Executive Order’s Impact On Embedded Device Security

While I am on a cybersecurity marathon today, here is information about a round table discussion I watched last week. Long-time acquaintance and cybersecurity guru Eric Byers drew my attention. And the event was hosted by old friend Greg Hale of ISSSource. To be honest, I’d never heard of Red Balloon. This was the more intriguing of the press releases I received regarding Biden’s Executive Order on security.

Although this reminds me of a comment in the history of JFK’s presidency by Arthur Schlesinger, Jr., “A Thousand Days”, which I read at university. Kennedy issued an executive order and commiserated with Schlesinger about how nothing really happened because of it. Yep, that’s the way government works. But there is the power of setting the agenda and priorities.

Embedded system cybersecurity provider, Red Balloon Security, and ISSSource.com are teaming up to host a discussion on the effects of industrial security incidents and the Biden Administration’s Executive Order on embedded device security.

With all the ransomware incidents in the news lately, the attention of the industry has focused on the effects on industrial control systems. However, one area that has been overlooked is the critical role embedded devices play. A panel of experts will discuss why embedded devices are critical, what the current state of security is and if the current focus and the executive order are specific enough to drive improvements.

Members of the panel include Ang Cui, Chief Executive at Red Balloon Security and embedded device expert; Eric Byers, Chief Executive at aDolus, software bill of materials (SBoMs) provider for the ICS/OT sector; Ian Crone, former DARPA/I2O Program Manager, and Enrique Salem, Managing Director at Bain Capital Ventures and former Chief Executive of Symantec. The panel will be moderated by Gregory Hale, Editor and Founder of Industrial Safety and Security Source (ISSSource.com). 

The webcast will be June 30 at 4 p.m. Eastern Time.

Hexagon Announces New Version of Cyber Integrity

While I’m on a cybersecurity kick today, following is a news release from Hexagon, which acquired PAS Global a few months ago. PAS had brought its holistic, enterprise-wide view of risk analytics to its OT cybersecurity solution to drive remediation efforts. News release follows.

PAS Global, part of Hexagon, announced the availability of Cyber Integrity 7.2, a leap forward in visualizing, comprehending, and directing resources to mitigate vulnerability risk. As the cyber risk for critical infrastructure and process industries continues to escalate, with recent attacks including the JBS cyberattack impacting OT environments and a war on the country’s infrastructure with 65,000 ransomware attacks in 2020 alone, there has never been a more important time to safeguard these systems.

Within just a few clicks, Cyber Integrity 7.2 uniquely enables users to rapidly identify the highest risk assets, expediently prioritize and select a remediation method while deploying remediation assets and adhere to best practices with closed loop documentation. Cyber Integrity 7.2 provides the following capabilities:

● Reduces the attack surface and quickly conducts remediations in the order that reduces the greatest risk.

● Develops an enterprise-wide, holistic image of vulnerability risk and develops enhanced risk-based decision-making.

● Maintains situational awareness of the attack surface and vulnerability severity, aging and propagation paths as they relate to known weaknesses in the infrastructure.

● Rapidly identifies locations in the environment with the highest number of vulnerabilities while simultaneously considering the patching level of various assets.

● Instantly reviews meaningful and actionable data regarding patches and upgrades paths providing the highest value.

“We are excited to launch Cyber Integrity 7.2 to provide the industry’s best situational awareness and rapid remediation of vulnerabilities,” said Scott Plunkett, Senior Product Owner, Cyber, Hexagon’s PPM division. “While we could previously show vulnerabilities en masse, this version provides much more direction for customers by rapidly uncovering the most critical problems, easily prioritizing those problems and offering automated selection of the most efficacious route to remediation.”

“This is another excellent example from PAS of the practical application of analytics that enable end users to make better decisions about how to address the most pressing and impactful vulnerabilities at the OT level. OT is unique because it incorporates such a diverse range of systems and assets, from decades-old control system platforms to brand new IoT-based systems, containers, and cloud computing. This makes it even harder for end users to achieve a truly holistic view of cyber risk. PAS brings the OT level knowledge to the table to make the holistic view possible, enabling users to make good, actionable decisions to reduce risk quickly across multiple sites,” said Larry O’Brien, Vice President of Research at ARC Advisory Group.

