Adroit Perimeter Defence Solution

Potential cyber-attacks and various other constantly escalating external threats are a source of real concern for those responsible for implementing and deploying enterprise information solutions that incorporate the likes of the Adroit Smart SCADA software suite. As well as the clear need to protect critical infrastructure from these threats, there is a growing requirement to comply with rigorous security standards from regulatory bodies such as NERC, NIST, and the NRC.

Being at the heart of numerous high-integrity, critical industrial applications ranging from Defence, Transport, Energy Management & Distribution, Water Treatment, right through to Nuclear Power Generation, Adroit Technologies have been obliged to provide a solution to this problem.

The diagram shows the Adroit Perimeter Defence Solution, which involves creating a Secure Zone within a designated secure boundary. Local I/O, shown on the diagram as PLC 1 through PLC n, are connected to an Adroit server (or dual-redundant server-pair) within the secure zone. The server(s) in the secure zone exclusively connect to the outside world via a Data Diode device, such as the OPDS-MP Perimeter Defense unit from Owl Computing Technologies.

The data diode physically separates its in-bound network interface from its out-bound network interface in such a way that data flow is possible only in a unidirectional sense: secure zone -> unsecured zone. In so doing, the diode renders the infrastructure behind the perimeter defence totally secure from outside cyber-attack, and other escalating external threats. At the same time, thanks to Adroit’s new Tag Synchronization Service (TSS), any number of servers outside the secure zone can be kept in-sync with a server inside the secure zone, and offer client connectivity to local and/or remote client workstation HMIs and other applications, without in any way compromising the security of the critcal infrastructure within the secure zone.

Why the need for TSS

The reason something as comprehensive as a specialized Tag Synchronization Service is required, is worth some explantion: Most application network protocols, including all the hitherto available Adroit network APIs, require some kind of Request-Response, bi-directional chit-chat at the application level. The data diode obviously prevents this from happening successfully, and so a new, purely unidirectional Adroit application protocol, TSS, has been created.

TSS is implemented as an Operating System service so that, just like the other Adroit services, it can be configured to start up automatically, without any user intervention, when a server machine is booted.

Once installed, the service will appear in the Windows Services.msc snap-in, as shown in the screenshot. From here it can be Started or Stopped, configured to run Automatically or Manually, assigned Log On credentials, etc. – just like any other operating system service.

TSS operates in one of two modes, depending on whether it is running on a server within the secure zone, or whether it is running on one of the servers outside the secure zone. Within the secure zone, TSS operates as a Source service, and outside the secure zone it operates as a Destination service.

Configuration

Configuration of TSS is done purely for Source servers, i.e. no configuration at all is necessary for Destination servers other than configuring an inbound firewall rule to allow connections from a source server. Source server configuration is done via an XML file containing the following XML tags:

Tag Purpose
<Mode> Defines whether TSS is to run as Source or Destination service. If the configuration XML file does not exist in its designated folder, or the value of the <Mode> tag is anything other than “Source”, TSS will run as a Destination service
<Server> For each secondary server outside the secure zone that is to be synchronized, a <Server> tag must exist. The name attribute of this tag is not important and can be used just for clarity/readability of the XML
<IPAddress> IP address of the destination server. Once again, the name attribute shown for this tag is of no real significance other than clarity
<RefreshEvery> Interval in seconds at which the destination server will be refreshed. The source TSS service subscribes to all Adroit tags configured in the configuration XML file. This means TSS is notified every time an Adroit tag value or status changes. The changed tag values and agent status words accumulated since the last refresh are then sent to the destination server on expiry of the next refresh interval
<FullSyncEvery> Because TSS is purely unidirectional and no application-level acknowledgment is possible, it is important that the destination server is periodically updated with all tag data and agent status words, irrespective of whether there have been any changes or not. The <FullSyncEvery> interval is used for this, and should clearly be longer than the <RefreshEvery> interval. Typical values for these may be 60 seconds and 1 second, respectively
<SyncFromStandby> This tag is used to determine whether you want a Standby partner in a dual-redundant source configuration to sync the destination server. A value of ‘false’ for this tag will prevent a standby source server from synchronizing the destination server and a value of ‘true’ will do the opposite
<Tag> For every Adroit tag to be synced in the destination server, a <Tag> entry must exist in the configuration XML file. The Adroit tags themselves should exist in both the source and destination servers, but there is no requirement that every destination server should have every tag. This means that it is possible to sync different sub-sets of source server tags into different destination servers

Conclusion

Potential cyber-attacks and other external threats present an ever-increasing challenge to enterprise-critical information and operational infrastructure. Hardware solutions such as data diodes may offer signficant assistance in this regard, but because they have such an overwhelming impact on most application network protocols, it can often be a case of "throwing the baby out with the bathwater", i.e. the data diode renders existing network APIs and therefore the complete solution inoperable.

To overcome this, Adroit Technologies, in conjunction with hardware partners 4 Secure and Owl Computing Technologies, have implemented an application network protocol that provides all the security a data diode has to offer, without limiting access to Adroit tag data from local and/or remote client applications. Find out more about acquiring this solution