I just had an opportunity to talk Industrial cybersecurity with two leaders of The Industrial Internet Consortium (IIC) (now incorporating OpenFog) who gave an overview of the new Security Maturity Model (SMM) Practitioner’s Guide. This document provides detailed actionable guidance enabling IoT stakeholders to assess and manage the security maturity of IoT systems.
Along with the publication of the SMM Practitioner’s Guide is an update to the IoT SMM: Description and Intended Use White Paper, which provides an introduction to the concepts and approach of the SMM. This white paper has been updated for consistency with the SMM Practitioner’s Guide, including revised diagrams and updated terminology.
As organizations connect their systems to the internet, they become vulnerable to new threats, and they are rightly concerned with security. Addressing these concerns requires investment, but determining investment focus and amount is a difficult business decision. The SMM helps by enabling a structured top-down approach toward setting goals as well as a means toward assessing the current security state, taking into account various specific practices. The SMM allows an organization to trade off investment against risk in a sensible manner.
Building on concepts identified in the groundbreaking IIC Industrial Internet Security Framework published in 2016, the SMM defines levels of security maturity for a company to achieve based on its security goals and objectives as well as its appetite for risk. Organizations may improve their security state by making continued security assessments and improvements over time, up to their required level.
“This is the first model of its kind to assess the maturity of organizations’ IoT systems in a way that includes governance, technology and system management,” said Stephen Mellor, CTO, IIC. “Other models address part of what is addressed by the SMM: they may address a particular industry, IoT but not security, or security but not IoT. The SMM covers all these aspects and points to parts of existing models, where appropriate, to recognize existing work and avoid duplication.”
The practitioner’s guide includes tables describing what must be done to reach a given security comprehensiveness for each security domain, subdomain and practice and can be extended to address specific industry or system scope needs. Following each table is an example using various industry use cases to demonstrate how an organization might use the table to pick a target state or to evaluate a current state.
One example is that of an automotive manufacturer considering the possible threats interfering with the operations of a vehicle key fob. The manufacturer sets its target maturity comprehensiveness level to “1” as it considers some IT threats, such as a Denial of Service attack that may prevent a driver from opening the car door using the key fob. Over time, as new threats emerge, the manufacturer realizes it needs additional threat modeling and enhanced practices so raises its target maturity comprehensiveness level to a higher level “2.”
The practitioner’s guide contains three case studies that show IoT stakeholders how to apply the process based on realistic assessments, showing how the SMM can be applied in practice. The case studies include a smarter data-driven bottling line, an automotive gateway supporting OTA updates and security cameras used in residential settings.
The IIC designed the Security Maturity Model to be extended for industry and system specific requirements. The IIC is collaborating with various industry groups to develop industry profiles that extend the model. Industry associations interested in developing profiles are encouraged to contact the IIC. Please send an email to [email protected]
For more information about the IIC SMM Practitioner’s Guide, IIC members have prepared a webinar “Get a True Sense of Security Maturity,” which will air on March 18th at 12:00 pm for 60 minutes. Use this PIN: 12374028
The full IIC Security Maturity Model Practitioner’s Guide and a list of IIC members who contributed can be found on the IIC website.
ARC’s annual Industry Forum gathering provided an opportunity rare these days of meeting with a wide variety of people and companies. Today’s post summarizes most of the rest of information gathered not previously published.
Interestingly, IIoT was not a major theme. Perhaps it underlies the other things. Most of the time we talked security and software. This round up involves Schneider Electric, Bedrock Automation, Bentley Systems, Siemens, and ioTium.
Profitable Safety for Industry
Schneider Electric has announced EcoStruxure Process Safety Advisor, an IIoT-based digital process safety platform and service that enables customers to visualize and analyze real-time hazardous events and risks to their enterprise-wide assets, operations and business performance.
Safety Advisor is built on Schneider Electric’s EcoStruxure SIF Manager application for tracking and validating safety instrumented function (SIF) performance over the life of a plant. It provides a single view into the health and status of the user’s safety instrumented functions, which helps to identify potential risks and their impact on operations performance.
It also identifies the need to take corrective action via easy-to-understand performance dashboards and leading indicators for safety health and then documents the entire process using an embedded SIF audit trail that supports safety compliance.
