The central concept behind the initiatives of “Industrial IoT”, “Industrial Automation”, and “Industry 4.0” shares a similar characteristic – establishing OT and IT convergence by interconnecting all the sensor, devices and equipment through mainstream communication protocols such as Industrial Ethernet and Internet protocol. However, the convergence has made OT networks vulnerable towards cyber threats, as security loopholes are exposed and intruders may attack directly through IT networks. Therefore, in order to ensure uptimes for IT/OT converged production system in the smart factory, it is critical to conduct comprehensive forensic analysis regarding ICS network vulnerability and perform early detection of abnormal events or unauthorized access that could lead to system downtimes and the derived expensive costs.
A European industrial firewall maker contacted Lanner to come up with a robust security appliance that monitors and visualizes the entire data flow traveling the networks, and performs self-learning to dynamically analyze the traffic patterns in order to fulfill industrial DPI (Deep Packet Inspection) to detect unauthorized events in a real-time manner. There are certain technological requirements demanded:
Power efficient processor
As deployed in usually unmanned, isolated and harsh environments, power efficiency is one of the main considerations for the security appliance discussed.
ICS systems are deployed at power substations, smart grid, power plants, and oil and gas sectors, the security appliance must comply with IEC-61850-3 in order to endure any potential environmental factors.
Rich and Protected LAN and COM ports
Electrical uncertainty, such as surge, may occur in critical infrastructures. Thus, the I/O ports connected with peripheral equipments, like LAN and COM ports, must be designed with isolated and ESD protection.
Advanced LAN Bypass
Unexpected downtime may occur in harsh environments. Therefore, it is necessary to have a fault-tolerance mechanism for LAN connections.
The environments in critical infrastructures may vary and therefore the needed I/O connections, such as Gigabit LAN, SFP fiber or PoE ports, shall be configurable or customizable depending on the application scenarios.
DIN Rail mounting option
In an industrial setting, DIN Rail mount is one of the most used mounting standards.
Lanner, with a wide reputation and long-experience in design quality and responsive customization capability, provides robust industrial security appliances that can analyze data traffic, learn the patterns and protect the network with 24/7 anomaly detection in real-time. The solution series by Lanner provide multi-layer, in-depth defense, and forensic-based analysis, to protect critical assets through segmentation, protocol inspection, white-listing and command blocking.
LEC-6032 series, the recommended solutions by Lanner in this case, consists of compact fanless industrial security appliances empowered by the low-power Intel® Atom™ E3845 SoC. Regarding deployments in unmanned harsh environments where electrical uncertainty and network interruptions may occur, LEC-6032 series is designed with ESD/surge COM ports and LAN Bypass fault-tolerance function. LEC-6032 series also supports extended operating temperature from -40 ºC to 70 ºC.
In terms of I/O configuration, LEC-6032 series is offered in various customizable models with versatile LAN and COM options. For instance, LEC-6032C (model C) provides two Gigabit SFP fiber ports, while LEC-6032F (model F) comes with four Gigabit SFP fiber ports. Due to its DIN Rail design, LEC-6032 series is optimized for securing ICS and SCADA networks.
For the IT infrastructure, Lanner’s NCA-4210 is empowered by Intel® 6th/7th Gen. Core-i7/i5/i3 CPU (formerly Skylake/Kabylake) and DDR4 memory with ECC data integrity capability. NCA-4210 is designed with 2 DDR4 DIMM sockets with each supporting up to 32GB. The adoption of Intel® H110 or C236 series chipset as the new PCH brings up a huge upgrade for PCI Express. Regarding expansion, NCA-4210 is designed with a NIC module expansion slot to expand bandwidth.