Understanding Risk Exposure of IoT Devices

Cybersecurity as a concept or even as a term didn’t exist when I discussed the future of connected control systems devices with my customer, a senior control systems engineer for an automotive component manufacturer in the 1990s. He was aware of potential problems of connectedness when he told me, “I will never run a wire from a control system in this plant.”

Today? Everything is connected. Cybersecurity is a known, if sometimes devalued, challenge. How much do organizations understand the risk exposure of IoT devices? Deloitte and Dragos, Inc. share top risks to organizations in current IoT environment.

Key takeaways:

  • In the digital age, cyber is everywhere. Cyber risk now permeates nearly every aspect of how we live and work. Organizations should better understand how to manage the risks created by known and unknown Internet of Things (IoT) and Industrial IoT (IIoT) devices. 
  • Security-by-design saves time: it takes longer to retroactively fix issues than it does to do it correctly the first time when building the product. 
  • Security-by-design reduces cost: it costs more to mitigate the risk of vulnerability exploitation than to implement security in the beginning.
  • According to a recent Deloitte poll, nearly half of respondents (48%) realized it is imperative, when developing or deploying secure-by-design connected products and/or devices, that both of these conditions exist:
      ◦ DevSecOps embedded throughout the design/acquisition, implementation, and deployment lifecycle.
      ◦ Cross-functional technology that includes teaming with legal, procurement and compliance across pre- and post-market deployments.

Why it matters

The number of cyberattacks, data breaches and overall business disruptions caused by unsecured IoT/IIoT devices is increasing because many companies don’t know the depth and breadth of the risk exposures they face when leveraging IoT devices and other emerging technologies. IoT and IIoT are a set of business and technology innovations that offer many compelling benefits, but they also present significant cybersecurity risks and a greatly expanded attack surface. Mitigating these risks by understanding IoT/IIoT platform security can help organizations realize the greater potential and benefits of these innovations.

Why is security-by-design important?

Deloitte and Dragos are teaming on a number of client initiatives to help organizations embed a security-by-design approach and to manage the risk of industrial control systems (ICS) and operational technology (OT) environments by enabling them to better monitor and assess threats. Organizations can benefit from a better understanding of threats in this environment, which can then be used to develop and embed cybersecurity strategies into organizational and technology strategy.

Security-by-design (for designing an IoT/IIoT product) is about incorporating cybersecurity practices by default into the product’s design as well as (for onboarding an acquired IoT/IIoT product) incorporating cybersecurity practices by default into the environment in which the IoT product is implemented.

Beyond securing ICS and OT systems, this combination of cyber risk services and technologies can provide a more complete picture of an organization’s ICS and OT threat landscape through active monitoring that can better inform scenario planning and response.

The following top risks were outlined by leaders from Deloitte Risk & Financial Advisory’s cyber practice and Dragos in a recent Deloitte Dbriefs webcast, The Internet of Things and cybersecurity: A secure-by-design approach:

Top 10 security risks the current IoT environment poses

  1. Not having a security and privacy program
  2. Lack of ownership/governance to drive security and privacy
  3. Security not being incorporated into the design of products and ecosystems
  4. Insufficient security awareness and training for engineers and architects
  5. Lack of IoT/IIoT and product security and privacy resources
  6. Insufficient monitoring of devices and systems to detect security events
  7. Lack of post-market/implementation security and privacy risk management
  8. Lack of visibility of products or not having a full product inventory
  9. Identifying and treating risks of fielded and legacy products
  10. Inexperienced/immature incident response processes

Key quotes
“Security needs to become embedded into the DNA of operational programs to enable organizations to have great products and have peace of mind. Today all sorts of products are becoming a part of cyber: from ovens to instant cookers, 3D printers to cars. Organizations need to consider what can actually go wrong with what is really out there and look at those challenges as a priority.”
– Sean Peasley, a partner in Risk & Financial Advisory and the Consumer & Industrial Products leader and Internet of Things (IoT) Security leader in Cyber Risk Services at Deloitte & Touche LLP

“Organizations need to think through this. There are a lot of requirements and they need to figure out a strategy. When looking at product security requirements, I see this as a challenging aspect as organizations get a handle around what they are manufacturing. There are organizations for example in industries such as health care, medical devices, and power and utilities that are starting to ask questions of their suppliers as they consider security before they deploy devices into their customer ecosystem. Where I see a lot of organizations struggle is in understanding system misconfiguration or not having the architecture they thought they did in order to make sure their manufacturing environment is reliable.”
– Robert M. Lee, CEO at Dragos Inc.

