Industrial Control Systems Cyber Security Through Trusted Systems
The week following Thanksgiving, I participated in a press tour with Siemens visiting a number of locations in Munich, Germany, and then on to Nuremberg for a day at SPS/IPC/Drives. I have posted a few things already, and you can check out my Twitter stream.
Three weeks of travel plus my wife’s surgery (elective, she’s doing well with Nurse/Cook Gary sort of looking after her) took a toll on catching up with writing and email. Excuses aside, following are some additional thoughts from the trip.
If company executives and engineers cannot trust data coming from the IoT system, then digitalization and its many benefits will not be implemented. It’s in this spirit that Siemens launched the Charter of Trust earlier this year at the Munich Security Conference. Since then, several more global companies have seen the value of the Charter of Trust and signed on.
The Charter of Trust then begins with these three goals:
- protecting the data and assets of individuals and businesses;
- preventing damage to people, businesses, and infrastructures;
- building a reliable basis for trust in a connected and digital world.
We were introduced to several companies that have joined the Charter of Trust, visiting their sites and discussing various aspects of cyber security with them.
Harry Brian, Business Development Manager, Industry Security Services, Siemens, gave us a Siemens background. “As we see attacks in the wild that are specifically crafted for PLCs and safety systems, no one can ignore the relevance and the urgency,” he told us. In addition, companies also must comply with numerous industrial security regulations and standards all over the world. “Help lies in a concept called defense in depth and is to be found in the IEC 62443 – the standard for IT security for Industrial Automation and Control Systems. Siemens has been addressing the cyber challenge for decades and is employing innovation and technology for anomaly detection and vulnerability monitoring and reporting with MindSphere.”
We stopped at NXP’s office in Munich. NXP has signed on to the Charter of Trust. The first discussion dove into autonomous driving, the convergence of AI and IoT, with Lars Reger, Automotive Chief Technology Officer and Wolfgang Steinbauer, VP, Head of the NXP Innovation Center Crypto and Security.
“The paradigm shift that comes with the convergence of AI and the IoT, will be even greater than the one we have witnessed with the introduction of the personal computer or the mobile phone,” they told us. “Effective security, based on the guiding principles of security and privacy by design, will be crucial to mitigate against the risks that come with it. Cybersecurity and data privacy aspects are paramount to generate trust, particularly so in critical future applications in smart traffic and autonomous driving. People, organizations and entire societies will support this transformation only if the security of their data and networked systems can be ensured.”
The Charter of Trust, they noted, defines what it means to trust along with security levels.
We stopped next in our tour of Munich at TÜV Süd, and a discussion with Andy Schweiger, Cybersecurity section Chief Executive Officer. For Americans not familiar with the organization, it is somewhat analogous to UL.
The news here is that TÜV Süd is developing a cyber security consulting practice and has been on a hiring spree adding to its staff.
The next stop was a tour of the IBM Watson IoT Center. Here IBM brings together developers, consultants, researchers and designers to drive state-of-the-art collaborative innovation with SMEs and start-ups, government, schools and universities and investors.
Speakers stressed the importance of involving governments in industrial cyber security work. Supply chains require careful consideration, establishing risk-based rules for protection across all IIoT layers with clearly defined and mandatory requirements. There are many avenues for intrusions. They brought up the case of a hacker getting into a system through a smart lightbulb.
Finally came a tour of Allianz Stadium, home of the Bayern Munich Football Club where Siemens has a strong technology partnership.
The partnership includes energy, building infrastructure, mobility and security.
Fire prevention: Allianz Arena has maximum protection against fire. Numerous fire detectors and sprinkler heads are located throughout the stadium: 4,600 fire detectors, 1 sprinkler head per 4 visitors (about 140 times more than fire-fighters per inhabitant in a German city), and 3 water reservoirs with a total volume of 1,200 m³ in each sprinkler and hydrant centre.
Energy Management: Energy supply (introduction via screen inside the stadium) – the new video wall quadruples the energy consumption in comparison to the previous video wall. Supply comes through two transformer stations of the Stadtwerke München (municipal utilities) with a capacity of about 12 MW; peak capacity on a match day is about 6 MW, which equals the consumption of a smaller town. Plans include a complete microgrid solution by Siemens, from power generation and storage through distribution, including monitoring.