Safety Advisor enables customers to understand their risks within minutes, and then act decisively to drive better business results.
Albert Rooyakkers, Bedrock Automation CEO, pointed to advances with Bedrock’s offering including “Zero Cost Software”, having an OSA Proxy, using MQTT Sparkplug-B secure, Role-Based access control, and a partnership with SI firm Wood Group.
Wood’s automation and control group will deliver Bedrock Open Secure Automation (OSA) to its clients in energy and industrial markets. Wood has active membership in The Open Process Automation Forum, which is focused on the development of a standards-based, open, secure, interoperable process control architecture.
“This partnership centers on combining our diverse capabilities and innovative solutions in automation with Bedrock’s OSAtechnology to bring open and secure systems to our clients, advancing our position as a world leading automation providerand bringing greater cyber protection to our client’s projects,” said Jeff Shannon, Senior Manager of Strategy and Development in Wood’s automation and control group.
Planning and Design Assessment Solutions for Grid Modernization
Bentley Systems announced availability of OpenUtilities DER Planning & Design Assessment Solutions that provide decision support and cost-based models and simulations for Distributed Energy Resources (DER) integration.
In partnership with Siemens’ Digital Grid business unit, OpenUtilities Solutions for DER empowers electric utilities, electricity suppliers, and distribution network operators (DSO) with software applications to analyze, design, and evaluate DER interconnection requests through desktop and cloud-based services, while supporting the reliability and resilience of network operations.
The solutions generate an electrical digital twin for utilities – a GIS digital twin that enables owner/operators to more efficiently model the grid for decentralized energy without compromising safety and reliability. Digital twins can provide huge efficiencies in grid operations by streamlining DER interconnection applications with optimized workflows to better assess operational impacts, long-term strategic scenarios and investment decisions.
OpenUtilities Design Optioneering advances OpenUtilities Analysis one step further with cost-based decision support for planning and designing complex utility networks with DER. The application provides the ability to analyze both planned and existing infrastructure, optimize equipment sizing, and estimate materials and labor costs for DER projects. This helps utilities minimize design construction costs associated with DER and streamline the DER interconnection process with detailed cost estimation included with the impact analysis studies.
Finally, I talked with Ron Victor of ioTium. The product consists of a soft node on, for example, a Dell Gateway device providing baked-in security. It runs as server in cloud enabling easier deployment.
ioTium’s IoT network isolates IT and OT network and data, preventing IT traffic from touching OT traffic and thus eliminating the possibility of backdoor threats. Further, ioTium isolates data streams from different sub-systems, preventing a compromise on one sub-system from affecting any other sub-system.
ioTium’s virtualized edge platform enables deployment, update and upgrade of edge services across thousands of remote sites in one click from the cloud, making analytics, DPI, machine learning, encryption, compression and more possible closer to the data source.
If HMI SCADA absorbed about 40% of my ARC Industry Forum appointments, then industrial cybersecurity took up another 40%. Not all of them were the usual networking solutions, either.
This one, for example, comes from Honeywell. It announced the latest release of Secure Media Exchange (SMX), a cybersecurity solution to protect industrial operators against new and emerging Universal Serial Bus (USB) threats. SMX now includes patent pending capabilities to protect against a broad range of malicious USB device attacks, which disrupt operations through misuse of legitimate USB functions or unauthorized device actions.
These advanced protections complement additional SMX enhancements to malware detection, utilizing machine learning and artificial intelligence (AI) to improve detection by up to 40 percent above traditional anti-virus solutions according to a Honeywell study. Together, these updates to the SMX platform deliver comprehensive, enterprise-wide USB protection, visibility and control to meet the demanding physical requirements of industrial environments.
USB devices include flash drives and charging cables, as well as many other USB-attached devices. They represent a primary attack vector into industrial control system (ICS) environments, and existing security controls typically focus on the detection of malware on these USBs.
While important, research shows an emerging trend toward new categories of USB threats that manipulate the capabilities of the device standard to circumvent traditional security controls and directly attack ICS. Categorically, these malicious USB device attacks represent 75 percent of today’s known USB attack types, a clear indication of the shift toward new attack methodologies. Because these attacks can weaponize common USB peripherals — like keyboards, speakers — effective protection requires sophisticated device validation and authorization.
