Ten years of Secure OT for cyber-secure machines.
Cyber-secure machine networks will become mandatory for anyone putting machinery on the market with the current provisions of the EU Machinery Regulation and IEC 62443. Helmholz already recognized this challenge much earlier and developed a both effective and easily configurable solution for networked machines and production systems: the first Security Gateway – Industrial NAT Gateway/Firewall WALL IE came onto the market exactly ten years ago.
With the triumphal march of Ethernet networking in machinery and production systems, cybersecurity must also play an entirely central role there. This necessity is reflected accordingly in the current norm and guideline situation: the international norm series IEC 62443, for example, most recently revised in 2023, deals with the cybersecurity of “Industrial Automation and Control Systems” (IACS), thereby pursuing a holistic approach for operators, integrators, and manufacturers. The European Union has also acknowledged the seriousness of the situation and is reacting, for example, with the NIS-2 Directive (Network and Information Security Directive, in force since 2023) and the new EU Machinery Regulation 2023/1230. The latter will apply for the putting onto the market of machinery as of January 20, 2027.
Integrating machinery networks securely
Not only these current specifications show: the theme of machine security affects everyone in the meantime. In the process, the central task is to securely integrate machine networks into the higher level production network. The keyword here is “Secure OT”, meaning secure operative technology consisting of software and hardware for the control, securing, and monitoring of industrial control systems, devices, and processes.
In the face of growing amounts of data communication, there is no way around the separation or segmentation of networks against this background. Concepts with confidence zones and secure zone transitions (Zones & Conduits) have proven especially effective here. IEC 62443 therefore also prescribes a corresponding protection concept: in keeping with this, it is often inappropriate for large or complex systems to utilize the same protection needs for all components, as these demonstrate different threats and risks. Differences can be represented through the concept of the “security zone”.
Robust and affordable securing with WALL IE
At this point, the question arises of how such a zones & conduits protection concept can be implemented in concrete
terms for networked machinery. The market offers numerous high-end solutions for this, which are, however, most often too large for securing a single machine. This generally also means: excessively complex, not to mention unnecessarily expensive. Especially the medium-sized mechanical engineering segment and its customers are therefore searching for more practicable solutions, which should be not only secure and reliable, but also be realizable in a streamlined, efficient, and simple manner without further external support.
Since 2015, such a solution is the Industrial Security Gateway WALL IE from Helmholz: installed once and permanently between the machine and the production network, the robust and especially compact Ethernet components connect bridge and firewall functions in the scope actually required.
In concrete terms, the components protect the networks in that they precisely regulate which participants may exchange data with which device. The prerequisite for this is created by a packet filter functionality: this enables the limitation of access between the production network and the automation cell. With the WALL IE, IP addresses, ports, MAC addresses, and the telegram type can then be filtered in both directions.
The Helmholz portfolio for security gateways in the types: plus, standard, compact. Also for gigabit Ethernet networks depending upon the variant.
At the same time, the WALL IE also allows adjustment of the existing IP addresses of the machine to the IP addresses in the factory network through NAT (Network Address Translation). Each device in the machine that is meant to be outwardly visible is thereby assigned an IP address in the address space of the factory. Devices in the machine that should not communicate with the outside world are simply excepted in the process. The use of NAT also makes it possible to incorporate several automation cells of the same kind with the same address range into the production network without having to reconfigure the machines.
In the event that there are not enough IP addresses available in the factory network, the WALL IE can also be incorporated into the production network with a single IP address. Access to the devices in the machine then takes place via port forwarding. Filtering and protection always function in both directions. A factory network can thus also be protected from compromising devices in the machine in this way.
As another special feature, WALL IE can also be used in both the NAT operating mode and as a bridge. In the bridge mode, the network participants of the machine already have IP addresses in the same range as the factory network. All filter functions are active. Only NAT is switched off here.
Even more possibilities in the anniversary year
Since the market introduction of the Industrial Security Gateway WALL IE precisely ten years ago, this has in the meantime proven itself in more than 15,000 applications. For the most part based on concrete customer inquiries, the functional scope has been growing constantly, also in this anniversary year: among the latest innovations is the implementation of 802.1X for authentication. With this new function, the end customer can ensure in the factory network that no unauthorized devices are active in the network.
In addition, functions like expanded logging and improved user management have been implemented. Further features like ping and Traceroute will be integrated into the web interface in future. In addition to this, Helmholz is permanently adapting the firmware of the WALL IE to the specific requirements of IEC 62443-4-2.
The configuration of the WALL IE can be downloaded, secured, and edited as needed at any time.
With these expansions too, Helmholz stays true to the goal that basic network knowledge should be adequate for the commissioning of the WALL IE. Thus, for example, no adjustment of the network configuration in the LAN network is necessary. Series machines can also be easily integrated into a large factory network with identical IP addresses.
Summary
For ten years now, the easy-to-configure Industrial Security Gateway, NAT Gateways, or machinery firewalls of the WALL IE series from Helmholz have been protecting sensitive data and critical systems from cyber-threats without a great deal of effort. And the future has already started: certification pursuant to IEC 62443 by the testing company TÜV Süd will be completed at the beginning of 2026.
