Simplifying OT and IIOT network security with the NetFoundry Cloud

NetFoundry has been working with companies providing IIoT solutions for smart factories, automated warehouses, connected supply chains, energy and utilities, agriculture, etc. NetFoundry helps secure the networks of the IIoT solution ecosystem. We also help industries secure networks for OT hardware and software automation systems such as PLCs, SCADA, DCS, etc. In this article, we'll discuss the common use cases in IIoT and OT and how NetFoundry secures the network while improving agility and scalability. If left unsecured, with IPs / ports listening on the internet, large IoT / OT networks can be compromised and become the source of cyber attacks.


The environment (diagram not reproduced in this text):


Securing workloads, providing secure remote access and management:

IIOT / OT networks are complex because of the distributed nature of gateways, the multitude of devices (protocols and operating systems), cloud platforms and various apps. With increasing reliance on digitization and automation, organizations want to improve network security for communication within and outside the site or factory, to stay protected from hackers and prevent unauthorized access. "The NetFoundry Cloud" uncomplicates the deployment and operation of IIOT and OT networks and helps improve security, scalability and agility with a software-only, embeddable and programmable Zero Trust, software-defined NaaS platform.


1. Secure, private and reliable communication from gateways or edge to any public or private cloud hosting the IOT / OT platform, enterprise apps or 3rd party solutions:

The primary use case for organizations is to secure the network for any data leaving or entering the factory or the site. The machines are connected via the LAN to the OT / IIOT gateways / edge. The gateways or edge run the NetFoundry edge router or tunneller software to initiate zero trust connections to apps, storage, APIs, etc. in the cloud. The public / private cloud data centers could be those of the OT / IIoT solution provider hosting the application, or the enterprise data center that hosts apps such as ERP, business apps, databases, etc. NetFoundry's edge routers can be deployed in a few minutes from public cloud marketplaces, or with VM images, a Docker Compose file, or a container image for Kubernetes. The router acts as a gateway for the OT / IOT devices to reach apps, storage, databases, APIs, etc. running in the private or public cloud.

In addition, NetFoundry can integrate with PaaS offerings (for example Azure Digital Twins) or any cloud solution provider that the enterprise or solution provider has to communicate with securely.

2. Device management and remote access to engineers for provisioning and ops:

OT / IIOT environments involve hundreds or thousands of devices, sensors and actuators. Many of them are network-ready and some of them are connected via an endpoint or gateway. The device management app or solution can establish a secure connection over the zero trust private network to the devices. Engineers working on the solution have to securely access consoles, local apps, SSH to the devices, etc. with the internet as the underlay. They have to be granted access to specific resources only and, at times, temporary access if they are from an external vendor involved in configuration, fault isolation or rectification.

NetFoundry provides a futuristic solution for highly secure zero trust network access for device management apps and engineers (within the organization or external to it). Administrators can onboard the engineers with or without integration with identity providers like Microsoft Azure. Temporary or permanent least privilege access can be provided with a combination of up to 5 different types of posture checks.


3. M2M communication within the factory or site:

Factories and estates spread over a large area that implement OT / IIOT require secure communication for the following reasons:

1. A wireless or wireline LAN network that needs to be secured from external actors

2. Lack of inherent security or encryption in the communication protocol, use of multiple protocols, outdated OS versions, etc.

3. Critical information or processes being accessed that have to be controlled and not available to everyone.

As depicted in the diagram above, the site may have one or more edge routers and multiple tunnellers. The tunnellers are deployed on OT devices or IIOT endpoints. The devices or machines are connected to these IIOT endpoints / OT gateways. These machines can establish secured zero trust access to each other or to apps within the factory via the NetFoundry edge router(s).

NetFoundry's mTLS, E2E encryption, certificates issued per identity and AppNets help provide highly secure, authenticated and authorized M2M communication.


The NetFoundry Cloud Software for IIOT / OT systems:

Edge Compute: 

Today's edge environments are either virtualized or containerized, running workloads locally on the hardware for efficient data processing, real-time decision making and to reduce the dependency on the internet for the functioning of the solutions at the site. NetFoundry provides various software options to embed zero trust software-defined overlay networks on the OT and IIoT edge. The edge hardware can be any x86, ARM or MIPS hardware running a Linux OS, virtualized as VMs, or containerized via Docker or Kubernetes. Large factories run the edge in their on-premise private cloud. The OT / IOT gateways connect to the edge on the north side and to hardware such as PLC / RTU / IPC or industrial servers and machines on the south side. The sensors and actuators are connected to these IIOT / OT hardware systems or directly to the gateways.

To secure the traffic leaving and entering the industrial site over the WAN, NetFoundry broadly offers two solution options:

1. The NetFoundry edge routers can be installed on the IOT / OT edge on VMs or containers. For large factories running a private virtualized environment on-prem, the routers can be installed on the VMs. Virtualization software such as VirtualBox can also be used to virtualize the IOT gateway or a single server to run the NetFoundry edge router. The edge router becomes a part of your network's fabric and can handle high volumes of data / sessions.

2. The NetFoundry tunnellers can be installed on the IOT / OT gateway or any host / VM / container involved in the IOT / OT solution. The only requirement is an OS such as Linux, Windows, etc. on which to install the NetFoundry tunneller.


IOT gateway or OT Gateway:

OT and IIoT electronics manufacturers, or enterprises implementing the solution, can embed NetFoundry's tunnellers or edge routers on the hardware deployed for their customers, such as IOT or OT gateways, IPCs, PLCs or any other industrial automation hardware. The choice of a router vs a tunneller is based on the required functionality, the traffic and sessions expected, the deployment architecture, etc., and the hardware specification such as CPU, RAM and storage. The tunnellers are available for Linux, Windows and other operating systems.


One platform, same software for multiple use cases and secure by design:

The use cases discussed above can be deployed within a single network on the NetFoundry cloud platform. Each network gets its own dedicated controller and global fabric. The same NetFoundry software, deployed across public and private clouds, the edge, IOT / OT gateways, user devices or anywhere else, can be used to implement all of the use cases. NetFoundry's edge software also allows a host to hold more than one identity and connect to multiple isolated networks. An organization implementing secure networks with NetFoundry gets the benefit of one solution for all needs vs multiple point solutions, bolted-on hardware or capex investments.

All use cases, apps or workloads using the NetFoundry Cloud benefit from our approach of "Secure By Design" and global reach.

  • No open inbound IPs or ports - The NetFoundry Cloud solution does not require customers to open any inbound ports or IPs anywhere. This makes the private overlay and the edge undiscoverable over the internet by bad actors.
  • No default access, and services with least privilege access - After authentication, any identity in the network must still be authorized to access a service (application, data or resource), and admins provision services granting just the required access (the service IP and port only, not the entire subnet(s) or an entire port range).
  • Micro-segmented networks - Each network can have multiple AppNets (service policies), which are the micro-segmented networks within the network. For example, AppNet 1 could be dedicated to the OT gateways connecting to the platform solution provider's cloud, and AppNet 2 to a list of engineers accessing specific devices from anywhere. Similarly, other AppNets can be provisioned for various use cases or workloads as needed.
  • Data plane and control plane communication on mTLS-based mutual trust - A key technology in the NetFoundry Cloud solution, and one that lets our customers establish mutual trust between communicating identities, is mutual TLS for both control plane and data plane communications. Trust is bootstrapped in the design, and certificate-based authentication drives the secure mTLS sessions.
  • E2E encrypted sessions - In addition to mTLS, E2E encryption via ChaCha20-Poly1305 ensures data is encrypted between the source and the destination.
  • Granular visibility - Metrics on granular utilization, service dial health, events, etc. provide the visibility admins and management need for operations, decision making and even chargeback to end customers.
  • Globally available fabric with smart routing - To overcome the internet's peering and performance issues, each NetFoundry network provides a global fabric that can be extended to any geographical location. Smart routing always prefers the best performing path within the fabric. The public routers of the fabric are managed by NetFoundry for the customer.
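To make the "no default access" and AppNet points above concrete, here is a small added Python model of that authorization logic (an illustration written for this article, not NetFoundry's code): services are single host:port targets, identities carry role attributes, and each AppNet is a service policy linking identity roles to service roles, with everything denied unless a policy grants it. All service names, roles and addresses below are constructed examples.

```python
from dataclasses import dataclass

# Constructed model: a service is one host and one port (never a subnet or
# port range), an identity carries role attributes, and a service policy
# (one per AppNet here) links identity roles to service roles.

@dataclass(frozen=True)
class Service:
    name: str
    host: str          # a single host, not a subnet
    port: int          # a single port, not a range
    roles: frozenset   # service attributes, e.g. {"platform"}

@dataclass(frozen=True)
class Identity:
    name: str
    roles: frozenset   # identity attributes, e.g. {"ot-gateway"}

@dataclass(frozen=True)
class ServicePolicy:
    appnet: str
    identity_roles: frozenset
    service_roles: frozenset

# Constructed sample inventory (hypothetical names and addresses).
SERVICES = [
    Service("platform-api", "10.0.50.10", 8443, frozenset({"platform"})),
    Service("plc-7-modbus", "192.168.7.7", 502, frozenset({"plc", "line-7"})),
    Service("plc-8-modbus", "192.168.7.8", 502, frozenset({"plc", "line-8"})),
]

POLICIES = [
    # AppNet 1: OT gateways may dial the solution provider's platform only.
    ServicePolicy("appnet-1", frozenset({"ot-gateway"}), frozenset({"platform"})),
    # AppNet 2: vendor engineers may dial the line-7 PLC only.
    ServicePolicy("appnet-2", frozenset({"vendor-engineer"}), frozenset({"line-7"})),
]

def authorized_targets(identity: Identity, services=SERVICES, policies=POLICIES):
    """Return the set of (host, port) this identity may dial; empty by default."""
    targets = set()
    for policy in policies:
        if not (identity.roles & policy.identity_roles):
            continue  # identity is not a member of this AppNet
        for svc in services:
            if svc.roles & policy.service_roles:
                targets.add((svc.host, svc.port))
    return targets

def can_dial(identity: Identity, host: str, port: int) -> bool:
    """Default deny: only an exact host and port granted by some policy is allowed."""
    return (host, port) in authorized_targets(identity)
```

An identity with no matching policy, or a request for a neighbouring host or port on the same subnet, is refused without any network-level reachability coming into play.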

A number of companies are benefiting from our solution to secure their IIoT / OT networks and improve reliability, scalability and business agility. One such company is Marposs, which set up the Marposs Digital Grid with NetFoundry.
