Over 25+ years of DCS control systems engineering, Transition Technologies Capital Group has gained significant experience with OT technology as well as with constantly evolving, complex enterprise IT.
Dealing with cybersecurity requirements on a daily basis, the experienced staff have gained a unique set of skills covering OT and IT expertise in the field of ICS-centric cybersecurity.
The cybersecurity features of TT-AS products have matured over time across hundreds of projects implemented worldwide. While they are core elements of the standardized industrial data processing solutions that TT-AS offers to various industries, the cybersecurity modules are also available as a family of generic products suited to any industrial environment that requires secure publication of industrial data from OT networks to the corporate IT environment.
Dynamic business needs on-line data. Take care of your business and let us take care of the data. 100% safe.
The cybersecurity solutions use EDS (Enterprise Data Server) as the industrial data processing platform. EDS is compliant with the NERC CIP (for fossil power plants) and NRC 10 CFR 73.54 (for nuclear power plants) regulations and is used in many fossil and nuclear power plants across the globe.
The technology behind TT-AS cybersecurity solutions is based on unidirectional communication. For industrial data tunneling, the unidirectional connection links the OT network to the IT network, with data allowed to move from OT to IT but not the other way.
Unidirectional communication can be achieved in several ways, ranging from hardware-enforced devices such as "data diodes" or network taps to logically enforced one-way packet transfer rules on generic firewalls or routers. Examples of supported unidirectional communication hardware include Waterfall, Owl, Canary, Cisco.
In addition to turn-key solutions, our products can easily fit into a client's existing architecture - the only requirement is transparent UDP communication, and generic network equipment can be adjusted to serve as a unidirectional gateway. Adopting generic equipment is also a good way to evaluate a unidirectional cybersecurity solution before investing in hardware-enforced unidirectional gateways, should the hardware solution be required.
An increase in security through a unidirectional link commonly implies some loss in functionality, data integrity or availability (CIA triad); TT-AS experience, however, has resulted in a technology where the unidirectional link is effectively hidden from the data users. The supported data sources from OT networks are mirrored to the IT network. Users of industrial data on the IT side connect to the data sources as if they were on the OT side, although they are in fact mirrors within the IT network.
TT-AS technology makes data source mirroring seamless and maintenance-free - resilient to unidirectional link downtime or the temporary failure of any proxy element in the data processing chain. Thanks to extensive data validation, source and mirror data are perfectly synced.
A typical setup provides over 500 000 process point value updates per second and a delay of 10 sec or lower in archival data on the replica/IT side.
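How a receiver on the IT side can validate a one-way UDP stream and track gaps without any return channel, shown as an added example: this is not TT-AS code and not the EDS wire format. The frame layout, `MAX_GAP` and all names are assumptions, and the sender is assumed to repeat frames blindly on its own schedule.

```python
import struct
import zlib

# Hypothetical frame layout (an assumption, not the EDS wire format):
# 8-byte sequence number, 4-byte CRC32 of the payload, then the payload.
HEADER = struct.Struct("!QI")
MAX_GAP = 10_000  # refuse absurd jumps instead of tracking a huge gap set

def encode_frame(seq: int, payload: bytes) -> bytes:
    """OT side: wrap one update so the receiver can validate it on its own."""
    return HEADER.pack(seq, zlib.crc32(payload)) + payload

class MirrorReceiver:
    """IT side: accepts frames and records what is missing; it never replies."""
    def __init__(self):
        self.next_seq = 0     # lowest sequence number not yet seen
        self.missing = set()  # gaps left by lost datagrams
        self.values = {}      # seq -> payload accepted into the mirror
        self.rejected = 0     # truncated, corrupted or implausible frames

    def receive(self, datagram: bytes) -> None:
        if len(datagram) < HEADER.size:
            self.rejected += 1
            return
        seq, crc = HEADER.unpack_from(datagram)
        payload = datagram[HEADER.size:]
        if zlib.crc32(payload) != crc or seq - self.next_seq > MAX_GAP:
            self.rejected += 1
            return
        if seq >= self.next_seq:
            # Everything skipped between next_seq and seq is a gap.
            self.missing.update(range(self.next_seq, seq))
            self.next_seq = seq + 1
        elif seq in self.missing:
            self.missing.discard(seq)  # filled by a blind repeat from the sender
        else:
            return                     # duplicate of data already held
        self.values[seq] = payload

def demo():
    """Constructed traffic: frame 2 lost, frame 3 corrupted, both repeated later."""
    frames = [encode_frame(i, f"TAG{i}=1.0".encode()) for i in range(5)]
    rx = MirrorReceiver()
    for i in (0, 1, 4):
        rx.receive(frames[i])
    rx.receive(frames[3][:-1] + b"X")  # last payload byte damaged in transit
    gaps_before = sorted(rx.missing)
    for i in (2, 3):
        rx.receive(frames[i])
    return gaps_before, not rx.missing, rx.rejected
```

CRC32 only catches accidental corruption; if frames must also be authenticated, a keyed MAC over the header and payload takes its place.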
Main components and data flow of unidirectional replication based on the EDS platform.
For a summary of the technology and functionalities, please refer to the brochure.
Available solutions improve cybersecurity by:
A layered approach is advised by various cybersecurity standards and best practices. TT-AS solutions help implement architectures that have been standard in cyber-critical installations for over a decade.
DCS read-only mirroring
Emerson Ovation DCS is fully supported for replication and mirroring using EDS. EDS replicates process diagrams, process points/tags and alarms. One-way mirroring can be added to any already deployed EDS system at version 9.1 or higher.
Other control systems are typically integrated using OPC or Modbus. EDS features both OPC clients and servers in the DCOM and UA standards.
Fleet-wide integration of DCS data with network segmentation preserved
For larger installations, a hierarchical server structure can be used with multiple replication steps. The first replication typically takes place at the site level, separating the control system network from any higher-level networks. The site-level replica server can be replicated further to the central location to limit the load on the WAN connection and to avoid the central location interconnecting sites.
Industrial protocols mirroring
The EDS platform can be used to mirror data sources from the OT network to the IT network. Since EDS tunnels both live and archival data, keeping both archival databases synchronized across the one-way replication link, the platform can be used as a broker to tunnel the industrial data protocols EDS is compatible with.
An example of such functionality is mirroring OPC data sources:
Monitoring OT infrastructure from IT network
In addition to industrial protocols, other metadata can be tunneled to IT networks. Examples of such additional data include:
Making OT system monitoring details available to IT solutions increases awareness of OT operation and helps deal with threats internal to OT networks by analyzing system and user behavior with IT-level solutions such as IDS or SIEM.
In addition to the solutions and products presented above, TT-AS is capable of executing turn-key implementation projects including feasibility studies, infrastructure adaptation, installation and configuration of hardware and software, penetration testing and maintenance.