Standards are useful, sometimes even essential. Standard sizes of shipping containers enable optimum ship loading/unloading. Standard railroad gauges and cars enable standard shipping containers to move from ship to train, and eventually even to tractor/trailer rigs to get products to consumers.
Designing and producing to standards can be challenging, hence the value of best practices.
Taking this to the realm of Industrial Internet of Things where data security, privacy and trustworthiness are essential, the Industrial Internet Consortium (IIC) has published the Data Protection Best Practices White Paper. I very much like these collaborative initiatives that help engineers solve real world problems.
Designed for stakeholders involved in cybersecurity, privacy and IIoT trustworthiness, the paper describes best practices that can be applied to protect various types of IIoT data and systems. The 33-page paper covers multiple adjacent and overlapping data protection domains, for example data security, data integrity, data privacy, and data residency.
I spoke with the lead authors and came away with a sense of the work involved. Following are some highlights.
Failure to apply appropriate data protection measures can lead to serious consequences for IIoT systems such as service disruptions that affect the bottom-line, serious industrial accidents and data leaks that can result in significant losses, heavy regulatory fines, loss of IP and negative impact on brand reputation.
“Protecting IIoT data during the lifecycle of systems is one of the critical foundations of trustworthy systems,” said Bassam Zarkout, Executive Vice President, IGnPower and one of the paper’s authors. “To be trustworthy, a system and its characteristics, namely security, safety, reliability, resiliency and privacy, must operate in conformance with business and legal requirements. Data protection is a key enabler for compliance with these requirements, especially when facing environmental disturbances, human errors, system faults and attacks.”
Categories of Data to be Protected
Data protection touches on all data and information in an organization. In a complex IIoT system, this includes operational data from things like sensors at a field site; system and configuration data like data exchanged with an IoT device; personal data that identifies individuals; and audit data that chronologically records system activities.
Different data protection mechanisms and approaches may be needed for data at rest (data stored at various times during its lifecycle), data in motion (data being shared or transmitted from one location to another), or data in use (data being processed).
“Security is the cornerstone of data protection. Securing an IIoT infrastructure requires a rigorous in-depth security strategy that protects data in the cloud, over the internet, and on devices,” said Niheer Patel, Product Manager, Real-Time Innovations (RTI) and one of the paper’s authors. “It also requires a team approach from manufacturing, to development, to deployment and operation of both IoT devices and infrastructure. This white paper covers the best practices for various data security mechanisms, such as authenticated encryption, key management, root of trust, access control, and audit and monitoring.”
“Data integrity is crucial in maintaining physical equipment protection, preventing safety incidents, and enabling operations data analysis. Data integrity can be violated intentionally by malicious actors or unintentionally due to corruption during communication or storage. Data integrity assurance is enforced via security mechanisms such as cryptographic controls for detection and prevention of integrity violations,” said Apurva Mohan, Industrial IoT Security Lead, Schlumberger and one of the paper’s authors.
Data integrity should be maintained for the entire lifecycle of the data from when it is generated, to its final destruction or archival. Actual data integrity protection mechanisms depend on the lifecycle phase of the data.
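The integrity mechanism the authors describe (cryptographic controls that detect modification at every lifecycle phase) is easy to show concretely. The block below is an added example for this post, not code from the IIC white paper: it tags constructed sensor records with HMAC-SHA256 when they are generated, re-verifies them at rest or in motion, and adds a sequence check because a tag alone cannot detect a replayed or dropped record. The key, the record layout and the tamper scenario are all constructed for illustration.

```python
"""Integrity protection for IIoT sensor records with HMAC-SHA256.

Added example; not code from the IIC white paper. Key, record layout and
the tamper/replay scenario are constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed key for the example. In a deployment it comes from the key
# management system the paper discusses and is never hard-coded in source.
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")


def canonical_bytes(record: dict) -> bytes:
    """Deterministic serialization: same content -> same bytes -> same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(record: dict, key: bytes) -> dict:
    """Attach the integrity tag when the record is generated (start of its lifecycle)."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"record": dict(record), "tag": tag}


def verify_record(sealed: dict, key: bytes) -> bool:
    """Recompute the tag (at rest, in motion or in use) and compare in constant time.
    False means the record content or the tag was changed, or the key is wrong."""
    expected = hmac.new(key, canonical_bytes(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def verify_batch(sealed_records: list, key: bytes) -> list:
    """Check every tag plus ordering. An HMAC alone does not catch a replayed or
    dropped record, so 'seq' must be strictly increasing across the batch."""
    problems = []
    last_seq = None
    for sealed in sealed_records:
        seq = sealed["record"].get("seq")
        if not verify_record(sealed, key):
            problems.append((seq, "tag mismatch: record or tag modified"))
        if last_seq is not None and (seq is None or seq <= last_seq):
            problems.append((seq, "sequence not increasing: replay or loss"))
        if seq is not None:
            last_seq = seq
    return problems


def demo() -> dict:
    """Constructed readings from a hypothetical field site, then three failure modes."""
    readings = [
        {"seq": 1, "sensor": "pressure-01", "value": 42.1, "unit": "bar"},
        {"seq": 2, "sensor": "pressure-01", "value": 42.3, "unit": "bar"},
        {"seq": 3, "sensor": "pressure-01", "value": 42.2, "unit": "bar"},
    ]
    sealed = [seal_record(r, DEMO_KEY) for r in readings]

    # Corruption in storage: a value changes but the stored tag is left alone.
    tampered = [dict(s, record=dict(s["record"])) for s in sealed]
    tampered[1]["record"]["value"] = 99.9
    # Replay in transit: the second record is delivered again after the third.
    replayed = sealed + [sealed[1]]

    return {
        "clean": verify_batch(sealed, DEMO_KEY),
        "tampered": verify_batch(tampered, DEMO_KEY),
        "replayed": verify_batch(replayed, DEMO_KEY),
        "wrong_key": verify_record(sealed[0], b"\x00" * 32),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The canonical JSON step matters: if the producer and the verifier serialize the same reading differently (key order, whitespace), every tag fails and the integrity check becomes noise that operators learn to ignore.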
As a prime example of data privacy requirements, the paper focuses on the EU General Data Protection Regulation (GDPR), which grants data subjects a wide range of rights over their personal data. The paper describes how IIoT solutions can leverage data security best practices in key management, authentication and access control to support GDPR-centric privacy processes.
The Data Protection Best Practices White Paper complements the IoT Security Maturity Model Practitioner’s Guide and builds on the concepts of the Industrial Internet Reference Architecture and Industrial Internet Security Framework.
The Data Protection Best Practices White Paper and a list of IIC members who contributed to it can be found on the IIC website.
Cybersecurity is in the news more often than violence or politics, it seems. Last week I received two important pieces of news—both reported below. The first details vulnerabilities found in VxWorks—the most widely used real-time operating system forming the foundation for process control. The other news concerns a survey of executives that shows continued cyber attacks on industrial systems.
Zero Day Vulnerabilities
Enterprise IoT security company Armis announced the discovery of 11 zero-day vulnerabilities, 6 of them critical, collectively known as “URGENT/11.” They affect Wind River® VxWorks versions since 6.5 that include the IPnet stack. Updated releases have been provided. URGENT/11 does not impact versions of the product designed for certification, such as VxWorks 653 and VxWorks Cert Edition.
VxWorks, the leading real-time operating system (RTOS), is used in more than two billion devices across industrial, medical and enterprise environments such as mission-critical systems including SCADA, elevator and industrial controllers, patient monitors and MRI machines, as well as firewalls, routers, satellite modems, VOIP phones and printers. If exploited, URGENT/11 could allow a complete takeover of the device and cause disruption on a scale similar to what resulted from the EternalBlue vulnerability.
“VxWorks is the most widely used operating system you may never have heard of,” said Ben Seri, vice president of research at Armis. “A wide variety of industries rely on VxWorks to run their critical devices in their daily operations—from healthcare to manufacturing and even security businesses. This is why URGENT/11 is so important. The potential for compromise of critical devices and equipment especially in manufacturing and healthcare is a big concern.”
URGENT/11 includes six Remote Code Execution (RCE) vulnerabilities that could give an attacker full control over a targeted device, via unauthenticated network packets. Any connected device leveraging VxWorks that includes the IPnet stack is affected by at least one of the discovered vulnerabilities. They include some devices that are located at the perimeter of organizational networks that are internet-facing such as modems, routers and firewalls. Any vulnerability in such a device may enable an attacker to breach networks directly from the internet. Devices protected by perimeter security measures also can be vulnerable once the devices create TCP connections to the internet. These connections can be hijacked and used to trigger the discovered TCP vulnerabilities, allowing attackers to take over the device and access the internal network.
“URGENT/11 could allow attackers to remotely exploit and take over mission critical devices, bypassing traditional perimeter and device security. Every business with these devices needs to ensure they are protected,” said Yevgeny Dibrov, CEO and co-founder of Armis. “The vulnerabilities in these unmanaged and IoT devices can be leveraged to manipulate data, disrupt physical world equipment, and put people’s lives at risk.”
VxWorks is pervasive and trusted due to its rigorous and high-achieving safety certifications and its high degree of reliability and real-time accuracy. In its 32-year history, only 13 Common Vulnerabilities and Exposures (CVEs) have been listed by MITRE as affecting VxWorks. Armis discovered unusually low-level vulnerabilities within the IPnet stack affecting these specific VxWorks versions released in the last 13 years, from versions 6.5 and above. These are the most severe vulnerabilities found in VxWorks to date.
The IPnet networking stack was acquired by Wind River through its acquisition of Interpeak in 2006. Prior to the acquisition, the stack was broadly licensed to and deployed by a number of real-time operating system vendors.
Wind River has been working in collaboration with Armis on this matter, and customers were notified and issued patches to address the vulnerabilities last month. To the best of both companies’ knowledge, there is no indication the URGENT/11 vulnerabilities have been exploited.
Organizations deploying devices with VxWorks should patch impacted devices immediately. More information can be found in the Wind River Security Alert posted on the company’s Security Center.
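Before anyone can “patch impacted devices immediately” they need to know which inventory rows are in scope, and version-string comparison is where such triage scripts usually go wrong. The block below is an added example, not Armis or Wind River code: it encodes only what the announcement states (VxWorks 6.5 and later with the IPnet stack; VxWorks 653 and Cert Edition not affected), treats an unknown version as in scope until proven otherwise, and orders internet-facing devices first because the announcement singles out perimeter devices. The inventory rows, field names and the `patched` flag (meant to reflect the owner’s own records against the Wind River Security Alert) are constructed assumptions.

```python
"""Triage an asset inventory for the VxWorks family URGENT/11 affects.

Added example, not Armis or Wind River code. Inventory rows and field names
are constructed; the rule reflects only the public announcement and leaves
the patched/unpatched decision to the asset owner's records.
"""
from typing import Optional, Tuple

AFFECTED_FROM = (6, 5)                       # "versions since 6.5"
EXEMPT_EDITIONS = {"653", "Cert Edition"}    # certification editions not affected


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """'6.9.4' -> (6, 9, 4). Numeric tuples compare correctly, whereas comparing
    the raw strings would rank a hypothetical '6.10' below '6.5'. None if unparsable."""
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None


def triage(asset: dict) -> str:
    """Classify one inventory row into one of:
    not-vxworks, exempt-edition, version-unknown, below-6.5, no-ipnet,
    patched-per-records, PATCH-NOW."""
    if asset.get("os", "").lower() != "vxworks":
        return "not-vxworks"
    if asset.get("edition") in EXEMPT_EDITIONS:
        return "exempt-edition"
    version = parse_version(asset.get("version", ""))
    if version is None:
        return "version-unknown"          # cannot rule it out: treat as in scope
    if version < AFFECTED_FROM:
        return "below-6.5"
    if not asset.get("has_ipnet", True):  # unknown stack -> assume IPnet present
        return "no-ipnet"
    if asset.get("patched"):
        return "patched-per-records"
    return "PATCH-NOW"


def prioritize(assets: list) -> list:
    """Return (name, status) for rows needing action, internet-facing first,
    confirmed-affected before unknown-version, then by name."""
    rows = [(a["name"], triage(a), bool(a.get("internet_facing"))) for a in assets]
    urgent = [r for r in rows if r[1] in ("PATCH-NOW", "version-unknown")]
    urgent.sort(key=lambda r: (not r[2], r[1] != "PATCH-NOW", r[0]))
    return [(name, status) for name, status, _ in urgent]


# Constructed inventory for the example (names, versions and flags are illustrative).
INVENTORY = [
    {"name": "edge-router-01", "os": "VxWorks", "version": "6.9", "has_ipnet": True,
     "internet_facing": True, "patched": False},
    {"name": "plc-line-3", "os": "VxWorks", "version": "6.8", "has_ipnet": True,
     "internet_facing": False, "patched": False},
    {"name": "plc-line-4", "os": "VxWorks", "version": "6.8", "has_ipnet": True,
     "internet_facing": False, "patched": True},
    {"name": "avionics-unit", "os": "VxWorks", "version": "7", "edition": "653"},
    {"name": "legacy-hmi", "os": "VxWorks", "version": "5.5", "has_ipnet": True},
    {"name": "printer-2f", "os": "VxWorks", "version": "unknown"},
    {"name": "file-server", "os": "Linux", "version": "4.19"},
]

if __name__ == "__main__":
    for asset in INVENTORY:
        print(f"{asset['name']:16} {triage(asset)}")
    print("work queue:", prioritize(INVENTORY))
```

The two conservative defaults (unknown version and unknown stack both stay in scope) are deliberate: in OT inventories the rows with missing data are usually the oldest, least-managed devices, which is exactly where a triage script should not quietly drop them.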
Operational Downtime is the Most Common Impact of IoT-Focused Cyberattacks
As connectivity in the Industrial Internet of Things (IIoT) promises to transform the manufacturing and production industry, new research by Irdeto underlines the importance of cybersecurity, revealing that 79% of manufacturing and production organizations surveyed have experienced an IoT-focused cyberattack in the past year. This finding demonstrates the importance of cybersecurity as IoT devices proliferate across the critical infrastructure of these organizations, to ensure that the potential business benefits of IoT can be realized safely.
The Irdeto Global Connected Industries Cybersecurity Survey of 220 security decision makers in organizations in this sector (700 respondents in total) found that of the organizations that were hit by an attack, operational downtime (47%), compromised customer data (35%) and compromised end-user safety (33%) were the most common impacts. These findings clearly point to a direct bearing on revenue as well as health safety challenges presented by unsecured IoT devices.
The research also suggests that these organizations are aware of where the key cybersecurity vulnerabilities exist within their infrastructure, but do not necessarily have everything they need to address them. The most prominent vulnerabilities within manufacturing and production organizations were in mobile devices and apps (46%). This was followed by the IT network (41%) and the software used by the organization (40%) – which, if it refers to the OT equipment software that runs on the factory floor, could be hugely problematic.
However, despite this awareness, 92% of respondents feel their organization does not have everything it needs to address cybersecurity challenges. 44% state that their organization needs to implement a more robust security strategy. This is followed by a need for additional expertise/skills within the organization to address all aspects of cybersecurity (42%) and a need for more effective cybersecurity tools (37%).
This is compounded by the finding that, in the manufacturing sector, a total of 91% of manufacturers and 96% of users of IoT devices state that the cybersecurity of the IoT devices that they manufacture or use could be improved either to a great extent or to some extent. Failure to address these challenges could prove costly with the average financial impact as a result of an IoT-focused cyberattack in the manufacturing space identified as more than $280,000 USD, according to the survey.
“While the benefits of IoT may be in abundance in manufacturing and industrial environments, this connectivity also increases the attack surface and these findings demonstrate that there is an awareness of the cybersecurity challenges and impacts within the industry, but potentially a need to rethink strategies to mitigate the impact of potential cyberattacks,” said Mark Hearn, Director of IoT Security and Business Development, Irdeto. “Whatever the nature of the threat, industrial and manufacturing organizations must understand the scope of their current risk, ask hard cybersecurity-centric questions to vendors, and work with trusted advisors to safely embrace connectivity in their manufacturing process.”
As organizations fight to keep pace with the cybersecurity challenges in the manufacturing sector, they do have several security measures in place, but have often not implemented enough layers into their security strategy. 21% of organizations surveyed do not currently have software protection technologies implemented, while 39% do not have mobile app protection implemented, despite identifying mobile devices and apps as the greatest source of vulnerabilities. In addition, only 50% make security part of the product design lifecycle process.
However, the majority of organizations that don’t already have these measures in place state that they plan to implement them in the next year. In addition, 99% of the manufacturing organizations surveyed agree that a security solution should be an enabler of new business models, not just a cost. These findings suggest that attitudes towards IoT security are changing for the better.
“As the manufacturing industry embraces IoT technology it’s clear that there are many cybersecurity challenges that must be addressed, but the industry attitude towards cybersecurity is on the right track,” added Steeve Huin, Vice President of Strategic Partnerships, Business Development and Marketing, Irdeto. “As the scope of connected manufacturing grows, the opportunities and the risks are magnified and it is imperative that organizations upskill and implement robust cybersecurity strategies to ensure they mitigate the threat and safely take advantage of the benefits that IoT can bring.”
The International Society of Automation (ISA) held a press conference today to announce the first Founding Members of its new Global Cybersecurity Alliance (GCA): Schneider Electric, Rockwell Automation, Honeywell, Johnson Controls, Claroty, and Nozomi Networks.
As we would expect, the speakers emphasized the importance of standards as the foundation for work in the Alliance. Speakers also tied in safety and productivity as partners with cybersecurity in protecting and improving manufacturing and critical infrastructure facilities and processes. I’m not so sure just exactly what the Alliance will accomplish, but if it succeeds in just raising awareness and a sense of urgency among companies in these industries, it will have accomplished an important task.
ISA created the Global Cybersecurity Alliance to advance cybersecurity readiness and awareness in manufacturing and critical infrastructure facilities and processes. The Alliance brings end-user companies, automation and control systems providers, IT infrastructure providers, services providers, and system integrators and other cybersecurity stakeholder organizations together to proactively address growing threats.
ISA is the developer of the ANSI/ISA 62443 series of automation and control systems cybersecurity standards, which have been adopted by the International Electrotechnical Commission as IEC 62443 and endorsed by the United Nations. The standards define requirements and procedures for implementing electronically secure automation and industrial control systems and security practices and assessing electronic security performance. The standards approach the cybersecurity challenge in a holistic way, bridging the gap between operations and information technology.
Leveraging the ISA/IEC 62443 standards, the Global Cybersecurity Alliance will work to increase awareness and expertise, openly share knowledge and information, and develop best practice tools to help companies navigate the entire lifecycle of cybersecurity protection. The Alliance will work closely with government agencies, regulatory bodies, and stakeholder organizations around the world.
“Accelerating and expanding globally relevant standards, certification, and education programs will increase workforce competence, and help end users identify gaps, reduce risks, and ensure they have the tools and systems they need to protect their facilities and installations,” said Mary Ramsey, ISA Executive Director. “Through the proliferation of standards and compliance programs, we will strengthen our global cyber culture and transform the way industry identifies and manages cybersecurity threats and vulnerabilities to their operations.”
The press release notes that the first Founding Members of the Alliance are leading multi-national, industrial-technology providers with deep expertise in technology and applications, and they’ll apply their experience and knowledge to accomplish the Alliance’s priorities. However, two of the members were represented by building automation divisions. Two of the members are cybersecurity suppliers. Rockwell Automation is a pure play factory and process automation company, and its Maverick Technologies division has been an ardent supporter of ISA. Schneider Electric is a large, multi-disciplined company, and I’m not sure which division within it is the sponsor.
“Participating in the Alliance truly shows the commitment our founding members have to the safety and security of the industrial ecosystem, as well as the criticality of collectively moving forward together to ensure the standards, best practices and methods are applied,” Ramsey said.
“ISA engaged with discussions, initiated by Schneider Electric, to create an ISA-led global, open and industry-wide alliance comprised of all cybersecurity stakeholder companies. ISA quickly expanded those conversations to include Rockwell Automation, Honeywell, Johnson Controls, Claroty, and Nozomi Networks. These first Founding Members have since worked together to help us define the Alliance’s objectives. We are thankful for their collaboration and commitment. Together we welcome companies and organizations from all segments of industry to join our efforts.”
The Alliance is seeking additional members to support its initiatives. End-user companies, asset owners, automation and control systems providers, IT infrastructure providers, services providers, and system integrators and other cybersecurity stakeholder organizations are invited to join. Annual contributions to fund initiatives are based on company revenues and are tax-deductible.
Perspectives: Quotes from the ISA Global Cybersecurity Alliance Founding Members
“Over the last few years, global industry has recognized that taking on increasingly dangerous cyber risks can’t be limited to a single company, segment, or region. However, until now, there has been limited ability to respond as a unified whole to these worldwide threats. But by establishing an open, collaborative, and transparent body, with a focus on strengthening people, processes, and technology, we can drive true cultural change. We are pleased that ISA has stepped forward, and we look forward to working openly and collaboratively with them, our fellow Founding Members, and many others affiliated with global industry, especially end users. Together we will bring to bear the standards-based technology, expertise, and special skills required to better secure and protect the world’s most critical operations and the people and communities we serve.” — Klaus Jaeckle, Chief Product Security Officer, Schneider Electric
“Cybersecurity is critical to digital transformation. It’s critical not only for the protection of information and intellectual property, but also for the protection of physical assets, the environment, and worker safety. We make it a priority to collaborate with partners and research institutions to develop secure products. Rockwell Automation participated in the development of the 62443 standards from the beginning and continues to support ISA cybersecurity initiatives. Our engagement with the Global Cybersecurity Alliance will be another important step in our efforts to help customers identify and mitigate risks.” — Blake Moret, CEO, Rockwell Automation
“Cybersecurity is the great equalizer to all companies. It’s critical to the connected world we live in and the cornerstone of trust that the world needs to be able to operate. Whether protecting critical infrastructure or managing a building’s operations, users need to do this with the confidence the employed systems are robust and secure. We are committed to and proud to work together with ISA and the GCA members to continue to drive the adoption of the ISA/IEC 62443 series of standards and identify further ways to secure and protect the connected world in which we live. At Honeywell, we see cybersecurity as a core part of the future we are making, and we see the GCA as an important way to work together to make that happen.” — Matthew Bohne, Vice President and Chief of Product Security, Honeywell Building Technologies
“Digital transformation in the building sector continues to accelerate, which heightens the urgency for cybersecurity across the industry and beyond. As a leader in the industrial automation controls business, Johnson Controls is already a strategic member of the ISASecure program and is consistently taking proactive actions to protect customers against cyber-threats and risks. Joining ISA Global Cybersecurity Alliance is a necessary and meaningful step as it supports our company values, customer adoption of the ISA/IEC 62443 standard and efforts to educate global government and regulatory bodies. We are proud to solidify our commitment to this important effort.” — Jason Christman, Vice President, Chief Product Security Officer, Global Products, Johnson Controls
“One of the most effective ways to drive consistency in an industry is by putting standards in place, and we’re looking forward to collaborating with all of these founding members, as well as future Alliance members, to help drive global best-practices forward in this historically standard-less environment. Claroty is committed to the mission of protecting all IoT and OT networks from cyber risks. Through our work with the Global Cybersecurity Alliance, we will be able to help shape the future of cybersecurity in these high-risk industries.” — Dave Weinstein, Chief Security Officer, Claroty
“Nozomi Networks believes real community collaboration, actionable standards and effective education are key to ensuring a secure future for industrial organizations around the world. That’s why we are helping develop secure-by-design standards as a working member of ISA99 standards committees, why we’ve designed our industrial cyber security solutions for easy integration across the broadest possible set of industrial and IT technologies, and why we are thrilled to help establish the Global Cybersecurity Alliance. Together we will build a secure future for the industrial infrastructure that runs the world.” — Andrea Carcano, Nozomi Networks Co-founder and Chief Product Officer
Industrial Automation. I guess sometimes it’s good and sometimes not. Tesla had difficulty ramping up production on its low-end vehicle. Elon Musk blamed automation for his problems. Well, maybe it was vaguely automation. But maybe they tried automating too much, or they automated things they shouldn’t have. Maybe Rockwell Automation now has a place he can drive to in order to learn more about automating production.
While I was traveling, Rockwell Automation released some news. I had to seek clarification on some. Here are two interesting items.
The first piece of news concerned Rockwell Automation opening an 8,000 square-foot Electric Vehicle (EV) Innovation Center at 111 North Market Street in San Jose, California, within its Information Solutions development facility. The center will provide live manufacturing demonstrations, hands-on trials utilizing new technology and events showcasing collaboration with industry experts and Rockwell Automation partners.
Upon first glance I thought maybe it was getting into the EV business. Actually it is bringing its experience and products from “Detroit” building cars to Silicon Valley building cars—just with different power trains.
Utilizing augmented and virtual reality modeling, the EV Innovation Center provides automotive start-ups and established manufacturers an environment to learn new technologies and standards, enabling them to deliver electric vehicles to market faster, with less risk and at lower cost.
The Center features not only traditional Rockwell products, but also features partners such as its FactoryTalk InnovationSuite powered by PTC, Eagle Technologies’ battery pack assembly machine, and FANUC robot technologies.
Other partners featured include Hirata, a turnkey assembly line builder, which provides an assembly cell that demonstrates electric drive unit assembly and testing; Emulate 3D, Rockwell Automation’s simulation software, which helps to prototype and test machines before they’re built; and teamtechnik, which performs functional testing to confirm performance before the drive is built into the electric vehicle.
“With growing global consumer demand, electric vehicle companies are challenged to meet aggressive production timelines,” said John Kacsur, vice president, Automotive and Tire Industries, Rockwell Automation. “We established the Electric Vehicle Innovation Center to expand their possibilities and get their products to consumers quickly and at the lowest possible cost, while operating more efficiently.”
The second Rockwell news concerns its partner Claroty and cybersecurity services. To help prevent incidents and combat the unpredictable threats that cause them, industrial companies around the world can now manage cyber risk in their operations using the Rockwell Automation Threat Detection Services powered by the Claroty threat detection platform.
“A scary aspect of security threats is what you don’t know about them – what techniques they’ll use, what attack vector they’ll leverage, what vulnerabilities they’ll exploit,” said Umair Masud, manager security services portfolio, Rockwell Automation. “Our Threat Detection Services combine our innate understanding of industrial automation with Claroty’s trusted OT network visibility. The services can give companies peace of mind by protecting not only one facility but their entire supply chain from unpredictable threats.”
The Threat Detection Services help safeguard connected operations in three key ways:
- Identify and Protect: Identifying all industrial control networked assets, and their vulnerabilities, to help companies know what to protect
- Detect: Monitoring networks for not only known threats but, more importantly, anomalous traffic or behaviors to alert companies of a security incident – possibly before it even happens
- Response and Recovery: Developing plans for containing, eradicating and recovering from attacks to keep operations running or more quickly return to a fully operational state
The Claroty threat detection platform creates an inventory of a user’s industrial network assets, monitors traffic between them and analyzes communications at their deepest level. Detected anomalies are reported to plant and security personnel with actionable insights.
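The three-step outline above (identify the assets, detect deviations rather than only known threats, have a response ready) maps onto a baseline-and-deviation monitor. The block below is an added example and not Claroty or Rockwell Automation code; it does not reproduce their platform. It learns an asset inventory and the set of conversations from a learning window of constructed flow records, then flags monitored flows that involve an unknown talker, a known asset reached on a new service, or two known assets that never talked before, and attaches a first-response action to each reason. The record format (timestamp, source, destination, destination port, protocol label) is an assumption for the example; ports 44818 and 502 are the standard EtherNet/IP and Modbus/TCP ports.

```python
"""Baseline-and-deviation monitoring for an industrial network.

Added example, not Claroty or Rockwell Automation code. Flow records are
constructed and their format (ts src dst dport proto) is an assumption.
"""
from collections import defaultdict

# Constructed learning window: normal traffic on a hypothetical cell network.
LEARNING_FLOWS = """\
2019-07-30T08:00:01Z 10.10.1.10 10.10.1.20 44818 ENIP
2019-07-30T08:00:02Z 10.10.1.10 10.10.1.21 44818 ENIP
2019-07-30T08:00:03Z 10.10.1.30 10.10.1.20 502 MODBUS
2019-07-30T08:00:04Z 10.10.1.20 10.10.1.40 123 NTP
2019-07-30T08:00:05Z 10.10.1.10 10.10.1.20 44818 ENIP
"""

# Constructed monitored window: one normal repeat and three deviations.
MONITORED_FLOWS = """\
2019-07-30T09:00:01Z 10.10.1.10 10.10.1.20 44818 ENIP
2019-07-30T09:00:02Z 10.10.1.99 10.10.1.20 502 MODBUS
2019-07-30T09:00:03Z 10.10.1.30 10.10.1.20 44818 ENIP
2019-07-30T09:00:04Z 10.10.1.20 10.10.1.40 22 SSH
2019-07-30T09:00:05Z 10.10.1.30 10.10.1.20 502 MODBUS
"""

# Response step: a first action per deviation type (illustrative playbook entries).
ACTIONS = {
    "unknown-asset": "identify the device; isolate the port until it is accounted for",
    "new-service-on-asset": "confirm the change was authorized; review the asset's config",
    "new-conversation": "check whether an engineering or maintenance task explains it",
}


def parse_flow(line: str) -> dict:
    """One record per line: timestamp, source, destination, destination port, protocol."""
    ts, src, dst, port, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}


def build_baseline(text: str) -> dict:
    """Identify: the asset set, the services each asset exposes, and who talks to whom."""
    baseline = {"assets": set(), "conversations": set(), "services": defaultdict(set)}
    for line in text.splitlines():
        f = parse_flow(line)
        baseline["assets"].update((f["src"], f["dst"]))
        baseline["services"][f["dst"]].add(f["port"])
        baseline["conversations"].add((f["src"], f["dst"], f["port"]))
    return baseline


def detect(baseline: dict, text: str) -> list:
    """Detect: one alert per flow that deviates, classified by the most severe reason."""
    alerts = []
    for line in text.splitlines():
        f = parse_flow(line)
        if f["src"] not in baseline["assets"]:
            reason = "unknown-asset"            # a talker never seen in the inventory
        elif f["port"] not in baseline["services"][f["dst"]]:
            reason = "new-service-on-asset"     # known asset reached on a new port
        elif (f["src"], f["dst"], f["port"]) not in baseline["conversations"]:
            reason = "new-conversation"         # known service, but a new client for it
        else:
            continue                            # matches the baseline: no alert
        alerts.append({**f, "reason": reason, "action": ACTIONS[reason]})
    return alerts


def run() -> list:
    """Learn from the first window, then monitor the second."""
    return detect(build_baseline(LEARNING_FLOWS), MONITORED_FLOWS)


if __name__ == "__main__":
    for a in run():
        print(f"{a['ts']} {a['src']} -> {a['dst']}:{a['port']} {a['proto']} "
              f"[{a['reason']}] {a['action']}")
```

The ordering of the three checks is the design decision worth noting: an unknown source is reported as such even if the destination port is routine, because the asset inventory question ("what is this?") has to be answered before the traffic question ("is this normal?") means anything. A real learning window also has to be long enough to cover maintenance cycles, otherwise the first scheduled backup or firmware check after go-live produces a flood of "new conversation" alerts.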
“The Claroty platform, used within the Threat Detection Services, can accelerate a company’s journey to more connected and digitally driven operations,” said Amir Zilberstein, co-founder and CEO, Claroty. “Most critically, the platform can help companies detect and quickly respond to threats that bypass their security controls. But it can also give companies a deeper understanding of their industrial assets and improve their ability to keep operations running.”
Cyber Security got a shout-out during the Siemens Spotlight on Innovation forum in Orlando last week. Leo Simonovich, VP and Global Head, Industrial Cyber and Digital Security at Siemens Gas and Power, and Mike Wiacek, co-founder & CSO of Chronicle (an Alphabet company) took the stage discussing their newly signed cyber security agreement.
Key phrase—“customers can own their environment”. Perhaps the most interesting conversation I had during the networking event was with a Chronicle tech person who gave me a deep dive into the product. This is security unlike everything else I investigate in the OT realm. This isn’t a network monitoring app. Nor is it a device that acts as a firewall for industrial control devices. It builds a huge database and adds analytics (which is “in our DNA”). The solution has two parts—visibility and context. It bridges IT and OT worlds with the intent to “democratize security for the success of the digital economy”; that is, make it accessible to customers, simple, affordable, easy-to-use.
Through a unified approach that will leverage Chronicle’s Backstory platform and Siemens’ strength in industrial cyber security, the combined offering gives energy customers unparalleled visibility across information technology (IT) and operational technology (OT) to provide operational insights and confidently act on threats.
The energy industry has historically been unable to centrally apply analytics to process data streams, cost-effectively store and secure data, and identify malicious threats within OT systems. Research conducted by Siemens and Ponemon Institute found that while 60 percent of energy companies want to leverage analytics, only 20 percent are utilizing any analytics to do security monitoring in the OT environment. Small and medium enterprises are particularly vulnerable to security breaches as they frequently do not have the internal expertise to manage and address increasingly sophisticated attacks.
“The innovative partnership between Siemens and Chronicle demonstrates a new frontier in applying the power of security analytics to critical infrastructure that is increasingly dependent on digital technology,” said Simonovich. “Cyber-attacks targeting energy companies have reached unprecedented speeds, and our cutting-edge managed service unlocks the analytics ecosystem and offers a new level of protection from potential operational, business and safety losses.”
“Energy infrastructure is an obvious example of cyber-attacks affecting the physical world and directly impacting people’s lives,” said Ansh Patnaik, Chief Product Officer, Chronicle. “Backstory’s security telemetry processing capabilities, combined with Siemens’ deep expertise, gives customers new options for protecting their operations.”
The partnership between Siemens and Chronicle will help energy companies securely and cost-effectively leverage the cloud to store and categorize data, while applying analytics, artificial intelligence, and machine learning to OT systems that can identify patterns, anomalies, and cyber threats. Chronicle’s Backstory, a global security telemetry platform for investigation and threat hunting, will be the backbone of Siemens managed service for industrial cyber monitoring, including in both hybrid and cloud environments. This combined solution enables security across the industry’s operating environment – from energy exploration and extraction to power generation and delivery.
I booked a vacation several months ago that conflicted with Hannover Messe. I missed the usually chilly and damp north of Germany in favor of the definitely chilly and damp Pacific Northwest.
Many announcements from Hannover reached me anyway, though, so I’ll be going through a few this week. First up concerns using the new CIP Security protocol from ODVA. This one from Rockwell Automation.
This release talks about Rockwell’s developing solutions toward closing a cybersecurity opening within industrial automation communication.
“As the world’s leading company focused on combining industrial automation with digital technology, we’re uniquely positioned to help close security gaps in connected operations,” said Megan Samford, director of product security, Rockwell Automation. “Our new offerings with built-in security deliver the industry’s best available protection of control-level traffic. This can give users confidence that the integrity of their systems and their device-to-device communications are protected from day one.”
The Allen-Bradley ControlLogix EtherNet/IP communication module is among the first industrial devices to use the CIP Security protocol from ODVA. The protocol helps make sure only authorized devices are connected in industrial operations. It also helps prevent tampering or interference with communications between those devices. CIP Security is the first industrial automation protocol to support transport layer security (TLS), the most proven security standard available.
Also, the newly enhanced Allen-Bradley ControlLogix 5580 controller is the world’s first controller to be certified compliant with today’s most robust control system security standard, IEC 62443-4-2. The standard defines the technical security requirements for industrial automation and control system components. This certification builds on the 2018 certification of the Rockwell Automation Security Development Lifecycle (SDL) to the IEC 62443-4-1 standard.