This story is all about partnerships and collaboration. I started to write it yesterday morning, but then I saw a tweet, no not from the “big guy” but from PTC about the Rockwell Automation investment. I wanted to talk about the current trend of partnering.
It begins Roy Kok and DreamReports. We’ve chatted a little about how a company with a somewhat narrowly defined product and market can grow. He’s out in San Diego this week at the Rockwell Automation TechEd event. Rockwell is an important partner. All that data from IoT and analytics isn’t worth the storage if the information can’t be parsed and displayed. Enter Dream Reports. Kok assures me that there will be more partnerships in the future. It’s no doubt his best potential.
Another Rockwell Investment
Meanwhile, I had the opportunity to speak with Patrick McBride the CMO of Claroty about another Rockwell Automation investment. Once again a somewhat narrowly defined market—cyber security—using partnerships to grow. In this case, Claroty attracted $60M of Series B investment, bringing its total funding to $93 Million. He told me that the investment funds will be used to make the appropriate hires to expand sales and projects globally and to support its new partners.
The round was led by Temasek and included Rockwell Automation, Aster Capital (born out of Schneider Electric Ventures), Next47 (Siemens-backed global venture firm), Envision Ventures, and Tekfen Ventures. Original Claroty investors Bessemer Venture Partners, Team8, Innovation Endeavors, and ICV all participated in the round.
Founded in 2014 and exiting stealth mode in late 2016, this investment comes on the heels of a breakout year for Claroty capped by a 300% year-over-year growth in bookings and customer base. Claroty now has large-scale customers with production installations across six continents in nine market segments, including electric utilities, oil and gas, chemical, water, manufacturing, food and beverage, mining, and real estate (building management systems, data centers, warehouses).
“Our unparalleled investor syndicate, which includes some of the most important industrial companies in the world, is a ringing endorsement of Claroty’s technology and the progress our team has made,” said Amir Zilberstein, Claroty Co-founder and CEO. “Our mission is to protect the most critical networks on the planet and our comprehensive platform provides our customers with the capabilities they need to accomplish this vitally important task.”
This rapidly expanding cybersecurity market segment is the result of a “perfect storm” that has placed industrial networks running critical global infrastructures in the spotlight. Old and insecure industrial control networks, which used to be “air-gapped,” are now being rapidly connected to networks and exposed to a range of risks. Because of their criticality, these networks are increasingly targeted by advanced nation-state adversaries who are determined to harvest information and gain a persistent presence for potential future attacks. In 2017, industrial networks also became collateral damage in ransomware attacks like WannaCry and NotPetya costing companies billions in losses.
“A perimeter defense to cybersecurity in today’s connected world is not enough. An end-to-end approach, with solutions that provide deep visibility into operational technology and industrial control systems, is critical for the security of heavy processing environments,” said Hervé Coureil, Chief Digital Officer at Schneider Electric. “Leading the digital transformation of energy management and automation, Schneider Electric takes cybersecurity very seriously and the partnership with Claroty complements the cybersecurity layer of our IoT-enabled EcoStruxure architecture.”
“Protecting the critical automation systems our customers operate against cyberattacks remains a top priority for the company,” said Frank Kulaszewicz, SVP, Architecture & Software at Rockwell Automation. “Claroty has been a partner since 2016 and their advanced technology is a key element of our real-time threat detection and monitoring service. Our investment in Claroty is a logical extension of our ongoing strategic partnership.”
Claroty’s comprehensive cybersecurity platform provides extreme visibility into industrial networks and combines secure remote access with continuous monitoring for threats and vulnerabilities – enabling industrial control system operators to protect these important networks. The company will use investment proceeds to grow the Claroty brand globally, extend its sales and customer support footprint, and continue its rapid pace of product innovation.
T.J. Rylander, Partner at Next47, the Siemens-backed global venture firm said, “The recent increase in scale, scope, and frequency of cyberattacks on critical infrastructure has led to an uptick in demand for new solutions from companies around the world. Claroty has the team, technology, and market traction to deliver the kind of lasting impact that we are looking for at Next47.”
Sometimes I wonder–Is it time for the entire Boomer generation to retire and pass the baton to the next generation? Here is another survey, this one on cybersecurity, that reveals executives know about a problem but have few or no plans to solve it soon.
People tell me constantly about surveys such as this one or training opportunities where executives and engineers in Europe pursue knowledge and those in Asia cannot satisfy their demand for standards and knowledge. And in the US? Not so much interest.
