Juniper Networks is pleased to announce the completion of Project Ambassador, a Department of Energy (DOE) funded initiative, and with it, the general availability of Juniper Networks’ Converged Industrial Edge solution architecture for IT and Operational Technology (OT) convergence in critical infrastructure and industrial IoT markets.
With DOE support, Project Ambassador sought to improve cybersecurity resilience, operational agility and cost of operations through an accelerated use of cloud-native technologies in critical infrastructure. Project Ambassador brought together the domain expertise of Juniper Networks, Schweitzer Engineering Laboratories (SEL Inc.) and Dragos, Inc. to address ever-growing connectivity and cybersecurity demands placed on critical infrastructure. Today, the Converged Industrial Edge solution architecture is the commercialized result of this effort. The solution architecture is now in field trials at electric and gas utilities in the United States and Europe as well as shipping terminals throughout Europe.
“Protecting critical infrastructure and industrial IoT as IT and OT converge is becoming more difficult, but also more important,” said Samantha Madrid, VP of Security Business and Strategy at Juniper Networks. “Together with SEL and Dragos, Juniper is able to defend these systems while keeping them connected and running smoothly with the newest release of the Converged Industrial Edge.”
Current events have placed the spotlight on the challenges that critical infrastructure markets, including energy and utilities organizations, need to address. With recent ransomware attacks shutting down pipelines and extreme weather events affecting energy delivery, the challenges of engineering resiliency, cybersecurity and automation to support the transition to a new era of energy production can seem daunting.
“Bringing research and technological innovations like this one to real-world use at the agency is important to actively defend our grid from cyberattacks.” – Gary Dodd, Chief Information Security Officer, Bonneville Power Administration
These challenges, codified through our industry partners, Bonneville Power Administration (BPA) and New York Power Authority (NYPA), served to form the solution requirements that the new version of the Converged Industrial Edge solution architecture is now engineered to address.
The Value of the Converged Industrial Edge Solution
The Converged Industrial Edge solution architecture uses context-aware, automated information sharing between subsystems to reduce the friction and cost of information exchange, resulting in greater agility and awareness. For example, communications that span the IT-OT divide can now be instantiated from the control center to the substation, tested, fingerprinted and placed under surveillance in minutes.
Automation controllers reduce repetitive tasks and the potential for misconfigurations and provide network owners with exact knowledge of what devices are allowed on the network, what conversations each device is allowed to have, and what purpose those devices and conversations are fulfilling.
The Converged Industrial Edge solution architecture uses a deny-by-default, zero-trust forwarding fabric, guaranteeing that only authorized messages traverse the network. In this way, the architecture eliminates many of the inherent vulnerabilities present in other network fabrics. Unauthorized packets that access the network are denied by default and immediately dropped. Sensors detect and track known malicious behaviors and tactics and trigger a response for fast-moving, east-west attacks—before compromise and exfiltration occur. This serves the need for a purpose-engineered network architecture that is cybersecure, dynamic and efficient.
About the Converged Industrial Edge Solution Architecture
The Converged Industrial Edge solution architecture is open, standards-based and multi-vendor, enabling the safe adoption of edge digitalization by harvesting the power of cloud-native technologies for private network purposes.
This release of the Converged Industrial Edge architecture augments the substantive capabilities of the original Juniper, SEL Inc. and Dragos Inc. offering with the introduction of powerful new features, including:
- The Multi-site Event Bus (MEB): This standards-based, multi-site data bus allows for the secure, frictionless flow of information between vendor-specific devices, systems and domains. This capability:
  - Reduces the amount of on-site customization for information exchange, with robust security integrated as a pre-engineered solution
  - Reduces cost by replacing the engineering and integration required between systems by predefining key message schemas and interactions for intersystem information exchange
  - Replaces expensive applications and databases currently used for exchange of traffic across IT and OT network boundaries
  - Accelerates the response to cyber incidents by reducing the number of steps necessary to coalesce control and telemetry data into actionable information
  - Ensures all transactions are encrypted and authenticated using leading certificate authorities
- Policy Enforcement Integration with Junos Space® Security Director: Dragos provides asset visibility, vulnerability management, threat detection and response capabilities within industrial control system environments, such as substations. Dragos’ sensors and the user-facing Site Store integrate with the SEL and Juniper solutions through the Multi-site Event Bus (MEB). The combined solution:
  - Provides advanced threat detection capabilities that include recognition of anomalous, malicious behavior and adversary “tradecraft” that is mapped to the MITRE ATT&CK for ICS framework
  - Notifies Juniper’s Security Director and Policy Enforcer when the Dragos Platform detects behavior that matches a known set of malicious tactics and procedures
  - Acts as a cyber attack circuit breaker to either provide an actionable recommendation for a staff member or automatically execute a quarantine or block function to mitigate a fast-moving attack
- Juniper® Paragon Active Assurance integration: Juniper Paragon Active Assurance (formerly known as Netrounds) is a programmable, active test and service assurance platform for physical, hybrid and virtual networks. Unlike passive test and assurance approaches, Paragon Active Assurance uses active, synthetic traffic to verify applications and service paths at the time of delivery and throughout the life of the service. Now, in addition to the ability to automate the instantiation of a VPN circuit and place it under monitoring, the Converged Industrial Edge solution architecture leverages active testing to continually ensure predictable performance.
- ServiceNow integration: With ServiceNow, the most prevalent and full-feature IT portal in the world, the challenging parts of providing automated workflows are abstracted from users, leading to better user experiences and business outcomes. Leveraging ServiceNow’s tooling, Juniper’s integration helps to streamline the development of powerful automation workflows. No single vendor product is going to provide everything in a single pane of glass across IT and OT networks; integrating with ServiceNow lets customers bring their interface to the Converged Industrial Edge solution and lets Juniper extend its product capabilities into customers’ ServiceNow instance.
Juniper is thrilled to be working alongside SEL and Dragos in delivering this solution developed with the DOE and vetted with trusted customers and advisors in the critical infrastructure community. “Juniper’s confidence in the new release of the Converged Industrial Edge solution architecture reflects our relentless commitment to continued innovation for critical infrastructure and industrial IoT markets,” said Kireeti Kompella, SVP and CTO of Architectures at Juniper Networks. Only such a partnership can be successful in truly gathering the full scope of considerations and requirements for such complex systems.