Cyber Integrity 7.2 will be available to new and existing partners today at little to no additional deployment cost. A demo video is available here for more information.

End Users Lack Awareness of Major Cyber Attacks

This survey reveals that most end users in the industry lack awareness of many basic cybersecurity issues. I told the marketing person, “I’m hardly surprised.” But a little data is useful confirmation. Take a hint (although readers of this blog are probably not the problem on either side of the issue).

The news release follows. Note that the many superlatives come from Armis marketing, not me or independent studies.

Armis, the leading unified asset visibility and security platform provider, today released new data uncovering the lack of knowledge and general awareness of major cyberattacks on critical infrastructure and an understanding of security hygiene. The survey of over 2,000 respondents from across the United States found that end users are not paying attention to the major cybersecurity attacks plaguing operational technology and critical infrastructure across the country, signaling the importance of businesses prioritizing a focus on security as employees return to the office. In the past year, 65,000 ransomware attacks occurred in the United States. In other words, approximately 7 attacks per hour, a rate that is expected to continue to rise. As the U.S. looks at its vulnerable industries, the responsibility is falling on businesses to ensure that they are keeping the organization and employees safe and secure.

From the Colonial Pipeline attack shutting down services, to the Florida Water Facility hack endangering the water supply, to the ransomware attack on JBS, which could raise meat prices and also restrict access to necessary nutrients in developing countries — the impact of cyber attacks on our critical infrastructure has been evident. We’ve also seen ransomware hit healthcare in a major way, with attacks on Scripps Health’s technology systems and a chain of Las Vegas hospitals. Despite the spotlight on these attacks, the data shows that many consumers are simply not taking notice — and the responsibility of security falls on the businesses themselves.

As the risk of attack continues to rise, and businesses move toward a hybrid in-office/work from home model, it is imperative that businesses are considering security and ensuring the proper policies and protections are in place. Thinking critically about security early on, and weaving it into your company’s everyday practices, can be the difference-maker as employees return to the office.

“The attacks on our critical infrastructure are clear evidence of the need for cybersecurity and assurance to all our utility providers and players,” said Curtis Simpson, CISO at Armis. “It is also an unfortunate example of the huge vulnerability of an aging infrastructure that has been connected, directly or indirectly, to the internet. Organizations must be able to know what they have, track behavior, identify threats, and immediately take action to protect the safety and security of their operations. This data shows that there is less consumer attention on these attacks than we might expect, and so that responsibility falls to businesses to shore up their defenses.”

Key Findings of the Survey include:

● Education and Awareness Of Cyberattacks Is Still Lacking: Despite these major attacks making headlines on the national stage, respondents showed a lack of awareness of these attacks and their impact on consumers and businesses. Over 21% of respondents have not even heard about the cyberattack on the largest U.S. fuel pipeline, and almost half (45%) of working Americans did not hear about the attempted tampering of Florida’s water supply.

● The Severity Of The Attacks Is Not Sticking: Despite the complete shutdown of the Colonial Pipeline following the attack, and the halting of production at JBS, consumers don’t see the lasting effects of these attacks. 24% of respondents believe that the Colonial Pipeline attack will not have any long-lasting effects on the U.S. fuel industry.

● Healthcare Could be The Next Frontier For Hackers: According to a commissioned study conducted by Forrester Consulting on behalf of Armis, 63% of healthcare delivery organizations have experienced a security incident related to unmanaged and IoT devices over the past two years. Yet today’s data shows that when it comes to device security, over 60% of healthcare employees believe that their personal devices do not pose any security threat to their organization. What’s more, 26% said that their companies do not have any policies in place to secure both work and personal devices.

● Employees are Putting Businesses at Risk Through Devices: As COVID restrictions begin to lighten, enterprises are starting to talk about the return to the office, but as we go back, businesses need to be thinking about overall enterprise security, especially as employees have expressed their intention to continue some potentially risky habits. The data shows that over 71% of employees intend to bring their WFH devices back to the office, with over 82% of that group being IT professionals, whose main job function is to ensure the security of the organization. Despite the risks prevalent, 54% don’t believe their personal devices pose any security risk/threat to their organization.