Here is a poll by a security company, Indegy, who (maybe not so surprisingly since it sells solutions) uncovered the gap yet again.
The poll found that nearly 60 percent of executives at critical infrastructure operators polled in a recent survey said they lack appropriate controls to protect their environments from security threats. As expected, nearly half of all respondents indicated their organizations plan to increase spending for industrial control system (ICS) security measures in the next 12-24 months.
“We have been tracking the escalation in cyber threat activity specifically targeting critical infrastructures for some time,” says Barak Perelman, CEO of Indegy. “As the recent joint DHS/FBI CERT Technical Alert illustrates, adversaries have compromised facilities across the US to conduct reconnaissance and likely develop “Red Button” capability for future attacks.”
Lack of Visibility and Control Cited
While organizations have made significant investments to secure their IT infrastructures, they have not fully addressed threats to operational technology (OT) environments. The recent Indegy poll of nearly 100 executives from various critical infrastructure organizations underscores the lack of preparedness in key sectors including energy, utilities and manufacturing. Among the key findings:
- 35% of respondents said they have little visibility into the current state of security within their environment, while 23% reported they have no visibility
- 63% claimed that insider threats and misconfigurations are the biggest security risks they currently face
- 57% said they are not confident that their organization, and other infrastructure companies, are in control of OT security
- Meanwhile, 44% of respondents indicated an increase in ICS spending was planned in the next 12 to 24 months, with 29% reporting they were not sure
Critical infrastructure control systems have been under cyber attack for years. Need we mention Stuxnet, the attack that brought the issue to the public eye? Pressure has been mounting on controls, automation, and IoT suppliers to protect a nation’s assets.
Siemens and eight partners signed a joint charter for greater cybersecurity at a recent Munich conference.
- Ten action areas for greater cybersecurity
- Call for dedicated government ministries and chief information security officers
- Independent certification for critical infrastructures and solutions in the Internet of Things
The Charter of Trust calls for binding rules and standards to build trust in cybersecurity and further advance digitalization. In addition to Siemens and the Munich Security Conference (MSC), the companies Airbus, Allianz, Daimler Group, IBM, NXP, SGS and Deutsche Telekom are signing the Charter. The initiative is further welcomed by Canadian foreign minister and G7 representative Chrystia Freeland as well as witnessed by Elżbieta Bieńkowska, the EU Commissioner for Internal Market, Industry, Entrepreneurship and Small and Medium-sized Enterprises.
“Confidence that the security of data and networked systems is guaranteed is a key element of the digital transformation,” said Siemens President and CEO Joe Kaeser. “That’s why we have to make the digital world more secure and more trustworthy. It’s high time we acted – not just individually but jointly with strong partners who are leaders in their markets. We hope more partners will join us to further strengthen our initiative.”
The Charter delineates 10 action areas in cybersecurity where governments and businesses must both become active. It calls for responsibility for cybersecurity to be assumed at the highest levels of government and business, with the introduction of a dedicated ministry in governments and a chief information security officer at companies. It also calls for companies to establish mandatory, independent third-party certification for critical infrastructure and solutions – above all, where dangerous situations can arise, such as with autonomous vehicles or the robots of tomorrow, which will interact directly with humans during production processes. In the future, security and data protection functions are to be preconfigured as a part of technologies, and cybersecurity regulations are to be incorporated into free trade agreements. The Charter’s signatories also call for greater efforts to foster an understanding of cybersecurity through training and continuing education as well as international initiatives.
“Secure digital networks are the critical infrastructure underpinning our interconnected world,” said Canadian foreign minister Chrystia Freeland. “Canada welcomes the efforts of these key industry players to help create a safer cyberspace. Cybersecurity will certainly be a focus of Canada’s G7 presidency year.” The matter is also a top priority for the Munich Security Conference. “Governments must take a leadership role when it comes to the transaction rules in cyberspace,” said Wolfgang Ischinger, Chairman of the Munich Security Conference. “But the companies that are in the forefront of envisioning and designing the future of cyberspace must develop and implement the standards. That’s why the Charter is so important. Together with our partners, we want to advance the topic and help define its content,” he added.
According to the ENISA Threat Landscape Report, cybersecurity attacks caused damage totaling more than €560 billion worldwide in 2016 alone. For some European countries, the damage was equivalent to 1.6 percent of the gross domestic product. And in a digitalized world, the threats to cybersecurity are steadily growing: According to Gartner, 8.4 billion networked devices were in use in 2017 – a 31-percent increase over 2016. By 2020, the figure is expected to reach 20.4 billion.
