One Open Firewall Port is One Too Many

The buzz about Industrial IoT and Industrie 4.0 all sounds good. Using production data to improve operations and boost profits is fine, but a big question looms: what about security? How can you access live production data and still keep the plant secure?

Until recently, this has not been an easy question to answer, because getting data out of a production system has typically meant opening at least one inbound firewall port. Like a drain hole in a boat's hull, one open port is one too many. Port scanning is incessant, and an inbound port exposes whatever service is listening behind it: any flaw in that service, or any weak credential it accepts, is now reachable from the outside, and a foothold on that host is a foothold inside the plant.

The problem is that industrial systems typically use client/server connections: the client requests data and the server answers. When both sit on the same network, behind the same firewall, all is fine. When the client is outside the plant, it cannot reach the server without an inbound firewall rule that lets its connection in. Most industrial data networking protocols, including classic OPC UA client/server, work this way and have this problem. (Newer OPC UA versions add a reverse-connect option in which the server opens the TCP connection outward to the client, which addresses the same issue where both ends support it, but the inbound model is still the common case.)

The most common work-around is a VPN. This may seem safe, as if the client were being brought inside the secure environment of the plant. In practice it is the other way around: a VPN extends the plant's security perimeter to include the client, so the plant now inherits whatever risks the client machine carries. The WannaCry ransomware worm of 2017 is the standard illustration. It spread using EternalBlue, an exploit for Windows SMBv1 (patched as MS17-010) that was widely attributed to the NSA and leaked by the Shadow Brokers, and it infected every unpatched Windows host it could reach on TCP port 445. A VPN tunnel provides exactly that reachability, so an infected laptop on a plant VPN is inside the plant as far as the worm is concerned. Lateral movement of this kind over flat networks and VPN links remains a serious threat today.

A better solution is to make every plant connection outbound-only, so that no inbound firewall port needs to be open at all. This is how Skkynet's Cogent DataHub works. A DataHub inside the plant connects locally to the OPC server (or other data source) and then makes an outbound connection through the firewall to a DataHub running in a DMZ, or to a DataHub connected directly to the client. Once established, that connection carries bi-directional, real-time data, with thousands of tag changes per second; it recovers quickly from network breaks and has no impact on the working system. Note that outbound-only describes the firewall rules, not the data flow: the same plant-initiated connection carries writes back into the plant, so the link should be authenticated and encrypted, and the plant side should restrict which tags an external client is allowed to write.
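To make the outbound-only pattern concrete, here is an added demonstration in Python. It is not Cogent DataHub code and makes no claim about how DataHub is implemented. A relay process standing in for the DMZ owns both listening sockets; the plant-side agent and the outside client are both connect-only, so neither needs an inbound firewall rule, and the single plant-initiated TCP connection carries tag updates out and write requests back in. Ports are picked by the OS on localhost, and the tag names, values and write allowlist are constructed for the demo.

```python
# Added example (not Cogent DataHub code): an outbound-only tunnel through a DMZ relay.
# Hostnames, ports, tag names and values are constructed for the demo.
import json
import socket
import threading


def _send_line(sock, obj):
    sock.sendall((json.dumps(obj) + "\n").encode())


def _read_lines(sock):
    """Yield newline-delimited JSON objects from a socket until it closes."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return
        buf += chunk
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            if line:
                yield json.loads(line)


class DmzRelay:
    """Runs in the DMZ. Both listening sockets live here, none inside the plant:
    plant agents dial out to plant_port, outside clients dial in to client_port."""

    def __init__(self, host="127.0.0.1"):
        self._lock = threading.Lock()
        self._agents, self._clients = [], []
        plant_srv, client_srv = self._listen(host), self._listen(host)
        self.plant_port = plant_srv.getsockname()[1]
        self.client_port = client_srv.getsockname()[1]
        for srv, mine, peers in ((plant_srv, self._agents, self._clients),
                                 (client_srv, self._clients, self._agents)):
            threading.Thread(target=self._accept, args=(srv, mine, peers), daemon=True).start()

    @staticmethod
    def _listen(host):
        srv = socket.socket()
        srv.bind((host, 0))  # port 0: let the OS pick a free port
        srv.listen()
        return srv

    def _accept(self, srv, mine, peers):
        while True:
            conn, _ = srv.accept()
            with self._lock:
                mine.append(conn)
            _send_line(conn, {"type": "hello"})  # tells the peer it is registered
            threading.Thread(target=self._pump, args=(conn, mine, peers), daemon=True).start()

    def _pump(self, conn, mine, peers):
        """Forward every message from one side to every connection on the other side."""
        try:
            for msg in _read_lines(conn):
                with self._lock:
                    targets = list(peers)
                for target in targets:
                    _send_line(target, msg)
        finally:
            with self._lock:
                if conn in mine:
                    mine.remove(conn)
            conn.close()


class Endpoint:
    """Connect-only peer: it never calls listen(), so the firewall in front of it
    needs no inbound rule. Used for both the plant agent and the outside client."""

    def __init__(self, port, host="127.0.0.1", timeout=5.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self._lines = _read_lines(self.sock)
        if next(self._lines) != {"type": "hello"}:
            raise RuntimeError("relay did not acknowledge the connection")

    def send(self, msg):
        _send_line(self.sock, msg)

    def recv(self):
        return next(self._lines)


class PlantAgent(Endpoint):
    """Sits inside the plant, reads the local data source, and dials out to the DMZ.
    The tunnel is bi-directional, so writes coming back in are checked against an allowlist."""

    WRITABLE = {"Pump1.Setpoint"}  # constructed: the only tag an outside client may write

    def __init__(self, port, tags):
        super().__init__(port)
        self.tags = dict(tags)  # constructed sample tag table

    def publish(self, name, value):
        self.tags[name] = value
        self.send({"type": "update", "tag": name, "value": value})

    def handle_write(self):
        """Apply one inbound write request if, and only if, the tag is on the allowlist."""
        req = self.recv()
        accepted = req.get("type") == "write" and req.get("tag") in self.WRITABLE
        if accepted:
            self.tags[req["tag"]] = req["value"]
        self.send({"type": "write_ack", "tag": req.get("tag"), "accepted": accepted})
        return accepted


if __name__ == "__main__":
    relay = DmzRelay()
    client = Endpoint(relay.client_port)                       # outside client, dials in to the DMZ
    agent = PlantAgent(relay.plant_port, {"Pump1.Flow": 0.0})  # plant side, dials out to the DMZ
    agent.publish("Pump1.Flow", 12.5)
    print("client saw:", client.recv())
    client.send({"type": "write", "tag": "Pump1.Flow", "value": 999})
    print("write accepted:", agent.handle_write())            # False: Pump1.Flow is not writable
```

Running the file prints the update as the outside client sees it, then the rejected write. The point of the allowlist in PlantAgent is that "outbound-only" is a statement about firewall rules, not about data direction: the relay forwards write requests down the plant's own outbound connection, so the plant side, not the firewall, decides what it will accept. A real deployment would also authenticate both peers at the relay and run each leg over TLS.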

In addition to closing all inbound firewall ports at the plant boundary, the same technique can be used to contain intrusions at zone firewalls, edge gateways, and device firewalls. Wherever there is a firewall, the connections through it can be made outbound-only, leaving no listening service exposed on the protected side. This is essential to any Industrie 4.0 or IIoT implementation, because even one open firewall port is one too many.