Secure Critical Data Movement at Scale
Manufacturers face a constant challenge in controlling energy and maintenance costs. Equipment at their factories can consume millions of dollars of energy and water annually, and even minor performance issues can lead to costs adding up quickly.
Unexpected equipment failure is another major concern. A lack of predictive maintenance can cause production to stop, resulting in significant lost revenue with each hour of downtime.
According to Aberdeen Research, manufacturers can lose up to $260,000 each hour due to unplanned downtime. With attacks now causing 21 days of downtime on average, the stakes couldn’t be higher.
To combat these issues, manufacturers use analytics platforms and energy savings performance contracts to help maintenance teams. They use OPC and other data flows to stay on top of critical equipment at each facility, prioritize tasks, and direct investments.
However, internal OT (Operational Technology) security teams see tremendous cybersecurity risks in connecting the factory floor to the Internet:
- Legacy OT devices often lack built-in security or patching capabilities.
- Exposing OPC data feeds externally can create attack vectors for adversaries.
- Modifying production systems is costly and risks downtime.
These security concerns are well-founded and supported by federal guidance. In March 2022, CISA (the Cybersecurity and Infrastructure Security Agency) recommended the use of one-way communication diodes to enhance network segmentation and protect industrial control systems from cyberattacks. This guidance was further reinforced in 2023, when both NIST and the Department of Defense recommended data diodes as an option for securing OT infrastructure in the latest NIST SP 800-82r3 and UFC 4-010-06.
The facility needed a way to extract and share OT data securely, without requiring disruptive system changes or adding new vulnerabilities.
MetaDefender Optical Diode with Enero Protocol Conversion
The manufacturer partnered with OPSWAT and Enero Solutions to design a secure, low-latency data transfer architecture.
MetaDefender Optical Diode (Fend) uses optical isolation to send data in one direction only, physically protecting key assets. It provides system visibility while preventing malware, ransomware, and other attacks from crossing the network connection.
Working with Enero Solutions, we brought OPC UA data feeds out of legacy systems without modifying the original systems. The OPC Protocol Conversion with MetaDefender Optical Diode (Fend) uses a multistep, low-latency approach to securely expose OPC data outside the OT network without introducing potential attack vectors for bad actors.
How it works
- An OPC client on the protected (OT) side consumes OPC UA or DA subscriptions.
- The OT-side Edge Device serializes the data for TCP passthrough and forwards it to the MetaDefender Optical Diode (Fend).
- The diode passes the stream, in one direction only, to a TCP server on the enterprise side.
- The IT-side Edge Device deserializes the stream and extracts it as viable OPC points (path, value, timestamp).
- An OPC client on the enterprise (IT) Edge Device writes the points to an OPC UA server, which the customer accesses through a subscription.
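As an added illustration of the serialize/deserialize step above (this is not OPSWAT's or Enero's code; the frame layout, field names and sample points are constructed assumptions), here is a Python sketch of an OT-side encoder and an IT-side decoder. It shows what a one-way link implies for the receiving edge: corrupt, truncated or lost frames can never be re-requested, so the decoder validates every frame, resynchronizes past bad ones, and records sequence gaps instead of stalling.

```python
import json, struct, zlib
from dataclasses import dataclass

# Constructed wire format for the one-way TCP passthrough (an assumption; the page names
# the serialization step but not its format): MAGIC | len:u32 | crc32:u32 | JSON body.
MAGIC = b"OPCP"
HEADER = len(MAGIC) + 8

@dataclass
class OPCPoint:
    seq: int    # sender counter: the only way a receiver with no back-channel can notice loss
    path: str   # OPC node path, e.g. "Plant1/Line2/Chiller/kW" (constructed)
    value: object
    ts: float   # source timestamp, epoch seconds

def encode_point(p):
    """OT-side edge: serialize one OPC point into a self-delimiting frame."""
    body = json.dumps({"seq": p.seq, "path": p.path, "value": p.value, "ts": p.ts},
                      separators=(",", ":")).encode()
    return MAGIC + struct.pack(">II", len(body), zlib.crc32(body)) + body

def _resync(data, start):
    nxt = data.find(MAGIC, start)
    return len(data) if nxt < 0 else nxt

def decode_stream(data):
    """IT-side edge: validate every frame, drop corrupt ones, report sequence gaps."""
    points, issues, expected, i = [], [], None, 0
    while i < len(data):
        if data[i:i + 4] != MAGIC:
            issues.append(("garbage", i)); i = _resync(data, i + 1); continue
        if i + HEADER > len(data):
            issues.append(("truncated", i)); break
        length, crc = struct.unpack(">II", data[i + 4:i + HEADER])
        body = data[i + HEADER:i + HEADER + length]
        if length > 64 * 1024 or len(body) < length:   # never trust a header's length field
            issues.append(("bad_length", i)); i = _resync(data, i + 1); continue
        if zlib.crc32(body) != crc:
            issues.append(("bad_crc", i)); i = _resync(data, i + 1); continue
        try:
            o = json.loads(body)
            p = OPCPoint(int(o["seq"]), str(o["path"]), o["value"], float(o["ts"]))
        except (ValueError, KeyError, TypeError):
            issues.append(("bad_body", i)); i = _resync(data, i + 1); continue
        if expected is not None and p.seq != expected:
            issues.append(("gap", expected))   # frames lost in transit: log it, cannot recover
        expected = p.seq + 1
        points.append(p)
        i += HEADER + length
    return points, issues
```

The `issues` list is what the IT-side edge should feed to monitoring: a CRC-32 only catches accidental corruption, so in a real deployment the gap and error counters are the signal that the link, not the data, needs attention.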
Outcome
With the integrated solution, the manufacturing facility achieved:
- Complete OT/IT Isolation: Hardware-enforced one-way transfer ensures that no external threats can penetrate the OT network.
- Real-Time Visibility: Secure, continuous delivery of OPC UA data to IT systems, enabling faster response times, improved monitoring, and data-driven decision-making.
- Preserved Uptime and Investments: Legacy OT systems remained untouched, avoiding costly replacements or disruptive downtime.
- Reduced Cyber Risk: By removing attack vectors tied to direct connections or software-only approaches, the facility strengthened its overall cybersecurity posture.
- Regulatory Alignment: The implementation follows federal cybersecurity best practices, meeting CISA recommendations for one-way communication diodes and aligning with NIST SP 800-82r3 and DoD UFC 4-010-06 guidance for securing OT infrastructure.
Looking to the Future
Legacy OT systems don't have to be security liabilities. With the right approach, manufacturers can extract valuable operational data while maintaining complete network isolation and preserving existing investments.
Contact OPSWAT today to learn how MetaDefender Optical Diode (Fend) can enable secure data extraction from your legacy systems while maintaining hardware-enforced protection.