Methodology

Censuswide conducted the survey on behalf of Armis of more than 2,000 professionals in various industries from across the United States in May 2021.

Armis is the leading unified asset visibility and security platform designed to address the new threat landscape that connected devices create. Fortune 1000 companies trust our real-time and continuous protection to see with full context all managed, unmanaged, and IoT devices, including medical devices (IoMT), operational technology (OT) and industrial control systems (ICS). Armis provides passive and unparalleled cybersecurity asset management, risk management, and automated enforcement. Armis is a privately held company and headquartered in Palo Alto, California.

Coalition for Open Process Automation Launches COPA QuickStart

The Open Process Automation Forum has made progress over the past few years. You can see a chain of reports and thoughts I’ve written over that time. These ideas remind me of a phrase we had amongst the graduate assistants when I was in grad school (we were all political philosophy majors), “Operationalize your eschaton!” Or, in the words of Wendy’s restaurants, “Where’s the beef?” Is anything practical going to evolve from all this standards work?

Then an organization called “Coalition for Open Process Automation” contacted me with information about its formation, members, and, best of all, certified products. This is a giant step forward. Check out the press release and website.

The Coalition for Open Process Automation (COPA) is pleased to announce the launch of COPA QuickStart to accelerate the adoption of Industrial Control Systems (ICS). This is aligned with The Open Group O-PAS Standard, a “standard of standards” for industrial process automation developed by the Open Process Automation Forum (OPAF).

COPA is a diverse group of leading IT and OT technology companies, led by innovative newcomers Collaborative Systems Integration of Austin, Texas and CPLANE.ai of Silicon Valley, California. Its partners include veteran industry leaders such as Phoenix Contact, R. Stahl, Supermicro, Nova SMAR, and CODESYS. With the release of COPA QuickStart, the Coalition is applying years of research, collaboration, and investment by members of OPAF to bring ICS systems to market that are built on industry standards for open, secure, and interoperable architectures.

Securing ICSs from ransomware attacks and state-sponsored hacking is now one of the top priorities of governments and corporations. These cybersecurity issues, along with outdated and crumbling infrastructure, add to the imperative to increase value generation and reduce total cost of ownership through digital transformation. The first step in digital transformation for industrial manufacturers is Open Process Automation.

The COPA partner companies have engineered COPA QuickStart to incorporate components and technologies from multiple vendors into a single, advanced, and cohesive ICS. The COPA QuickStart system is the catalyst for industrial manufacturers to accelerate their adoption of state-of-the-art ICS systems that greatly improve security, flexibility, and profitability of their operations.

Industrial manufacturers can no longer take a “wait and see” approach to adopting modern and open control systems into their manufacturing operations. Until now, there have been no open control system products available for companies to buy. The COPA QuickStart system provides the critical first step in helping industrial manufacturers to start learning, proving, and adopting open architecture ICS solutions into their operations.

Don Bartusiak, who is known widely as the “Father of Open Process Automation,” previously served as ExxonMobil’s Chief Engineer for Process Control. He said, “industrial manufacturers have repeatedly told me that if O-PAS Standard aligned systems were available, they would buy them. The COPA QuickStart system is our answer to that challenge.” Dr. Bartusiak’s company, Collaborative Systems Integration (CSI) is the systems integrator for the COPA QuickStart offering.

The COPA QuickStart system is designed to accelerate the innovation efforts of leading industrial manufacturers, allowing them to realize the benefits of open systems sooner. The system includes:

● A pre-packaged industrial control system, aligned with the O-PAS Standard and carefully engineered with best-of-breed components from Phoenix Contact, R. Stahl, Nova SMAR, Supermicro, CPLANE.ai, CSI, and CODESYS.

● CPLANE.ai’s Fusion management software for seamless automation and orchestration across the entire life-cycle of an industrial control system from startup to operate to evolve. CPLANE.ai Fusion leverages capabilities engineered by Intel and is powered by Intel Edge Controls for Industrial.

● The Advanced Computing Platform, built by Supermicro and powered by Intel Xeon D processors installed in a versatile short-depth 1U chassis.