“Malicious USB attacks are increasingly sinister in their ability to emulate, exploit and manipulate USB devices, often causing damage and operational outages,” said Sam Wilson, global product marketing manager, Honeywell Industrial Cybersecurity. “Honeywell is the first to deliver a powerful industrial cybersecurity solution to protect against malicious USB device attacks, which represent the majority of USB threat types and advanced malware. And as USB usage increases and devices proliferate, human verification of device actions will continue to play an important role.”
SMX protection includes Honeywell’s Trusted Response User Substantiation Technology (TRUST), which introduces a human validation and authentication step to ensure that USB devices are what they claim to be. TRUST helps prevent unwanted or suspicious devices from introducing new threats into the industrial control environment. In the case of USB storage devices, additional layers of advanced malware detection technology are used to further protect against malware, including machine learning and AI to improve detection of increasingly complex malware, including zero days and evasive malware.
SMX helps customers make changes across people, process, and technology that will improve their industrial cybersecurity maturity. It trains USB users to look for potential issues as they plug in, while reinforcing plant check-in and check-out processes for plant managers. As a technical control, SMX continuous threat protection and its latest enhancements ensure that customers can check USBs anywhere to scale industrial cybersecurity with ease.
The latest SMX technology release includes a host of additional features including:
- New Centralized Management: provides unmatched visibility of USB devices entering industrial control environments and centralized threat management across all SMX sites, for time-saving security management and simple-to-view insights unique to the customer’s environment.
- New ICS Shield Integration: provides additional visibility into USB activity on protected end nodes, closing the loop between centralized management services and distributed protections inside the ICS, without violating industry best practices of zone segmentation.
- Expanded SMX offering: provides multiple form factors to meet specific industrial needs, including portable SMX ST models for busy operational staff, and fully ruggedized models that meet industrial use cases including hazardous environments, military standard conditions and gloves-on worker situations.
Discussing industrial technology while ignoring cybersecurity is impossible these days. I just saw a survey that contends CEOs are more worried about cybersecurity than recession.
Note—I have been traveling for meetings and finally got my schedule together to post something. I’m also compiling my schedule for the annual ARC Advisory Group Industry Forum in a couple of weeks. If you’re going, I’d love to meet you. Send a note or a text. Maybe we can have coffee.
Schneider Electric Partners with Nozomi Networks
Schneider Electric has signed a global partnership agreement with Nozomi Networks to collaborate with Nozomi to provide customers in the industrial manufacturing and critical infrastructure segments advanced anomaly detection, vulnerability assessment, and other cybersecurity solutions and services, helping them to control, prevent and mitigate risks to their operations and business performance.
“The industry-wide transformation taking place today enables our customers to improve their business performance in ways they never imagined, but it requires them to expand connectivity across their operations, so they can extract, contextualize and apply new levels of rich data,” said Nathalie Marcotte, senior vice president, Industry Services and Cybersecurity, Schneider Electric. “However, extending connectivity also extends the attack surface for would-be cyber criminals. Therefore, cybersecurity can no longer be an afterthought. There’s too much at stake, financially and operationally. By adding Nozomi Networks to our family of partners, we strengthen our ability to help customers understand and eliminate risks and threats to their operations and assets, while reducing potential impact on their business success.”
The partnership enables Schneider Electric to respond more aggressively to immediate demand for effective, operational technology cybersecurity services, solutions and expertise in oil and gas, power, building automation and other industrial sectors. Schneider Electric will offer Nozomi Networks’ advanced solutions for industrial control system cyber resiliency and real-time operational visibility to customers worldwide. Schneider Electric will combine its EcoStruxure IIoT process automation and industrial control solutions with Nozomi’s SCADAguardian platform for real-time operations visibility, including:
- Advanced ICS Cybersecurity Solutions: The bundled solution will deliver the deep network visibility and OT cybersecurity industry operators require in one, comprehensive and highly scalable solution.
- Nozomi Networks SCADAguardian solution provides accurate asset discovery, superior threat detection and flexible and scalable deployment options to Schneider Electric customers.
- Nozomi Networks Certified Consultants: Schneider Electric consultants around the world will continue to be trained as certified Nozomi Networks engineers, scaling to support clients throughout their cybersecurity solution implementation, and providing expert OT threat hunting and forensic analysis.
