the future or far into the history to try to extrapolate what we could expect from the future. We see, with Stuxnet, the attacks against Ukraine, Triton, Colonial Pipeline, incidents that have had a really high impact, but there's not very many of them.

But we see that those kinds of capabilities are being explored and are being put into different tools, so they can be used not only by nation states but also by criminal groups. So with that kind of analysis, we can expect more and more sophisticated attacks, and also by more and more non-sophisticated groups. So we should expect an increase in high-impact incidents.

Andrew Ginter
OK, so if we're not talking likelihood, we're not talking probability, we're talking credibility. How do we decide what's credible? How do we decide what's reasonable to believe?

Kenneth Titlestad
Yeah, that's a good question. So we need to have some grasp of what is credible and what is not credible. I'm also of the opinion that the credibility part of the equation is a qualitative thing. It's not a zero or one; it's something that is attached to a kind of a slippery slope, not easily defined. But what we could say, if we are trying to see credibility as a zero or one: what is credible is things that have actually happened, once or twice or three times. They are credible. So the Triton incident, a safety-only type of cyber security incident, that's now a credible attack because it has happened.

And also near misses. Triton was kind of a near miss. They didn't actually cause this destructive attack, but it could have happened. And so we also have other near misses, incidents that we should be considering.

Andrew Ginter
So that makes a lot of sense to me. Credibility versus likelihood. How do we decide, though? Credibility sounds like a judgment call. How do we decide what's credible?

Kenneth Titlestad
That's a good question. I think there are good recommendations in 62443. For instance, 3-2 talks about, like I said, consequence-only as an example of how you can approach the risk equation, but it also talks about the need for focusing on worst-case consequences. So it talks about essential functions, which basically could be the safety functions. For instance, you need to investigate the consequence if those are actually attacked and compromised. What could be the worst-case consequence? So you begin there, and then once you identify the worst-case consequences, you move over to the probability or likelihood dimension.

And then you need to consider all the factors. So what are the vulnerabilities involved? What are the safeguards, or what the standard calls compensating countermeasures? You consider that, and you consider the function or the asset as well: if there's no actual interest in the asset, then the vulnerability could also be non-interesting to address or analyze. But you start with the consequence side, then you start to look at the likelihood and probability, and then you are informed by the consequence approach.

Andrew Ginter
OK, so let me challenge you on that. I've read the CIE implementation guide. It says start with the worst-case consequences. It says those words. I've not seen those words in 3-2. Are you sure that you're not reading into 3-2?

Kenneth Titlestad
No, I've been searching for that specific part of 3-2 many times, because I've heard others say the same, and it's actually there. They're really gold nuggets in 3-2, talking about essential functions, specifically saying the worst-case consequence, and also specifically saying that you can choose to do a consequence-only risk assessment. So that's really important: single words or single sentences in 3-2 that are worth highlighting.

Andrew Ginter
OK. So that makes sense in the abstract. Can you give me some examples of applying these principles? What should we regard as credible?

Kenneth Titlestad
Yeah, interesting question. I think the thing that comes to mind first is, for instance, the Triton incident. Before 2017, when it actually happened, we didn't think it was credible that someone would actually target a safety-only system or cause a safety incident with a cyber attack. With Triton we actually saw the first of its kind, and the threat became obviously credible. And then SolarWinds as well. It's a very interesting study, where with the way they actually compromised the SolarWinds update mechanism, suddenly massive deployment of malware within critical and non-critical infrastructure became a really credible threat as well. And also near misses. Of course we should be informed by things happening out there and coming on the news that are near misses, that can talk to us about what is a credible threat.

Another kind of near miss, or not a near miss, but scenarios or incidents that could talk about credibility, is where we actually have a safety incident. For instance, we have had lots of them in Norwegian oil and gas, and in oil and gas in general: safety incidents which are not cyber related at all, but where we see that they could be replicated by a cyber attack. So that's something that we should be considering as a credible threat going forward, where we actually could replicate the incident with a cyber cause.

On credibility, I also think that we need to have in the back of our mind, or in the analysis we have to have focus on, the technology evolution, the development and sharing of new technology. I see it as a graph where we are exposed to more and more heavy machinery or heavy software that can be used on the adversary side.

So with Kali Linux, Metasploit, and now there's also AI. So what is becoming a credible threat is more and more sophisticated stuff, due to the development of technology. So AI is now on both sides of the table, both as an attacker tool that makes more attacks credible, but also on the defensive side, where we actually need to use it to protect against more and more sophisticated attacks.

Andrew Ginter
So Nate, let me go just a little bit deeper into Kenneth's last example. I remember talking to him about this. Two days before I recorded the session with Kenneth, I was at another event. I had a half-hour speaking slot, and I was listening politely to the other speakers. One of the speakers was a penetration tester. I remember asking the pen tester a question about AI, and his answer alarmed me.

I discussed it with Kenneth; I discussed it with others since. The future is difficult. I asked the pen tester: so, you touched on AI. What should we look for from AI going forward? And I asked, should we worry about AI crafting phishing attacks, because I've heard of that happening? Should we worry about AI helping the bad guys write more sophisticated malware, because I've heard of that happening?

And I paused, and his answer was: Andrew, you're not thinking hard enough about this problem. Yeah, that stuff's happening. But what you need to worry about is somebody taking a Kali Linux ISO image. This is the Linux disk image that everybody uses, all the pen testers use, lots of attack tools, he says. Taking that gigabyte of ISO image, coupling it together with two gigabytes of AI model, and the model has not been trained on natural language and creating phishing attacks. The model has been trained by watching professional pen testers attack OT systems, mostly in test beds. I mean, this is what pen testers do. They take a test bed that is a copy of a system that they're supposed to be doing the pen test on. No one does the pen test on a live system. They do it on a test bed.

They use the Kali Linux tools. They attack the system and demonstrate how you can get into the system and cause it to bring about simulated physical consequences. So you've taught this AI model how to use the Kali Linux tools to attack OT systems, to brick stuff and bring about physical consequences. You take that trained model, couple it with the image.

Wrap it up in enough code to run the image as a sort of embedded virtual machine, to run the AI model, the million-by-million matrix of numbers that is a neural network. Run the neural network, run the Kali Linux image, and have the AI operate the tools to attack a real OT system. Drop that three, three and a half gigabytes of attack code on an OT asset, start it and walk away, and it will figure out what's there. It will figure out how to attack it. It will figure out how to bring about physical consequences.

I heard that and I thought, crap. That's nasty. Back in the day, Stuxnet was autonomous. It did its thing, but it was a massive investment to produce an asset, a piece of malware, that did its thing without human intervention. This strikes me as again something that will do its thing without human intervention, and it will figure things out as it goes. It's one investment you can leverage across hundreds of different kinds of targets.

I was alarmed. This is something I'm thinking about going forward. To me this is a credible threat. This is something we all need to worry about. I don't know that this thing exists yet, but I'm pretty sure it will in five years.

Andrew Ginter
OK. So that's a lot to worry about. Can I ask, is everything credible? What in your mind is not a credible threat at this point?

Kenneth Titlestad
I would think that large-scale destructive attacks on big machinery are not something that I would consider a credible attack, but it also goes back to the motivation of the threat actor. For instance, if you have a small municipality, I would say that really heavy, sophisticated cyber attacks, a lot of them wouldn't actually be credible due to the target not being interesting for such a threat actor. So large-scale destructive attacks are something that in a lot of scenarios wouldn't be a credible attack.

And then we have, for instance, large-scale blackouts, which is quite an interesting story nowadays, because a couple of weeks ago I would think that it wasn't actually a credible attack. Once we now see that it can happen, for instance with Spain, it was probably not a cyber attack, but it was something that happened on the consequence side. If we can show or identify that it actually can be caused by a cyber attack, then that suddenly, within the last week, has become a credible attack.

And also swarm kinds of attacks. I hear the discussions on that from time to time, where they talk about whether it's a credible thing where you attack millions of cars. As of now, I don't see that as a credible attack, but things can change.

Nathaniel Nelson
You know, that's an interesting statement he made there, that large-scale attacks on heavy machinery aren't credible. When I think about what we're talking about on this podcast, the purpose of OT security presumably is that there are significant risks to really important machines, large scale. But maybe at this point we've covered that.

Andrew Ginter
That's a good point. I think one of the lessons here is that determining what is and is not credible is a judgment call. Different experts are going to disagree. A few years ago I saw research published saying, look, let's take for the sake of argument the possibility of attacking, I don't know, a chemical plant and causing a toxic discharge. And the researchers concluded that it was theoretically possible, but it was such an enormous amount of effort on the part of the adversary, all of which would have to go on undetected by the site, they said, in the end, I just don't know that this is reasonable to believe, that this will ever happen. So, that was one site.

But again, experts disagree. This is what I learned on the very first book I wrote. I got wildly different feedback from different internationally recognized experts. Here's an insight. To me, this means that when we make judgments about credibility, if we're going to make a mistake, we have to make the mistake on the side of caution, err on the side of caution, because different experts have different opinions. We might be wrong. Every expert has to be honest enough to admit that we might be wrong, and build a margin for error into their judgment of what's credible.

So even if we don't believe that an attack that, I don't know, destroys a turbine is credible, we might want to take some reasonable defences against such an attack, not terribly credible in our opinion, but we might want to deploy defences anyway.

Just because we might be wrong. And this is something that is also being discussed: how big a margin for error do we need to build into our planning? I mean, I talked to a gentleman who designs pedestrian bridges. I said, how do you calculate the maximum load? He says, that's easy, Andrew. You build a barrier to either side of the bridge so vehicles can't get on the bridge.

Most people are less than two meters tall. Most people are mostly water. You model two meters of water, the width of the bridge, the length of the bridge. That's your maximum load. And then he says, you multiply that by eight and you build the bridge to carry the multiplied load. Because these are people we're talking about, it is unacceptable for the bridge to fail under load. And so this is the margin for error that engineers routinely build into their safety calculations. I believe we as experts in cybersecurity need to build a margin for error into our security planning as well.

Andrew Ginter
So this all makes sense. One of the things that appeals to me very much about the credibility concept is using the concept to communicate with non-technical decision makers like boards of directors. You do this, you have experience with this. Can you talk about your experience?

Kenneth Titlestad
Yeah, I think it's interesting. When we talk to board members and the CxOs in different companies, they don't necessarily go into details about risk, but they know that they have a special accountability.

So when we talk about credibility for those kinds of people, they are getting more on board with the discussions. They know they have a special accountability; they draw the line in the sand. For instance, if the potential consequence is that somebody dies, then that's a non-acceptable risk, and they take on that kind of position due to their accountability as board members or heads of the company.

And they are also being held accountable by the government and by society. So some risks, when it comes to the consequence side, if we talk about people dying, then that's absolutely a non-acceptable risk for society. And the representatives for that kind of approach are elected persons in the government, and they put the heads of the company or the Board of Directors as accountable for that, on top of the company.

Andrew Ginter
So that makes sense. Boards care about consequences that the business or the society is going to find unacceptable. You didn't use the word credible. How does credibility fit into acceptability when you're communicating with boards?

Kenneth Titlestad
Yeah, we don't have to defend against all possible cyber attacks. What we do have to protect against is the credible ones. So when we bring credibility in as a concept, it's something that communicates much better to the Board of Directors and the heads of the companies.

Andrew Ginter
This has been good, but it's a field big enough that I fear we've missed something. Let me ask you an open question. What should I have asked you here?

Kenneth Titlestad
We've been talking about credibility. Credibility is what is reasonable to believe. But it's not enough to talk about reasonable attacks. We also need to be talking about reasonable defence. So what is a reasonable defence? We then need to be considering, or taking, all the tools.

We need to use all the tools at our disposal for a reasonable defence, and nowadays that also obviously includes AI on the defensive side, not only on the offensive side.

This is also a very important part of the reason for me joining Omny. Omny is built on our security knowledge graph, so it's a data model where we can put all the information we need about our assets, the vulnerabilities, the network topologies, the threats, the threat actors. So it becomes a digital representation, or a digital twin, of our asset. Combining that with AI, which we have built in from the beginning, we get very strong assistance on security where it matters most.

Andrew Ginter
Cool. Well, this has been great. Thank you, Kenneth, for joining us. Before I let you go, can I ask you to sum up for our listeners, what should we take away from this episode?

Kenneth Titlestad
Thank you, Andrew, for having me, and thank you so much for being here in Norway and visiting us at our office. So we've had a good conversation about consequence, the focus on the worst-case consequences. We moved over to talking about credibility, replacing the likelihood concept with credibility, especially for high-impact stuff where we don't have the probability or the data to talk about it. We also talked about reasonable attacks and reasonable defences: what is a reasonable defence against increasingly credible, sophisticated attacks with high consequences? So it's been a really good discussion about all of these topics.

If people want to know more about these topics or they want to discuss them, please connect with me on LinkedIn and message me there. I'm more than happy to discuss these topics, and please visit our webpage Omnysecurity.com. Our platform addresses most of the topics we talked about today.

Nathaniel Nelson
Andrew, that just about does it for your conversation with Kenneth Titlestad. Do you have any final words you would like to take out our episode with today?

Andrew Ginter
Yeah, I mean, we've talked about credibility, and this is a concept that is relevant to sort of the high end of sophisticated attacks, the high end of consequence. But I'm not sure; let me.

Let me try and give a very simple example. I was raised in Brooks, Alberta, a little town, 10,000 people, in the middle of nowhere, literally an hour's drive from any larger population centre. In terms of cyber threats, let's pick on, I don't know, the Russian military. Does the Russian military have the money to buy three absolute cyber gurus, train them up on water systems, plant them as a sleeper cell in the workforce of the town of Brooks water treatment system, have them sit on their hands for three years, and after three years,

using the passwords they've gained, the trust they've gained and the expertise that they have, have them launch a crippling cyber attack that damages equipment, that takes the water treatment system down for 45 days? Is that a credible threat? Well, the Russians have the money to do that. They have the capability to do that.

But you have to ask, why would they bother? I mean, this is a little agricultural community. There's a little bit of oil and gas activity. Why would they bother? It does not seem to be reasonable to launch that kind of attack against the town of Brooks. It just makes no sense. I don't see that as a credible threat.

Is that a credible threat for the water treatment system in the city of Washington, DC, home of the Pentagon? I do think that's a credible threat. So the question of what's credible is an important question that I see more and more people asking in risk analysis going forward. We have to figure out what's credible for us: what capabilities do our adversaries have? What kind of assets are we protecting? What kind of defences have we deployed? What makes sense, what's reasonable to believe in terms of the bad guys coming after us? This is an important question going forward, and I see lots of people discussing it. I'm grateful for the chance to explore the concept here with Kenneth.

Nathaniel Nelson
Well, thanks to Kenneth for exploring this with us. And Andrew, as always, thank you for speaking with me.

Andrew Ginter
It’s always a pleasure. Thank you, Nate.

Nathaniel Nelson
This has been the Industrial Security Podcast from Waterfall. Thanks to everyone out there listening.


The post Credibility, not Likelihood – Episode 140 appeared first on Waterfall Security Solutions.

Rethinking Secure Remote Access for Industrial and OT Networks
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/rethinking-secure-remote-access-to-industrial-and-ot-networks/
Wed, 06 Aug 2025 09:38:01 +0000

Discover which remote access technologies truly secure industrial and OT networks—and which leave critical operations exposed.


Rethinking Secure Remote Access for Industrial and OT Networks

Remote access is essential—but traditional solutions like VPNs and jump hosts are increasingly under fire from both attackers and regulators. With guidance from CISA and CCCS urging organizations to move beyond legacy remote access tools, the stakes for industrial and OT networks have never been higher.

This ebook demystifies secure remote access technologies, from classic firewalls and 2FA to hardware-enforced solutions and unidirectional gateways. Discover which approaches truly protect against today’s threat landscape—and which leave critical operations exposed.

Download the book now to:

  • Gain a deep understanding of modern and legacy remote access technologies, including VPNs, firewalls, 2FA, jump hosts, cloud systems, and hardware-enforced solutions.

  • Explore common attack scenarios and assess how different combinations of security technologies perform against actual threats.

  • Learn which security measures are most effective for specific attack types, helping you make informed decisions about protecting remote access in your organization.

About the author

Waterfall team

FAQs About Remote Access

What is remote access for OT networks?

Remote access for OT (Operational Technology) networks is the ability to connect to and control industrial systems from outside the facility, often over the internet or corporate IT networks.

This allows engineers, vendors, or operators to:

  • Monitor and manage ICS, SCADA, and other OT systems remotely

  • Perform maintenance, updates, or troubleshooting without being on-site

  • Enable emergency intervention from anywhere

✅ Common technologies for remote access:

  • VPNs – Secure encrypted tunnels into OT networks

  • Jump servers / Bastion hosts – Controlled gateways between IT and OT

  • Remote Desktop (RDP/VNC) – Access to HMI or control workstations

  • OT-specific platforms – Purpose-built tools for safe industrial remote access

  • MFA / 2FA – Authentication to ensure only authorized users connect

⚠ Remote access increases convenience, but also creates potential entry points for attackers if not properly secured.

Why do organizations use remote access to OT systems?

Organizations use remote access to:

1. Improve Efficiency

  • Engineers can diagnose and configure systems without traveling

  • Reduces downtime for routine maintenance

2. Support Vendor Access

  • Equipment vendors can update or troubleshoot systems remotely

  • Faster support without waiting for on-site technicians

3. Handle Emergencies

  • Teams can respond to incidents outside working hours

  • Quick intervention minimizes production impact

4. Lower Costs

  • Saves money on travel, labor, and incident response

  • Enables small OT teams to manage multiple sites

5. Enable Remote Operations

  • Operators can control or monitor sites across large geographic areas

  • Ideal for distributed infrastructure like pipelines, wind farms, or utilities

What are the cybersecurity risks of remote access to OT?

While powerful, remote access brings serious cybersecurity risks to industrial environments:

⚠ Top Risks Include:

  1. Unauthorized Access

    • Stolen or reused credentials can give attackers access

    • Weak or shared authentication increases exposure

  2. Vulnerable Technologies

    • VPNs, RDP, and web tools may have unpatched flaws

    • Attackers exploit them to gain a foothold in OT

  3. Lateral Movement

    • Once inside, attackers move from one device to another

    • Can lead to control over critical operations

  4. Human Error

    • Remote staff may misconfigure systems

    • Vendors might introduce malware accidentally

  5. Malware and Ransomware

    • Remote sessions can be used to inject malicious code

    • Poor segmentation allows malware to cross into OT from IT

  6. Regulatory and Safety Violations

    • Unauthorized changes can impact safety and compliance

    • Could trigger penalties, outages, or safety incidents


✅ Conclusion: Remote access brings flexibility, but also risk. Implementing strong authentication, network segmentation, monitoring, and vendor controls is essential to stay secure.
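The risks above (stolen or shared credentials, weak authentication, vendor sessions nobody approved) leave traces in the authentication logs of whatever VPN or jump host fronts the OT network, and the "monitoring" the conclusion calls for means actually reviewing those traces. The following is an added example written for this page, not code from Waterfall or from any remote-access product. The log format, the field names, the `vendor_` account prefix and the 08:00 to 18:00 UTC weekday maintenance window are assumptions chosen for the illustration; the log lines are constructed, not captured from a real system.

```python
"""
Review remote-access authentication logs for the risks listed above.

Added example, not from the Waterfall page or any vendor product. The log
format, field names, account-naming convention (vendor accounts start with
"vendor_") and the maintenance window are all assumptions made for this
illustration; map them onto your own VPN / jump-host logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not real data) in an assumed key=value format.
SAMPLE_LOG = """\
2025-08-05T09:02:11Z vpn-gw auth user=alice src=198.51.100.10 result=success mfa=yes
2025-08-05T09:05:40Z vpn-gw auth user=vendor_pumpco src=203.0.113.7 result=success mfa=yes
2025-08-05T23:41:05Z vpn-gw auth user=vendor_pumpco src=203.0.113.7 result=success mfa=yes
2025-08-05T23:44:52Z vpn-gw auth user=vendor_pumpco src=192.0.2.55 result=success mfa=yes
2025-08-06T10:15:00Z vpn-gw auth user=bob src=198.51.100.22 result=success mfa=no
2025-08-06T10:20:01Z vpn-gw auth user=carol src=198.51.100.30 result=failure mfa=no
2025-08-06T10:20:07Z vpn-gw auth user=carol src=198.51.100.30 result=failure mfa=no
2025-08-06T10:20:13Z vpn-gw auth user=carol src=198.51.100.30 result=failure mfa=no
2025-08-06T10:20:19Z vpn-gw auth user=carol src=198.51.100.30 result=failure mfa=no
2025-08-06T10:20:25Z vpn-gw auth user=carol src=198.51.100.30 result=failure mfa=no
2025-08-06T10:20:40Z vpn-gw auth user=carol src=198.51.100.30 result=success mfa=yes
"""

VENDOR_PREFIX = "vendor_"                 # assumed naming convention
WINDOW_START, WINDOW_END = 8, 18          # assumed vendor maintenance window, UTC
REUSE_WINDOW = timedelta(minutes=10)      # same account, two sources, this close
FAIL_THRESHOLD = 5                        # failures before a success is suspicious
FAIL_WINDOW = timedelta(minutes=5)


def parse(line):
    """Turn one constructed log line into a dict; returns None on garbage."""
    parts = line.split()
    if len(parts) < 4 or parts[2] != "auth":
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev = {"ts": ts}
    for kv in parts[3:]:
        key, _, value = kv.partition("=")
        ev[key] = value
    return ev


def review(log_text):
    """Return sorted (line_no, finding) pairs; line_no is 1-based."""
    events = []
    for n, line in enumerate(log_text.splitlines(), 1):
        ev = parse(line)
        if ev:
            ev["line"] = n
            events.append(ev)

    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    findings = set()
    for ev in events:
        if ev["result"] != "success":
            continue
        # Weak authentication: a session opened without a second factor.
        if ev.get("mfa") != "yes":
            findings.add((ev["line"], "success_without_mfa"))
        # Vendor control: vendor login outside the approved window.
        in_window = WINDOW_START <= ev["ts"].hour < WINDOW_END and ev["ts"].weekday() < 5
        if ev["user"].startswith(VENDOR_PREFIX) and not in_window:
            findings.add((ev["line"], "vendor_outside_window"))
        # Guessing / spraying: many failures, then a success, same account and source.
        recent_fails = [
            f for f in by_user[ev["user"]]
            if f["result"] == "failure" and f["src"] == ev["src"]
            and timedelta(0) <= ev["ts"] - f["ts"] <= FAIL_WINDOW
        ]
        if len(recent_fails) >= FAIL_THRESHOLD:
            findings.add((ev["line"], "success_after_repeated_failures"))

    # Shared or stolen credential: one account, two sources, minutes apart.
    for evs in by_user.values():
        succ = sorted((e for e in evs if e["result"] == "success"), key=lambda e: e["ts"])
        for a, b in zip(succ, succ[1:]):
            if a["src"] != b["src"] and b["ts"] - a["ts"] <= REUSE_WINDOW:
                findings.add((a["line"], "same_account_two_sources"))
                findings.add((b["line"], "same_account_two_sources"))
    return sorted(findings)


if __name__ == "__main__":
    for line_no, finding in review(SAMPLE_LOG):
        print(f"line {line_no}: {finding}")
```

On the constructed sample this flags the vendor account twice (a late-night login, then the same account from a second address four minutes later), one session opened without MFA, and one success preceded by five rapid failures. The thresholds are starting points: tune the window and failure counts to your own change-control process, and treat the two-source finding as the one most worth chasing, since a vendor credential in two places at once is the classic sign of a shared or stolen password.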


The post Rethinking Secure Remote Access for Industrial and OT Networks appeared first on Waterfall Security Solutions.

Unidirectional vs Bidirectional: Complete Integration Guide
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/unidirectional-vs-bidirectional-integration/
Wed, 30 Jul 2025 12:54:43 +0000

Discover the key differences between unidirectional and bidirectional integration to choose the best approach for secure and efficient system connectivity.


Unidirectional vs Bidirectional: Complete Integration Guide

Unidirectional integration offers maximum security with one-way data flow—ideal for critical infrastructure. Bidirectional integration enables real-time control and automation but requires stronger cybersecurity. Choose based on your need for protection vs. interactivity.
Waterfall team

Unidirectional vs Bidirectional Integration

In today’s increasingly connected industrial environments, the way data flows between systems has a direct impact on both operational efficiency and cybersecurity. As more organizations integrate IT and OT networks, a crucial decision arises: Should data communication be unidirectional or bidirectional? This choice defines not just how systems share information, but also the security posture of critical infrastructure. Understanding the differences between unidirectional vs bidirectional integration is vital for organizations aiming to strike the right balance between connectivity and protection.

In this complete integration guide, we'll explore unidirectional vs. bidirectional integration, the security implications of each, and how to choose the best architecture for your specific needs.

What Are Unidirectional and Bidirectional Integrations?

Before diving into which type of integration suits your environment best, it’s important to understand what these terms mean and how they function in industrial and enterprise networks.

Unidirectional Integration

A unidirectional integration allows data to flow in only one direction—typically from an operational network (OT) to an information technology (IT) network. This setup is most commonly implemented using unidirectional gateways or data diodes, which enforce physical separation of the send and receive paths.

Unidirectional networks are used primarily in high-security environments such as power plants, manufacturing control systems, and water treatment facilities. They allow critical systems to share data (like sensor readings or logs) without exposing those systems to remote access or cyber threats from external networks.

Key characteristics:

  • One-way data transfer

  • Enforced by hardware (e.g., data diode)

  • Maximizes security by preventing inbound traffic

  • Typically used for monitoring, reporting, and secure logging

Bidirectional Integration

In contrast, bidirectional integration supports two-way communication between systems. This setup is essential for use cases where interactive control, acknowledgment messages, or real-time adjustments are required.

Bidirectional integrations are common in enterprise IT systems, smart manufacturing, and connected industrial IoT environments. While they offer flexibility and richer functionality, they inherently introduce more attack surfaces and require robust cybersecurity measures.

Key characteristics:

  • Two-way data flow

  • Enables command and control, updates, and automation

  • Higher functionality but with increased security risks

  • Requires rigorous access control, segmentation, and monitoring

How Unidirectional Integration Works

Understanding how unidirectional integration functions is key to appreciating its role in secure network architectures, especially within Operational Technology (OT) environments. In this section, we’ll explore the mechanics of one-way data flow, examine common use cases, and break down the technical architecture that makes unidirectional networks both effective and resilient.

Understanding One-Way Data Flow

At its core, unidirectional integration enforces a strict policy of one-way communication—typically from a lower-trust zone (like an OT environment) to a higher-trust zone (such as an IT network or cloud). This ensures that while operational data can be monitored, analyzed, or stored externally, no control commands, malware, or unauthorized access can be sent back into the secured source system.

This model eliminates many of the vulnerabilities associated with bidirectional connectivity. Even if the destination network is compromised, the source remains shielded by design. This “data out, nothing in” approach forms the foundation of many industrial cybersecurity strategies.

Unidirectional Networks and Their Applications

Unidirectional networks are not just conceptual—they’re actively deployed in industries where data integrity and system availability are non-negotiable. Here are a few key applications:

  • Power Generation & Utilities
    Unidirectional gateways allow operators to transmit SCADA data to enterprise systems without exposing critical control infrastructure to internet-based threats.
  • Oil & Gas Pipelines
    Flow meters and safety systems can transmit logs and alarms upstream, while maintaining complete isolation from IT control commands or firmware update traffic.
  • Water Treatment Facilities
    Supervisory data can be monitored externally, while preventing any potential backdoor into programmable logic controllers (PLCs).
  • Manufacturing Plants
    Production statistics and quality data can be sent to ERP systems or cloud analytics platforms without risking compromise of production lines.

In each of these examples, the unidirectional model supports visibility and compliance reporting while upholding air-gap-level security—without the operational constraints of physical disconnection.

Technical Architecture of Unidirectional Systems

Unidirectional systems are typically built using hardware-enforced one-way devices, such as data diodes. These devices physically prevent any electrical signal from traveling in the reverse direction. The architecture generally includes:

  1. Source Connector (Transmitter Side)
    Installed within the secure network, this component captures the necessary data (e.g., logs, telemetry, historian feeds) and prepares it for transmission.

  2. Unidirectional Gateway (Data Diode)
    The core of the system, this device ensures that data flows in one direction only. It may use fiber-optic technology with transmit-only and receive-only components to guarantee physical enforcement.

  3. Destination Connector (Receiver Side)
    Located on the external or less-trusted network, this side receives the data for further processing, display, or storage.

  4. Replication and Proxy Services
    Because many enterprise applications expect two-way protocols (e.g., TCP/IP), unidirectional gateways often use software proxies that emulate bidirectional behavior on the destination side, without actually allowing any response traffic to return to the source.

This architecture supports common protocols such as OPC, Syslog, MQTT, and even file transfers via FTP—all while ensuring that control systems remain entirely isolated from inbound threats.
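To make the architecture above concrete, here is an added toy model (not Waterfall's code) of the source connector, one-way link, destination connector and replica proxy. It also shows the consequence of having no return path that a practitioner has to plan for: a lost frame cannot be re-requested, so the receiver detects it from sequence-number gaps. All class names, tag names and values are constructed for the example.

```python
import json
from collections import deque
from typing import Any, Dict, Optional

# Constructed example (not Waterfall's code). The fibre is a deque; the OT side
# is only ever handed a Transmitter (send only) and the IT side only a Receiver
# (recv only). A real data diode enforces that split in hardware.

class Transmitter:
    def __init__(self, fibre: deque) -> None:
        self._fibre = fibre

    def send(self, frame: bytes) -> None:
        self._fibre.append(frame)

class Receiver:
    def __init__(self, fibre: deque) -> None:
        self._fibre = fibre

    def recv(self) -> Optional[bytes]:
        return self._fibre.popleft() if self._fibre else None

class SourceConnector:  # OT-side connector: frames historian tags with a sequence number
    def __init__(self, historian: Dict[str, Any], tx: Transmitter) -> None:
        self.historian, self.tx, self.seq = historian, tx, 0

    def replicate(self) -> int:
        for tag, value in self.historian.items():
            self.seq += 1
            self.tx.send(json.dumps({"seq": self.seq, "tag": tag, "value": value}).encode())
        return self.seq

class DestinationConnector:
    """IT-side connector: rebuilds a replica. With no return path there is no
    ACK or retransmit request, so loss is detected from sequence-number gaps."""

    def __init__(self, rx: Receiver) -> None:
        self.rx, self.replica, self.expected, self.gaps = rx, {}, 1, []

    def drain(self) -> None:
        while (frame := self.rx.recv()) is not None:
            rec = json.loads(frame)
            if rec["seq"] > self.expected:
                self.gaps.extend(range(self.expected, rec["seq"]))
            self.expected = rec["seq"] + 1
            self.replica[rec["tag"]] = rec["value"]

class ReplicaServer:
    """Destination-side proxy emulating a read/write protocol: reads are served
    from the replica; writes are refused because nothing can flow back."""

    def __init__(self, dest: DestinationConnector) -> None:
        self.dest = dest

    def handle(self, request: Dict[str, Any]) -> Dict[str, Any]:
        op, tag = request.get("op"), request.get("tag")
        if op == "write":  # would need a return path, and there is none
            return {"ok": False, "error": "no return path to source"}
        if op != "read" or tag not in self.dest.replica:
            return {"ok": False, "error": "unsupported op or unknown tag"}
        return {"ok": True, "tag": tag, "value": self.dest.replica[tag]}

def run_scenario(lost_seq: Optional[int] = None) -> Dict[str, Any]:
    """Replicate a constructed historian, optionally lose one frame, then read and write via the proxy."""
    historian = {"pump1.flow": 12.5, "tank1.level": 71.0, "valve3.state": "open"}
    fibre: deque = deque()
    src = SourceConnector(historian, Transmitter(fibre))
    dst = DestinationConnector(Receiver(fibre))
    src.replicate()
    if lost_seq is not None:  # test hook: model one frame lost on the fibre
        fibre.remove(next(f for f in fibre if json.loads(f)["seq"] == lost_seq))
    dst.drain()
    proxy = ReplicaServer(dst)
    return {"replica": dict(dst.replica), "gaps": list(dst.gaps),
            "read": proxy.handle({"op": "read", "tag": "pump1.flow"}),
            "write": proxy.handle({"op": "write", "tag": "valve3.state", "value": "closed"}),
            "source_after": dict(historian)}
```

Running `run_scenario(lost_seq=2)` shows the replica missing `tank1.level`, `gaps == [2]`, the write refused, and the source historian unchanged.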

How Bidirectional Integration Works

When it comes to unidirectional vs. bidirectional integration, unidirectional prioritizes isolation and security whereas bidirectional integration enables dynamic interaction, control, and real-time responsiveness across systems. In modern industrial and enterprise environments, many operations depend on this two-way data flow to support automation, decision-making, and system coordination.

In this section, we’ll break down how bidirectional integration functions, its strengths in real-time environments, and the technical architecture behind it.

Understanding Two-Way Data Flow

Bidirectional integration involves the continuous exchange of data between two systems, where both can send and receive information. Unlike unidirectional networks, this model allows interactive communication, enabling not just monitoring but also remote control, updates, and acknowledgments.

For example:

  • A production system may send machine data to a centralized platform.

  • That platform, in turn, may send control instructions or configuration changes back to the machine.

This closed-loop communication supports agility and responsiveness, especially in environments where uptime, accuracy, and real-time decisions are critical.

Key benefits include:

  • Immediate feedback loops

  • Remote diagnostics and control

  • Adaptive systems based on real-time analytics

  • Streamlined maintenance and operational workflows

However, this model requires stronger cybersecurity controls, as opening both communication paths increases the system’s exposure to threats.

Real-Time Synchronization in Bidirectional Systems

One of the defining features of bidirectional integration is real-time synchronization. This capability allows disparate systems—such as SCADA, MES, ERP, or cloud platforms—to work in harmony with minimal delay.

Common use cases include:

  • Industrial IoT Deployments
    Sensors collect data and receive updated rules or thresholds from central management platforms.

  • Smart Manufacturing
    Machines dynamically adjust based on input from enterprise planning systems or predictive maintenance algorithms.

  • Remote Monitoring & Control
    Operators can adjust setpoints, restart equipment, or change logic based on data analysis and alerts.

Real-time sync ensures operational efficiency and responsiveness, which is why bidirectional networks are popular in high-performance industrial settings. However, the same real-time capabilities can be weaponized by threat actors if not properly secured.

Technical Architecture of Bidirectional Systems

Unlike unidirectional systems, bidirectional integration relies on both logical and physical pathways for communication in both directions. Here’s a look at the typical architecture:

  1. Two-Way Communication Channels
    These may include standard TCP/IP connections, industrial protocols like OPC UA, Modbus TCP, or RESTful APIs that support request-response interactions.

  2. Edge Gateways and Firewalls
    Often positioned at network boundaries, these devices enable protocol translation and data normalization, and enforce security policies such as DPI (deep packet inspection) and rate limiting.

  3. Authentication and Authorization Layers
    Critical to any bidirectional system is robust identity management. Role-based access control (RBAC), multi-factor authentication (MFA), and secure tokens help ensure only authorized devices and users can send or receive data.

  4. Encryption and Secure Tunneling
    To protect data in transit, bidirectional systems typically employ TLS/SSL or VPN tunneling. This is especially important when communicating across public or semi-trusted networks.

  5. Redundancy and Monitoring Systems
    Because bidirectional networks are more complex and carry more risk, real-time monitoring, logging, and redundancy (e.g., high-availability failover) are often integrated into the architecture.

While this setup is more flexible and powerful, it requires continuous cybersecurity vigilance to detect and defend against threats such as command injection, ransomware propagation, and lateral movement within the network.

Key Differences: Unidirectional vs Bidirectional Integration

Choosing between unidirectional and bidirectional integration isn’t just a technical decision—it has far-reaching consequences on performance, scalability, security, and compliance. To make the right choice for your organization, it’s essential to understand how these two models differ in fundamental ways.

In this section, we’ll compare them across three critical dimensions: data flow, performance and scalability, and security posture.

Data Flow Patterns Comparison

At the most basic level, the core difference between unidirectional and bidirectional integration lies in how data moves between systems.

| Aspect | Unidirectional Integration | Bidirectional Integration |
|---|---|---|
| Flow Direction | One-way (e.g., OT → IT) | Two-way (OT ⇄ IT) |
| Control Capabilities | No remote control; outbound data only | Full interaction, including remote control and configuration |
| Latency Requirements | Suitable for delayed or scheduled transfers | Designed for real-time responsiveness |
| Use Cases | Monitoring, logging, compliance reporting | Automation, command execution, real-time adjustments |

While unidirectional setups prioritize protected, outbound-only data transfer, bidirectional systems are optimized for interactive workflows and dynamic coordination.

Performance and Scalability Considerations

Performance and scalability are major factors when integrating large-scale or distributed systems. Each model comes with its own strengths and trade-offs:

Unidirectional Integration:
  • Performance: Typically lighter-weight due to single-direction flow.

  • Scalability: Easier to scale across secure zones without introducing complexity.

  • Limitations: No built-in feedback mechanisms or live response capabilities.

Bidirectional Integration:
  • Performance: Higher demand on bandwidth and processing due to synchronous communication.

  • Scalability: Can be more complex, requiring advanced routing, load balancing, and session management.

  • Advantages: Enables real-time control, adaptive systems, and closed-loop feedback.

For environments requiring continuous updates, machine-to-machine commands, or cloud analytics integration, bidirectional integration often provides better long-term scalability—if the supporting infrastructure is in place.

Security and Compliance Implications

The security and compliance impact of each integration model is perhaps the most decisive factor—especially in regulated industries like energy, transportation, and manufacturing.

Unidirectional Integration:
  • Security Strength: Extremely secure; eliminates inbound attack vectors.
  • Attack Surface: Minimal—source systems are physically protected from external access.
  • Compliance Fit: Ideal for meeting strict regulatory standards like NERC CIP, IEC 62443, or government-grade segmentation.
  • Monitoring: Often paired with passive network monitoring tools for early detection.

Bidirectional Integration:
  • Security Risk: Higher exposure due to two-way channels—must defend against remote exploits, ransomware, and unauthorized commands.
  • Mitigation Needs: Requires strong firewalls, intrusion detection, access controls, and continuous threat monitoring.
  • Compliance Complexity: Must demonstrate layered defenses and auditability; more challenging in highly regulated sectors.
  • Visibility: Provides deeper insight and operational transparency—but at a cost.

Ultimately, unidirectional integration provides strong security guarantees and is often preferred in mission-critical OT systems, while bidirectional integration is essential where automation, efficiency, and responsiveness are prioritized—provided appropriate risk controls are in place.

Unidirectional vs. Bidirectional Integration: When to Choose Unidirectional Integration

Unidirectional integration is not just a cybersecurity strategy—it’s a deliberate architectural choice for environments where risk tolerance is low, and system integrity is paramount. While it limits interactivity, it offers unmatched protection for critical assets.

In this section, we explore when unidirectional integration is the right fit, where it excels, and what to consider before implementing it.

Ideal Use Cases for One-Way Integration

Unidirectional networks are most effective in industries or systems where availability, safety, and integrity take precedence over interactive control or real-time feedback. These include:

  • Critical Infrastructure
    Power grids, water treatment plants, and natural gas pipelines often use unidirectional gateways to send telemetry and log data to IT systems without allowing access back into the control network.
  • High-Security Industrial Control Systems (ICS)
    SCADA environments that require strict air-gapped security benefit from one-way data transfers to external monitoring or compliance systems.
  • Regulated Environments
    Nuclear facilities, military systems, and financial institutions often deploy unidirectional systems to satisfy stringent cybersecurity and compliance frameworks such as NERC CIP, IEC 62443, and ISO/IEC 27001.

  • Passive Monitoring and Forensics
    Security operations centers (SOCs) often use unidirectional data feeds for log aggregation, intrusion detection (IDS), or anomaly detection tools.

If the goal is to observe without influence, unidirectional integration is almost always the safest route.

Benefits of Unidirectional Approaches

The advantages of unidirectional integration go far beyond one-way data movement—they redefine the security posture of an entire architecture. Key benefits include:

  • Maximum Security
    Eliminates the risk of inbound cyberattacks, malware propagation, and remote access.
  • Physical Enforcement
    With hardware-based gateways (like data diodes), policies are not just logical—they’re physically unbreachable.
  • Regulatory Alignment
    Helps meet the most demanding cybersecurity standards and audit requirements.
  • System Stability
    Critical OT systems remain isolated from internet-based threats, reducing the chance of disruption or manipulation.
  • Simplified Network Segmentation
    A clear boundary is created between zones, reducing complexity in firewall and access control management.

For organizations where a cyber breach could result in physical damage, environmental harm, or loss of life, these benefits are non-negotiable.

Limitations and Considerations

Despite its strengths, unidirectional integration comes with limitations that may not suit every operational model:

  • No Command & Control Capability
    Operators cannot send commands, software updates, or configurations through unidirectional channels. This restricts remote management and automation.

  • Requires Specialized Hardware
    Implementation depends on data diodes or unidirectional gateways, which can be costly and may need custom configuration.

  • Protocol Emulation Challenges
    Some two-way protocols must be emulated on the receive side to appear seamless to upstream systems, which adds complexity.

  • Limited Interactivity
    In modern IIoT environments or smart factories, unidirectional setups may be too restrictive to support advanced digital workflows or adaptive automation.

  • Delayed Feedback Loops
    Without a response channel, operators must rely on scheduled reporting, creating a gap between action and awareness.


Before committing to a unidirectional model, it’s essential to assess whether your operational goals can be met without live control or feedback.

Unidirectional vs. Bidirectional Integration: When to Choose Bidirectional Integration

While unidirectional integration offers high assurance security, it isn’t always practical—especially in dynamic, data-driven environments that require interaction, control, and feedback. This is where bidirectional integration becomes essential. When speed, automation, and interactivity are top priorities, a two-way architecture can deliver the operational agility modern organizations demand.

In this section, we’ll explore when bidirectional integration makes the most sense, highlight its key advantages, and address the challenges it introduces.

Ideal Use Cases for Two-Way Integration

Bidirectional integration is ideal for scenarios that require real-time control, feedback loops, or active data exchanges between systems. Common examples include:

  • Smart Manufacturing and Industry 4.0
    Production environments where machines communicate with MES and ERP systems, enabling adaptive planning, predictive maintenance, and real-time quality control.
  • Industrial IoT Deployments
    Sensors and edge devices that not only report data but receive firmware updates, configuration changes, or automated instructions from centralized platforms.
  • Remote Monitoring and Control
    Operators who need to adjust setpoints, trigger shutdowns, or reconfigure control logic based on changing conditions or alerts.
  • Cloud-Connected Operations
    Systems that leverage cloud analytics or AI to optimize performance and send actionable insights back to the shop floor or field devices.
  • Energy Management and Demand Response
    Power generation systems that respond to grid signals in real time, adjusting loads or activating backups based on supply and demand.

In all these cases, the ability to act on data—not just observe it—is critical to achieving efficiency, agility, and competitive advantage.

Benefits of Bidirectional Approaches

The strength of bidirectional integration lies in its ability to enable dynamic, intelligent operations. Some of its most important benefits include:

  • Real-Time Decision-Making
    Two-way communication allows systems to respond immediately to operational changes, enhancing efficiency and responsiveness.

  • Operational Flexibility
    Remote teams can manage, configure, and control systems without being physically present—critical in distributed or global operations.

  • Automation Enablement
    Bidirectional data flow supports complex automation logic, adaptive control, and event-driven workflows.

  • Improved Resource Optimization
    Systems can be fine-tuned in real time based on sensor data, external conditions, or predictive models.
  • Enhanced User Experience
    Dashboards, analytics tools, and mobile apps can reflect and influence operational status in real time, improving visibility and decision-making.

Challenges and Complexity Factors

Despite its advantages, bidirectional integration introduces significant complexity and risk. Here are the most critical challenges to consider:

  • Expanded Attack Surface
    Two-way communication opens inbound paths, increasing the potential for cyberattacks, command injection, and lateral movement.

  • Higher Security Requirements
    Must be accompanied by advanced cybersecurity controls including firewalls, intrusion detection/prevention systems (IDS/IPS), segmentation, and continuous monitoring.
  • Greater Compliance Burden
    Regulatory requirements may be harder to meet, especially when systems span IT/OT boundaries or involve critical infrastructure.
  • Protocol and Data Handling Complexity
    Managing bidirectional protocols (like OPC UA, MQTT, or REST APIs) across network zones often requires middleware, protocol converters, or edge gateways.

  • Maintenance and Support
    Bidirectional systems typically demand more ongoing maintenance, including access control updates, patching, and threat modeling.
  • Latency and Synchronization Concerns
    Real-time sync requires robust network performance, redundancy planning, and high system reliability to prevent data conflicts or command delays.

Organizations opting for bidirectional integration must invest not just in connectivity—but also in cyber hygiene, policy enforcement, and security architecture to protect their operations.

Conclusion: Choosing the Right Integration Approach

When it comes to unidirectional vs bidirectional integration, there is no one-size-fits-all answer. Each approach serves a distinct purpose and is suited to specific operational and security needs.

Unidirectional integration is the go-to solution when security, system isolation, and regulatory compliance are top priorities. It provides robust protection against external threats, making it ideal for critical infrastructure, legacy control systems, and any environment where “look but don’t touch” is the guiding principle.

Bidirectional integration, on the other hand, is essential in environments that demand real-time responsiveness, automation, and full system control. It supports modern digital transformation initiatives, smart manufacturing, and connected IoT ecosystems—but comes with the trade-off of increased complexity and security risk.

Key Takeaway:
Choose unidirectional networks when your goal is to protect.
Choose bidirectional integration when your goal is to interact and optimize.

Before making a decision, assess your organization’s:

  • Risk tolerance

  • Operational requirements

  • Regulatory obligations

  • Long-term scalability goals

In some cases, a hybrid architecture may offer the best of both worlds—combining one-way data flows for critical systems with secure two-way channels for less sensitive operations.

By aligning your integration strategy with your business objectives and security posture, you can achieve both resilience and responsiveness in today’s complex digital landscape.

The post Unidirectional vs Bidirectional: Complete Integration Guide appeared first on Waterfall Security Solutions.

]]>