● Advanced digital technologies demonstrating the value of new capabilities such as fast-cycle Model Predictive Control, Reinforcement Learning Control, AI, and advanced cybersecurity.

● Hands-on training modules allowing engineers and executives to rapidly gain a deeper understanding of the next-generation control systems and the value they can deliver.

“Powered by Intel Atom x6000E series and Intel Pentium and Celeron N and J series processors with the Intel Edge Controls for Industrial software, the COPA QuickStart will help accelerate the adoption of OPAF-based control systems,” said Richard Kerslake, General Manager of Industrial Controls and Robotics at Intel.

Steve Nunn, CEO and President, The Open Group said: “Through defining and promoting Open Process Automation™, OPAF and COPA are united by a common goal of helping industrial manufacturers accelerate their digital transformation initiatives. The launch of COPA QuickStart coupled with new developments to the O-PAS Standard represents a key milestone in the creation of open, secure, and interoperable architectures, which are critical to the future of industrial process automation systems. We are looking forward to continuing to work with COPA to address industry challenges and drive progress in process automation.”

“COPA QuickStart is the fruit of many years of collaboration by OPAF and COPA members. It is exciting to see the first standards-based open system become commercially available. Open Process Automation is the future, and we are excited to be a catalyst to accelerate that transformation,” shared Bob Hagenau, CEO, CPLANE.ai.

First availability of COPA QuickStart system will be in Q3 of 2021. More information is available at www.copacontrol.org or by contacting CPLANE.ai.

About CPLANE.ai

CPLANE.ai automates the orchestration of distributed edge computing across a diverse landscape of hardware and software components. CPLANE.ai removes the complexity of provisioning, managing, securing, and evolving distributed systems. CPLANE.ai’s intelligent software platform automates the coordination and configuration of policies and procedures across multiple layers of distributed cloud infrastructure.

Manufacturing Reshoring Sets New Record in 2020

As companies grow, they must seek new markets. Necessity pushes these companies to expand internationally. I was a manager in two companies that were not even large but still needed overseas markets in an attempt to survive.

On the other hand, companies begin in one home country that provides access to many things that helped them start and grow. That country has certain vested interests, too.

One of the issues Trump pressed was the feeling that companies had grown too large and too much was taken overseas. He reflected the feeling of many that the US was weakened by these companies’ growth and subsequent expansion of manufacturing jobs overseas.

Meanwhile, Harry Moser and the Reshoring Initiative have been vocal about some companies’ shortsighted financial calculations moving factories from the US to international locations.

That is some background for this press release. I sympathize with both points of view, and I’m sure the pendulum will swing and things will balance. Unless we witness another huge world war.

Reshoring has been hot in June. The U.S. Department of Commerce’s Investment Advisory Council (IAC) reported on June 9 its recommendations, including reshoring of semiconductors and pharmaceuticals. The Reshoring Initiative’s Harry Moser teamed up with TEVA’s Terry Creighton, the driving force on the pharma recommendation, and played a leading role in expanding the focus of IAC to include reshoring in addition to foreign direct investment (FDI). At the meeting, Harry advocated for an even greater focus on reshoring and followed up with Under Secretary Farrell, offering the Reshoring Initiative’s help.

On June 8, 2021, the Biden Administration announced its immediate actions based on Executive Order 14017 “America’s Supply Chains.” The actions include major improvements in self-sufficiency in semiconductor chips, pharmaceuticals, rare earth minerals and electric vehicle (EV) batteries. These emergency actions are needed because we have allowed so many supply chain gaps to develop. The Reshoring Initiative recommends also attacking the root cause: U.S. lack of price competitiveness. 

Despite the economic slowdown caused by COVID, reshoring numbers were up in 2020. Reshoring and foreign direct investment (FDI) job announcements for 2020 were 160,649, bringing the total jobs announced since 2010 to over 1 million (1,057,054). Additionally, the number of companies reporting new reshoring and FDI set a new record: 1,484 companies. All jobs added are good news, but at this rate, it will take 30 years to reach President Biden’s goal of five million jobs. Actions needed to accelerate the trend are presented in the Report.

