Real-Time Cyber Attack Detection for SCADA Devices

SCADA devices and networks remain a prime target for cyber attacks. Everything I’ve written has approached cybersecurity from a different angle. This is the first solution that has come my way that uses a deception approach.

Attivo Networks announced Dec. 7, 2015 a release of its deception-based Attivo BOTsink solution that provides continuous threat detection on Industrial Control Systems (ICS) SCADA devices used to monitor and control most manufacturing operations as well as critical infrastructure such as natural gas, oil, water, and electric power distribution and transmission systems around the world. Cyberattacks on these targets can and have resulted in disruption of critical local, regional, and national government and commercial infrastructures. As a result, when they are breached, the impact on societies they serve stands to be catastrophic.

According to a study by the Pew Internet and American Life Project, 60 percent of the technology experts interviewed believe that a major cyberattack will happen. The damages to property and ensuing theft will amount to tens of billions of dollars, and the loss of life will be significant.

Scalable SCADA protection

“We are proud to be the first in the industry to provide customers a globally scalable, deception-based threat detection solution for SCADA protection,” emphasizes Tushar Kothari, CEO of Attivo Networks. “Many of our customers from the energy industry have requested the extension of our Attivo Deception Platform into their production and manufacturing control networks so they can get real-time visibility and the ability to promptly identify and remediate infected devices. As one stated, ‘a breach on those networks can be catastrophic and Attivo wants to do everything we can to prevent a disaster or risk to lives.”

SCADA systems were originally designed to monitor critical production processes without consideration of security consequences. Security was generally handled by keeping the devices off the network and the Internet using “air gaps”, where malware could only be transmitted via the thumb drives used by technicians. However, vulnerable SCADA systems are today increasingly being connected to the corporate IT infrastructure and the Internet, making them easily accessible to a remote attacker.

Examples of this are the Sandworm malware that attacked the telecommunications and energy sectors, the Havex malware that infected a SCADA system manufacturer, and the BlackEnergy malware that attacks ICS products manufactured by GE, Siemens, and Advantech. These attacks primarily targeted the operational capabilities of these facilities. With the increased maliciousness and sophistication of malware, concerns are now escalating to fears of an irreversible disaster.

Situational awareness

“Industrial systems have increasingly come under scrutiny from both attackers and defenders,” said Chris Blask, Chair of the Industrial Control System Information Sharing and Analysis Center (ICS-ISAC). “Situational awareness is the focus of the ICS-ISAC and its membership, including the ability for asset owners to detect and respond to incidents on their systems.”

These devices generally have long lifecycles, creating an exposed environment of equipment that is less hardened and patched infrequently. Additionally, because of their critical functions, SCADA devices cannot be taken offline frequently or for any length of time. This, along with costs that can run into the millions for every hour the network is offline, has made patching very difficult, often as infrequent as once a year, leaving many industrial facilities open to attack. These risks are quite large considering that these devices are found everywhere: in electrical facilities, food processing, manufacturing, on board ships, transportation and more.

“Companies operating in critical infrastructures like energy, utilities, nuclear, oil and gas know that they are not only vulnerable to the same security issues faced by most enterprises, they have the added enticement as a rich target for cyber terrorism,” stated Tony Dao, Director Information Technology, Aspect Engineering Group. “They recognize that securing their industrial control processes is not only critical to them, but to the institutions they serve. A loss would not only have repercussions throughout their economic sector but throughout the entire economy.”

The vulnerabilities begin with the use of default passwords, hard-coded encryption keys, and a lack of firmware updates, which pave the way for attackers to gain access and take control of industrial devices. Traditional perimeter-based solutions are designed to detect attacks on these devices by looking for suspicious behavior that matches known signature patterns. SCADA supervisory systems are computers running ordinary Windows operating systems and are susceptible to zero-day attacks, for which there are no known signatures or software patches. Several vulnerabilities also exist in the standard and proprietary protocols used by logic controllers. Popular protocols include MODBUS (supervision and control), DNP3 (energy and water), BACnet (building automation), and IPMI (baseboard management control).

Deception technology

Attivo Networks takes a different approach to detecting cyber attacks on ICS/SCADA devices. Instead of relying on signatures or known attack patterns, Attivo uses deception technology to lure attackers to a BOTsink engagement device. Customers have the flexibility to install their own Open Platform Communications (OPC) software while running popular protocols and PLC devices on the BOTsink solution, making it indistinguishable from production SCADA devices. This provides real-time detection of bots and advanced persistent threats (APTs) that are conducting reconnaissance to mount attacks on critical facility and energy networks. Additionally, BOTsink forensics capture information including new device connections, issued commands and connection termination, enabling administrators to study the attacker’s tools and techniques and to identify infected devices that need remediation.
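A minimal sketch of the kind of decoy the paragraph describes, added here as an example (it is not Attivo’s code and not part of the original post): a Modbus/TCP listener that answers like a PLC and records each new connection, each issued command and the connection termination as forensic events. The listening port, the peer address format and the severity labels are assumptions; the sample frames in the test are constructed.

```python
import socket
import struct
from collections import namedtuple
from datetime import datetime, timezone
from typing import List, Optional
# Modbus public function codes the decoy understands (a subset of the spec).
FUNCTION_NAMES = {1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
                  4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
                  15: "Write Multiple Coils", 16: "Write Multiple Registers"}
WRITE_FUNCTIONS = {5, 6, 15, 16}
# Forensic record; kind is connect/command/disconnect. Severity labels are constructed here.
DecoyEvent = namedtuple("DecoyEvent", "time peer kind severity detail")

def parse_modbus_tcp(frame: bytes) -> Optional[dict]:
    """Parse one Modbus/TCP ADU (7-byte MBAP header + PDU); None if malformed."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:   # proto id is 0; length = unit id + PDU
        return None
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}

def describe(pdu: dict) -> tuple:
    """Return (severity, readable description); any contact with a decoy is at least medium, writes rank high."""
    fc, data, unit = pdu["function"], pdu["data"], pdu["unit"]
    name = FUNCTION_NAMES.get(fc, "unknown function 0x%02x" % fc)
    if fc in (1, 2, 3, 4, 5, 6) and len(data) >= 4:
        addr, val = struct.unpack(">HH", data[:4])
        detail = "%s unit=%d addr=%d %s=%d" % (name, unit, addr, "value" if fc > 4 else "count", val)
    else:
        detail = "%s unit=%d payload=%s" % (name, unit, data.hex())
    return ("high" if fc in WRITE_FUNCTIONS else "medium"), detail

def build_reply(pdu: dict) -> bytes:
    """Answer like a live PLC: zeros for reads, echo for single writes, exception 0x01 otherwise."""
    fc, data = pdu["function"], pdu["data"]
    if fc in (1, 2, 3, 4) and len(data) >= 4:
        count = struct.unpack(">H", data[2:4])[0]
        nbytes = (count + 7) // 8 if fc in (1, 2) else 2 * count
        body = bytes([fc, nbytes]) + bytes(nbytes)      # all-zero coil/register values
    elif fc in (5, 6) and len(data) >= 4:
        body = bytes([fc]) + data[:4]                    # echo address and value
    else:
        body = bytes([fc | 0x80, 0x01])                  # Illegal Function exception
    return struct.pack(">HHHB", pdu["tid"], 0, len(body) + 1, pdu["unit"]) + body

def record_session(peer: str, frames: List[bytes], events: List[DecoyEvent]) -> List[bytes]:
    """Log connect, each command and disconnect for one session; return the replies."""
    now = lambda: datetime.now(timezone.utc).isoformat()
    events.append(DecoyEvent(now(), peer, "connect", "medium", "new device connection to decoy"))
    replies = []
    for frame in frames:
        pdu = parse_modbus_tcp(frame)
        if pdu is None:
            events.append(DecoyEvent(now(), peer, "command", "high", "malformed frame " + frame.hex()))
            continue
        severity, detail = describe(pdu)
        events.append(DecoyEvent(now(), peer, "command", severity, detail))
        replies.append(build_reply(pdu))
    events.append(DecoyEvent(now(), peer, "disconnect", "medium", "connection terminated"))
    return replies

def serve(events: List[DecoyEvent], port: int = 5020) -> None:
    """Listen like a PLC, one session at a time (5020 avoids needing root); assumes one ADU per recv()."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen()
        while True:
            conn, addr = srv.accept()
            frames, first = [], len(events)
            with conn:
                while buf := conn.recv(260):
                    frames.append(buf)
                    pdu = parse_modbus_tcp(buf)
                    if pdu is not None:
                        conn.sendall(build_reply(pdu))
            record_session("%s:%d" % addr, frames, events)
            print(*events[first:], sep="\n")
```

Because no production system has any reason to talk to the decoy, every event it records is worth forwarding to the SIEM; the severity field only orders the triage.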

The Attivo SCADA solution is provided through a custom software image that runs on its BOTsink appliance or virtual machine. SCADA BOTsink deployment and management are provided through the Attivo Central Manager, which provides global central device management and threat intelligence dashboards and reporting.

“To a significant degree, the growing security problems impacting industrial control systems have originated from the fact that ICSs are increasingly less and less isolated from outside networks and systems, and ICSs are now more susceptible and vulnerable to attacks,” comments Ruggero Contu, Research Director at Gartner in his Market Trends: Industrial Control System Security, 2015 report. “At the heart of this change is the demand to integrate enterprise IT systems to operational technology, and for remote connectivity.”

Check out this white paper: Dynamic Deception for Industrial Automation and Control Systems.

ODVA Enhances EtherNet/IP Industrial Networking Specifications

Katherine Voss, president and executive director of ODVA

ODVA announced several enhancements to its EtherNet/IP and CIP specifications during the SPS IPC Drives Trade Fair in Nuremberg. The first relates to cybersecurity. The second involves time-sensitive networking.

ODVA announced that it has achieved a milestone with the pending publication of a new volume in its specifications specifically dedicated to cybersecurity. This body of work will be released under the name of CIP Security and will join the family of distinctive CIP services which includes CIP Safety, CIP Energy, CIP Sync, and CIP Motion. CIP Security will be initially applicable to EtherNet/IP.

Because EtherNet/IP relies on commercial-off-the-shelf (COTS) technologies for Ethernet and the Internet, users have been able to deploy traditional defense-in-depth techniques in EtherNet/IP systems for some time, explained by ODVA as early as 2011 in its publication “Securing EtherNet/IP Networks.” CIP Security will help users take additional steps to protect their industrial control systems with industry-proven techniques for securing transport of messages between EtherNet/IP devices and systems and thus reduce their exposure to cybersecurity threats.

The initial release of CIP Security includes mechanisms to address spoofing of identity, tampering with data and disclosure of information. Mechanisms supported in the initial release of CIP Security include device authorization, integrity of message transport and confidentiality of messages. To support these mechanisms, ODVA has adapted encryption standards from the Internet Engineering Task Force (IETF) for encryption based on Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS), and authentication based on the X.509v3 standard for certificate handling. Details of ODVA’s initial implementation of CIP Security and the outlook for the future were presented in a technical paper at ODVA’s 2015 Industry Conference and 17th Annual Meeting of Members.

“The publication of the volume dedicated to cybersecurity in The EtherNet/IP Specification is the next step in providing users with methods to help them manage threats and vulnerabilities in EtherNet/IP systems,” said Katherine Voss, ODVA president and executive director. “Following this publication will be the realization of the mechanisms provided by CIP Security in ODVA CONFORMANT EtherNet/IP products.”

ODVA’s focus on cybersecurity is not only a function of increased emphasis on cybersecurity for industrial control systems but also because of the widespread adoption of EtherNet/IP in a broad range of applications from manufacturing to critical infrastructure. As a result of the breadth of applications, the next edition of The EtherNet/IP Specification will expand support for IEC 62439-3 “Industrial communication networks – high availability automation networks – part 3” to include High Availability Seamless Redundancy (HSR) in addition to Parallel Redundancy Protocol (PRP). HSR is commonly used in electrical substation automation as specified in IEC-61850. Other high reliability techniques supported in The EtherNet/IP Specification include Rapid Spanning Tree (RSTP) and Device Level Ring (DLR).

Other ODVA Industrial Networking News

One area of focus will be the adaptation of certain emerging standards for Time-Sensitive Networking (TSN) to EtherNet/IP. In particular, ODVA will create enhancements to The EtherNet/IP Specification for frame preemption and stream reservation based on the standards being defined in the IEEE-802.1 projects. ODVA’s adaptation of TSN technologies is a straightforward evolution of the EtherNet/IP technology, which relies on commercial-off-the-shelf (COTS) technologies for Ethernet and the Internet to solve demanding applications in industrial automation. Users of EtherNet/IP will be able to realize performance improvements in systems using EtherNet/IP by as much as two orders of magnitude by combining TSN with existing standards already included in The EtherNet/IP Specification, such as Quality of Service, Gigabit Ethernet and CIP Sync — ODVA’s adaptation of IEEE-1588.

To complement the adoption of EtherNet/IP in a diverse range of industries and applications, ODVA is expanding CIP to include data models to facilitate the exchange of application information within EtherNet/IP systems and between EtherNet/IP systems and supervisory systems which may or may not use EtherNet/IP. One application area where specification enhancements are underway is the adaptation of the recommendations in NAMUR NE-107 “Self-monitoring and Diagnosis of Field Devices” to the data format and access methods needed to retrieve such process data from EtherNet/IP field devices. Another application area where enhancements to the ODVA specifications are expected in 2016 is the inclusion of a machine data model and services for machine-to-supervisory communications. By instantiating standards for application data models for process field devices and machinery, EtherNet/IP will provide yet another way for users to decrease their reliance on proprietary implementations by using vendor-independent standards designed for multi-vendor interoperability.

ODVA is now expanding The EtherNet/IP Specification to include standards for the integration of data between EtherNet/IP and HART and IO-Link. Joining the already-published integration of data between EtherNet/IP and Modbus-TCP, these standards will allow users to accelerate their progress towards a converged network architecture.

“Because EtherNet/IP is based on commercial-off-the-shelf technologies and uses widely accepted standards from the Ethernet and Internet, EtherNet/IP is now a major industry catalyst for the realization of the Industrial Internet of Things,” said Katherine Voss, ODVA president and executive director. “The enhancements to EtherNet/IP that are underway for 2016 are at the forefront of innovations that are driving the future of industrial automation toward the fourth industrial revolution.”

Industrial Automation Open Integration Program Launched

Here is an industrial automation announcement from the recent SPS IPC Drives trade fair held annually in Nuremberg, Germany. This one discusses a new open integration, some say interoperability, program based upon open standards.

This blog has now completed eight years—through three names and domains: Gary Mintchell’s Radio Weblog, Gary Mintchell’s Feed Forward, and now The Manufacturing Connection. Through these eight years one consistent theme is advocating for what I believe to be the user’s point of view—open integration.

Users have consistently (although unfortunately not always vocally) expressed the view that, while they love developing a strong partnership with preferred suppliers, they also want to be able to connect products from other suppliers as well as protect themselves by leaving an “out” in case of a problem with the current supplier.

The other position contains two points of view. Suppliers say that if they can control all the integration of parts, then they can provide a stronger and more consistent experience. Customers worry that locking themselves into one supplier will enable it to raise prices and that it will also leave them vulnerable to changes in the supplier’s business.

With that as an introduction, this announcement came my way via Endress+Hauser. That company is a strong measurement and instrumentation player as well as a valued partner of Rockwell Automation’s process business. The announcement concerns the “Open Integration Partner Program.”

I’m a little at a loss to describe exactly what this is—other than a “program.” It’s not an organization. Rather its appearance is that of a memorandum of cooperation.

The program promotes the cooperation between providers of industrial automation systems and fieldbus communication. To date, eight companies have joined the program:
AUMA Riester, HIMA Paul Hildebrandt, Honeywell Process Solutions, Mitsubishi Electric, Pepperl+Fuchs, Rockwell Automation, R. STAHL and Schneider Electric.

“By working closely with our partners, we want to make sure that a relevant selection of products can be easily combined and integrated for common target markets,” outlines Michael Ziesemer, Chief Operating Officer of Endress+Hauser. This is done by using open communication standards such as HART, PROFIBUS, FOUNDATION Fieldbus, EtherNet/IP or PROFINET and open integration standards such as FDT, EDD or FDI. Ziesemer continues: “We are open for more cooperation partners. Every market stakeholder who, like us, consistently relies on open standards is invited to join the Open Integration program.”

Reference topologies are the key

Cooperation starts with what are known as reference topologies, which are worked out jointly by the Open Integration partners. Each reference topology is tailored to the customers’ applications and the field communication technologies used in these applications. “To fill the program with life in terms of content, we are going to target specific customers who might be interested in joining us,” added Ziesemer.

Depending on industrial segment and market, the focus will be on typical requirements such as availability, redundancy or explosion protection, followed by the selection of system components and field instruments of practical relevance. This exact combination will then be tested and documented before it is published as a joint recommendation, giving customers concrete and successfully validated suggestions for automating their plant.

Ziesemer adds: “With this joint validation as part of the Open Integration, we go well beyond the established conformity and interoperability tests that we have carried out for many years with all relevant process control systems.”

Power Grid Storage Standards

New power generation technologies will only be optimized when high-capacity storage becomes a reality. You never know when or where you might learn about advances.

Consider this example of always remaining open toward gaining new knowledge and contacts. My wife and I were at breakfast in a Napa Valley Bed and Breakfast on vacation last September. We began a conversation with another couple about our age regarding which winery tours might be best.

The man asked me what I did. “Write about industrial technology and applications.” You might be interested in this, he replied. Turns out he was an electrical power utility general manager and had become involved with a standards initiative–MESA. No, not the MESA (MES Association) that I’m involved with. This one develops standards for connecting to energy storage. This area holds immense importance for the future of the power grid.

Storage Standards Association

So he shared some contact information and connected me with the association. I’ve talked with people there and am sharing some information from the Website to introduce this important initiative. Expect more in the future.

(All of this information comes from the Website.)

Why MESA?

Grid-connected energy storage promises large potential benefits. And yet, before safe, affordable energy storage can deliver on its promise, electric utility customers and their suppliers must solve significant problems. Many of these problems boil down to lack of standardization.

Standards are required for any technology to be deployed at scale. The personal computer industry grew from a few to millions of units per year, while dramatically improving price-performance, based on standards for its software and hardware components. Like other industries, the energy storage industry needs to organize for scale, based on a cohesive industry vision and technology standards.

MESA Standards clear barriers to growth in energy storage. By making standard connections between components possible, MESA frees utilities and vendors to focus on delivering more cost-effective electricity to more people.

Today’s Problem

Current utility-grade energy storage systems (ESS) are project-specific, one-off solutions, built using proprietary components that are not modular or interoperable. Connecting these proprietary systems with key utility control software such as SCADA platforms is cumbersome and time-consuming.

Before an ESS can function, the batteries, power converters, and software that make up the ESS must be intelligently “plugged into” each other and the electrical system. Then the ESS as a whole must be intelligently plugged into the utility’s existing information and operations technology. Without established standards, components and systems offer their own proprietary connectors, and the process of plugging them together must be repeated for each new project.

Time, Money, Safety

Connecting the proprietary pieces can result in a motley collection of custom interfaces, or “kludges,” designed to address vendor-specific hardware. Creating such systems is a complex process that comes with its own heavy baggage:

  • High project costs, and decreased reliability and safety.
  • Component vendors tempted to stretch their expertise and offer a complete ESS solution, losing focus on their own core competency. Instead of developing innovative, best-of-breed components—such as a better, cheaper battery—these vendors simply re-invent yet another proprietary wheel.
  • One-off, proprietary solutions that are inflexible, not easily scaled, and have limited operational control. The utility customer becomes dependent on a single ESS supplier, with few options to upgrade, expand or re-purpose their energy storage investment.

Despite willing buyers (electric utilities) and willing sellers (battery, power converter, and software suppliers), market growth is limited. Significant opportunities – for example, the potential for broad deployment of standardized ESS configurations at many utility substations – are beyond the industry’s reach in its current form.

To fully enable broad deployment of grid-connected storage, and grow the market for all, standards are required to address these limitations.

The MESA Solution

Modular Energy Storage Architecture (MESA) is an open, non-proprietary set of specifications and standards developed by an industry consortium of electric utilities and technology suppliers. Through standardization, MESA accelerates interoperability, scalability, safety, quality, availability, and affordability in energy storage components and systems.

Key MESA Goals:

  • Standardize communications and connections, which will accelerate interoperability and scalability.
  • Give electric utilities more choice by enabling multi-vendor, component-based ESS.
  • Reduce project-specific engineering costs, enabling a more robust energy storage market.
  • Enable technology suppliers to focus on their core competency, facilitating quality, safety, and cost-effectiveness.
  • Reduce training costs and improve safety for field staff through standardized procedures for safety and efficiency.

Software Configurable Ethernet IO Module with Embedded Cyber Security

Bedrock Automation extends to the industrial Ethernet domain its commitment to deliver “Simple, Scalable and Secure” automation. The SIO4.E Ethernet I/O module plugs into the Bedrock pinless electromagnetic backplane to receive Bedrock’s patented Black Fabric cyber security protection.

Each of the module’s five I/O channels is independently software configurable. The initial library of Ethernet protocols includes EtherNet/IP; Modbus TCP, OPC UA, and Profinet are slated for future releases via firmware updates. All channels also deliver Power over Ethernet (PoE).

Ethernet as a real-time control variable

Tightly coupling Ethernet into the process control and I/O network enables deployment of a wide range of edge device and enterprise data into real-time control logic, much in the same way an engineer incorporates more typical process sensor and actuator data. This results in real-time communication channels for the exchange of data between OT production and IT enterprise systems.

“Unlike an Ethernet switch traditionally sitting at Purdue levels 3 to 5 with the operations and business networks, the SIO4.E module delivers Ethernet as secure I/O at levels 0 and 1 with the sensor, actuator and process control logic. This collapses the legacy hierarchical ICS model into a simplified and inherently more secure automation architecture. Equally empowering is the deployment of OPC UA on any of the SIO4.E Ethernet I/O channels, opening up a world of opportunity and innovation while reducing all aspects of software lifecycle cost. This is the way of the future,” says Bedrock CTO and Engineering VP, Albert Rooyakkers.

Securing Ethernet I/O

Ethernet is becoming widely adopted for open industrial control system (ICS) applications because it builds on proven, high-speed stacks that have been enhanced for use on industrial devices such as robots, PLCs, sensors, CNCs and other industrial machines. Bedrock secures Ethernet I/O in many ways, including by connecting the FIPS compliant anti-tamper SIO4.E I/O module on a pinless electromagnetic backplane, embedding authentication logic, true random number generation (TRNG) and cryptographic keys into the semiconductor hardware, and by isolating information flow within each channel by way of separation kernel functionality in a secure real-time operating system (RTOS).

“Robust ICS cyber security is just part of the tremendous value that the new Bedrock module brings to process automation,” says Bedrock Automation President Bob Honor. “The fact that each channel can be software configured adds new levels of flexibility and scalability. No other I/O module allows process engineers to program so much communications capability into one system component. We are especially excited about the positive impact for ICS users. That user experience is increasingly configurable and Bedrock uniquely offers the tools and platform to shape it securely to their advantage.”

Pricing and availability

The Bedrock SIO4.E Ethernet I/O module is available at a price of $2000, about the same as a traditional Ethernet IP card. But unlike a typical Ethernet card, the five channel SIO4.E is cyber secure, software configurable for multiple protocols, and has more bandwidth, higher computing power and additional performance advantages.
