EON Connectors - world of IIOT & Cybersecurity

mad4x4 (Member; joined Mar 2009; location St Cyrus; 352 posts)
On with the dawn of IIOT and the linking of legacy systems to the "cloud", what is the opinion on Edge Of Network Connectors? These are typically a small Linux-based computer (or Windows IoT) running protocol software that hands the Siemens or Rockwell PLC data off to the Cloud. Often these are dual-NIC devices with one on the Control network and one for the WAN connection.

But from a cybersecurity point of view Dual Homing (having a PC on two LANs) is a no-no, as it would only take a minimal hack to turn a PC into a router and bridge the two NICs. Yada Yada Yada.

So in practice are we all using these devices to squirt our data via MQTT or some other protocol to the cloud, or are we implementing these devices and then still implementing a Firewall between the INTERNET and the EON (WAN port)?

Is Dual homing such a bad practice as Cybersecurity makes out? Cybersecurity always preaches that "airgap" is the best way to protect a control system, but that's fine until you need data from said control systems.
 
IIOT/IOT has a lot of serious security concerns. Although I'm not knowledgeable enough on the topic to comment on any of your questions, I did come across this article the other day.

https://arstechnica.com/information...urned-a-250-coffee-maker-into-ransom-machine/

Obviously the manufacturers of the coffee maker set themselves up for failure... There is always someone smart enough and with enough skill to virtually hack anything.

The latest trend I've seen now in the USA is to trojan-horse 911 dispatch centers and demand ransom. I have serious concerns for manufacturers exposing essential plants to the IOT. The country would just become too fragile with that kind of exposure. Frankly this applies to any industrialized country. The infrastructure is not in place to "fall back" in case of a malware attack and continue without major health and safety concerns.
 

We are part way through the process. Dual-homed NICs are still a no-no. Data is collected (polled, or report by exception) on the Control side, sent through the firewall to a server in the DMZ (the control side computer initiates the connection) ... then the DMZ computer doing the same sort of thing with reporting data through the firewall to the cloud ... not sure if it is MQTT or not ...


Well, as far as my limited understanding goes .. that's what our IT guys want to see. But they don't REALLY want to do that until they have monitoring in place for intrusion detection, so that they can establish what `normal` traffic is, within limits .. and can then report if one of the said computers begins communications on other ports, or begins to initiate connections to other computers, do ping sweeps, etc etc.


So far, the description is `report` and not `shut down` since firmware updates that only happen in turn-around, additional traffic for trouble-shooting, etc etc cannot be manually added to the `normal` traffic list.


Trying to get several industrial sites, running different PLCs, DCSs, and various third-party instrumentation vendors to agree on a method that IT and cyber security also agrees on ... is kinda painful and moves pretty slowly.


But management is pushing pretty hard, since they hear wonderful stories of IIOT, Dashboards available on their phones, and Cloud AI assisting in making our product faster, more consistently, and with better quality.
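The zoning described in this post (control side initiates to a DMZ collector, the DMZ initiates to the cloud, nothing initiates toward control) written as an nftables forward policy. This is an added example, not the poster's or any vendor's configuration; the interface names, collector address and port are assumptions.

```shell
# nftables policy for the zoning described above: the control side may only
# open connections to the DMZ collector, the DMZ may only open connections to
# the cloud broker, and nothing may open a connection toward the control side.
# Interface names, the collector address and the port are assumptions.
CTL_IF="${CTL_IF:-eth0}"                 # control-network side
DMZ_IF="${DMZ_IF:-eth1}"                 # DMZ side
WAN_IF="${WAN_IF:-eth2}"                 # corporate / internet side
COLLECTOR="${COLLECTOR:-10.20.0.10}"     # assumed DMZ collector address
PORT="${PORT:-8883}"                     # MQTT over TLS

edge_ruleset() {
  cat <<EOF
flush ruleset
table inet ot_edge {
  chain forward {
    type filter hook forward priority 0; policy drop;
    # replies to connections initiated from the inside are the only return path
    ct state established,related accept
    ct state invalid drop
    # control side initiates: PLC data to the DMZ collector only
    iifname "$CTL_IF" oifname "$DMZ_IF" ip daddr $COLLECTOR tcp dport $PORT ct state new accept
    # DMZ initiates: collector relays to the cloud broker over TLS
    iifname "$DMZ_IF" oifname "$WAN_IF" tcp dport $PORT ct state new accept
    # WAN->DMZ, DMZ->control and control->WAN never match and hit policy drop
  }
}
EOF
}

# Load only if the ruleset parses (needs root and the nft binary).
apply_ruleset() {
  command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 1; }
  edge_ruleset | nft -c -f - && edge_ruleset | nft -f -
}

# The design allows exactly two kinds of new connection; anything else is a bug.
count_new_accepts() { edge_ruleset | grep -c 'ct state new accept'; }
```

On a dual-NIC edge connector the same forward chain with policy drop, together with net.ipv4.ip_forward=0, is the minimum check that the box cannot quietly become the router the original post worries about.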
 
This is what scares me. Most of those who receive the marketing for IIOT have no idea of the potential risk (management, as you pointed out); they just see the golden ticket dangling in their face and can't wait to grab it.

As I once heard someone say at a PHP conference: with "IoT," the "S" stands for security.

Exactly!
 
This is one of the better design concepts to collect data and pass across a firewall into the DMZ. Any connections to the corporate network or to the internet should be done in the DMZ with a proper firewall and intrusion detection and encryption.

When I design for maximum security I employ Airwalls on the IT and OT side and in some cases within the DMZ.

I also employ a Stratix 5950 or Tofino firewall at the machine level.

If using ControlLogix I like to use the secure communications module.

I top this off with CIP Security and FactoryTalk Security enabled and set up properly.

Airwalls are one of the best defense tools because you can't hack what you can't see and what you don't know is there.
 
One of the highest level of security you can use is a data diode / unidirectional network. There are design hurdles for data transmission and hand off, but it’s what all the big boys use.
 
Data diodes ... that's what they call it! All communications initiated from inside the protected area, and the other side of the firewall can only respond.
 
Going through your steps ... what's an Airwall? Hopefully I know it by another name ... and I'm not simply clueless on established procedures!
GOOGLE ANSWER - a product suite that 'hides' your network nodes. It seems complex. I'm interested in how it works!
https://cdn2.hubspot.net/hubfs/7040131/Tempered Sales Tools/What is Airwall (Product Brief).pdf

I have 2 (OLD!) Tofinos loaded with ethernet/IP collecting dust in storage ... we were part of the initial beta, I hope. They booted up properly about one time in 5 tries. When they did not boot properly, they ended up with a default config ... I could not rely on them to boot, so I gave up on them.

The Tofinos were originally tested in our link between the firewall and the 'contact' PLC VPNs.

What is a secure communications module for ControlLogix? Again, I hope I'm not completely clueless and I just know it by some different name :(
GOOGLE ANSWER - A product released last year. I'm not sure exactly what it does ... I'm still interested in explanations!
https://literature.rockwellautomation.com/idc/groups/literature/documents/um/enet-um003_-en-p.pdf

We have not jumped into CIP Security or FactoryTalk Security as yet. We have AssetCentre installed and monitoring. But we have yet to get the same description from 2 consultants on how CIP Security and FactoryTalk Security work, or how they work together. I am paranoid about getting locked out of my system! All of the companies that I have had pitch their services ... I ask 2 or 3 questions and get to "we'll have to get back to you on that" answers. This does not inspire confidence!

I'm OK with back-doors into the system with physical access to the processors. Secure everything on the network side ... but if all else fails I can connect direct with a USB cable and get things going. If we have hackers visiting the site, getting through security, locating the machine cabinets, and connecting to the USB ports directly ... then we DESERVE to be hacked!

Back to the Tofino ... I lost the contact info of the person who sent them to me on trial. Perhaps he moved on, perhaps he was promoted ... I never did get them running. Maybe all they need is flashing to newer/more stable firmware?
 
Don't drink the marketing Kool-Aid and be fooled. Yes, Data Diodes are very secure and have their place, but they are also limited in application because most needs require bi-directional access, which can be done with 2 data diodes; but once you introduce bi-directional communications into the mix by any means you vastly increase the attack surface.

Nothing is unhackable. Data Diodes can be compromised and air-gapped networks can be jumped/hacked.

Security in layers is still your best defence, and data diodes can be an important part of your overall layered security measures, but some customers buy into the "a data diode is all you need" program that many of the data diode manufacturers sell with, and that's where problems begin for the customer / end user.

As my grandpa used to say "locks are to keep the honest man honest because a determined criminal will find a way"
 
We've been using remote access devices for many years now. The edge devices form a secure VPN connection via a service on the internet to facilitate access to the remote machine network. The VPN Router devices have no ports open on the WAN side so nothing for an attacker to attack as all communications are established outbound.

So far so good for the encrypted VPN connection. To compromise this an attacker would need to obtain your credentials for the gateway service.

More recently we've been experimenting with sending data to/from machines via MQTT from these same edge of network devices. The issue here is more one of data security rather than hacking per se. People don't want details of their production being spewed across the internet without encryption. Again, the connection to an MQTT server is originated outbound.

The bad news is that MQTT usually gets set up first off without encryption.

The good news is that MQTT supports TLS 1.2; this is the same kind of encryption used by email and secure web servers (such as your bank) and you should use it!

All of these devices we have deployed sit behind a firewall, but I have seen examples of these devices directly accessible from the internet and still with the default username and password, so: never connect one directly to the internet unless you really know what you're doing, and always change the default username and password!

The best security is still an air gap. Anything beyond that is a compromise between Utility and Security but people are generally the weakest link.

Nick
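The "set up without encryption first" broker config Nick describes, beside a TLS 1.2 listener that also refuses anonymous clients, with a small per-file audit that flags the weak one. This is an added example, not the poster's own setup; the Mosquitto options are real, the certificate paths are assumptions, and both configs are constructed here.

```shell
# Weak versus hardened Mosquitto listener config, plus a per-file audit.
# Certificate and password-file paths are assumptions; both configs are
# constructed here so the audit can be run offline.
WEAK_CONF="${TMPDIR:-/tmp}/mosq_weak.conf"
GOOD_CONF="${TMPDIR:-/tmp}/mosq_good.conf"

# The usual first setup: plaintext on 1883, anyone may connect.
cat >"$WEAK_CONF" <<'EOF'
listener 1883
allow_anonymous true
EOF

# Hardened: TLS 1.2 only on 8883, broker cert, client cert plus password required.
cat >"$GOOD_CONF" <<'EOF'
listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
tls_version tlsv1.2
require_certificate true
allow_anonymous false
password_file /etc/mosquitto/passwd
EOF

# has FILE REGEX: true if an uncommented line of FILE matches REGEX.
has() { sed 's/#.*//' "$1" | grep -Eq "$2"; }

# audit_mosquitto_conf FILE: one line per finding on stdout, returns 1 if any.
audit_mosquitto_conf() {
  f="$1"; rc=0
  has "$f" '^listener[[:space:]]+1883([[:space:]]|$)' && { echo "$f: plaintext listener on 1883"; rc=1; }
  has "$f" '^cafile' || { echo "$f: no cafile, TLS not enabled"; rc=1; }
  { has "$f" '^certfile' && has "$f" '^keyfile'; } || { echo "$f: broker certfile/keyfile missing"; rc=1; }
  has "$f" '^tls_version[[:space:]]+tlsv1\.[23]' || { echo "$f: tls_version not pinned to 1.2 or newer"; rc=1; }
  has "$f" '^allow_anonymous[[:space:]]+true' && { echo "$f: anonymous clients allowed"; rc=1; }
  has "$f" '^(password_file|require_certificate[[:space:]]+true)' || { echo "$f: no client authentication"; rc=1; }
  return $rc
}

for c in "$WEAK_CONF" "$GOOD_CONF"; do
  audit_mosquitto_conf "$c" && echo "$c: OK"
done
```

The audit is deliberately per-file; a broker with several listeners needs the TLS checks applied to each listener block.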
 
