by Gary Mintchell | Feb 20, 2018 | Automation, Industrial Computers, Security
Bedrock Automation, products built for security from the chips up, had a flurry of activity at the ARC Industry Forum in Orlando last week. It announced a firmware upgrade, OPC UA and partnerships for its SCADA product, and anomaly detection. Here’s a teaser—CEO and Founder Albert Rooyakkers pulled out a new piece of hardware. He didn’t have a release or specs for me, but watch for a new, lower cost, SCADA or gateway device hardened and built with security in mind from the chips up.
Bedrock and OPC UA
Bedrock Automation has published a concise, easy-to-deploy interface specification that enables users and application developers to take advantage of the security capabilities of OPC UA communications software. By following the simple procedures outlined in the Bedrock SCADA Security Platform Specification, developers can upgrade any OPC UA compliant client into a highly secure OPC UA channel, across which users can exchange data between plant floor operations and SCADA applications. Three leading SCADA software developers, Inductive Automation, ICONICS and TATSOFT, are committing and releasing support to the Bedrock interface specification.
“OPC UA provides unique cyber security advantages enabling open communications across numerous industrial devices and applications and providing the end-users options for integrating authentication keys protecting those communications. The most secure OPC level is to authenticate those keys against a known root of trust, which Bedrock supplies via a certificate authority (CA), validated against cryptographic keys built into its controller,” said Thomas J. Burke, OPC Foundation President and Executive Director, adding “Bedrock Automation is a clear leader in supporting the OPC UA standards, and provides information integration and communication that the end users have been demanding.
Bedrock designs and sources its own secure semiconductor components with encryption and authentication technologies embedded at the “birth” of their modules, assembled and tested by Bedrock in their cyber secure supply chain. The unique design then draws on the power and flexibility of public key infrastructure (PKI) and Transport Layer Security (TLS) standards similar to those used to secure ecommerce transactions and military and aerospace electronics. Bedrock Automation then uses those securely embedded keys as the basis for digital certificates that manage access and communication between SCADA applications and control systems. Bedrock Cybershield 3.0 firmware is the first control system to offer an embedded PKI for SCADA applications.
“Such a simple specification demonstrates that Open and Secure SCADA can be deployed today, and that an applications interface does not have to be thousands or even hundreds of pages. We are pleased to be working with innovative SCADA software providers such as Inductive Automation, ICONICS and TATSOFT, to help them and their customers take advantage of the secure communications capabilities of OPC UA and the intrinsic security of the Bedrock platform,” said Rooyakkers.
Cybershield 3.0
Bedrock Automation also announced the availability of Cybershield 3.0, a major firmware upgrade with advancements that make it easier for end users and developers to build control applications that are both open and secure. Among the six major innovations facilitated by the Cybershield 3.0 upgrade are the first public key infrastructure (PKI) built into an OPC UA server for SCADA applications; an industrial Certificate Authority (CA) for user key management; virtual crypto key locks for the controller; and a Secure Proxy server capability that can protect legacy controls systems of other vendors.
“Cybershield 3.0 is one of the most significant steps forward since the release of our Bedrock OSA platform. We now support leading SCADA companies in integrating their OPC UA client to our open security and key management tools. In addition, we start our march to converge IT cyber detection technologies into real-time OT automation with our integrated Anomaly Detection (AD) tools built into every controller. We are delivering secure SCADA and AD as intrinsic and zero-cost advancements, focused acutely on ease of use and reductions in lifecycle costs,” said Bedrock founder and CEO Albert Rooyakkers.
Bedrock Cybershield 3.0 includes the following capabilities:
1) Secure Open SCADA with OPC UA. The cryptographic keys built into all the Bedrock system electronics, provide the root of trust for the Bedrock Certificate Authority (CA) that verifies the reliability of OPC UA-managed communications between SCADA and PLCs or other industrial control systems.
2) Open Certificate Authority (CA) for SCADA. This advanced SaaS key and certificate management tool is not only FREE to our customers but is simple to deploy with our Secure SCADA Interface Specification. Leading SCADA providers, including Inductive Automation, ICONICS and Tatsoft, are committing to and releasing support to this interface specification.
