Security comes first to mind whenever we begin discussing connecting things in an industrial setting. And, of course, nothing connects things like the Industrial Internet of Things (IIoT). One place we often fail to consider in our security planning is at the endpoint of the network. Organizations and companies have been providing valuable assistance to developers by releasing best practices white papers. Here is one from a leading Industrial Internet organization.
The Industrial Internet Consortium (IIC) announced publication of the Endpoint Security Best Practices white paper. It is a concise document that equipment manufacturers, critical infrastructure operators, integrators and others can reference to implement the countermeasures and controls they need to ensure the safety, security and reliability of IoT endpoint devices. Endpoints include edge devices such as sensors, actuators, pumps, flow meters, controllers and drives in industrial systems, embedded medical devices, electronic control units in vehicle control systems, as well as communications infrastructure and gateways.
“The number of attacks on industrial endpoints has grown rapidly in the last few years and has severe effects. Unreliable equipment can cause safety problems, customer dissatisfaction, liability and reduced profits,” said Steve Hanna, IIC white paper co-author, and Senior Principal, Infineon Technologies. “The Endpoint Security Best Practices white paper moves beyond general guidelines, providing specific recommendations by security level. Thus, equipment manufacturers, owners, operators and integrators are educated on how to apply existing best practices to achieve the needed security levels for their endpoints.”
The paper explores one of the six functional building blocks from the IIC Industrial Internet Security Framework (IISF): Endpoint Protection. The 13-page white paper distills key information about endpoint device security from industrial guidance and compliance frameworks, such as IEC 62443, NIST SP 800-53, and the IIC IISF.
Equipment manufacturers, industrial operators and integrators can use the Endpoint Security Best Practices document to understand how countermeasures or controls can be applied to achieve a particular security level (basic, enhanced, or critical) when building or upgrading industrial IoT endpoint systems; the level an endpoint requires is determined through risk modeling and threat analysis.
“By describing best practices for implementing industrial security that are appropriate for agreed-upon security levels, we’re empowering industrial ecosystem participants to define and request the security they need,” said Dean Weber, IIC white paper co-author, and CTO, Mocana. “Integrators can build systems that meet customer security needs and equipment manufacturers can build products that provide necessary security features efficiently.”
While the white paper is primarily targeted at improving the security of new endpoints, the concepts can be used with legacy endpoints by employing gateways, network security, and security monitoring.
The full Endpoint Security Best Practices white paper and a list of IIC members who contributed can be found on the IIC website.
Let me try to summarize a number of other news items gleaned from the ARC Forum featuring edge computing, IIoT Platforms, and technology. When ARC’s Paul Miller told me it would be the best ever, he turned out not to be exaggerating. More people, more news.
Stratus Technologies, known for years for secure servers, released an edge computing device. Interest in computing at the edge of the network has blossomed lately, with many companies releasing products. Lots of choices for users.
Integration Objects, firmly within another important trend, introduced an Industrial Internet of Things (IIoT) Platform. I’m beginning to see articles about users latching on to these platforms rather than building their own ad hoc connections among IoT devices and applications.
UL discussed standards with me during the show. The company, known for developing safety standards and then testing for compliance, has also developed a security standard, and it tests to that for compliance.
HIMA is another company combining safety and security technologies. There is so much in common between the two–especially thought processes and planning.
Yokogawa has extended and rebranded its process automation offering, now called Synaptic Business Automation. Among other things, it has refined the dashboard into a “karaoke” style.
Bentley Systems discussed the combining of engineering design tools with digital photography and other digital technologies to better represent the engineering and design of a plant. This is the most cutting edge technology I saw during the week, but I cannot do it justice in a paragraph. I encourage a tour of the Website.
Cybersecurity, digitalization, and asset performance management headlined the various press events with Schneider Electric at the recent ARC Forum. I took notes from Kim Cousteau’s presentation on APM at the main press conference and expected a follow up press release for details. I have not received one yet.
Remember the “reverse acquisition” of Aveva where Schneider Electric placed all of its software divisions into Aveva and then took a 60% share in the company? The deal is about to close. Schneider spokespeople assured me that digitalization is proceeding apace with the leveraging of Aveva design through construction applications into operations and maintenance applications—Schneider’s strong suit. This, on paper, brings the company into the competitive marketplace with Siemens and its UGS acquisition of several years ago. This is an interesting area to watch.
Schneider called a special press event, with lunch, to talk specifically about cybersecurity. This was a response to an incident in which the company’s Triconex safety system earned some publicity—not always accurately portrayed. The incident was a cyber attack that created a condition the safety system caught, initiating a safe shutdown.
However, the event caused renewed concern for cyber defense. ARC Vice President, Larry O’Brien, said, “This is a wake-up call for people to follow existing security standards.” Gary Freburger, who heads that division of Schneider, said, “It’s everybody’s job.”
We received this official statement from Peter Martin, vice president of business innovation and marketing, Schneider Electric:
At Schneider Electric, we heartily encourage all collaborative efforts to strengthen cybersecurity. The growing problem of cybersecurity is not specific to any single company, institution or country. Rather, it’s a threat to business and public safety that can only be addressed and resolved when suppliers, customers, integrators, developers, standards bodies and government agencies work together. This collaboration starts with common standards, agreed-upon rules, appropriate funding and active cooperation. It extends beyond national borders and transcends competitive interests.
Schneider Electric continues to work diligently with our customers, partners, developers and industry peers to make the shift from reactive to proactive cybersecurity management through compliance with evolving industry standards, agreement that cybersecurity is a journey not a destination, and a commitment to standing together in the face of cyber threats.
Today, we commend the signatories to the “Charter of Trust.” It’s another important step toward ensuring that the promise of digital transformation and automation will prevail over the threat of cyberterrorism.
Regarding APM, Kim Cousteau discussed a new release of Avantis that expanded machine learning from the power industry to oil & gas. For maintenance, it incorporates a team system for operator rounds and improved workflow. It incorporates augmented reality and virtual reality (AR/VR) “because workers are so new and need help to get up to speed.” Look for updated analytics to aid in catching anomalies ahead of failure. She cited a customer who has been tracking savings from this feature alone and is up to $65 million.
Bedrock Automation, whose products are built for security from the chips up, had a flurry of activity at the ARC Industry Forum in Orlando last week. It announced a firmware upgrade, OPC UA and partnerships for its SCADA product, and anomaly detection. Here’s a teaser—CEO and Founder Albert Rooyakkers pulled out a new piece of hardware. He didn’t have a release or specs for me, but watch for a new, lower cost, SCADA or gateway device hardened and built with security in mind from the chips up.
Bedrock and OPC UA
Bedrock Automation has published a concise, easy-to-deploy interface specification that enables users and application developers to take advantage of the security capabilities of OPC UA communications software. By following the simple procedures outlined in the Bedrock SCADA Security Platform Specification, developers can upgrade any OPC UA compliant client into a highly secure OPC UA channel, across which users can exchange data between plant floor operations and SCADA applications. Three leading SCADA software developers, Inductive Automation, ICONICS and TATSOFT, are committing and releasing support to the Bedrock interface specification.
“OPC UA provides unique cyber security advantages enabling open communications across numerous industrial devices and applications and providing the end-users options for integrating authentication keys protecting those communications. The most secure OPC level is to authenticate those keys against a known root of trust, which Bedrock supplies via a certificate authority (CA), validated against cryptographic keys built into its controller,” said Thomas J. Burke, OPC Foundation President and Executive Director, adding “Bedrock Automation is a clear leader in supporting the OPC UA standards, and provides information integration and communication that the end users have been demanding.”
Bedrock designs and sources its own secure semiconductor components with encryption and authentication technologies embedded at the “birth” of their modules, assembled and tested by Bedrock in their cyber secure supply chain. The unique design then draws on the power and flexibility of public key infrastructure (PKI) and Transport Layer Security (TLS) standards similar to those used to secure ecommerce transactions and military and aerospace electronics. Bedrock Automation then uses those securely embedded keys as the basis for digital certificates that manage access and communication between SCADA applications and control systems. Bedrock Cybershield 3.0 firmware is the first control system to offer an embedded PKI for SCADA applications.
“Such a simple specification demonstrates that Open and Secure SCADA can be deployed today, and that an applications interface does not have to be thousands or even hundreds of pages. We are pleased to be working with innovative SCADA software providers such as Inductive Automation, ICONICS and TATSOFT, to help them and their customers take advantage of the secure communications capabilities of OPC UA and the intrinsic security of the Bedrock platform,” said Rooyakkers.
Bedrock Automation also announced the availability of Cybershield 3.0, a major firmware upgrade with advancements that make it easier for end users and developers to build control applications that are both open and secure. Among the six major innovations facilitated by the Cybershield 3.0 upgrade are the first public key infrastructure (PKI) built into an OPC UA server for SCADA applications; an industrial Certificate Authority (CA) for user key management; virtual crypto key locks for the controller; and a Secure Proxy server capability that can protect legacy control systems of other vendors.
“Cybershield 3.0 is one of the most significant steps forward since the release of our Bedrock OSA platform. We now support leading SCADA companies in integrating their OPC UA client to our open security and key management tools. In addition, we start our march to converge IT cyber detection technologies into real-time OT automation with our integrated Anomaly Detection (AD) tools built into every controller. We are delivering secure SCADA and AD as intrinsic and zero-cost advancements, focused acutely on ease of use and reductions in lifecycle costs,” said Bedrock founder and CEO Albert Rooyakkers.
Bedrock Cybershield 3.0 includes the following capabilities:
1) Secure Open SCADA with OPC UA. The cryptographic keys built into all the Bedrock system electronics provide the root of trust for the Bedrock Certificate Authority (CA) that verifies the reliability of OPC UA-managed communications between SCADA and PLCs or other industrial control systems.
2) Open Certificate Authority (CA) for SCADA. This advanced SaaS key and certificate management tool is not only FREE to our customers but is simple to deploy with our Secure SCADA Interface Specification. Leading SCADA providers, including Inductive Automation, ICONICS and Tatsoft, are committing to and releasing support to this interface specification.
3) Intrusion detection. Even though the Bedrock control system has protection built into its core, users still need to know when system security is challenged. Cybershield 3.0 comes standard with intrinsic Anomaly Detection (AD) functionality that continuously monitors the controller’s network and system time to detect intrusions and anomalous behavior and report it to both SCADA and enterprise database applications for trending, alarming and historizing anomalous cyber activity.
4) Quickly Secure Legacy Automation with Secure SCADA. Companies can now use Bedrock security to help integrate open standard communications protocols with legacy PLC and DCS systems from other vendors. A Bedrock secure controller module acts as a gateway between the SCADA platform workstation and the legacy controllers.
5) Cryptographic key locking. Cybershield 3.0 also includes a cryptographic controller engineering key lock that permits only users with the required credentials to change the mode of the controller.
6) Achilles and EMP compliance on power supplies. Bedrock Automation is certifying its standalone power supply and standalone uninterruptible lithium power supply to both MIL-STD-461G, the military standard for advanced EMP hardening, and Achilles Level 2 certification, augmenting the EMP and Achilles certification achieved for its control system modules last year.
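The chain of trust described in the paragraph on Bedrock’s embedded keys and in items 1 and 2 above (a key held by the controller, a certificate for that key signed by a site certificate authority, and verification of that certificate by the OPC UA client) can be shown end to end. The Go program below is an added example written for this post; it is not Bedrock’s code or its interface specification. It uses only Go’s standard library, generates the “embedded” controller key in software rather than reading it from silicon, and the names “Plant Root CA”, “controller-01” and the application URI urn:plant:controller-01 are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// newKey stands in for key material the post says is embedded in the controller
// silicon at manufacture; assumption here: it is simply generated in software.
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewIndustrialCA creates the self-signed root that plays the site CA ("Plant Root CA" is a made-up name).
func NewIndustrialCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Plant Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueDeviceCert has the CA sign a certificate binding one controller's public key to its
// OPC UA application URI (carried as a SAN, which is where OPC UA clients look for it).
func IssueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, devPub *ecdsa.PublicKey, appURI string) (*x509.Certificate, error) {
	uri, err := url.Parse(appURI)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "controller-01"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(2 * 365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{uri},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, devPub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyDevice is the check a SCADA-side OPC UA client performs on connect: chain the
// presented certificate to the trusted root, honouring validity period and key usage.
func VerifyDevice(dev, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := dev.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// BuildTrustChain runs the whole flow: site CA, controller key, signed device certificate.
func BuildTrustChain(appURI string) (root, dev *x509.Certificate, err error) {
	root, caKey, err := NewIndustrialCA()
	if err != nil {
		return nil, nil, err
	}
	devKey, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	dev, err = IssueDeviceCert(root, caKey, &devKey.PublicKey, appURI)
	return root, dev, err
}

func main() {
	root, dev, err := BuildTrustChain("urn:plant:controller-01")
	if err != nil {
		panic(err)
	}
	fmt.Println("device cert chains to the plant root:", VerifyDevice(dev, root) == nil)
	otherRoot, _, _ := NewIndustrialCA()
	fmt.Println("device cert chains to an unrelated root:", VerifyDevice(dev, otherRoot) == nil)
}
```

The second check in main is the point of a root of trust: a certificate issued by any other CA, even one with the same subject name, is rejected because its signature does not verify against the plant root’s key. In a real deployment the client would also compare the URI in the certificate with the ApplicationUri the server advertises, and the CA would keep a revocation list for controllers taken out of service.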
“Today’s increasingly connected environment drives the process industries to search for automation solutions that deliver the benefits of open communications with ‘baked in’ cybersecurity. By extending its secure automation technology to third-party software providers, Bedrock Automation addresses this key pain point of future automation requirements. ARC believes the intrinsic and no-cost approach of Bedrock’s cybersecurity strategy is the quintessential component missing in control systems, today,” writes ARC analyst Mark Sen Gupta in his recent report, Bedrock Automation’s Open Secure Automation a “Win” with End Users.
Bedrock Open Secure Automation (OSA™) firmware will include intrinsic Anomaly Detection (AD). Bedrock OSA AD will be available as standard integrated functionality that continuously monitors the controller’s network and system time to detect intrusions and anomalous behavior.
“Preventing control system intrusion is fundamental to holistic cyber security. In addition, users need to know when the system security is being challenged. This is the role of anomaly detection. At no additional cost or complexity for the user, Bedrock’s AD delivers additional assurance that no one is tampering with your automation,” said Rooyakkers. Bedrock Anomaly Detection includes the following functionality:
• Dynamic Port Connection Monitoring, which records all attempts to connect any controller or communication point and captures identifying information on the intruder
• Network Port Scanning, which detects if hackers are scanning for open ports that might provide access to the control network
• System Time Monitoring, which detects attempts to manipulate log files to conceal malicious activity
• Cryptographic Controller Engineering Key Lock, which permits only users with valid user credentials to change the configuration and operation mode of the controller and records all access
• Intrusion Event Logging, which records all detected anomalies and reports them to SCADA software through OPC UA and standard database access for historian, alarming, and trending functions. Additionally, a tri-color status LED on the faceplate of Bedrock Controllers provides indication locally whenever an intrusion is detected.
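Two of the functions listed above, Network Port Scanning detection and System Time Monitoring, come down to detection logic a defender can reason about on paper: a port scan is one source touching many distinct ports in a short window, and a manipulated system time shows up as the wall clock disagreeing with a monotonic uptime counter. The Go program below is an added example written for this post, not Bedrock’s AD implementation. The log line format, the addresses 10.1.1.20 and 10.1.1.99, the ports, the clock readings and the thresholds (four distinct ports within a minute; two seconds of clock tolerance) are all constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

type ConnAttempt struct { // one parsed connection attempt against a controller port
	At         time.Time
	Src, DPort string
}

type ClockSample struct { // the controller's wall clock paired with its monotonic uptime counter
	Uptime time.Duration
	Wall   time.Time
}

type Event struct{ Kind, Detail string } // anomaly record of the kind forwarded to SCADA or a historian

// ParseLine parses a constructed line "<RFC3339> src=<ip> dport=<port> ..." (the rest is ignored).
func ParseLine(line string) (ConnAttempt, error) {
	var ts, src, port string
	if n, _ := fmt.Sscanf(line, "%s src=%s dport=%s", &ts, &src, &port); n != 3 {
		return ConnAttempt{}, fmt.Errorf("unexpected line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, ts)
	if err != nil {
		return ConnAttempt{}, err
	}
	return ConnAttempt{At: at, Src: src, DPort: port}, nil
}

// DetectPortScans reports a source once it has touched at least minPorts distinct ports
// inside a sliding window, then resets that source. Attempts must be in time order.
func DetectPortScans(attempts []ConnAttempt, window time.Duration, minPorts int) []Event {
	recent := map[string][]ConnAttempt{} // per source: attempts still inside the window
	var events []Event
	for _, a := range attempts {
		r := append(recent[a.Src], a)
		for a.At.Sub(r[0].At) > window { // expire attempts older than the window
			r = r[1:]
		}
		recent[a.Src] = r
		ports := map[string]bool{}
		for _, x := range r {
			ports[x.DPort] = true
		}
		if len(ports) >= minPorts {
			delete(recent, a.Src) // start over so continued scanning is re-reported, not every packet
			events = append(events, Event{"port_scan", fmt.Sprintf("%s touched %d ports within %s, last at %s", a.Src, len(ports), window, a.At.Format(time.RFC3339))})
		}
	}
	return events
}

// DetectClockSteps compares the wall-clock change between samples with the change in monotonic
// uptime; a mismatch beyond tolerance (a backward step above all) means the system time was altered.
func DetectClockSteps(samples []ClockSample, tolerance time.Duration) []Event {
	var events []Event
	for i := 1; i < len(samples); i++ {
		wall := samples[i].Wall.Sub(samples[i-1].Wall)
		up := samples[i].Uptime - samples[i-1].Uptime
		if drift := wall - up; drift > tolerance || -drift > tolerance {
			events = append(events, Event{"clock_step", fmt.Sprintf("wall clock moved %s while uptime advanced %s", wall, up)})
		}
	}
	return events
}

// Constructed sample log (not real traffic): a legitimate OPC UA client at 10.1.1.20, a host at 10.1.1.99 walking ports.
var SampleLog = []string{
	"2024-01-15T08:00:00Z src=10.1.1.20 dport=4840 result=accepted",
	"2024-01-15T08:00:01Z src=10.1.1.99 dport=22 result=refused",
	"2024-01-15T08:00:01Z src=10.1.1.99 dport=102 result=refused",
	"2024-01-15T08:00:02Z src=10.1.1.99 dport=502 result=refused",
	"2024-01-15T08:00:02Z src=10.1.1.99 dport=4840 result=accepted",
	"2024-01-15T08:05:00Z src=10.1.1.20 dport=4840 result=accepted",
}

// Constructed clock samples: clock and uptime agree for a minute, then the clock is set back 31 minutes.
var SampleClock = []ClockSample{
	{Uptime: 100 * time.Second, Wall: time.Date(2024, 1, 15, 8, 0, 0, 0, time.UTC)},
	{Uptime: 160 * time.Second, Wall: time.Date(2024, 1, 15, 8, 1, 0, 0, time.UTC)},
	{Uptime: 220 * time.Second, Wall: time.Date(2024, 1, 15, 7, 30, 0, 0, time.UTC)},
}

func main() {
	var attempts []ConnAttempt
	for _, l := range SampleLog {
		a, err := ParseLine(l)
		if err != nil {
			panic(err)
		}
		attempts = append(attempts, a)
	}
	for _, e := range append(DetectPortScans(attempts, time.Minute, 4), DetectClockSteps(SampleClock, 2*time.Second)...) {
		fmt.Printf("%-10s %s\n", e.Kind, e.Detail)
	}
}
```

Run as written it reports one port_scan event for 10.1.1.99 and one clock_step event for the 31-minute backward step, while the legitimate client’s two connections five minutes apart stay silent because the window has expired between them. Comparing against uptime rather than against an external time source is what makes the clock check usable on an isolated controller: an attacker who can set the wall clock cannot rewind a monotonic counter.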
The one industry conference where manufacturing industry insiders network and discuss the latest technologies, standards, and applications occurs a little later this year at the ARC Forum Orlando from Feb. 12-15.
This year’s theme is Digitizing and Securing Industry, Infrastructure, and Cities. You can meet me here as I head south for the 21st straight year. I always take away something from the event. ARC Advisory Group’s Paul Miller tells me that this year is shaping up to be one of the best.
Read about the conference from the organizer’s promotion material:
It’s happening fast. Everywhere we turn, things and processes are becoming more connected and intelligent. Streetlights, cars, gas turbines, and thermostats stream data. Buildings, refineries, oil platforms, mines, and wind turbines are optimizing asset and operating performance. Parking meters and distributed power grids deliver value to both consumers and operators. Design software can link to additive machines to print parts directly. And it’s only the beginning.
Challenges continue to grow for the industrial cybersecurity community. Broader deployment of operational technology is expanding the use cases requiring protection. Resource shortages are undermining the effectiveness of established defenses. Blurring boundaries between IT, OT, and IoT are increasing the need for more integrated, collaborative cybersecurity strategies.
How will disruptive technologies change existing products, plants, and cities? Can cybersecurity threats be overcome? When will machine learning and artificial intelligence transform operations? Will open source solutions impact traditional software and automation domains? How will a digitally-enhanced workforce stem the loss of tribal knowledge? How do connected products create opportunities in aftermarket services? What steps can organizations take to foster innovative thinking?
There are countless ways to conduct your digital transformation journey, too many technologies and suppliers to evaluate, and endless choices to make along the way. Embedded systems, networks, software platforms, augmented reality, and machine learning may play a role as you begin to improve uptime, optimize operating performance, enhance service, and re-think business models.
Cyber security is on the mind of all of us. The Internet of Things, digital factory, Industry 4.0, and all of the new strategies for improving manufacturing and production efficiencies contain a common element. They all inherently contain connections that can possibly be attacked by cyber hackers.
We are all concerned with foreign government attacks that can blow up facilities, poison water supplies, and other doomsday scenarios we can imagine. However, most hackers are really after a pay day. A big pay day. They can hold your process—and your business—hostage until you fork over some cash.
I have had many interesting cybersecurity conversations with Albert Rooyakkers, founder and CEO of Bedrock Automation. He has built a powerful controller with security designed in from the chips on up. He’s been touting the “Open Secure Automation (OSA)” platform lately.
The company just released a new white paper on the cyber security vulnerabilities and defense of industrial control systems. The 20-page document, Securing Industrial Control Systems – Best Practices, covers the threat landscape and presents a holistic approach to defending it, including assessing risk, physical security, network security, workstation and server security, as well as the fundamentals of OSA.
I just read it and found it informative. You can download it here along with the previous three papers in the series.
“As we discuss cyber security with users of automation, we find that many are aware of the threat potential but are not sure if they are doing enough to protect themselves. We saw the need for a technical paper that explains both the mindset and motives of an attacker, as well as the tools and technologies of defense. This paper defines the issues in a practical, holistic way while providing recommendations on how to begin and sustain best practices for cyber defense,” said Rooyakkers.
The first half of the paper covers conventional cyber security practices that apply to all industrial control systems. It provides an assessment of the threats, including drive-by attacks, advanced persistent threats (APTs), espionage, process attacks, and ransomware. It also looks at assessing the related risks, with an introduction to Process Hazards Analysis (PHA) and Hazards and Operability (HAZOP) methodologies used to identify malfunctions that might harm people, the process, or the environment.
To assist with risk assessment, the paper provides an overview of conventional protection practices. This includes network segmentation, firewalls, and DMZs; managing workstations, servers, end-users, and applications; and implementing active defense measures, including security event monitoring and management.
The second part of the paper is devoted to more recent techniques, based on the application of intrinsic cyber security advances that have been applied in military, aerospace, and ecommerce, and are now being used to protect industrial control systems. These create a hardware endpoint root of trust that combines advanced cryptography, digital signing techniques, an industrial certificate authority, and public key infrastructure (PKI) built into the control system to create an infrastructure for user defense.
The paper also presents the features of the Bedrock Open Secure Automation platform, which embraces the best practices discussed and details the process by which they can be applied to legacy and new systems.