- SCADAguardian Live in Schneider Electric Sites: Schneider Electric customers can experience Nozomi Networks’ real-time operational visibility and cybersecurity solutions via live threat scenarios running in Schneider Electric sites around the world.
EcoStruxure is Schneider Electric’s open, interoperable, IoT-enabled system architecture and platform.
“Years of multi-industry experience discerning the complexities of industrial control system networks, continuous innovation and expertise in artificial intelligence and machine learning have made Nozomi Networks SCADAguardian the most comprehensive, scalable and mature product in its category,” said Edgard Capdevielle, chief executive officer, Nozomi Networks. “Our partnership with Schneider Electric accelerates our joint efforts to further protect global infrastructure while helping to improve the safety, efficiency, reliability and profitability of the world’s most critical operations.”
“The digital enterprise requires a holistic security approach that not only provides safeguards, but continually assesses, manages and monitors business and operating systems, which Nozomi Networks’ solutions do seamlessly,” Marcotte said. “Addressing cybersecurity head on can’t be limited to a single company, segment or region. That is why we are committed to being open, transparent and collaborative when it comes to helping global industry prevent and respond to cyberattacks. As this partnership shows, we will continue to collaborate with industry leaders who have the technology, expertise and unique skills required to secure and protect our customers’ people, production and profits.”
Mocana Integrates with Unified Automation’s High Performance OPC UA SDK
Simplifies Replacement of OpenSSL with Mocana’s FIPS 140-2 Validated Cryptographic Engine
Mocana announced the integration of Mocana TrustPoint, the company’s embedded cybersecurity software, with Unified Automation’s High Performance OPC Unified Architecture (UA) Software Development Kit (SDK). This integration enables industrial manufacturers and operators to easily replace OpenSSL, an open source crypto library, with Mocana’s proven cybersecurity software solution that is FIPS 140-2 validated and compliant with leading industrial cybersecurity standards.
“Mocana’s embedded cybersecurity solutions are used by the largest industrial companies for mission critical systems,” said Uwe Steinkrauss, Executive Director at Unified Automation. “We’re committed to partnering with Mocana to provide the OPC UA community with solutions that are secure and compliant with industry standards.”
OPC UA is an open machine-to-machine communication platform for industrial automation developed by the OPC Foundation. The OPC UA standard enables industrial control system (ICS) devices across multiple platforms to communicate using a services-oriented architecture (SOA) including enhanced publish / subscribe capabilities. The standard is broadly used across many industries including pharmaceutical, oil and gas, building automation, industrial robotics, security, manufacturing, process control, and transportation.
By default, most OPC UA SDKs have been designed to use OpenSSL, open source security software, to handle security functions such as authentication and encryption. Besides the large footprint hindering implementation on the smallest embedded devices, OpenSSL has been shown to have thousands of vulnerabilities, a hard to maintain complex code base, and slow vulnerability remediation times. Additionally, the latest NIST 140-2 standards cannot be met by the current version of OpenSSL. As a result, industrial companies are migrating away from OpenSSL to meet cybersecurity compliance standards.
Mocana’s integration with Unified Automation’s OPC UA SDKs makes it easy to replace OpenSSL with Mocana’s FIPS 140-2 validated cryptographic engine and comprehensive device security lifecycle management platform. Mocana provides an OpenSSL Connector, a shim that transparently intercepts the device application’s OpenSSL API calls, changes the arguments, and passes them onto Mocana’s cryptographic engine without requiring any application code changes.
“Unified Automation has deep expertise with OPC UA and was instrumental in developing the OPC UA stacks, in particular the ANSI C stack,” said Srinivas Kumar, Vice President of Engineering at Mocana. “We are committed to making it easy to enable the highest level of security and device integrity for OPC UA-enabled industrial devices.”
Mocana’s proven device security solution facilitates compliance with cybersecurity standards, such as the NIST FIPS 140-2, IEC 62443, NIST 800-63, and CIP-007. Mocana and Unified Automation are members of the OPC Foundation.
Industrial Control Systems Cyber Security Through Trusted Systems
The week following Thanksgiving, I participated in a press tour with Siemens visiting a number of locations in Munich, Germany and following into Nuremberg for a day at SPS/IPC/Drives. I have posted a few things already and you can check out my Twitter stream.
