Bedrock Automation, products built for security from the chips up, had a flurry of activity at the ARC Industry Forum in Orlando last week. It announced a firmware upgrade, OPC UA and partnerships for its SCADA product, and anomaly detection. Here’s a teaser—CEO and Founder Albert Rooyakkers pulled out a new piece of hardware. He didn’t have a release or specs for me, but watch for a new, lower cost, SCADA or gateway device hardened and built with security in mind from the chips up.
Bedrock and OPC UA
Bedrock Automation has published a concise, easy-to-deploy interface specification that enables users and application developers to take advantage of the security capabilities of OPC UA communications software. By following the simple procedures outlined in the Bedrock SCADA Security Platform Specification, developers can upgrade any OPC UA compliant client into a highly secure OPC UA channel, across which users can exchange data between plant floor operations and SCADA applications. Three leading SCADA software developers, Inductive Automation, ICONICS and TATSOFT, are committing and releasing support to the Bedrock interface specification.
“OPC UA provides unique cyber security advantages enabling open communications across numerous industrial devices and applications and providing the end-users options for integrating authentication keys protecting those communications. The most secure OPC level is to authenticate those keys against a known root of trust, which Bedrock supplies via a certificate authority (CA), validated against cryptographic keys built into its controller,” said Thomas J. Burke, OPC Foundation President and Executive Director, adding “Bedrock Automation is a clear leader in supporting the OPC UA standards, and provides information integration and communication that the end users have been demanding.
Bedrock designs and sources its own secure semiconductor components with encryption and authentication technologies embedded at the “birth” of their modules, assembled and tested by Bedrock in their cyber secure supply chain. The unique design then draws on the power and flexibility of public key infrastructure (PKI) and Transport Layer Security (TLS) standards similar to those used to secure ecommerce transactions and military and aerospace electronics. Bedrock Automation then uses those securely embedded keys as the basis for digital certificates that manage access and communication between SCADA applications and control systems. Bedrock Cybershield 3.0 firmware is the first control system to offer an embedded PKI for SCADA applications.
“Such a simple specification demonstrates that Open and Secure SCADA can be deployed today, and that an applications interface does not have to be thousands or even hundreds of pages. We are pleased to be working with innovative SCADA software providers such as Inductive Automation, ICONICS and TATSOFT, to help them and their customers take advantage of the secure communications capabilities of OPC UA and the intrinsic security of the Bedrock platform,” said Rooyakkers.
Bedrock Automation also announced the availability of Cybershield 3.0, a major firmware upgrade with advancements that make it easier for end users and developers to build control applications that are both open and secure. Among the six major innovations facilitated by the Cybershield 3.0 upgrade are the first public key infrastructure (PKI) built into an OPC UA server for SCADA applications; an industrial Certificate Authority (CA) for user key management; virtual crypto key locks for the controller; and a Secure Proxy server capability that can protect legacy controls systems of other vendors.
“Cybershield 3.0 is one of the most significant steps forward since the release of our Bedrock OSA platform. We now support leading SCADA companies in integrating their OPC UA client to our open security and key management tools. In addition, we start our march to converge IT cyber detection technologies into real-time OT automation with our integrated Anomaly Detection (AD) tools built into every controller. We are delivering secure SCADA and AD as intrinsic and zero-cost advancements, focused acutely on ease of use and reductions in lifecycle costs,” said Bedrock founder and CEO Albert Rooyakkers.
Bedrock Cybershield 3.0 includes the following capabilities:
1) Secure Open SCADA with OPC UA. The cryptographic keys built into all the Bedrock system electronics, provide the root of trust for the Bedrock Certificate Authority (CA) that verifies the reliability of OPC UA-managed communications between SCADA and PLCs or other industrial control systems.
2) Open Certificate Authority (CA) for SCADA. This advanced SaaS key and certificate management tool is not only FREE to our customers but is simple to deploy with our Secure SCADA Interface Specification. Leading SCADA providers, including Inductive Automation, ICONICS and Tatsoft, are committing to and releasing support to this interface specification.
