{"id":19221,"date":"2021-12-08T15:12:15","date_gmt":"2021-12-08T11:12:15","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/immunizing-factories-ksig-100\/19221\/"},"modified":"2021-12-08T15:12:57","modified_gmt":"2021-12-08T11:12:57","slug":"immunizing-factories-ksig-100","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/immunizing-factories-ksig-100\/19221\/","title":{"rendered":"A paradigm shift for industrial security: Immunizing factories"},"content":{"rendered":"

Ten years is a long time in cybersecurity. If we could have seen into the future back then and just how far cybersecurity technologies have come on by 2022 \u2013 I\u2019m sure no one would have believed it. Including me! Paradigms, theories, practices, products (anti-virus \u2013 what\u2019s that?) \u2013 everything\u2019s been transformed and progressed beyond recognition.<\/p>\n

At the same time, no matter how far we\u2019ve progressed \u2013 and despite the hollow promises of artificial intelligence<\/a> miracles<\/a> and<\/a> assorted other quasi-cybersecurity<\/a> hype<\/a> \u2013 today we\u2019re still faced with the same, classic problems we had 10 years ago:<\/p>\n

How to protect data from non-friendly eyes and having unsanctioned changes made to it, all the while preserving the continuity of business processes?<\/p><\/blockquote>\n

Indeed, protecting confidentiality, integrity and accessibility still make up the daily toil of most all cybersecurity professionals.<\/p>\n

No matter where it goes, \u2018digital\u2019 always brings with it one and the same problems. It has done, it does, and it will continue to. But of course it will \u2013 because the advantages of digitalization are so obvious. Even such seemingly conservative fields like heavy machine building, oil refining, transportation or energy have been heavily digitalized for years already. All well and good, but is it all secure?<\/p>\n

With digital, the effectiveness of business grows in leaps and bounds. But on the other hand, all that is digital can be \u2013 and is \u2013 hacked, and there are a great many<\/a> examples<\/a> of this. There is a great temptation to fully embrace digital \u2013 to reap all its benefits; however, it needs to be done in a way that isn\u2019t agonizingly painful (read \u2013 with business processes getting interrupted). And this is where our new(ish) special painkiller can help \u2013 our KISG 100<\/em><\/strong> (Kaspersky IoT Secure Gateway<\/a>).<\/em><\/p>\n

\"Kaspersky<\/a><\/p>\n

This tiny box (RRP \u2013 a little over \u20ac1000) is installed between industrial equipment (further \u2013 \u2018machinery\u2019) and the server that receives various signals from this equipment. The data in these signals varies \u2013 on productivity, system failures, resource usage, levels of vibration, measurements of CO2<\/sub>\/NOx <\/sub>emissions, and a whole load of others \u2013 but it\u2019s all needed for get the overall picture of the production process and to be able to then take the well-informed and reasoned business decisions.<\/p>\n

As you can see, the box is small, but it sure is powerful too. One crucial functionality is that it only allows \u2018permitted\u2019 data to be transferred. It also allows data transmission strictly in just one direction. Thus, in an instant KISG 100<\/em> intercepts a whole hodge-podge of attacks: man-in-the-middle<\/a>, man-in-the-cloud<\/a>, DDoS attacks<\/a>, and many more of the internet-based threats that just keep on coming at us in these \u2018roaring\u2019 digital times.<\/p>\n

KISG 100<\/em> (which works on the Siemens SIMATIC IOT2040<\/a> hardware platform and our cyber immune KasperskyOS<\/a>) divides the external and internal networks in such a way that not a single byte of malicious code can possibly get between the two \u2013 so the machinery stays fully protected. The technology (for which we have three<\/a> patents<\/a> pending<\/a>) works based on the data-diode principle: opening the flow of data in only one direction and only upon certain conditions having been met. But, unlike competing solutions, KISG does this (i) more reliably, (ii) simpler, and (iii) cheaper!<\/p>\n

OK, let\u2019s have a closer look\u2026<\/p>\n

It\u2019s not for nothing this little box called a \u2018gateway\u2019, for in principle it works just like the mechanical hydro-technical gateway found on canals \u2013 a lock<\/a>. You open the lower gate, the boat goes into the chamber; the water level rises, the upper gate opens, the boat leaves the chamber. In the same way, KISG 100<\/em> first initializes the agent of the source from the industrial network, then connects it with the agent of the receiver of data in the direction of the server and allows the one-way<\/em> transfer of data.<\/p>\n

Once a connection is made between the machinery and the server, the system has a so-called protected status: access to an external network and also untrusted memory is forbidden to both agents (source and receiver), while access to trusted memory (from which they receive working parameters like encryption keys, certificates, etc.) is permitted. With this status, the gateway can\u2019t be compromised by attacks from an external network \u2013 since all its components at this stage are disconnected from external world and are considered trusted; they are only loaded and initialized.<\/p>\n

After initialization, the status of the gateway is changed to active: the receiver agent gets the right to both transfer data to an external network and access untrusted memory (in which temporary data is contained). Thus, even if there\u2019s a hack on the server side, the hackers can\u2019t get to the other components of the gateway or the industrial network. Like this:<\/p>\n