3) Intrusion detection. Even though the Bedrock control system has protection built into its core, users still need to know when system security is challenged. Cybershield 3.0 comes standard with intrinsic Anomaly Detection (AD) functionality that continuously monitors the controller’s network and system time to detect intrusions and anomalous behavior and report it to both SCADA and enterprise database applications for trending, alarming and historizing anomalous cyber activity.
4) Quickly Secure Legacy Automation with Secure SCADA. Companies can now use Bedrock security to help integrate open standard communications protocols with legacy PLC and DCS systems from other vendors. A Bedrock secure controller module acts as a gateway between SCADA platform workstation and the legacy controllers.
5) Cryptographic key locking. Cybershield 3.0 also includes a cryptographic controller engineering key lock that permits only users with the required credentials to change the mode of the controller.
6) Achilles and EMP compliance on power supplies. Bedrock Automation is certifying its standalone power supply and standalone uninterruptible lithium power supply to both MiL-STD-461-G, the military standard for advanced EMP hardening, and Achilles Level 2 certification, augmenting the EMP and Achilles certification achieved for its control system modules last year.
“Today’s increasingly connected environment drives the process industries to search for automation solutions that deliver the benefits of open communications with ‘baked in’ cybersecurity. By extending its secure automation technology to third-party software providers, Bedrock Automation addresses this key pain point of future automation requirements. ARC believes the intrinsic and no-cost approach of Bedrock’s cybersecurity strategy is the quintessential component missing in control systems, today,” writes ARC analyst Mark Sen Gupta in his recent report, Bedrock Automation’s Open Secure Automation a “Win” with End Users
Anomaly Detection
Bedrock Open Secure Automation (OSATM) firmware will include intrinsic Anomaly Detection (AD). Bedrock OSA AD will be available as standard integrated functionality that continuously monitors the controller’s network and system time to detect intrusions and anomalous behavior.
“Preventing control system intrusion is fundamental to holistic cyber security. In addition, users need to know when the system security is being challenged. This is the role of anomaly detection. At no additional cost or complexity for the user, Bedrock’s AD delivers additional assurance that no one is tampering with your automation,” said Rooyakkers. Bedrock Anomaly Detection includes the following functionality:
• Dynamic Port Connection Monitoring, which records all attempts to connect any controller or communication point and captures identifying information on the intruder
• Network Port Scanning, which detects if hackers are scanning for open ports that might provide access to the control network
• System Time Monitoring, which detects attepts to manipulate log files to conceal malicious activity
• Cryptographic Controller Engineering Key Lock, which permits only users with valid user credentials to change the configuration and operation mode of the controller and records all access
• Intrusion Event Logging, which records all detected anomalies and reports them to SCADA software through OPC UA and standard database access for historian, alarming, and trending functions. Additionally, a tri-color status LED on the faceplate of Bedrock Controllers provides indication locally whenever an intrusion is detected.
by Gary Mintchell | Jan 16, 2018 | Automation, Security
Cyber security is on the mind of all of us. The Internet of Things, digital factory, Industry 4.0, and all of the new strategies for improving manufacturing and production efficiencies contain a common element. They all inherently contain connections that can possibly be attacked by cyber hackers.
We are all concerned with foreign government attacks that can blow up facilities, poison water supplies, and other doomsday scenarios we can imagine. However, most hackers are really after a pay day. A big pay day. They can hold your process—and your business—hostage until you fork over some cash.
I have had many interesting cybersecurity conversations with Albert Rooyakkers, founder and CEO of Bedrock Automation. He has built a powerful controller with security designed in from the chips on up. He’s been touting the “Open Secure Automation (OSA)” platform lately.
The company just released a new white paper on the cyber security vulnerabilities and defense of industrial control systems. The 20-page document, Securing Industrial Control Systems – Best Practices, covers the threat landscape and presents a holistic approach to defending it, including assessing risk, physical security, network security, workstation and server security, as well as the fundamentals of OSA.
I just read it and found it informative. You can download it here along with the previous three papers in the series.
