
Ways to Securely Transfer Your OT Data to AI

Cengiz Özemli

Academic
  • Dokuz Eylül Üniversitesi

## Securely Transferring Your OT Data to AI

In an era where AI is reshaping the competitive landscape of industry, the ability to move Operational Technology (OT) data to AI systems securely is a necessity for sustainable growth rather than a mere advantage. What is needed are unified datasets that feed AI models without exposing the production infrastructure to new risk.

Building an environment that is both secure and presents no inbound attack surface toward the plant is difficult, but it is achievable through the deliberate use of outbound-only connections and robust network segmentation.

### Risks of Inbound Connections

In industrial OT networks, every inbound connection is an unlocked door into a critical facility: it gives an attacker a direct path to sensitive control systems. Attackers locate exposed services with Internet-wide search engines such as Shodan or port scanners such as masscan, then exploit known vulnerabilities in whatever is listening to gain unauthorized access, which can end in operational disruption or malware on the control network.

VPNs often create an illusion of security. A VPN extends the trust boundary of the IT network into the production network: once an IT workstation or a VPN credential is compromised, the attacker inherits reachability to every OT node the VPN peer can route to. The most effective practice is therefore for the plant firewall to block all inbound connection attempts to production systems, regardless of where they originate, and to allow only the outbound flows the plant itself needs.
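The policy above, "nothing initiates a connection into OT; OT initiates only toward the DMZ", is easy to state and easy to violate with a single "temporary" VPN or RDP rule. The following is an added example, not code from the article or from any firewall vendor: it audits a constructed zone-to-zone rule list against that policy and renders the rules that survive as an nftables forward chain with a default-drop policy. Zone names, addresses, interface names and the rule format are assumptions made for the example.

```python
# Added example (not from the article): audit a zone-to-zone rule list for the
# policy "no inbound initiation into OT; OT may initiate only toward the DMZ",
# then render the surviving rules as an nftables forward chain.
# Zones, CIDRs, interface names and the Rule format are assumptions.
from dataclasses import dataclass

OT, DMZ, IT, VPN = "OT", "DMZ", "IT", "VPN"


@dataclass(frozen=True)
class Rule:
    """One zone-to-zone rule: who may INITIATE a connection to whom."""
    src_zone: str
    dst_zone: str
    src_cidr: str
    dst_addr: str
    proto: str
    dport: int
    comment: str = ""


# Constructed sample ruleset for a plant firewall (addresses are made up).
SAMPLE_RULES = [
    Rule(OT, DMZ, "10.10.0.0/16", "10.20.0.5", "tcp", 8883, "tunnel/mirror agent to DMZ node"),
    Rule(OT, DMZ, "10.10.0.0/16", "10.20.0.7", "udp", 123, "OT hosts query NTP in the DMZ"),
    Rule(VPN, OT, "172.16.0.0/24", "10.10.0.0/16", "tcp", 4840, "remote OPC UA over VPN"),
    Rule(IT, OT, "10.30.0.0/16", "10.10.5.12", "tcp", 3389, "RDP to engineering station"),
    Rule(OT, IT, "10.10.0.0/16", "10.30.0.9", "tcp", 443, "historian push straight to IT"),
]


def audit(rules):
    """Return (rule, reason) pairs for every rule that violates the policy."""
    findings = []
    for r in rules:
        if r.dst_zone == OT and r.src_zone != OT:
            findings.append((r, f"{r.src_zone}->OT initiation: OT must accept no new inbound flows"))
        elif r.src_zone == OT and r.dst_zone not in (OT, DMZ):
            findings.append((r, f"OT->{r.dst_zone} bypasses the DMZ: OT may initiate only toward the DMZ"))
    return findings


def approved(rules):
    """Rules that survive the audit."""
    flagged = {r for r, _ in audit(rules)}
    return [r for r in rules if r not in flagged]


# Assumed interface names on the firewall for each zone.
IFACE = {OT: "ot0", DMZ: "dmz0", IT: "it0", VPN: "vpn0"}


def render_nft(rules, table="otfw"):
    """Render approved rules as an nftables forward chain with default drop.
    Replies to OT-initiated flows are admitted by the conntrack rule, so no
    inbound 'accept' toward OT is ever needed."""
    lines = [
        f"table inet {table} {{",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in rules:
        lines.append(
            f'    iifname "{IFACE[r.src_zone]}" oifname "{IFACE[r.dst_zone]}" '
            f"ip saddr {r.src_cidr} ip daddr {r.dst_addr} {r.proto} dport {r.dport} "
            f'ct state new accept comment "{r.comment}"'
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        print(f"REJECT {rule.comment!r}: {reason}")
    print(render_nft(approved(SAMPLE_RULES)))
```

On the sample, the VPN-to-OPC-UA rule, the RDP rule and the direct OT-to-IT historian push are all rejected; only the two OT-to-DMZ flows are rendered. The generated chain can be syntax-checked with `nft -c -f <file>` before loading; it covers forwarded traffic only, so the firewall's own `input` chain still needs its own default-drop policy.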

### DMZ and Standard Protocols

Frameworks such as the NIS2 Directive and NIST CSF 2.0 call for segmentation between IT and OT, which in practice means placing a DMZ (demilitarized zone) between the two so that no session crosses directly from one network to the other. Popular industrial protocols, however, do not traverse a DMZ gracefully. OPC UA is a stateful, session-based client/server protocol; chaining it through an intermediate server in the DMZ adds complexity and raises the risk of latency or data loss. MQTT can be bridged broker-to-broker through a DMZ, but its QoS guarantees hold only hop-by-hop between a client and its own broker, not end-to-end across the chain, so a consumer on the far side may receive stale or missing data with no indication that anything was lost.

For this reason MQTT is best used for collecting data from edge devices or for carrying data from the DMZ to cloud systems; it should not be treated as the backbone of an Industrial IoT architecture.

### Tunnel/Mirror Solution

Bridging plant and AI systems securely calls for a different approach: one that is DMZ-compatible, integrates with the protocols already in use, and preserves a closed inbound firewall policy. Secure tunnel/mirror software establishes only outbound TCP connections, initiated from the OT side toward the DMZ. The OT network then exposes no listening service at all; the remaining exposure sits in the DMZ, which can be hardened independently of the plant.

By mirroring the complete dataset at each node rather than forwarding individual messages, every node holds the same current state, so data consistency and reliability are maintained from the production facility to the AI service. The software connects to the data source with a standard protocol such as OPC UA, mirrors it into a unified namespace in the DMZ, and from there converts the data to MQTT and transmits it to the AI system.
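The two properties that distinguish this design from an MQTT bridge chain are that the OT side never listens and that each hop carries a complete snapshot whose loss is detectable downstream. The following is an added example, not the article's or any vendor's tunnel/mirror product: an OT-side agent opens a single outbound TCP connection to a DMZ node and pushes whole-dataset snapshots with a sequence number; the DMZ node detects lost snapshots and a stale mirror, and maps the mirrored unified-namespace paths onto MQTT topics for the next hop. The JSON-lines wire format, the tag names, addresses and ports, and the `lose_in_transit` switch (which only simulates a lost snapshot) are assumptions; a real deployment would wrap the connection in mutually authenticated TLS.

```python
# Added example (not the article's or any vendor's software): outbound-only
# tunnel/mirror with full-snapshot mirroring, gap and staleness detection, and
# UNS-to-MQTT topic mapping. Wire format, tags, addresses and ports are assumed.
import json
import socket
import threading
import time

# Constructed sample of what the OT agent would read from its OPC UA source.
SAMPLE_TAGS = {
    "plant1/line3/press/pressure_bar": 12.4,
    "plant1/line3/press/temp_c": 71.0,
    "plant1/line3/press/state": "RUN",
}


class DmzMirrorNode:
    """DMZ side. It only accept()s; it never dials into OT, so the OT firewall
    keeps a default-deny inbound policy and the DMZ still receives the data."""

    def __init__(self, host="127.0.0.1", port=0, max_age_s=5.0):
        self._srv = socket.create_server((host, port))
        self.port = self._srv.getsockname()[1]
        self.max_age_s = max_age_s
        self.snapshot = {}          # latest complete dataset
        self.last_seq = None
        self.last_update = None
        self.gaps = 0               # snapshots that never arrived
        self._cv = threading.Condition()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        conn, _ = self._srv.accept()            # the OT agent connects to us
        with conn, conn.makefile("rb") as f:
            for line in f:
                self._apply(json.loads(line))

    def _apply(self, msg):
        with self._cv:
            if self.last_seq is not None and msg["seq"] != self.last_seq + 1:
                self.gaps += 1                  # sequence jumped: a snapshot was lost
            self.last_seq = msg["seq"]
            self.snapshot = msg["data"]         # the whole dataset replaces the old one
            self.last_update = time.monotonic()
            self._cv.notify_all()

    def wait_for_seq(self, seq, timeout=2.0):
        with self._cv:
            return self._cv.wait_for(
                lambda: self.last_seq is not None and self.last_seq >= seq, timeout)

    def read(self):
        """Return (dataset, fresh). A stale mirror must be treated as unknown
        plant state, never as the current one."""
        with self._cv:
            if self.last_update is None:
                return {}, False
            fresh = (time.monotonic() - self.last_update) <= self.max_age_s
            return dict(self.snapshot), fresh


class OtMirrorAgent:
    """OT side. Opens one outbound TCP connection to the DMZ node and pushes
    complete snapshots tagged with a monotonically increasing sequence number."""

    def __init__(self, dmz_host, dmz_port):
        self._sock = socket.create_connection((dmz_host, dmz_port))
        self._seq = 0

    def push(self, dataset, lose_in_transit=False):
        self._seq += 1
        if lose_in_transit:      # simulation only: drop this snapshot to exercise gap detection
            return self._seq
        self._sock.sendall((json.dumps({"seq": self._seq, "data": dataset}) + "\n").encode())
        return self._seq

    def close(self):
        self._sock.close()


def to_mqtt_messages(snapshot, root="acme"):
    """Map mirrored UNS paths onto (topic, payload) pairs for the DMZ-to-cloud hop."""
    return [(f"{root}/{path}", json.dumps({"v": value}))
            for path, value in sorted(snapshot.items())]


def run_demo():
    dmz = DmzMirrorNode(max_age_s=0.5)
    agent = OtMirrorAgent("127.0.0.1", dmz.port)
    agent.push(SAMPLE_TAGS)                                          # seq 1 arrives
    agent.push(SAMPLE_TAGS, lose_in_transit=True)                    # seq 2 is lost
    agent.push({**SAMPLE_TAGS, "plant1/line3/press/state": "STOP"})  # seq 3 arrives
    dmz.wait_for_seq(3)
    data, fresh_now = dmz.read()
    time.sleep(0.8)                     # silence longer than max_age_s: mirror goes stale
    _, fresh_later = dmz.read()
    agent.close()
    return {"seq": dmz.last_seq, "gaps": dmz.gaps, "fresh_now": fresh_now,
            "fresh_later": fresh_later, "state": data["plant1/line3/press/state"],
            "topics": [t for t, _ in to_mqtt_messages(data)]}


if __name__ == "__main__":
    print(run_demo())
```

Because every message is a complete dataset, losing one (seq 2 here) costs nothing once seq 3 arrives; the consumer still sees a consistent state, and the sequence jump is recorded rather than silently absorbed, which is the failure mode of hop-by-hop MQTT QoS across a bridge chain. The `fresh` flag is the consumer's guard against reading a mirror whose source has gone quiet.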

### Flexibility and Additional Features

Another tunnel/mirror option, for products that support multi-stage connections, is to place an additional node inside the AI system itself. This suits internal AI platforms that do not need an MQTT broker at all. Because tunnel/mirror software offers unified namespace support and a range of protocol adapters, it can deliver data directly to historians, event streams, or specialized AI tools.

With suitable software, a tunnel/mirror deployment can also operate across a data diode, so that no packet can physically return to the industrial network. Since a diode carries no acknowledgements back, the mirror protocol must tolerate one-way transport, which the full-snapshot approach suits better than message-by-message delivery. This is especially valuable for critical infrastructure that demands the highest level of isolation.

### New Threats

The strongest public-key algorithms in use today may be broken by large quantum computers in the future. With a "harvest now, decrypt later" (also called "collect now, decrypt later") strategy, an attacker records encrypted traffic today and waits for quantum computers capable of breaking the key exchange and the certificate signatures that protected it; RSA and elliptic-curve schemes are the ones at risk, while symmetric ciphers such as AES are far less affected. Tunnel/mirror software and other tools used for industrial data communication should therefore support post-quantum cryptography (PQC), for example the NIST-standardized ML-KEM for key exchange, so that data captured now does not become readable later.

In conclusion, secure and reliable data transfer from production to AI remains a challenging task for control engineers. Isolating the networks with a DMZ and moving data through outbound-only tunneling/mirroring is an effective way to protect both OT and IT systems while preserving data connectivity. With this method, companies can optimize their processes while keeping production data secure.
     