Exclusive Webinar:

Join us Oct. 6 as Rockwell Automation & Dragos CEOs reshape the way you approach cybersecurity in manufacturing.

Skip to main content
The Dragos Blog

08.25.20 | 3 min read

Dragos Teams with Industry Veterans to Establish New Industrial Reference Architecture

Amid the Digital Transformation era for electric utilities, oil & gas, and other industrial-type organizations, there is often a struggle to converge information technology (IT) and operational technology (OT) environments without disrupting safety, reliability, security, and performance of mission-critical protection and control applications.

The Department of Energy (DOE) awarded a project to help address this situation. Its goal is to develop a software architecture that manages the trust, data, and resource allocations safely and securely between software applications from multiple suppliers that all operate on the same software-defined network (SDN) infrastructure. The solution focuses on maintaining trusted communication between devices, data security, change management, and user attribution. The solution also includes resource management capabilities based on event-driven operations, so different software applications cannot interfere or contradict each other.

The Converged Industrial Edge for Utilities (formerly called “The Ambassador Project” under the DOE CEDS Initiative*) is a reference architecture that is the result of a collaboration between Dragos, Inc., Schweitzer Engineering Laboratories (SEL), Juniper Networks, and Bonneville Power Administration. In support of the project and utility / O&G / other industrial requirements, the project team is developing a security orchestration for the SDN infrastructure to provide automated flow creation, complete network visibility, cybersecurity situational awareness, and effective defense options for detected threats within OT networks.

The strategic value of the solution includes:

  • Cybersecurity capabilities for every port, circuit, flow, and process.
  • A commitment to open, standards-based network communications to avoid vendor lock-in.
  • An emphasis on layered intelligence to predict and mitigate problems before they become hazardous (and expensive).

This open, standards-based, and multi-vendor architecture will offer the safer adoption of edge modernization and digitalization use cases by harvesting the proven power of cloud-native technologies for private networking purposes. The Converged Industrial Edge reference architecture will natively support both IT and OT use cases. It will provide this support without sacrificing any of the rigidly engineered or sub-millisecond requirements for deterministic applications to keep both energy and information flowing safely, securely, and reliably.

The Converged Industrial Edge’s defining characteristics will be its end-to-end packet-based forwarding plane, management control plane, and cybersecurity plane.

  • The end-to-end forwarding plane will leverage Juniper’s experience in Ethernet VPN and segment routing to craft the next generation of granular, optimized networking for data or control center, and Wide Area Network (WAN) requirements. Seamless integration with SEL’s OT-SDN and IEC 61850 Ethernet fabric extends the packet infrastructure into edge environments like substations, oil rigs, railways, and smart cities. A single, SDN-controlled forwarding plane can support legacy communications, deploy new services without impacting OT applications or truck rolls, and provide a platform for edge modernization.
  • The management control plane uses Kubernetes as its foundation, a secure and resilient cloud platform that only exposes application functionality through trusted, mediated application programming interfaces (APIs). The management control plane will consist of WAN and LAN software-defined networking controllers that include in-depth diagnostic and analytics capabilities, and an extensible and robust automation engine all working together to support use cases that reduce risk, mean-time-to-implementation, and human error.
  • The cybersecurity plane leverages the Dragos Platform for Industrial Control System (ICS) threat detection and response because of its unparalleled knowledge and understanding of industrial assets and the threats against them. The Dragos Platform leverages Threat Behavior Analytics (TBA) as the primary method of its four threat detection capabilities because TBA’s provide a higher degree of confidence and more context-rich insight into threat activity. It arms defenders with context-rich alerts and notifications, accompanied by investigation playbooks that guide ICS cybersecurity practitioners on the steps to respond to threats efficiently. These responses are made possible with integrations into the Connected Security framework from Juniper and SEL’s OT-SDN solution that provide path- and packet-level control of the communications flows to reduce cybersecurity risks by dynamically enforcing specific security policies on any port and device.

Dragos’ 600+ years of combined experience relating to securing ICS and countering industrial security threats partnered with the domain-specific expertise from SEL and Juniper has created a fantastic concentration of such knowledge within the industry today. As a result, the Converged Industrial Edge reference architecture demonstrates how innovation focused on these critical infrastructure environments will open the pathways to desirable business outcomes, such as lower operational costs, superior resilience, and advanced cybersecurity situational awareness.

To learn more:

Dragos Platform – https://www.dragos.com/platform/
Department of Energy (CESER) – http://energy.gov/oe/technology-development/energy-delivery-systems-cybersecurity
Bonneville Power Administration – https://www.bpa.gov/Doing%20Business/TechnologyInnovation/TIPProjectBriefs/2019-TS-TIP%20406-final.pdf
SEL – https://selinc.com/solutions/commspartners/juniper/
Juniper Networks – https://blogs.juniper.net/en-us/security/juniper-networks-brings-converged-industrial-edge-reference-architecture-to-utilities-oil-gas-and-other-industrial-markets

* Cybersecurity for Energy Delivery Systems (CEDS)
CEDS projects are funded through the Department of Energy’s (DOE) Office of Electricity Delivery and Energy Reliability (OE) research and development (R&D) program, which aims to enhance the reliability and resilience of the nation’s energy infrastructure by reducing the risk of energy disruptions due to cyber-attacks. http://energy.gov/oe/technology-development/energy-delivery-systems-cybersecurity

Ready to put your insights into action?

Take the next steps and contact our team today.