Amongst the cloud and manufacturing IT booths in Hannover was a sizable booth nestled in the middle housing Arm, the processor company. Here Ian Ferguson, Vice President, Ecosystem Development, met with me to discuss some of the latest embedded computing news.
Arm licenses chips which are optimized to the OS for customer companies to use and customize.
Its software business includes a device manager for small device apps for provisioning and connecting. It has also announced a bridge to IBM Watson.
Its software product, Embed, runs on ARM. Among the areas of focus is smart meters and tracking of small assets. Ferguson also mentioned smart buildings–especially lighting.
Security is a key focus working at the chip level to detect intrusions, “device health”.
• Rapid industry adoption of Mbed Platform with more than 300,000 developers (>30% growth over the past year) and 80 partners
• Arm expands integration with IBM Watson IoT, and partners with Cybertrust and GlobalSign to deliver BYOC (Bring-Your-Own-Certificate) flexible IoT security authentication
• Mbed drives IoT business value for logistics, utilities and smart cities as organizations shift to Industry 4.0
Help organizations take advantage of the opportunities offered by IoT data and combine this with their business data to create valuable business outcomes. However, in talking with these organizations, many feel that pursuing opportunities to achieve these business outcomes through IoT opens themselves up to more IT complexity and greater security concerns.
Security and complexity of integration are legitimate concerns that addressed with Arm Mbed Platform. This platform provides the necessary IoT building blocks including, connectivity, device management, security and provisioning with the support of a 300,000+ strong developer community that has grown more than 30% in the past year.
It’s also supported by a growing ecosystem of 80 contributing partners such as IBM, which is bridging the Mbed Cloud with IBM Watson IoT Platform. We’ve integrated Mbed Cloud with Cybertrust and GlobalSign to provide more flexible security authentication for IoT devices.
Mbed Cloud and Mbed Cloud On Premises were designed to provide device management, connectivity and provisioning that customers demand, supported across multiple public and private clouds, on-premises and hybrid environments.
IoT security should be easy to implement, not an inhibitor. The new integrations between Mbed Cloud and Cybertrust and GlobalSign enable customers to BYOC (Bring-Your-Own-Certificate) for flexible and secure IoT authentication, leveraging the public key infrastructure they already use. Security should also be built into development, which is why Arm is planning to make its free open-sourced development platform, Mbed OS, the first OS to support PSA-Compliant trusted boot, storage and opaque cryptography.
However, even when security is built-in, software updates are often needed to maintain a strong security posture, which is a challenge when there are millions of devices already deployed out in the field. Through an expanded integration with IBM Watson IoT Platform, its users can now manage, provision and update firmware over-the-air for their IoT devices through Mbed Cloud.
Sometimes I wonder–Is it time for the entire Boomer generation to retire and pass the baton to the next generation? Here is another survey, this one on cybersecurity, that reveals executives know about a problem but have few or no plans to solve it soon.
People tell me constantly about surveys such as this one or training opportunities where executives and engineers in Europe pursue knowledge and those in Asia cannot satisfy their demand for standards and knowledge. And in the US? Not so much interest.
Here is a poll by a security company, Indegy, who (maybe not so surprisingly since it sells solutions) uncovered the gap yet again.
The poll found that nearly 60 percent of executives at critical infrastructure operators polled in a recent survey said they lack appropriate controls to protect their environments from security threats. As expected, nearly half of all respondents indicated their organizations plan to increase spending for industrial control system (ICS) security measures in the next 12-24 months.
“We have been tracking the escalation in cyber threat activity specifically targeting critical infrastructures for some time,” says Barak Perelman, CEO of Indegy. “As the recent joint DHS/FBI CERT Technical Alert illustrates, adversaries have compromised facilities across the US to conduct reconnaissance and likely develop “Red Button” capability for future attacks.”
Lack of Visibility and Control Cited
While organizations have made significant investments to secure their IT infrastructures, they have not fully addressed threats to operational technology (OT) environments. The recent Indegy poll of nearly 100 executives from various critical infrastructure organizations underscores the lack of preparedness in key sectors including energy, utilities and manufacturing. Among the key findings:
- 35% of respondents said they have little visibility into the current state of security within their environment, while 23% reported they have no visibility
- 63% claimed that insider threats and misconfigurations are the biggest security risks they currently face
- 57% said they are not confident that their organization, and other infrastructure companies, are in control of OT security
- Meanwhile, 44% of respondents indicated an increase in ICS spending was planned in the next 12 to 24 months, with 29% reporting they were not sure
Critical infrastructure control systems have been under cyber attack for years. Need we mention Stuxnet, the attack that brought the issue to the public eye? Pressure has been mounting on controls, automation, and IoT suppliers to protect a nation’s assets.
