Safe Enterprise Integration For Chemical Plants

Protecting Industrial Control Networks From Evolving Cyber Threats
Customer/Partner:

Chemical Processing Facility in Japan.

Customer Requirement:

The ability to monitor industrial operations without the risk that attackers can impair physical operations or steal recipes, configurations and other valuable intellectual property from industrial networks.

Waterfall’s Unidirectional Solution:

A Waterfall Unidirectional Gateway implements safe IT/OT integration by creating a fully functional OSIsoft PI system replica on the enterprise network, while a Waterfall FLIP enables disciplined, scheduled updates of production orders and anti-virus signatures in production systems.

Cyber Threats To The Chemical Processing Environment

The consequences of compromise of control systems and of losing sensitive intellectual property in chemical processing are unacceptable. Attacks tampering with control system software can cause unscheduled downtime, equipment damage, threats to site personnel and even public safety. The theft of confidential recipes or processing configurations can eliminate competitive advantage for an enterprise which has invested significantly in R&D. Industrial security regulations urge operators to use cybersecurity best practices to secure IT/OT interconnection in order to protect against cyber attacks and IP theft. Best practices increasingly point out that software-only protections and reliance on intrusion detection systems are not reliable protections for critical industrial operations.

The challenge

To secure the processing of feedstocks into chemical products on control networks which include reactors, heat exchangers, distillation columns, tanks, pumps, compressors and other piping equipment. Modern processing control systems are responsible for the careful handling and transport of sensitive chemicals, and the smart devices on the production line store confidential IP. Protecting these critical assets with software (firewalls or other IT security measures) is not enough as all software by nature can be compromised.

Waterfall solution

A Waterfall Unidirectional Gateway was installed between the ICS network and the Enterprise network. Unidirectional Gateway software connectors replicate an OSIsoft PI server and Syslog server from the control network to the enterprise network, where enterprise clients can interact normally and bidirectionally with these replicas in real time. A Waterfall FLIP, a hardware-enforced Unidirectional Security Gateway whose orientation is reversible, was also installed between the Industrial and IT networks. By schedule, or by exception, an independent control mechanism triggers the FLIP hardware to change orientation, allowing information to flow back into the protected ICS network as needed.

Results & benefits

100% Security: Having replaced the software firewall with hardware-enforced physical protection in the form of a Unidirectional Gateway and a FLIP, the plant control networks are now physically protected from online attacks originating on IT, Internet or other external networks.

100% Visibility: The Industrial network continues to operate as if nothing has changed. Instead of accessing servers on the critical operational network, users on the enterprise network now access real-time data from the replica PI System for all informational and analytical requirements.

100% Compliance: This architecture facilitates compliance with even the most rigorous industrial cybersecurity standards and regulations, worldwide.

Theory of Operation

Waterfall Unidirectional Security Gateways replace firewalls in industrial network environments, providing absolute protection to control systems and operations networks from attacks originating on external networks. The Gateways enable vendor monitoring, industrial cloud services, and visibility into operations for modern enterprises and customers. Unidirectional Gateways replicate servers, emulate industrial devices and translate industrial data to cloud formats. As a result, Unidirectional Gateway technology represents a plug-and-play replacement for firewalls, without the vulnerabilities and maintenance issues that always accompany firewall deployments.

Unidirectional Gateways contain both hardware and software components. The hardware components include a TX Module, containing a fiber-optic transmitter/laser, and an RX Module, containing an optical receiver, but no laser. The gateway hardware can transmit information from an industrial network to an external network, but is physically incapable of propagating any virus, DoS attack, human error or any cyber attack at all back into the protected network.

Unidirectional Security Gateways Benefits:

Safe, continuous monitoring of control systems

Strong protection from remote attack consequences, including unscheduled downtime, equipment damage, and threats to worker, environmental, and public safety

Simplified audits, change reviews, and security system documentation

Disciplined, on-demand and scheduled updates of plant systems, without the vulnerabilities that always accompany firewall deployments

Global Cybersecurity Standards Recommend Unidirectional Security Gateways

The enhanced level of protection provided by Waterfall’s Unidirectional Security Gateway technology is recognized as best practice by leading industry standards bodies such as NIST, ANSSI, Israel’s Ministry of Environmental Protection, NERC, the IEC, the US DHS, ENISA, and many more. Waterfall Security Solutions is the market leader for Unidirectional Gateway technology with installations at critical infrastructure sites worldwide.


