Bedrock ICS Proxy Solution Helping Utility Transition to Cyber Secure Automation

Cybersecurity has been a frequent topic lately at The Manufacturing Connection. Bedrock Automation founders built on a secure chip set as a foundation for an Industrial Control System (ICS) that is secure in many ways. Founder and CEO Albert Rooyakkers has devoted hours explaining the details and nuances of the many ways the product is nearly invincible. (He would take issue with my qualifying word.) This case study offers a few details about a utility bolstering its defense with an upgrade to Bedrock control platform.

A Colorado utility is transitioning legacy PLCs and RTUs to the Bedrock OSA (Open Secure Automation) platform, which Bedrock positions as intrinsically secure. The transition is part of a multi-year automation upgrade plan, which utility management saw as an opportunity to deepen its cyber security protection while also modernizing its controls.

“Like most other public utilities, we must adapt to an ever-changing world and that includes cyber security. We’ve always had robust physical security and required usernames and passwords for access to critical systems and controls, but we saw the world around us changing quickly. Many of today’s automation technologies are not as secure as they could be because they were developed long before security was a major issue in the industry. Most of the security added to them was an afterthought,” said Shay Geisler, I&C Administrator for Colorado’s East Cherry Creek Valley (ECCV) Water & Sanitation District.

ECCV’s legacy control architecture consisted of SCADA software housed on a dedicated Windows desktop or server alongside a communications driver, in this case an OPC server, which spoke to the PLCs over legacy protocols that, as a rule, authenticate neither end of the connection. Each ECCV upgrade target used two PLCs to concentrate field data for the plant SCADA system, which had itself been upgraded to a more secure version.

“We knew security could not be limited to the SCADA software only. There were too many downstream systems and assets that, if left untouched, would present a huge vulnerability. We determined that the vast majority of these potential vulnerabilities could be solved by addressing the PLC and SCADA communications system,” said Geisler. 

Securing SCADA and control networks

Geisler and his team concluded that the most secure and cost-effective approach would be to connect the SCADA network and the control networks over a secure communications channel. Fully implementing this at once, however, would have required ripping out and replacing the entire system immediately, which would have been costly and highly disruptive. Instead, working with automation supplier Process Control Dynamics and system consultant RSI Company, they adopted a phased approach, using secure Bedrock OSA Remote control units as proxy servers to enable an eventual transition to a full Bedrock platform.

“We are slowly upgrading the remote sites that have been serviced by legacy data concentrators, one-by-one as we convert each to use the secure Bedrock controller. The new controllers at the remote sites bypass the legacy concentrators and now report directly to the Bedrock proxy. Once all sites are converted, we will remove the legacy concentrators,” said Russ Ropken, with RSI Company, the system integrator who developed the architecture that enabled the seamless transition.

The end result is secure, certificate-based communication from the SCADA software down to the remote PLCs/RTUs. The Bedrock OSA Remote proxy units will later switch over to a peer-to-peer network of scalable, secure Bedrock control units connected by an encrypted radio network.
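The phased design above leaves a practical hazard for as long as the legacy concentrators remain in service: the unauthenticated legacy path stays open, so the proxy must refuse legacy frames for any site that has already moved to the authenticated channel, or a converted site can simply be spoofed through the old path. The following is an added illustration of that rule, not Bedrock Automation's or RSI Company's code. It stands in a per-site HMAC-SHA256 key for the certificate-based channel the page describes (an assumption made so it runs offline), adds a monotonic counter against replay, and uses constructed site names and data.

```python
"""Model of a phased SCADA migration proxy (added example, not vendor code).

Assumptions: per-site pre-shared keys and HMAC-SHA256 stand in for the
certificate-based channel; site names, keys and field values are constructed.
"""
import hashlib
import hmac
import json


def canonical(site_id, ctr, data):
    """Stable byte encoding of the fields covered by the MAC."""
    return json.dumps({"site": site_id, "ctr": ctr, "data": data},
                      sort_keys=True, separators=(",", ":")).encode()


def make_secure_frame(site_id, key, ctr, data):
    """Frame as a converted remote controller would send it (constructed)."""
    mac = hmac.new(key, canonical(site_id, ctr, data), hashlib.sha256).hexdigest()
    return {"site": site_id, "ctr": ctr, "data": data, "mac": mac}


class MigrationProxy:
    def __init__(self, legacy_sites):
        self.legacy_sites = set(legacy_sites)  # still behind a legacy concentrator
        self.site_keys = {}                     # converted site -> key
        self.last_ctr = {}                      # converted site -> last accepted counter
        self.log = []                           # (site, verdict, reason)

    def convert_site(self, site_id, key):
        """Move a site onto the authenticated path and close its legacy path."""
        self.site_keys[site_id] = key
        self.legacy_sites.discard(site_id)

    def handle_legacy(self, site_id, data):
        """Unauthenticated frame relayed by a legacy concentrator."""
        if site_id in self.site_keys:
            # The old path must not be able to speak for a converted site.
            self.log.append((site_id, "reject", "legacy frame for converted site"))
            return False
        if site_id not in self.legacy_sites:
            self.log.append((site_id, "reject", "unknown legacy site"))
            return False
        self.log.append((site_id, "accept", "legacy"))
        return True

    def handle_secure(self, frame):
        """Authenticated frame from a converted remote controller."""
        site_id = frame.get("site")
        key = self.site_keys.get(site_id)
        if key is None:
            self.log.append((site_id, "reject", "site not on secure path"))
            return False
        expected = hmac.new(key, canonical(site_id, frame.get("ctr"), frame.get("data")),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(frame.get("mac", ""))):
            self.log.append((site_id, "reject", "bad mac"))
            return False
        if frame["ctr"] <= self.last_ctr.get(site_id, -1):
            self.log.append((site_id, "reject", "replay"))
            return False
        self.last_ctr[site_id] = frame["ctr"]
        self.log.append((site_id, "accept", "secure"))
        return True


def run_migration_scenario():
    """Walk one site through conversion; returns (verdicts, log). Data is constructed."""
    proxy = MigrationProxy(legacy_sites={"well-07", "tank-12"})
    key_well07 = b"constructed-demo-key-well-07"  # stands in for a device certificate
    verdicts = {}

    verdicts["legacy_before_convert"] = proxy.handle_legacy("well-07", {"flow_gpm": 410})
    proxy.convert_site("well-07", key_well07)
    verdicts["legacy_after_convert"] = proxy.handle_legacy("well-07", {"flow_gpm": 0})
    verdicts["legacy_unconverted_site"] = proxy.handle_legacy("tank-12", {"level_ft": 12.5})

    frame = make_secure_frame("well-07", key_well07, ctr=1, data={"flow_gpm": 412})
    verdicts["secure_valid"] = proxy.handle_secure(frame)
    verdicts["secure_replay"] = proxy.handle_secure(frame)
    tampered = dict(frame, data={"flow_gpm": 0})
    verdicts["secure_tampered"] = proxy.handle_secure(tampered)
    verdicts["secure_unknown_site"] = proxy.handle_secure(
        make_secure_frame("pump-03", b"some-other-key", ctr=1, data={}))
    return verdicts, proxy.log


if __name__ == "__main__":
    results, log = run_migration_scenario()
    for name, ok in results.items():
        print(f"{name:26s} {'accepted' if ok else 'rejected'}")
```

Running it prints one verdict per step. In a real deployment the per-site keys would be the controllers' certificates and the counter would be the secure channel's own replay protection; the rule that survives either substitution is the first check in handle_legacy.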

ECCV already has field data running through 12 of its target sites, with some 74 left to go. For more details, including the architecture of each phase, download the case history here.


NI Unlocks the Power of Test Data and Software

NI Connect, its annual user group meeting, was held virtually again this year, and NI announced several product advances. A couple relate to advanced driver-assistance systems, with wider applicability, I’m sure. First was a brief discussion of digital thread—something NI was doing before the buzz word was invented. I loved the many years of co-founder Jeff Kodosky’s technical discussions of software defined instruments and data traces through the software.

To quote from this year, “NI’s software-connected approach creates a more complete enterprise data and insight chain, collecting and connecting the data that accelerates digital transformation, enabling customers to optimize every step of the product life cycle.”

“A digital thread of data across each phase of the product life cycle delivers powerful insights to enhance product performance,” said NI CEO Eric Starkloff. “At NI, our software-connected approach unlocks the power of test, from early research to the production floor and beyond. We continue to aggressively invest in the technology to make this compelling vision a reality.”

Product announcements include:

  • Streamlined SystemLink Software Interface to Increase Efficiency — By connecting test systems and test data to enterprise outcomes, SystemLink software substantially accelerates each phase of the product life cycle. With a unified view of test operations in design validation and production environments, SystemLink manages and simplifies test scheduling, resource utilization, system health and maintenance. The latest software enhancements include new UI customization options, simplified product navigation and expanded asset health monitoring capabilities. The result is test insight acceleration, more efficient use of assets and reduced cost of test.
  • New LabVIEW 2021 to Improve Interoperability with Python and MathWorks MATLAB Software — Open-source software is increasingly important as systems become more diverse and complex. NI’s 2021 version of LabVIEW, the leading software platform for building test and measurement systems, features improved interoperability with Python and MathWorks MATLAB software, improved support for version control using Git and usability enhancements. These updates make it easier for engineers to connect disparate systems and hardware to accelerate innovation, especially in the design and validation environments.
  • PXI Hardware Solution to Enable Software-Connected Workflow in a Smaller, Cost-Effective Package. Like open-source software, modular hardware is also increasingly important to flexibly connect with existing systems and workflows. PXI hardware delivers openness, software options, modularity and I/O coverage for customers seeking to develop adaptive and scalable systems. NI’s first 2-slot PXI chassis delivers these benefits in a smaller, more cost-effective package. Modular hardware like PXI enables a software-connected workflow to achieve better results.
  • NI Collaboration with Seagate to Deliver First-of-Its-Kind In-Vehicle Edge Storage and Data Transfer Service — The next generation of autonomous vehicles requires more real road data than ever before, making efficient data storage exceedingly important. NI and Seagate Technology Holdings, a world leader in data storage infrastructure solutions, announced a new collaboration to enhance data storage services, including a first-of-its-kind advanced driver-assistance systems (ADAS) record offering. This in-vehicle data storage as a service (STaaS), powered by  Seagate’s Lyve Mobile edge storage and data transfer service, enables original equipment manufacturers (OEMs) and suppliers to modernize their data storage strategy from self-managed to STaaS, leading to reduced costs and efficient storage.
  • NI Ettus USRP X410 Software Defined Radio Platform to Accelerate Wireless Innovation — The next generation of wireless technologies, 5G and 6G, are poised to transform the way people and systems connect, making test data insights that much more important. Because wireless technologies are becoming increasingly complex, advanced tools to support research and prototyping are needed. The new NI Ettus USRP X410 Software Defined Radio Platform is high performance and fully open source, allowing engineers to achieve a faster time to prototype and accelerate wireless innovation.

Engineering in the Cloud

What?? Engineering in the Cloud? One of the joys of having been around so long is to see technologies that some said they’d never use become commonplace.

When I switched to the “dark side of the force” and landed a job as a sales engineer, my first customer told me “I’ll never run a wire from a PLC to anywhere (other than I/O of course). I’ll also never use IEC motor starters in place of these big old NEMA starters.”

Oops. By the time I left to become a magazine editor, the plant had connected controllers and IEC starters all over the new production line.

Ethernet was another one.

Then there was cloud. A poorly chosen name, perhaps, denoting a mist that blocks the sun and rains on our parade. Or, it could just be a name for a server bank somewhere.

This is somewhat “old news”, but it is interesting simply from the point of view that we just keep adapting new technologies to better serve old needs.

In brief:

  • Beckhoff Introduces Smart Engineering Directly in the Cloud
  • TwinCAT Cloud Engineering provides a foundation for efficient IoT-based automation strategies

Beckhoff Automation has introduced new TwinCAT Cloud Engineering software for IoT and Industrie 4.0 applications. Users can instantiate and use existing TwinCAT engineering and runtime products directly in the cloud. The solution is easy to access from the Beckhoff website with a web browser and requires no additional software. In addition, TwinCAT Cloud Engineering enables registered users to work with the TwinCAT development environment even from previously unsupported devices, such as tablets.

TwinCAT Cloud Engineering adds a new dimension by providing users with an easy means of engineering TwinCAT instances and controllers in the cloud.

The TwinCAT Cloud Engineering instances generated by users can be connected to physical control hardware over a secure transport channel. Users not only have TwinCAT control architecture, but also distributed collaboration support through a source control repository. For new users in particular, having access to a TwinCAT Cloud Engineering instance in the cloud provides a foundation to learn how to work in the TwinCAT environment.

In addition, TwinCAT Cloud Engineering enables users to move their entire TwinCAT architecture to the cloud; the only difference versus a conventional TwinCAT environment is that they use a virtual machine instead of a local PC for engineering. One advantage is that users do not need to learn a new software environment but can simply continue to work in the same, familiar development environment. Another is that they do not have to install and maintain multiple software versions tailored to specific machine generations on their own PCs. Instead, users can run separate TwinCAT Cloud Engineering instances with different software versions, all of which they can access remotely whenever they need to. Project files are stored in a source code control repository that can be accessed directly from within TwinCAT Engineering.

Its modern source control integration makes connecting to Git-based systems and managing automation projects on them straightforward. TwinCAT Multi-User functionality enables simple, seamless access to a source control repository without the need for special technical expertise. Here, TwinCAT Cloud Engineering enables multiple users to work together on a number of instances at the same time, either by integrating a Git server into the instance or by using a Git-based cloud service.

Rockwell Automation Adds Computer Technology with Acquisition of ASEM

Rockwell Automation announced it has signed an agreement to acquire Italy-based ASEM, S.p.A., a leading provider of digital automation technologies. ASEM provides a complete range of Industrial PCs (IPCs), Human-Machine Interface (HMI) hardware and software, remote access capabilities, and secure Industrial IoT gateway solutions.

Here is the justification from Rockwell’s Communication people: “ASEM’s high-performance automation solutions enable The Connected Enterprise with smarter technology, enhanced productivity, and a more secure environment by integrating smart devices, the control platform, and design and operational software all on a single network.”

My friends in Italy (you can find my column in Italian in Automazione Oggi—Automation Today) tell me that ASEM is indeed a major Italian supplier. It is an interesting pick up. Rockwell acquired an Industrial PC company years ago and proceeded to gut it. I have a feeling that the new regime under Blake Moret has better strategies in mind.

The keyword I pick out centers on IIoT gateway solutions along with the “integrating smart devices…”

I’ve been closely watching the IT companies develop their compute platforms into gateways to serve as the data/information highway from the plant to the enterprise. I know that Rockwell is a target account for their sales groups. In fact, rival ABB has partnered with HPE.

Combine this technology with the close partnership with PTC/ThingWorx and there are many interesting possibilities. How Rockwell handles this acquisition will be indicative of whether Moret has shed the past and is forging a new future—or whether it was just an opportunistic buy to try to gain a European foothold with something to sell.

The transaction includes the purchase of a minority interest in ASEM held by KEB Group, Germany. Post-close, Rockwell Automation will maintain ASEM’s strategic supplier and technology partner relationship with KEB.

The transaction is expected to close in the spring of 2020, subject to customary approvals and conditions, and will be reported in the Architecture & Software business segment.

A Tablet Computer for Hazardous Environments

When Dell developed an Internet of Things (IoT) group, I began following it. The team developed a gateway compute device, brought together various groups within the company, along with many partners. But the market was evidently not large enough to sustain a group. Eventually IoT was moved into the OEM business and the entire team was either laid off or shuffled over to other groups.

Therefore, I found it refreshing that a large IT company not only could spell Class I, Div 2, but also developed a product for hazardous areas within petrochemical (and other) plants.

Dell positions its new rugged tablet as an element of digital transformation (of course), but the Latitude 7220EX Rugged Extreme Tablet has ATEX and IECEx certification for use in potentially explosive environments that will give technicians, operators, and engineers a mobile view into operations.

Dell customers in North America can expect to see Class I, Div 2 certification on the existing Dell Latitude 7220 Rugged Extreme tablet in the coming months. With the additional ATEX and IECEx certifications, which meet EU and international standards respectively, the Latitude 7220EX Rugged Extreme tablet will make it easier for customers to procure and deploy one platform across regions.

The Latitude 7220EX Rugged Extreme is an 11.6” fully rugged tablet featuring the brightest screen in an ATEX-certified tablet, for use in potentially explosive environments. Its 1000-nit screen improves viewability in direct sunlight, and it offers glove-touch capability. To balance device security with user accessibility, the Latitude 7220EX Rugged Extreme features a built-in infrared camera with “Windows Hello” facial recognition and an optional next-generation fingerprint reader.

Driving the Next Wave of Intelligent Edge Adoption

This week is IT week in my study of how IT and OT are coming together. I am in Las Vegas at the annual Hewlett Packard Enterprise (HPE) customer conference called Discover. This rather long post looks at many of the announcements that show how far HPE has come in its expansion into manufacturing.

An interesting point (and you can see some pictures on my Twitter feed @garymintchell) is that there is a manufacturing demo at the entrance into the show area this week. It demonstrates partnerships with PTC (CAD, augmented reality, and IoT), ABB (robotics in this case, more later), along with video and predictive maintenance analytics.

Following are summaries of a number of announcements at this very busy event that have an impact on manufacturing technology and use cases. This is what HPE calls the Edge, meaning, basically, not in the servers.

Things announced included new edge solutions, research labs, and programs to simplify and accelerate Intelligent Edge adoption, enabling customers to create unique digital experiences and leverage analytics and machine learning to adapt to changes in real-time.

The new offerings and programs include:

  • Major enhancements to Aruba Central, the only cloud-based platform that unifies network management, AI-powered analytics, user-centric service assurance and security for wired, wireless and WAN at the edge.
  • Integrations and new turnkey edge-to-cloud solutions, delivered with ABB, Microsoft, Rittal, and PTC, enabling real-time intelligence and control in industrial environments.
  • The Intelligent Edge and IoT Center of Excellence (CoE) and Labs, part of Hewlett Packard Labs, to develop and commercialize new capabilities and technologies that accelerate customers’ and partners’ Intelligent Edge journey.

HPE cites research suggesting that over the next decade, the Internet of Things (IoT) and related data growth have an economic potential of up to $11 trillion per year. To capture this potential, organizations need to implement an Intelligent Edge, an architecture that is fully connected, secured, distributed and autonomous. However, to scale the Intelligent Edge across the value chain, organizations need solutions that secure and simplify deployment and management, converge operational technology (OT) with IT and address the lack of skills and funding.

“The edge has emerged as the new center of the digital universe, opening up opportunities for organizations to create new digital experiences and gain competitive advantage,” said Keerti Melkote, founder and president, Aruba, a Hewlett Packard Enterprise company. “Today, we announce innovations that will enable our customers to capitalize on these experiences and opportunities by dramatically simplifying, securing and accelerating the deployment of the Intelligent Edge.”

Unified cloud-based platform

Siloed network management solutions are creating complexity and increasing time to remediation. To accelerate IT operations and allow IT professionals time to focus on innovation, Aruba is making significant enhancements to Aruba Central. With these enhancements, customers will benefit from AI-powered network analytics, improved security and user-centric assurance for wired, wireless and WAN edge infrastructures from a single point of control. Significant advancements include:

Advanced AI-powered analytics and assurance capabilities based on Aruba NetInsight and User Experience Insight allow IT professionals to resolve infrastructure problems quickly before they impact the organization. Now integrated into the Aruba Central cloud-based platform, Aruba’s Analytics and Assurance capabilities deliver IT professionals a way to quickly remediate intermittent network issues while also proactively identifying how to optimize customers’ infrastructures to ensure optimal experiences.

Software-defined branch (SD-Branch) and SD-WAN, managed on Aruba Central, is now enhanced with improved branch management and orchestration capabilities to centrally define business-intent policies to meet the hybrid cloud connectivity needs for distributed enterprises and reduce operational costs. The new SD-WAN Orchestrator in Aruba Central makes it easier for IT professionals to deploy flexible and secure overlay topologies in a large-scale edge infrastructure, connecting thousands of branch locations with multiple data centers. Aruba Virtual Gateways now available for AWS and Azure, combined with orchestration, cost-effectively extends network and security policies to workloads running in the public cloud. The new SaaS prioritization feature not only enhances the performance of SaaS applications but also provides visibility about the end-user experience for business-critical applications, such as Microsoft Office 365 and Salesforce.

Integrated in Aruba Central, Aruba ClearPass Device Insight provides IoT visibility and security via a single pane of glass, employing automated device discovery, and machine learning-based fingerprinting and identification. Used in conjunction with Aruba ClearPass Policy Manager and Aruba’s dynamic segmentation security capabilities, networking and security teams can automate unique policy enforcement down to each device and user.
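The fingerprinting-to-policy chain this paragraph describes is easier to reason about in code. The block below is an added illustration, not Aruba's ClearPass Device Insight code or its machine learning models; it shows the shape of the technique: derive a device class from several independently observed attributes (MAC OUI, DHCP option 55 parameter request list, DHCP hostname), map the class to a segmentation policy, and quarantine anything that is unrecognised or whose signals disagree. The lookup tables, vendor names, VLAN numbers and sample observations are constructed for the example and are not an authoritative fingerprint database.

```python
"""Device fingerprinting mapped to segmentation policy (added example, not vendor code).

Assumptions: the OUI table, DHCP option 55 signatures, vendor labels, VLANs and
sample observations below are constructed for illustration.
"""
from dataclasses import dataclass

# MAC OUI prefix -> vendor label (constructed values)
OUI_VENDOR = {
    "00:1b:1b": "controller-vendor-a",
    "00:80:f4": "controller-vendor-b",
    "3c:22:fb": "phone-vendor",
}
CONTROLLER_VENDORS = {"controller-vendor-a", "controller-vendor-b"}

# DHCP option 55 parameter request list -> device family (constructed values)
WINDOWS_PRL = (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252)
CONTROLLER_PRL = (1, 3, 6, 12, 15, 28, 42)
PHONE_PRL = (1, 121, 3, 6, 15, 119, 252, 95, 44, 46)
DHCP_FAMILY = {
    WINDOWS_PRL: "windows-host",
    CONTROLLER_PRL: "embedded-controller",
    PHONE_PRL: "phone",
}

# Device class -> segmentation policy (constructed values)
POLICY = {
    "plc":         {"vlan": 300, "allow": ["modbus-tcp", "ntp"], "internet": False},
    "workstation": {"vlan": 100, "allow": ["https", "dns", "ntp"], "internet": True},
    "mobile":      {"vlan": 200, "allow": ["https", "dns"], "internet": True},
    "quarantine":  {"vlan": 999, "allow": ["dns"], "internet": False},
}


@dataclass(frozen=True)
class Observation:
    mac: str
    dhcp_params: tuple  # DHCP option 55 as seen on the wire
    hostname: str       # DHCP option 12; attacker-controlled


def classify(obs):
    """Combine independent signals; disagreement means quarantine, not benefit of the doubt."""
    vendor = OUI_VENDOR.get(obs.mac.lower()[:8])
    family = DHCP_FAMILY.get(tuple(obs.dhcp_params))
    claims_controller = obs.hostname.upper().startswith(("PLC", "RTU"))

    if vendor in CONTROLLER_VENDORS and family == "embedded-controller":
        return "plc"
    # A controller OUI paired with a general-purpose host's DHCP profile is the
    # classic MAC-spoofing signature, and a hostname alone never earns PLC access.
    if vendor in CONTROLLER_VENDORS or claims_controller:
        return "quarantine"
    if vendor == "phone-vendor" and family == "phone":
        return "mobile"
    if family == "windows-host":
        return "workstation"
    return "quarantine"


def assign_policies(observations):
    """Return mac -> (device class, segmentation policy) for each observation."""
    result = {}
    for obs in observations:
        device_class = classify(obs)
        result[obs.mac] = (device_class, POLICY[device_class])
    return result


SAMPLE = [  # constructed observations
    Observation("00:1b:1b:aa:bb:01", CONTROLLER_PRL, "PLC-Line3"),   # genuine controller
    Observation("00:1b:1b:aa:bb:02", WINDOWS_PRL, "PLC-Line4"),      # laptop with spoofed OUI
    Observation("3c:22:fb:10:20:30", PHONE_PRL, "iPhone"),
    Observation("a4:bb:6d:00:11:22", WINDOWS_PRL, "ENG-WS-07"),
    Observation("a4:bb:6d:00:11:23", WINDOWS_PRL, "RTU-fake"),       # hostname claims OT role
    Observation("de:ad:be:ef:00:01", (1, 3), "unknown"),             # nothing recognised
]


if __name__ == "__main__":
    for mac, (cls, pol) in assign_policies(SAMPLE).items():
        print(f"{mac}  {cls:12s} vlan {pol['vlan']}")
```

The point a practitioner should take from it is in classify: an OUI is trivially spoofable and a hostname is attacker-controlled, so a device earns the PLC policy only when independent signals agree, and disagreement is treated as a finding to investigate rather than resolved in the device's favour.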

New network management workflow enhancements integrated into Aruba Central accelerate device provisioning through an automated mobile app and deliver network health views and troubleshooting across all locations, allowing IT to focus on delivering the needs of the business.

Flexibility in how to obtain and support edge infrastructure

To provide organizations more flexibility and choice in how they obtain and support their edge infrastructure, Aruba solutions are also available via HPE GreenLake for Aruba, a Network-as-a-Service (NaaS) subscription-based offering.

Turnkey edge-to-cloud solutions

In industrial environments, the Intelligent Edge requires an intricate interplay between sensors, actuators, networks, applications and infrastructures from edge to cloud. It also involves unique challenges including harsh environmental conditions, intermittent network connectivity and lack of qualified on-site staff. Consequently, such deployments are often costly, slow and vulnerable to security and reliability problems. To simplify, accelerate and secure deployments, HPE is launching pre-integrated turnkey edge-to-cloud solutions in collaboration with key industry partners:

The integration of ABB Ability Smart Sensor technology with Aruba access points is designed to deliver a scalable, high-performance wireless connectivity solution for operational technology (OT) equipment such as motors, mounted bearings and pumps. This allows industrial companies to capture valuable data and insights from their equipment to proactively monitor their condition and performance, and plan maintenance in advance in order to avoid costly and disruptive downtime.

Jointly developed by ABB, HPE, Microsoft and Rittal, the Secure Edge Data Center for Microsoft Azure Stack is the industry’s first enterprise-grade edge appliance for Microsoft Azure Stack, enabling real-time intelligence and action in harsh industrial environments, while providing seamless integration with Microsoft Azure. The appliance provides IP55-rated environmental protection, cooling, redundant power supply and distribution and automated management – allowing customers to run pre-configured, high-end enterprise applications in locations such as factories or oil rigs.

HPE Edgeline IoT Quick Connect dramatically simplifies the convergence of OT and IT, enabling customers to monitor and control OT equipment such as machines or motors in real time. Jointly delivered with Microsoft, HPE Edgeline IoT Quick Connect is based on the HPE Edgeline OT Link Platform, which connects OT devices, the HPE Edgeline EL300 Converged Edge System and Microsoft Azure IoT, a collection of cloud services to connect, monitor and control IoT assets.

Fast Start Condition Monitoring enables customers to set up condition monitoring within 90 days to deliver performance and availability of their OT equipment. An end-to-end solution implemented by HPE Pointnext Services, Fast Start Condition Monitoring is designed for customers who want to get started quickly with condition monitoring but lack the skills to do so. HPE Pointnext Services help define use cases, OT data sources and workflows, and implement pilots for proof of value, based on HPE Edgeline Converged Edge Systems, the HPE Edgeline OT Link Platform and PTC’s ThingWorx Industrial IoT platform.

The newly established Intelligent Edge and IoT CoE & Lab provides critical capabilities and technologies to HPE’s partners and customers to accelerate Intelligent Edge adoption. It will guide partner activities, M&A and research in the following areas:

  • Knowledge transfer to HPE’s channel partners to accelerate market adoption of the Intelligent Edge with the Channel to Edge Institute (CEI), a program which helps HPE’s channel partners gain the required expertise to effectively recommend, sell, implement and manage Intelligent Edge solutions for their customers. The CEI provides training on Intelligent Edge use cases and business cases and will deploy joint go-to-market programs with HPE’s channel and ecosystem partners.
  • Research programs to drive rapid commercialization of Intelligent Edge technologies that simplify edge-to-cloud management and OT-IT convergence and enable new use cases – this includes, among others, a unified provisioning, policy and security management across wired networks, Wi-Fi and 5G; the next generation of HPE’s first-of-a-kind HPE Edgeline Converged Edge Systems and HPE Edgeline OT Link Platform; and real-time video analytics for quality, security and customer experience applications.
