CD1501-LockKey

How to Stay Behind a Firewall Without Getting Burned

Jan. 5, 2015
A new BYOD solution for personal devices on the plant floor
About the Author:

Jeremy Pollard, CET, has been writing about technology and software issues for many years. Pollard has been involved in control system programming and training for more than 25 years.

Well, North Korea has certainly created a stir in the cybersecurity arena, hasn't it? How timely that I received a whitepaper from a data security firm, Route1, at around the same time.

In addition to Route1's paper, I also received another from Rockwell Automation almost simultaneously. These two pieces are a match made in heaven; more on that below.

What has happened with the Sony hack and its resulting fallout suggests that we could be in a world of hurt should the attackers' methods become public knowledge.

The Rockwell piece really sets things up. Our industry produces data—both real-time and operational. This data is our lifeblood, and, if it falls into the wrong hands, who knows what fate might befall the intellectual property of a breached organization?

Mike Hannah, author of the Rockwell paper, writes about the Connected Enterprise, in which companies respond to market and business challenges by utilizing big data as working capital.

Of course, Hannah discusses cloud computing and cloud-based data. This can include highly sensitive information such as recipes, code, and database privileges, all accessed from mobile devices. We use mobile devices for remote access to critical data every day, and Tony Busseri, CEO of Route1, has major concerns about our ability to protect that data.

Network Security

Route1 offers industry-hardened, military-grade security for accessing digital assets. We have all heard about the rise of data storage and access via personal devices, which has led to infiltrations of enterprise networks time and time again. This failure to secure mobile data is what Busseri laments most. He argues that relying on encryption of mobile data alone is inadequate, because that data must eventually be decrypted in order to be used. When you access stored enterprise data on your mobile device, that data has been decrypted and is completely exposed to cybercriminals and other malicious parties.

Would Nestle really want to know how Cadbury gets the caramel into the Caramilk bar?

Busseri notes that relying on a VPN approach for remote access to sensitive information is an Achilles' heel for data protection. And while BYOD and mobility are heralded for improving productivity, they also bring major risks to the table.

Lost or stolen mobile devices present a serious issue for an organization when they are used to store data or to access that data in an insecure manner. Relying on single-factor authentication, encryption or a VPN is simply not enough to secure mobile data, he suggests.

Why should you consider a more advanced mobile security solution? Because, as Busseri points out, when an unsecured mobile device is lost, so is any data residing on it.

He suggests that organizations must focus on protecting data, rather than devices, since the integrity of the endpoint — the mobile device — cannot be known. Any endpoint device can be used by a nefarious party to access the enterprise network, wreak havoc through malware and steal intellectual property or protected data.

Remember that flashlight application I have always talked about?

Most industrial security solutions utilize firewalls for perceived protection. Managing the firewall can become “touchy,” Busseri notes, due to inbound ports that more than likely have been left open and unsecured. Imagine a compromised personal device running amok on your network on the plant side of a firewall. This would undoubtedly lead to disastrous results.

So, in our industry, how do you protect critical data and the network while utilizing mobile devices?

According to Busseri, the best way to protect sensitive data is through the use of his company's MobiKey device, which is designed to ensure your data stays where it is supposed to — on the enterprise servers.

Remotely accessing corporate data with an unsecured personal device means that the integrity and management of the device cannot be guaranteed. Using MobiKey enables access to the enterprise network from the secure side of the firewall. It could also be used to securely connect to operations from the plant side of the firewall, depending on the network architecture of a particular organization.

Busseri implies that using multifactor authentication to connect a mobile device, through the secured firewall, to a target machine that already exists on the network, whether a SCADA/HMI node or a programming station, is a better solution than a password alone. Also, no data resides on the device, so none leaves the building, and the device never becomes a node on the network, which eliminates the risk of malware propagation or the theft of corporate information.

Remote access and bring-your-own-device (BYOD) strategies need to be implemented thoughtfully in order to protect your critical data. MobiKey is a solution that allows for these productivity-increasing practices without exposing your organization to serious cyber threats.

Rather clever.
