There is a large and growing volume of data generated within critical infrastructure operational technology (OT) environments. While OT networks are traditionally air-gapped for the highest level of security, that network separation prevents the exchange of mission-critical data with untrusted external networks like the cloud. Every connected asset, after all, represents a potential point of compromise for cyber adversaries, including nation-state attackers. But this OT separation prevents government agencies from pursuing cloud-enabled analytics, data storage, systems monitoring and other beneficial functions.
Software-based firewall solutions, the longtime default technology for network cybersecurity, unfortunately fail against today’s advanced persistent threats (APTs). For agencies to leverage the advantages of the cloud, they need a more secure way to transfer OT data without external routable access back into the OT network.
Agencies are deploying hardware-enforced, one-way data transfer solutions to securely transfer data to the cloud to monitor OT systems. Hardware-enforced solutions provide a higher level of security than software-based solutions and provide physical network separation, preventing threats from entering back into the OT network. Unlike software, hardware-enforced security does not require constant updating and patching. The “fixed” nature of this technology and its long shelf life also lower the financial burden of IT modernization initiatives while providing strong protection against sophisticated attacks.
From a regulatory and oversight perspective, several governing entities reinforce the value of this approach. The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) regulations allow for the use of data diodes for hardware-enforced network segmentation to meet regulatory guidance and controls. The Cybersecurity and Infrastructure Security Agency (CISA) recommends this approach for all OT networks within critical infrastructure and industrial organizations. And the Department of Homeland Security (CISA’s parent agency) offers pointed recommendations (Seven Strategies to Defend Industrial Control Systems [ICSs]) that support isolating ICS networks from any untrusted networks, and only allowing real-time external connectivity if there is a defined business requirement or control function. DHS further suggests that if one-way communication is required to accomplish a task, ICS operators should then use optical separation to enable it.
Best Practices for Implementing Secure Data Transfers from OT to the Cloud
Many commercial organizations already running critical infrastructure successfully use hardware-enforced security for OT-to-cloud connectivity. In fact, that market is projected to increase to $7.9 billion by 2028 (up from $3.1 billion in 2020). To cite one example, the Morning Star Packing Company – one of the largest agriculture processing facilities in California’s Central Valley – is deploying hardware-enforced security as part of its architecture. That enables the company to maintain its 30-plus-year air-gapped network status and transfer government compliance reporting data to the cloud while prohibiting back-channel connectivity.
Government agencies running OT and ICS systems can also leverage hardware-enforced security to achieve similar benefits. When planning their approach, here are a few best practices for agencies to keep in mind:
- Per DHS recommendation, convert all necessary external OT connections to a one-way out architecture. This can only be achieved through hardware-enforced technology.
- Transfer data to the cloud utilizing protocols like MQTT.
- Protect the source OT network and prevent threats from entering back in through data transfers. Hardware-enforced technology removes all header information so the identity of the source network is protected and not shared outside of the network.
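As an added example, not code from the article or from any product it mentions, the following Python models the application-aware check that sits in front of a one-way link when MQTT is the transfer protocol: only QoS 0 PUBLISH packets to allow-listed topics are admitted, because QoS 1 and 2 need acknowledgements flowing back into OT, which a one-way link cannot carry, and any other packet type or malformed frame is dropped. The topics, the payload bound and the sample traffic are constructed for illustration; the hardware separation itself is what the diode provides and is not modelled here.

```python
"""Added example (not the article's or any vendor's code): the application-aware check a
one-way gateway's proxy applies to MQTT 3.1.1 traffic leaving the OT network."""

ALLOWED_TOPICS = {"plant/line1/telemetry", "plant/line1/alarms"}  # constructed allow-list
MAX_PAYLOAD = 1024  # constructed bound; size it to the real telemetry schema
PUBLISH = 3  # MQTT control packet type, carried in the high nibble of the first byte

def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 bits per byte, high bit set means 'more follows'."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def decode_remaining_length(data: bytes, pos: int) -> "tuple[int, int] | None":
    """Inverse of the above: (value, position after the field), or None if malformed."""
    value, mult = 0, 1
    for _ in range(4):  # the spec caps the field at four bytes
        if pos >= len(data):
            return None
        byte, pos = data[pos], pos + 1
        value += (byte & 0x7F) * mult
        if not byte & 0x80:
            return value, pos
        mult *= 128
    return None

def build_publish(topic: str, payload: bytes) -> bytes:
    """Encode a minimal QoS 0 PUBLISH packet; used here only to construct sample traffic."""
    t = topic.encode()
    body = len(t).to_bytes(2, "big") + t + payload
    return bytes([PUBLISH << 4]) + encode_remaining_length(len(body)) + body

def filter_packet(packet: bytes) -> "tuple[str, bytes] | None":
    """Return (topic, payload) for a packet that may cross the link, None for one to drop."""
    # Only PUBLISH at QoS 0 is admissible: QoS 1/2 need a PUBACK/PUBREC flowing back into
    # OT, and CONNECT/SUBSCRIBE/PING have no business on an outbound-only feed.
    if len(packet) < 2 or packet[0] >> 4 != PUBLISH or (packet[0] >> 1) & 3 != 0:
        return None
    remaining, pos = decode_remaining_length(packet, 1) or (0, 0)  # (0, 0) fails below
    if pos + remaining != len(packet) or remaining < 2:
        return None  # truncated frame or trailing bytes: reject rather than guess
    topic_len, pos = int.from_bytes(packet[pos:pos + 2], "big"), pos + 2
    topic = packet[pos:pos + topic_len].decode("utf-8", "replace")  # bad UTF-8 never matches
    payload = packet[pos + topic_len:]
    if pos + topic_len > len(packet) or topic not in ALLOWED_TOPICS or len(payload) > MAX_PAYLOAD:
        return None
    return topic, payload
```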
Embracing the Cloud – Securely
While there are many benefits to utilizing the cloud, cloud-connected OT and ICS devices break traditional OT security models. The rapid proliferation of smart devices being adopted in critical infrastructure environments demands a new connectivity and security paradigm based on controlling data flow and enforcing application-aware protocols. A hardware-enforced security approach, when implemented according to proven design patterns, can preserve the integrity of an air-gapped environment, providing a path for agencies to maximize OT performance and efficiency in the cloud while minimizing risk.