The best information isn’t worth anything if you can’t get it where it needs to go. But how are you supposed to deliver process data from sensors, instruments and applications in the field without making them and their networks vulnerable to outside probes, intrusions and potential cyber attacks?
So, to help ensure the secure and reliable transmission of data from Emerson’s Pervasive Sensing technologies, the company launched this week its Secure First Mile offering. Emerson experts provided in-depth details about Secure First Mile and its role in the larger Plantweb digital ecosystem at the Emerson Global Users Exchange this week in Austin, Texas.
“The main challenge is: How can users let that data out without opening the door to attacks, and control who gets what data?” said Claudio Fayad, Emerson’s technology vice president, Process Systems and Solutions. “We think Secure First Mile is the solution.”
Fayad reported that Secure First Mile is a set of architectural approaches and designs, enabled by a family of security services and robust, secure and flexible servers, gateways and data diodes, which work together to make certain that data in existing operational technology (OT) systems can be easily and securely connected to Internet-based applications. “Secure First Mile is located close to where process data is generated, and converts sensor and other production-level information into secure data for the Internet and cloud level,” he said.
While efforts to move process data securely aren’t new, they’re typically organized using the traditional, seven-layer Purdue model, which relies on segmenting networks, dividing them with managed Ethernet switches, and requiring data to pass through multiple layers. Data from critical OT systems must traverse a number of firewall-separated networks, often passing through ‘data-aggregation’ applications such as historians to provide added security and access points, until it finally reaches a network level that provides controlled Internet access. These architectures are used at larger facilities, and are effective as long as IT personnel are available to support them. However, they take effort to configure and support correctly, and can require significant labor to add new sensors and make their data available through those multiple layers.
“The secure OT environment includes levels 0, 1, 2 and 3 in the Purdue model, while the secure IT environment includes levels 4 and 5. Secure First Mile is at Level 3.5, to protect and connect OT systems with IT,” explained Fayad. “We also use OPC-UA communications to link smart devices and our AMS software with OSIsoft on the secure OT level, and then communicate via Secure First Mile to OSIsoft and PI Cloud Connect software on the secure IT level. This approach, however, requires multiple levels of software and stakeholders; it makes network penetration difficult but not impossible. It’s effective but hard to maintain.”
To provide more concrete security, Fayad explained that Secure First Mile also offers a data diode approach to simplify protection against inbound communication. “The data diode model provides extra security because it creates a physically unidirectional network that only lets data out, but has no physical connection for letting data back in,” said Fayad.
“This enables production data to go to the edge gateway for conversion to IoT cloud protocols, but physically disables the inbound path.”
As an example of applying data diodes to valve monitoring, Fayad added that Emerson’s 1410 Gateway supplies WirelessHART valve information to a field gateway, while the data diode prevents outside access to the OT environment. From there, a Microsoft Windows 10 IoT edge gateway converts the data to an IoT protocol such as AMQP and sends it to Emerson Connected Services, powered by the Microsoft Azure cloud service. This path is also encrypted from end to end.
In addition, Fayad reported that Emerson has already added OPC-UA communications to its DeltaV DCS, but now it’s also adding OPC-UA inside its controllers. This means users will no longer need to have DeltaV on top to achieve Purdue-model security, which will make their security models simpler and leaner.
“DeltaV connects today via the Purdue model and Secure First Mile, but DeltaV, Version 14, will also provide multiple paths to the cloud and IIoT applications,” he said. “Emerson has the expertise to securely connect your OT systems to new Operational Certainty applications in whatever way you choose, either with architectures with existing plant systems such as historians, or via new ‘direct connect’ architectures.”