Waterfall Security Solutions – “gold book” posts (https://waterfall-security.com)

Abstraction for Safe Closed-Loop Control by Cloud Systems in Mining
https://waterfall-security.com/ot-insights-center/metals-mining/abstraction-for-safe-closed-loop-control-by-cloud-systems-in-mining/
Thu, 23 May 2024

What happens when we close the loop in mining operations? When Internet-exposed services are compromised and send malicious instructions back into our safety-critical operations? How do we prevent that from happening?
Andrew Ginter

Central “cloud” services have substantial benefits, especially in mining and other industries where large industrial sites are situated at a distance from population centers. Unidirectional gateways safely and easily send information from these distant industrial sites out to cloud services, but what happens when we close the loop, when Internet-exposed services are compromised and send malicious instructions back into our safety-critical operations?

“Unidirectional gateways safely and easily send information from these distant industrial sites out to cloud services, but what happens when we close the loop?”

Inbound Unidirectional Gateways

Part of the risk can be addressed with a second Unidirectional Gateway deployed to send information back into the mine, carefully designed to be “distant” from and independent of the outbound Unidirectional Gateway. This configuration prevents the targeted command-and-control loops that are the favorite attack tool of high-end ransomware and nation-state adversaries. In addition, to address the risk of a compromised cloud service sending unsafe instructions back into our mine or other remote industrial operation, we need data validation, which is made enormously easier and safer when we can thoroughly abstract our data.

Mineral Processing Example

What does that mean? Consider the example of a primary mineral processing operation at a mine site. The loaders and trucks are instrumented to measure the characteristics of every load of ore and transmit those measurements to a cloud-based expert system. The expert system or even an AI in the cloud uses the measurements to determine optimal mineral processing steps for the load at the mine site. Worker safety and equipment protection are priorities. For example, assume that primary processing includes steps such as:

  • a crusher with only three safe speed settings,

  • an electrostatic separator with a maximum safe voltage level, beyond which electrical insulation starts breaking down with a risk of arcing and fires at the site, and

  • a high-speed gravity-separator centrifuge that must avoid certain speeds because of the risk of harmonic frequencies creating dangerous vibrations in the device.

Imagine that this and other equipment at the primary processing site is monitored and controlled by a dozen PLCs. For each load of ore, optimally cost-efficient processing involves operating the equipment at regularly changed settings, based on the characteristics of that load of ore and on the characteristics of the previous load, part of which may still be in progress when the next load starts processing.

Abstracting Control Signals

To address the risk of a compromised cloud sending unsafe instructions, we need to define or restrict communications through the gateway to combinations of values and settings that are known to be safe. One can imagine the cloud service sending a stream of time stamps and PLC register numbers and values into a validation-checking system that looks at all the hundreds or thousands of PLC values and tries to determine whether the settings are likely to result in unsafe conditions. In practice, such testing systems are very difficult to design so that:

  1. They are not easily confused, and

  2. They are comprehensive as to the unsafe conditions they prevent.

A more secure and reliable system is one that uses a high degree of information abstraction – sending control information into the industrial network in a simpler format, one that is designed to be easily verified for safety, both by human inspectors and by software systems. In our example, the control information could be encoded as a standard document schema, such as an XML or JSON schema, designed to express safe variations of primary processing conditions. For example:

  • Since the crusher has only three safe speeds, express those speeds as the text values “low,” “medium,” or “high.”

  • Since the electrostatic separator has a maximum safe voltage, send the voltage setpoint as a value between “0%” and “100%”. Forbid any value greater than “100%” in the separator voltage instruction.

  • Since the centrifuge has both safe and unsafe speeds, select a range of safe speeds – 10 speeds in this example – and express the centrifuge speed setting as either the string “off” or a number between “1” and “10.”

Instead of sending hundreds of PLC values and timestamps into the processing system and scratching our heads over whether those values are safe, a process engineering team in this example has determined the safe operating modes of the processing facility, and control instructions are encoded as abstract points within that “space” of safe settings.

Schema Verification

A syntax checker on the external network then verifies that the incoming commands comply with the XML, JSON, CSV or other schema describing the allowed values. Any failure to comply is logged as an error and the instruction is rejected. A second syntax checker repeats the process on the internal network, after the instructions have been sent through the Unidirectional Gateway. Any schema failure identified inside the primary processing network represents a misconfiguration that defeated our first level of filtering. Such instructions are again rejected, but here they are logged as high-priority errors, since they most likely indicate an attack in progress. Finally, all accepted and twice-validated control instructions are passed to a Manufacturing Execution System (MES), a batch manager or a comparable system in the mine’s OT network, to be translated into PLC values and communicated to the devices controlling the physical process.
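The abstraction and the two-stage checking described above, as an added example that is not Waterfall’s code: the crusher, separator and centrifuge settings become a small JSON vocabulary, constructed sample messages are run through an “external” checker and then an “internal” checker, and an MES-style translation turns accepted instructions into concrete setpoints. The field names, the percentage regular expression, the log format and the setpoint tables are all assumptions made for the illustration.

```python
"""Two-stage schema validation for abstracted control instructions.

Added example, not Waterfall's code. Field names, the regular expression,
the log format and the MES tables are assumptions for the illustration.
"""
import json
import re

# The whole vocabulary of the control schema. Anything outside this "space"
# of safe settings is rejected before it can ever become a PLC write.
CRUSHER_SPEEDS = {"low", "medium", "high"}        # the three safe crusher speeds
PERCENT_RE = re.compile(r"(100|[1-9]?[0-9])%")    # "0%" .. "100%", no leading zeros
CENTRIFUGE_MAX_SETTING = 10                        # "off" or 1..10
REQUIRED_FIELDS = {"load_id", "crusher_speed", "separator_voltage", "centrifuge_speed"}


def validate_instruction(doc):
    """Return the list of schema violations for one instruction (empty list = accepted)."""
    if not isinstance(doc, dict):
        return ["instruction is not a JSON object"]
    errors = []
    missing = REQUIRED_FIELDS - set(doc)
    if missing:
        errors.append("missing fields: " + ", ".join(sorted(missing)))
    extra = set(doc) - REQUIRED_FIELDS
    if extra:  # raw PLC registers or any other surprise field are not in the vocabulary
        errors.append("unexpected fields: " + ", ".join(sorted(extra)))
    v = doc.get("crusher_speed")
    if v is not None and (not isinstance(v, str) or v not in CRUSHER_SPEEDS):
        errors.append(f"crusher_speed {v!r} is not one of {sorted(CRUSHER_SPEEDS)}")
    v = doc.get("separator_voltage")
    if v is not None and not (isinstance(v, str) and PERCENT_RE.fullmatch(v)):
        errors.append(f"separator_voltage {v!r} must be a string from '0%' to '100%'")
    v = doc.get("centrifuge_speed")
    # type(v) is int deliberately excludes bool, so JSON true/false cannot pass as 1/0
    if v is not None and not (v == "off" or (type(v) is int and 1 <= v <= CENTRIFUGE_MAX_SETTING)):
        errors.append(f"centrifuge_speed {v!r} must be 'off' or an integer 1..{CENTRIFUGE_MAX_SETTING}")
    return errors


def check_at_gateway(raw_text, stage, log):
    """Parse and validate one raw message on one side of the Unidirectional Gateway.

    stage is "external" or "internal". Returns the accepted instruction, or None.
    A rejection on the external network is an ordinary error; a rejection on the
    internal network means the first checker was defeated, so it is high priority.
    """
    severity = "ERROR" if stage == "external" else "HIGH-PRIORITY"
    try:
        doc = json.loads(raw_text)
    except json.JSONDecodeError as exc:
        log.append(f"{severity} [{stage}] malformed JSON: {exc.msg}")
        return None
    errors = validate_instruction(doc)
    if errors:
        load = doc.get("load_id", "?") if isinstance(doc, dict) else "?"
        for err in errors:
            log.append(f"{severity} [{stage}] load {load}: {err}")
        return None
    return doc


def process_stream(messages, external_checker_enabled=True):
    """Run messages through both checkers; return (accepted instructions, log lines).

    external_checker_enabled=False simulates a misconfigured external checker so
    that the internal checker's high-priority path is exercised.
    """
    accepted, log = [], []
    for raw in messages:
        if external_checker_enabled and check_at_gateway(raw, "external", log) is None:
            continue  # rejected outside; never crosses the gateway
        # The gateway forwards the text unchanged; the internal checker repeats the check.
        doc = check_at_gateway(raw, "internal", log)
        if doc is not None:
            accepted.append(doc)
    return accepted, log


# Hypothetical MES translation tables (constructed values, not real equipment data).
CRUSHER_RPM = {"low": 200, "medium": 300, "high": 400}
SEPARATOR_MAX_VOLTS = 30000
CENTRIFUGE_RPM = {n: 1000 + 250 * n for n in range(1, CENTRIFUGE_MAX_SETTING + 1)}


def to_plc_setpoints(doc):
    """MES role: turn a validated abstract instruction into concrete setpoints.

    The tables contain only safe values, so every input that passed the schema
    maps to a setting inside the safe envelope; nothing is left to re-check here.
    """
    pct = int(doc["separator_voltage"].rstrip("%"))
    return {
        "crusher_rpm": CRUSHER_RPM[doc["crusher_speed"]],
        "separator_volts": SEPARATOR_MAX_VOLTS * pct // 100,
        "centrifuge_rpm": 0 if doc["centrifuge_speed"] == "off"
        else CENTRIFUGE_RPM[doc["centrifuge_speed"]],
    }


# Constructed sample stream: two good instructions and three kinds of bad ones
# (over-voltage, unknown speed plus raw register plus out-of-range, truncated JSON).
SAMPLE_MESSAGES = [
    '{"load_id": 101, "crusher_speed": "medium", "separator_voltage": "85%", "centrifuge_speed": 7}',
    '{"load_id": 102, "crusher_speed": "high", "separator_voltage": "140%", "centrifuge_speed": 3}',
    '{"load_id": 103, "crusher_speed": "low", "separator_voltage": "50%", "centrifuge_speed": "off"}',
    '{"load_id": 104, "crusher_speed": "turbo", "separator_voltage": "50%", '
    '"centrifuge_speed": 11, "plc_register_40001": 9999}',
    '{"load_id": 105, "crusher_speed": "low", "separator_voltage": "50%", "centrifuge_speed": 5',
]

if __name__ == "__main__":
    accepted, log = process_stream(SAMPLE_MESSAGES)
    for line in log:
        print(line)
    for doc in accepted:
        print(doc["load_id"], "->", to_plc_setpoints(doc))
```

Running the module prints five rejections, all ordinary errors from the external checker, and the setpoints for loads 101 and 103; calling `process_stream(SAMPLE_MESSAGES, external_checker_enabled=False)` shows the same five rejections surfacing on the internal side as high-priority entries. The point of the design is visible in `to_plc_setpoints`: because the schema can only express points inside the safe space, the translation step needs no safety logic of its own.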

Safe Closed-Loop Cloud Control

This example highlights the network engineering discipline’s focus on the difference between monitoring information, which leaves the site, and control information, which enters the site. In this example, an attacker tampering with monitoring information that goes out to the cloud can at worst confuse the cloud. A confused or maliciously compromised cloud can at worst communicate an unprofitable configuration for the primary processor back into the industrial system. The schema for the incoming control information is designed so that unsafe configurations cannot be expressed at all.

Malicious configurations are at worst either ill-formed, and so easily detected and rejected, or well-formed but unprofitable. Unprofitable configurations will eventually be noticed and investigated, and the compromise of the cloud system discovered. Short periods of unprofitability are regarded by most industrial operations as acceptable business consequences for which we can buy insurance, not as unacceptable safety, environmental-disaster or equipment-damaging consequences. Inbound Unidirectional Gateways coupled with control information abstraction and strict validity checking make closed-loop cloud-based control of mining operations and other industrial operations safe.

For more information about network engineering, please request a free copy of my latest book Engineering-Grade OT Security: A manager’s guide.

About the author

Andrew Ginter is the most widely-read author in the industrial security space, with over 23,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.
OT Security: Are We Protecting the Information?
https://waterfall-security.com/ot-insights-center/ot-security-standards/ot-security-are-we-protecting-the-information/
Thu, 07 Mar 2024

Industrial network engineers have always been uneasy with the task of "protecting information". The real priority for OT security is in stopping inbound malicious information from entering the system and threatening machinery and workers.

Andrew Ginter

Connectivity between OT / industrial automation systems, between OT systems and IT systems, and between all this and Internet-based cloud services continues to increase. On the surface, this trend demands that we encrypt everything, thus protecting the information. And, because no operating system or cryptosystem is perfect, we must also deploy at least the “detect,” “respond” and “recover” pillars of the US National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). Since connectivity leads sooner or later to intrusions, we must use sophisticated intrusion detection techniques, in the hope that when we are compromised we can detect the attacks, respond to them, and recover normal functionality before we suffer downtime, equipment damage, casualties, or other unacceptable consequences.

Monitoring Data vs. Control Data

Industrial network engineers, however, have always been uneasy with protecting information. Consider a six-story catalytic cracking tower full of high-pressure, high-temperature hydrocarbon liquids and gasses. Imagine we are standing in front of the cracker watching a technician carrying out routine maintenance. In front of us are two analog gauges reporting temperature and pressure, and a dial controlling the flow of fuel to the cracker’s furnace.

We look over our shoulder and notice that, outside the fence, someone is sitting with a telescope pointed at the gauges, taking notes. We tap the technician on the shoulder. “That person over there seems to be writing down our settings,” we say. “They are stealing information.” What does the technician do? They might call corporate security. Depending on policy, they might shrug their shoulders and go back to work. The consequence of stealing that information is a business consequence – it is somebody else’s problem.

Now imagine that the person behind the telescope cuts a hole in the fence, runs up to us, cranks the furnace fuel feed hard to the right, and runs away. What does the technician do? They scream for security. They run to the dial and return it immediately to the correct position. Over-heating the cracker risks damage to the catalyst and possibly a fire and an explosion.

The point here is that monitoring information that leaves the site is just information – with value comparable to the value of any other information in an IT network. All control information that enters the industrial site, however, is a potential threat. Calling both examples simply “attacks on information” and saying “encrypt everything to protect the information” ignores this fundamental difference.

“…monitoring information that leaves the site is just information – with value comparable to the value of any other information in an IT network. All control information that enters the industrial site, however, is a potential threat.”

Protect The Information?

In many, but not all, industries, the goal for most network engineers is not to “protect the information” but rather to prevent unacceptable physical consequences of cyber attacks. Universal connectivity lets monitoring information leave the plant, yes, but it also lets potentially dangerous control information enter the plant. Encryption provides no protection against a compromised cloud that sends attack information into the plant inside of an encrypted, authenticated connection.

Putting cryptographic and other protections in place for monitoring information that leaves the site makes sense. The business and societal consequences of an attacker stealing monitoring information are similar to the consequences of an attacker stealing other kinds of business information. Putting information-protecting mechanisms in place for control information is often woefully inadequate, because at many industrial sites the consequences of compromised controls are completely unacceptable.

Hope Is Not Good Engineering

Engineers are also uneasy with the focus on detect, respond, and recover activities. Hoping that we can detect attacks in progress and respond in time to prevent unacceptable physical consequences is not good engineering. Engineers do not “hope” their bridges will not collapse, nor “hope” that their 300-ton steam turbines will not shake themselves to pieces. Engineers design systems that simply do not fail in the face of a defined set of threats. That said, engineers do often monitor or periodically inspect their finished products to ensure that they are holding up as designed, but any engineer caught “crossing their fingers” in a design risks being drummed out of the profession.

To read further on network engineering solutions at IT/OT or OT/Internet criticality boundaries, request a free copy of the author’s latest book: Engineering-Grade OT Security: A manager’s guide.
