The future of industrial artificial intelligence (AI) seems bright. Many initial studies and pilot projects have shown that by connecting production systems to AI engines, significant efficiency gains and cost savings can be achieved. But the reality is that there is a serious challenge that must be faced.
How can we ensure the absolute security of these production systems and their data? After all, most AI tools are cloud-based. What we need is secure and real-time connectivity from the factory to the AI systems running in the cloud.
The recommended method to ensure the security of industrial data is full network segmentation. Operational technology (OT) systems should be completely isolated from iWanhe's cloud systems. This is best done using the Demilitarized Zone (DMZ), keeping the production network behind a closed firewall. Governments and industry leaders around the world agree on this basic industrial cybersecurity practice, and it is required by the NIS2 Directive and NIST CSF 2.0.
Challenges for industrial communication
Transferring data from the production environment to the cloud-based AI system via the DMZ requires two steps: factory to DMZ; and from DMZ to the cloud. However, OPC-UA and MQTT are not designed for such pathways. Although they are often used in IIoT and Industry 4.0 systems, they were conceived in the early 2000s, long before people considered migrating industrial data to the cloud.
The OPC UA protocol itself is too complex to replicate well in a daisy-chain pattern across multiple servers. Information may be lost at the first hop. The synchronous multi-hop interactions required to transfer data across the DMZ will be very fragile and can result in high latency.
MQTT, on the other hand, can be daisy-chained, but it requires each node in the chain to be configured individually and realize that it is part of the chain. Quality of Service (QoS) guarantees in MQTT cannot be propagated through the chain, which makes data at the end of the chain unreliable. Therefore, MQTT is best used only as a final step to move data from the DMZ to the cloud.
So, what happens when OPC UA and MQTT are combined? Securely transferring data from the plant to the DMZ is a challenge. There is a serious pitfall with using OPC UA in this step, as it requires a firewall to be turned on on the production network. Any OPC UA client on the DMZ needs to be connected to the OPC UA server in the factory via a firewall. The risk of having a factory firewall open for such a connection is too high for most security administrators to allow it.
Tunneling/mirroring technology
Since OPC-UA and MQTT alone or together are not sufficient to pass data over the DMZ, an alternative approach is needed, one that integrates well with both protocols. Secure tunneling/mirroring software with a unified namespace provides a solution. It can establish a connection at both ends and pass data along the daisy-chain pattern connection required for DMZ support.
Tunneling or mirrored connections typically use two software components. The first component makes the necessary connections at the production level to collect data from various industry protocols into a single, unified namespace. It then tunnels the data to a second component running on the DMZ.
The second component converts the data into MQTT and sends it from the DMZ to the AI service in the cloud. The mirroring capabilities of tunneling/mirroring software keep data consistent between the original data source, DMZ, and AI systems.
Firewalls and data diodes
As mentioned earlier, all inbound firewall ports on the production system must remain down at all times. The tunneling/mirroring system must be able to establish an outbound-only connection from the production network to the DMZ.
In addition, some high-security critical infrastructure applications require hardware data diodes to ensure that no data packets can be sent back from the DMZ to the industrial network. Tunneling/mirroring systems need to support this level of security architecture for these applications.
Implementations of other AI applications may require bi-directional data flow to enable hands-off supervisory control or similar data input back into the production system. The tunneling/mirroring technology should be flexible enough to support this when needed.
Under no circumstances should you access data other than the data used by the AI system. Plant engineers should have complete control over what data can be used.
All in all, many companies today are turning to industrial AI in order to optimize production systems. The challenge is how to access the data they need without compromising security. It's difficult, but not impossible. You can have an OT network with zero attack surface and still provide data to cloud-based AI systems. Security is provided by DMZ. Production data can be accessed via the DMZ using well-designed tunneling/mirroring software.