“As we discuss cyber security with users of automation, we find that many are aware of the threat potential but are not sure if they are doing enough to protect themselves. We saw the need for a technical paper that explains both the mindset and motives of an attacker, as well as the tools and technologies of defense. This paper defines the issues in a practical, holistic way while providing recommendations on how to begin and sustain best practices for cyber defense,” said Rooyakkers.
The first half of the paper covers conventional cyber security practices that apply to all industrial control systems. It provides an assessment of the threats, including drive-by attacks, advanced persistent threats (APTs), espionage, process attacks, and ransomware. It also looks at assessing the related risks, with an introduction to Process Hazards Analysis (PHA) and Hazards and Operability (HAZOP) methodologies used to identify malfunctions that might harm people, the process, or the environment.
To assist with risk assessment, the paper provides an overview of conventional protection practices. This includes network segmentation, firewalls, and DMZs; managing workstations, servers, end-users, and applications; and implementing active defense measures, including security event monitoring and management.
The second part of the paper is devoted to more recent techniques, based on the application of intrinsic cyber security advances that have been applied in military, aerospace, and ecommerce, and are now being used to protect industrial control systems. These create a hardware end-point root of trust that combines advanced cryptography, digital signing techniques, an industrial certificate authority, and public key infrastructure (PKIs) built into the control system to create an infrastructure for user defense.
The paper also presents the features of the Bedrock Open Secure Automation platform, which embraces the best practices discussed and details the process by which they can be applied to legacy and new systems.
by Gary Mintchell | Dec 22, 2017 | Automation, News, Security
Last week I wrote about the cyber attack on a safety integrated system probably in Saudi Arabia. There has been another attack. When media relations people saw that I had written about cyber security, I started receiving more releases.
Cyber security
Here is some additional commentary by Eddie Habibi, CEO and founder of PAS Global. That company has moved strongly from alarm management investing heavily in building a cyber security practice.
“Since 2010, attackers have been intent on learning how process control networks in critical infrastructure plants work, what systems are in place, where vulnerabilities exist, and how best to manipulate these systems to affect plant safety and performance. Attackers have now moved beyond reconnaissance and are leveraging their acquired knowledge of control networks to interrupt production and create safety incidents. They are targeting systems that in many cases produce electricity for our businesses, gasoline for our cars, or clean water for our homes.
The TRITON (a.k.a. TRISIS) malware attack underscores the capabilities that attackers have acquired and the fact that traditional security controls – namely air gapping and security by obscurity – are no longer sufficiently effective. As TRITON targets an integral part of the independent protection layers that keep plants safe, this should raise red flags with every critical infrastructure company in the world.
One of the first steps companies must take is to get better visibility into the cyber assets in their plants. Eighty percent of the assets in a plant are outside of traditional IT cybersecurity programs. This is clearly unacceptable given the threat landscape we face today. Once companies gain visibility, they can begin to implement fundamental security controls such as monitoring for unauthorized change or discovering hidden vulnerabilities. Otherwise, malware such as TRITON will continue to find fertile ground for causing production disruptions and even environmental or physical harm.”
Cyber security challenges for practitioners
Part of my daily contact with PAS Global’s PR person included this tidbit from Habibi.
With these seismic attacks looming over manufacturing plants/facilities and other critical infrastructure, PAS Global has identified the top 8 critical challenges ICS directors are facing:
- Lack of overall visibility of ICS vulnerabilities
Vulnerability exploits are under reported
- False sense of security in many ICS environments
- More disclosures than capacity to investigate
- Limited visibility into ICS vulnerabilities and risks
- Vulnerability investigation is manual and research-intensive
- Limited visibility into vulnerability remediation effectiveness
- Manual, inconsistent patch management
HatMan Malware
And this from Emily S. Miller, Director of National Security and Critical Infrastructure Programs at Mocana:
“ICS-CERT’s analysis of the HatMan malware revealed some interesting and novel tidbits. Not only did the actor develop a ‘more traditional PC-based component that interacts with the safety PLC,’ but the malware also contained components specifically designed to compromise the safety device itself, which allowed changes to the device firmware. The fact that this actor has the capability to access the safety instrumentation device, and potentially make changes to the device firmware unnoticed, should make critical infrastructure owner-operators sit up and take heed. Yes, in this case the malware tripped the safety systems and was noticed, but who’s to say the actor won’t learn from its mistakes or hasn’t already? Current recommended mitigations promote defense-in-depth strategies. While these are absolutely pieces of the puzzle, things like network monitoring and segmentation alone are clearly not sufficient when the bad actors keep getting in and doing bad things to both the devices and the data contained therein. We have to do better about both defending the network AND protecting the devices themselves.”
