Isolate all SCADA traffic
Deploy quickly using non-technical staff
Segment SCADA remote access
Revoke access instantly
Provide fast network provisioning
Distributed sites using different cell networks
Staff expertise and budget
Avoid carrier lock-in
No system downtime
Shared network in datacenter
Replaced VPNs and internal firewalls
Isolated and segmented SCADA network
Eliminated lateral movement
Segmented remote access to specific systems only
Instant provisioning and revocation
Eliminated need for cellular APNs
Innovation With a Better Way to Network
A renewable energy provider in the U.S. operates wind farms in many locations across the west coast.
With a large number of supervisory control and data acquisition (SCADA) systems monitoring the sites in real time, the provider found itself faced with the challenge of protecting its infrastructure from attack. After studying the attack on the Ukrainian power grid, where similar networking and security technology was in place, they determined the old model of applying traditional IT to SCADA networks was too susceptible to attack.
Clean Energy Wanted a Clean Network
Over the years the SCADA network grew to be a mix of radio, Ethernet, and cellular. The cellular network required an APN at considerable cost and prevented them from easily on-boarding new sites where a different carrier had better cell coverage. In between their energy generation and central operations was a complex chain of VPNs, firewalls, core routers, switches, ACLs, and VLANs.
They found it difficult to maintain, support, and secure their critical infrastructure. They were also faced with overlapping IP address spaces in different sites, which made networking and security even more complicated.
Access, Isolation, and Segmentation Made Simple
During their pilot of Tempered Networks, the energy company created a series of private overlay networks, which allowed them to simplify and harden ICS access control. Their pilot proved that no SCADA system could be discovered or connected to by unauthenticated and unauthorized machines, even those with valid tokens or credentials. Their pilot SCADA network was made invisible and inaccessible to any network communication from non-verifiable systems, hardening their interior in a way that wasn't possible before.
50 sites in under 50 days
The speed of their deployment and the simplicity of their private overlay networks have not only given the security team peace of mind but also simplified the SCADA network team's work. Granting temporary secure remote access to a specific machine in any of their sites takes just one click of the mouse. Failover and revocation are just as quick and don't require routing updates, firewall rule changes, or certificate revocation.
They have also freed themselves from being locked into any one carrier and can use whatever transport is appropriate for their sites. Their unified access control architecture makes all of the different SCADA systems using different networks behave and act like one local, invisible, and encrypted broadcast domain.