3) Intrusion detection. Even though the Bedrock control system has protection built into its core, users still need to know when system security is challenged. Cybershield 3.0 comes standard with intrinsic Anomaly Detection (AD) functionality that continuously monitors the controller’s network and system time to detect intrusions and anomalous behavior and report it to both SCADA and enterprise database applications for trending, alarming and historizing anomalous cyber activity.
4) Quickly Secure Legacy Automation with Secure SCADA. Companies can now use Bedrock security to help integrate open standard communications protocols with legacy PLC and DCS systems from other vendors. A Bedrock secure controller module acts as a gateway between SCADA platform workstation and the legacy controllers.
5) Cryptographic key locking. Cybershield 3.0 also includes a cryptographic controller engineering key lock that permits only users with the required credentials to change the mode of the controller.
6) Achilles and EMP compliance on power supplies. Bedrock Automation is certifying its standalone power supply and standalone uninterruptible lithium power supply to both MiL-STD-461-G, the military standard for advanced EMP hardening, and Achilles Level 2 certification, augmenting the EMP and Achilles certification achieved for its control system modules last year.
“Today’s increasingly connected environment drives the process industries to search for automation solutions that deliver the benefits of open communications with ‘baked in’ cybersecurity. By extending its secure automation technology to third-party software providers, Bedrock Automation addresses this key pain point of future automation requirements. ARC believes the intrinsic and no-cost approach of Bedrock’s cybersecurity strategy is the quintessential component missing in control systems, today,” writes ARC analyst Mark Sen Gupta in his recent report, Bedrock Automation’s Open Secure Automation a “Win” with End Users
Bedrock Open Secure Automation (OSATM) firmware will include intrinsic Anomaly Detection (AD). Bedrock OSA AD will be available as standard integrated functionality that continuously monitors the controller’s network and system time to detect intrusions and anomalous behavior.
“Preventing control system intrusion is fundamental to holistic cyber security. In addition, users need to know when the system security is being challenged. This is the role of anomaly detection. At no additional cost or complexity for the user, Bedrock’s AD delivers additional assurance that no one is tampering with your automation,” said Rooyakkers. Bedrock Anomaly Detection includes the following functionality:
• Dynamic Port Connection Monitoring, which records all attempts to connect any controller or communication point and captures identifying information on the intruder
• Network Port Scanning, which detects if hackers are scanning for open ports that might provide access to the control network
• System Time Monitoring, which detects attepts to manipulate log files to conceal malicious activity
• Cryptographic Controller Engineering Key Lock, which permits only users with valid user credentials to change the configuration and operation mode of the controller and records all access
• Intrusion Event Logging, which records all detected anomalies and reports them to SCADA software through OPC UA and standard database access for historian, alarming, and trending functions. Additionally, a tri-color status LED on the faceplate of Bedrock Controllers provides indication locally whenever an intrusion is detected.
Here is an interesting idea in the manufacturing services meets social media area. Let me know if you use this and how it worked. Volt480, which is dedicated to helping manufacturers recover faster during downtime, announced a new app that quickly connects plant managers with locally available service providers including automation system integrators and industrial electricians through an on-demand marketplace. The Volt480 app also uses machine learning to help solve problems faster.
The value proposition: When equipment fails due to this technology, companies can lose on average $40,000 an hour. The Volt480 app reduces downtime by quickly locating specialized technicians to troubleshoot and repair complex, interconnected systems that are sometimes mixed with obsolete technologies. The service also helps streamline the burdensome procurement process to quickly order and pay for emergency services.
“Volt480 was developed to help plant managers recover from downtime in half the time and half the cost,” said Volt480 Chief Executive Officer Bhavnesh Patel. “Because we know that every minute counts when production systems fail, we connect you immediately to a highly-skilled expert near you through our on-demand platform. Our real-time filtering algorithm enables manufacturers to find the right resource with the right skills right away.”
How it works
Volt480 combines an on-demand, crowd-sourced services platform with machine learning technology that collects data on the problem and solution across a wide variety of production equipment and technologies. This knowledge enables the company to build machine-learning models to address future failures.