Top Takeaways from the 2020 Report

  • President Biden is prioritizing reshoring. The gaps in Biden’s plans need to be addressed in order to achieve his goal of returning 5 million more jobs. Details of needed actions are also in our Competitiveness Toolkit.
  • In 2020, U.S. reshoring set a record of 109,000 jobs and outpaced FDI for the first time since 2013. COVID/supply chain uncertainty has resulted in companies emphasizing operations in their home countries.
  • Recent national initiatives to shorten and close supply chain gaps for essential products aim to make the U.S. less vulnerable. The following industries are most likely to benefit: personal protective equipment (PPE), medical, semiconductor chips and defense. Medical equipment and PPE are the first responders of new reshoring and FDI, with 2020 cases up nearly 2,000% and jobs up 400% from 2019.
  • There is continued growth in efforts by Manufacturing Extension Partnerships (MEPs), economic development organizations (EDOs) and states to enable reshoring. The Reshoring Initiative is deeply involved in these efforts with its Import Substitution Program (ISP). As a measure of corporate interest, the demand for this service is more than ten times the rate of 2019. 
  • We anticipate 2021 reshoring and FDI job announcements to be near 200,000, up by at least 25% from 2020.

See the full report: Reshoring Initiative® 2020 Data Report: COVID Drives Cumulative Jobs Announced Past 1 Million

Artificial Intelligence Strategy Board to Lead AI Initiatives for the Association for Advancing Automation

Artificial Intelligence, which is neither artificial nor intelligence, has been around for many years. We knew AI as machine learning (ML) or neural networks. I can remember some classes on those in the early-to-mid 90s. But AI has become a giant marketing buzzword in the industrial tech market.

I’m not downplaying AI as either the technology or the application. It’s just that so many marketers think of AI as a new and giant advancement instead of a maturing technology that has been, and will continue to be, useful to our applications.

Momentum has grown so much about the use of AI—as in no longer hidden under the covers but right out here in the open—that the A3 association has established a strategy board to guide its efforts in the area. Interesting…

The Association for Advancing Automation (A3) has created a new Artificial Intelligence (AI) Technology Strategy Board of leading AI experts, part of a major initiative to promote education and adoption of the applications of artificial intelligence in automation industries.

This new board places AI leadership at the same level as A3’s existing technology groups: robotics, vision & imaging, and motion control & motors. The AI Technology Strategy Board will be comprised of senior executives from leading AI and technology companies. This is the first time the global trade association has added a technology group to its leadership since adding motion control in 2006. A3 represents 1,100 companies from across the automation industry. 

Artificial intelligence is layering atop robotics, vision, motion control, and other automation technologies to create new solutions, great flexibility, and expanding opportunities. Big tech companies—once focused more on phones than factory floors—now view manufacturing, robotics, and industrial automation as key segments of their business.

“Artificial intelligence—in many shapes and forms—will be the stitching that weaves together a new age of industry,” said Jeff Burnstein, president of A3. “As the global trade group of the automation industry, we need to help prepare our members to seize this potential.”

The creation of the technology strategy board is the culmination of a three-year effort to educate and inform automation leaders about the growing importance of artificial intelligence. The board’s chairman is John Lizzi, Executive Leader-Robotics at GE Research, who has chaired and played a leading role in the A3’s AI efforts to date. Companies such as Amazon, GE, Google, Intel, Microsoft, NVIDIA, Siemens and others have helped guide A3’s initiatives. Robert Huschka, A3’s vice president of education strategies, will serve as the association’s liaison to the new board.

Last fall, A3 hosted its first virtual AI conference, the AI & Smart Automation Conference, with more than 1,600 virtual registrants. Last year, A3 released the whitepaper, “Intelligent Automation: 6 AI Applications That Are Changing Industry.” Focused on real-world use cases for AI, the 20-page paper has become the most-read whitepaper in the history of the association. The association’s new website, AUTOMATE.ORG, has devoted an entire section to artificial intelligence. A3 is also set to begin work on new industry-recognized certification programs on AI and autonomous systems.

AI technologies will play a central role at A3’s two major trade shows in 2022, The Automate Show & Conference, June 6-9, in Detroit, Michigan, and The Vision Show, October 11-13, in Boston, Massachusetts.