Traffic Control: Siemens solutions (a camera system for the surveillance of traffic routes), suburban traffic vehicles and traffic telematics ensure that all fans reach the stadium safely and on time. Siemens traffic management systems regulate the flow of traffic on the motorways near the stadium. Video surveillance: Siemens security concepts and technologies are optimally adapted to the large visitor flow in the Arena. A video system with 90 cameras records images that can be used by law enforcement.
Every professional soccer stadium has an experienced greenkeeper who cares for the sacred turf. And now, for the first time, the greenkeeper at the Allianz Arena will be assisted by an application. It’s being made possible by MindSphere, the open IoT operating system, and software developers at evosoft. The FC Bayern Greenkeeper App will now assist the greenkeeper and give the grass a voice. Sensors gather data and send it to MindSphere. The MindSphere application then evaluates the data and converts it into action recommendations. Water more. Expose the grass to stronger or longer light. Start the lawn heating or turn it down.
These kinds of recommendations require a huge amount of data: light, temperature, humidity, the lawn’s salt content, wind, the chlorophyll content of the blades of grass. All this data is supplied by sensors installed on the field by the Dutch stadium lighting expert SGL, allowing its customers to monitor the lighting of their lawn. Current weather data and forecasts are also fed into the system. The data from the playing field is delivered to the collector box once per minute. MindSphere evaluates the data, formulates action recommendations, and converts both into clear diagrams. The greenkeeper keeps an eye on the turf via a smartphone – and he’s immediately provided with specific action recommendations.
Hewlett Packard Enterprise (HPE) announced new HPE Edgeline Converged Edge System solutions that speed the deployment and simplify the management of edge applications, enabling customers to act on the vast amounts of data generated by machines, assets and sensors from edge to cloud.
I think this is another significant advance reflecting the utility of enterprise compute capability brought ever closer to the plant itself. If you are looking to be disruptive in your industry or are on a corporate engineering staff looking for OT alternatives, I’d suggest taking a long look at these technologies and then letting your imagination do its work.
The new solutions include:
- HPE Edgeline OT Link Platform, an open platform that automates the interplay between diverse operational technologies (OT) and standard IT-based applications at the edge to enable intelligent and autonomous decision making;
- HPE Edgeline systems management, the industry’s first systems management solutions designed specifically for the edge to ensure enterprise-grade reliability, connectivity and security;
- HPE Edgeline EL300 Converged Edge System featuring OT link and HPE Edgeline systems management, providing superior resilience against harsh edge environments for a broad range of industrial deployments; and
- HPE Edgeline Field Application Engineering Services are available from HPE Pointnext to help customers plan, build, and customize OT link-based Internet of Things (IoT) and cyber-physical systems.
To turn edge data into insight for real-time action, it must be processed close to its source to avoid the latency, bandwidth, and cost issues of sending the data to a remote data center. However, this opportunity comes with a set of unique challenges, including management of remote infrastructure, and the necessity to seamlessly connect sensors and industrial assets with IT applications at the edge.
“Deploying IoT, edge, and cyber-physical systems is a challenge requiring a fresh look at uniting the physical and digital worlds,” said Dr. Tom Bradicich, Vice President and General Manager, Converged Servers, Edge and IoT Systems, HPE. “With today’s announcements, we enable our customers to accelerate the delivery of applications that capitalize on edge data, safeguarded by enterprise-class management. And we lay the groundwork for a new ecosystem of intelligent edge solutions to drive innovation and growth across industries.”
Simplifying deployment of edge-to-cloud IoT and cyber-physical systems
Today, setting up an IoT or cyber-physical system is a laborious undertaking. It requires custom coding to orchestrate OT networks, control systems, and data flows with drivers, middleware, and applications running on IT systems. HPE Edgeline OT Link Platform is an open platform that significantly simplifies this process, reducing cost and time to market.
The solution includes:
HPE Edgeline OT Link Platform software, an open workflow engine and application catalogue, allowing customers to orchestrate components, data, and applications via a graphical drag-and-drop user interface. The HPE Edgeline OT Link Platform integrates an ecosystem of third-party applications running from edge to cloud – including AWS, Google, Microsoft, SAP, PTC, GE, and more – to make insights from the edge available across the enterprise and supply chain.
HPE Edgeline OT Link certified modules, HPE-developed adapters that connect to a broad range of OT systems, enabling bi-directional, time-sensitive, and deterministic control and communication, including high-speed digital input/output, CAN bus, Modbus, or Profinet. APIs and SDKs for these adapters are made available to the industry to facilitate third-party designs of OT link modules. OT link will also integrate FPGA modules to give customers maximal flexibility to connect to any industrial input/output device.
