TXOne Networks about IIoT Security
“We are an Advocate of the OT Zero Trust Concept”
Cybersecurity is indispensable for industrial companies which rely on the IIoT. But how can it be ensured, especially at the transitions from OT to IT and from the edge to the cloud? And how should companies proceed about it? Dr. Terence Liu, CEO of TXOne Networks, provides more information.
Markt&Technik: Why is cybersecurity in the IIoT becoming increasingly urgent?
Dr. Terence Liu: To make an air gap, which means to separate OT and IT or edge and cloud physically and logically within the IIoT, is not possible in Industry 4.0 factories. Collecting the data from the machine as feedback to the cloud for analysis is normal nowadays. But if you are able to send data to the cloud this cannot be called air-gapped.
On the other hand the hackers changed their business model. Formerly they monetized from stealing data like credentials and selling them in the darknet. Now, because of cryptocurrencies, the main way is ransomware. They try to attack companies and stop their workflow, they will look at factories and always try to hit the soft spot. For the last decades, factories didn’t have to be secured very much, because there hasn’t been any data or almost no data around. So hackers didn’t bother to attack, but that has changed. It will take them nine months to penetrate the systems of a bank, but of a manufacturer only six months.
In 2021 manufacturers have become the most attacked industrial branch in the world, comparing to financial, retail and government – according to IBM, who do a lot of services for manufacturers, like Incident Response. Thus the whole threat landscape has changed. The problem is that the responsibility of the managers for the OT security is often unclear. So far the OT managers just had to look after the outcome of the production and to ensure that the operation runs, and for the IT staff it was to secure the office systems and networks. Therefore IT guys don’t see the difference between OT and IT, and the OT managers don’t know that OT security is an issue. But when there is an incident: Who has the knowledge to protect the environment? That is why TXOne exists.
We work with the industrial leaders. Why with them? They are the biggest companies, and they have the public’s eyes on them. They can’t effort an incident. They are the first to invest in OT security. Also the operation of the factories is different from branch to branch. For example you go to a semiconductor company with large machines, very expensive, millions of dollars. But if you go to an automotive company it’s all about the controllers and robotic arms. So you have to work with the leaders in each branch to get a deep knowledge of the branch and to put together best practices.
The trend is towards IT-OT-Convergence, meaning you have data in the cloud and on the edge and you have an automation concept for both: What do you recommend how companies can build a secure connection between IT and OT and between Cloud and Edge, Cloud and Controllers and so on?
Data exchange is a big task for operation and security. I talk to many cyber security officers of large enterprises and suggest them: Don’t just try to extend your IT security guidelines to OT. If you do so, the managers in OT won’t understand why they should do that. It is not their language and not their experience. They are not often confronted with being hacked and so don’t see the necessity or even believe it. It is the IT perspective and it is quite different. So I suggest to think about the operations hub. We call it Asset Centric Lifecycle Protection because in the end for modern factories it is like this: The operations are being carried out by the machines and you buy a machine from a supplier, but how do you know that there is no virus in it, already? You should not trust a machine without knowing this for sure. In the semiconductor industry you already have a new standard that when two equivalent vendors ship their machine to a chip maker they need to show an evidence that there is no virus inside them. That is important because what you are doing with the machine is to configurate it, integrate it in moving processes, sometimes get an remote access to control it from your office, and do data exchange. So you need it on your radar as security team. And all the operations have to be secure.
Talking about data exchange: One the one hand, if you push the recipe to the machines you want to make sure that this recipe would not be distributed to someone else. Some companies change the recipe sometimes, and every time they start the machine it will download the new recipe from their secure server dynamically, afterwards establishing a secure channel from the machine to the local server and then to the cloud. All transactions have to be encrypted. On the other hand you want to make sure that the machine talks only to limited peers. For example, hacker break into the shopfloor and from there they can send out transaction command to the machines, saying they should send the data to them. Only few companies prevent this, and very few people in OT implement authentication. Therefore the machine can take commands from everyone. We suggest a network segmentation, so the machine just talks to specific workstations in a specific language. For example, here we have an important controller and only this specific workstation can configure it, while others can just read the parameters and results. In case of an attack, when hackers try to shut down the machine or change the recipe or upgrade the firmware, you can stop that with network segmentation. Otherwise, often it is like this, only Layer 2 security, like: I can talk to the server but not to the machine next to me. But that doesn’t work because if a virus infects the server it will be spread to all connected machines. So you have to look into the payload to understand the attack.
