Network Security Software Modules
The OPDS (Owl Perimeter Defense Solution) product line consists of a number of DualDiode hardware models (OPDS-100, OPDS-100D, OPDS-1000, etc.) designed to meet different bandwidth requirements (10 Mbps – 10 Gbps) and different physical network interfaces (Ethernet, USB, RS232, modem dial-up). Offered as a 1U 19” rackmount solution, a DIN rail solution or as a card kit to be installed in off-the-shelf servers, these platforms all run the core Owl software.
The combination of the Owl software and the DualDiode Technology provides a deterministic, one-way-only, transport-layer data transfer solution with complete network segmentation.
To expand the applicability of the OPDS product line, Owl has developed a software library that contains a number of different software modules. These modules allow OPDS to interoperate with a wide range of process control devices and also provide additional functionality such as remote HMI screens and data diode performance management.
Some of these modules are “connectors” meaning they are integrated with an application from a specific vendor. For example, OSIsoft’s PI, a widely deployed historian in the process control environment, requires a specific connector. Others are more generic and support standards based interfaces like OPC, MODBUS and SQL.
We have developed additional modules that allow centralized monitoring of one or more OPDS products, the remote viewing of HMI screens from within the plant and the forwarding of maintenance logs.
See below for a full description of each software module we offer, its functionality and a product sheet describing it.
Owl Perimeter Defense Solution (OPDS) Software Platform
Owl Cyber Defense (Owl) specializes in data diode hardware technology that allows for secure, one-way data transfer while providing absolute network segmentation, assuring network security against malware and control system override, as well as defending against other risks. While OPDS data diodes enforce network segmentation and eliminate the risk of penetration, a complementary software layer is required in order to manage the device, enforce security, interact with the network and control data flow. OPDS-Talon is the software layer that operates the device, manages data flows and protocols while allowing the data diode to interact with endpoints on the network. Built on a Defense-in-Depth strategy, the OPDS hardware and Talon software operate together in a layered approach to defend both the network and hardware from cyber attacks.
Features & Enhancements
The latest version of the Talon software platform features a user-friendly menu design, more network diagnostics, and simplified configuration.
Clean menu design for simplified navigation
Menu-based server configuration (previously command line)
Common network diagnostics tools available in menus
Select menu options displayed by both user role type and server mode
Simplified process for updating and viewing current software versions
Application updates for improved performance and stability
HyperText Transfer Protocol (HTTP)
HyperText Transfer Protocol (HTTP) is an Owl software interface for the OPDS platform that proxies HTTP requests for secure transfer across the OPDS one-way path.
HTTP is an interface point between the diode and the applications running on the networks that the software platform connects to.
How It Works
HTTP acts as a data exchange protocol, pushing files or data across an OPDS using the HTTP “PUT” and “POST” methods.
These methods allow an application to submit a file for transfer to the HTTP proxy running on the Source server.
After receiving the transfer request, HTTP prepares the file for transfer across the OPDS.
Once the file has crossed the diode, the HTTP application running on the Destination side of the Owl data diode receives it.
The file is then prepared for delivery and sent to its final destination.
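The steps above push a file over a path with no return channel, so the Destination side can never ask for a retransmission; it has to verify completeness and integrity on its own. The following is an added illustration of that constraint, not Owl's code: the header layout, chunk size and use of SHA-256 are constructed for the example, and the one-way link is simulated by handing a list of datagrams from `segment()` to `reassemble()`.

```python
"""One-way file relay framing (constructed example, not Owl's code)."""
import hashlib
import struct
import uuid
from typing import List, Optional

# Header: transfer id, sequence number, datagram count, file length, SHA-256
HEADER = struct.Struct("!16sIII32s")
CHUNK = 1024  # constructed payload size; a real link would use its MTU


def segment(data: bytes) -> List[bytes]:
    """Split a file into self-describing datagrams for a link with no ACKs.

    Every datagram repeats the whole-file metadata so the receiver can judge
    the transfer even if the first or last datagram is lost.
    """
    tid = uuid.uuid4().bytes
    digest = hashlib.sha256(data).digest()
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)] or [b""]
    return [HEADER.pack(tid, seq, len(chunks), len(data), digest) + chunk
            for seq, chunk in enumerate(chunks)]


def reassemble(datagrams: List[bytes]) -> Optional[bytes]:
    """Rebuild the file; return None if anything is missing or corrupt.

    Order does not matter, but loss cannot be repaired: with no back-channel
    the only safe action is to reject the transfer rather than deliver it.
    """
    parts = {}
    meta = None
    for dg in datagrams:
        tid, seq, total, length, digest = HEADER.unpack_from(dg)
        if meta is None:
            meta = (tid, total, length, digest)
        elif meta != (tid, total, length, digest):
            return None  # header disagreement: mixed or tampered stream
        parts[seq] = dg[HEADER.size:]
    if meta is None or set(parts) != set(range(meta[1])):
        return None  # loss detected; nothing can be requested again
    data = b"".join(parts[i] for i in range(meta[1]))
    if len(data) != meta[2] or hashlib.sha256(data).digest() != meta[3]:
        return None  # payload damaged in transit
    return data


if __name__ == "__main__":
    dgs = segment(b"constructed sample file " * 200)
    print("intact:", reassemble(dgs) is not None)
    print("one datagram dropped:", reassemble(dgs[1:]) is not None)
```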
Owl Performance Management Service (OPMS)
OPMS provides centralized monitoring and management (if permitted) of one or more OPDS or OCDS DualDiode products. Performance and operating information (log files, alarms, etc.) from both the Send and Receive sides of the DualDiode(s) is sent to a web server that stores this information. Users then use their browser to log into the web server and obtain both current and historical performance information about the DualDiodes in their network.
Typical Uses | Examples:
Customers are using OPMS globally to manage local and remote facilities where either an OPDS or OCDS solution is deployed. Customers typically use OPMS when they have DualDiode deployments with multiple diodes and want a consolidated view or they have remote facilities that need to be monitored and managed from a central facility.
Owl Log Forwarding Transfer Service (OLFS)
OLFS provides a secure, automated method for the collection of performance data from a DualDiode. The performance information generated by any OPDS or OCDS DualDiode is captured from both the Send and Receive sides and is transmitted to a remote server for use with a monitoring and management tool like the Owl OPMS or a third-party tool like HP OpenView. Individual transfer applications (e.g. file transfers vs. video streams) operating on the DualDiodes, along with overall system activities, can be tracked, examined and their performance levels checked.
Software components are activated on both the Send and Receive sides of the DualDiode that capture system performance and health information, including logs, transfer activity, error conditions and keyword notifications. This information is then encrypted and sent to the remote server, where it is decrypted and formatted for use by network managers.
Owl PI Transfer Service (OPTS)
Owl has been a partner with OSIsoft® for many years and supports a large number of critical infrastructure deployments that securely transfer PI historian information out of Operational Technology (OT) networks to IT networks. The OPTS software connector allows business users outside of the OT network segment to readily access PI information without jeopardizing the cyber security of the OT network.
Function | Use Case:
OPTS is a software connector that runs on the Owl OPDS DualDiode platform. Via a single UDP connection, OPTS transfers PI database records, snapshot data, historical archive data and schema definition. This provides real-time transactional data updates, access to historical information to backfill after any service interruption, the ability to build a new PI database from scratch and full support for add/modify/delete for both data and the schema. This robust capability also supports true PI to PI replication.
OPTS For Rockwell FactoryTalk®
One of the tools critical infrastructure providers are using to improve their cybersecurity posture is network segmentation coupled with data diodes. The data diodes protect the boundaries of network segments from cyber threats while simultaneously allowing data to securely flow out of them. This is important when end-users outside the plant or facility need access to Rockwell Automation FactoryTalk® historian data. Owl’s solution is a combination of software and patented DualDiode technology™ which securely transfers historian data to end users.
Function | Use Case:
OPTS software was developed specifically to securely transfer historian data across network boundaries. OPTS interfaces directly with the Rockwell Automation Historian on the source network, replicates the data and utilizes the DualDiode to securely transfer the data to the destination network. On the destination network, OPTS can either build the historian from scratch or append to an existing one.
OPTS is configured to run on any of the Owl data diode appliances: OPDS-5D, OPDS-100D, OPDS-100 or OPDS-1000. Appliance devices offer the convenience of a single, all-in-one solution capable of supporting the majority of historian data transfer situations. Owl also offers server-based configurations that support larger historians (or a large number of historians) with higher throughput requirements.
OPC Server Transfer Service (OSTS™)
Created by the OPC Foundation, OPC is the interoperability standard for the secure and reliable exchange of data in the industrial automation space. Owl’s OSTS application provides a mechanism where data (real-time data, monitoring of alarms and events, historical data) can be accessed within an OT network using the OPC standard interface. The Owl OPDS DualDiode Technology™ then transfers the data across the network security boundary to business users on the IT networks. This provides external users with access to plant data without jeopardizing the cyber security of the OT network.
Function | Use Case:
The Owl OPC Server Transfer Service (OSTS) application operates as an OPC client and retrieves “point” data from one or more OPC servers in the network. The point data is then securely transferred from the source side of the OPDS one-way data diode across to the destination side. On the destination side an OPC server makes the point data available to OPC clients operating on the IT networks. OSTS has received OPC Foundation Laboratory Certification and supports both OPC Data Access (DA) and OPC Alarms and Events (A&E) specifications.
Owl Virtual Screen View Service (OV2S)
Owl Virtual Screen View Service is a software application that allows HMI screens within a plant or facility to be replicated at a remote location. OV2S collects real-time HMI screen images from within the plant and uses the OPDS platform to transfer those images across the security boundary of the plant to end-users on other networks. The secure one-way transfer of screen content by the OPDS enables operators and administrators in different networks to monitor activity, troubleshoot systems, and recommend process changes.
OV2S consists of a Server component and a Client component. The OV2S Server is installed within the plant on the computer platform(s) to be monitored. The application gathers display changes as they occur and sends them as a UDP datagram stream to the source side of the OPDS platform for transfer. OPDS securely transfers the data to end-user platforms where the OV2S Client is installed. The Client then renders the original HMI screen in its own window on the user’s computer. OV2S can support multiple segregated network inputs and outputs, and supports unicast, multicast and broadcast user destinations.
Secure Database Transfer Service (SDTS)
As demands increase for greater efficiency and operational intelligence, access to operational data has become vital to improve outcomes and decision making. However, much of this data resides in databases inside highly sensitive and secure networks. The traditional method of enabling external users to reach into secured networks has proven disastrously unsafe, as it pokes holes in these networks’ defenses. In order to securely support this growing demand for data, businesses require a method to access the information contained in the databases without compromising network security.
SDTS, in conjunction with OPDS data diode hardware, provides secure SQL database replication and one-way data transfer from a protected source network (data center, plant, field office) to an external network or the cloud. Highly scalable and flexible, SDTS supports both “snapshot” replication, for copying an entire database at infrequent intervals, or “change” replication for near real-time updates of individual data rows. SDTS currently supports Microsoft SQL Server 2008 and above, and is compatible with all products in the OPDS product family.
Modbus Transfer Service (MBTS)
Modbus is a communications protocol and de facto standard developed for use with Programmable Logic Controllers (PLCs), SCADA systems and other industrial devices. Owl’s Modbus Transfer Service (MBTS) is a software application that allows real-time data to be collected from industrial control systems within a plant and securely transferred across the Owl DualDiode to end-users (operations, production, maintenance, etc.) outside the security perimeter of the plant. The DualDiode protects the plant from cyber attacks while securely transferring data outside of the plant.
MBTS has two components, a “Master” and a “Slave”. The Master runs on the source side of the OPDS platform and interfaces with industrial control systems in the plant, collecting register data from them and transferring it across the DualDiode to the destination side. The Slave runs on the destination side of the OPDS, receiving the register data and providing it to any “Masters” operating outside the security perimeter of the plant. MBTS is a non-intrusive solution that works within the existing architecture: inside the plant it appears as one more Master collecting data, and outside the plant as a new Slave from which register data can be read.
Remote File Transfer Service (RFTS)
RFTS is designed as a secure file transfer application that doesn’t have the inherent vulnerabilities of commonly used protocols like FTP and NFS, with the added benefit that files can be encrypted, scanned and filtered before being transferred. Fully integrated with the OPDS and OCDS product lines, RFTS uses a client/server architecture that identifies and securely moves files from the source network, across the network security boundary via the DualDiode, to network directories on the destination network. RFTS can transfer single files, multiple files and complete directory structures.
At predetermined intervals, the RFTS client scans the designated directories/folders on the source network for new files that need to be transferred. Once identified, the client can encrypt the files before starting the transfer to the server running on the DualDiode platform. The file passes through the DualDiode from the source side to the destination side and is then routed to the destination network, where the local RFTS server places it in the final directory.