Link to How Mocana Protects graphic on Dropbox.
Yet more cyber attacks in the news
Further communications from the agency for PAS Global. I appreciate the humor. “I didn’t want you to go a day without hearing from me. What a concerning week we are having for critical infrastructure!”
The warning is from Nyotron, which says it has spotted a threat actor with likely links to Saudi Arabia, Iran, or Algeria using a repurposed malware tool to target specific critical infrastructure organizations in the Middle East.
“We’ve seen a seven-fold increase in the number of cyberattacks on industrial control systems (ICS) since 2010. What makes this increase particularly alarming is the enhanced level of sophistication of the attacks and the success they have shown in achieving their goals.
The fact that infected USBs are behind the Copperfield attack underscores the lack of adequate, foundational security within industrial facilities. Critical infrastructure security is clearly not trending in the right direction.
The simple fact is that 80% of cyber assets in a facility are highly proprietary, do not work with IT security controls, and are largely invisible to security personnel. If we cannot see these assets, how can we hope to secure them? If we cannot secure them, then we are staring at a tumultuous 2018 because the bad guys are savvy to the insecurity of these systems.”
Meanwhile, here is another defense
Most experts I talk with discuss the need for a defense-in-depth strategy. Occasionally entrepreneurs in the field wax enthusiastically about their particular solution. Albert Rooyakkers is one of those intense entrepreneurs who has designed an industrial control product with cyber security at the heart of the design.
Here is the latest news from Bedrock Automation.
It has announced Bedrock Open Secure Automation (OSA) firmware will include intrinsic Anomaly Detection (AD). Bedrock OSA AD will be available as standard integrated functionality that continuously monitors the controller’s network and system time t0 detect intrusions and anomalous behavior.
“Preventing control system intrusion is fundamental to holistic cyber security. In addition, users need to know when the system security is being challenged. This is the role of anomaly detection. At no additional cost or complexity for the user, Bedrock’s AD delivers additional assurance that no one is tampering with your automation,” said Rooyakkers. Bedrock Anomaly Detection includes the following functionality:
- Dynamic Port Connection Monitoring, which records all attempts to connect any controller or communication point and captures identifying information on the intruder
- Network Port Scanning, which detects if hackers are scanning for open ports that might provide access to the control network
- System Time Monitoring, which detects attempts to manipulate log files to conceal malicious activity
- Cryptographic Controller Engineering Key Lock, which permits only users with valid user credentials to change the configuration and operation mode of the controller and records all access
- Intrusion Event Logging, which records all detected anomalies and reports them to SCADA software through OPC UA and standard database access for historian, alarming, and trending functions. Additionally, a tri-color status LED on the faceplate of Bedrock Controllers provides indication locally whenever an intrusion is detected.
Anomalous behavior detected at the controller level signifies a high likelihood of a cyber security event. Embedding detection into the controller provides advanced cyber defense while reducing complexity and lifecycle cost. Bedrock AD will be standard on all Bedrock systems and is available as a free firmware upgrade to installed systems as part of Cybershield 3.0 in March 2018.
by Gary Mintchell | Sep 26, 2017 | Automation, Security
Inductive Automation included a number of partner companies in its Ignition Community Conference last week in Folsom, CA. Among these companies was Bedrock Automation. I’ve written about Bedrock before a few times. This trip I was looking at its display when its CEO in disguise appeared.
Why it matters: Cyber security is at the top of everyone’s mind these days. Bedrock Automation has designed a system to be secure from all parts of the supply chain.
Albert Rooyakkers, founder/CEO/CTO, was wearing a hat and sunglasses and I walked right past him. However, he came over and gave me his usual high energy explanation of the entire Bedrock system.
