OT & Industrial Cybersecurity Solutions

Deliver Security and Trust for the Convergence of IT, OT and ICS Networks

The once clear distinction between information technology (IT), operational technology (OT) and industrial control system (ICS) networks is blurring as demand for connectivity grows. This convergence exposes OT and ICS assets to attacks that propagate from the IT domain into operational environments. In particular, moving files and devices into, across and out of protected environments is a principal avenue for security incidents.

Removable (USB) media and transient devices are a risk because they may carry infected files, malware hidden in unexpected partitions, or malicious hardware and firmware. Business stakeholders also need access to operational data; granting it over the network weakens segmentation and air gaps and exposes OT/ICS environments to attack.

OPSWAT solutions enable safe and compliant use of removable media and transient devices, and enforce unidirectional data transfers.

Products that Help Manage OT & Industrial Cybersecurity

OPSWAT solutions support multiple OT and industrial cybersecurity and compliance use cases. They can be managed through OPSWAT Central Management, which provides a single pane of glass for policies, settings and health monitoring across multiple deployments worldwide.

OT & Industrial Security Deployment Scenarios

MetaDefender Kiosk - Standalone

A common control for portable and removable media, one that meets NIST, NEI, NERC CIP, ISO/IEC and ISA/IEC requirements, is to place OPSWAT MetaDefender Kiosks at key checkpoint entrances, critical SCADA network locations and research facilities so that all media is verified before use.

MetaDefender Kiosk security policies require that all portable media be scanned, sanitized and approved before it is used in the facility.

The kiosk identifies the user, the source and the file types; looks for malicious partitions and malware; and determines whether the device is safe to use or requires further inspection.

  • Allowlisting: An administrator can restrict media use to specific pre-screened vendors, device types or individual devices, so that only allowlisted media are admitted into the facility.
  • Client certified media: Organizations can also supply their own certified media as the destination to which all sanitized/validated files are copied. In that case only these devices are allowed into the facility, carried by the employee or contractor or under escort.

MetaDefender Kiosk – Standalone with Closed Loop Media Control

Other use cases further enhance compliance. In particular, the kiosk provides "closed-loop" media control via the OPSWAT software client or the OPSWAT USB Firewall: a closed-loop system prevents the introduction of malicious content, or any change to approved content, while it is in transit from the kiosk to the destination system.

For critical environments where installing software could void the vendor warranty on existing systems, the USB Firewall provides a no-install option for closed-loop control.

MetaDefender Kiosk is available as a turnkey system or can be installed on the client's preferred hardware or VM-based systems.
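To make the closed-loop idea concrete, here is an added example (not OPSWAT's code, and not a description of how MetaDefender Kiosk or the USB Firewall are implemented) of what the two ends of the loop have to do: the kiosk admits only allowlisted devices and writes a keyed manifest of approved file hashes onto the media, and the endpoint agent refuses the media unless its contents are exactly what the kiosk approved. The shared HMAC key, the allowlisted device identity and the file contents are constructed for the example; a product would typically sign manifests with an asymmetric key rather than share a secret with every endpoint.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed for the example: a key shared between the kiosk and endpoint agents.
# Assumption: a real deployment would provision this securely and rotate it.
MANIFEST_KEY = b"example-only-shared-key-do-not-deploy"

# Constructed allowlist of media identities: (USB vendor ID, product ID, serial number).
MEDIA_ALLOWLIST = {
    (0x0781, 0x5581, "4C530001230120101234"),
}


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: str


def device_allowed(dev: UsbDevice) -> bool:
    """Allowlisting: only pre-screened physical devices are admitted."""
    return (dev.vendor_id, dev.product_id, dev.serial) in MEDIA_ALLOWLIST


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Deterministic encoding so kiosk and endpoint authenticate identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def kiosk_build_manifest(dev: UsbDevice, files: dict[str, bytes]) -> dict:
    """Kiosk side: after scanning/sanitizing, bind the approved file hashes to the device."""
    if not device_allowed(dev):
        raise PermissionError("media device is not on the allowlist")
    body = {
        "device": {"vid": dev.vendor_id, "pid": dev.product_id, "serial": dev.serial},
        "files": {name: _digest(data) for name, data in files.items()},
    }
    tag = hmac.new(MANIFEST_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def endpoint_verify(dev: UsbDevice, files: dict[str, bytes], manifest: dict) -> list[str]:
    """Endpoint side: return the list of violations; an empty list means the media is accepted."""
    body = manifest.get("body", {})
    expected = hmac.new(MANIFEST_KEY, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("tag", "")):
        return ["manifest tag invalid"]  # nothing else in the manifest can be trusted
    problems = []
    d = body.get("device", {})
    if (d.get("vid"), d.get("pid"), d.get("serial")) != (dev.vendor_id, dev.product_id, dev.serial):
        problems.append("manifest was issued for a different device")
    approved = body.get("files", {})
    for name in sorted(approved.keys() - files.keys()):
        problems.append(f"approved file missing: {name}")
    for name in sorted(files.keys() - approved.keys()):
        problems.append(f"unapproved file present: {name}")
    for name in sorted(approved.keys() & files.keys()):
        if _digest(files[name]) != approved[name]:
            problems.append(f"file modified after kiosk approval: {name}")
    return problems


if __name__ == "__main__":
    dev = UsbDevice(0x0781, 0x5581, "4C530001230120101234")
    media = {"firmware_update.bin": b"\x7fELF constructed payload", "readme.txt": b"release notes"}
    manifest = kiosk_build_manifest(dev, media)       # written onto the media by the kiosk
    print("clean media:", endpoint_verify(dev, media, manifest))
    media["readme.txt"] += b" (edited in transit)"   # tampering after approval
    print("tampered media:", endpoint_verify(dev, media, manifest))
```

The endpoint checks the tag before reading anything else from the manifest, binds the manifest to the physical device so an approved manifest cannot be copied onto other media, and treats an extra file as a violation, not just a modified one; that last point is what makes the loop closed rather than merely "scanned at the kiosk".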

MetaDefender Kiosk to Vault with Unidirectional File Transfers

The third closed-loop option for MetaDefender Kiosk secures data at rest and data in transit. In this use case the kiosk provides workflow control, and files are delivered unidirectionally through NetWall USG to MetaDefender Vault, hosted on the target network.

MetaDefender Vault provides tiered supervisory authentication, authorization, approval and audit reporting for transferring, storing and retrieving files into and out of protected network segments.

  • Users insert all media into the kiosk and select MetaDefender Vault as the destination.
  • Vault begins processing the files immediately, in parallel with the facility entry workflow, so the user does not wait for local processing and can proceed into the facility.
  • The kiosk ticketing system prints a unique temporary code for the user that grants time-limited network access, from inside the facility, to the validated/sanitized files stored in the client-hosted MetaDefender Vault.
  • Unidirectional security gateway option: for high-security environments that require security in transit, NetWall USG and data diodes can be added between MetaDefender Kiosk and Vault. The device enforces one-way traffic and guards against firewall misconfiguration, whether accidental or malicious.

All files in MetaDefender Vault are encrypted at rest with AES, monitored, checked for malware by 30+ anti-malware engines, sanitized, and quarantined according to configuration and workflow policies.
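The printed ticket described above is a bearer credential with a short life, so the interesting part is what the Vault side has to get right: the code must not be stored in a recoverable form, it must be bound to the user and the file set it was issued for, it must expire, and every redemption attempt must be logged. The following is an added example of that logic (not OPSWAT's code and not a description of MetaDefender Vault's internals); the hashing key, the 8-digit code format and the shift-length default validity window are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Assumption for the example: a ticket is valid for one shift.
DEFAULT_TTL_SECONDS = 8 * 3600


class TicketStore:
    """Vault side of the kiosk ticketing flow (simplified model).

    Only a keyed hash of each printed code is stored, so a copy of the store
    does not yield usable codes. Each record binds the code to the user it was
    issued to, the approved file set, and an expiry time.
    """

    def __init__(self, key: bytes, clock=time.time):
        self._key = key          # constructed secret used to hash codes
        self._clock = clock      # injectable so expiry can be tested deterministically
        self._tickets = {}       # code hash -> record
        self.audit = []          # every redemption attempt, for audit reporting

    def _hash(self, code: str) -> str:
        return hmac.new(self._key, code.encode(), hashlib.sha256).hexdigest()

    def issue(self, user: str, file_ids: list[str], ttl: int = DEFAULT_TTL_SECONDS) -> str:
        """Called once the files are processed; returns the code printed for the user."""
        code = f"{secrets.randbelow(10**8):08d}"   # 8 random digits, printable on a ticket
        self._tickets[self._hash(code)] = {
            "user": user,
            "files": frozenset(file_ids),
            "expires": self._clock() + ttl,
        }
        return code

    def redeem(self, code: str, user: str, file_id: str) -> tuple[bool, str]:
        """Check a retrieval request; every attempt is logged whether or not it succeeds."""
        ok, reason = self._check(code, user, file_id)
        self.audit.append({"t": self._clock(), "user": user, "file": file_id,
                           "ok": ok, "reason": reason})
        return ok, reason

    def _check(self, code: str, user: str, file_id: str) -> tuple[bool, str]:
        rec = self._tickets.get(self._hash(code))
        if rec is None:
            return False, "unknown code"
        if self._clock() > rec["expires"]:
            return False, "code expired"
        if rec["user"] != user:
            return False, "code issued to a different user"
        if file_id not in rec["files"]:
            return False, "file not covered by this code"
        return True, "ok"


if __name__ == "__main__":
    store = TicketStore(key=b"example-only-vault-key")
    code = store.issue("contractor-17", ["job-4411/firmware_update.bin"], ttl=3600)
    print("ticket:", code)
    print(store.redeem(code, "contractor-17", "job-4411/firmware_update.bin"))
    print(store.redeem(code, "contractor-17", "job-4411/other.bin"))
```

An 8-digit code has only 10^8 possibilities, so the retrieval endpoint must also rate-limit failed attempts per source and per user; the audit list here is where that signal would come from. Checking the code before the user name means a guessing attacker learns nothing about whose tickets exist.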

MetaDefender Vault to Kiosk (Data Loss Prevention)

Vendors and contractors often need to extract files from a facility for debugging and analysis. In this use case the data flow originates in MetaDefender Vault and proceeds to the kiosk, where an authenticated and authorized user extracts the files onto approved media. Data security and data privacy rules are enforced through pre-defined data redaction rules assigned to the relevant workflow(s).

These redaction and workflow rules are designed to support GDPR, NIST, HIPAA, HITRUST, ISO/IEC and ISA/IEC data security and privacy compliance. All data transfers and workflow configuration changes are logged for detailed audit reporting.
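As an added illustration of workflow-bound redaction rules (example code, not OPSWAT's, and not a description of how MetaDefender Vault implements them), the block below keeps a rule set per outbound workflow, applies it to text being exported, fails closed for a workflow that has no rules, and returns per-rule hit counts for the audit record. The workflow name, the rule patterns and the sample log lines are constructed for the example.

```python
import re

# Constructed rule sets keyed by workflow name; each rule is (label, pattern, replacement).
# Rules run in order: credentials go first so a secret whose value would also match a
# later pattern (for instance a password containing an e-mail address) is removed whole.
REDACTION_RULES = {
    "vendor-debug-export": [
        ("CREDENTIAL", re.compile(r"(?i)\b(password|passwd|secret)\s*=\s*\S+"),
         r"\1=[REDACTED:CREDENTIAL]"),
        ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
         "[REDACTED:EMAIL]"),
        ("IPV4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
         "[REDACTED:IPV4]"),
        ("US_SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
         "[REDACTED:US_SSN]"),
    ],
}

# Constructed sample of a controller log a vendor might ask to take off site.
SAMPLE_EXPORT = (
    "2024-03-11 08:12:03 plc-07 operator login admin@plant.example from 10.20.30.41\n"
    "2024-03-11 08:12:09 hmi-02 config password=Sup3rS3cret! applied\n"
    "2024-03-11 08:14:55 badge office escort record ssn 123-45-6789\n"
)


def redact(text: str, workflow: str) -> tuple[str, dict[str, int]]:
    """Apply the workflow's redaction rules; return the redacted text and per-rule hit counts."""
    try:
        rules = REDACTION_RULES[workflow]
    except KeyError:
        # Fail closed: a workflow with no rule set must not export anything.
        raise PermissionError(f"no redaction rules defined for workflow {workflow!r}")
    counts: dict[str, int] = {}
    for label, pattern, replacement in rules:
        text, hits = pattern.subn(replacement, text)
        if hits:
            counts[label] = hits
    return text, counts


if __name__ == "__main__":
    redacted, hits = redact(SAMPLE_EXPORT, "vendor-debug-export")
    print(redacted)
    print("audit:", hits)
```

Pattern-based redaction is a first pass for text artifacts; binary formats (project files, firmware images, office documents) need format-aware handling, and the hit counts, not the redacted content, are what belongs in the audit log.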

MetaDefender Vault to Vault (Data in Transit Protection)

Whether you are working with NIST, NERC CIP, AWIA, ISO/IEC or ISA/IEC, cybersecurity standards generally recommend that systems be profiled and grouped by risk (threats, vulnerabilities and consequence of compromise). Systems in a group share a similar security profile and can therefore be secured more efficiently and effectively.

These groupings go by different names in different industries; common terms are "operational network," "protected network," "classified network," "security domain" and "security zone." Data in transit between domains or zones is then referred to as a "cross-domain" transfer, an "IT/OT" transfer, or a transfer across "network segments."

For operational purposes, files will need to be securely transferred between these security zones in a controlled, monitored, and logged process.

With OPSWAT MetaDefender Vault installed in each security zone, file movement between zones can be subject to multi-tier supervisory approval, secured in transit, audited and secured at rest.

MetaDefender Drive

MetaDefender Drive scans laptops, workstations and servers to identify malware, sensitive data at risk of loss, vulnerable binaries and software of foreign origin. Targets include remote-use laptops, employee assets, contractor machines and similar transient systems.

  • OPSWAT Central Management: A detailed audit report is produced and can be centralized across multiple instances via the OPSWAT Central Management software.
  • MetaDefender Vault: Drive can use MetaDefender Vault as a destination.
  • Forensics: Drive can copy all clean files to another USB device.
  • Critical infrastructure: MetaDefender Drive can handle older, resource-constrained systems with as little as 1 GB of RAM.

Use cases include:

  • Inspection: Inspect all transient assets from outside the entity's digital security perimeter that are to be reconnected to secure systems and networks.
  • Supply chain final check: Final inspection of purpose-built turnkey systems before they are shipped to other entities.