Siemens and eight partners signed a joint charter for greater cybersecurity at a recent Munich conference.
- Ten action areas for greater cybersecurity
- Call for dedicated government ministries and chief information security officers
- Independent certification for critical infrastructures and solutions in the Internet of Things
The Charter of Trust calls for binding rules and standards to build trust in cybersecurity and further advance digitalization. In addition to Siemens and the Munich Security Conference (MSC), the companies Airbus, Allianz, Daimler Group, IBM, NXP, SGS and Deutsche Telekom are signing the Charter. The initiative is further welcomed by Canadian foreign minister and G7 representative Chrystia Freeland as well as witnessed by Elżbieta Bieńkowska, the EU Commissioner for Internal Market, Industry, Entrepreneurship and Small and Medium-sized Enterprises.
“Confidence that the security of data and networked systems is guaranteed is a key element of the digital transformation,” said Siemens President and CEO Joe Kaeser. “That’s why we have to make the digital world more secure and more trustworthy. It’s high time we acted – not just individually but jointly with strong partners who are leaders in their markets. We hope more partners will join us to further strengthen our initiative.”
The Charter delineates 10 action areas in cybersecurity where governments and businesses must both become active. It calls for responsibility for cybersecurity to be assumed at the highest levels of government and business, with the introduction of a dedicated ministry in governments and a chief information security officer at companies. It also calls for companies to establish mandatory, independent third-party certification for critical infrastructure and solutions – above all, where dangerous situations can arise, such as with autonomous vehicles or the robots of tomorrow, which will interact directly with humans during production processes. In the future, security and data protection functions are to be preconfigured as a part of technologies, and cybersecurity regulations are to be incorporated into free trade agreements. The Charter’s signatories also call for greater efforts to foster an understanding of cybersecurity through training and continuing education as well as international initiatives.
“Secure digital networks are the critical infrastructure underpinning our interconnected world,” said Canadian foreign minister Chrystia Freeland. “Canada welcomes the efforts of these key industry players to help create a safer cyberspace. Cybersecurity will certainly be a focus of Canada’s G7 presidency year.” The matter is also a top priority for the Munich Security Conference. “Governments must take a leadership role when it comes to the transaction rules in cyberspace,” said Wolfgang Ischinger, Chairman of the Munich Security Conference. “But the companies that are in the forefront of envisioning and designing the future of cyberspace must develop and implement the standards. That’s why the Charter is so important. Together with our partners, we want to advance the topic and help define its content,” he added.
According to the ENISA Threat Landscape Report, cybersecurity attacks caused damage totaling more than €560 billion worldwide in 2016 alone. For some European countries, the damage was equivalent to 1.6 percent of the gross domestic product. And in a digitalized world, the threats to cybersecurity are steadily growing: According to Gartner, 8.4 billion networked devices were in use in 2017 – a 31-percent increase over 2016. By 2020, the figure is expected to reach 20.4 billion.
Security comes first to mind whenever we begin discussing connecting things in an industrial setting. And, of course, nothing connects things like the Industrial Internet of Things (IIoT). One place we often fail to consider in our security planning is at the endpoint of the network. Organizations and companies have been providing valuable assistance to developers by releasing best practices white papers. Here is one from a leading Industrial Internet organization.
The Industrial Internet Consortium (IIC) announced publication of the Endpoint Security Best Practices white paper. It is a concise document that equipment manufacturers, critical infrastructure operators, integrators and others can reference to implement the countermeasures and controls they need to ensure the safety, security and reliability of IoT endpoint devices. Endpoints include edge devices such as sensors, actuators, pumps, flow meters, controllers and drives in industrial systems, embedded medical devices, electronic control units vehicle controls systems, as well as communications infrastructure and gateways.
“The number of attacks on industrial endpoints has grown rapidly in the last few years and has severe effects. Unreliable equipment can cause safety problems, customer dissatisfaction, liability and reduced profits,” said Steve Hanna, IIC white paper co-author, and Senior Principal, Infineon Technologies. “The Endpoint Security Best Practices white paper moves beyond general guidelines, providing specific recommendations by security level. Thus, equipment manufacturers, owners, operators and integrators are educated on how to apply existing best practices to achieve the needed security levels for their endpoints.”
The paper explores one of the six functional building blocks from the IIC Industrial Internet Security Framework (IISF): Endpoint Protection. The 13-page white paper distills key information about endpoint device security from industrial guidance and compliance frameworks, such as IEC 62443, NIST SP 800-53, and the IIC IISF.