\"\"<\/a><\/p>\n

Control over the observation of rules of interaction between agents, plus switching the statuses of the gateway is done by a cybersecurity monitor KSS<\/a>. This isolated subsystem of KasperskyOS constantly monitors observance of pre-defined security policies (what component can do what) and, as per the \u2018default deny\u2019 principle, blocks all forbidden actions. The main competitive advantage of KSS is that the security policy are very convenient to describe with a special language and to combine different pre-defined models of cybersecurity. If just one of the components of KISG 100<\/em> (for example, the receiver agent) turns out to be compromised, it can\u2019t harm the rest of them, while the system operator is informed of the attack and can get to work dealing with it.<\/p>\n

So, you still with us? Then here comes the inevitable \u2018wait, there is more!\u2019\u2026<\/p>\n

The tiny box can help provide additional digital services. It allows safely integrating industrial data in ERP\/CRM and assorted other business systems of an enterprise!<\/p>\n

Scenarios involving such services can vary greatly. For example, for our respected customer Chelpipe Group<\/a> (a leading producer of steel pipes), we calculated the efficiency of a machine-tool that cuts pipe. Thanks to this predictive analysis, up to $7000 per month can be saved on outlays when choosing to buy such a tool (!). In fact, such integration provides simply endless possibilities.<\/p>\n

One more example: the St. Petersburg company LenPoligraphMash<\/a> connected its industrial equipment to 1C<\/a> ERP system, and now \u2013 almost in real time \u2013 it shows in an ERP analytics on the performance of all operators, so it can pay them based on actual (not normative or averaged) down time. The uniqueness of this approach and its scalability was confirmed by experts of the respected analytical agency Arc Advisory Group<\/a> in its first cyberimmunity report<\/a>.<\/p>\n

\"\"<\/a><\/p>\n

So, as you can see, this isn\u2019t just any old box. It\u2019s a perfectly ingenious magical one! Already, besides its being in full combat duty at Chelpipe Group, KISG 100 <\/em>is supplied together with the metals processing machinery of StankoMashKomplex<\/a>, successful pilot projects are up and running with Rostec<\/a> and Gazprom Neft<\/a>, and dozens of other pilots with large industrial organizations have begun. The device received a special award for outstanding tech achievement at the largest Chinese IT event, Internet World Conference<\/a>; at the Hannover Messe 2021<\/a> industrial exhibition KISG 100<\/em> earned a place among the best innovational solutions; and just recently it took the top prize in the IoT Awards 2021 of the Internet of Things Association<\/a>, beating many top-rated companies.<\/p>\n

In the future we\u2019ll be expanding the range of such smart boxes. Already, KISG 100<\/em>\u2018s \u2018older brother\u2019 \u2013 KISG 1000<\/em><\/a> \u2013 is being beta tested. In addition to being a gateway-guard, it is also an inspector: it not only collects, checks and distributes telemetry, it also transfers management commands to devices and protects against network attacks.<\/p>\n

\"Kaspersky<\/a><\/p>\n

The takeaway: you needn\u2019t be afraid of digital; you simply need to be able to cook it properly! And we\u2019re here to help with that \u2013 with the best chefs and recipes.<\/p>\n","protected":false},"excerpt":{"rendered":"

Kaspersky IoT Secure Gateway 100: How to protect industrial data whilst preserving business continuity. <\/p>\n","protected":false},"author":13,"featured_media":19230,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916],"tags":[1329,1487,2527,2528],"class_list":{"0":"post-19221","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-industrial-cybersecurity","10":"tag-kasperskyos","11":"tag-ksig","12":"tag-ksig-100"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/immunizing-factories-ksig-100\/19221\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/immunizing-factories-ksig-100\/23721\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/immunizing-factories-ksig-100\/9635\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/immunizing-factories-ksig-100\/25873\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/immunizing-factories-ksig-100\/23915\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/immunizing-factories-ksig-100\/23546\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/immunizing-factories-ksig-100\/26562\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/immunizing-factories-ksig-100\/26161\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/immunizing-factories-ksig-100\/32050\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/immunizing-factories-ksig-100\/10352\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/immunizing-factories-ksig-100\/43097\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/immunizing-factories-ksig-100\/18264\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/immunizing-factories-ksig-100\/18639\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/immunizing-factories-ksig-100\/15607\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/immunizing-factories-ksig-100\/27855\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/immunizing-factories-ksig-100\/32178\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/immunizing-factories-ksig-100\/27917\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/immunizing-factories-ksig-100\/24669\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/immunizing-factories-ksig-100\/30084\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/immunizing-factories-ksig-100\/29875\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/kasperskyos\/","name":"KasperskyOS"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/19221","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=19221"}],"version-history":[{"count":4,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/19221\/revisions"}],"predecessor-version":[{"id":19229,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/19221\/revisions\/19229"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/19230"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=19221"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=19221"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=19221"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}