Customers use the app to locate and connect with service providers who are knowledgeable and experienced with their equipment. Service providers set their own rates, and Volt480 processes the payment through the service, saving customers from working through the traditional PO/invoicing process.
Manufacturers then have an opportunity to rate their experience with the service provider, which can be viewed by other potential customers.
“When manufacturing equipment breaks down and production stops, every moment counts. Plant managers don’t have time to research the equipment and match it with a service provider that may or may not be familiar with the system, especially with older or obsolete automation control systems,” said Jim Keighley, former vice president of engineering for Kraft Foods. “With Volt480 at their fingertips, they can quickly browse for local/regional service providers, see ratings, prices, profiles, distance from their facility and contact them in an instant. And payment is easily handled via credit card.”
Volt480 also opens doors for service providers, helping systems integrators, control engineers and automation engineers build their businesses through a new network of potential customers.
“By registering my services with Volt480, I can be introduced to hundreds of potential customers,” said Richard Morales, a controls technician with Tornado Automation. “And I have the potential to be paid faster and with less effort than the traditional PO/invoicing process.”
“The machine learning capabilities of the Volt480 app will help speed the repair process, getting our clients back to work faster and our technicians on to their next assignment,” said Jeff Lea, CEO of Real Time Automation.
Volt480 is being rolled out as a pilot program for small-to-midsize manufacturers in Texas. The app is available through the Apple App Store and Google Play. After completing the pilot launch, the program will be offered to more than 16,000 food manufacturers in California and Texas.
Acquisitions are a big reason explaining growth and innovation in big companies. Not that long ago Emerson acquired partner Mynah Technologies. Today I see that it acquired ProSys. These are both good acquisitions. Emerson has a better than average success with acquisitions. ProSys is a good fit. Congratulations.
Emerson announced it has acquired ProSys Inc., a global supplier of software and services that increase production and safety for the chemical, oil and gas, pulp and paper, and refining industries. By building intuitive processes for plant operators, these solutions make everything from everyday operations to responding during abnormal situations easier.
“Adding ProSys’ differentiated technologies and expertise allows us to help our customers improve plant performance, safety and profitability by optimizing their human and automation resources,” said Mike Train, executive president, Emerson Automation Solutions. “With ProSys, we can provide innovative control and operator performance capabilities to make control room operators far more effective.”
ProSys’ portfolio includes solutions that help operators manage alarms critical to plant production and safety, and efficiently handle changing plant states. In addition, ProSys provides modern, high performance and intuitive graphics for better operator communications.
ProSys complements Emerson’s May 2017 acquisition of MYNAH Technologies, which provides dynamic simulation and operator training software. Together, these technologies embed expertise to help operators navigate plant systems safely and efficiently, and prepare customers to accommodate the changing state and age of the industrial workforce.
“Our specialization in software and services that increase operator performance builds on Emerson’s market leadership in automation control systems,” said Dustin Beebe, president and CEO at ProSys. “By working together as one, we can provide even more operational and financial value to customers.”
Beebe will join Emerson Automation Solutions as vice president, control and operator performance.
The ProSys software portfolio supports Emerson’s Operational Certainty program designed to help industrial companies achieve Top Quartile performance in areas of safety, reliability, and production.
Terms of the acquisition were not disclosed.
Cyber security is on the mind of all of us. The Internet of Things, digital factory, Industry 4.0, and all of the new strategies for improving manufacturing and production efficiencies contain a common element. They all inherently contain connections that can possibly be attacked by cyber hackers.
We are all concerned with foreign government attacks that can blow up facilities, poison water supplies, and other doomsday scenarios we can imagine. However, most hackers are really after a pay day. A big pay day. They can hold your process—and your business—hostage until you fork over some cash.
I have had many interesting cybersecurity conversations with Albert Rooyakkers, founder and CEO of Bedrock Automation. He has built a powerful controller with security designed in from the chips on up. He’s been touting the “Open Secure Automation (OSA)” platform lately.
