Gateways as Cybersecurity Appliances

Gateways as cybersecurity

Sometimes when you talk to customers you get the strangest information. Things that you would never have guessed no matter how much time you had available. When I asked one customer about cybersecurity for his machine, he said “Your Modbus RTA Gateway is our security appliance.”

I couldn’t have been more shocked. We have gateways for Modbus RTU, gateways for AB PLC communications, gateways for EtherNet/IP, and more, but none of them are what I would call a “Security Appliance.” I asked him more and he explained it to me.

“By putting the gateway between their infrastructure and ours, all we have is a data interface between their company network and our machine network. On our side, we have a network that includes a controller, some I/O devices, and other intelligent devices that run our machine. On their side, they have their control network with some of their controllers, other I/O devices, servers, and, of course, switches and routers to get to their enterprise network. What the RTA gateway does for us is to prevent messages flowing between the two networks. It’s actually a data diode.”

I had never thought of it that way, but it made sense to me. All that each side sees in our gateway is a data table. They can read the data table or write the data table, but they have no ability to do anything more than just those reads and writes of data values. It’s actually a pretty good use of our gateway technology.

Is this bulletproof? Well, no, it isn’t. If someone had access to either side, they could figure out what is in our box. They could figure out what the OS is. They could get the tools they needed to download a new program. But that’s an awful lot of trouble. My experience in cybersecurity is that people will go after the easier targets first. No one likes to take the long, difficult road. Putting an RTA gateway in an application can make the application more secure.

In a previous article, I wrote about seven simple steps to machine security. Those steps included turning off unused switch ports, capping end ports on linear segments, keying ports that the technicians use to access the network, and eliminating your USB ports. This step, using an RTA gateway, could be considered step number 8.

You never know what you might learn when you talk to a customer. I’ll have to do more of that in the future.