One of our own, or a cybersuit for a factory

Look back only 10 years, and it seems that since then cybersecurity technologies have flown off somewhere far beyond the horizon, from where they smile smugly at the paradigms, theories and practices that prevailed before.

Although… if you thoroughly scrape the marketing off most of these “technologies” and treat them with magic remedies against inflammation of artificial intelligence, next-gen itch and other cybersecurity hype, then the same classic tangle of problems remains at the root:

How to protect data from prying eyes and unauthorized changes while maintaining business continuity?

Indeed, the holy images of confidentiality, integrity and availability have not disappeared from the iconostasis of the practicing cybersecurity officer. Only a thick layer of marketing dust has settled on them. Along with a fair amount of tall tales and noodles hung on our ears.

Digital always brings the same problems with it, wherever it goes. And it will penetrate further and deeper, because the benefits of digitalization are all too obvious. Even such seemingly conservative areas as heavy machine building, oil refining, transport or energy have in fact long been digital. And here begins what they call the classic dilemma: you want to, but you are afraid it will sting.

It is clear that with digital, business efficiency grows by leaps and bounds. But on the other hand, get hacked and good luck finding the culprits (there are plenty of examples). There is a great temptation to open your arms to digital (poetry!), but you need to do it in such a way that it does not hurt excruciatingly (read: so that business processes stay continuous). And for such cases our “first aid kit” holds a special pain reliever: the cyber-immune gateway KISG 100.

This small “box”, with a recommended price of about 90,000 rubles, is installed between digital industrial equipment (let’s call it a “machine”) and a server that collects various signals from this equipment. The signals are varied: performance, failures, resource consumption, vibration, CO2/NOx measurements and more, all of which are needed to form an overall picture of production and then make informed business decisions.

The “box” is small but mighty. It allows the machine and the server to exchange only permitted data, and only in one direction. Thus we instantly cut off a whole zoo of attacks: man-in-the-middle, man-in-the-cloud, DDoS and various other sores that can stick to a server on the Internet in our difficult times.

KISG 100 (runs on the Siemens SIMATIC IOT2040 hardware platform and our cyber-immune operating system KasperskyOS) separates the external and internal networks so that not a byte of malicious code leaks between them, and the industrial equipment remains pristine. The technology (patent applications 2021130011, 2021115238 and 2021113657) works on the principle of a data diode, opening the data flow in one direction only when certain conditions are met. But unlike competing solutions, it does so (i) more reliably, (ii) more simply and (iii) more cheaply! Shall we figure it out? Yes!

It is not for nothing that this “box” is also called a sluice: its operation really is somewhat reminiscent of a classic hydraulic lock. The lower gate opens, the vessel enters the chamber, the water levels equalize, the upper gate opens, and the vessel leaves the chamber. Likewise, KISG 100 first initializes the data source agent on the industrial-network side, then connects it with the data receiver agent on the server side and allows unidirectional data transfer.

While a connection is being established between the machine and the server, the system is in the so-called protected state: both agents (source and receiver) are denied access to the external network and to untrusted memory, but they are allowed access to trusted memory, from which they receive their operating parameters (encryption keys, certificates, etc.). In this state the gateway cannot be compromised by attacks from the external network: at this stage all of its components are disconnected from the outside world and are considered trusted; they are only being loaded and initialized.

After initialization the gateway switches to the working state: the receiver agent gets the right to transfer data to the external network and access to untrusted memory (which holds service information and a temporary data buffer), but it is denied access to trusted memory. Thus, even if the server side has been hacked, the attackers will still not be able to extend the attack to the other components of the gateway or to the industrial network.

Control over compliance with the rules of interaction between the agents, and the switching of gateway states, is provided by a special security monitor, KSS. This is an isolated subsystem of KasperskyOS which vigilantly monitors the enforcement of predefined security policies (which component may do what) and, following the principle “everything that is not allowed is prohibited”, blocks all forbidden actions. The main competitive advantage of KSS is that it is very convenient to describe interaction rules in a special language and to combine ready-made security models. Even if one of the KISG 100 components (for example, the receiver agent) is compromised, it will not be able to harm the remaining components, and the system administrator will be notified of the attack.
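To make the two-state, default-deny model concrete, here is a toy simulation of it added for this write-up; it is not KasperskyOS, KSS or KISG 100 code, and the state names, agent names, resource names and the source agent’s working-state entry are assumptions chosen to mirror the description above.

```python
from enum import Enum


class State(Enum):
    PROTECTED = "protected"  # agents are being loaded and initialized
    WORKING = "working"      # receiver may now talk to the external network


# Constructed policy table: (state, agent) -> resources that agent may touch.
# Anything not listed is denied ("everything that is not allowed is prohibited").
# The source agent's WORKING entry is an assumption; the text does not list it.
ALLOWED = {
    (State.PROTECTED, "source"):   {"trusted_mem"},
    (State.PROTECTED, "receiver"): {"trusted_mem"},
    (State.WORKING, "source"):     set(),
    (State.WORKING, "receiver"):   {"external_net", "untrusted_mem"},
}


class Monitor:
    """Hypothetical stand-in for the KSS security monitor: default-deny access
    checks, the protected -> working transition, and the one-way data flow."""

    def __init__(self):
        self.state = State.PROTECTED
        self.initialized = set()  # agents that have loaded their parameters
        self.log = []             # denied actions, what an admin would be told

    def access(self, agent, resource):
        ok = resource in ALLOWED.get((self.state, agent), set())
        if not ok:
            self.log.append(f"{self.state.value}: {agent} -> {resource} denied")
        return ok

    def load_parameters(self, agent):
        # Keys and certificates live in trusted memory, reachable only while protected.
        if self.access(agent, "trusted_mem"):
            self.initialized.add(agent)
        return agent in self.initialized

    def start_working(self):
        # The upper "gate" opens only once both agents are initialized.
        if self.state is State.PROTECTED and self.initialized == {"source", "receiver"}:
            self.state = State.WORKING
        return self.state is State.WORKING

    def transfer(self, sender, recipient):
        # Data diode: only source -> receiver, and only in the working state.
        ok = self.state is State.WORKING and (sender, recipient) == ("source", "receiver")
        if not ok:
            self.log.append(f"{self.state.value}: transfer {sender} -> {recipient} denied")
        return ok
```

The denied-action log stands in for the administrator notification the text mentions; a compromised receiver in the working state cannot reach trusted memory or push data back toward the source.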

Are you still with us? Then it’s time to say “but that’s not all!”

With the help of the “box” you can implement end-to-end digital services! It allows you to securely integrate industrial data into ERP/CRM and other business systems of the enterprise!

The scenarios for such services can be very different. For example, for our esteemed customer ChTPZ (part of TMK), we calculated the quality of the machine tool that cuts the pipe. Thanks to this, the cost of selecting such a tool can be reduced, and the savings from predictive analytics can reach up to 500,000 rubles per month (sic!). In fact, such integration opens up an endless horizon of possibilities.

Another example: thanks to connecting its industrial equipment to 1C:Enterprise, the LenPoligrafMash holding was able to display near-real-time analytics on the output of individual operators in its ERP environment and to calculate actual (rather than standard, average) downtime. The uniqueness of the approach and its scalability to the “small intelligent planet” were confirmed by experts from the respected analytical agency ARC Advisory in their first “cyber-immune” report.

Such is this “miracle of technology”! Already now, in addition to active duty at ChTPZ, KISG 100 is supplied with metal-working machines from Stankomashkompleks, there are successful pilot projects with Rostec (STAN) and Gazpromneft, and dozens of pilots in other large industrial organizations. The device received a special award for outstanding technology at the largest Chinese IT event, the World Internet Conference; at the Hannover Messe 2021 industrial exhibition KISG 100 was ranked among the best innovative solutions; and most recently it won the IoT Awards 2021 from the Russian Association of Internet of Things Market Participants, beating many worthy companies in the competition, including Sberbank.

In the future we will expand the range of such smart boxes. At the “beta” stage (available for non-commercial piloting!) is the “big brother”, KISG 1000, which works not only as a switchman but also as an inspector: it not only collects, checks and distributes telemetry, but also transmits control commands to devices and protects against network attacks.