The company just released a new white paper on the cyber security vulnerabilities and defense of industrial control systems. The 20-page document, Securing Industrial Control Systems – Best Practices, covers the threat landscape and presents a holistic approach to defending it, including assessing risk, physical security, network security, workstation and server security, as well as the fundamentals of OSA.
I just read it and found it informative. You can download it here along with the previous three papers in the series.
“As we discuss cyber security with users of automation, we find that many are aware of the threat potential but are not sure if they are doing enough to protect themselves. We saw the need for a technical paper that explains both the mindset and motives of an attacker, as well as the tools and technologies of defense. This paper defines the issues in a practical, holistic way while providing recommendations on how to begin and sustain best practices for cyber defense,” said Rooyakkers.
The first half of the paper covers conventional cyber security practices that apply to all industrial control systems. It provides an assessment of the threats, including drive-by attacks, advanced persistent threats (APTs), espionage, process attacks, and ransomware. It also looks at assessing the related risks, with an introduction to Process Hazards Analysis (PHA) and Hazards and Operability (HAZOP) methodologies used to identify malfunctions that might harm people, the process, or the environment.
To assist with risk assessment, the paper provides an overview of conventional protection practices. This includes network segmentation, firewalls, and DMZs; managing workstations, servers, end-users, and applications; and implementing active defense measures, including security event monitoring and management.
The second part of the paper is devoted to more recent techniques, based on the application of intrinsic cyber security advances that have been applied in military, aerospace, and ecommerce, and are now being used to protect industrial control systems. These create a hardware end-point root of trust that combines advanced cryptography, digital signing techniques, an industrial certificate authority, and public key infrastructure (PKIs) built into the control system to create an infrastructure for user defense.
The paper also presents the features of the Bedrock Open Secure Automation platform, which embraces the best practices discussed and details the process by which they can be applied to legacy and new systems.
Interoperability spurs innovation. After years of technological consolidation in the process automation industry with “distributed control systems” becoming ever more centralized, we are witnessing a resurgence of distributed, along with open and interoperable.
Open Process Automation Forum
Yesterday I discussed Foxboro promoting the Open Process Automation Forum. Today, I can report that the OPC Foundation has also formally joined the forum. It fits given that OPC UA is one of the key standards that the OPAF will need for its interoperable system to work.
The OPC Foundation has developed a whitepaper, an introspective on process automation, elaborating on the vision of OPC UA and why the OPC Foundation is engaging in The Open Process Automation Forum.
The OPC Foundation vision includes the key element of information modeling, providing a foundation for other standards organizations to directly plug-in their data/information models into OPC UA.
OPC UA Seminar Tour
Here is a free opportunity to learn about open standards, OPC UA, a chance to meet with leaders in the interoperability field – in one day, in one place. Oh, and at two of those sessions (Milwaukee and Cleveland) one of those leaders will be me!
The seminar is designed for corporate leaders, IT professionals, students and all interested in IT to learn more about open standards, their place in this constantly changing arena of IIot, Industre 4.0, the Cloud and beyond and how this knowledge will benefit their life, their career and their company.
This seminar tour will focus on the rich feature set of OPC UA and the unique ways these features are put to use in real applications. By attending these conferences you will:
- Learn how OPC UA provides Industrial Interoperability for the Internet of Things and Industry 4.0
- Learn about OPC UA in the world of the IIC, China 2025, Korea Manufacturing Innovation 3.0
- Hear why end-users are requiring vendors to build OPC UA into their products
- Get latest update on OPC-UA technology and further roadmap enhancements
- Learn how active collaborations with other industry organizations are working to revolutionize the transformation of data, providing an infrastructure for the modeling of information
- Network with industry experts and peers
- Hear how Microsoft is positioning Azure with OPC UA extensions
- How to connect your machine to SAP easily and standardized
- Learn why OPC UA is the one and only recommendation for communication channel for RAMI4.0 – the Reference Architecture Model Industrie 4.0
Here are the event details:
September 26 – San Diego
September 27 – Santa Clara
September 28 – Seattle
September 29 – Vancouver
October 3 – Minneapolis
October 5 – Toronto
October 9 – Milwaukee
October 11 – Cleveland