Critical Infrastructure is our speciality

During 25+ years of DCS control systems engineering, the Transition Technologies Capital Group has gained significant experience with OT technology as well as with constantly evolving, complex enterprise IT.

Dealing with cybersecurity requirements on a daily basis, its experienced staff have gained a unique set of skills that combines OT and IT expertise in the field of ICS-centric cybersecurity.

The cybersecurity features of TT-AS products have matured over time across hundreds of projects implemented worldwide. While they are the core elements of the standardized industrial data processing solutions that TT-AS offers to various industries, the cybersecurity modules are also available as a family of generic products suited to any industrial environment that requires secure publication of industrial data from OT networks to the corporate IT environment.

Dynamic business needs on-line data. Take care of your business and let us take care of the data. 100% safe. 

Technology

The cybersecurity solutions use EDS (Enterprise Data Server) as their industrial data processing platform. EDS is compliant with the NERC CIP (fossil power plants) and NRC 10 CFR 73.54 (nuclear power plants) regulations and is used in many fossil and nuclear power plants across the globe.

The technology behind TT-AS cybersecurity solutions is based on unidirectional communication. For industrial data tunneling, the unidirectional connection links the OT network to the IT network, with data allowed to move from OT to IT but not the other way.

Unidirectional communication can be achieved by a range of solutions, from hardware-enforced devices such as "data diodes" or network taps to logically enforced one-way packet transfer rules on generic firewalls or routers. Examples of supported unidirectional communication hardware include Waterfall, Owl, Canary and Cisco.

In addition to providing turn-key solutions, our products can easily fit a client's existing architecture: the only requirement is transparent UDP communication, and generic network equipment can be configured to serve the role of a unidirectional gateway. Adopting generic equipment is also a good way to evaluate a unidirectional cybersecurity solution before investing in hardware-enforced unidirectional gateways, should a hardware solution be required.

Commonly, an increase in security through a unidirectional link implies some loss of functionality, data integrity or availability (the CIA triad). TT-AS experience, however, has produced a technology in which the unidirectional link is effectively hidden from the data users. The supported data sources from OT networks are mirrored to the IT network. Users of industrial data on the IT side connect to the data sources as if they were on the OT side, although they are in fact mirrors within the IT network.

TT-AS technology makes data source mirroring seamless and maintenance-free: it is resilient to unidirectional link downtime and to the temporary failure of any proxy element in the data processing chain. Thanks to extensive data validation, source and mirror data are kept perfectly synchronized.

A typical setup delivers over 500 000 process point value updates per second, with a delay of 10 seconds or less for archival data on the replica (IT) side.
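The properties described above (data flows strictly from OT to IT, the receiver validates every datagram, and the mirror recovers by itself after link downtime because no acknowledgement can ever travel back) are illustrated by the following added example. It is not TT-AS or EDS code: the frame layout, the `OWM1` marker, the point names and the snapshot interval are all constructed for this illustration, and the one-way link is simulated in-process rather than sent through a real UDP socket and diode.

```python
"""Added example (not TT-AS/EDS code): one-way OT -> IT mirroring of process
point values over UDP-style datagrams.

Everything here is hypothetical: the wire format, the point names (T101,
P202, F303) and the snapshot interval are constructed for this illustration.
A real deployment would push the datagrams through a UDP socket across the
data diode or one-way firewall rule; here the link is simulated in-process."""
import hashlib
import json
import struct
from typing import Dict, Optional, Set, Tuple

MAGIC = b"OWM1"                      # hypothetical frame marker
HEADER = struct.Struct("!4sQB32s")   # magic, sequence number, kind, SHA-256 of payload
KIND_DELTA = 0                       # frame carries only the changed points
KIND_SNAPSHOT = 1                    # frame carries the full point set (heals gaps)


def encode_frame(seq: int, kind: int, points: Dict[str, float]) -> bytes:
    """Serialize one update into a self-describing datagram with an integrity digest.
    The digest detects corruption on the wire; it does not authenticate the sender."""
    payload = json.dumps(points, sort_keys=True, separators=(",", ":")).encode()
    return HEADER.pack(MAGIC, seq, kind, hashlib.sha256(payload).digest()) + payload


def decode_frame(datagram: bytes) -> Optional[Tuple[int, int, Dict[str, float]]]:
    """Return (seq, kind, points), or None if the datagram is malformed or corrupted."""
    if len(datagram) < HEADER.size:
        return None
    magic, seq, kind, digest = HEADER.unpack_from(datagram)
    payload = datagram[HEADER.size:]
    if magic != MAGIC or hashlib.sha256(payload).digest() != digest:
        return None
    try:
        points = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(points, dict):
        return None
    return seq, kind, points


class OtSender:
    """OT side: owns the source values and only ever emits datagrams."""

    def __init__(self, snapshot_every: int = 4) -> None:
        self.source: Dict[str, float] = {}
        self.seq = 0
        self.snapshot_every = snapshot_every

    def update(self, changes: Dict[str, float]) -> bytes:
        self.source.update(changes)
        self.seq += 1
        # No return channel exists, so the receiver can never ask for a resend.
        # Every Nth frame is therefore a full snapshot that repairs any lost delta.
        if self.seq % self.snapshot_every == 0:
            return encode_frame(self.seq, KIND_SNAPSHOT, self.source)
        return encode_frame(self.seq, KIND_DELTA, changes)


class ItMirror:
    """IT side: maintains the replica plus counters an operator can alarm on."""

    def __init__(self) -> None:
        self.mirror: Dict[str, float] = {}
        self.last_seq: Optional[int] = None
        self.gaps = 0        # sequence discontinuities (datagrams lost on the link)
        self.rejected = 0    # corrupt, malformed, replayed or out-of-order datagrams
        self.in_sync = True  # False from a detected gap until the next snapshot

    def ingest(self, datagram: bytes) -> None:
        frame = decode_frame(datagram)
        if frame is None:
            self.rejected += 1
            return
        seq, kind, points = frame
        if self.last_seq is not None and seq <= self.last_seq:
            self.rejected += 1   # stale frame: applying it would overwrite newer values
            return
        if self.last_seq is not None and seq != self.last_seq + 1:
            self.gaps += 1
            self.in_sync = False
        self.last_seq = seq
        if kind == KIND_SNAPSHOT:
            self.mirror = dict(points)
            self.in_sync = True
        else:
            self.mirror.update(points)


def run_simulation(drop: Set[int]) -> Tuple[OtSender, ItMirror]:
    """Push four constructed updates across a link that drops the given sequence numbers."""
    sender, mirror = OtSender(snapshot_every=4), ItMirror()
    changes = [
        {"T101": 250.0, "P202": 10.5},  # seq 1
        {"T101": 251.5},                # seq 2
        {"F303": 7.25},                 # seq 3
        {"P202": 10.7},                 # seq 4 -> emitted as a snapshot frame
    ]
    for seq, change in enumerate(changes, start=1):
        datagram = sender.update(change)
        if seq not in drop:
            mirror.ingest(datagram)
    return sender, mirror


if __name__ == "__main__":
    s, m = run_simulation(drop={2})
    print("gaps:", m.gaps, "in sync:", m.in_sync, "mirror == source:", m.mirror == s.source)
```

The sender never calls anything on the receiver, which is what a diode enforces physically and a one-way firewall rule enforces logically. The interesting defensive signals are the receiver's counters: a rising `gaps` value means the link or an intermediate proxy is dropping traffic, a rising `rejected` value means corruption or replay, and `in_sync` tells an operator whether the replica can currently be trusted or is waiting for the next snapshot.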

Main components and data flow of a unidirectional replication based on EDS platform.


For a summary of the technology and functionalities, please refer to the brochure.

Solutions

The available solutions improve cybersecurity by: 

  1. Dealing with threats external to the OT network by safely tunneling industrial data over a one-way link from OT to IT.
  2. Dealing with threats internal to OT by tunneling DCS configuration metadata, SNMP, WMI and logs from OT to IT for further integration with a higher-level threat analysis or SIEM solution maintained within the IT infrastructure. 
  3. Providing a tool to introduce a multi-layer approach to system and network segmentation while preserving secure communication across these layers, from the higher-security to the lower-security layer.

A layered approach is advised by various cybersecurity standards and best practices. TT-AS solutions help implement architectures that have been the standard in cyber-critical installations for over a decade.

DCS read-only mirroring

The Emerson Ovation DCS is fully supported for replication and mirroring using EDS. EDS replicates process diagrams, process points/tags and alarms. One-way mirroring can be added to any already deployed EDS system in version 9.1 or higher. 

Other control systems are typically integrated using OPC or Modbus. EDS provides both OPC clients and servers for the DCOM and UA standards.

Fleet-wide integration of DCS data with network segmentation preserved

For larger installations, a hierarchical server structure with multiple replication steps can be used. The first replication typically takes place at the site level, separating the control system network from any higher-level networks. The site-level replica server can then be replicated further to a central location, which limits the load on the WAN connection and avoids the central location becoming an interconnection between sites.

Main components and data flow of a unidirectional replication based on EDS platform.

Industrial protocols mirroring

The EDS platform can be used to mirror data sources from the OT network to the IT network. Since EDS tunnels both live and archival data, keeping both archival databases synchronized across the one-way replication link, the platform can act as a broker to tunnel any industrial data protocol that EDS is compatible with. 

An example of such functionality is the mirroring of OPC data sources: 

  1. An OPC DA, HDA or UA server of a control system can be tunneled over a one-way link to the IT network, where an OPC mirror is maintained.
  2. An OPC DA server can be connected on the OT side, and the historian functionality of the EDS platform can be used to present the OPC source on a mirror extended with HDA functionality. 
  3. Older DCOM OPC sources can be converted to the UA standard during replication.
  4. Newer OPC UA sources can be converted to the DCOM standard during replication.

Monitoring OT infrastructure from IT network

In addition to industrial protocols, other metadata can be tunneled to IT networks. Examples of such additional data include:

  1. Control system configuration files
  2. Control system logs
  3. SNMP counters and traps (e.g. to monitor OT network from IT side in a read-only way)
  4. WMI counters (e.g. to monitor control systems hosts from IT side)

Making OT system monitoring details available to IT solutions increases awareness of OT operation and helps in dealing with threats internal to OT networks, by analyzing system and user behaviour from IT-level solutions such as an IDS or SIEM. 

In addition to the solutions and products presented above, TT-AS is capable of executing turn-key implementation projects, including feasibility studies, infrastructure adaptation, installation and configuration of hardware and software, penetration testing and maintenance.