Equipment manufacturers, industrial operators and integrators can use the Endpoint Security Best Practices document to understand how countermeasures or controls can be applied to achieve a particular security level (basic, enhanced, or critical) when building or upgrading industrial IoT endpoint systems, which they can determine through risk modeling and threat analysis.
“By describing best practices for implementing industrial security that are appropriate for agreed-upon security levels, we’re empowering industrial ecosystem participants to define and request the security they need,” said Dean Weber, IIC white paper co-author, and CTO, Mocana. “Integrators can build systems that meet customer security needs and equipment manufacturers can build products that provide necessary security features efficiently.”
While the white paper is primarily targeted at improving the security of new endpoints, the concepts can be used with legacy endpoints by employing gateways, network security, and security monitoring.
The full Endpoint Security Best Practices white paper and a list of IIC members who contributed can be found on the IIC website.
Let me try to summarize a number of other news items gleaned from the ARC Forum featuring edge computing, IIoT Platforms, and technology. When ARC’s Paul Miller told me it would be the best ever, he turned out not to be exaggerating. More people, more news.
Stratus Technologies, known for years for secure servers, released an edge computing device. Interest in computing at the edge of the network has blossomed lately, with many companies releasing products. Lots of choices for users.
Integration Objects, firmly within another important trend, introduced an Industrial Internet of Things (IIoT) Platform. I’m beginning to see articles about users latching on to these platforms rather than building their own ad hoc connections among IoT devices and applications.
UL discussed standards with me during the show. The company known for developing safety standards and then testing for compliance has developed also a security standard. And it tests to it for compliance.
HIMA is another company combining safety and security technologies. There is so much in common between the two–especially thought processes and planning.
Yokogawa has extended and rebranded its process automation offering, now called Synaptic Business Automation. Among other things, it has refined the dashboard into a “karaoke” style.
Bentley Systems discussed the combining of engineering design tools with digital photography and other digital technologies to better represent the engineering and design of a plant. This is the most cutting edge technology I saw during the week, but I cannot do it justice in a paragraph. I encourage a tour of the Website.
Cybersecurity, digitalization, and asset performance management headlined the various press events with Schneider Electric at the recent ARC Forum. I took notes from Kim Cousteau’s presentation on APM at the main press conference and expected a follow up press release for details. I have not received one yet.
Remember the “reverse acquisition” of Aveva where Schneider Electric placed all of its software divisions into Aveva and then took a 60% share in the company? The deal is about to close. Schneider spokespeople assured me that digitalization is proceeding apace with the leveraging of Aveva design through construction applications into operations and maintenance applications—Schneider’s strong suit. This, on paper, brings the company into the competitive marketplace with Siemens and its UGS acquisition of several years ago. This is an interesting area to watch.
Schneider called a special press event, with lunch, to talk specifically about cybersecurity. This response to an incident in which the company’s Triconex safety system earned some publicity—but not always accurately portrayed. The incident was a cyber attack that caused a situation that the safety system caught and initiated a safe shut down.
However, the event caused renewed concern for cyber defense. ARC Vice President, Larry O’Brien, said, “This is a wake up call for people to follow existing security standards.” Gary Freburger, who heads that division of Schneider, said, “It’s everybody’s job.”
We received this official statement from Peter Martin, vice president of business innovation and marketing, Schneider Electric
At Schneider Electric, we heartily encourage all collaborative efforts to strengthen cybersecurity. The growing problem of cybersecurity is not specific to any single company, institution or country. Rather, it’s a threat to business and public safety that can only be addressed and resolved when suppliers, customers, integrators, developers, standards bodies and government agencies work together. This collaboration starts with common standards, agreed-upon rules, appropriate funding and active cooperation. It extends beyond national borders and transcends competitive interests.
Schneider Electric continues to work diligently with our customers, partners, developers and industry peers to make the shift from reactive to proactive cybersecurity management through compliance with evolving industry standards, agreement that cybersecurity is a journey not a destination, and a commitment to standing together in the face of cyber threats.
Today, we commend the signatories to the “Charter of Trust.” It’s another important step toward ensuring that the promise of digital transformation and automation will prevail over the threat of cyberterrorism.
Regarding APM, Kim Cousteau discussed a new release of Avantis that expanded machine learning from the power industry to oil & gas. For maintenance, it incorporates a team system for operator rounds and improved workflow. It incorporates augmented reality and virtual reality (AR/VR) “because workers are so new and need help to get up to speed. Look for updated analytics to aid in catching anomalies ahead of failure. She cited a customer who has been tracking savings from this feature alone and is up to $65 million.