Operational Technology
Digital Solutions

Target: Migration
Place: Belgium
Sector: Life Sciences
Duration: 5 years
Budget: 20M€
Team: 1 Project Manager, 2 Project Engineers, 1 Automation Engineer


Project context

The client's network had one distinctive feature: all of its equipment was on the same VLAN.
This project covered a total of 4350 pieces of equipment in about 50 different buildings.
Because the network was this flat, information could pass easily from one piece of equipment to another without ever going through the firewall.


We can see a total of 2 VLANs installed (the orange bars). Multiple devices (computers, servers, …) are connected to each VLAN. Therefore, in the event of a cyber-attack, if one piece of equipment is affected, the intruder could easily move between all the terminals connected to that VLAN.
The visual aid below shows the network before RealDev's involvement.


RealDev's aim

RealDev is at the forefront of Operational Technology (OT). Our collaborators' expertise allows us to reach the top of the market with regard to the level of quality delivered.

We delivered to our client a service which encompasses the entirety of the steps required in order to migrate to OT. This includes the planning, the migration as well as the follow-up of all computers and devices needed to create the OT network.

A security project through segmentation had to be carried out.


In these circumstances, a new VLAN had to be created in order to regroup the equipment and provide it with the same solution. All of the VLANs that were put into place were divided into 4 network layers (L1, L2, L3/L3.5 and L4).

Each individual migration of a piece of equipment to its new VLAN required us to change its IP address. This transfer had to be made directly on site via the HMI of the equipment.

Glossary

The OT network consists of all the computers and devices used in production, research and technical management. It directly handles industrial production, automation and instrumentation.

These computers and devices are responsible for giving instructions to all the pieces of equipment and machinery, as well as for the conversion of electrical energy into mechanical energy or physical actions.

This network is defined by:
1. VLANs, computer subnetworks containing the assets.
2. Firewall rules authorising the different communications between multiple VLANs through a Firewall.
3. Active Directory, an access management service used to authenticate and authorise the “objects” on a network.

The OT network is only accessible from the IT network through a Firewall configured with specific rules. These rules are established by the authorisations that can be found in each VLAN in order to communicate with the Firewall.

The OT network is divided into VLANs, each a combination of different equipment (servers, devices, workstations, …) which can be grouped according to various criteria, such as:
1. Solution, indicating the system to which each piece of equipment belongs (Archestra, OsiPi, …).
2. Physical/network location, depending on the building/network layer where the equipment is installed.
3. Function, depending on the type of equipment (PLC, server, workstation, …).

These VLANs are defined on the OT switches and are therefore not bound by the limitations of the physical architecture.

The IT network comprises all the terminals and other technology used to store, study, retrieve, transfer and process data or information, without being directly responsible for the conversion of electrical energy into mechanical energy or physical actions.

Network Layers

As can be seen in the figure below (Figure 2), there are 4 network layers in this design:
L1: groups the equipment classed as devices (PLC, measuring instruments, …)
L2: groups the equipment classed as workstations, client IW10, servers.
L3/3.5: zone called DMZ, grouping the OT services (Active Directory, Print, …)
L4: zone corresponding to the IT network

The L1, L2 and L3/3.5 networks all have access that must go through the Firewall. Together they make up the OT network. In the image below, you can see how each piece of equipment is partitioned across the network layers. The colored arrows represent the communications of each terminal/equipment/server with the Firewall.

The Firewall is, in a sense, the “security door” which separates all the VLANs. Every data transfer that passes from one network to another must go through this Firewall.

The rights of passage are thus planned and encoded by RealDev.

The major change made to the Firewall during the project was the implementation of information filtering across multiple VLANs and not just one.

RealDev identified the pre-existing communication flows between the equipment and created the Firewall rules accordingly. These rules allowed the equipment to continue to function correctly. Some communication flows are unilateral, whereas others are bilateral. Concretely, the information exchange can be:

Unilateral: IT --> Firewall --> VLAN

The information is only transmitted from the IT network to the intended VLAN.

Bilateral: IT <-> Firewall <-> VLAN

The information is transferred from the IT network to the VLAN and vice versa.

These flows of information are illustrated (in Figure 2) in the form of colored arrows.
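The flow-to-rule step described above can be sketched as follows. This is an added example, not RealDev's tooling: the VLAN names, subnets, sample flows and ports are constructed, and treating "unilateral" as "connections initiated from one side only" is an assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed VLAN plan (hypothetical names and subnets, one per network layer).
VLANS = {
    "L1-PLC": "10.10.1.0/24",
    "L2-WORKSTATIONS": "10.10.2.0/24",
    "L3.5-DMZ": "10.10.35.0/24",
    "L4-IT": "10.20.0.0/16",
}
NETS = {name: ipaddress.ip_network(cidr) for name, cidr in VLANS.items()}

# Constructed observations: (initiator IP, responder IP, protocol, responder port).
FLOWS = [
    ("10.20.4.7", "10.10.35.10", "tcp", 443),   # IT client -> DMZ service
    ("10.10.2.15", "10.10.1.20", "tcp", 502),   # workstation -> PLC
    ("10.10.2.15", "10.10.35.5", "tcp", 389),   # workstation -> DMZ service
    ("10.10.35.5", "10.10.2.15", "tcp", 5985),  # DMZ service -> workstation
    ("10.10.2.15", "10.10.2.16", "tcp", 445),   # same VLAN: never reaches the firewall
    ("192.168.9.9", "10.10.1.20", "tcp", 502),  # source outside the VLAN plan
]

def vlan_of(ip):
    """Name of the VLAN whose subnet contains ip, or None if it is unplanned."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in NETS.items() if addr in net), None)

def derive_rules(flows):
    """Return (allow rules, unmapped flows) for a default-deny inter-VLAN firewall."""
    services = defaultdict(set)   # (src VLAN, dst VLAN) -> {(proto, port)}
    unmapped = []
    for src, dst, proto, port in flows:
        s, d = vlan_of(src), vlan_of(dst)
        if s is None or d is None:
            unmapped.append((src, dst, proto, port))  # needs manual review
        elif s != d:                                  # intra-VLAN traffic needs no rule
            services[(s, d)].add((proto, port))
    rules = []
    for (s, d), svc in sorted(services.items()):
        # Bilateral: the reverse pair also initiates connections; else unilateral.
        kind = "bilateral" if (d, s) in services else "unilateral"
        rules.append({"src": s, "dst": d, "services": sorted(svc), "exchange": kind})
    return rules, unmapped

if __name__ == "__main__":
    rules, unmapped = derive_rules(FLOWS)
    for r in rules:
        print(r)
    print("review:", unmapped)
```

Flows whose endpoints fall outside the VLAN plan are returned separately rather than turned into rules, so an unknown asset never gets an allow entry by default.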

TIS Project

Some of the modifications had to be carried out directly on site, but the majority of the work was performed at our office.
This type of project is what we call “TIS”, Totally Integrated Service.
In these projects, we take over the entirety of the project and perform most of the work at our office. We rarely operate on the client's site and only do so when necessary.


Conclusion

Given the considerable scope of the client’s network, a significant number of pieces of equipment required modifications.

However, thanks to our TIS approach, our operations at the client’s site were minimal (less than 5% of the time spent on the project was spent on site). In so doing, we kept our impact on the client’s activities to a minimum.

Frédéric Godeaux 23 December, 2022