Enterprise-grade manageability and security at the edge
HPE also announced the industry’s first systems management solutions specifically designed to simplify the provisioning and management of edge infrastructure and applications, providing enterprise-grade manageability and security for remote systems with limited connectivity and IT expertise.
HPE Edgeline Integrated System Manager is embedded into HPE Edgeline Converged Edge Systems and features one-click provisioning, ongoing system health management, remote updates, and management even with intermittent wired and wireless connections. It also supports advanced security functions like preventing system boot file changes and remote system disablement during a security event. HPE Edgeline Infrastructure Manager software can remotely manage thousands of Edgeline Converged Edge Systems.
The HPE Edgeline Workload Orchestrator hosts a central repository for containerized analytics, AI, business, and IoT applications that can be pushed to HPE Edgeline Converged Edge Systems at the edge.
Unparalleled convergence of OT and IT
The HPE Edgeline EL300 is a fan-less, low-energy system equipped with Intel Core i5 processors, up to 32GB of memory and 3TB of storage. It will also support Intel Movidius Myriad X vision processing units to enable video analytics and AI inference at the edge. The HPE Edgeline EL300 provides enhanced resiliency against shock, vibration, humidity, and dust, including IP50 and MIL-SPEC certifications, and can operate from -30 to +70 degrees Celsius. These features make the HPE Edgeline EL300 suitable to be deployed as an embedded system – for example, in production machines or in building infrastructure.
Expertise to accelerate deployment and create competitive advantage
To support these new offerings, HPE Pointnext, the services organization of Hewlett Packard Enterprise, provides HPE Edgeline Field Application Services, which help customers plan, design, build, and run IoT, edge and cyber-physical systems to accelerate deployment and ensure reliable and secure operation. These services include the evaluation of use cases, proof of value, solution deployment, and management of ongoing operations – helping customers get the most from OT/IT integrations.
Moreover, HPE Pointnext can help customers develop their own data acquisition, industrial network, and control components for HPE Edgeline OT Link Platform to create custom solutions and competitive advantage. HPE Edgeline OT Link Platform based solutions can be delivered on-premises with a turnkey deployment service, operated by HPE Pointnext.
Finally, HPE Edgeline EL300 Converged Edge System will be added to HPE GreenLake Flex Capacity, to deliver a consumption-based experience with usage-based payment, capacity metering, and tailored support, for customers who need a cloud-like experience for systems at the edge.
Digitalization breeds the need for data and connected devices. Trusted connections and data are required for success. Siemens invited a diverse group of press, analysts, podcasters, and bloggers to Munich this week (November 26-28) to discuss cybersecurity and the Charter of Trust.
I will use the words of Siemens below to discuss the rationale for the Charter of Trust. However, the idea is that if users cannot trust their data and connections, they will never go further into digitalization and therefore will not realize the anticipated benefits.
Some of the analysts and others in the conference had trouble understanding how something seemingly vague and not specifically standards-based would work. I think they missed the point. First, standards are good, but they take a long time to develop. What was needed was not another new standard. What is needed is for many companies to agree to a set of principles and then commonly work toward them for the mutual benefit of the industry, users, and society.
Eva Schulz-Kamm, Global Head of Government Affairs at Siemens AG, and Rainer Zahner, Global Head of Cybersecurity Governance at Siemens, told us the digital world is changing everything. Billions of devices are connected by the Internet of Things. That holds great potential for everyone, but also great risk. The risk of exposure to cyber-attacks. The risk of losing control over the systems that run our infrastructures. Cybersecurity is therefore crucial to the success of our digital economy – because only if the security of data and networked systems is guaranteed will people actively support the digital transformation. They then explained why Siemens has initiated the Charter of Trust.
Siemens’ 171 years of experience have also shown that the best way to make a lasting difference isn’t as one company, but as an industry – not only as one nation, but as part of a global community. In modern history, competitor businesses have forged standards together that have carried the world from one industrial revolution to the next – including the unfolding digital transformation of industry. Countries without clear-cut geopolitical alliances have come together to forge cross-border agreements that grow trade and advance peace.
It’s in this spirit that Siemens launched the Charter of Trust earlier this year at the Munich Security Conference, a longstanding forum for business and government leaders to discuss geopolitical issues. Since then, several more global companies saw the value of the Charter of Trust, and signed on. These companies committed to create the first-of-its-kind global alliance focused on answering a very important question: How do we secure critical infrastructure – from our factories to our power grids – in the digital age?
