- Welcome back to the Automation Podcast. My name is Sean Tierney from Insights In Automation, and this week on the show I meet up with Barry Turner of Red Lion and we talk about 62443 zones and conduits and how you can easily implement them with Red Lion's compact intelligent firewall, the RA10C. Barry, thank you for coming on the Automation Podcast. I'm excited to go through your presentation today. But before we get into that, could you introduce yourself to our audience?

- Hey, Sean, glad to be here. So thanks for this. My name is Barry Turner and I am currently the Technical Business Development Manager here at Red Lion Controls. I've been with Red Lion for about 13 years in a couple of different roles, always a technical role. Before coming to Red Lion, I was actually a network administrator for about 15 years. So I've been working in the IT field for about 15 years, half my career, and then the other half really supporting technically the application engineers for control systems.

- Well, I appreciate that, because we could use your expertise. I know we had last year, was it a year ago, a year and a half ago, we had ISA on to talk 62443, but it was very, very high level. So I know you have more practical experience, especially with the products you manage over there at Red Lion. So, without further ado, let me turn it back to you.

- Okay, sure. So I just
want to briefly give your audience kind of an overview of some security models that they may be interested in implementing in their own control system to increase the security posture of their application. So the ISA/IEC 62443 is a cybersecurity standard that's been around for a while. And really what that is is a combination of a lot of things that we've learned from the IT side for the past few decades, applied to a control system application or environment. And the interesting thing is it's not just applied at the beginning. It's applied across the entire lifecycle of your application. And within that standard, there are a lot of different security models and security practices that our customers can use or utilize to, like I said, increase that security posture, to make their network and their application more secure, and create some security measures that will help them be protected.

So with that, let me kind of dig into it. I've got a couple of slides here that I'll speak to. So if you're not able to see them, you can just listen. But I want to tell a story of a customer that I met a few years ago that had a problem that he came to Red Lion with. And that was that he had recently allowed a third-party contractor to come into his network and do some work that was required. And the controls engineer came in, the contractor, excuse me, came in, did the work for them. But the problem was the laptop that this third-party contractor had was compromised. And so it had been compromised, and the site had not had full patch management implemented throughout their organization. So they had a lot of HMIs that were Windows-based. And so this Windows-based laptop that was plugged into the network, this OT network, was able to infect all of the other HMIs on the plant floor that were also Windows-based, that were not patched.

And so the customer said, hey, you know, we just let a guy come in to do some work to, you know, hopefully improve our uptime. And then we went backwards, because we had a lot of downtime because we had to go around and resolve the issue. And then we had to patch all of our HMIs, our Windows-based HMIs. And so it became a big issue for him. And so he's looking for a way to mitigate this from happening in the future.

And so we start having a conversation around this cybersecurity standard here, 62443. And I mentioned, you know, there are things that you can do like defense in depth. And so he's like, well, so what is defense in depth? And so we kind of briefly talked about that. Defense in depth just means that we are applying multiple layers of security measures to protect our assets from an attack vector. And so we're taking a look at, and we're doing an assessment of, all of our devices on the plant floor or within our application to understand what their security level is. And then we're making sure that we add layers of protection so that we're not relying on just one thing to protect our network, but instead multiple things. And so the types of things that I would be referring to would be like physical security. Other things might be policies and procedures that are not in place today that would help protect that. And then zones and conduits. And so zones and conduits is really the topic that I want to talk about today, because it's very interesting and it's typically pretty difficult to implement, to be honest with you. But Red Lion makes some products that make it a lot easier to implement that. So I just want to make sure your audience was aware that there is an easier approach here to implement this very helpful security model.

- You know, I want to just jump in here, and it's not just an integrator coming in with a PC that could be a problem. It could be your phone. You could connect to a Wi-Fi at a restaurant or at a coffee shop. And if your phone is hacked, if your phone is compromised, then that could be the vector that they get into your plant. And think about this, even the charging stations at the airport have been known to be compromised and hacked. And so who doesn't bring their phone with them everywhere, right?

- That's right. That's right. Yeah.

- So, I mean, for the audience who are listening, if you have to go up to management about this kind of stuff, it can even be your cell phone or tablet that could be the culprit. And unless you do like what some very highly secured government mills do and not allow any electronics in, I mean, that is not the case today. Almost everybody allows you to bring at least your phone in. And of course, you have people working for you, they've got to bring their computers in. So let me turn it back to you, Barry.

- That's a great example. And that happens a lot
within an organization where somebody brings in a third-party device, a phone, tablet or whatever, and because it didn't go through the normal procedures to make sure that it is secure, it opens you up. And then when you don't have these layers of defense, then you're kind of wide open. And so in this customer's situation, where he allowed this third-party contractor to come in and plug into just a gray port that was there at, well, line one, that laptop was able to access every other industrial device on the plant floor, find all of his Windows-based HMIs, and then target them and infect them, all without the third-party contractor knowing that this happened. And so they only knew it happened when the production line stopped. And so, like I said, a better approach here is to add those layers of protection that will keep a would-be hacker or, in this case it wasn't a hacker, it was just an accident, from causing downtime on the plant floor.

And so we talked with the customer about the cybersecurity standard. We talked about defense in depth, and we talked a little bit about zones and conduits and how that would help him. So he wants to know more about zones and conduits. And so we start digging into what that really means. And so zones and conduits is really segmentation. So we're taking one large flat network, and we're creating zones out of that network, which are smaller portions of the network. And so today that's done, right? So today it's done, but it's on a large scale. So if you look at the IT/OT side of the equation, you have one zone that's on the IT side, and you have a router that separates the IT from the OT. So there is a zone for the IT side, and then you typically have a zone for the OT side. The problem is that, for a large number of our customers and a large number of industrial applications, that OT side is one large flat network. And like I said before, when you have one large flat network, everything can see everything else on the network. And so you want to really segment that and isolate parts of the network so that data doesn't flow freely unless you actually want it to.

So that is what the customer's problem was initially, was that when the contractor plugged his laptop in, it could see everything on the network. A better approach would be to create zones so that you can isolate one line or one cell from another line or cell. And then also, it's important to know that these zones that you're creating should be similar devices for the process control. So they should all be things that need real-time communication or need to be communicating very quickly. And they should all have the same security level. And so you're going to do a security assessment before you start something like this. So the security assessment is going to determine what security level is required for all of the different devices that you want to secure. And all the devices within one zone should be of the same security level. And so that creates these boundaries that you can create around your application or portions of your application that are protected. So you could imagine if a controls engineer were to plug his laptop into line two, for example, and then it was infected like before, instead of infecting the entire plant, he only infects those devices that are in that zone, instead of the larger application. So that's a huge protection there.

And so the next part that we need when we're talking about zones and conduits is the conduit itself. And so what function does the conduit serve? The conduit really controls the traffic going in and out of a zone. And so we definitely know that we need communication to go from line one all the way up to the SCADA package, or maybe even line two may need to communicate, maybe we have a peer communication between two PLCs or something like that. We do want them to communicate, but we want to have something in the middle there, that conduit that's going to control the traffic and allow just the traffic we want to allow, and we want some type of monitoring. So we want to be able to monitor and log the traffic, or sorry, log the activity that's going across that conduit so we can ensure that the activity that's happening is exactly what we expect.

Now typically this type of security model is done by implementing VLANs, and you would use something like a firewall and a router to get in and out of those zones. And so in my conversation with this customer, he was really excited up until we got to the part we're about to talk about right now. And so he really liked the concept of the segmentation within his plant floor. He liked the ability to control traffic in and out, but the requirements to do so on, you know, today's OT network, it's a task. It's a really big task. And so when we're talking about creating new VLANs, when we're talking about creating new networks on the plant floor, that means we need to change the IP address, the subnet mask, and the default gateway for every device on that network to allow it to communicate across that new conduit and over to the new zone, or to the zone that it needs to communicate with. And so that is a task that many controls engineers don't really want to take on. Because one of the most important things to all controls engineers, and rightfully so, is uptime. And so you want that application to run, and you really don't want it to go down. So we don't want to stop making products. But now if we make significant changes to the network, the potential for downtime increases a lot. You know, a mistake in typing in a subnet mask, for example, or default gateway, could really jeopardize the uptime that we need for our application.

So this is the part where he was like, let's pause just a little bit. You know, you're telling me that I need to make a change to all of my controls devices? This application's been running smoothly for the past five years, and now you want me to make a change to it? And now that introduces a lot of risk for him. So he's like, I really want to increase my security posture, but that risk is a lot. And so that puts him in a tight spot. They definitely want to do it, but then you have to figure out the risk/reward. And so the reward here is that increased security posture. But really where the win comes in is when you can use a product that makes it possible to do this without making those changes, without having to make major changes to the industrial network itself. You know, in terms of IP addresses and masks and gateways, you don't really have to make a change, but instead just plug a device in the middle and then use a graphical interface so that you can configure who should talk to whom, and then walk away.

And so that's really the solution that I want to talk about today, Red Lion's RA10C compact industrial firewall. It does that. And so it is a firewall. It also has a router mode, but if you use that product in bridge mode, you don't have to change the IP address of any of your devices on your network. All you have to do is put it in line. So put it in line from one zone to another zone, and it's going to control the traffic going from line one to, or excuse me, zone one to zone two. And it will give you that monitoring ability, and then allow you to, like I said, control which devices are able to communicate across that boundary. And so that is a big win for the customer when he can implement this, when he can increase his security posture, when he can really protect himself and implement security measures like this without jeopardizing the uptime that
is so precious to them.

- Yeah. You know, for the audio audience, this product, if you haven't seen it on our show before, it looks like your standard four-port switch, but the ports are on the wide side, not on the end. So that's a very unique-looking product.

- Yeah. It's a very low-profile product. So it's not going to take up a ton of space in the panel itself. And it is just exactly what you said, it's four ports. Three of those ports are what we would consider the LAN side, and then the other one would be what we consider the WAN side. And really all you're talking about doing here is plugging the WAN into one zone and then one port of the LAN into the other zone. And then you configure it using that graphical interface, which is what I'm showing here. There's a graphical interface available to our customers with the mbNETFIX software, which is a free download off our website. This software is great in that it gives you a graphical representation of the communication that's trying to happen across that conduit. And so you don't have to go in and collect the IP addresses of all of your devices that are trying to communicate. You just plug this device in place, and it's going to intelligently identify them and list them in a format like what you see here. And then all you have to do is press the check mark if you want to allow that communication.

- Oh, okay.

- Or the no, if you don't want to allow that communication. And what's happening in the background for you is there are rules, the firewall rules, that are being put in place that will allow or disallow the traffic in the way that you want to. And so you're able to set this up without being a network engineer. You're able to set this up with almost no downtime, because it's so
quick and easy to set up.

- So here I could say, let's say a PLC had to talk to another PLC and a SCADA system that had to talk to that PLC. I could just allow those two nodes and say, everybody else, you shouldn't be talking through this.

- That's right. And that really is how the network should be set up. You know, traditionally, on the OT networks, we leave it wide open and we want it to communicate because we need it up and running. But really what we should be doing is kind of isolating this traffic and only allowing things to communicate with things that it is necessary to communicate with. So someone in the front office should not be able to access the I/O or the VFD in any way. And so implementing something like this zones and conduits security model will prohibit that kind of conversation, because you can use a firewall at each one of those zone boundaries to prohibit that type of connection.

So a little bit more information about the software itself, Sean, is that this software is designed for a controls engineer. So instead of understanding exactly how firewalls work and understanding layer two, layer three, layer four, you don't have to know any of that. You don't really have to understand much except for walking through the setup wizard that the software has. And there's security built right into the device. And so there's secure boot, for example, that's built into the device. And then when you set it up, you're going to create an RSA key, so you can actually lock down your project configuration. So, you know, it could be on your laptop, but if your laptop were to be hacked, an individual who had gotten access to your laptop couldn't just open up this configuration and do anything with it, because it would be protected. And so it's a very highly secure device that's very easy to use. And so that's a balance at Red Lion that we really strive to get. And we normally do.

- You know, can I ask you a question? So this setup looks super easy and very easy to
understand and set up and deploy. And I was reading recently one of your case studies where you'd used this to block traffic from going to radios. Are you familiar with that case study?

- I mean, we've run into that quite a bit. And so if you are referring to radios, a couple of things about radio technology. It's not full-duplex communication. So it's a half-duplex connection or communication. And so you really don't want to send a whole lot of information across that expecting real-time response. And then sometimes, depending on what type of radio you're using, but if you're using a 900 MHz radio, for example, that's a very low bandwidth. And so when we're talking about using a radio like that, and then we're combining traffic that is generated on the OT or maybe even the IT side, some of that traffic is broadcast, and some of that broadcast traffic can be quite chatty. And so if we have chatty broadcast traffic that's trying to go across this radio link, then we need to lock that down and prohibit that from going out to the radio link, because it's just going to block out the low-bandwidth link that we have that's not full duplex. And so what that means is that you can use a product just like this to allow or disallow, using that graphical interface, and say, hey, I do not want to allow this traffic from this host to go across this link, and that will solve that problem completely.

- Yeah. And that's exactly what you guys said in your case study. And I can see it now visually that, you know, you basically disallowed all traffic to the radios except for the one PLC that was supposed to be polling those remote stations, and boom, no more problems. That's very interesting. Now let me ask you another question. So what we're seeing here is the simplest, easiest-to-understand setup, we're allowing or denying by IP address. Is there any
deeper levels to this?

- There are. So the link right there that you see, filter mode and rules. So if you dig into rules, you have just your standard firewall rules, and so clicking on this interface here is actually going to create those rules in the back end for you. So once you click over, after going through this page here, you'll see a number of rules that are listed out there. And then from there you can really fine-tune it how you want to. So if you wanted to allow host A to talk to host B, but only using EtherNet/IP and nothing else, you could certainly do that.

- Okay, great. And I could enable or disable, like, port 8080, or port 21 if I had an FTP server. So I can go through there to that granularity and turn things on and off.

- That's right. And another feature that's built into this piece of hardware that I think is really unique is that you can have firewall rules that you can engage and disengage based on I/O. And so what that means is that maybe there's a situation where I want to be able to program this PLC, use my RSLinx software, but I don't really want it to be open all the time, because I'm only going to do this maybe a couple of times a year, maybe less. But I don't want to have to go all the way out there to enable that. You can actually enable that, tie that in with maybe something on the HMI or something in the control system, so that somebody presses a button and now this firewall rule is enabled, and now you get to have the conversation that you're looking for, or the connection you're trying to get. And then once you're done, you shut that off and now you can't communicate with it anymore.

- So this device has an input that can be a permissive that says, if this input comes on, we will allow this to happen; if that input goes off, we block it. Oh, that's awesome.

- Yep.

- Yeah, that's definitely something like you put on the HMI, or you put a key switch on the front of the panel. And you only allow remote access when somebody on the plant floor says you get that access. And that may not just be for VPN, that might be for the guy up in the engineering office, because, you know what, I don't know how many times somebody has done something in the engineering office and the guys on the plant floor were steaming mad, right?

- True.

- So I love that. That's great.

- Yeah. Saves someone from having to make a trip all the way out there to try to make a change. They can do it right from their office many times. And then again, it puts control at the end there. So whoever the operator is that needs the controls engineer to connect in, he presses the button, turns the key or whatever he needs to do to allow that conversation to happen. And then once he's done, he shuts it off.

- Yeah. And if you have a bit in the PLC that tells you whether you're in production or not, you can use that. So there you go. When the operator takes the machine out of production, it opens it up for the engineering guy in the office to come in and take a look and see what's going on. Exactly.

- So a little bit more
about the RA10C firewall itself in terms of the specification. So this is an intelligent firewall. It is a low-profile device. So like I said, it doesn't take up a whole lot of space in your panel. It learns on its own, so it's able to detect the communication that's trying to traverse the router or firewall itself and then allow or disallow based on what you put in there. But it also has that secure boot that we talked about, and you can filter on IP address. So we can block it based on, hey, this source and this destination IP address. We can block it also on the protocol that we're trying to use. So like I mentioned earlier, we can say, hey, just EtherNet/IP, but nothing else across this link, this conduit. And then if you're using this device in router mode, now if you're using router mode, it's just like a traditional router, which would require you to make a change to the industrial devices. But this device does support bridge mode, which is what I spoke about at the very beginning, but it also supports router mode. In router mode, you can use NAT and simple NAT and port forwarding to get access in and out of a particular zone. It's also an industrial device, so we're talking 10 to 30 volts. And then it's also DIN rail mounted, and it's a very small device. And when I say small, I'm talking about, you know, 69 millimeters by 38 millimeters by 92 millimeters, something like that. So it's a very small device, mounts right on the DIN rail, very compact and very easy to use.

- So if I'm an OEM though, I can use this as a one-to-one NAT device if I don't need to use it as a firewall.

- Correct. Yeah. And we do sell it that way a good bit. So any controls engineer or OEM, like you said, that is building some machine, and many times it's cookie cutter. So the PLC and the I/O are the same exact IP address in every one of the machines that they build. But maybe one customer buys multiple machines, and we want to pull data out of that. So when you have the same IP address, IP address duplication within your network is going to cause problems. Putting a device like this in and using the NAT technology is going to allow you to separate those so that you don't have the duplicate IP address, allow them to communicate out and allow you to communicate back in. And again, with the RA10C, you get that graphical interface
to configure all that.

- Now, I noticed that there's a USB port on the front of it. Do I have to program it via USB, or can I program it via Ethernet?

- You do have to program it via USB. So today, when you open up the software, the mbNETFIX software, you're going to connect USB from your laptop to the device and you're going to create a project, and your project is just really the configuration. You can do that configuration offline or you can do it online. If you do it online, you're connected over the USB, but it's really doing USB over IP to communicate with it. And then it is at that point a very secure device and has fewer attack surfaces. So there is no web server built into this, so someone's not going to, you know, hack port 80 or 443. It is a security-centric device that has less attack surface than many of the devices out there.

- Yeah, I can see the positive of that is that, hey, nobody, you have to physically plug into it to connect to it. You cannot hack it through the network port. It's very interesting.

- That's right. And usually once these things are set up, it's set it and forget it, it's out there and it's done. And then if you do need to make changes, if there are dynamic changes that need to be made to the firewall rules, again, you could use that I/O to enable or disable rules.

- Yeah. And once you set this up, it's very rare that you would add a new SCADA system or a new PLC that has to talk to the existing PLC, but if you did, you're already doing some physical wiring down there on the plant floor anyway, or doing some major setups. So just walking down there and plugging in shouldn't be a big deal, right, to get that done. So, all right. Great. Wow. What a very interesting product, and I really appreciate it. Was there anything else we wanted to cover before we close out the show?

- I think that's really about it. Like I said, I just really wanted to impress upon your
audience the importance of using some of these security models that are in 62443. Encourage them to seek out more resources to learn how to increase their security posture, and use products like the RA10C to make that implementation as easy as possible.

- Yeah. You know, I can definitely see, like I've seen some of the setup for some of these high-end firewalls and it makes your eyes water if you're not, like, I don't have your background, I have a PLC background. So something like this, where the software's intuitive, easy to install, easy to set up, and it doubles as a NAT device too, which is great. So it can kind of play two different roles, which is really good. And it's not, we say it's for security, but it can also be for, like, we gave an example with the radios, to keep the traffic off the radios as well. So, great little device. And Barry, I really want to thank you for taking time out of your busy schedule to come on and tell us all about the Red Lion RA10C.

- Well, thanks for having me. I really appreciate it.

- Well, I hope you enjoyed that episode, and I want to thank Barry for taking time out of his busy schedule to come on the show and bring us up to speed on zones and conduits and tell us about the RA10C compact intelligent firewall. Now, if you did enjoy this episode, please give us a like, a sub and a share, because that is the fuel that keeps us on the air. Also, if you want to join our community or just follow me, you can do so over at automation.locals.com, and of course you'll find all my training courses over at theautomationschool.com. With that, I want to wish you an awesome week, and I want to encourage you to stay courageous and stay fearless. And until next time, my friends, peace.
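Editor's added example (not part of the episode, and not Red Lion's RA10C firmware or mbNETFIX code): a small Python model of the conduit policy the conversation describes, so a reader can see the three ideas together in one place. The conduit is a default-deny allow list between zones, rules match on source, destination, protocol and port (the "host A to host B, EtherNet/IP only" case), and one rule is gated by a permissive I/O input so it is only active while a key switch or HMI button is on. Every decision is logged, which is the monitoring half of a conduit. The zone addresses, the `key_switch` input name and the sample traffic are all constructed for the example; TCP 44818 is the standard EtherNet/IP explicit-messaging port.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample topology (hypothetical addresses, not from the episode):
# line 1 and line 2 are separate zones, SCADA sits in its own zone, and the
# engineering office is on the IT side. All traffic crossing a zone boundary
# passes through one conduit that defaults to deny.
PLC1 = "192.168.10.10"      # line 1 PLC
VFD1 = "192.168.10.30"      # line 1 drive, Modbus/TCP
PLC2 = "192.168.20.10"      # line 2 PLC
SCADA = "192.168.100.5"     # SCADA server
OFFICE_NET = "10.0.5.0/24"  # engineering office

ENIP_PORT = 44818           # standard EtherNet/IP explicit-messaging TCP port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                    # host or CIDR
    dst: str
    proto: str
    dport: Optional[int]        # None = any destination port
    gate: Optional[str] = None  # hypothetical permissive I/O input; None = always active

    def matches(self, flow: Flow, inputs: dict) -> bool:
        # A gated rule simply does not exist while its input is off (the key
        # switch or HMI button). Otherwise it is a plain allow-list match.
        if self.gate is not None and not inputs.get(self.gate, False):
            return False
        return (
            ip_address(flow.src) in ip_network(self.src, strict=False)
            and ip_address(flow.dst) in ip_network(self.dst, strict=False)
            and flow.proto == self.proto
            and (self.dport is None or self.dport == flow.dport)
        )


class Conduit:
    """Default-deny conduit: first matching allow rule wins; every decision is logged."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.log = []   # (verdict, rule name, flow): the audit trail for the boundary

    def decide(self, flow: Flow, inputs: Optional[dict] = None) -> bool:
        inputs = inputs or {}
        for rule in self.rules:
            if rule.matches(flow, inputs):
                self.log.append(("ALLOW", rule.name, flow))
                return True
        self.log.append(("DENY", "default", flow))
        return False


def build_conduit() -> Conduit:
    return Conduit([
        Rule("plc1-to-scada-enip", PLC1, SCADA, "tcp", ENIP_PORT),
        Rule("plc1-to-plc2-enip", PLC1, PLC2, "tcp", ENIP_PORT),
        # Programming access from the office only while the key switch input is on.
        Rule("office-program-plc1", OFFICE_NET, PLC1, "tcp", ENIP_PORT, gate="key_switch"),
    ])


# Constructed traffic samples.
SAMPLE_FLOWS = {
    "plc1_to_scada": Flow(PLC1, SCADA, "tcp", ENIP_PORT),
    "plc1_to_plc2": Flow(PLC1, PLC2, "tcp", ENIP_PORT),
    "office_to_vfd": Flow("10.0.5.20", VFD1, "tcp", 502),              # front office poking a drive
    "office_program_plc1": Flow("10.0.5.20", PLC1, "tcp", ENIP_PORT),   # programming-tool session
    "netbios_broadcast": Flow("192.168.10.15", "255.255.255.255", "udp", 137),  # chatter that would swamp a radio link
}


def run_samples(key_switch: bool = False) -> dict:
    """Evaluate every sample flow with the permissive input in the given state."""
    conduit = build_conduit()
    return {name: conduit.decide(flow, {"key_switch": key_switch})
            for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for state in (False, True):
        print(f"key_switch={state}:", run_samples(state))
```

Run it and the office-to-PLC programming flow flips from denied to allowed only when `key_switch` is true, while the office-to-VFD and broadcast flows are denied in both states because nothing allow-lists them. Two design points worth carrying over to a real firewall: keep the gated rule as narrow as the ungated ones (one source network, one destination, one port) so that pressing the button opens exactly the programming path and nothing else, and keep the deny log, since the denied entries are what tell you a contractor laptop or a chatty broadcast source is on a port it should not be.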