
Summary
Operational Technology networks converging with IT infrastructure require security appliances designed specifically for OT/IT boundary environments. NEXCOM's ISA 120 is a compact, fanless OT security gateway featuring Intel Atom processing, multiple Gigabit Ethernet ports, and DIN-rail mountability—optimized for harsh industrial environments and built to IEC 62443 security standards. The ISA 120 functions as the control-plane filter between IT networks and critical OT systems, enforcing protocol-aware firewall rules, isolating threat traffic, and enabling secure remote access without requiring substantial electrical infrastructure changes.
Problem / Requirements
Industrial sites face a critical transition challenge:
1. Convergence Pressure: IT departments demand network unification; OT teams require isolation from IT security incidents.
2. Hostile Environments: Industrial temperature swings, electromagnetic interference, and dust require passive cooling (fanless) and robust mechanical design.
3. Network Isolation Paradox: OT systems need remote diagnostics and cloud analytics, but direct internet connectivity introduces unacceptable risk.
4. Standards Compliance: Regulatory frameworks (NERC CIP, IEC 62443) mandate formal security boundary controls between IT and OT.
Organizations lack purpose-built appliances that bridge this gap while operating reliably in temperature-extreme, electrically noisy factory environments.
Technical Approach
ISA 120 deployment creates a security perimeter at the OT/IT boundary:
Network Architecture:
- WAN-facing port connects to IT network (corporate LAN, internet)
- Multiple LAN ports connect to OT segments (control systems, field devices, historian servers)
- Traffic between ports filtered by protocol-aware rules and anomaly detection
Security Functions:
- Deep packet inspection detects Modbus, DNP3, and PROFIBUS protocol violations
- Stateful connection tracking prevents unauthorized state transitions
- Rate limiting blocks DoS attacks on industrial protocols
- Logging and alerting for compliance and incident response
Hardware Design:
- Fanless architecture: No moving parts to fail; passive thermal design handles -20°C to 60°C environments
- Wide input voltage: Tolerates 9-48V power variations common in industrial facilities
- Surge protection: Industrial-grade lightning and transient suppression
- Compact form factor: Mounts on DIN rail beside PLCs and I/O modules
OT/IT Segmentation:
- Stateful firewall rules deny all traffic by default unless explicitly permitted
- Encrypted tunnels for secure remote access (VPN) separate from open OT network
- Audit logging for compliance verification and forensic analysis
Implementation Notes
Deployment Scenarios:
1. Manufacturing Plant: ISA 120 bridges corporate IT (email, ERP, cloud backups) and factory floor (PLCs, robots, vision systems); prevents ransomware propagation from infected IT machines to critical OT.
2. Utility SCADA: Electric or water utility connects headquarters IT network to remote substations; ISA 120 enforces protocol validation on SCADA queries and alert messages.
3. Oil & Gas Wellsite: Remote drilling rig connects to corporate headquarters via satellite/cellular link; ISA 120 ensures only authorized diagnostic traffic reaches well controllers.
Configuration Examples:
- Allow corporate IT to reach historian server via SSH tunnel
- Block all unsolicited inbound traffic to PLC subnet
- Alert on unusual Modbus command frequency (potential brute-force scan)
- Forward audit logs to central syslog server
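The protocol validation and Modbus frequency alerting listed above can be sketched as follows. This is an added example, not NEXCOM code or ISA 120 configuration syntax; the read-only function allowlist, the alert threshold, the helper names and the sample addresses are assumptions chosen for illustration.

```python
import struct
from collections import defaultdict, deque

ALLOWED_FUNCTIONS = {1, 2, 3, 4}   # assumed policy: read-only function codes
MAX_REQUESTS, WINDOW_MS = 5, 1000  # assumed alert threshold per source

def check_frame(frame: bytes) -> str:
    """Return 'ok' or the reason a Modbus/TCP request fails validation."""
    if len(frame) < 8:                       # 7-byte MBAP header + function code
        return "truncated"
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:                           # protocol id is always 0 for Modbus
        return "bad-protocol-id"
    if not 2 <= length <= 254 or length != len(frame) - 6:  # unit id + PDU (max 253)
        return "bad-length"
    function = frame[7]
    if function == 0 or function & 0x80:     # high bit only appears in exception responses
        return "bad-function"
    return "ok" if function in ALLOWED_FUNCTIONS else "function-not-allowed"

def inspect(events):
    """events: (timestamp_ms, source, frame) in time order; returns alerts."""
    recent, alerts = defaultdict(deque), []
    for ts, src, frame in events:
        window = recent[src]
        window.append(ts)
        while ts - window[0] > WINDOW_MS:    # drop requests outside the window
            window.popleft()
        verdict = check_frame(frame)
        if verdict == "ok" and len(window) > MAX_REQUESTS:
            verdict = "rate-exceeded"
        if verdict != "ok":
            alerts.append((ts, src, verdict))
    return alerts

def build(function, proto=0, data=b"\x00\x00\x00\x01"):  # sample request, unit 1
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", 1, proto, len(pdu) + 1, 1) + pdu

# Constructed sample traffic; addresses are documentation-range placeholders.
SAMPLE = [
    (0, "192.0.2.10", build(3)),             # read holding registers: allowed
    (100, "192.0.2.10", build(6)),           # write single register: not allowed
    (200, "192.0.2.20", build(3, proto=7)),  # wrong protocol id
    (300, "192.0.2.20", build(3)[:-2]),      # length field disagrees with payload
] + [(1000 + i * 100, "192.0.2.30", build(4)) for i in range(6)]  # burst of reads

if __name__ == "__main__":
    print(*inspect(SAMPLE), sep="\n")
```

Each alert tuple maps directly onto a syslog line, which covers the log-forwarding item in the same list.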
Performance Metrics:
- Throughput: 1 Gbps full-duplex across filtered connections
- Latency: <5 ms added by filtering and inspection
- Session capacity: 5,000+ concurrent OT + IT flows
- Temperature range: -20°C to 60°C (industrial-rated)
Challenge-Solution Mapping
| Challenge | Requirement | NEXCOM Solution |
| --- | --- | --- |
| OT/IT separation without hardware replacement | Transparent boundary enforcement | ISA 120 in-line at network perimeter |
| Fanless operation in harsh environments | Passive cooling, no moving parts | Compact fanless design, DIN-rail mount |
| Protocol-aware threat detection | Block non-standard Modbus/DNP3 | Deep packet inspection engine |
| Regulatory compliance logging | Detailed audit trail for certification | Syslog export, packet capture, alert history |
| Remote access security | Secure diagnostics without open ports | Encrypted VPN tunnel with policy control |
| Temperature extremes (industrial sites) | Passive operation, -20°C to 60°C | Industrial-grade thermal design |
| Limited electrical infrastructure | Tolerates wide voltage variations | 9-48V input with surge protection |
| Retrofit into existing topology | Minimal network disruption | Transparent mode or policy-based routing |
Specifications Snapshot
| Specification | Detail |
| --- | --- |
| Processor | Intel Atom (energy-efficient industrial class) |
| Network Ports | Multiple 1GbE (exact count per SKU) |
| Form Factor | Compact, DIN-rail mountable |
| Cooling | Fanless (passive thermal design) |
| Operating Temp | -20°C to 60°C (industrial-rated) |
| Power Input | 9-48V DC (wide range for industrial) |
| Security Standards | IEC 62443, NIST Cybersecurity Framework |
| Firewall Rules | Protocol-aware, stateful inspection |
| Logging | Syslog export, local storage, packet capture |
| Remote Access | VPN support (IPSec, SSL/TLS) |
Key Takeaways
1. Fanless Design for Harsh Environments: No moving parts mean higher reliability in temperature-extreme, dust-laden industrial settings where equipment cooling is impractical.
2. Protocol Intelligence Stops Industrial Attacks: Deep packet inspection detects malformed Modbus or DNP3 commands before they reach critical systems, blocking both external threats and compromised IT devices.
3. Regulatory Compliance Built-In: IEC 62443 alignment and comprehensive audit logging simplify certification and incident response workflows.
4. Transparent Deployment: ISA 120 inserts into an existing network without requiring system reboots or IP address changes on OT devices.
