Industrial Internet Consortium Releases Endpoint Security Best Practices White Paper

Security comes first to mind whenever we begin discussing connecting things in an industrial setting. And, of course, nothing connects things like the Industrial Internet of Things (IIoT). One place we often fail to consider in our security planning is at the endpoint of the network. Organizations and companies have been providing valuable assistance to developers by releasing best practices white papers. Here is one from a leading Industrial Internet organization.

The Industrial Internet Consortium (IIC) announced publication of the Endpoint Security Best Practices white paper. It is a concise document that equipment manufacturers, critical infrastructure operators, integrators and others can reference to implement the countermeasures and controls they need to ensure the safety, security and reliability of IoT endpoint devices. Endpoints include edge devices such as sensors, actuators, pumps, flow meters, controllers and drives in industrial systems, embedded medical devices, electronic control units in vehicle control systems, as well as communications infrastructure and gateways.

“The number of attacks on industrial endpoints has grown rapidly in the last few years and has severe effects. Unreliable equipment can cause safety problems, customer dissatisfaction, liability and reduced profits,” said Steve Hanna, IIC white paper co-author, and Senior Principal, Infineon Technologies. “The Endpoint Security Best Practices white paper moves beyond general guidelines, providing specific recommendations by security level. Thus, equipment manufacturers, owners, operators and integrators are educated on how to apply existing best practices to achieve the needed security levels for their endpoints.”

The paper explores one of the six functional building blocks from the IIC Industrial Internet Security Framework (IISF): Endpoint Protection. The 13-page white paper distills key information about endpoint device security from industrial guidance and compliance frameworks, such as IEC 62443, NIST SP 800-53, and the IIC IISF.

Equipment manufacturers, industrial operators and integrators can use the Endpoint Security Best Practices document to understand how countermeasures or controls can be applied to achieve a particular security level (basic, enhanced, or critical), determined through risk modeling and threat analysis, when building or upgrading industrial IoT endpoint systems.

“By describing best practices for implementing industrial security that are appropriate for agreed-upon security levels, we’re empowering industrial ecosystem participants to define and request the security they need,” said Dean Weber, IIC white paper co-author, and CTO, Mocana. “Integrators can build systems that meet customer security needs and equipment manufacturers can build products that provide necessary security features efficiently.”

While the white paper is primarily targeted at improving the security of new endpoints, the concepts can be used with legacy endpoints by employing gateways, network security, and security monitoring.

The full Endpoint Security Best Practices white paper and a list of IIC members who contributed can be found on the IIC website.

Software Is Center Stage at Rockwell Automation Event

Data is the new currency.

I heard that somewhere. There is much truth buried in the thought. That makes software and connectivity key technologies. I hear this everywhere. I am thinking through what I learned at the Rockwell Automation event while at an enterprise computing event in Spain. Enterprise IT has discovered the Industrial Internet of Things (IIoT). Silos are collapsing everywhere.

Still, it is surprising that Rockwell Automation, the quintessential hardware company, emphasizes software. This has become the key component of the Connected Enterprise. There must be sales dollars here, also. Theory is nice, but sales are nicer.

By the way, here is proof I was there. A “Robot Selfie” from the Innovation Booth.

The Rockwell software portfolio has been growing a step at a time. This year it looks like it has most of the pieces assembled for a full manufacturing software suite. And this is not only MES. That is a component, for sure. But also there is connectivity, historian, databases. And now what appears to be a robust analytics application.

John Genovesi, Vice President of Information Software, told me during our interview that the company had made a couple of small acquisitions (in Silicon Valley they call it “acqui-hiring”) last March, and already the new team has written an analytics engine that forms the guts of the new application.

Project Scio (see-oh, from the Latin “to know”) is the next step. To make decisions when and where they matter most, new capabilities offered through Project Scio reduce hurdles to unleashing information. These capabilities open up access to ad-hoc analytics and perform advanced analysis by pulling structured and unstructured data from virtually any existing source in the enterprise. Project Scio can also intelligently fuse related data, delivering analytics in intuitive dashboards – called storyboards – that users can share and view. Users then have the ability to perform self-serve drill downs to make better decisions, dramatically reducing the time to value.

“Providing analytics at all levels of the enterprise – on the edge, on-premises or in the cloud – helps users have the ability to gain insights not possible before,” said Genovesi. “When users gain the ability to fuse multiple data sources and add machine learning, their systems could become more predictive and intelligent. Scio puts analytics to work for everyone. By its addition to the scalable and open FactoryTalk Analytics Platform, Project Scio gives users secure, persona-based access to all data sources, structured or unstructured. And a configurable, easy-to-use interface means that all users can become self-serving data scientists to solve problems and drive tangible business outcomes.”

Key attributes of Project Scio include the following:

  • Device Auto-Discovery: Manually mapping software to each plant-floor device can be a time-consuming and error-prone process. Project Scio can auto-discover Rockwell Automation devices and tags, as well as third-party device data, to save time and help reduce risk. Additionally, the auto-discovery process gives users access to more detailed information than is typically available through manual mapping, such as device name, line location and plant location.
  • Leave Isolated Analytics Behind: Rather than leave data at its source and take database snapshots, Project Scio brings data into a centralized location and can continually refresh that data. Additionally, connections to data sources only need to be established once. This connection allows users to create custom analytics and refresh them at their preferred rate without the support of a data scientist.
  • Flexible Machine Learning (ML): Use the right ML algorithm for the right use case. Project Scio is configurable to support many industry-leading algorithms, including SparkML, MLLib and Python.
  • Closed-Loop Analytics: Using either ML or predefined settings, Project Scio includes capabilities that can monitor operations and automatically trigger control adjustments if processes start to fall outside allowable parameters. This can help users optimize control, improve product quality and consistency, and reduce scrap and waste.
  • Applications Marketplace: Rockwell Automation will introduce an applications marketplace for applications developed in-house and by third parties. The ability to access any data source and create custom analytics for each user’s application is a central feature. However, users can also take advantage of pre-engineered FactoryTalk Analytics applications from Rockwell Automation. These applications allow users to monitor common KPIs, such as OEE and quality, in a standardized way and without any configuration.
  • Open Architecture: Industrial producers cannot be expected to rip and replace all their legacy control and information systems before gaining value from analytics. These scalable and open-architecture capabilities are designed to be extended to a full ecosystem of IIoT data sources. The quick connection to the full range of systems that feed data into a Connected Enterprise includes controllers, MES software and edge devices.

In addition to these Information Solutions, Rockwell Automation offers a range of Connected Services that help customers ensure network integrity, security, infrastructure design and maintenance, and remote monitoring of equipment, including predictive maintenance. These services can help customers with every aspect of their Connected Enterprise journey, including developing an IIoT infrastructure and strategy, and providing remote monitoring and analytics.

New OPC UA Support

Rockwell spokespeople made sure that I understood two things with this year’s message. Scalable. And Open. The company is adopting open, interoperable communications. Notice above that the auto-discovery covers not only Rockwell’s products, but also those from other companies.

Another interoperable standard that Rockwell has not supported much for years is OPC Unified Architecture (UA).

Interesting quote from the news release, “We actually helped develop the OPC UA specification, and we’re now adding OPC UA support into our portfolio.”

The initial offering on the software side includes OPC UA client/server functionality in the FactoryTalk Linx software, which it will be launching in early 2018. There are also future product-line extensions planned for both software and hardware portfolios. Second, the FactoryTalk Linx Gateway provides an OPC UA server interface to deliver information collected by FactoryTalk Linx from Logix 5000 and other Allen-Bradley controllers to external OPC UA clients. This permits third-party software to coexist with FactoryTalk software.

For example, custom-built MES applications can interact directly with the control layer to better coordinate production. The FactoryTalk Linx Gateway also will include a new FactoryTalk Linx Data Bridge software service that will transfer sets of tag data from one data source to another at a user-defined rate. This permits movement of data between servers and, more importantly, enables Logix 5000 controllers to indirectly interface with OPC UA servers. Among its many uses, this software could allow Logix 5000 controllers to interact and control a robot, weight scale or similar automation device using OPC UA.

Internet of Things Edge Products Unveiled at ARC Forum

I’m tackling Internet of Things Edge computing in the first of many posts as I finally have some time to gather my notes and thoughts after an intense four days in Orlando at the ARC Advisory Group Industry Forum.

During the Monday press conferences, and later at a special breakfast presentation, Inductive Automation announced a series of products designed to bring more power to the edge of the network. Certainly much work has been done regarding computing at the edge for the past couple of years.

So, Inductive Automation announced a March release for a line of products built on an embedded version of Ignition—Ignition Edge. Inductive Automation was recently in the news with an announcement that growth has been so good that it bought a building to house its growing workforce.

Ignition Edge by Inductive Automation is a line of lightweight, low-cost Ignition products to be embedded into field and OEM devices at the edge of the network. Ignition is designed to work on central servers and deploy to multiple clients, while Ignition Edge products can be installed on devices at the edge. With Ignition and Ignition Edge together, organizations can build scalable and affordable enterprise-wide systems.

“To truly have IIoT, industrial organizations need a new architecture,” said Don Pearson, chief strategy officer for Inductive Automation. “A big part of that involves collecting data near the source, at the edge of the network. It means polling as close to the devices as possible, rather than from the SCADA system. Ignition Edge is a very affordable way to get data from the edge and into a database so it can be leveraged for analysis and better decision-making.”

One of the products features embedded MQTT protocol support. Cirrus Link Solutions is based in Kansas City, Kan. Arlen Nipper, president of Cirrus Link, is a co-inventor of Message Queueing Telemetry Transport (MQTT). MQTT is a lightweight pub/sub messaging transport that’s perfectly suited to the IIoT. MQTT provides fast, bi-directional communication in a very simple manner, so it requires minimal network bandwidth.

Nipper co-invented MQTT with Andy Stanford-Clark of IBM specifically for real-time, mission-critical SCADA systems. Ignition Edge capitalizes on MQTT for more efficient, easier access to data. “Having the power of Ignition extend down to edge devices in the field offers a disruptive approach to how industrial network infrastructures are designed, deployed, and managed,” said Nipper.
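To make the pub/sub model concrete, here is an added example (not code from Inductive Automation, Cirrus Link or any real broker) that models how an MQTT broker routes a published message to subscribers by matching topic filters. It implements the MQTT 3.1.1 wildcard rules (`+` for one level, `#` for the rest, and no wildcard match on `$`-prefixed topics) and feeds it constructed Sparkplug-style topic names; the group, node and device names are invented. The `#` subscriber is included to show why a broker's access-control list should limit who may subscribe that broadly, since such a client receives every message on the broker.

```python
"""Minimal in-memory model of MQTT publish/subscribe topic routing.
Constructed example: not Ignition, Cirrus Link or any real broker's code."""
from typing import Callable, List, Tuple

# A subscriber callback receives the topic name and the raw payload.
Handler = Callable[[str, bytes], None]


def topic_matches(topic_filter: str, topic: str) -> bool:
    """Apply the MQTT 3.1.1 topic-filter rules (spec section 4.7):
    '+' matches exactly one level, '#' matches the remainder of the topic
    (including the parent level) and must be the last level, and wildcard
    filters never match topics whose first level begins with '$'."""
    if topic.startswith("$") and topic_filter[:1] in ("+", "#"):
        return False
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1   # '#' is only valid as the last level
        if i >= len(t_levels):
            return False                    # filter has more levels than the topic
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)   # no trailing topic levels left unmatched


class MiniBroker:
    """Routes each published message to every subscription whose filter matches."""

    def __init__(self) -> None:
        self._subs: List[Tuple[str, Handler]] = []

    def subscribe(self, topic_filter: str, handler: Handler) -> None:
        self._subs.append((topic_filter, handler))

    def publish(self, topic: str, payload: bytes) -> int:
        """Deliver to matching subscribers; return how many received it."""
        delivered = 0
        for topic_filter, handler in self._subs:
            if topic_matches(topic_filter, topic):
                handler(topic, payload)
                delivered += 1
        return delivered


def run_demo():
    """Three subscribers of different scope, fed constructed Sparkplug-style
    topics of the form spBv1.0/<group>/<message type>/<edge node>[/<device>]."""
    broker = MiniBroker()
    received = {"scada": [], "pump3_owner": [], "audit": []}
    # SCADA wants every device-data (DDATA) message from group plant1.
    broker.subscribe("spBv1.0/plant1/DDATA/#",
                     lambda t, p: received["scada"].append(t))
    # One application cares only about device pump-3, from any group or node.
    broker.subscribe("spBv1.0/+/+/+/pump-3",
                     lambda t, p: received["pump3_owner"].append(t))
    # A bare '#' subscription sees everything; brokers should restrict it via ACLs.
    broker.subscribe("#", lambda t, p: received["audit"].append(t))

    counts = [
        broker.publish("spBv1.0/plant1/DDATA/edge-7/pump-3", b"outlet_psi=101"),
        broker.publish("spBv1.0/plant1/DDATA/edge-7/flow-1", b"gpm=42"),
        broker.publish("spBv1.0/plant1/NBIRTH/edge-7", b"online"),
        broker.publish("$SYS/broker/clients/connected", b"3"),
    ]
    return counts, received


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` delivers the pump-3 data message to all three subscribers, the flow-1 message to two, the node birth certificate only to the `#` subscriber, and the broker's own `$SYS` topic to nobody, because wildcards deliberately do not match it.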

Ignition Edge Panel enables creation of local HMIs for field devices. It enables edge-of-network HMI functionality with robust Ignition features, including one local client, one remote web client for mobile access, and alarming features including email notification. It includes one week of data buffering for trending and local client fallback for mission-critical applications.

Ignition Edge Enterprise acts as an Agent Gateway in a multi-Gateway Ignition system by leveraging the Ignition Enterprise Administration Module (EAM). It therefore requires that the EAM be installed on the central Ignition Gateway. It has powerful features such as remote backup, restoration management, centralized monitoring of performance and health metrics, and remote alarm notification. Edge Enterprise comes with up to a week of data buffering, and it can synchronize local tag history to a central Ignition historian for store-and-forward.

Ignition Edge MQTT by Cirrus Link was developed by Cirrus Link Solutions, a strategic partner of Inductive Automation. Ignition Edge MQTT enables publication of field device data through MQTT. It turns virtually any field device, such as a touch panel or a client terminal, into a lightweight, MQTT-enabled edge gateway. Ignition Edge MQTT uses MQTT to transmit data to any MQTT broker and supports the Sparkplug data-encoding specification.

Edge Devices On The Industrial Internet

What is an “edge” device in terms of network architecture for today’s Industrial Internet of Things? Classical networking practice has had its definition. But how do you extend the definition in today’s industrial networks with perhaps thousands of devices at the edge? Do you label all those smart devices as edge?

I have been spending much time with Dell Technologies and its IoT division. It has built a computing device with a multitude of connection ports, data storage, and computing capability. This device is named Gateway, but it is labeled as an edge device. Meanwhile I interviewed two GE Automation and Controls executives who labeled controllers (PLCs) as edge devices.

I ran across this article by ARC Advisory Group’s Greg Gorbach. I’ve quoted some of it below. You can read it in its entirety here. He analyzes a number of points of view. Does it all matter to you what is called an edge device? How do you configure a modern IIoT network?

Power of Edge – Greg Gorbach

What is the industrial edge, and why does it matter? Is it network infrastructure? Can the edge be found in a sensor that feeds a controller in a plant? Or is it in a smart machine that’s in service halfway around the globe?

In networking, an edge device is a device which provides an entry point into enterprise or service provider core networks. Examples include routers, routing switches, integrated access devices, multiplexers, and a variety of local area network (LAN) and wide area network (WAN) access devices. Edge devices also provide connections into carrier and service provider networks. Network providers and others have been pushing intelligence – compute power and the ability to run applications and analytics – to these edge devices for some time.

But the growth of the Industrial Internet of Things (IIoT) extends the ‘edge’ beyond the network devices, into industrial and commercial devices, machines, and sensors which connect to the network. Edge computing and analytics can, often should be, and increasingly is close to the machines and data sources. As the digitization of industrial systems proceeds, we expect that analysis, decision-making, and control will be physically distributed among edge devices, the network, the cloud, and connected systems, as appropriate.

These functions will end up where it makes most sense for them to be.

IIoT will change the way industrial organizations generate, collect, and analyze data. Data will be generated faster and in greater volume than ever before. This will require today’s plant information infrastructure to evolve. One part of this new infrastructure will be intelligent edge devices, which will include the latest generation of controllers, such as DCSs, PLCs and PACs. Besides providing control, these edge devices will securely collect, aggregate, filter, and relay data, leveraging their close proximity to industrial processes or production assets. They will also be capable of collaborating with powerful analytics tools, detecting anomalies in real time, and raising alarms so that operators can take appropriate actions.

With edge computing and analytics, data is processed near the source, in sensors, controllers, machines, gateways, and the like. These systems may not send all data back to the cloud, but the data can be used to inform local machine behaviors as it is filtered and integrated. The edge systems may decide what gets sent, where it gets sent and when it gets sent.

Placing intelligence at the edge helps address problems often encountered in industrial settings, such as oil rigs, mines, chemical plants, and factories. These include low bandwidth, low latency, and the perceived need to keep mission critical data on site to protect IP.

As you think about digitizing and transforming your industrial operations or your products and services, pay special attention to the edge. Consider the optimal location for analysis, decision-making, and control, and the best way to distribute these among edge devices, the network, the cloud, and other connected systems.
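The quoted article describes edge devices that collect, aggregate and filter data, raise alarms locally, and decide what gets sent upstream; the earlier Ignition Edge section mentions a week of data buffering for store-and-forward. The following added example (my own code, not Gorbach's, ARC's, Inductive Automation's or any vendor's) shows those behaviours together in one small edge node: raw samples stay local, a windowed summary and any alarms go upstream, and messages are held in a bounded buffer while the uplink is down. The tag name, limits and the twelve pressure samples are constructed for the demo.

```python
"""Edge-side filtering, aggregation and store-and-forward for an IIoT node.
Constructed example: not the code of any product named on the page."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List


@dataclass
class Reading:
    ts: int        # sample time (seconds)
    tag: str       # e.g. "pump-3/outlet_psi" (constructed tag name)
    value: float


@dataclass
class EdgeNode:
    """Keeps raw samples local, sends windowed aggregates and alarms upstream,
    and buffers those messages while the uplink is down."""
    window: int               # raw samples per aggregate message
    high_limit: float         # local alarm threshold
    buffer_limit: int = 1000  # store-and-forward capacity (oldest dropped first)
    link_up: bool = True
    sent: List[dict] = field(default_factory=list)     # messages that went upstream
    alarms: List[dict] = field(default_factory=list)   # alarms raised locally
    _pending: Dict[str, List[Reading]] = field(default_factory=dict)
    _buffer: Deque[dict] = field(default_factory=deque)

    def ingest(self, r: Reading) -> None:
        # 1. Real-time check at the source: alarm immediately, whatever the uplink state.
        if r.value > self.high_limit:
            alarm = {"type": "alarm", "tag": r.tag, "ts": r.ts, "value": r.value}
            self.alarms.append(alarm)
            self._emit(alarm)
        # 2. Aggregate raw samples so only a summary leaves the edge.
        pending = self._pending.setdefault(r.tag, [])
        pending.append(r)
        if len(pending) >= self.window:
            values = [x.value for x in pending]
            self._emit({
                "type": "aggregate", "tag": r.tag,
                "from": pending[0].ts, "to": pending[-1].ts, "n": len(values),
                "min": min(values), "max": max(values),
                "mean": round(sum(values) / len(values), 3),
            })
            pending.clear()

    def set_link(self, up: bool) -> None:
        """Flush the store-and-forward buffer, oldest first, when the uplink returns."""
        self.link_up = up
        while up and self._buffer:
            self.sent.append(self._buffer.popleft())

    def buffered(self) -> int:
        return len(self._buffer)

    def _emit(self, msg: dict) -> None:
        if self.link_up:
            self.sent.append(msg)
            return
        if len(self._buffer) >= self.buffer_limit:
            self._buffer.popleft()   # bounded buffer: drop the oldest message
        self._buffer.append(msg)


def run_demo() -> EdgeNode:
    """Twelve constructed pressure samples; the uplink is down for samples 6-10
    and one sample (130 psi) exceeds the 120 psi limit."""
    node = EdgeNode(window=5, high_limit=120.0)
    values = [100, 101, 99, 102, 100, 101, 100, 130, 102, 100, 99, 101]
    for ts, v in enumerate(values, start=1):
        if ts == 6:
            node.set_link(False)
        if ts == 11:
            node.set_link(True)
        node.ingest(Reading(ts=ts, tag="pump-3/outlet_psi", value=float(v)))
    return node


if __name__ == "__main__":
    node = run_demo()
    print(f"{len(node.sent)} messages sent upstream for 12 raw samples")
    for msg in node.sent:
        print(msg)
```

Twelve raw samples produce three upstream messages: the first window's aggregate, the alarm raised while the link was down, and the second aggregate, with the last two delivered in order once the link returns. The bounded buffer is the design point worth noticing: an edge node that buffers without a limit during a long outage eventually fails in a worse way than one that drops its oldest summaries.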
