Research Note: AMG Secure-Net™ SFP Carrier – A New Approach to Industrial Network Security

Executive Summary

AMG Systems of the United Kingdom and USA has unveiled the AMG Secure-Net™ SFP carrier, an innovative SFP-based IP-level device providing 128-bit encryption for traffic across any IP network. This device functions as an SFP carrier, capable of hosting most standard MSA-compliant 100Mb or 1Gb SFP modules. The Secure-Net™ SFP carrier’s ability to transparently envelop various SFPs allows for the full reuse of existing equipment and facilitates straightforward deployment over diverse infrastructure types, including fiber and copper. Its compatibility with standard SFP ports on AMG and third-party devices eliminates the need for external power, saving space and reducing cabling costs. The Secure-Net™ SFP carrier supports end-to-end static IPsec in transport mode, offering highly secure 128-bit AES-GCM-ESP encrypted network links in both point-to-point and multipoint deployments.
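
An added example, not from AMG or the original note: in transport mode the original IP header stays in place and carries protocol 50 (ESP), so a capture taken on a protected link can be audited for anything that is not ESP, and the per-packet overhead of AES-GCM ESP can be computed. The addresses, SPI, packets and the 16-byte ICV length are constructed assumptions; the note does not state the ICV size.

```python
import struct

ESP_PROTO = 50      # IP protocol number for ESP
GCM_IV_LEN = 8      # per-packet IV carried in each AES-GCM ESP packet
GCM_ICV_LEN = 16    # assumed ICV length; the note does not state it

def esp_pad(inner_len):
    """Padding so that payload + padding + 2 trailer bytes is 4-byte aligned."""
    return -(inner_len + 2) % 4

def esp_overhead(inner_len):
    """Bytes added per packet: SPI+sequence, IV, padding, 2-byte trailer, ICV."""
    return 8 + GCM_IV_LEN + esp_pad(inner_len) + 2 + GCM_ICV_LEN

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet for the constructed sample (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes(src), bytes(dst)) + payload

def esp_body(spi, seq, inner_len):
    """ESP layout with zero filler standing in for IV, ciphertext and ICV."""
    opaque = GCM_IV_LEN + inner_len + esp_pad(inner_len) + 2 + GCM_ICV_LEN
    return struct.pack("!II", spi, seq) + bytes(opaque)

def audit(packets, protected):
    """Flag cleartext and non-increasing ESP sequence numbers between protected hosts."""
    findings, last_seq = [], {}
    for i, pkt in enumerate(packets):
        ihl = (pkt[0] & 0x0F) * 4
        proto, src, dst = pkt[9], tuple(pkt[12:16]), tuple(pkt[16:20])
        if src not in protected or dst not in protected:
            continue
        if proto != ESP_PROTO:
            findings.append((i, "cleartext", proto))
            continue
        spi, seq = struct.unpack("!II", pkt[ihl:ihl + 8])
        key = (src, dst, spi)
        if seq <= last_seq.get(key, 0):
            findings.append((i, "seq-not-increasing", seq))
        last_seq[key] = max(seq, last_seq.get(key, 0))
    return findings

A, B = (10, 0, 0, 1), (10, 0, 0, 2)   # constructed addresses
SAMPLE = [                             # constructed capture, not real traffic
    ipv4(A, B, ESP_PROTO, esp_body(0x1001, 1, 100)),
    ipv4(A, B, ESP_PROTO, esp_body(0x1001, 2, 100)),
    ipv4(A, B, 6, bytes(40)),                          # TCP sent in the clear
    ipv4(A, B, ESP_PROTO, esp_body(0x1001, 2, 100)),   # repeated sequence number
]

if __name__ == "__main__":
    print(audit(SAMPLE, {A, B}), esp_overhead(100))
```

A repeated sequence number seen on a tap can also be a duplicated frame, so treat that finding as a lead to investigate rather than proof of replay.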

Why Encryption at the SFP Level is a Good Idea 

The AMG Secure-Net™ SFP carrier offers several compelling advantages by implementing encryption at the SFP level, particularly for industrial environments:

  • Transparent and Seamless Integration into OT/IT Convergence: In industrial settings, where Operational Technology (OT) networks are increasingly converging with Information Technology (IT) networks, the SFP carrier provides a non-disruptive way to introduce robust encryption. It can be simply plugged into existing industrial switches, media converters, and other SFP-enabled devices, avoiding complex system overhauls.
  • Full Line-Rate Encryption for Critical Process Control: Industrial networks often demand real-time or near real-time data transmission for process control, monitoring, and safety systems. The Secure-Net™ SFP carrier performs hardware-level encryption at full line rate (100Mb or 1Gb), ensuring that vital operational data remains encrypted without introducing unacceptable latency or reducing critical bandwidth.
  • Cost-Effectiveness for Brownfield Deployments: Many industrial facilities operate with significant legacy infrastructure. The SFP-based solution offers a more cost-effective alternative to replacing entire industrial switches or PLCs just to gain encryption capabilities. It allows organizations to secure existing connections without massive capital expenditure.
  • Enhanced Security with Out-of-Band Management: Industrial Control Systems (ICS) and SCADA networks are prime targets for cyberattacks. The complete out-of-band management of the Secure-Net™ SFP ensures that its configuration cannot be accessed from within the operational network itself, providing a crucial layer of defense against sophisticated threats that might compromise other network devices.
  • Environmental Robustness and Adaptability: While the device is not explicitly described as “ruggedized,” AMG Systems is known for providing “environmentally robust” communication solutions. The SFP form factor itself inherently reduces external points of failure and fits well within compact industrial enclosures or DIN rail mounts, which are common in OT environments. Its ability to work over fiber and copper further enhances its adaptability to diverse industrial cabling.
  • Simplified Deployment in Remote or Distributed Industrial Sites: Industrial facilities often involve geographically dispersed sites, remote monitoring stations, or outdoor equipment. The plug-and-play nature of pre-configured Secure-Net™ SFPs simplifies deployment in these challenging environments, reducing the need for highly specialized IT/OT personnel on-site.
  • Hardware-Level Security for ICS/SCADA Protection: Given the severe consequences of a breach in industrial systems, hardware-level encryption provides a more resilient and trustworthy security layer compared to software-only solutions, which can be vulnerable to operating system exploits or misconfigurations.

Target Markets and Use Cases

The AMG Secure-Net™ SFP carrier is particularly well-suited for industrial network connectivity, addressing critical security needs across various sectors.

Target Markets:

  • Manufacturing & Factory Automation: Companies heavily invested in Industry 4.0 and smart manufacturing, requiring secure communication between PLCs, robots, sensors, and control centers.
  • Energy & Utilities: Including power generation plants, substations, smart grids, oil & gas pipelines, and water treatment facilities, where securing SCADA and critical infrastructure communication is paramount.
  • Transportation: Rail networks (signaling, control systems), intelligent transport systems (ITS), port operations, and airports, where secure and reliable data transfer is essential for safety and efficiency.
  • Mining & Resources: Remote and harsh environments where secure communication is needed for heavy machinery control, environmental monitoring, and data backhaul.
  • Smart Cities & Critical Urban Infrastructure: Securing IoT sensors, traffic management systems, public safety cameras, and other interconnected urban infrastructure components.
  • Defense and Government Infrastructure: For securing sensitive communications within and between facilities, often involving highly specialized and resilient networks.
  • Oil & Gas: For securing remote wellhead monitoring, pipeline control, and offshore platform communications against cyber threats.

Use Cases:

  • Securing SCADA and PLC Communications: Encrypting data exchanged between SCADA master stations and remote terminal units (RTUs) or Programmable Logic Controllers (PLCs) to prevent unauthorized access or manipulation of industrial processes.
  • Inter-Building/Campus Connectivity in Industrial Parks: Establishing secure, encrypted fiber or copper links between different buildings, production lines, or departments within a large industrial complex.
  • Protecting Video Surveillance in Industrial Settings: Encrypting high-resolution video streams from IP cameras used for facility monitoring, process oversight, and security in industrial environments to prevent eavesdropping or tampering.
  • Backhauling Sensor Data from Remote Sites: Providing secure encryption for data gathered from remote sensors in oil fields, utility substations, or environmental monitoring stations to central control rooms.
  • Securing Connectivity for Edge Devices in IIoT: Implementing encryption at the network edge for Industrial Internet of Things (IIoT) devices, ensuring data integrity and confidentiality from the point of origin.
  • Retrofitting Legacy Industrial Networks: Adding a layer of strong hardware encryption to existing industrial Ethernet networks without replacing expensive legacy industrial switches or control devices.
  • Preventing Man-in-the-Middle Attacks on Industrial Networks: The end-to-end IPsec encryption prevents adversaries from intercepting and altering critical operational data, a significant concern in industrial cybersecurity.
  • Compliance with Industry Regulations: Helping organizations meet stringent cybersecurity regulations and standards (e.g., NERC CIP for utilities, IEC 62443 for industrial automation) by providing a robust encryption layer.

Competitive Landscape

Currently, AMG Systems is the only notable vendor selling fiber SFP carriers with integrated IP-level encryption. While other companies offer SFP-compatible devices with MACsec (Layer 2) or specialized encryption for specific applications like GPON, AMG’s Secure-Net™ SFP carrier uniquely provides transparent, hardware-level IPsec encryption directly at the SFP port. 

Key Differentiators and Advantages of AMG Secure-Net™ for Industrial Use:

  • Form Factor and Ease of Integration: The SFP form factor is uniquely suited for industrial environments where space is often limited, and ease of deployment is crucial. It simplifies the integration of strong encryption into existing or new industrial networks without requiring large, dedicated security appliances.
  • “Fit and Forget” Operation: The ability to pre-configure and simply plug in the devices is a major advantage in industrial settings, reducing the need for highly specialized IT personnel on-site and minimizing the potential for human error in configuration. This aligns well with the “set it and forget it” mentality for reliable industrial systems.
  • Hardware-Based, Line-Rate Performance: Industrial applications cannot tolerate latency or bandwidth degradation. The Secure-Net™’s hardware-level encryption at full line rate is essential for maintaining the performance of critical control systems.
  • Out-of-Band Management for ICS/SCADA Security: This feature is particularly valuable in industrial networks, as it reduces the attack surface by isolating the management interface from the operational network, making it harder for attackers to compromise the encryption device itself if they gain access to the main network.
  • Leveraging Existing Industrial Ethernet Infrastructure: The ability to work with any MSA-compliant SFP port on existing industrial switches, media converters, and other Ethernet devices means organizations can add encryption without a costly forklift upgrade of their operational technology.

Potential Competitors/Alternatives:

  1. Industrial Ethernet Switches with Integrated Security Features (e.g., Siemens, Rockwell Automation, Moxa, Hirschmann/Belden):
    • Pros: Designed for harsh industrial environments, often include features like VLANs, QoS, and sometimes basic network access control or firewall capabilities. Some higher-end models might offer integrated MACsec (Layer 2 encryption).
    • Cons: Integrated encryption (like MACsec) is often Layer 2, limiting its scope to direct physical links between compatible switches. Full IPsec encryption (Layer 3) is less common or requires higher-end, more expensive models, which might still have performance overhead.
    • AMG’s Position: AMG Secure-Net™ offers an easy way to add robust IPsec (Layer 3) encryption to any SFP-enabled industrial device, regardless of the switch’s built-in security features or vendor. It offers a more flexible solution for securing links that may traverse multiple network segments or even public infrastructure.
  2. Dedicated Industrial VPN Routers/Gateways (e.g., Moxa, Westermo, Phoenix Contact):
    • Pros: Specifically designed for industrial environments, often come with robust enclosures, wide operating temperature ranges, and certifications. Provide secure remote access and site-to-site VPNs.
    • Cons: Can be more expensive than an SFP, require their own power and mounting, and may introduce more complexity in network design. Their primary function is routing and VPN, which might be overkill if the main goal is just link encryption.
    • AMG’s Position: The Secure-Net™ SFP is a simpler, more compact, and potentially more cost-effective solution for securing point-to-point or multipoint links within an industrial network or connecting industrial segments, without the full routing capabilities of a dedicated VPN router.
  3. Software-based VPNs on Industrial PCs/Servers:
    • Pros: Cost-effective for individual endpoints, flexible.
    • Cons: Performance limitations due to software overhead, vulnerable to host-level compromises, not suitable for high-speed, low-latency control communications, and require managing software on each endpoint.
    • AMG’s Position: Secure-Net™ offers a dedicated, hardware-based solution that is more resilient, performs at line rate, and doesn’t consume resources on critical industrial computers.

Analyst Take

The AMG Secure-Net™ SFP carrier is a timely and highly relevant solution for the evolving industrial network landscape. Its unique SFP form factor, combined with seamless hardware-level IPsec encryption, offers a compelling value proposition for industrial organizations grappling with increased cybersecurity threats and the demands of IT/OT convergence. By enabling robust encryption to be easily integrated into existing industrial Ethernet infrastructure without compromising performance or requiring complex reconfigurations, the SFP provides a practical and cost-effective pathway to enhanced security for critical operational data. This positions AMG well in the growing market for secure and resilient industrial networking solutions.

Disclosure: The author is an industry analyst, and NAND Research is an industry analyst firm that engages in, or has engaged in, research, analysis, and advisory services with many technology companies, which may include those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.