Three weeks of travel plus my wife’s surgery (elective, she’s doing well with Nurse/Cook Gary sort of looking after her) took a toll on catching up with writing and email. Excuses aside, following are some additional thoughts from the trip.
If company executives and engineers cannot trust data coming from the IoT system, then digitalization and its many benefits will not be implemented. It’s in this spirit that Siemens launched the Charter of Trust earlier this year at the at the Munich Security Conference. Since then, several more global companies saw the value of the Charter of Trust, and signed on.
The Charter of Trust then begins with these three goals:
- protecting the data and assets of individuals and businesses;
- preventing damage to people, businesses, and infrastructures;
- building a reliable basis for trust in a connected and digital world.
We were introduced to several companies who have joined the Charter of Trust, visiting their sites, and discussing various aspects of cyber security.
Harry Brian, Business Development Manager, Industry Security Services, Siemens, gave us a Siemens background. “As we see attacks in the wild that are specifically crafted for PLCs and safety systems, no one can ignore the relevance and the urgency,” he told us. In addition, companies also must comply with numerous industrial security regulations and standards all over the world. “Help lies in a concept called defense in depth and is to be found in the IEC 62443 – the standard for IT security for Industrial Automation and Control Systems. Siemens has been addressing the cyber challenge for decades and is employing innovation and technology for anomaly detection and vulnerability monitoring and reporting with MindSphere.”
We stopped at NXP’s office in Munich. NXP has signed on to the Charter of Trust. The first discussion dove into autonomous driving, the convergence of AI and IoT, with Lars Reger, Automotive Chief Technology Officer and Wolfgang Steinbauer, VP, Head of the NXP Innovation Center Crypto and Security.
“The paradigm shift that comes with the convergence of AI and the IoT, will be even greater than the one we have witnessed with the introduction of the personal computer or the mobile phone,” they told us. “Effective security, based on the guiding principles of security and privacy by design, will be crucial to mitigate against the risks that come with it. Cybersecurity and data privacy aspects are paramount to generate trust, particularly so in critical future applications in smart traffic and autonomous driving. People, organizations and entire societies will support this transformation only if the security of their data and networked systems can be ensured.”
The Charter of Trust, they noted, defines what it means to trust along with security levels.
We stopped next in our tour of Munich at TÜV Süd, and a discussion with Andy Schweiger, Cybersecurity section Chief Executive Officer. For Americans not familiar with the organization, it is somewhat analogous to UL.
The news here is that TÜV Süd is developing a cyber security consulting practice and has been on a hiring spree adding to its staff.
The next stop was a tour of the IBM Watson IoT Center. Here IBM brings together developers, consultants, researchers and designers to drive state-of-the-art collaborative innovation with SMEs and start-ups, government, schools and universities and investors.
Speakers stressed the importance of involving governments in industrial cyber security work. Supply chains require careful consideration establishing risk-based rule for protection across all IIoT layers with clearly defined and mandatory requirements. There are many avenues for intrusions. They brought up the case of a hacker getting into a system through a smart lightbulb.
Finally came a tour of Allianz Stadium, home of the Bayern Munich Football Club where Siemens has a strong technology partnership.
The partnership includes energy, building infrastructure, mobility and security.
Fire prevention: Allianz Arena has a maximum protection against fire. Numerous fire detectors and sprinkler heads are located throughout the stadium: 4,600 fire detectors, 1 sprinkler head per 4 visitors (about 140 times more than fire-fighters per inhabitant in a German city), 3 water reservoirs with a total volume of 1,200 m3 in each sprinkler and hydrant centre.
Energy Management: Energy supply (introduction via screen inside the stadium) – new video wall quadruples the energy consumption in comparison to previous video wall. Supply through two transformer stations of the Stadtwerke Munich (municipal utilities) (capacity about 12 MW), peek-capacity on a match-day is about6 MW, which equals the consumption of a smaller town. Plans include a complete microgrid solution by Siemens, from power generation and storage through distribution, including monitoring.
Traffic Control: Siemens solutions (camera-system for the surveillance of traffic routes) around suburban traffic vehicles and traffic telematics ensure that all fans reach the stadium safely and on-time. Siemens traffic management systems regulate the flow of traffic on the motorways near the stadium. Video surveillance: Siemens security concepts and technologies are optimally adapted to the large visitor flow in the Arena. A video system with 90 cameras, records images that can be used by law enforcement.
