Gateways between ICS and cloud environments

Updated on 20/06/2024
Author
INCIBE (INCIBE)

Today, the industrial world is evolving rapidly and, with it, Industry 4.0 is becoming increasingly common in industrial environments. One of the devices emerging as a driver of digital transformation in industrial environments is the gateway for IIoT devices, as it makes it easier to scale and interconnect the different production environments, as we will explain throughout the article. This technology, together with new production environments with high levels of security maturity, represents a great opportunity to improve the productivity of our industrial processes.

IoT gateways

Gateways are devices that enable previously unfeasible connections between IoT, IIoT, Internet and other traditional devices. In doing so, they facilitate connectivity between networks of IoT devices that are not located on the same network and can be managed from a cloud environment.

These gateways work by connecting IoT devices and transferring data between sensors and controllers on the plant floor and a cloud environment. Using gateways, companies can leverage and connect devices with difficult internet access, such as Bluetooth devices. This helps to centralise the collection of information, since by implementing these gateways it is no longer necessary to manage data only on local devices.

How does an IoT gateway work?

Not all IoT gateways are built with the same capabilities and applications, but they should always have a basic set of capabilities. In addition, there are situations where advanced gateways are required to meet the requirements of complex, advanced IoT-enabled applications.

  • Basic characteristics: They establish basic communications, wired and wireless. These IoT gateways allow different devices to communicate using different technologies and protocols (LoRa, WiFi, cellular, Ethernet...).

    The basic gateways increase the security of IoT devices, allowing the segregation of networks, facilitating the separation of IT/OT/IoT environments and the isolation of internal networks from the internet, keeping incoming and outgoing traffic management simple.

  • Advanced characteristics: Advanced devices add the ability to perform edge computing. These gateways can process, aggregate, correlate and synchronise all raw data before sending it to the cloud. They also offer more I/O interfaces (USB, serial interface, HDMI, SPI, Modbus...).

    These devices are usually ruggedised, i.e. built so that they can work in industrial environments. They can also be customised with firmware adapted to specific applications.

    These gateways allow advanced inbound traffic management, adding intelligence and capabilities to an IoT-enabled network. They can also support a multitude of functions (offline operation, real-time data management, data caching, etc.).

Requirements for IoT infrastructure

To ensure the confidentiality, integrity and availability of IIoT devices within an industrial plant, gateways must be able to withstand harsh, rugged environments and wide operating temperature ranges, among many other adverse conditions typical of an industrial environment. Therefore, they must meet the following requirements:

  • Robust certifications and standards: Deploying a traditional firewall in a rugged, harsh environment would be nearly impossible. Therefore, equipment with robustness certification guarantees the resilience of the device (humidity, electrical surges, temperatures, etc.).
  • Fault tolerance: By design, these gateways must ensure that, in case of failure, traffic is diverted to alternative or redundant paths.
  • Wireless network monitoring: IIoT gateways allow for better visibility, giving SCADA real-time monitoring capabilities and threat intelligence.
  • Enhanced cybersecurity workloads: Technologies such as TPM (Trusted Platform Module) are designed to enforce security functions through hardware.
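The fault-tolerance and data-caching behaviour listed above, as an added example that is not part of the INCIBE article: a forwarder holds a prioritised list of uplinks, diverts to the redundant path when the primary fails, and when every path is down caches records in a bounded local buffer that is flushed in order once a path returns. The uplink names, the health flags and the record values are constructed for the example; a real gateway would probe its links instead of reading a flag.

```python
"""Uplink failover with store-and-forward.

Added example, not INCIBE's own code. It models the fault-tolerance
requirement above: the gateway holds a prioritised list of uplinks,
diverts to the redundant path when the primary fails, and when every path
is down it caches records in a bounded local buffer and flushes them in
order once a path returns. Uplink names, health flags and record values
are constructed; a real gateway would probe its links instead.
"""
from collections import deque


class Uplink:
    """One path to the cloud; `healthy` stands in for a real link probe."""

    def __init__(self, name: str, healthy: bool = True):
        self.name = name
        self.healthy = healthy
        self.sent = []

    def send(self, record) -> None:
        if not self.healthy:
            raise ConnectionError(f"{self.name} is down")
        self.sent.append(record)


class Forwarder:
    def __init__(self, uplinks, cache_limit: int = 1000):
        self.uplinks = list(uplinks)            # priority order: primary first
        self.cache = deque(maxlen=cache_limit)  # bounded so an outage cannot exhaust storage
        self.dropped = 0                        # records lost because the cache overflowed
        self.active = None
        self.path_changes = []                  # audit trail of failovers

    def _deliver(self, record) -> bool:
        """Try each uplink in priority order; True if any accepted the record."""
        for link in self.uplinks:
            try:
                link.send(record)
            except ConnectionError:
                continue
            if link.name != self.active:
                self.active = link.name
                self.path_changes.append(link.name)
            return True
        return False

    def forward(self, record) -> str:
        # Flush the backlog first so the cloud receives records in order.
        while self.cache and self._deliver(self.cache[0]):
            self.cache.popleft()
        if not self.cache and self._deliver(record):
            return "sent"
        if len(self.cache) == self.cache.maxlen:
            self.dropped += 1  # deque discards its oldest entry on append
        self.cache.append(record)
        return "cached"


def run_scenario():
    """Primary fails, backup takes over, both fail, backup recovers."""
    primary, backup = Uplink("fibre"), Uplink("lte")
    fwd = Forwarder([primary, backup], cache_limit=3)
    log = [fwd.forward("r1")]                  # sent via fibre
    primary.healthy = False
    log.append(fwd.forward("r2"))              # diverted to lte
    backup.healthy = False
    log += [fwd.forward(r) for r in ("r3", "r4", "r5", "r6")]  # cached; r3 evicted by r6
    backup.healthy = True
    log.append(fwd.forward("r7"))              # backlog r4..r6 flushed, then r7
    return fwd, primary, backup, log


if __name__ == "__main__":
    fwd, primary, backup, log = run_scenario()
    print(log)
    print("fibre:", primary.sent, "lte:", backup.sent, "dropped:", fwd.dropped)
```

The cache is deliberately bounded and the number of evicted records is counted: an outage that outlasts local storage must be visible in the gateway's own telemetry rather than silently losing the oldest data.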

IoT gateway security

These devices can act as the first point of security in an OT environment, as they are often a common entry point for network traffic, acting as a proxy between the target device and the IoT equipment itself. Therefore, the use of gateways with manageable security capabilities is recommended, as it is not only IoT devices that are potentially vulnerable.

Therefore, several security requirements must be taken into account in order to protect and choose the IoT gateways we deploy in our industrial networks:

  • Choice of operating system: it is important to choose the most secure operating system possible, as this will allow us to effectively avoid certain vulnerabilities inherent to the operating system.
  • Segmentation and segregation of the assigned network: another applicable security measure would be to use a single network for the gateway and IoT devices, isolating them from other incoming connections and controlling traffic.
  • Monitoring: Monitoring the network assigned to the IoT gateway facilitates the protection and detection of potential network problems and is an essential tool for early response that can reduce serious impacts such as service or communication downtime.
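The segregation described for basic gateways earlier (isolating the IoT and OT segments from the internet and keeping traffic management simple) and the segmentation and monitoring measures listed above, as one added example that is not part of the INCIBE article: a policy check that classifies each end of a connection into a segment, allows only the flows the gateway is meant to carry, flags internet-originated inbound connections and hosts that bypass the gateway, and reports expected devices that have gone silent. The addressing plan, the allowlist, the log format and the log lines are all constructed for the example.

```python
"""Gateway segmentation policy and monitoring check.

Added example, not INCIBE's own code. It models the segregation advice in
the article: the gateway lives in its own segment, only the gateway may
reach the cloud broker, IIoT devices only talk to the gateway, and nothing
on the internet may initiate a connection inwards. The addressing plan,
allowlist, log format and log lines are all constructed for this example.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Assumed addressing plan: one /24 per segment (constructed).
ZONES = {
    "OT": ipaddress.ip_network("10.10.0.0/24"),        # PLCs, field controllers
    "IOT": ipaddress.ip_network("10.20.0.0/24"),       # IIoT sensors
    "GATEWAY": ipaddress.ip_network("10.30.0.0/24"),   # gateway interfaces
    "IT": ipaddress.ip_network("192.168.1.0/24"),      # office/admin network
}
CLOUD_BROKER = ipaddress.ip_address("203.0.113.10")    # documentation-range placeholder

# (source zone, destination zone, destination port) triples the gateway
# should permit. Anything else crossing a segment boundary is a finding.
ALLOWED_FLOWS = {
    ("GATEWAY", "OT", 502),      # gateway polls PLCs over Modbus/TCP
    ("IOT", "GATEWAY", 1883),    # sensors publish MQTT to the gateway only
    ("GATEWAY", "CLOUD", 8883),  # gateway forwards to the broker over MQTT/TLS
    ("IT", "GATEWAY", 443),      # admins reach the gateway UI from IT only
}

LINE_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def zone_of(ip: str) -> str:
    """Map an address to its segment; anything unknown is treated as internet."""
    addr = ipaddress.ip_address(ip)
    if addr == CLOUD_BROKER:
        return "CLOUD"
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"


def parse_line(line: str) -> dict:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def check_flow(src: str, dst: str, dport: int) -> tuple:
    """Return ('allow'|'deny', reason) for one connection attempt."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return "allow", f"intra-segment traffic inside {s}"
    if (s, d, dport) in ALLOWED_FLOWS:
        return "allow", f"{s}->{d}:{dport} is on the allowlist"
    if s == "INTERNET":
        return "deny", f"inbound connection from the internet ({src}) into {d}"
    if s != "GATEWAY" and d != "GATEWAY":
        return "deny", f"{s} host {src} bypassed the gateway to reach {d}"
    return "deny", f"{s}->{d}:{dport} is not on the allowlist"


def audit(lines) -> list:
    """One finding per denied flow, in log order."""
    findings = []
    for rec in map(parse_line, lines):
        verdict, why = check_flow(rec["src"], rec["dst"], rec["dport"])
        if verdict == "deny":
            findings.append((rec["ts"].isoformat(), rec["src"], rec["dst"], rec["dport"], why))
    return findings


def silent_devices(lines, expected, max_gap=timedelta(minutes=5)) -> list:
    """Expected devices not seen as a source within max_gap of the newest record.

    This is the communication-downtime signal the article asks for early
    warning of: a sensor that stopped reporting, or never reported at all.
    """
    recs = [parse_line(line) for line in lines]
    newest = max(r["ts"] for r in recs)
    last_seen = {}
    for r in recs:
        last_seen[r["src"]] = max(last_seen.get(r["src"], r["ts"]), r["ts"])
    return sorted(ip for ip in expected
                  if ip not in last_seen or newest - last_seen[ip] > max_gap)


# Constructed connection log as the segmentation firewall might record it.
SAMPLE_LOG = [
    "2024-06-20T10:00:00Z src=10.30.0.5 dst=10.10.0.7 dport=502",
    "2024-06-20T10:00:05Z src=10.20.0.11 dst=10.30.0.5 dport=1883",
    "2024-06-20T10:00:06Z src=10.30.0.5 dst=203.0.113.10 dport=8883",
    "2024-06-20T10:00:09Z src=198.51.100.23 dst=10.30.0.5 dport=22",
    "2024-06-20T10:00:12Z src=192.168.1.40 dst=10.10.0.7 dport=502",
    "2024-06-20T10:00:15Z src=10.20.0.12 dst=203.0.113.10 dport=8883",
    "2024-06-20T10:08:00Z src=10.20.0.11 dst=10.30.0.5 dport=1883",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("DENY", *finding)
    print("silent:", silent_devices(SAMPLE_LOG, ["10.20.0.11", "10.20.0.12", "10.20.0.13"]))
```

Run against the sample log, the audit reports three findings (an internet host connecting inwards, an IT host reaching a PLC directly, and a sensor talking to the cloud without going through the gateway), and the silence check names the two sensors that have not reported within five minutes of the newest record. The same allowlist can be carried into the gateway's own firewall rules, so the check and the enforcement describe the same policy.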

ICS gateway integration in industrial environments

The aim of an IIoT gateway is to integrate all PLCs, adapting them for the connected industry. This type of device makes it possible to maintain a flow of data in order to send it to a data centre hosted in the cloud for processing, analysis and storage. These architectures are organised in distinct stages.

  • Phase 1, Sensors and Actuators: These are the devices closest to the field level, as they are the ones that monitor (sensors) and control (actuators) the physical processes within a production process. Sensors collect data on the processes in progress (temperature, humidity, fluid levels...). Traditionally, the sensors used are simple devices, wired with electrical signals and with little, if any, logic of their own. With the growth in the scale and complexity of production environments, there is a need to use smart sensors that can perform part of the data processing on their own or with other features to facilitate their deployment in specific environments: portable, wireless, multi-purpose sensors, with cloud storage, etc.
  • Phase 2, Data Acquisition: Data acquisition systems (DAS) collect raw data from sensors and transform it into digital format. Including IoT gateways in this phase enables the use of new sensor models in data capture, as well as optimising and diversifying the communication flow and information processing.

    Among the new data collection and processing architectures made possible by sensors and IoT gateways, examples can already be found in the industrial world:

    • Preventive maintenance sensors with trained models for specific deployments thanks to direct connections to external servers
    • Portable sensor groups that can be used by operators or mobile robots throughout an industrial site without losing direct connection to the rest of the system
    • Sensors with direct actuation or warning generation capability without relying on central system logic
    • Micro-segmentation of industrial networks according to criticality, process, function or need for connection to other networks.

    And more types of infrastructure made possible by the adaptability of these new technologies.

  • Phase 3, Processing: analysis at the edge. In this phase, with the data digitised and aggregated, the information is processed to reduce the volume of data, provide basic intelligence and apply detection and preventive maintenance rules, and is then sent to central processing, typically in a data centre, SCADA or control panel.

    Many IoT devices or smart sensors are designed to liaise frequently with external servers, which process the data before forwarding it to the next stages of the industrial control process. Such deployments, which are becoming increasingly common, are often prohibitively expensive if only traditional devices are used in the data acquisition and forwarding phase.

  • Phase 4, In-depth analysis: In this last phase, the most powerful computer systems or specialised personnel are used to analyse, manage and store the data securely. In this phase, more sector-specific applications and the use of software or private intellectual property of the company are used to perform a deeper analysis.
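The edge computing described for advanced gateways earlier and the phases just listed, as one added example that is not part of the INCIBE article: raw register counts from a polled controller are validated and converted to engineering units (phase 2), a window of samples is reduced to a summary record and checked against threshold and rate-of-change rules (phase 3), and only the summary plus any alerts form the batch handed to central processing (phase 4). The channel map, scaling factors, thresholds and sample values are constructed for the example.

```python
"""Edge processing on an IIoT gateway.

Added example, not INCIBE's own code. It walks raw sensor samples through
the phases above: a data acquisition step turns raw register counts into
engineering units (phase 2), the gateway aggregates a window and applies
detection and preventive-maintenance rules (phase 3), and only the compact
summary plus alerts are forwarded for in-depth analysis (phase 4). The
channel map, scaling, thresholds and sample values are constructed.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Channel:
    name: str
    unit: str
    scale: float     # engineering units per raw count
    offset: float
    high: float      # alarm above this value (engineering units)
    max_rate: float  # alarm if |change| between consecutive samples exceeds this


# Assumed holding-register layout for one PLC (constructed). Raw values are
# 16-bit unsigned counts, as a Modbus read would return them.
CHANNELS = {
    0: Channel("bearing_temp", "degC", scale=0.1, offset=0.0, high=85.0, max_rate=2.0),
    1: Channel("vibration", "mm/s", scale=0.01, offset=0.0, high=7.1, max_rate=1.0),
}


def digitise(register: int, raw: int) -> float:
    """Phase 2: validate a raw count and convert it to engineering units."""
    ch = CHANNELS[register]
    if not 0 <= raw <= 0xFFFF:
        raise ValueError(f"register {register}: {raw} is not a 16-bit value")
    return round(raw * ch.scale + ch.offset, 3)


def aggregate(register: int, raws: list) -> dict:
    """Phase 3: one summary record per window instead of every sample."""
    ch = CHANNELS[register]
    values = [digitise(register, r) for r in raws]
    return {"channel": ch.name, "unit": ch.unit, "n": len(values),
            "min": min(values), "max": max(values),
            "mean": round(mean(values), 3), "stdev": round(pstdev(values), 3)}


def detect(register: int, raws: list) -> list:
    """Phase 3 rules: threshold crossings and abrupt jumps (preventive maintenance)."""
    ch = CHANNELS[register]
    values = [digitise(register, r) for r in raws]
    alerts = []
    for i, v in enumerate(values):
        if v > ch.high:
            alerts.append((ch.name, i, "high", v))
        if i and abs(v - values[i - 1]) > ch.max_rate:
            alerts.append((ch.name, i, "rate", v))
    return alerts


def build_batch(window: dict) -> dict:
    """window maps register -> raw samples; returns what the gateway forwards."""
    summaries = [aggregate(reg, raws) for reg, raws in window.items()]
    alerts = [a for reg, raws in window.items() for a in detect(reg, raws)]
    return {"summaries": summaries, "alerts": alerts,
            "samples_in": sum(len(r) for r in window.values()),
            "records_out": len(summaries)}


# Constructed polling window: six reads of each register.
SAMPLE_WINDOW = {
    0: [720, 722, 725, 731, 900, 905],   # 72.0 ... 73.1 degC, then a jump to 90.0
    1: [310, 320, 315, 330, 325, 340],   # 3.1 ... 3.4 mm/s, all within limits
}

if __name__ == "__main__":
    batch = build_batch(SAMPLE_WINDOW)
    print(f"{batch['samples_in']} samples in -> {batch['records_out']} records out")
    for a in batch["alerts"]:
        print("ALERT", *a)
```

The batch carries twelve raw samples as two summary records plus three alerts on the bearing temperature (the jump to 90 degC trips both the threshold rule and the rate rule), which is the volume reduction and basic intelligence phase 3 is meant to deliver before anything reaches the data centre.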
Figure 1: Rugged Industrial IoT Gateway.

Conclusion

In short, IIoT gateways allow us to improve productivity in industrial environments in an innovative way. They can not only integrate different types of equipment with different protocols, but also link with cloud environments that enable the interoperability of different equipment.

On the other hand, these devices share inherent dangers with IoT devices to which special attention must be paid. It is advisable to develop good security practices for their implementation as they could facilitate a security breach and endanger our business, even affecting the continuity of the production process.

The gateways between ICS and cloud environments make it possible to implement great innovations and increase the productivity of our plant by adapting it to the new Industry 4.0 technologies, but they could represent a new risk vector in our plant if they are used without due precautions.