An Energy Company’s Approach to Proactive Critical Infrastructure Security

Recent headlines show that threats to critical infrastructure are accelerating. Adversaries’ offensive capabilities currently exceed industry’s traditional defenses, creating a need to increase plant security while keeping pace with modern business demands.

When computers were first used to run Operational Technology (OT), systems like valves, pumps, and actuators were analog and isolated. Since they couldn’t be remotely reached, operators saw no need to put security infrastructure in place.

As OT environments evolved, digital replaced analog. Networks and systems integral to business performance (such as cloud analytics and remote monitoring) also evolved outside the plant. Traditionally, those OT environments tended to be air gapped to separate them from external threats. While that may have kept the OT secure, it denied operators the business continuity benefits made possible through today’s open IT architectures—cloud services, distributed workers, and productivity and efficiency gains―only enabled by connecting the plant, but unfortunately simultaneously increasing plant vulnerability and risk.

Hardware-based data diodes offer operators a way to address this dilemma, offering defensive capability while allowing operators to take advantage of the business benefits of digitization. Different from firewalls and other inherently vulnerable software-based technologies, data diodes use hardware components to create one-way only data streams. Data diodes allow segmented systems to maintain their strict defensive posture while safely delivering operational data to users outside the plant. Using special protocol proxies, data diode systems can even support bi-directional industrial data protocols such as OPC, Modbus, and MQTT to transfer that data to outside sources.

One Company’s Journey

Given today’s increased threat level, a large North American energy company decided to proactively use data diodes as a critical component of its defense-in-depth strategy. The security architecture development was guided by a segmentation assessment to see what critical control systems could be modified to work in a one-way only mode―broadcasting data without expecting confirmation. That model fits with U.S. Department of Homeland Security guidance to convert as many connections as possible to hardware one-way only paths, and then focus defenses on communication that must remain two-way.

Since OT systems couldn’t be remotely reached, operators saw no need to put security infrastructure in place.

The company conducted a risk assessment to identify vulnerabilities. It then explored cost, value, threats, and controls needed to mitigate the risks. By shifting to isolation using hardware separation, it found that fewer additional controls were required.

A team for the company identified 52 unique existing connections that bridge operations to their IT network, and assessed what the impacts would be if any one of them were eliminated. After evaluating its ability to sustain plant operations in an isolated state, the team concluded that with a well-designed architecture using data diodes to separate OT from IT, the company could sustain an attack and maintain operations with minimal or no impact.

When the isolation analysis was complete, the company engaged an internal team involving all stakeholders before development began. That included its network team, application team and the application owners, security team, project team, the Security Operations Center (SOC), compliance team, and data exchange owners. The collaborative approach yielded a unified solution that met everyone’s needs.

The company’s chosen architecture would require separating the company from the Internet via data diodes. The internal team created a list of 50 requirements, plus dozens of details that a solution vendor would need to address, as its basis for an RFP supporting a specific solution vision. 

The proposal process led to determining the best fit from a use case perspective: which protocols, how much data, flows of the data to the end user, and where the diodes needed to fit into the architecture. Additional systems like virtual machines were needed for creating redundant paths, including a main and a secondary connection for each facility, with a primary and a backup connection for both. The proposal also addressed configuration considerations, like how many pipelines and channels were needed, what kind of data routing changes to configure, how to redesign the company’s SFTP servers, and how to undertake compliance classification. The last step was to conduct thorough regression, functionality, and security and user acceptance testing.

It was an exhaustive process that took many months, which shows that while it’s essential, strong security takes careful thought and hard work. As the nuclear industry learned long ago, true security improvement is found in isolating the highest value systems from the risks found on the Internet. A proactive approach today can prevent unexpected alarms and keep critical infrastructure running safely and reliably tomorrow.

Brian Romansky is chief innovation officer of Owl Cyber Defense. He has more than 25 years’ experience in security technology and innovation in automotive security, payment systems, healthcare, and logistics. As chief innovation officer for Owl, he is focused on shaping and executing the company’s growth strategy through advanced technology development and entry into new markets. Romansky formerly served as a product manager and technical expert for the U.S. Department of Transportation SCMS V2X initiative while at Escrypt and as senior director of corporate innovation at Pitney Bowes. He holds Master of Science degrees in Electrical Engineering and R&D Management from Rensselaer Polytechnic Institute and is an inventor on 25 U.S. patents.