Data from process systems has never been more in demand. With Industrial IoT, Industry 4.0 and other initiatives, corporate leaders and government policy makers alike understand the value of remote access to production data for increasing efficiencies and cutting costs. Access to this data is essential they say, but it must be secure access.
Corporate cyberattacks are increasing, costing far too much for companies and nations. The average loss due to a successful data breach on a corporate system is estimated at $4.25 million, according to IBM. Even small business losses are typically in the hundreds of thousands, enough to shut many companies down. Such damage, when sustained by multiple enterprises in a country, can have a crippling effect on the national economy.
To stem this rising tide of ransomware attacks and other exploits on critical infrastructure, the European Union has issued a tough new policy: the NIS 2 Directive, effective October 2024. NIS 2 applies to all areas of the enterprise. For data communications, it mandates “a level of security of network and information systems appropriate to the risks posed.” More specifically, the recommended way to securely access process data from corporate systems is by segregating OT (operations technology) and IT networks, using a DMZ (demilitarized zone).
Given the rewards of data connectivity, the risks of cyberattacks, and the inevitable implementation of the NIS 2 Directive and other government policies, what is the best way forward?
1. Invest in prevention
Considering the risks, it is wise to invest in prevention. Most successful corporate hacks are targeted at office systems. If you are allowing connections from IT to operations, you need to ensure that the production system is not compromised by an attack on IT. Cybersecurity experts, industry leaders and government agencies all agree that the most secure way to connect IT and operations is to segregate networks using a demilitarized zone, or DMZ.
2. Isolate production
A DMZ isolates the production system from IT, ensuring no direct link between corporate networks and control networks. Only known and authenticated actors can enter the system at all. Firewalls can protect both operations and IT sides and should be configured to allow only outbound connections to the DMZ. This ensures that only the correct data passes between networks.
3. Avoid VPNs
Until recently, many companies have used VPNs (virtual private networks) to access data on their OT networks. But this is what the recommendations to segment networks advise against doing. Rather than segmenting networks, VPNs join them. A VPN extends the IT security perimeter into the plant network, effectively connecting the two networks. Anyone hacking the IT network and accessing a VPN can use it to reach every other connected node, including those on a linked OT network.
4. Tunnel/mirror the data
To make a secure, robust connection across a DMZ, and enable real-time bi-directional communication, Skkynet recommends secure tunnel/mirroring. Well-designed tunnel/mirror middleware can mirror data securely across a DMZ in real time to clients running in IT or the cloud. There is no need for virtual private networks, and all inbound firewall ports can stay closed. Access to operations data is becoming essential in today’s competitive environment. But there is no reason such access cannot be secure. It is possible to fully comply with the NIS 2 Directive and still provide qualified users access to your production data. Segregating networks using a DMZ is the recommended approach, and this is best implemented with secure tunnel/mirroring.
Xavier Mesrobian is vice president of sales and marketing at Skkynet Cloud Systems.
