Background

The number of targeted cyber attacks has increased exponentially over the past years, and the rate of attacks has also risen particularly on the critical infrastructure, such as power station, gas refinery and transportation. Some major incidents of cyber attack on power sectors, like the Blackenergy attack on Ukrain’s power grids and the Stuxnet on Iranian nuclear plants, cut off their data flow and disrupt utility serviceability. Due to the increased service convergence of Information Technologies (IT) and Operational Technologies (OT), there is an urgent need for more comprehensive, multi-layer security measures for CIP (critical infrastructure protection) in order to ensure secured communications and mitigate the advanced cyber treats.

Integrated CIP Security Gateway

Most critical infrastructure operators have addressed the importance on IT infrastructures, but OT technology has not received as much attention. Despite the same purposes: access control, network monitoring, and appropriate responsive actions, IT is more oriented to open architecture while OT is highly isolated and cyber-physical due to the uses of proprietary protocols and air gaps. Thus, less attention had been paid towards OT security due to limited exposure and high maintenance costs, which make OT a less favorite option in budgeting process. Thus, the vulnerability was revealed when Blackenergy hacked Ukrainian power grid in 2015 and Stuxnet attacked Iranian nuclear plant in 2010.

Given the above incidents, it is important to build up a well-coordinated, well-converged CIP security gateways integrating both IT and OT technologies to establish visibility into control network traffic and security policy instructions. For the OT field, it is necessary to deploy security appliance to integrate SCADA, PLCs and log servers. Regarding the IT environment, network security appliance shall be deployed to protect the ERP, PLM and mail servers.

These CIP gateways must meet following technological hardware requirements:

OT Security Gateway: protecting sensors, PLC, HMI, SCADA and log servers

Fanless design

Fanless is the ideal and cost-effective thermal design in critical infrastructure environments.

DIN-Rail mount

DIN-Rail is perhaps the most practical mounting option in critical infrastructure environments, and therefore, the required gateway shall be mounted this way.

Surge/ESD protected Serial connection

Electrical abnormalities like surge and ESD occur at times in critical infrastructure environments, and thus the required gateway must be designed with surge and ESD protections for its Serial ports, as these I/Os are critical connections with industrial devices.

Advanced LAN bypass

Fault-tolerant LAN traffic is essential in ICS communication in case failure occurs.

Wide operating temperature

Given the extreme temperature in critical infrastructure environment, the system must be able to operate at wide temperature range.

Dual power path

Power design is essential in energy sector and dual power path can offer higher stability.

IT Security Gateway: protecting ERP, PLM and Mail Servers

1U 19” rackmount

1U 19” rackmount is a highly space-efficient form factor for deployment in IT data center.

Multi-core processor

To boost network capacity and performance, CPU with multiple processing cores and hardware acceleration engines is the optimal solution to run software-added instructions.

Next-generation memory

The required gateway shall be designed with the next-generation memory, like DDR4, to run efficiently.

NIC expansion

A well-protected ICS CIP must incorporate future scalability with modular architecture, such as NIC module expansion in order to scale up certain functionality.

Advanced LAN bypass

Fault-tolerant LAN traffic is essential in ICS communication in case failure occurs.

Lanner’s Converged Gateways for IT/OT Security

One of the well-known European IT/OT security providers selected Lanner appliances as their CIP security gateways deployed in both IT and OT network environments. The integrated and converged solution pack includes the LEC-6041 as the rugged industrial UTM in OT and NCA-4210 as the next generation firewall in IT.

For OT environment, LEC-6041 is a din-rail industrial gateway with small-footprint Intel Atom E3845 CPU to be deployed at ICS and SCADA sites as the firewall to perform white-listing and packet inspection. For the IT as well as the DMZ, (Demilitarized Zone), NCA-4210 is a 1U rackmount network appliance empowered by Intel 6th/7th gen. Core-i7/i5/i3 CPU to be deployed as NGFW for DPI and IPS/IDS applications.

LEC-6041 supports extended operating temperature with a maximum range of -40 ºC to 70 ºC. This provides the wide operability under harsh ambient environments at ICS deployed sites. In addition, electrical surges may occur in critical infrastructures and this might devastate implemented systems. To prevent devastations from happening, LEC-6041 comes with isolated COM ports with protection at 15KV ESD and magnetic protection for Ethernet ports. Regarding network connectivity, LEC-6041 delivers 5 RJ-45 GbE ports with 1 pair of Generation 3 LAN bypass and 2 SFP networking ports. For convenient serial connection with industrial components, LEC-6041 offers one serial port with RS-232 signals.

For the DMZ and IT infrastructure, Lanner’s NCA-4210 is empowered by Intel® 6th/7th Gen. Core-i7/i5/i3 CPU (formerly Skylake/Kabylake) and DDR4 memory with ECC data integrity capability. NCA-4210 is designed with 2 DDR4 DIMM sockets with each supporting up to 32GB. The adoption of Intel® H110 or C236 series chipset as the new PCH brings up a huge upgrade for PCI Express. Regarding expansion, NCA-4210 is designed with a NIC module expansion slot to expand bandwidth. Another significant feature of NCA-4210 is the flexible LAN configurations. Depending on the SKUs, there are Ethernet connectivity options of 6 x RJ-45 GbE LAN + 2 x SFP GbE LAN with 2 pairs of bypass, or 8 x RJ-45 GbE LAN with 2 pairs of bypass.

Given the well-designed hardware, both LEC-6032C and NCA-4210 can bring security in IT/OT convergence applications.

Featured Products


NCA-4210

1U x86 Rackmount Network Appliance Powered by Intel's 7th Gen Core Processors

CPU Intel® Core™ i7/i5/i3 or Pentium® or Celeron® (Skylake/Kaby Lake)
Chipset Intel® H110 or C236

Read more
 

LEC-6041

Industrial Grade PoE Network Appliance with Intel® Atom™ Processor

CPU Intel® Atom™ x7-E3950 or x5-E3930
Chipset None

Read more