Background
Utility production sites such as oilfields, petroleum refineries, and offshore gas drilling platforms have become increasingly digitalized and connected. Deployed devices such as PLCs, HMIs, SCADA systems, sensors and embedded computing systems are interconnected operational technologies (OT) that optimize automation and production. Although digitalization and interconnection of OT devices have increased productivity and output for the oil and gas industry, they have also opened the door to cyber attacks. The number of cyber attacks on utility production industries has been rising continuously. According to research, over 60% of utility companies have encountered at least one attack in past years, and the petroleum industry is listed as one of the industries most targeted by cyber attacks.
Since oil and gas are two major utilities for daily life, critical assets like refineries, production plants, and installation sites are high-profile targets for hackers. If these OT environments are attacked, serious consequences include plant shutdown, production failure, and interception of confidential data, which will eventually damage national economies and cause public panic. Therefore, when OT devices are connected, we must ensure secure communication across all ICS network traffic and protocols.
Requirement
The OT protocols of traditional ICS and SCADA systems are vulnerable to cyber threats, as these protocols are usually left unprotected and open. This vulnerability attracts hackers, who manipulate oil and gas refineries and plants by introducing malware through different access points of control networks.
To protect the interconnected devices and the network protocols, critical asset owners should implement multi-layer network security platforms for their OT/IT networks to run white-listing, traffic pattern monitoring, protocol and packet inspection, and security policies. The platforms must feature robust design, optimal performance and well-configured I/O connectivity to meet security requirements in challenging environments.
Multi-layer Hardware Solution
To address the cyber security issues in the oil and gas industry, Lanner’s LEC-6032 and NCA-4210 are the optimal pair for OT and DMZ deployments. On the OT side, LEC-6032 is an industrial-grade fanless embedded system with a wide operating temperature range, to be deployed at ICS and SCADA sites as the white-listing and packet inspection firewall. On the DMZ side, NCA-4210 is a 1U rackmount appliance with an Intel 14nm micro-architecture CPU, the 6th generation Intel® Core™ processor (codenamed Skylake-S), to be deployed as UTM and IPS.
Cyber-security in OT Network
LEC-6032 is a compact, 24/7 industrial firewall designed for the oil and gas sectors to implement security measures and prevent unauthorized remote access. The rugged, fanless design of LEC-6032 reduces system outages and minimizes dust inside the device. LEC-6032 also offers an extended operating temperature range of -40 ºC to 70 ºC, which allows it to operate in harsh ambient environments at ICS deployment sites. In addition, electrical surges may occur in critical infrastructure and can severely damage deployed systems.
To prevent such damage, LEC-6032 comes with isolated COM ports with 15 kV ESD protection and magnetic protection for Ethernet ports. For network connectivity, LEC-6032 offers various LAN port configurations including GbE LAN, SFP fiber ports, and advanced Gen.3 LAN bypass, depending on the specific model.
Cyber-security in DMZ Networks
Designed to defend against advanced cyber attacks (such as DDoS attacks) on historian servers and domain controllers in the industrial DMZ, Lanner’s NCA-4210 is powered by the new Intel 14nm micro-architecture CPU, the 6th generation Intel® Core™ processor (codenamed Skylake-S). With its next-generation 3-D tri-gate design, the 6th generation Intel® Core™ processor promises to enhance processor performance while lowering the TDP. A new socket type, LGA 1151, has also been released for the die-shrunk architecture. In terms of memory, NCA-4210 supports dual-channel DDR4 at frequencies up to 2133 MHz and capacity up to 32 GB using 2 x 16 GB DIMMs. ECC is also supported (only available with the C236 chipset).
Another notable feature of NCA-4210 is its use of the Intel® H110 and C236 series chipsets. The new PCH brings a major upgrade for PCI Express. With the new LGA 1151 socket, NCA-4210 supports up to 20 PCIe Gen3.0 lanes and an M.2 socket, improving I/O efficiency by up to 40 percent.
Cyber-security in Enterprise Networks
The main cause of cyber vulnerability in segregated automation networks is malicious code from the outside. Enterprise networks connected to the Internet, or to unsecured external devices such as laptops, tablets and USB peripherals, also open loopholes through which malware and viruses reach the office and industrial networks.
Built for protecting enterprise networks, Lanner's FW-8896 is a high-performance enterprise network firewall with high availability and reliability. This 2U rackmount x86 network appliance is equipped with dual Intel® Xeon® E5-2600 v3/v4 CPUs and the C612 chipset (codenamed “Grantley”), with DDR4 registered DIMM memory at up to 2133 MHz, delivering the computing power needed to implement advanced security measures. FW-8896 also features 8 NIC module slots with a maximum of 64 Ethernet ports, advanced LAN bypass and crypto acceleration support, making the appliance well suited to demanding security applications in enterprise networks such as IDS (Intrusion Detection Systems), IPS (Intrusion Prevention Systems) and DPI (Deep Packet Inspection).