24 May 2017
Hannover Messe “Outsourced Security” Demo: An Overview and Takeaways
Recently, Waterfall joined 24 vendors from Industrie 4.0 (I4.0) and the Industrial Internet Consortium (IIC) in demonstrating secure cloud interconnectivity at the Hannover Messe industrial event. Unidirectional gateway technology and strong encryption were at the heart of this outsourced security demo, illustrating how to benefit from direct integration of control systems with cloud systems, without risk of any remote, online attack damaging industrial systems. This important demonstration illustrated how industrial businesses can take advantage of the operational benefits of the industrial cloud, without exposing industrial control networks to remote cyber risks.
The demo: Interoperability between Industrie 4.0 and Industrial Internet Consortium members
The “outsourced security” concept for the demo is very timely. We often find that industrial sites require intrusion detection and other security monitoring applications, but do not wish to develop their own in-house expertise to interpret complex alerts and other potential attack information. The solution many sites would like to adopt is to outsource real-time security monitoring to IT-based or third-party, cloud-based SIEMs and Security Operations Centers (SOCs). However, concerns for safety and reliability can prohibit such outsourcing. To demonstrate how to address these risks, all the vendors spent months preparing for the first large-scale demonstration of its kind. The objective of the demo was to show how secure interoperability is possible among many vendors’ and consortiums’ industrial systems, using different roots of trust for certificates that control encrypted communications. Many of the participating vendors were industrial equipment suppliers, such as Schneider Electric, Siemens and Fujitsu. Six were SIEM vendors, and GlobalSign provided all of the certificates.
Unidirectional CloudConnect® at the heart of connectivity
Waterfall Security provided the demonstration with three Unidirectional CloudConnect appliances. One of these appliances was deployed in each of the IIC and I4.0 pavilions, enabling safe and reliable integration for IIoT edge devices in those pavilions with IT-based and cloud-based SIEMs. These edge devices all connected to the CloudConnect equipment using encrypted TLS/TCP V3 Syslog streams. The CloudConnect systems validated these streams, aggregated them, and sent a copy of each stream to each of the cloud and local SIEMs. The unidirectional gateway technology at the heart of the CloudConnect products ensured that while Syslog content was able to flow to IT-based and cloud-based SIEMs, no attack whatsoever could flow back to the sensitive industrial devices through the CloudConnect systems.
A third CloudConnect system received Syslog data from cloud sources and Internet-based edge devices, aggregated those streams, and sent a secure copy of each stream to each of the SIEMs as well. The many SIEMs used a variety of types of encryption certificates, all of which were validated by the CloudConnect equipment, and were used to negotiate secure communications between the SIEMs and the CloudConnect systems.
The solution illustrated in the demo is one that many believe represents the future of security in the IIoT. The IIC Industrial Internet Reference Architecture (IIRA) and Security Framework (IIC SF) describe an architecture where edge devices either connect directly to IT-based or Internet-based “cloud” systems, or connect indirectly via security gateways when direct connections are unsafe. The IIC SF recognizes that the IIoT security gateways that provide the strongest security to sensitive industrial systems are those which use hardware-enforced unidirectional-gateway technology, such as Waterfall’s Unidirectional CloudConnect.