What is SFTP?
SFTP stands for SSH File Transfer Protocol. It is a file transfer protocol that runs inside an encrypted SSH session, which makes it possible to send, receive, and manage files securely across untrusted networks such as the internet or a corporate network.
In OT networks, SFTP is used for the secure exchange of configurations, log files, firmware, and recipes between systems.
🧠 How does SFTP work?
- A client establishes an encrypted SSH connection to the SFTP server (port 22)
- Authentication via username + password or SSH key
- Files are sent or retrieved securely
- The session is logged and can be restricted at the file-permission level
Unlike FTP, in SFTP all communication is fully encrypted, including commands and metadata.
🏭 SFTP in industrial networks
- Transfer of process data and log files from SCADA to Historian
- Secure firmware updates or project files to PLC servers
- Remote access to OT files via Bastion Host or Jump Server
- Automated SFTP sessions for backup or reporting
- Restricting access via RBAC and access control
Example use:
- ⬆ Upload: recipe files to a production line
- ⬇ Download: audit logs for analysis
🔍 SFTP vs. FTP vs. FTPS
| Protocol | Encryption | Port | Use in OT |
|---|---|---|---|
| FTP | ❌ None | 21 | Outdated, insecure |
| FTPS | ✅ TLS (SSL) | 21/990 | Compatible with older IT systems |
| SFTP | ✅ SSH-based | 22 | Recommended for secure OT transfers |
🔐 Security aspects
- Encrypted file transfer → protection against eavesdropping and manipulation
- Use of SSH keys with a passphrase is recommended over passwords
- Read-only or upload-only permissions per user or path
- Combine with SIEM for logging of transfers
- Full support in Linux-based OT systems
- Meets the requirements of IEC 62443, ISO 27001 and NIS2
SFTP avoids risks such as plain-text credentials or insecure file exchange.
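The per-path permission and SIEM logging points above, as an added example that is not part of the original article: a small Python audit that reads SFTP subsystem log lines and flags writes outside a user's allowed prefix as well as any delete. The log lines are constructed in the shape OpenSSH's internal-sftp emits at log level INFO (`-l INFO`); the `line1_upload` user, the paths and the policy table are assumptions.

```python
import re

# Constructed sample lines in the shape OpenSSH's internal-sftp writes at "-l INFO"
# (session open/close, open with flags, close with byte counts, remove). Not a real capture.
SAMPLE_LOG = """\
Jan 10 10:00:01 sftp01 internal-sftp[2345]: session opened for local user line1_upload from [10.0.5.12]
Jan 10 10:00:02 sftp01 internal-sftp[2345]: open "/recipes/line1/batch42.csv" flags WRITE,CREATE,TRUNCATE mode 0644
Jan 10 10:00:02 sftp01 internal-sftp[2345]: close "/recipes/line1/batch42.csv" bytes read 0 written 18234
Jan 10 10:00:05 sftp01 internal-sftp[2345]: remove name "/recipes/line1/batch41.csv"
Jan 10 10:00:06 sftp01 internal-sftp[2345]: open "/firmware/plc7/image.bin" flags WRITE,CREATE,TRUNCATE mode 0644
Jan 10 10:00:09 sftp01 internal-sftp[2345]: session closed for local user line1_upload from [10.0.5.12]
"""

# Hypothetical per-user policy: path prefixes a user may write under.
# Deletes are never expected from upload accounts, so every remove is reported.
WRITE_ALLOW = {"line1_upload": ("/recipes/line1/",)}

SESSION_RE = re.compile(r'internal-sftp\[(\d+)\]: session opened for local user (\S+) from \[([^\]]+)\]')
OPEN_RE = re.compile(r'internal-sftp\[(\d+)\]: open "([^"]+)" flags (\S+)')
REMOVE_RE = re.compile(r'internal-sftp\[(\d+)\]: remove name "([^"]+)"')

def audit_sftp_log(text):
    """Return (user, client, reason, path) tuples for every policy violation in the log."""
    sessions = {}   # pid -> (user, client): one internal-sftp pid per session
    findings = []
    for line in text.splitlines():
        if m := SESSION_RE.search(line):
            sessions[m.group(1)] = (m.group(2), m.group(3))
        elif m := OPEN_RE.search(line):
            pid, path, flags = m.groups()
            user, client = sessions.get(pid, ("?", "?"))
            # An unknown user has no allowed prefixes, so every write by it is flagged
            if "WRITE" in flags.split(",") and not path.startswith(WRITE_ALLOW.get(user, ())):
                findings.append((user, client, "write outside allowed prefix", path))
        elif m := REMOVE_RE.search(line):
            pid, path = m.groups()
            user, client = sessions.get(pid, ("?", "?"))
            findings.append((user, client, "delete not permitted by policy", path))
    return findings

if __name__ == "__main__":
    for user, client, reason, path in audit_sftp_log(SAMPLE_LOG):
        print(f"ALERT user={user} client={client} reason={reason!r} path={path}")
```

The same checks can be expressed as SIEM correlation rules; the script shows which fields a rule needs (session pid, user, client address, open flags, path).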
📌 In summary
SFTP is the recommended protocol for secure file transfer in OT environments. It combines strong encryption over SSH with flexible and manageable file exchange, without compromising on security.
