Plug & Protect
Mercury ciphers are fully transparent to the industrial network. This means that Mercury adds an extra security layer without changing the current infrastructure or modifying its components. Deploying a Mercury cipher in the field is seamless and can be done in minutes because it does not require changing any existing configuration. Mercury is vendor and protocol agnostic, i.e., compatible with legacy devices and virtually any Ethernet protocol.
Mercury runs a hardened Mercury OS specifically designed for industrial network requirements, treating “availability” as the main value to preserve. To prevent firmware manipulation attacks, Mercury Operating System (Mercury OS) uses a combination of security features to protect stored content and allow autostart without human interaction. Among others, Mercury OS includes:
Full disk encryption
OTA (over-the-air) signed firmware updates
Alerts and logs management
Quick and robust remote access
Mercury is a secure, robust and easy to deploy solution that enables remote connection via WiFi/GSM/2G/3G/LTE, is compatible with existing interfaces, devices, and protocols, and is directly applicable to any infrastructure without replacing devices or changing configurations. Mercury is configured, managed, and monitored from Mercury Orchestrator. Thanks to its centralized console, authorized users can remotely configure temporary ports and FW settings, send copies of the traffic to a SIEM/SOC, or check operational status. Updates can be done remotely and completely securely. Mercury Ciphers provide a TPM and firewall features, and enforce authentication and encryption on the channel. They also have several features for preventing DoS attacks and send alerts to the SIEM if they detect any suspicious behaviour in the network. Different roles are supported in order to avoid privilege escalation.
Mercury Orchestrator offers a simple and intuitive panel to configure and manage all Mercury features and ciphers remotely from a single dashboard. These functionalities have been designed to offer the tools required to protect the network in accordance with the best practices and recommendations of the IEC-62443 standard and other organizations. The dashboard implements different roles such as administrator, engineer and operator, each with different capabilities. Note that tunneled devices cannot access the configuration interface.
Flexibility in hardware requirements
Mercury is hardware-agnostic. Mercury lets customers choose the best-fitting appliance for their needs depending on project requirements (environmental, performance, budget, certification, or other criteria). Mercury has been tested and validated on Harmony products. Among others, these are some of the features covered by any of our hardware alternatives:
10/100/1000 Fast Ethernet
Ethernet and Serial interfaces
POE (Power Over Ethernet)
Trusted Platform Module (TPM)
Wireless LAN: 2.4 GHz, 802.11b/g/n
Integrated 3G/4G LTE router
-30 °C to 70 °C operating temperature
Vibration, dust, and shock ready
Threat detection and security monitoring
Mercury prevents attacks on the network, whether they are connection attempts through unauthorized protocols, network scanning, or denial of service attacks. This prevention capability can be combined with the monitoring of suspicious behavior through centralized management of logs. The Mercury Orchestrator server centralizes the logs of each Mercury Cipher, and these can then be integrated with SIEM monitoring tools to detect and manage alerts as well as suspicious behavior. The solution is compatible with third-party products such as IDS/IPS and SIEMs. Additionally, one can still deploy DPI in the network without loss of visibility. The Mercury approach prevents incidents, reduces complexity and standardizes events to simplify correlation processes and avoid false-positive alarms.
Preventing vulnerabilities by armoring the network
Mercury encrypts all the traffic that goes through its appliances and distributes the information to validated end-points. Mercury is designed for ICS/OT environments and ciphers the industrial protocols while adding less than 1 ms of latency. Mercury provides extensive vulnerability masking, limiting the available attack surface. The end-point devices simply ignore all other unknown or unapproved access attempts. Most advanced attacks in OT require gathering information from the targeted infrastructure as a first step. By cloaking the network, a malicious adversary is not able to perform such actions, as she cannot attack what she cannot see. The Mercury architecture encrypts and obfuscates the network while keeping visibility for allowed users, and it is compatible with DPI/IDS/IPS solutions.
Ensure data integrity in industrial communications
Mercury ciphers implement strong authentication mechanisms, such as certificates used to provide mutual authentication. A public key infrastructure (PKI) is managed according to the X.509 standard. In addition, symmetric encryption schemes prevent a third party from capturing the communication in an intelligible form. Further, to ensure that the communication cannot be altered in transit without detection, security mechanisms such as hash functions and time-stamping are used. These techniques allow us to verify the integrity of data transmitted through the production network. Mercury ciphers include a TPM (Trusted Platform Module) to store private keys and secrets. Thanks to that, the hardware appliances can erase secrets and private keys if tampering is detected.
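The integrity and time-stamping mechanism described above can be illustrated with a small, self-contained example. This is an added example, not Mercury's own code or protocol: it assumes a shared symmetric key already agreed between two endpoints (for instance after certificate-based mutual authentication), uses HMAC-SHA256 as the hash-based integrity check, and prefixes each frame with a millisecond Unix timestamp so the receiver can reject stale or replayed frames. The key, freshness window and sample payload are constructed for the demonstration.

```python
"""Constructed example: integrity + freshness protection for an industrial frame.

Frame layout (assumption, not a Mercury format):
    timestamp (8 bytes, big-endian, Unix ms) || payload || HMAC-SHA256 tag (32 bytes)
"""
import hashlib
import hmac
import struct
import time

TAG_LEN = 32          # HMAC-SHA256 output size
HEADER_LEN = 8        # 64-bit timestamp
FRESHNESS_WINDOW_S = 5  # assumption: frames older than 5 s are rejected

# Constructed demo key. In a real appliance this secret would be kept in a
# TPM-backed store, never hard-coded.
DEMO_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def protect(key, payload, now=None):
    """Attach a timestamp and an integrity tag to `payload`.

    The tag covers the timestamp as well as the payload, so neither can be
    changed in transit without the tag check failing.
    """
    ts_ms = int((time.time() if now is None else now) * 1000)
    header = struct.pack(">Q", ts_ms)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Verifier:
    """Receiver-side check: tag, freshness window and replay detection."""

    def __init__(self, key, window_s=FRESHNESS_WINDOW_S):
        self.key = key
        self.window_ms = window_s * 1000
        self.seen = {}  # tag -> timestamp, pruned once outside the window

    def _prune(self, now_ms):
        stale = [t for t, ts in self.seen.items() if now_ms - ts > self.window_ms]
        for t in stale:
            del self.seen[t]

    def verify(self, frame, now=None):
        """Return (ok, reason, payload); payload is None unless ok is True."""
        if len(frame) < HEADER_LEN + TAG_LEN:
            return False, "too short", None
        header = frame[:HEADER_LEN]
        body = frame[HEADER_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]

        # Constant-time comparison avoids leaking how many tag bytes matched.
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag", None

        ts_ms = struct.unpack(">Q", header)[0]
        now_ms = int((time.time() if now is None else now) * 1000)
        if abs(now_ms - ts_ms) > self.window_ms:
            return False, "stale", None

        self._prune(now_ms)
        if tag in self.seen:
            return False, "replay", None
        self.seen[tag] = ts_ms
        return True, "ok", body


if __name__ == "__main__":
    t0 = 1700000000.0  # constructed fixed clock for a reproducible run
    v = Verifier(DEMO_KEY)
    frame = protect(DEMO_KEY, b"WRITE COIL 12 ON", now=t0)
    print("genuine   :", v.verify(frame, now=t0 + 1))
    print("replayed  :", v.verify(frame, now=t0 + 2))
    tampered = frame[:HEADER_LEN] + b"WRITE COIL 13 ON" + frame[-TAG_LEN:]
    print("tampered  :", v.verify(tampered, now=t0 + 1))
    print("stale     :", Verifier(DEMO_KEY).verify(frame, now=t0 + 60))
```

The replay cache is keyed by the tag because the tag already binds both timestamp and payload; entries are pruned once they fall outside the freshness window, so memory use stays bounded by the traffic rate within that window. In a deployment, the timestamp check also presumes the endpoints keep their clocks roughly synchronized, which is why the window is a tunable parameter rather than a fixed constant.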