Brian Romansky is chief innovation officer at Owl Cyber Defense.
Tell us about your company’s state-of-the-art industrial-networking technology.
Brian Romansky, chief innovation officer, Owl Cyber Defense: A critical best practice for network cybersecurity is effective segmentation and defense in depth. This is particularly important for critical infrastructure where the most important assets were historically air-gapped and isolated from the outside world. Owl has a full suite of advanced security solutions for industrial control networks that enable the flow of high-value information without introducing risk. Our technology is based on best practices and guidelines that we learn from our work with defense and intelligence customers who are facing threats from nation-state level actors. We have developed expertise in adapting the same solutions to apply to industrial and critical infrastructure systems in a way that is practical to deploy at scale. Our latest IXD appliance brings the powerful capabilities of a military-grade “Cross Domain” solution to the industrial market for the first time. At the other extreme is our new line of embedded technology that can deliver advanced, high-speed packet inspection and segmentation in a small, low-power module that can be embedded into the design of many existing and new industrial control systems and peripherals to bring advanced security down to the level of individual components.
What have been the biggest improvements to industrial-networking technology in the past five years?
Brian Romansky, chief innovation officer, Owl Cyber Defense: The most effective trend that we are tracking is the move toward hardware-enforced security. This shift is motivated by the realization that in spite of decades of research and continuous improvement, we still see a continuous stream of devastating zero-day exploits against software systems. The move to hardware-based security brings a whole new level of security assurance along with higher performance and reliability. A simple form of hardware security is the use of an optical emitter and receiver to create a dedicated one-way transfer mechanism. When combined with intelligent proxy servers, this forms an effective data diode that can enforce the one-way flow of machine data with the confidence that there is no way for a software exploit or configuration change to accidentally or maliciously allow data to flow in the opposite direction. A more advanced example is the use of advanced packet inspection and validation in a field-programmable gate array (FPGA). When designed and implemented correctly, these systems can ensure that there is no way for malicious data to re-program the FPGA or change the filter policy.
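The proxy-server side of the data diode described above, as an added illustration that is not Owl's code: because the hardware link carries frames in one direction only, the receiving proxy can never acknowledge or request a retransmission, so the sending proxy numbers and hashes each historian tag update and sends it redundantly, while the receiver validates integrity, drops duplicate copies and records gaps for operators. The frame layout, tag names and values are constructed for this example.

```python
import hashlib
import json
import struct

# Constructed frame layout: 4-byte big-endian sequence number,
# 32-byte SHA-256 over (sequence + payload), then the JSON payload.
HEADER_LEN = 4 + 32


def frame(seq: int, payload: bytes) -> bytes:
    """Sending proxy: wrap one payload in a self-checking frame."""
    header = struct.pack(">I", seq)
    return header + hashlib.sha256(header + payload).digest() + payload


def send_tags(tags: list, redundancy: int = 2) -> list:
    """Sending proxy: emit each tag update `redundancy` times, since
    the one-way link offers no way to learn that a copy was lost."""
    frames = []
    for seq, tag in enumerate(tags):
        f = frame(seq, json.dumps(tag, sort_keys=True).encode())
        frames.extend([f] * redundancy)
    return frames


class ReceiverProxy:
    """Receiving proxy on the protected-to-external side of the diode."""

    def __init__(self):
        self.next_seq = 0   # sequence number expected next
        self.tags = []      # accepted tag updates, in order
        self.gaps = []      # (first, last) sequence ranges never received
        self.rejected = 0   # frames failing length or integrity checks

    def receive(self, f: bytes) -> None:
        if len(f) < HEADER_LEN:
            self.rejected += 1
            return
        seq = struct.unpack(">I", f[:4])[0]
        digest, payload = f[4:HEADER_LEN], f[HEADER_LEN:]
        if hashlib.sha256(f[:4] + payload).digest() != digest:
            self.rejected += 1          # corrupted or forged frame
            return
        if seq < self.next_seq:
            return                      # redundant copy already accepted
        if seq > self.next_seq:
            # Every copy of the skipped frames was lost; with no return
            # path this can only be logged, not repaired by retransmission.
            self.gaps.append((self.next_seq, seq - 1))
        self.tags.append(json.loads(payload))
        self.next_seq = seq + 1


def simulate(drop: set) -> ReceiverProxy:
    """Push constructed tag updates across the link, dropping frames
    whose position is in `drop`, and return the receiver's state."""
    sample = [{"tag": "PUMP1.FLOW", "v": 12.5},
              {"tag": "PUMP1.TEMP", "v": 71.0},
              {"tag": "VALVE3.POS", "v": 0.4}]
    rx = ReceiverProxy()
    for i, f in enumerate(send_tags(sample)):
        if i not in drop:
            rx.receive(f)
    return rx
```

Losing one copy of a frame is absorbed by the redundancy; losing both copies shows up as a gap the receiver can only report, which is the operational trade-off of a true one-way path.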
What’s the most innovative or efficient industrial-networking technology application you’ve ever seen or been involved with?
Brian Romansky, chief innovation officer, Owl Cyber Defense: One approach to industrial networking that solves a wide variety of data-sharing challenges is the secure replication of historian data. Most industrial networks already use a real-time historian to capture and record vast amounts of high-speed sensor data from all of their critical systems. In most plants, there are one or more local historians that serve as the official system of record that can provide a reliable and accurate snapshot of everything that has happened in the plant. These same systems also hold all of the valuable data needed for enabling advanced analysis and business process integration. However, allowing remote systems or partner networks to have direct access to that critical historian comes with high risk that historical data might be modified. The best practice is to make a safe copy of the historian by replicating the data tags through a secure gateway appliance. The copied data can be hosted in the cloud or even shared with select partners to drive business operations, given to suppliers to monitor their equipment or used to drive advanced machine and process analytics. Secure replication of historian data can unlock the value of data that was previously trapped in a plant and enable high-value applications in the near-term and prepare plants for the future.
How has industrial-networking technology benefitted from remote monitoring and connectivity?
Brian Romansky, chief innovation officer, Owl Cyber Defense: Remote monitoring has enabled a wide variety of new applications for improving reliability, performance and security for industrial systems. When data is delivered using a hardware-enforced one-way delivery mechanism, machine data can be safely delivered out of an OT environment without introducing new security risks against the protected asset. This approach has been used to enable condition monitoring and predictive maintenance and scheduled downtime. In the most advanced case, replacement parts can even be identified and delivered to a site just in time to meet up with a maintenance technician at the start of a scheduled repair cycle. Insight about the machine condition can enable the technician to immediately address important issues. Another use case is security monitoring. The same technology can allow the flow of network monitoring data to a central security-monitoring console or intrusion-detection platform to provide early warning if there is suspicious behavior on a protected network segment. Here again, the use of hardware-enforced flow control and filtering can allow security monitoring data to flow through an approved path without introducing the threat of the monitoring connection being used as a back door into the network.
Can you explain how software development has changed industrial-networking technology design and production?
Brian Romansky, chief innovation officer, Owl Cyber Defense: Software development has certainly accelerated for industrial systems. Modern systems often utilize advanced operating systems that can enable many complex operations and new protocols. However, this complexity increases the attack surface that can be exploited by malicious actors. Our approach to this is to introduce hardware-based solutions that focus on specific security functions. Our latest line of FPGA-based security technology can perform advanced packet validation and enforcement at line rates to protect potentially vulnerable software systems against a wide variety of network attacks. Advances in tools and architectures for FPGA development have enabled much more advanced processing that can now be done entirely in hardware, which is less vulnerable to the classes of attacks that are typically used to exploit software systems.
How do industrial-networking technologies figure into digital-twin platform models being used by manufacturers?
Brian Romansky, chief innovation officer, Owl Cyber Defense: The term “digital twin” is used quite broadly to describe a wide variety of different use cases. We typically focus on the notion of a machine-simulation style of digital twin where a complex model is used to run a simulation of a physical system. In cases where the model can be continuously updated using real measurements taken from the actual system, the model can track even subtle changes in the performance and condition of individual components. This technique enables advanced analysis of machine performance and utilization, early detection of wear ahead of future failures, and business-process integration based on real-system efficiency. Typically, this type of advanced digital-twin simulation requires the type of high-performance computing and AI analysis that can only be delivered by cloud-hosted resources. Therefore, the safe delivery of metrics data from a critical asset out to the cloud hosting platform is a key enabler for this approach to work. Hardware-enforced network segmentation and flow control are making this possible.
When will industrial-networking technology become IT-friendly enough that engineers are no longer required for installation and operation?
Brian Romansky, chief innovation officer, Owl Cyber Defense: For far too long, industrial systems have relied on highly trained, specialist operators and systems integrators to handle complex protocols and troubleshoot issues buried deep in legacy systems. Modern industrial equipment is taking advantage of additional computing capacity and more advanced software to deliver systems that can better adapt to a complex environment, allowing process engineers to focus on the value-added workflow, rather than dealing with networking issues. Network segmentation and monitoring facilitate this change by safely allowing for monitoring data to flow to a central point for integration and analysis. At Owl, we are investing a significant amount of our ongoing R&D into making our systems easier to configure and manage in order to support large-scale deployments.
What future innovations will impact the use of industrial-networking technology in discrete-manufacturing operations?
Brian Romansky, chief innovation officer, Owl Cyber Defense: Increasing dependence on cloud-hosted applications and the proliferation of business-process integration through cloud-based brokers is driving demand for increased connectivity and the flow of data from critical systems out over the Internet. At the same time, the prevalence of ransomware and the looming threat of nation-state level attacks are raising concerns over connectivity. Technology that can navigate the balance of delivering valuable data while also providing exceptional protection against all forms of remote or network-based attacks will continue to grow in prominence as these competing trends continue over time.