Security comes first to mind whenever we begin discussing connecting things in an industrial setting. And, of course, nothing connects things like the Industrial Internet of Things (IIoT). One place we often fail to consider in our security planning is at the endpoint of the network. Organizations and companies have been providing valuable assistance to developers by releasing best practices white papers. Here is one from a leading Industrial Internet organization.
The Industrial Internet Consortium (IIC) announced publication of the Endpoint Security Best Practices white paper. It is a concise document that equipment manufacturers, critical infrastructure operators, integrators and others can reference to implement the countermeasures and controls they need to ensure the safety, security and reliability of IoT endpoint devices. Endpoints include edge devices such as sensors, actuators, pumps, flow meters, controllers and drives in industrial systems, embedded medical devices, electronic control units vehicle controls systems, as well as communications infrastructure and gateways.
“The number of attacks on industrial endpoints has grown rapidly in the last few years and has severe effects. Unreliable equipment can cause safety problems, customer dissatisfaction, liability and reduced profits,” said Steve Hanna, IIC white paper co-author, and Senior Principal, Infineon Technologies. “The Endpoint Security Best Practices white paper moves beyond general guidelines, providing specific recommendations by security level. Thus, equipment manufacturers, owners, operators and integrators are educated on how to apply existing best practices to achieve the needed security levels for their endpoints.”
The paper explores one of the six functional building blocks from the IIC Industrial Internet Security Framework (IISF): Endpoint Protection. The 13-page white paper distills key information about endpoint device security from industrial guidance and compliance frameworks, such as IEC 62443, NIST SP 800-53, and the IIC IISF.
Equipment manufacturers, industrial operators and integrators can use the Endpoint Security Best Practices document to understand how countermeasures or controls can be applied to achieve a particular security level (basic, enhanced, or critical) when building or upgrading industrial IoT endpoint systems, which they can determine through risk modeling and threat analysis.
“By describing best practices for implementing industrial security that are appropriate for agreed-upon security levels, we’re empowering industrial ecosystem participants to define and request the security they need,” said Dean Weber, IIC white paper co-author, and CTO, Mocana. “Integrators can build systems that meet customer security needs and equipment manufacturers can build products that provide necessary security features efficiently.”
While the white paper is primarily targeted at improving the security of new endpoints, the concepts can be used with legacy endpoints by employing gateways, network security, and security monitoring.
The full Endpoint Security Best Practices white paper and a list of IIC members who contributed can be found on the IIC website.
Last week I wrote about the cyber attack on a safety integrated system probably in Saudi Arabia. There has been another attack. When media relations people saw that I had written about cyber security, I started receiving more releases.
Here is some additional commentary by Eddie Habibi, CEO and founder of PAS Global. That company has moved strongly from alarm management investing heavily in building a cyber security practice.
“Since 2010, attackers have been intent on learning how process control networks in critical infrastructure plants work, what systems are in place, where vulnerabilities exist, and how best to manipulate these systems to affect plant safety and performance. Attackers have now moved beyond reconnaissance and are leveraging their acquired knowledge of control networks to interrupt production and create safety incidents. They are targeting systems that in many cases produce electricity for our businesses, gasoline for our cars, or clean water for our homes.
The TRITON (a.k.a. TRISIS) malware attack underscores the capabilities that attackers have acquired and the fact that traditional security controls – namely air gapping and security by obscurity – are no longer sufficiently effective. As TRITON targets an integral part of the independent protection layers that keep plants safe, this should raise red flags with every critical infrastructure company in the world.
One of the first steps companies must take is to get better visibility into the cyber assets in their plants. Eighty percent of the assets in a plant are outside of traditional IT cybersecurity programs. This is clearly unacceptable given the threat landscape we face today. Once companies gain visibility, they can begin to implement fundamental security controls such as monitoring for unauthorized change or discovering hidden vulnerabilities. Otherwise, malware such as TRITON will continue to find fertile ground for causing production disruptions and even environmental or physical harm.”
Cyber security challenges for practitioners
Part of my daily contact with PAS Global’s PR person included this tidbit from Habibi.
