ICS Secure Data Transfer
Educational Email Series
This educational email series explains what ICS Secure Data Transfer is, and the importance of seven critical secure data transfer pillars.
Email 1: Why Your Power Plant's Data Connections Could Be Your Biggest Vulnerability
I’d like to talk about a critical pillar of your ICS Business Continuity setup: ICS Secure Data Transfer, the task of securing the data connections between your Operational Technology (OT) and Information Technology (IT) environments.
What is ICS Secure Data Transfer?
ICS Secure Data Transfer refers to the controlled, monitored, and protected movement of data between your Industrial Control Systems and external networks. It encompasses the technologies, processes, and protocols that ensure data flows safely from your plant floor to your business systems – without exposing your critical infrastructure to cyber threats.
In practical terms, this means having complete control over every single data connection to your Industrial Control Systems, ensuring no uncontrolled pathways exist that could compromise your operations.
Why is This Important?
Industrial Control Systems were originally designed for reliability and efficiency – not cybersecurity. Many of these systems now need to connect to modern IT infrastructure for monitoring, analytics, and regulatory compliance. However, each connection creates a potential entry point for attackers.
Without proper secure data transfer measures:
- Your SCADA systems remain vulnerable to remote attacks.
- Operational data can be intercepted.
- Malicious commands could potentially reach your control systems.
- Your regulatory compliance status becomes uncertain.
The Consequences of Neglecting Secure Data Transfer
Consider this: In late 2024, a Polish combined heat and power plant suffered a sophisticated attack that aimed to irreversibly damage devices on its internal network using wiper malware. The attackers had infiltrated the plant's infrastructure for months, gaining access to privileged accounts that allowed them to navigate the systems freely. Only endpoint detection software prevented catastrophic damage.
This is not an isolated incident. The energy sector consistently ranks among the top targets for cyberattacks, with 73% of organisations in the Gulf region experiencing an OT-impacting breach in 2024 alone.
What's Coming Next
Over the next seven emails, we'll take you through the critical components of ICS Secure Data Transfer:
- Obsolescence – Bridging the isolation of legacy systems
- Standards Compliance – Meeting regulatory requirements
- Grid Code Compliance – Communicating with updated grid requirements
- Data Format Conversion – Speaking the language of the 21st century
- Use Cases – From monitoring to predictive maintenance
- Cybersecurity – Protecting what matters most
- Data Diode Architecture – The foundation of secure one-way data transfer
Each topic builds upon the last, giving you a comprehensive understanding of what it takes to secure your plant's data connections.
Stay tuned for our next email on solving the obsolescence challenge.
Best regards,
Petr Roupec
CEO, Bohemia Market
Email 2: Your 15-Year-Old Control System Doesn't Have to Stay Invisible
I hope you're having a productive week. Today, we want to address one of the most pressing challenges facing power plant operators across the Middle East: Obsolescence.
What is the Obsolescence Problem?
Approximately 40% of industrial control systems worldwide are over 20 years old. These legacy systems were designed with proprietary hardware and software that have become obsolete, leading to:
- Difficulty finding replacement parts.
- Dwindling vendor support.
- Escalating maintenance costs.
- Inability to integrate with modern monitoring and analytics tools.
Most critically, these older systems were designed for isolated operation. They never anticipated the need to communicate with cloud platforms, central monitoring systems, or modern data historians.
Why Does This Matter?
Legacy ICS equipment often holds the most valuable operational data – yet this data remains trapped inside systems that cannot communicate with your broader IT infrastructure. You're essentially operating blind, unable to:
- Perform real-time monitoring from remote locations.
- Conduct meaningful data analysis for optimisation.
- Meet modern regulatory reporting requirements.
- Enable predictive maintenance capabilities.
Meanwhile, the risk increases every year. Legacy systems lack robust cybersecurity capabilities, and many protocols they use (such as older versions of Modbus or DNP3) transmit data without encryption or authentication.
The Story of Missed Opportunities
A regional power producer in the Gulf discovered that their 18-year-old control system had been generating valuable turbine performance data for years – data that could have predicted bearing failures weeks in advance. But because the system couldn't communicate with modern analytics platforms, they only discovered the pattern after two costly unplanned shutdowns.
The replacement parts alone cost hundreds of thousands of dollars. The lost production during downtime cost even more.
The Solution: Bridge Without Replacement
Here's the good news: you don't need to replace your entire control system to address obsolescence.
The Bohemia Market ICS Secure Data Transfer service acts as a secure bridge between your legacy OT environment and modern IT systems. The industrial-grade device connects to your existing control systems – regardless of their age – and securely transfers data to cloud-based data historians, SCADA systems, and analytics platforms.
Your legacy systems continue to operate exactly as designed, while you gain full visibility into their operations.
Coming Up Next
In our next email, we'll explore how even your oldest systems can meet modern standards compliance requirements through secure data transfer – without expensive upgrades.
Best regards,
Petr Roupec
CEO, Bohemia Market
Email 3: How to Achieve IEC 62443 Compliance Without Replacing Your Control Systems
Regulatory frameworks across the Middle East are evolving rapidly. Saudi Arabia's National Cybersecurity Authority (NCA) Essential Cybersecurity Controls, the UAE's National Cybersecurity Strategy, and international standards like IEC 62443 are no longer optional considerations – they're becoming mandatory requirements.
What is Standards Compliance in ICS?
Standards compliance means ensuring your Industrial Control Systems meet established security and operational requirements. For critical infrastructure like power plants, the most relevant frameworks include:
- IEC 62443: The international standard for industrial automation and control system cybersecurity.
- NCA ECC-2: Saudi Arabia's Essential Cybersecurity Controls.
- NERC CIP: Critical Infrastructure Protection standards for the North American bulk power system.
- IEC 61850: Communication standards for substations.
These frameworks require organisations to put a security management system in place. IEC 62443, for example, groups its technical requirements into foundational requirements that cover identification and authentication, use control, system integrity, data confidentiality, restricted data flow, timely response to events, and resource availability.
Why is Compliance Critical?
Beyond regulatory penalties, non-compliance creates real operational risks:
- Legal and financial exposure: Substantial fines and potential disqualification from government contracts.
- Insurance implications: Many insurers now require proof of compliance for coverage.
- Operational vulnerability: Non-compliant systems are more likely to experience breaches.
- Reputation damage: Breach disclosure requirements can significantly impact stakeholder confidence.
The regulatory environment has fundamentally shifted from voluntary guidelines to mandatory, enforceable frameworks with serious consequences.
When Compliance Seems Impossible
A power generation company in the region faced an impossible situation: its 12-year-old turbine control systems needed to meet new cybersecurity monitoring requirements, but lacked a secure method to export data for analysis. The OEM quoted a multi-million-dollar upgrade project with an 18-month timeline.
Meanwhile, their compliance deadline was approaching, and their insurance renewal was contingent on demonstrating progress.
The Solution: Monitor Through a Data Diode
The Bohemia Market ICS Secure Data Transfer service brings legacy systems within reach of these standards through a hardware-enforced one-way data flow. Here's how it works:
A data diode physically ensures that data can only flow outward from your OT environment to your IT monitoring systems. This means:
- Your legacy systems can be monitored without modification.
- No reverse data path exists for attackers to exploit.
- You achieve "uncompromisable segmentation" between OT and IT.
- Compliance auditors can verify the physical security of your data boundary.
A data diode directly addresses the restricted data flow requirement of IEC 62443 and supports system integrity by removing the inbound path, while the outbound monitoring it enables feeds timely event response. The other requirements, such as identification and authentication on the receiving side, still have to be covered by the rest of your security programme.
Coming Up Next
Speaking of compliance, our next email will address Grid Code Compliance – and how modern hardware can help older systems communicate with updated grid requirements.
Best regards,
Petr Roupec
CEO, Bohemia Market
Email 4: Is Your Power Plant Speaking the Grid's Language?
The Middle East's power sector is undergoing a dramatic transformation. With Saudi Arabia's Vision 2030, the UAE's clean energy targets, and massive investments in grid modernisation across the Gulf, power plants must adapt to new communication requirements – or risk being left behind.
What is Grid Code Compliance?
Grid codes are technical standards that define how power generation facilities must interact with the electrical grid. They cover:
- Active and reactive power control.
- Frequency response requirements.
- Low voltage ride-through capability.
- Communication protocols for grid operators.
- Metering and data reporting standards
The Saudi Arabian Grid Code, updated in May 2024, formally defines connection processes and mandates Grid Impact Studies. Saudi Electricity Company (SEC) enforces technical standards for all generators connected to low- and medium-voltage networks.
Why is Grid Code Compliance Essential?
Modern grids require real-time communication between generation assets and grid operators. Transmission system operators need to:
- Monitor power quality and frequency response.
- Issue control commands during grid disturbances.
- Receive accurate metering data for settlement.
- Coordinate distributed energy resources.
Older control systems often use outdated communication protocols that cannot interface with modern grid management systems. Without upgrading these communication capabilities, plants may face:
- Inability to connect new generation capacity.
- Revenue losses from inaccurate metering.
- Power Purchase Agreement (PPA) non-compliance.
- Regulatory penalties.
The Challenge of Protocol Mismatch
A renewable energy developer in the Gulf completed a solar installation only to discover that their inverter control systems could not communicate with the grid operator's updated SCADA system. The grid code required IEC 61850 communication, but their equipment only supported older Modbus protocols.
The resulting delay in commercial operation cost them months of revenue and strained their relationship with the offtaker.
The Solution: Modern Hardware for Legacy Systems
The Bohemia Market ICS Secure Data Transfer service includes protocol conversion capabilities that enable older systems to communicate with modern grid requirements.
The device supports:
- OPC UA broker on the IT side for standardised data exchange.
- Support for multiple industrial protocols.
- Data format conversion to match grid operator requirements.
- Secure VPN connections to transmission operator systems.
By installing modern hardware between your legacy control systems and the grid interface, you can achieve grid code compliance without replacing your entire control infrastructure. One caveat: the built-in data diode carries telemetry and metering outward only, so where a grid operator must send dispatch or control commands into the plant, that inbound path is engineered separately and is not routed through the diode.
Coming Up Next
In our next email, we'll dive deeper into Data Format Conversion – how new protocols and formats can bring your legacy devices into the 21st century.
Best regards,
Petr Roupec
CEO, Bohemia Market
Email 5: Your Control System Speaks Modbus. The World Speaks OPC UA.
Have you ever tried to have a conversation with someone who speaks a different language? Without a translator, communication breaks down completely. The same principle applies to Industrial Control Systems.
What is Data Format Conversion?
Data format conversion is the process of translating data from one protocol or format to another, enabling communication between systems that would otherwise be incompatible.
In the ICS world, this typically means converting between:
- Legacy protocols: Modbus RTU/TCP, DNP3, IEC 60870-5-104.
- Modern protocols: OPC UA, MQTT, REST APIs.
- Data formats: Serial communications to Ethernet, proprietary formats to standardised structures.
Why is Protocol Conversion Critical?
Your legacy SCADA systems and PLCs were designed in an era when each manufacturer had their own proprietary communication methods. These systems work reliably within their original design parameters – but they cannot natively communicate with:
- Cloud-based analytics platforms.
- Modern enterprise resource planning (ERP) systems.
- Centralised monitoring dashboards.
- Machine learning and AI systems for predictive analytics.
The industrial automation market is projected to reach $420 billion by 2033, and organisations that cannot integrate their legacy systems with modern technologies will miss out on efficiency gains that directly impact the bottom line.
The Cost of Incompatibility
A combined-cycle power plant operator wanted to implement predictive maintenance analytics to reduce their unplanned downtime. They had years of valuable operational data locked inside their control systems – but those systems used serial communication protocols that couldn't interface with modern analytics platforms.
The initial quote for a complete system upgrade: several million dollars. The actual solution required only a protocol gateway.
The Solution: Universal Translation
The Bohemia Market ICS Secure Data Transfer service provides comprehensive protocol conversion capabilities:
- OPC UA broker on the IT side for universal connectivity.
- Support for multiple industrial protocols on the OT side.
- Node-RED calculations for data transformation and processing.
- Automated file transfer to data centres in modern formats.
The device acts as a universal translator, receiving data from your legacy systems in their native protocols and converting it to formats that modern IT systems can understand – all while maintaining the one-way security of the data diode.
This means your decades-old PLC can now send data to cloud analytics, your Modbus devices can communicate with OPC UA clients, and your operators can view everything on modern dashboards.
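The OT-side half of the translation described above, as an added example that is not Bohemia Market code: a Modbus/TCP "Read Holding Registers" response is decoded into named, scaled tags and serialised as the kind of JSON payload an MQTT or OPC UA publisher on the IT side can consume. The register map, tag names, unit id and frame bytes are all constructed for the illustration. The parser cross-checks the MBAP length and byte-count fields against the real frame size and rejects exception responses, rather than trusting whatever the device (or anything spoofing it) puts in those fields.

```python
"""Added example: decode a Modbus/TCP function-code-3 response into tags.
Not vendor code; the register map and the sample frame are constructed."""
import json
import struct

# Constructed register map (assumption): address -> (tag name, scale, unit)
TAG_MAP = {
    0: ("turbine/speed_rpm", 1.0, "rpm"),
    1: ("turbine/bearing_temp_c", 0.1, "degC"),
    2: ("turbine/vibration_um", 1.0, "um"),
}


class ModbusFrameError(ValueError):
    """Raised for frames that are malformed or that carry a device exception."""


def parse_read_holding_registers(frame: bytes, start_address: int) -> dict:
    """Parse MBAP header + PDU of a Read Holding Registers (0x03) response.

    Returns {register address: raw 16-bit value}. Every length field is
    checked against the bytes actually present, so a truncated, padded or
    forged frame is rejected instead of being silently mis-read.
    """
    if len(frame) < 9:
        raise ModbusFrameError("frame too short for MBAP header + FC3 PDU")
    _tid, pid, length, _unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ModbusFrameError("protocol id must be 0 for Modbus/TCP")
    # MBAP 'length' counts the unit id plus the PDU (everything after byte 6)
    if length != len(frame) - 6:
        raise ModbusFrameError("MBAP length does not match frame size")
    fc = frame[7]
    if fc == 0x83:  # exception response: function code with high bit set
        raise ModbusFrameError(f"device returned exception code {frame[8]:#x}")
    if fc != 0x03:
        raise ModbusFrameError(f"unexpected function code {fc:#x}")
    byte_count = frame[8]
    data = frame[9:]
    if byte_count != len(data) or byte_count % 2 != 0:
        raise ModbusFrameError("byte count inconsistent with payload")
    values = struct.unpack(f">{byte_count // 2}H", data)
    return {start_address + i: v for i, v in enumerate(values)}


def registers_to_tags(regs: dict, tag_map: dict = TAG_MAP) -> dict:
    """Apply the register map; addresses not in the map are dropped."""
    tags = {}
    for addr, raw in regs.items():
        if addr in tag_map:
            name, scale, unit = tag_map[addr]
            tags[name] = {"value": round(raw * scale, 3), "unit": unit}
    return tags


def to_mqtt_payload(tags: dict, source: str = "plc-1") -> str:
    """Serialise tags as the JSON document a publisher would send on."""
    return json.dumps({"source": source, "tags": tags}, sort_keys=True)


# Constructed sample frame: transaction 1, protocol 0, length 9, unit 1,
# FC 0x03, 6 data bytes holding registers 3000, 752 and 45.
SAMPLE_FRAME = bytes.fromhex("000100000009010306" "0bb8" "02f0" "002d")

if __name__ == "__main__":
    regs = parse_read_holding_registers(SAMPLE_FRAME, start_address=0)
    print(to_mqtt_payload(registers_to_tags(regs)))
```

In a deployment the same function would be fed by the OT-side computer's polling loop, and the resulting payload would be what crosses the diode; nothing in the IT-side publisher needs to understand Modbus at all.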
Coming Up Next
Now that your data can flow securely in modern formats, what can you actually do with it? Our next email explores Use Cases – from basic monitoring to sophisticated predictive maintenance.
Best regards,
Petr Roupec
CEO, Bohemia Market
Email 6: What Will You Do With Your Data Once It's Freed?
We've spent the past few emails discussing how to securely extract data from your legacy systems. Today, let's explore what you can actually accomplish once that data is flowing.
The Spectrum of Use Cases
ICS Secure Data Transfer enables a wide range of applications, from simple to sophisticated:
Basic Monitoring
- Real-time visibility into plant operations from anywhere.
- Remote access for engineers without physical presence.
- Centralised dashboards for multi-site operations.
Performance Optimisation
- Identify inefficiencies in equipment operation.
- Compare actual performance against design specifications.
- Fine-tune parameters for better fuel efficiency or output.
Regulatory Compliance
- Automated reporting to grid operators.
- Accurate metering data for billing and settlement.
- Audit trails for compliance documentation.
Predictive Maintenance
- Detect early warning signs of equipment degradation.
- Schedule maintenance before failures occur.
- Extend equipment life through condition-based maintenance.
Why Predictive Maintenance is Transformational
The predictive maintenance market in energy is projected to reach $7.08 billion by 2030, growing at 25.77% annually. This growth is driven by proven results:
- 25-30% reduction in maintenance costs.
- 35-50% decrease in unplanned downtime.
- 20-40% extension of equipment life.
One large utility in the United States deployed over 400 AI models across 67 generation units, achieving $60 million in annual savings.
The Story of the Invisible Failure
A turbine bearing in a gas-fired power plant started running slightly warmer than usual. Vibration patterns shifted by fractions of a millimetre. Oil samples showed microscopic metal particles that weren't there last month.
Individually, these signals meant nothing. Together, they indicated a bearing failure would occur in approximately six weeks.
Without data flowing to analytics systems, the operators never saw these warning signs. The bearing failed catastrophically during a peak-demand period, requiring emergency repairs that cost 10 times as much as a planned replacement would have, plus the revenue lost during unplanned downtime.
The Solution: Data That Works for You
The Bohemia Market ICS Secure Data Transfer service doesn't just move data – it puts it to work:
- Cloud-based data historian stores your operational data for long-term analysis.
- Mini SCADA system provides immediate visibility on first power-up.
- Preconfigured AWS Cloud works out of the box for rapid deployment.
- Node-RED calculations enable on-premises data processing and analytics.
Whether you're starting with basic monitoring or ready to implement sophisticated predictive maintenance, the infrastructure is ready to support your journey.
Coming Up Next
Of course, all of this data flowing creates security considerations. Our next email addresses the critical topic of Cybersecurity and how to protect your systems while enabling data flow.
Best regards,
Petr Roupec
CEO, Bohemia Market
Email 7: 73% of GCC Organisations Experienced an OT Breach Last Year. Was Yours One of Them?
I've saved one of the most critical topics for near the end of our series: cybersecurity. In today's threat landscape, it's not a question of if your systems will be targeted – it's a question of when.
The Current Threat Landscape
The numbers are sobering:
- 73% of organisations in the GCC experienced an OT-impacting breach in 2024, up from 49% the year before.
- The energy sector ranks 4th globally in cyberattack frequency.
- State-sponsored actors are increasingly targeting critical infrastructure.
- Ransomware groups have expanded their focus to include SCADA systems.
Threat actors like Volt Typhoon have demonstrated the ability to maintain persistent access to US electric utility networks for over 300 days while collecting data on OT operating procedures. In Europe, coordinated attacks on Polish power substations and renewable energy sites have resulted in loss of view, loss of control, and denial-of-service conditions.
Why Traditional Security Isn't Enough
Industrial Control Systems face unique security challenges:
- Legacy protocols like Modbus and DNP3 transmit data without encryption.
- Patching is difficult because systems run continuously and downtime is costly.
- Firewalls depend on rules and on the software that enforces them; a misconfigured rule, an unpatched vulnerability or a stolen credential can open a path through them.
- Air gaps are being eliminated as plants connect for monitoring and analytics.
The fundamental problem: every connection you create for data access becomes a potential entry point for attackers. Traditional firewalls, while necessary, are software-based solutions that can be compromised through vulnerabilities, misconfigurations, or insider threats.
When Attackers Get Inside
In early 2024, the RansomHub group claimed to have gained access to the SCADA system of a Spanish bio-energy plant. They posted screenshots showing control over the digester tank controls and heating systems, demonstrating that they could potentially manipulate critical processes.
What made this attack possible? An unsecured connection between the plant's OT network and the outside world.
The Solution: Hardware-Enforced Security
The Bohemia Market ICS Secure Data Transfer service provides a one-way boundary that cannot be reversed through software vulnerabilities:
The Data Diode Difference:
- Physical one-way data flow ensures no reverse path exists.
- Hardware-enforced segmentation cannot be bypassed by software attacks.
- Optical isolation makes the security guarantee based on physics, not code.
- The diode link itself has no software to patch; the computers on either side of it are ordinary hosts and are maintained like any other.
Complete Network Control:
- Take control over all data connections to your ICS.
- Ensure no uncontrolled pathways exist.
- Demonstrate a hardware-enforced OT/IT boundary to auditors without a lengthy upgrade project.
Even if attackers compromise your IT network, they cannot use the data diode as an entry point to your OT systems: the hardware has no path for data to flow in the wrong direction. What the diode does not do is protect the OT side from connections that bypass it, such as vendor remote-access links, removable media or a second network path, which is why the inventory of every connection above matters.
Coming Up Next
In our final email, we'll provide a technical deep dive into Data Diode Architecture – explaining exactly how this technology delivers such robust security guarantees.
Best regards,
Petr Roupec
CEO, Bohemia Market
Email 8: The Physics of Unhackable Security
Welcome to the final email in our ICS Secure Data Transfer educational series. Over the past seven emails, we've covered the what, why, and business case for secure data transfer. Today, we'll explain the how – the technical architecture that makes it all work.
What is a Data Diode?
A data diode is a hardware device that enforces physically unidirectional data flow between two networks. Unlike software-based firewalls that control traffic through rules and configurations, a data diode uses hardware design to make reverse data flow physically impossible.
The core principle is simple: the sending side has an optical transmitter and the receiving side has only a receiver. Data encoded as light pulses can travel from the sending side to the receiving side, but the receiving side has no physical mechanism to send anything back, not even an acknowledgement. In practice this means protocols that need a return channel (TCP, request/response polling) terminate on the sending-side computer, and only self-contained one-way traffic crosses the link.
How Does the Architecture Work?
A typical data diode deployment includes:
OT Side (Sending)
- Industrial-grade computer that collects data from your control systems.
- Protocol handlers for legacy systems (Modbus, DNP3, serial).
- Data formatting and packaging for transmission.
Data Diode (One-Way Link)
- Optical components that physically enforce unidirectional flow.
- No software that could be compromised.
- Security based on the laws of physics.
IT Side (Receiving)
- Industrial-grade computer that receives and processes data.
- Protocol conversion to modern formats (OPC UA, MQTT).
- Connections to cloud services, data historians, and analytics platforms.
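What "data formatting and packaging for transmission" on the OT side has to deal with when there is no return path, as an added illustration that is not the vendor's protocol: the sender cannot wait for acknowledgements or answer retransmission requests, so each record is framed with a sequence number and an HMAC tag, sent as a self-contained datagram and repeated, and the receiver verifies, de-duplicates and records gaps instead of asking for anything back. The shared key, the records and the loss pattern are constructed; the physical link is stood in for by a function that drops and damages datagrams.

```python
"""Added example: framing records for a one-way (data-diode) link.
Not vendor code; key, records and loss pattern are constructed."""
import hashlib
import hmac
import json
import struct

MAGIC = b"DIOD"
# Assumption: a key provisioned on both computers lets the receiver tell
# genuine OT-side frames from anything injected on the IT-side segment.
KEY = b"constructed-shared-key-for-the-example"
HEADER = struct.Struct(">4sQI")  # magic, sequence number, payload length
TAG_LEN = 32                     # SHA-256 HMAC


def frame(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Build one self-contained datagram: header + payload + HMAC tag."""
    header = HEADER.pack(MAGIC, seq, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def unframe(datagram: bytes, key: bytes = KEY):
    """Return (seq, payload), or None if the datagram is malformed or forged."""
    if len(datagram) < HEADER.size + TAG_LEN:
        return None
    magic, seq, plen = HEADER.unpack_from(datagram)
    if magic != MAGIC or len(datagram) != HEADER.size + plen + TAG_LEN:
        return None
    body, tag = datagram[: HEADER.size + plen], datagram[HEADER.size + plen:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return seq, body[HEADER.size:]


def sender(records, start_seq: int = 1, repeat: int = 2) -> list:
    """OT side: emit every record `repeat` times; keeps no state about the receiver."""
    out = []
    for i, rec in enumerate(records):
        datagram = frame(start_seq + i, json.dumps(rec).encode())
        out.extend([datagram] * repeat)
    return out


def receiver(datagrams, expect_seq: int = 1):
    """IT side: verify, drop duplicates and log gaps; it cannot request resends."""
    records, gaps, rejected, seen = [], [], 0, set()
    for datagram in datagrams:
        parsed = unframe(datagram)
        if parsed is None:
            rejected += 1          # corrupted or not from the OT sender
            continue
        seq, payload = parsed
        if seq in seen:
            continue               # the deliberate repeat arrived; ignore it
        seen.add(seq)
        if seq > expect_seq:
            gaps.append((expect_seq, seq - 1))  # lost for good; only record it
        if seq >= expect_seq:
            expect_seq = seq + 1
        records.append(json.loads(payload))
    return records, gaps, rejected


def simulate_lossy_link(datagrams, drop=frozenset(), corrupt=frozenset()) -> list:
    """Stand-in for the physical link: some datagrams vanish, some arrive damaged."""
    out = []
    for i, datagram in enumerate(datagrams):
        if i in drop:
            continue
        if i in corrupt:
            damaged = bytearray(datagram)
            damaged[HEADER.size] ^= 0xFF   # flip the first payload byte
            datagram = bytes(damaged)
        out.append(datagram)
    return out


# Constructed records, as the OT-side collector would produce them.
SAMPLE_RECORDS = [
    {"tag": "turbine/speed_rpm", "value": 3000},
    {"tag": "turbine/bearing_temp_c", "value": 75.2},
    {"tag": "turbine/vibration_um", "value": 45},
]

if __name__ == "__main__":
    sent = sender(SAMPLE_RECORDS)
    # Lose one copy of record 1, both copies of record 2, damage one copy of record 3.
    arrived = simulate_lossy_link(sent, drop={1, 2, 3}, corrupt={4})
    print(receiver(arrived))
```

The point to take from the run is the middle element of the receiver's result: record 2 is gone and all the receiver can do is note the gap, which is why the repeat count and the sender's own logging matter more on a one-way link than they do on a normal TCP connection. The HMAC is not there because of the diode; it is there because the receiving computer sits on the IT segment and would otherwise accept any datagram that looked like a frame.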
The Bohemia Market ICS Secure Data Transfer device includes three routing components: two industrial computers and one data diode, providing 16 configurable Ethernet ports for flexible integration.
Why Hardware Security Matters
Consider the fundamental difference between software and hardware security:
Software-Based Security (Firewalls):
- Relies on rules that can be misconfigured.
- Requires regular patching for new vulnerabilities.
- Can be bypassed through zero-day exploits.
- Susceptible to insider threats and credential theft.
- Can fail "open" when a rule is misapplied or a bypass is left in place for troubleshooting.
Hardware-Based Security (Data Diodes):
- Physical construction prevents reverse flow.
- No software vulnerabilities to exploit.
- Zero-day exploits cannot change physics.
- Insider threats cannot bypass hardware limitations.
- Fails "closed" during error conditions.
The security guarantee of a data diode comes from physics, not code: with a transmitter on one side and only a receiver on the other, there is nothing on the receiving side that could send data back.
The Complete Solution
The Bohemia Market ICS Secure Data Transfer service combines data diode architecture with comprehensive operational features:
Hardware Power:
- Industrial-grade computers on both OT and IT sides.
- Spare computer for FAT, diagnostics, and remote access.
- Excellent thermal management with redundant cooling.
- Industrial-grade power supply supporting 24VDC to 240VAC.
Software Power:
- Cloud-based data historian and mini SCADA.
- Preconfigured AWS Cloud working out of the box.
- Node-RED calculations for on-premises processing.
- Active Directory integration for user management.
Communication Power:
- 10 Ethernet ports configurable for your environment.
- One-way OT to IT communication via built-in data diode.
- VPN capability to data centres from the IT computer.
- Support for any internet connection (fibre, mobile, Starlink).
Operational Excellence:
- Plug-and-play deployment with factory testing.
- Comprehensive backup and recovery procedures.
- Detailed documentation for your engineering team.
- Battle-tested solution proven worldwide for over a decade.
Where Do We Go From Here?
Over these eight emails, we've covered:
- What ICS Secure Data Transfer is and why it matters.
- How to solve the obsolescence challenge.
- Achieving standards compliance for legacy systems.
- Meeting grid code requirements.
- Converting data formats for modern integration.
- Enabling use cases from monitoring to predictive maintenance.
- Protecting against cybersecurity threats.
- The technical architecture that makes it possible.
Every power plant has different challenges, but the need for secure, controlled data transfer is universal. Whether you're operating a legacy gas turbine installation or managing a fleet of renewable assets, the Bohemia Market ICS Secure Data Transfer service can help you achieve your objectives.
Ready to Take the Next Step?
We'd welcome the opportunity to discuss your specific situation and demonstrate how our solution can address your secure data transfer challenges. Please reply to this email or contact us to schedule a technical consultation.
Thank you for joining us on this educational journey. We look forward to supporting your secure data transfer requirements.
Best regards,
Petr Roupec
CEO, Bohemia Market
For more information, please contact us
Every company is different, and the state of Industrial Control Systems (ICS) varies from company to company making it impossible to present a generic solution that fits your specific situation.
Therefore we'd like to offer you a no-obligations chat about your specific ICS Secure Data Transfer needs and challenges from a current status point of view.