Every professional soccer stadium has an experienced greenkeeper who cares for the sacred turf. And now, for the first time, the greenkeeper at the Allianz Arena will be assisted by an application. It’s being made possible by MindSphere, the open IoT operating system, and software developers at evosoft. The FC Bayern Greenkeeper App will now assist the greenkeeper and give the grass a voice. Sensors gather data and send it to MindSphere. The MindSphere application then evaluates the data and converts it into action recommendations. Water more. Expose the grass to stronger or longer light. Start the lawn heating or turn it down.These kinds of recommendations require a huge amount of data: light, temperature, humidity, the lawn’s salt content, wind, the chlorophyll content of the blades of grass. All this data is supplied by sensors installed on the field by the Dutch stadium lighting expert SGL, allowing its customers to monitor the lighting of their lawn. Current weather data and forecasts are also fed into the system. The data from the playing field is delivered to the collector box once per minute. MindSphere evaluates the data, formulates action recommendations, and converts both into clear diagrams. The greenkeeper keeps an eye on the turf via a smartphone – and he’s immediately provided with specific action recommendations.
Digitalization breeds the need for data and connected devices. Trusted connections and data are required for success. Siemens invited a diverse group of press, analysts, podcasters, and bloggers to Munich this week (November 26-28) to discuss cybersecurity and the Charter of Trust.
I will use the words of Siemens below to discuss the rationale for the Charter of Trust. However the idea is that if users cannot trust their data and connections, they will never go further into digitalization and therefore not realize the anticipated benefits.
Some of the analysts and others in the conference had trouble understanding how something seemingly vague and not specifically standards-based would work. I think they missed the point. First, standards are good, but they take a long time to develop. What was needed was not another new standard. What is needed is for many companies to agree to a set of principles and then commonly work toward them for the mutual benefit of the industry, users, and society.
Eva Schulz-Kamm, Global Head of Government Affairs at Siemens AG, and Rainer Zahner, Global Head of Cybersecurity Governance at Siemens told us the digital world is changing everything. Billions of devices are connected by the Internet of things. That holds great potential for everyone, but also great risk. The risk of exposure to cyber-attacks. The risk of losing control over the systems that run our infrastructures. Cybersecurity is therefore crucial to the success of our digital economy – because only if the security of data and networked systems is guaranteed will people actively support the digital transformation. Then explained why Siemens has initiated the Charter of Trust.
Siemens’ 171 years of experience have also shown that the best way to make a lasting difference isn’t as one company, but as an industry – not only as one nation, but as part of a global community. In modern history, competitor businesses have forged standards together that have carried the world from one industrial revolution to the next – including the unfolding digital transformation of industry. Countries without clear-cut geopolitical alliances have come together to forge cross-border agreements that grow trade and advance peace.
It’s in this spirit that Siemens launched the Charter of Trust earlier this year at the at the Munich Security Conference, a longstanding forum for business and government leaders to discuss geopolitical issues. Since then, several more global companies saw the value of the Charter of Trust, and signed on. These companies committed to create the first-of-its-kind global alliance focused on answering a very important question: How do we secure critical infrastructure – from our factories to our power grids – in the digital age?
We also are carrying an important message together: that when we talk about security today, it isn’t just about diplomacy and resolving military conflicts – it is increasingly about cyber attacks that seek to undermine our democratic and economic values.
The Charter of Trust then begins with these three goals:
- protecting the data and assets of individuals and businesses;
- preventing damage to people, businesses, and infrastructures;
- building a reliable basis for trust in a connected and digital world.
“We know at the outset that a one-size fits all approach won’t work. We have instead agreed to 10 principles – from ensuring the highest levels of responsibility for cybersecurity within every company, to securing supply chains, products, and working with governments. Together, we will develop and continuously improve coordinated strategies and shared standards to protect critical infrastructures, public facilities and private companies.”
Charter of Trust members: The AES Corporation, Airbus, Allianz, Atos, Cisco, Dell Technologies, Enel, IBM, Munich Security Conference, NXP Semiconductors, SGS,. Deutsche Telekom, Total and TÜV SÜD.