Secure data transmission between the Operational Technology (OT) and Information Technology (IT) layers is a critical concern in industrial automation. Traditional methods often expose critical systems to vulnerabilities by opening ports on the OT level when leveraging standard OPC deployments. While OPC UA has streamlined industrial communications by eliminating the complexities of DCOM configuration and its associated security risks, the continued use of open ports still leaves potential vulnerabilities for attackers to exploit.
DataHub Tunneling has often been viewed as just another way to bypass DCOM or an alternative to OPC UA, but it is much more than that. In this blog post we’ll explore four ways Cogent DataHub, a versatile middleware software solution, can address these security challenges by leveraging its advanced tunneling capabilities and more.
1. Closing off Vulnerable Operation Access Points
Open, inbound ports on OT systems create significant security risks. We covered in a previous blog, “There’s More to It and Why Your IT Team has Concerns”, how attackers can exploit these entry points to launch malicious attacks such as unauthorized access, malware deployment, and ransomware, which can disrupt operations and lead to substantial financial losses. As industry grows more dependent on interconnected smart operations, robust security measures become paramount to protect critical systems from these growing cybersecurity threats.
Cogent DataHub offers a secure and efficient method for tunneling industrial automation data by reversing the direction of the connection: the OT side can initiate an outbound connection instead of listening for inbound ones, which preserves the integrity of your plant network firewall. Because users dictate which side of the connection initiates the communication, this architectural change closes the vulnerabilities that open inbound ports would otherwise create.
2. Maximizing Security with Support for Isolated DMZ
For years, VPNs have been a popular solution for securing networks. However, their inherent flaw lies in their all-or-nothing approach: once a user gains access to the VPN, they have unrestricted access to all network resources. This centralized access point becomes a prime target for cyberattacks, as a successful breach can compromise the entire network. A single entry point compromised through a successful phishing attempt can thus expose the entire network.
A more secure approach involves limiting network access and establishing secure data connections. A DMZ, a physically or logically isolated network segment, provides an effective way to segregate OT and IT networks. By placing a DMZ between the two networks, organizations can significantly reduce the risk of unauthorized access and of lateral movement by attackers. This approach is now part of the standard guidance in the EU's NIS 2 Directive and NIST SP 800-82, both of which emphasize the importance of network segmentation and secure data transfer, and it is rapidly becoming a necessary compliance requirement for many businesses. With this architecture the only open ports are in the DMZ, where they belong, so your OT and IT firewalls stay locked down against inbound connections.
3. Minimizing Downtime Data Loss with Secure Store and Forward
DataHub recovers automatically from network interruptions, and its link-detection timeout can be set as low as 50 milliseconds. However, network issues can sometimes be prolonged, and you need a way to ensure data integrity and prevent data loss. One of Cogent DataHub's most valuable features is its Store and Forward capability. When a network connection between DataHub instances is lost, the local DataHub instance can be configured to temporarily store incoming data values in a local InfluxDB instance. This increases the value of a tunnel solution by preventing data gaps during network disruptions; combining tunneling with Store and Forward creates more resilient data streams.
Once the connection is re-established, the stored data is forwarded to the remote DataHub, ensuring that no data is lost during network outages. This feature is especially beneficial for historical data collection, seamlessly filling in any data gaps that would otherwise occur during downtime events.
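The behaviour described in this section, as an added illustration that is not DataHub's own code: an outbound tunnel writer that sends Value/Quality/Timestamp samples live while the link is up, stores them locally once the link is detected down, and forwards them oldest-first on reconnect so the remote ends up with a gap-free, correctly timestamped series. The remote DataHub is a constructed stand-in, an in-memory deque stands in for the local InfluxDB store, and the tag name and timestamps are made up.

```python
from collections import deque, namedtuple

# One Value/Quality/Timestamp sample; the source timestamp is carried through unchanged.
Point = namedtuple("Point", "tag value quality ts")


class StoreAndForwardTunnel:  # outbound tunnel writer that buffers locally while the link is down
    def __init__(self, remote):
        self.remote = remote    # callable(Point); raises ConnectionError while the link is down
        self.buffer = deque()   # local store in source order (stand-in for the InfluxDB store)
        self.link_up = True

    def publish(self, point):
        if self.link_up:
            try:
                self.remote(point)
                return "sent"
            except ConnectionError:
                self.link_up = False   # link detection: stop live sends, switch to storing
        self.buffer.append(point)      # never drop a sample during the outage
        return "stored"

    def reconnect(self):
        """Forward stored points oldest-first; returns how many were forwarded."""
        forwarded = 0
        while self.buffer:
            try:
                self.remote(self.buffer[0])
            except ConnectionError:
                return forwarded       # still down: leave the rest of the buffer intact
            self.buffer.popleft()
            forwarded += 1
        self.link_up = True
        return forwarded


def run_outage_scenario():
    """Constructed scenario: six samples, link down for samples 2..4, then reconnect.
    Returns (per-sample outcome, points forwarded on reconnect, timestamps at the remote)."""
    state = {"down": False, "received": []}

    def remote(point):                 # stand-in for the remote DataHub instance
        if state["down"]:
            raise ConnectionError("tunnel link down")
        state["received"].append(point)

    tunnel = StoreAndForwardTunnel(remote)
    outcomes = []
    for i in range(6):
        state["down"] = 2 <= i <= 4
        outcomes.append(tunnel.publish(Point("Pump1.Flow", 10.0 + i, "GOOD", 1700000000.0 + i)))
    state["down"] = False
    return outcomes, tunnel.reconnect(), [p.ts for p in state["received"]]
```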
4. Extending Interoperability with Advanced Features & Plug-Ins
Tunneling solutions come in a variety of forms, but one of DataHub’s greatest benefits is that it is more than solely a tunneling solution. Over Cogent DataHub’s long history of successful implementations in industrial control applications, users have leveraged, and continue to leverage, multiple aspects of the Cogent DataHub’s functionality to drive change and implement cost-effective, scalable solutions for their unique operations.
The combination of the secure tunneling features on top of the variety of protocol support, historian access, user-specific security profiles, and plug-ins opens extensive possibilities. As a natural data aggregator, any data source the DataHub can communicate with can then be tunneled and shared with other parts of the business. Multiple tunnels can be strategically placed along networks to securely section off vulnerable operations, while also benefiting from the various options DataHub provides such as its local Store and Forward mechanism discussed earlier. Let Cogent DataHub be your secure conduit for all sorts of communications.
Key Benefits Include:
OPC and Multi-Source Connectivity: Cogent DataHub seamlessly integrates data from various sources, including OPC DA, HDA, UA, MQTT, A&C and A&E, enabling a unified collection of industrial processes. Once data is collected into the DataHub, it is stored and processed in a common format to easily operate the various plug-ins.
Secure Data Mirroring: Data is mirrored between DataHub instances, ensuring data integrity across instances with encrypted communications enabled by SSL support and optional password protection.
Value, Quality, and Time Synchronization: Data values, quality, and time are synchronized across DataHub instances regardless of protocol, creating an invisible tunnel for communications where the end source wouldn’t know any difference.
Customized Security Profiles: DataHub V11 provides a secure out-of-the-box experience with a highly configurable security profile. Limit access to specific IP addresses, subnets, and protocols all within DataHub. Create and manage users with MFA/TOTP support to further secure user access. For more information, we recommend reading our blog, “Enhancing Remote Config Access Security with MFA/TOTP”.
Conclusion
By leveraging the secure benefits of DataHub tunneling, you can safeguard your industrial network, mitigate risks, and build a more resilient and secure operational environment.
Ready to get started with secure network tunneling in DataHub? Download the free trial from our website now. All features are enabled during a 1-hour demo period, which can be reset by simply restarting the application.
Be sure to also subscribe to our blog for future technical how-tos, video tutorials, and more!