We also are carrying an important message together: that when we talk about security today, it isn’t just about diplomacy and resolving military conflicts – it is increasingly about cyber attacks that seek to undermine our democratic and economic values.
The Charter of Trust then begins with these three goals:
- protecting the data and assets of individuals and businesses;
- preventing damage to people, businesses, and infrastructures;
- building a reliable basis for trust in a connected and digital world.
“We know at the outset that a one-size fits all approach won’t work. We have instead agreed to 10 principles – from ensuring the highest levels of responsibility for cybersecurity within every company, to securing supply chains, products, and working with governments. Together, we will develop and continuously improve coordinated strategies and shared standards to protect critical infrastructures, public facilities and private companies.”
Charter of Trust members: The AES Corporation, Airbus, Allianz, Atos, Cisco, Dell Technologies, Enel, IBM, Munich Security Conference, NXP Semiconductors, SGS, Deutsche Telekom, Total and TÜV SÜD.
I will only be at SPS for a few hours this year to check in with old friends and see some of the latest automation goodies. But I’m glad to be there at all. Thank you to Siemens, which is sponsoring a press tour that includes a couple of days of intense cybersecurity briefings and workshops.
Oh, and a trip to Allianz Stadium to see the technology and a Bayern München football match.
Some early SPS news:
- Avnu Alliance Demonstrates New Conformance Test Reference Tool
- OPC Foundation promises much news plus addition of Rockwell Automation
OPC Foundation has sent a couple of emails inviting us to a press briefing at SPS promising much news. I won’t be in Nuremberg on Tuesday, but I’ll catch up with Stefan and Tom for sure on Wednesday.
The mating dance has ended after a few months. Rockwell Automation has rejoined the OPC Foundation and gained a board seat. OPC Foundation has elected Juergen Weinhofer, vice president of common architecture and technology for Rockwell Automation, to its board of directors. Note that Weinhofer is also the Rockwell delegate to the ODVA board.
Weinhofer’s election to the board extends Rockwell Automation’s engagement in the technical work of the OPC Foundation and its technical advisory council.
“OPC UA has become the dominant open protocol for machine-to-software and machine-to-cloud solutions, and it is becoming critical for companies deploying a Connected Enterprise,” Weinhofer said. “I look forward to helping the OPC Foundation become a leader in machine-to-machine applications and helping OPC UA users unlock more value from their production systems.”
This quote is from the OPC news release. We should note that “Connected Enterprise” (capitalized) is the Rockwell Automation theme. I also note while parsing the comment that Rockwell is still firmly fixed in the factory floor area where Weinhofer specifically states “become a leader in machine-to-machine applications.”
“Rockwell Automation is a proven leader in industry standardization and open information technologies,” said Stefan Hoppe, president of the OPC Foundation. “I welcome not just Juergen’s business and political skills on the board but also the increased technical and commercial contribution that the wider Rockwell Automation team will also bring to the foundation.”
Avnu Alliance, an industry consortium enabling open, standards-based deterministic networking, will exhibit at SPS IPC Drives in the University Stuttgart ISW booth. Avnu Alliance, alongside ISW and Industrial Internet Consortium (IIC), will showcase the role of conformance test plans, testbeds and test reference tools in ensuring an interoperable ecosystem of Time Sensitive Networking (TSN) devices.
“We are in cooperation with IIC, IEEE, IEC and others in creating an interoperable ecosystem through a common network foundation that stems from industry open standards and testing,” said Todd Walter, Avnu Alliance Industrial Segment Chair. “The market will continue to require multiple application layer protocols for networked industrial systems. The Avnu Alliance charter is to enable interoperability at the network layer, to ensure ‘One TSN.’ We are the organization focused on providing TSN test plans and reference test architectures to anyone in the industry that wants to test for TSN compatibility.”
As such, Avnu serves to support Fieldbus organizations by providing its TSN conformance tests and procedures to ensure those organizations’ interoperability in the wider Ethernet system.
Leveraging the industry-defined requirements for TSN network interoperability, Avnu ensures there is a universal set of test plans for conformance to guarantee interoperability at the network layer. Avnu has developed a baseline test plan in the industrial market that ensures industrial devices, whether end device, infrastructure component or silicon, conform to the relevant IEEE standards, as well as the industrial automation profile being defined by IEC/IEEE 60802 Joint Project working group.
