Unified Namespace and Secure Connectivity: Transforming Industrial Data Management
What Is A Unified Namespace
Unified Namespace, or UNS, is a concept that grew primarily out of the Equipment Hierarchy Model of the ANSI/ISA-95 standard and has been extended well beyond it to encompass the entire enterprise. The purpose of UNS is to provide a single approach to collecting and distributing the current state of industrial and manufacturing environments in an event-driven system. To do this, information is collected from points throughout the environment: control systems, shipping systems, ordering, personnel, and so on. This information is sent via broker agents to other subscribing systems, including other brokers, unifying the data set across the enterprise in near real time. Having this single architecture for information collection and distribution empowers decision making and planning in ways that have not been realized before, and simplifies operations and the response to events.
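To make the "single namespace, many brokers and subscribers" idea concrete, here is a small added illustration (not code from NetFoundry, ISA or any real MQTT broker): topics are composed from an assumed ISA-95 style hierarchy (enterprise/site/area/line/cell/tag), a toy in-memory broker fans messages out to MQTT-style wildcard subscriptions and retains the last value of every topic so a late subscriber receives the current state, and publish-side validation rejects wildcard characters in a topic so a publisher cannot forge a path that every subscriber would receive. All names and values are constructed for the example.

```python
"""Toy Unified Namespace: ISA-95 style topic paths, an in-memory broker with
MQTT-style wildcard subscriptions and a retained 'current state' per topic.
Added illustration only; not code from NetFoundry, ISA or any MQTT broker."""
from collections import OrderedDict
from typing import Callable, Dict, List, Tuple

Callback = Callable[[str, object], None]


def build_topic(enterprise: str, site: str, area: str, line: str, cell: str, tag: str) -> str:
    """Compose a topic from the ISA-95 equipment hierarchy (assumed layout).
    Wildcard characters and '/' are rejected so a publisher cannot forge a
    path that would be delivered to every subscriber."""
    segments = (enterprise, site, area, line, cell, tag)
    for seg in segments:
        if not seg or any(c in seg for c in "+#/"):
            raise ValueError(f"invalid topic segment: {seg!r}")
    return "/".join(segments)


def topic_matches(pattern: str, topic: str) -> bool:
    """MQTT-style matching: '+' matches one level, '#' (last only) the rest."""
    p, t = pattern.split("/"), topic.split("/")
    for i, seg in enumerate(p):
        if seg == "#":
            return i == len(p) - 1          # '#' is only valid as the final segment
        if i >= len(t) or (seg != "+" and seg != t[i]):
            return False
    return len(p) == len(t)


class Broker:
    """Publish/subscribe hub that also retains the last value of every topic,
    which is what lets a late subscriber read the 'current state'."""

    def __init__(self) -> None:
        self._subs: List[Tuple[str, Callback]] = []
        self._retained: Dict[str, object] = OrderedDict()

    def subscribe(self, pattern: str, callback: Callback) -> None:
        self._subs.append((pattern, callback))
        # Deliver retained state immediately so the subscriber starts in sync.
        for topic, value in self._retained.items():
            if topic_matches(pattern, topic):
                callback(topic, value)

    def publish(self, topic: str, value: object) -> int:
        """Retain the value and fan it out; returns the number of deliveries."""
        if any(c in topic for c in "+#"):
            raise ValueError("publish topics may not contain wildcards")
        self._retained[topic] = value
        delivered = 0
        for pattern, callback in self._subs:
            if topic_matches(pattern, topic):
                callback(topic, value)
                delivered += 1
        return delivered

    def current_state(self, pattern: str) -> Dict[str, object]:
        """Snapshot of retained values under a (possibly wildcarded) subtree."""
        return {t: v for t, v in self._retained.items() if topic_matches(pattern, t)}


def demo() -> Tuple[List[Tuple[str, object]], Dict[str, object]]:
    broker = Broker()
    seen: List[Tuple[str, object]] = []
    # Constructed sample: an MES-side consumer wants every temperature on site plant1.
    broker.subscribe("acme/plant1/+/+/+/temperature", lambda t, v: seen.append((t, v)))
    filler = dict(enterprise="acme", site="plant1", area="packaging", line="line3", cell="filler")
    broker.publish(build_topic(tag="temperature", **filler), 72.5)
    broker.publish(build_topic(tag="pressure", **filler), 3.1)
    return seen, broker.current_state("acme/plant1/#")
```

Running `demo()` shows the two halves of the model: the temperature subscriber receives only the matching topic, while `current_state("acme/plant1/#")` returns both retained values, which is the "current state of the site" that a UNS exists to provide. Real brokers layer per-identity topic ACLs on top of this; the wildcard check in `build_topic` and `publish` is the minimum a publisher-facing interface should enforce.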
Secure UNS Connectivity
Unified Namespace combined with zero trust connectivity can be the transformative solution you are looking for to integrate your industrial data.
Unified Namespace (UNS) requires secure, agile connectivity like NetFoundry’s Ziti for success because it enables seamless, real-time data flow across diverse and often geographically dispersed industrial environments while ensuring data security, integrity, and compliance with standards like IEC 62443.
Streamlined UNS Deployment
Leverage NetFoundry for secure, agile connectivity in evolving Unified Namespace implementations.
Using an Overlay Network To Integrate Disparate Data
As the purpose of a UNS implementation is to collect information from, and distribute information to, disparate sources, an overlay network can assist in the evolution towards a full UNS system. Protocols such as Sparkplug B and OPC UA have been created and evolved to provide a common format for delivering information; however, the transport of this data must still meet the needs and capabilities of the sources and the facilities.
We propose the use of the NetFoundry Platform (also available as a service via NetFoundry Cloud) as a solution to serve UNS deployment and evolution in a manner that meets the requirements of IEC 62443 and other standards, enabling the secure and rapid deployment of data sources and sinks and their connections to the brokers regardless of the underlying network architectures. The agility, flexibility, high availability, and completeness of operations make NetFoundry and Ziti an easy choice for UNS and other industrial connectivity needs.
Why Do We Need UNS?
UNS provides several benefits when implemented that can make enterprises more efficient in their business, while simplifying operations and the supporting processes. With a consistent approach, organizations can utilize their own data to make better decisions, normalize the data access methods for dependent systems, scale up to meet demand, and streamline workflows. A properly designed and implemented UNS system will also offer easier security policy enforcement and compliance, and reduce integration costs. These benefits have been realized in non-industrial spaces for years, and while there are fundamental differences between the information systems of IT and OT, the benefits are attainable while maintaining the security and availability required of OT environments.
Transformative Benefits of UNS
Unlock efficiency and scalability with Unified Namespace, enhancing operations and security compliance.
Bridging Enterprise and Industrial Data
UNS simplifies integration across layers, enhancing security and agility in industrial networking.
Network Friction In Implementing UNS
UNS combines enterprise and industrial data. While this has always been true, networking in manufacturing and industry has often been based on the Purdue model, with strict controls per layer of the model to protect the safety and availability of the system. This makes the integration of devices at the edge of the process difficult, due to the complexity of separating each layer. However, the Purdue model is an information architecture, not a networking model, and standards such as IEC 62443 provide guidance that allows communication to flow directly, or via appropriate brokers for those systems not capable of using the protocols, wherever those systems exist within the network, connecting zones via conduits. Of course, the communications of these systems must maintain the safety and security of the system as a whole. They also need to be agile and to scale, as well as provide all the functions needed to be operated efficiently and resiliently.
The ISAGCA has written a recent paper on the application of IEC 62443 to cloud-based systems, “IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards”. While UNS does not require cloud assets, the paper is a good example of the appropriate way to analyze risk for these types of systems, and some UNS client applications or enterprise-level brokers may well exist in the cloud. The paper and accompanying webinar cover the various types of processes and the analysis of their risks in depth, with recommendations for implementation as well as future work for various working groups. The image below from the paper shows the various data usage models they investigated as part of the study.
Securing UNS with IEC 62443 Compliance via Virtual Conduits
The findings of the study identified those functions that, if placed in the cloud, would fall under the scope of IEC 62443 requirements. As one can see, simply sending data to a cloud-based system for reasons outside the process being monitored, or analyzing and presenting data to a human operator who acts independently of the system, is considered out of scope for the security requirements of the standard. When any information is sent from the cloud-based system to the actual process, the cloud zones are in scope.
UNS, as a data collection and distribution model, is similar, and generally outside the scope of the existing standards. That said, the implementation of UNS must meet the overall security requirements of the environment it is in, and this will have large portions covered by the standard’s requirements. There is also a high likelihood that the UNS may become part of a larger solution in the examples to the right. While it would be up to the risk assessment to scope the components in or out, it makes sense to treat them as if they fall under the standard from the beginning.
The communications from the information sources to a UNS broker should be as direct as possible under the technical constraints. This simplifies implementation and operation, as well as improving timeliness. However, plant networks should also be architected as zones interconnected by conduits, as noted in IEC 62443, which often makes it difficult to ensure that the communications are properly secured. IEC 62443 addresses this by specifying virtual conduits. These connections can travel over the various physical network segments, directly connecting two zones that are otherwise largely separated, provided they are not accessible to systems in the zones they pass through. Virtual conduits are the key to simultaneously ensuring compliance with standards such as IEC 62443, maintaining real security within the network, and realizing the benefits of UNS and other data-driven initiatives.
Ensuring Compliance with IEC 62443
UNS integrates seamlessly with cloud and industrial systems while maintaining robust security standards.
Evolving OT Security Models
Increased focus on data integrity and confidentiality is vital for safeguarding industrial systems.
Why Do We Need To Secure UNS?
The OT security model places a lower inherent value on the integrity and confidentiality of data compared to the IT model, favoring safety first and availability second. This is well understood and reasonable given the requirements and purposes of the two fields. However, in today’s cyber environment, it is important to note that compromises of integrity and confidentiality can themselves cause safety and availability issues.
Examples of data integrity attacks have been seen in the wild, and research is being done to understand the potential ramifications. As seen in the IT world, one can only expect the attacks to become more sophisticated, and more disruptive over time. Within the critical infrastructure subset of ICS, it is important to note that nation state actors are directly involved in the development and deployment of cyber weapons; the risks associated with these actors are very significant. Manufacturing systems not deemed critical infrastructure may also be targeted, either as collateral damage, or as a weapon of economic terrorism.
Stuxnet: The Complex Malware That Exploited Industrial Control Systems
Perhaps the best known attack against industrial control systems, in this case targeting uranium enrichment, Stuxnet was a very complex malware program. It took many steps to mask itself, and to propagate, like other malware. However, the main function was to conduct a man-in-the-middle attack, intercepting the sensor signals, and preventing the safety systems from shutting down properly, leading to the destruction of the systems it infected.
For its targets, Stuxnet contains, among other things, code for a man-in-the-middle attack that fakes industrial process control sensor signals so an infected system does not shut down due to detected abnormal behavior. Such complexity is very unusual for malware. The worm consists of a layered attack against three different systems:
- The Windows operating system,
- Siemens PCS 7, WinCC and STEP7 industrial software applications that run on Windows and
- One or more Siemens S7 PLCs.
Source: Wikipedia
Lessons from Stuxnet
Stuxnet’s sophisticated man-in-the-middle attack highlights vulnerabilities in industrial control systems.
OT Malware in Warfare
FrostyGoop exemplifies the growing threat of malware targeting critical infrastructure in conflict.
FrostyGoop: Russia-Linked OT Malware Disrupts Critical Infrastructure in Ukraine
OT malware is also being used as a weapon of indirect warfare and terrorism. The Russia-Ukraine conflict has seen many examples over the last several years of attacks on power grids, and this one in particular, disrupting environmental controls during the winter.
Industrial cybersecurity firm Dragos on Tuesday revealed a newly discovered sample of Russia-linked malware that it believes was used in a cyberattack in late January to target a heating utility in Lviv, Ukraine, disabling service to 600 buildings for around 48 hours. The attack, in which the malware altered temperature readings to trick control systems into cooling the hot water running through buildings’ pipes, marks the first confirmed case in which hackers have directly sabotaged a heating utility.
The malware, which Dragos is calling FrostyGoop, represents one of less than 10 specimens of code ever discovered in the wild that’s designed to interact directly with industrial control-system software with the aim of having physical effects. It’s also the first malware ever discovered that attempts to carry out those effects by sending commands via Modbus, a commonly used and relatively insecure protocol designed for communicating with industrial technology.
Source: Wired.com
False Data Injection: A Critical Threat to Smart Cities and Industrial Control Systems
A group of Turkish researchers published a paper on false data injection, considering industrial control systems and the growing movement of smart cities.
ICS are one of the most critical components used in smart grid and smart city infrastructures. The vulnerabilities of the ICS and infrastructure architectures built on them affect the entire system. There are several attack methods that can be done through these vulnerabilities, but the FDI attack is one of the most damaging. Because with FDI (False Data Injection) attacks, it is possible to change the data in a controlled way and to change the firmware codes. When the impact of the FDI attack on the system is evaluated, it will take a long time especially to bring the system back to its current working state and great damage may occur. In addition, with this attack, it is possible to obtain data by manipulating the data in a controlled manner. For this reason, it is critical to take countermeasures by revealing the procedures of the FDI attack.
Source: ScienceDirect.com
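The common thread in the FrostyGoop and false data injection cases above is that a reading was altered or fabricated between the sensor and the system that trusts it. One practical countermeasure a UNS publisher and broker can apply is end-to-end payload integrity: the following added example (not code from the cited paper, Wired, NetFoundry or any broker) has each device HMAC its messages with a per-device key and a monotonically increasing sequence number, binding the value to its topic, so a subscriber can reject altered readings, messages re-published under another topic, and replays. Key distribution is assumed to happen out of band; the device name, topic and key are constructed for the example.

```python
"""Payload integrity for UNS telemetry: each publisher HMACs its messages with
a per-device key and a monotonically increasing sequence number, so a broker
or subscriber can reject altered or replayed readings. Added illustration;
not code from the cited paper, NetFoundry or any broker. Per-device key
distribution is assumed to happen out of band."""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple


def canonical(body: dict) -> bytes:
    """Deterministic encoding so publisher and verifier MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class Publisher:
    def __init__(self, device_id: str, key: bytes) -> None:
        self.device_id, self.key, self.seq = device_id, key, 0

    def sign(self, topic: str, value: float) -> dict:
        self.seq += 1
        # The topic is part of the signed body, so a message cannot be moved
        # to a different point in the namespace without breaking the MAC.
        body = {"device": self.device_id, "topic": topic, "seq": self.seq, "value": value}
        mac = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        return {**body, "mac": mac}


class Verifier:
    """Holds the per-device keys and the last accepted sequence per device."""

    def __init__(self, keys: Dict[str, bytes]) -> None:
        self.keys = keys
        self.last_seq: Dict[str, int] = {}

    def verify(self, msg: dict) -> Tuple[bool, str]:
        body = {k: v for k, v in msg.items() if k != "mac"}
        key = self.keys.get(body.get("device"))
        if key is None:
            return False, "unknown device"
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return False, "mac mismatch"          # value, topic or seq was altered
        seq = body.get("seq", 0)
        if not isinstance(seq, int) or seq <= self.last_seq.get(body["device"], 0):
            return False, "replayed or stale sequence"
        self.last_seq[body["device"]] = seq
        return True, "ok"


def demo() -> List[str]:
    # Constructed sample key; a real deployment provisions one per device.
    key = b"constructed-demo-key-for-sensor-7"
    sensor = Publisher("sensor-7", key)
    verifier = Verifier({"sensor-7": key})
    topic = "acme/plant1/boilers/loop2/outlet/temperature"

    good = sensor.sign(topic, 71.4)
    tampered = {**sensor.sign(topic, 71.6), "value": 20.0}          # altered reading
    moved = {**good, "topic": topic.replace("outlet", "inlet")}     # re-routed to another topic
    return [
        verifier.verify(good)[1],
        verifier.verify(tampered)[1],
        verifier.verify(good)[1],                                   # same message again: replay
        verifier.verify(moved)[1],
        verifier.verify({"device": "rogue", "seq": 1, "value": 0, "mac": ""})[1],
    ]
```

The sequence counter is kept per device on the verifier, so a broker that persists `last_seq` across restarts also closes the window for replaying old messages after a restart. This protects integrity only; confidentiality on the wire is a separate concern that the transport (for example the overlay discussed later on this page) has to provide.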
Threats of False Data Injection
FDI attacks can manipulate critical ICS data, posing severe risks to smart city infrastructures.
Risks Beyond Nation States
A young hacker’s tram manipulation highlights vulnerabilities in urban transport systems and oversight.
Lodz, Poland Tram Hack: Another Real-World Example of Cyber Vulnerabilities
Lastly, lest we get the impression that these risks come only from nation state actors, whether in theory or in practice: in 2008 a 14-year-old Polish boy built a device that allowed him to “play” with the city trams like a model train set.
“He treated it like any other schoolboy might treat a giant train set, but it was lucky nobody was killed. Four trams were derailed, and others had to make emergency stops that left passengers hurt. He clearly did not think about the consequences of his actions,” Micor added.
Securing Connected Industrial Systems: The Critical Role of Risk Management
As industrial systems become more and more connected, these risks will continue to increase. The potential ramifications of all cyberattacks must be taken into account in proper risk management programs. While the priority on safety is paramount, one must understand the threat landscape of how safety may be compromised, which may be in ways that are not commonly considered in the OT space.
Industrial systems continue to evolve into more data-driven architectures. It is critical that we learn from the mistakes of the IT events that have happened over the last decades; true security by design should be implemented at every step. As UNS is a major step forward in the collection and dissemination of data across entire enterprises, special care must be taken to ensure the security of the system as a whole.
Navigating Cyber Risks in Connected Systems
As industrial systems evolve, robust risk management and security by design are essential.
Ziti: Simplifying Secure Connectivity
NetFoundry’s Ziti offers a lightweight, open-source solution for seamless industrial and enterprise networking.
How NetFoundry’s Ziti Platform Can Enable UNS and Beyond
Ziti, the core architecture and technology of NetFoundry, is a software defined and implemented secure network. It operates at the communication layer, offering security and simplicity, while maintaining the features and functionality of a production class network. Options are available for embedding the functions directly into software via software development kits (SDKs) in a multitude of languages, and the C-SDK is built to be lightweight, suitable for resource limited environments. The software is open source, and is fully available for integration into products and solutions. This allows vendors and operators to utilize the software as a primary communication method, or an available option, without licensing costs.
The challenge of networking across both industrial and enterprise systems is real. The security requirements of the two can be very different, and implementing common systems is difficult. However, Ziti provides the opportunity to deploy UNS data senders and brokers wherever needed without complexity. Ziti endpoints use outbound-only connectivity from an underlay perspective, even when they host services that others initiate connections towards. The identity’s configuration provides the Network Controller address, which allows the endpoint to attach to the network instance. Once authenticated and authorized, the endpoint receives additional configuration information and connects to Edge Routers as appropriate.
Dynamic, Policy-Driven Connectivity: Simplifying Network Operations with Ziti for UNS and Beyond
From an underlay networking perspective, this allows the various firewalls, access control lists, and other systems to simply block all inbound traffic to the device and allow outbound only. This simplifies network configuration, because the system as a whole does not have to record and allow the individual connections, which would otherwise force rule updates for every device addition or change, along with the resulting audits and other ongoing network operations work. Instead, the Ziti network instance allows or disallows connectivity by policy, and does so dynamically. A policy change to allow or disallow connections between identities and services is applied within seconds, either to allow new connections or to disallow and break current ones. To view or audit connectivity, a single central location across the entire enterprise can be used, with built-in tools.
The same connectivity can be applied to systems within the enterprise network that need to connect to the UNS to publish or extract data. Prebuilt software is available for all major operating systems, or the SDKs can be used to embed. Other deployment models to utilize Edge Routers or tunnelers as gateways are also available, and all models can coexist, depending on need.
Once a Ziti network exists, it is a resource to be used for connectivity, UNS is just one use case. Remote access and other uses are easily deployed using the same models, and the availability of APIs to integrate with existing software can provide flexibility far beyond legacy networks, enabling models like just-in-time access (JIT) integrated with existing processes.
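To show what "connectivity by policy, applied dynamically" means in practice, here is an added, simplified model of role-attribute service policies of the kind described above. It is not the Ziti controller or its API: the selector syntax (`#role`, `@name`, `#all`), the Dial/Bind distinction, the default-deny behaviour and all identity, service and policy names are assumptions constructed for the example. The point it demonstrates is that authorization lives in the policy store rather than in per-device firewall rules, so removing one policy both denies new dials and cuts the sessions it had permitted.

```python
"""Simplified model of role-attribute service policies of the kind Ziti uses
to decide, centrally and dynamically, which identities may dial or bind a
service. Added illustration only, not the Ziti controller or its API: the
selector syntax ('#role', '@name', '#all'), the Dial/Bind split and the
entity names are assumptions for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Entity:                      # an identity (endpoint) or a service
    name: str
    roles: Set[str] = field(default_factory=set)


@dataclass
class ServicePolicy:
    name: str
    kind: str                      # "Dial": may connect; "Bind": may host
    identity_roles: List[str]
    service_roles: List[str]


def selector_matches(selectors: List[str], entity: Entity) -> bool:
    """'#all' matches everything, '#x' matches role x, '@n' matches name n."""
    for sel in selectors:
        if sel == "#all":
            return True
        if sel.startswith("#") and sel[1:] in entity.roles:
            return True
        if sel.startswith("@") and sel[1:] == entity.name:
            return True
    return False


class Network:
    def __init__(self) -> None:
        self.identities: Dict[str, Entity] = {}
        self.services: Dict[str, Entity] = {}
        self.policies: Dict[str, ServicePolicy] = {}
        self.sessions: Set[Tuple[str, str]] = set()   # live (identity, service) dials

    def allowed(self, kind: str, identity: str, service: str) -> bool:
        ident, svc = self.identities[identity], self.services[service]
        return any(
            p.kind == kind
            and selector_matches(p.identity_roles, ident)
            and selector_matches(p.service_roles, svc)
            for p in self.policies.values()
        )

    def dial(self, identity: str, service: str) -> bool:
        """A dial succeeds only if a Dial policy admits the pair and some
        identity is authorised to Bind (host) the service; default is deny."""
        hosted = any(self.allowed("Bind", i, service) for i in self.identities)
        if hosted and self.allowed("Dial", identity, service):
            self.sessions.add((identity, service))
            return True
        return False

    def set_policy(self, policy: ServicePolicy) -> List[Tuple[str, str]]:
        self.policies[policy.name] = policy
        return self._reconcile()

    def remove_policy(self, name: str) -> List[Tuple[str, str]]:
        self.policies.pop(name, None)
        return self._reconcile()

    def _reconcile(self) -> List[Tuple[str, str]]:
        """Policy changes apply to existing sessions too: drop any dial that
        is no longer permitted and report what was cut."""
        dropped = [s for s in self.sessions if not self.allowed("Dial", *s)]
        self.sessions.difference_update(dropped)
        return sorted(dropped)


def demo() -> Tuple[bool, bool, List[Tuple[str, str]], bool]:
    # Constructed identities, service and policies for a UNS broker scenario.
    net = Network()
    net.identities["plc-line3"] = Entity("plc-line3", {"uns-publisher", "site-plant1"})
    net.identities["mqtt-broker"] = Entity("mqtt-broker", {"uns-broker"})
    net.identities["hmi-1"] = Entity("hmi-1", {"hmi"})
    net.services["uns-mqtt"] = Entity("uns-mqtt", {"uns"})
    net.set_policy(ServicePolicy("brokers-host-uns", "Bind", ["#uns-broker"], ["#uns"]))
    net.set_policy(ServicePolicy("publishers-dial-uns", "Dial", ["#uns-publisher"], ["#uns"]))
    plc_ok = net.dial("plc-line3", "uns-mqtt")             # permitted by policy
    hmi_ok = net.dial("hmi-1", "uns-mqtt")                 # no Dial policy: denied
    dropped = net.remove_policy("publishers-dial-uns")     # revocation cuts the live session
    plc_after = net.dial("plc-line3", "uns-mqtt")
    return plc_ok, hmi_ok, dropped, plc_after
```

Because matching is by role attribute rather than by address, adding a fourth PLC with the `uns-publisher` role needs no policy edit and no firewall change, and the audit question "who can reach the broker?" is answered by evaluating `allowed("Dial", ...)` over the identity list in one place.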
Dynamic Secure Networking with Ziti
Ziti streamlines outbound-only connectivity, enhancing security and simplifying network management across systems.
Implementing UNS in Industry 4.0: Simplifying Secure Data Integration with Ziti
UNS is an evolution tied to the Industry 4.0 movement that enables businesses with manufacturing and other industrial processes to collect and distribute data so they can more effectively monitor and manage the state of the business, increasing efficiency, reducing costs, and enabling higher profitability. As an information system, UNS can be difficult to fully implement in OT environments, due to the more stringent requirements to meet safety and availability needs. Ziti enables organizations to implement UNS simply and efficiently, regardless of the network configuration or node types, and to be secure by design, protecting the business and meeting the requirements of relevant standards such as ISA/IEC 62443.