With these seismic attacks looming over manufacturing plants/facilities and other critical infrastructure, PAS Global has identified the top 8 critical challenges ICS directors are facing:
- Lack of overall visibility of ICS vulnerabilities
Vulnerability exploits are under reported
- False sense of security in many ICS environments
- More disclosures than capacity to investigate
- Limited visibility into ICS vulnerabilities and risks
- Vulnerability investigation is manual and research-intensive
- Limited visibility into vulnerability remediation effectiveness
- Manual, inconsistent patch management
And this from Emily S. Miller, Director of National Security and Critical Infrastructure Programs at Mocana:
“ICS-CERT’s analysis of the HatMan malware revealed some interesting and novel tidbits. Not only did the actor develop a ‘more traditional PC-based component that interacts with the safety PLC,’ but the malware also contained components specifically designed to compromise the safety device itself, which allowed changes to the device firmware. The fact that this actor has the capability to access the safety instrumentation device, and potentially make changes to the device firmware unnoticed, should make critical infrastructure owner-operators sit up and take heed. Yes, in this case the malware tripped the safety systems and was noticed, but who’s to say the actor won’t learn from its mistakes or hasn’t already? Current recommended mitigations promote defense-in-depth strategies. While these are absolutely pieces of the puzzle, things like network monitoring and segmentation alone are clearly not sufficient when the bad actors keep getting in and doing bad things to both the devices and the data contained therein. We have to do better about both defending the network AND protecting the devices themselves.”
Link to How Mocana Protects graphic on Dropbox.
Yet more cyber attacks in the news
Further communications from the agency for PAS Global. I appreciate the humor. “I didn’t want you to go a day without hearing from me. What a concerning week we are having for critical infrastructure!”
The warning is from Nyotron, which says it has spotted a threat actor with likely links to Saudi Arabia, Iran, or Algeria using a repurposed malware tool to target specific critical infrastructure organizations in the Middle East.
“We’ve seen a seven-fold increase in the number of cyberattacks on industrial control systems (ICS) since 2010. What makes this increase particularly alarming is the enhanced level of sophistication of the attacks and the success they have shown in achieving their goals.
The fact that infected USBs are behind the Copperfield attack underscores the lack of adequate, foundational security within industrial facilities. Critical infrastructure security is clearly not trending in the right direction.
The simple fact is that 80% of cyber assets in a facility are highly proprietary, do not work with IT security controls, and are largely invisible to security personnel. If we cannot see these assets, how can we hope to secure them? If we cannot secure them, then we are staring at a tumultuous 2018 because the bad guys are savvy to the insecurity of these systems.”
Meanwhile, here is another defense
Most experts I talk with discuss the need for a defense-in-depth strategy. Occasionally entrepreneurs in the field wax enthusiastically about their particular solution. Albert Rooyakkers is one of those intense entrepreneurs who has designed an industrial control product with cyber security at the heart of the design.
Here is the latest news from Bedrock Automation.
It has announced Bedrock Open Secure Automation (OSA) firmware will include intrinsic Anomaly Detection (AD). Bedrock OSA AD will be available as standard integrated functionality that continuously monitors the controller’s network and system time t0 detect intrusions and anomalous behavior.
“Preventing control system intrusion is fundamental to holistic cyber security. In addition, users need to know when the system security is being challenged. This is the role of anomaly detection. At no additional cost or complexity for the user, Bedrock’s AD delivers additional assurance that no one is tampering with your automation,” said Rooyakkers. Bedrock Anomaly Detection includes the following functionality:
- Dynamic Port Connection Monitoring, which records all attempts to connect any controller or communication point and captures identifying information on the intruder
- Network Port Scanning, which detects if hackers are scanning for open ports that might provide access to the control network
- System Time Monitoring, which detects attempts to manipulate log files to conceal malicious activity
- Cryptographic Controller Engineering Key Lock, which permits only users with valid user credentials to change the configuration and operation mode of the controller and records all access
- Intrusion Event Logging, which records all detected anomalies and reports them to SCADA software through OPC UA and standard database access for historian, alarming, and trending functions. Additionally, a tri-color status LED on the faceplate of Bedrock Controllers provides indication locally whenever an intrusion is detected.
Anomalous behavior detected at the controller level signifies a high likelihood of a cyber security event. Embedding detection into the controller provides advanced cyber defense while reducing complexity and lifecycle cost. Bedrock AD will be standard on all Bedrock systems and is available as a free firmware upgrade to installed systems as part of Cybershield 3.0 in March 2018.