Starting with Time Synchronization, or 802.1AS, as the foundation for all TSN devices, Avnu released the first set of test plans at SPS IPC Drives in 2017. Avnu will soon publish additional conformance test plans for end devices, such as enhancements for scheduled traffic.
At SPS IPC Drives 2018, Avnu Alliance will show a new proof-of-concept (POC) Conformance Test Reference Design that offers a single, streamlined way for vendors to test TSN interoperability. The POC Conformance Test Reference Design is designed to automatically test TSN devices for compliance with 802.1AS. The demonstration features a Linux open-source test tool created by ISW in partnership with Avnu. This tool would also allow other protocol organizations to test application stacks on top of a TSN network in a streamlined way, enabling one-stop certification at any test house.
Last week I gave a short presentation at a breakout session of the Industry of Things East World event in Orlando. This podcast is a recap of the talk done in a slightly different style. As the fourth speaker in the afternoon surveying the audience, I switched styles to one I hope kept everyone awake.
I wanted to talk about data. Why we collect it. How we can use it. And good management practices. All in fewer than 20 minutes. Allowing time for a decent discussion at the end.
My response to automation and robot dystopian writers is that for the most part these technologies have removed humans from dangerous and monotonous manufacturing work. Humans are freed to do things using their heads as well as their hands. This report from A.T. Kearney and Drishti further contradicts hype about accelerating factory automation and demonstrates the need for greater investment in the human workforce.
According to new data released today by A.T. Kearney and Drishti, humans still perform 72 percent of manufacturing tasks. This data, from a survey of more than 100 manufacturing leaders, suggests that despite headlines about robots and AI replacing humans in factories, people remain central to manufacturing, creating significantly more value on the factory floor than machines.
Respondents also noted that there’s an almost universal lack of data into the activities that people perform in the factory. This analytical gap severely limits manufacturers’ ability to make informed decisions on capacity planning, workforce management, process engineering and many other strategic domains. And it suggests that manufacturers may overprioritize automation due to an inability to quantify investments in the human workforce that would result in greater efficiencies.
“Despite the prominence of people on the factory floor, digital transformation strategies for even the most well-known, progressive manufacturers in the world remain largely focused on machines,” said Michael Hu, partner at A.T. Kearney. “This massive imbalance in the analytics footprint leaves manufacturers around the globe with a human-shaped blind spot, which prevents them from realizing the full potential of Industry 4.0.”
While manufacturing technology has seen increasing innovation for decades, the standard practices for gathering and analyzing tasks done by humans – and the foundation of holistic manufacturing practices like lean and Six Sigma – are time-and-motion study methodologies, which can be directly traced back to the time of Henry Ford and have not been updated for the digital age.
“The principles underlying these 100-year-old measurement techniques are still valid, but they are too manual to scale, return incomplete datasets and are subject to observation biases,” said Prasad Akella, founder and CEO of Drishti. “In the age of Industry 4.0, manufacturers need larger and more complete datasets from human activities to help empower operators to contribute value to their fullest potential. This data will benefit everyone in the assembly ecosystem: plant managers, supervisors, engineers and, most importantly, the operators themselves.”
Additionally, the survey respondents noted the significant overhead needed for traditional data gathering methodologies: on average, 37 percent of skilled engineers’ time is spent gathering analytics data manually.
“Humans are the most valuable asset in the factory, and manufacturers should leverage new technology to extend the capabilities of both direct and indirect labor,” said Akella. “If you could give your senior engineers more than a third of their time back, you’d see immediate gains. Instead of spending so many hours collecting data, their attention and capabilities would remain focused on the most critical decisions and tasks.”
The survey also revealed the flip side of human contributions to manufacturing systems: Survey respondents noted that 73 percent of variability on the factory floor stems from humans, and 68 percent of defects are caused by human activities. Perhaps as a result, 39 percent of engineering time is spent on root cause investigations to trace defects – another manual expenditure of time that could be greatly reduced with better data.
“The bottom line is that better data can help both manufacturers and human operators across the board,” said Hu. “Data illuminates opportunities for productivity and quality improvements; simplifies traceability; mitigates variability; and creates new opportunities for operators to add even greater value. Humans are going to be the backbone of manufacturing for the foreseeable future, and the companies that improve their human factory analytics are the ones that will be best positioned to compete in Industry 4.0.”
A.T. Kearney is a leading global management consulting firm with offices in more than 40 countries.