How far do you follow the OT Zero Trust concept?
We are an advocate of it, but there is no official definition of it. For TXOne it means: You should not trust the machine. You should not take it for granted that the machine is clean, because nowadays machines are CPS - Cyber Physical Systems. Physical is easy to understand, it is just a machine like a motor. But now comes data in and there is intelligence in the machine. It is a working system then with network connectivity to send out the data. This means the machine is open to cyber attacks because it is Cyber Physical. That is why you should not trust the machine but monitor its behaviour. In IT people talk about Zero Trust when e.g. a login happens and they are not sure if it is the real account or a hacker. If you apply this to OT then you should not trust the machine. So you have to monitor its behaviour, and when it behaves abnormal you can notice it and react. That is why we call it OT Zero Trust.
How about your solution: Do you have new technologies which you showed on SPS 2023 for the first time?
Yes. We already talked about OT Zero Trust and Asset Centric Lifecycle Protection. When you buy a new machine we have a product called Portable Inspector. It is a USB stick which you plug to the machine and it will inspect whether the machine has been compromised. Next we have the industrial Anti-Malware solution we call Stellar. You can install it in the machine as an Anti-Virus solution. Then we have the Edge-Series, consisting of appliances which monitor the traffic between the machines to make sure that other machines are not attacked thereby.
At SPS we have showcased our fourth product. A virus infection in OT is often not intentional, but a mistake. For example the employees want to update the firmware or software or application of the machine and bring in an USB stick to plug it into the workstation. How do you know that this media is clean? What, if this media carries already a virus inside which spreads from the workstation to all the machines, and suddenly the whole factory is infected? For that reason we have a new product called Safe Port: It is an appliance with several media interfaces where you plug in your USB stick or portable hard disk to be checked. Safe Port is by far the fastest scanning engine, and we were showcasing it at SPS.
How about your customers: Are your customers the automation companies, who automate other production companies, or are y
Both and many. If you have a production line you are our potential customer. Let’s take automotive, for example: We have a car OEM, which is car assembly, even in Germany. We have Tier 1 component providers and we have those solution providers who program the machine and provide it to the Tier 1 companies.
Which strategy are you following in Germany and Europe, and what does your roadmap look like?
Our strategy is quite simple: We identify specific verticals and there the leading companies and then make sure that they stay successful. We choose the highly automated industries first, like automotive or pharmaceutical or semiconductor or beverage. These four are big regarding OT security and opportunities for OT security products. We want to make sure the successful deployment of our solutions because we are talking about large manufacturers with like 100 factories around the globe, and nobody would shut down 100 factories to install OT security and restart operation. That will never happen. So there we choose new factories as a green field or the factories which are connected closely to the security team or the factory which has just a maintenance period coming. And we have to be successful, because if we fail or just interrupt the operations, it will spread very fast to other factories, so they deny our deployment. But otherwise one successful deployment leads to the next one and the next one. So we are not the traditional IT security vendor who sells a solution to you and says: “Goodbye, see you next year for the update.” We work with the companies from planning to installment and make sure that the installment is good. We work very close with our large customers. That is why we look out first for the industrial leaders. Their success is our success.
Is your technology independent from IIoT protocols like OPC UA or MQTT?
Of course. We developed decoders to understand all of them. Currently our solutions can identify and classify over 6000 different OT language protocols, like the big ones e.g. from Mitsubishi. We want to know what’s going on. For example we secure an operation and model the operation, but what is a model worth in reality? Actually we are talking about this: The operation is done by this application, running on this workstation, communicating to the other field devices, maybe controllers, through several different protocols and some parameters. So we train new applications and protocols to our solutions like Stellar or Edge. After that we put the information together, and then we can model specific operations individually. Every factory is different. Now we can understand what is happening on the employee side, on the machine side and on the network-side.
Your solution is vendor agnostic and agnostic of customer companies and automation companies: Is it agnostic for all kind of companies?
Yes, we work closely with automation solution providers. We are working with Mitsubishi, Yokogawa, Schneider and others like that. So our customers with their solutions can see that our solution is compatible.
The companies you mentioned integrate your solution depending on the customers’ wishes?
Let’s put it this way: Some companies have Alliance Partnerships and we are one of them. Others like Mitsubishi have Technology Alliances and we are a member of them. And surely we have many joint customers, so many things are going on. Last but not least TXOne is a member of VDMA now. This shows further the strategy for Germany.
The interview was conducted by Andreas Knoll.
