NIS 2 Raises the Bar for Network Security

The recent adoption of a new NIS 2 Directive by the European Commission is a sign of the times.  Beset by a world-wide pandemic, many companies across the EU have turned to digital technologies to allow their workforce to stay productive, and to facilitate access to valuable production data.  This has led to unprecedented levels of industrial data being passed between company networks and across the Internet, increasing the risk of exposure to malicious intruders.

To combat the threat, the European Commission has accepted revisions to the Directive on Security of Network and Information Systems (NIS), now calling it NIS 2. Among other things, this document mandates a number of basic security elements, including standards for networking data between the production and corporate levels of a company.

The Commission has tasked ENISA, the European Union Agency for Network and Information Security, with implementing the standards.  In pursuit of this mandate, ENISA relies on the expertise of three well-known bodies, NIST, ISO, and ISA to provide detailed descriptions of how network security should be implemented, as published in its Mapping of OES Security Requirements to Specific Sectors document.

Using DMZs

For example, the recommended way to bring process data into the corporate office is summed up in NIST document SP-800-82.  It says: “The most secure, manageable, and scalable control network and corporate network segregation architectures are typically based on a system with at least three zones, incorporating one or more DMZs.”

These three zones are the control zone (OT), the corporate zone (IT), and the DMZ itself.  The document describes the value and use of firewalls to separate these zones, and to ensure that only the correct data passes from one to the other. Using a DMZ ensures that there is no direct link between corporate networks and control networks, and that only known and authenticated actors can enter the system at all.

Skkynet recommends using a DMZ for OT/IT networking, and provides the software needed to seamlessly pass industrial data across a DMZ-enabled connection.  Most industrial protocols require opening a firewall to access the data, but Skkynet’s patented DataHub architecture keeps all inbound firewall ports closed on both the control and corporate sides, while still allowing real-time, two-way data communication through the DMZ.

Secure OT to IT Connections

DataHub offers the only closed-firewall solution for networking process data.  The DataHub uses the DHTP protocol to make outbound-only connections from plant or process. This keeps all inbound firewall ports closed, supports DMZs and forward proxies, and requires no VPNs—to provide secure OT to IT data flow.

Security by Design diagram
  • No exposure of the plant network: No VPNs means no extension of the plant’s security network. Works seamlessly within network proxies, data proxies and DMZ servers.
  • No disruptions from the IT network: Read-only options and non-intrusive connectivity ensure that the plant remains secure and functional, even if remote data access is degraded or a remote location is compromised.
  • No access beyond the required data: The plant decides which data to make available remotely.
  • No compromise on performance: Real-time data is delivered at microseconds above network latency, easily scaling to 50,000+ data point changes per second, all the while preserving the data model across networks.
  • One-way or bidirectional data flow: Each connection can be configured as read-only or read-write, to support data monitoring or supervisory control.
  • Secure by design: With DataHub’s publish and subscribe architecture, security is built-in and always controlled at the Plant network.