A secure internet gateway is an essential component of a safe entry point into critical infrastructure. It helps to protect operational technology (OT) infrastructure from online threats by filtering internet-bound traffic, which is why security standards call for one. All relevant security standards, such as IEC 62443, the BSI standards and the NIST SP 800 series, demand that access to critical OT infrastructure be secured.
These standards not only recommend a secure web gateway or connection; they also call for a company to implement a demilitarized zone (DMZ) for additional OT protection. Simply put, a DMZ is a physical or logical network segment that separates a local area network (LAN) from other untrusted networks, acting as a buffer zone between the public internet and the private network. All inbound network packets are screened by a firewall or other security appliance before they reach the servers hosted in the DMZ.
Operators require appropriate software to follow these cybersecurity measures — but where do they start?
Revamping existing systems
A secure internet gateway can be implemented without negatively impacting existing systems, such as human machine interfaces (HMIs) and supervisory control and data acquisition (SCADA). This is particularly relevant to users in a brownfield environment, where new software must be added to existing — and often ageing — infrastructure without causing interference.
A web gateway, such as one placed in a DMZ, also needs to support other commonly accepted security standards, such as transport layer security (TLS) encryption and digital authentication methods. It must integrate seamlessly into the existing infrastructure while supporting different deployment models, from a native local installation to a containerized option.
Containerization simplifies administration and is a further step towards making systems secure. Container security means applying tools and policies to ensure that the container infrastructure, the applications and the other container components are protected. Applications run in isolated user spaces, called containers, which share the same operating system (OS).
With software like COPA-DATA’s zenon IIoT Services, this is straightforward to implement in brownfield applications. Its design allows access to data without impacting existing infrastructure, which is particularly crucial for energy grids and other infrastructures that contain legacy equipment.
This approach can also help to prevent a malicious denial of service (DoS) from blocking an operator’s access to information systems, devices or other network resources.
Up to the standard
Scenarios like this are recognized in the security industry standards and must be supported by software.
Continuing with our aforementioned example, COPA-DATA’s zenon IIoT Services communicates using certificate-based TLS connections, ensuring secure transmission of information, even over public networks. Here, the software’s Identity Service handles data flows and access rights over the web, which is crucial for a secure web gateway.
The Identity Service does this by enforcing project-specific security standards and checking every connection request from IIoT Services by zenon. It also includes a web-based interface for configuring access clients, user roles and access rights.
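To make the certificate-based TLS check described above concrete, here is an added example in Go; it is illustration code written for this page, not code from zenon IIoT Services or COPA-DATA. It builds a throwaway CA in memory, starts a loopback gateway that only completes the handshake for clients presenting a certificate chained to that CA, and records the gateway's verdict for three attempts: a client certificate issued by the trusted CA, no client certificate at all, and a certificate from an unrelated CA. All names (`ot-gateway-ca`, `ops-client`, `rogue-client`), keys and certificates are constructed fixtures.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must panics on error; fine for the fixture-building parts of this example.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue builds a certificate for cn, self-signed when parent is nil (a CA) or
// signed by parent otherwise. All keys and certificates are in-memory fixtures
// constructed for this example.
func issue(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // the gateway is reached on loopback
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent was given
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// Fixture is the constructed PKI: the gateway's trusted CA pool, its own certificate,
// a client certificate from that CA, and one from an unrelated CA it must refuse.
type Fixture struct {
	Trusted               *x509.CertPool
	Server, Client, Rogue tls.Certificate
}

func NewFixture() *Fixture {
	ca, other := issue("ot-gateway-ca", true, nil), issue("unrelated-ca", true, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	return &Fixture{Trusted: pool, Server: issue("gateway", false, &ca),
		Client: issue("ops-client", false, &ca), Rogue: issue("rogue-client", false, &other)}
}

// Verdict is what the gateway recorded for one connection attempt.
type Verdict struct {
	Accepted         bool
	ClientCN, Reason string
}

// attempt runs a one-shot gateway listener that requires a client certificate chained
// to fx.Trusted, connects to it presenting clientCerts (none = anonymous) and returns
// the gateway's verdict. The gateway is the source of truth: under TLS 1.3 a rejected
// client may only learn of the rejection on its first read, not from Dial itself.
func attempt(fx *Fixture, clientCerts ...tls.Certificate) Verdict {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{fx.Server},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: fx.Trusted, MinVersion: tls.VersionTLS12}))
	defer ln.Close()
	go func() { // the connecting client; its own view of the outcome is not consulted
		cfg := &tls.Config{RootCAs: fx.Trusted, MinVersion: tls.VersionTLS12, Certificates: clientCerts}
		if conn, err := tls.Dial("tcp", ln.Addr().String(), cfg); err == nil {
			conn.Read(make([]byte, 2)) // drives the handshake to completion
			conn.Close()
		}
	}()
	conn := must(ln.Accept()).(*tls.Conn)
	defer conn.Close()
	if err := conn.Handshake(); err != nil { // fails unless a certificate chained to fx.Trusted was presented
		return Verdict{Reason: err.Error()}
	}
	conn.Write([]byte("ok"))
	return Verdict{Accepted: true, ClientCN: conn.ConnectionState().PeerCertificates[0].Subject.CommonName}
}

func main() {
	fx := NewFixture()
	fmt.Printf("%+v\n%+v\n%+v\n", attempt(fx, fx.Client), attempt(fx), attempt(fx, fx.Rogue))
}
```

Two settings do the work: `ClientCAs` is the gateway's trust anchor, and `ClientAuth: tls.RequireAndVerifyClientCert` turns an encrypted connection into an authenticated one, so that an unauthenticated or wrongly-issued certificate never reaches the application layer where access rights are decided. In a real deployment the CA and certificates come from the organization's own PKI rather than being generated in memory, and the `Reason` string is what you would expect to see in the gateway's logs for rejected connections.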
Greater protection and a higher level of sophistication are necessary in cybersecurity measures for the energy sector. With the right software, adhering to industry standards and providing a more secure internet gateway, users can protect their critical OT infrastructure and significantly reduce the number of cybersecurity attacks.
Check out our software, zenon IIoT Services, for a more secure internet gateway.