The following content is a translation of an article by OT security expert Mats Karlsson Landré, originally published in Swedish in the newsletter Ot-Säkerhet. In this edition, he delves into his experiences during a visit to our lab in Spain.

“Opscura realizes very much of the benefit that SDN provides, but in a way that does not affect the underlying network infrastructure.” Mats Karlsson Landré

I’ve noticed that many readers are especially interested when I get the chance to tell them about my adventures with fun things in the OT lab. Of course, it takes a lot of time, so there are fairly long gaps between the times I have something to write about. This time it’s extra fun… It’s not every day I get the chance to test a Spanish OT security product, but today is one of those days!

It’s the company Opscura, whose product Lunaria solves the challenges of segmenting and monitoring OT networks in a new and exciting way! Their software is based entirely on the concepts of “Zones” and “Conduits” that we recognize from our favorite standard IEC 62443. Their approach is based on the fact that you can leave your network gadgets more or less unchanged. Instead, you put a small ruggedized computer in the places in the network where there should be one or more Zones. These computers are called “VIA” and are managed in a single interface.

 

Initially, traffic can be allowed to continue to flow unaffected through the VIAs and the management interface analyzes the actual traffic in the network. Then you define your zones and how they can communicate with each other through Conduits.

In this way, Opscura has managed to create what is in practice a kind of Software Defined Network, but without the network equipment having to support it. The switches can even be unmanaged if you like them that way. Their solution provides a lot of nice features for things that can otherwise be unpleasant surprises when deploying such a solution in an OT context:

  • If you want, you can allow broadcast traffic, “Layer 2”, which makes it possible for programming tools and other things that often use broadcast to, for example, find new PLCs on the network even before they are configured.
  • By defining a Conduit between two Zones, you also define the firewall rules that will apply to that communication. This means that the filtering is done on each Via and does not need to involve regular firewalls.
  • If you want to collect traffic in the network to send to, for example, an IDS, such as Nozomi Guardian, it is usually difficult to get hold of traffic “far out in the network”. Opscura can aggregate traffic collected on the various Vias and present it as a consolidated copy in a suitable place where the IDS can absorb the traffic.
  • With the same function that collects network traffic to an IDS, you can also record network traffic somewhere in the network and then download it as a pcap file that can be viewed in Wireshark or some other tool. Absolutely invaluable for both troubleshooting and when planning segmentation.

To test if this works in reality, I started a test process that I have written about before in Newsletter #54: a PLCnext from Phoenix Contact that controls an elevator and some conveyor belts that are simulated in Factory IO via a remote IO over MODBUS TCP.

The Via functions run on two physical PCs, which in this case are from Schneider Electric and the management server runs on another small PC. In the lab they are next to each other but in practice they may be in completely different locations with some form of network connection between them.

The connection of the two Vias between the PLC and the IO in the lab setup was completely undramatic. There is, of course, an interruption when you pull out a cable, but then the function flowed as usual even though the network traffic passed back and forth through the two Vias.

In this mode, you can choose to manually create Zones and Conduits in the administrator tool, provided you know what type of communication is needed. Otherwise, you start Opscura’s built-in analysis of all network traffic, which directly lists which devices are talking on the network, who is talking to whom, and then plots this clearly.

The blue boxes in the image are the Vias and show which Via handles which devices on the network. If you zoom in closer, you can see what’s what:

Once you have your Zones and Conduits, you ask the Vias to stop behaving like a “Wire” and instead start protecting the traffic. I turned on the protection while the “manufacturing process” was running and it worked without interference! When you look at the traffic on the network, you can clearly see that instead of MODBUS packets, only encrypted traffic is sent between the Vias.

Before:

And after:

Yes, the traffic that goes through a Conduit is thus automatically encrypted. Then someone might think: “But encryption can be a bit tricky in the OT world?”. Yes, it is, but in this case I don’t actually see a downside:

  • The system takes care of all key management itself.
  • It doesn’t matter that the traffic becomes “invisible” because Lunaria can offer a copy of all traffic to IDSs and similar security solutions.
  • The encryption allows you to send traffic through networks that you do not fully trust, although of course it does not solve the risks of interruptions caused by attacks on the network.
  • Although encryption always introduces a small extra delay, the solution really seems to be tuned in a way that makes the impact minimal. Maybe I wouldn’t use it on very time-critical solutions, but otherwise…
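The before/after observation above (MODBUS packets replaced by encrypted traffic between the Vias) can be checked mechanically on a downloaded pcap. The following is an added example, not part of the original article and not Opscura's code: it assumes the TCP payloads have already been extracted from the capture, and the sample bytes are constructed rather than taken from the lab.

```python
import struct
from collections import Counter

# Standard public Modbus function codes (reads, writes, mask/read-write registers).
KNOWN_FUNCTIONS = {1, 2, 3, 4, 5, 6, 15, 16, 22, 23}

def modbus_frames(payload: bytes):
    """Return the function codes of the Modbus TCP frames in one TCP payload,
    or [] unless the whole payload consists of well-formed frames."""
    codes, offset = [], 0
    while offset < len(payload):
        if len(payload) - offset < 8:             # 7-byte MBAP header + function code
            return []
        _tid, proto, length, _unit = struct.unpack_from(">HHHB", payload, offset)
        end = offset + 6 + length                 # length field counts unit id + PDU
        if proto != 0 or not 2 <= length <= 254 or end > len(payload):
            return []
        func = payload[offset + 7]
        if (func & 0x7F) not in KNOWN_FUNCTIONS:  # high bit set = exception response
            return []
        codes.append(func)
        offset = end
    return codes

def audit(payloads):
    """Summarise payloads seen on the link between the Vias."""
    report = {"cleartext_modbus": 0, "opaque": 0, "functions": Counter()}
    for payload in payloads:
        codes = modbus_frames(payload)
        if codes:
            report["cleartext_modbus"] += 1
            report["functions"].update(codes)
        else:
            report["opaque"] += 1
    return report

# Constructed samples, not taken from the lab capture.
READ_REQ = bytes.fromhex("000100000006010300000001")    # read 1 holding register
READ_RSP = bytes.fromhex("000100000005010302002a")      # response carrying one register
WRITE_COIL = bytes.fromhex("00020000000601050010ff00")  # write single coil
BEFORE = [READ_REQ, READ_RSP, READ_REQ + WRITE_COIL]    # last: two frames in one segment
AFTER = [bytes.fromhex("9c41e7a2d05b3f88126ec9f4a37d0be1"),
         bytes.fromhex("4fd2b86a0e91c7355a28f16d93b04ce7")]

if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
```

Any non-zero `cleartext_modbus` count on a link that should be inside a Conduit is worth investigating; "opaque" only means the payload is not valid Modbus TCP, not that it is proven to be encrypted.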

If you read previous newsletters, you may know that I have high hopes that SDN, Software Defined Networking, will become a common solution for OT networks. Opscura realizes very much of the benefit that SDN provides, but in a way that does not affect the underlying network infrastructure. Of course, it becomes extra interesting in contexts where the equipment is in different physical locations and communicates between networks that may be managed by different groups.

If you are looking for a solution that makes it easy to build networks based on Zones and Conduits, I think you should definitely consider Opscura’s solution!