Bedrock Automation builds an industrial control system (PLC) that was designed from the beginning with security in mind. Not just cyber security, but also security from tampering, lightning, high-energy electromagnetic interference, and more.
Intrinsic Security begins with Strong Cryptography, then adds Secure Components, Component Anti Tamper, Secure Firmware, Secure Communications, and Module Anti Tamper.
The metal construction showcases the secure construction, just as does the design of the I/O modules and communication with the controller (no insecure backplane).
Public Key Infrastructure
Rooyakkers always gives me the deep dive into Public Key Infrastructure which leads to Hardware Root of Trust—the essential element of security in the product.
Use of asymmetric cryptography for authentication and key exchange is the basis of secure e-commerce. In the internet context, there is a critical additional piece, a root of trust at the center of an exchange. This is called Certificate Authority. Key pairs, certificates, a root of trust and interoperable algorithms together form a Public Key Infrastructure (PKI) which includes the infrastructure and policies to manage and maintain the trust. Some of the building blocks include:
• Signatures
• Transport Layer Security
• X.509 Certificates
• Certificate Chain of Trust
• Root Certificate Authority
Until now PKI has not been implemented in industrial control systems. Bedrock Automation embeds the Hardware Root of Trust in the control system. It is designed from the ground up with security in mind.
Bedrock Automation has always gone to market with systems integrators—a strategy that fits with Inductive Automation. In many remote control and SCADA systems, the two form a perfect pair.
by Gary Mintchell | Jul 21, 2017 | Internet of Things, Security
When you begin connecting “things”, that is, data sources and data consumers, and exposing them to a network or the Internet, then cyber security assumes a role of primary importance. Or, at least it should assume such a role. Here is a slightly different take on Internet of Things data security.
Entrust Datacard, a provider of trusted identity and secure transaction technology solutions, has introduced Entrust Datacard ioTrust Security Solution. The solution delivers a secure and trusted digital infrastructure that safeguards data between devices, sensors, and backend platforms connected within an Internet of Things (IoT) ecosystem. By applying digital identities managed through definable policy — the ioTrust Security Solution allows companies to do business in new ways and create the trusted products and experiences that these environments demand.
Today, digital businesses are striving to create new business models that turn stand-alone products into highly interactive and connected services, but are faced with a variety of challenges ranging from complicated integrations and extended deployment timelines to mitigating safety and privacy concerns. ioTrust is based on enterprise-grade encryption technologies and leverages Entrust Datacard’s 30 years of expertise in establishing identity-based, trusted infrastructures for the world’s most secure environments.
With capabilities such as identity, authentication and authorization, credential lifecycle management, and secure communications ioTrust helps organizations securely connect the people, applications and devices that power the connected world. ioTrust speeds deployment timelines, allowing organizations to more quickly realize business value in areas such as process optimization and automation, supply chain visibility, and delivery of new services. The Entrust Datacard ioTrust Security Solution is designed to secure IoT data across a variety of industries including industrial control systems, automotive, telecommunications and manufacturing supply chains.
“Unlike existing solutions that have been simply repurposed from IT environments, Entrust Datacard has spent several years working with customers and ecosystem partners to design a solution that recognizes the unique needs of IoT environments and incorporates sound security practices,” said Josh Jabs, vice president of PKI and IoT for Entrust Datacard. “We’ve created a solution that allows organizations to enhance their service offerings, improve the user experience and enable new business models while leveraging a trusted infrastructure.”
ioTrust Ensures a Trusted Internet of Things by:
- Enabling a secure and trusted ecosystem of people, applications and things throughout the IoT value chain
- Providing greater visibility into the security of the supply-chain, spanning from device manufacturer to the final product
- Reducing time-to-market and total cost of ownership by helping organizations to develop solutions based on heterogeneous device categories and profiles
- Empowering organizations to leverage existing infrastructures and devices, while supporting new products and services without the need to “rip and replace”
- Facilitating the secure and timely delivery of data and outcomes generated by trusted people, applications and things to the value-creation engine
For more information on Entrust Datacard ioTrust Security Solution and the specific industry use cases, visit .