About the online poll

More than 4,200 professionals across industries and positions participated in and responded to poll questions during the Deloitte Dbriefs webcast, “The Internet of Things and cybersecurity: A secure-by-design approach” held May 30, 2019. Answer rates differed by question.

A majority (81%) of respondents indicated that information security is accountable for securing connected products in their organization. The information security team is still primarily where boards look to drive their cyber agenda, but as the 2019 Future of Cyber survey indicates, cyber is becoming everyone’s responsibility. It is critical to understand that if you are the plant manager, you likely have responsibility for the safety and liability of the operation. But the challenge is that everyone has a role to play. Ultimately, the CEO is going to be held accountable.

Organizational confidence in security

How confident are respondents that their organizations’ connected products, devices, or other “things” are secure today? Not very. More than half of respondents (51%) were somewhat confident, while 23% were uncertain or somewhat not confident, with only 18% feeling very confident in their organizations’ ability to secure connected products and devices. This may be a result of an overall lack of standardization across industries for security, and of limited awareness of the cyber risks of connected devices.

Guidance for security-by-design

A positive revelation in the results was when 41% of respondents indicated that they look to industry and professional organizations for guidance in driving security-by-design within their organizations. Another 28% said that they look first to regulatory bodies and agencies that set the standards; and 22% indicated their leading practices were developed internally for providing that guidance in driving security-by-design.

According to Peasley and Lee, it is a favorable strategy for organizations to understand leading practices and standards of peer organizations first, and then look to the regulatory bodies that are starting to shape standards and regulations and help inform the standards and regulations that are to come.

These results conflict with another question regarding whether their product teams use a defined set of product cybersecurity requirements as input for requirements selection. Twenty-eight percent use an industry defined framework, and 41% indicated a custom framework, while 30% of respondents indicated “No” that they didn’t use a defined set of requirements. The results of this question indicate there is still much work to do across the industry to influence and inform on standards for cybersecurity.

Considerations for organizations

• Understand the current state of product security and develop a cyber strategy: Whether designing connected products or acquiring such products to implement internally, assess how products, including the data they produce, are protected and develop a cyber strategy to drive improvement.

• Establish security-by-design practices: Integrate security-by-design into the design of the product itself or into the design of the ecosystem architecture, through requirements, risk assessments, threat modeling and security testing.

• Set the tone from the top: Ensure the right people are engaged and have ownership of the process – from leadership to the relevant product security subject matter experts to the product teams.

• Have a dedicated team and provide them with ample resources: Don’t expect enterprise security teams to cover missions without adding new resources for them; build a dedicated team that has product-based experience and provide training as needed to increase knowledge.

• Leverage industry-available resources: Rather than developing and providing unique questionnaires to your device vendors, use publicly-available industry resources.

Worth noting

• “Secure IoT by design: Cybersecurity capabilities to look for when choosing an IoT platform”

• According to the recent Deloitte “2019 Future of Cyber” survey, there are notable gaps in organizations’ abilities to meet cybersecurity demands for the future. Results from the survey indicate that many cyber organizations are challenged by their ability to help better prioritize cyber risk across the enterprise (16%). To see additional results from the Future of Cyber survey, download a copy.

The Dragos ICS asset identification, threat detection, and response platform distills decades of real-world experience from an elite team of ICS cybersecurity experts across the U.S. intelligence community and private industrial companies. Dragos’ offerings also include threat hunting and incident response services, and Dragos WorldView for weekly threat intelligence reports. Dragos is headquartered in the Washington, DC area.

Deloitte provides industry-leading audit, consulting, tax and advisory services to many of the world’s most admired brands, including nearly 90% of the Fortune 500 and more than 5,000 private and middle market companies.

Navigating a New Industrial Infrastructure

The Manufacturing Connection was conceived in 2013, when I decided to go it alone in the world, from the ideas of a new industrial infrastructure and enhanced connectivity. I even had worked out a cool mind map to figure it out.

Last week I was on vacation, spending some time at the beach reading, thinking, and catching up on some long-neglected things. Next week I am off to Las Vegas for the Hewlett Packard Enterprise “Discover” conference, where I’ll be inundated with learning about new ideas in infrastructure.

Meanwhile, I’ll share something I picked up from the Sloan Management Review (from MIT). This article was developed from a blog post by Jason Killmeyer, enterprise operations manager in the Government and Public Sector practice of Deloitte Consulting LLP, and Brenna Sniderman, senior manager in Deloitte Services LP.

They approach things from a much higher level in the organization than I usually do. They recognize what I’ve often stated about business executives reading about all these new technologies, such as cloud computing, internet of things, AI, blockchain, and others. “The potential resulting haste to adopt new technology and harness transformative change can lead organizations to treat these emerging technologies in the same manner as other, more traditional IT investments — as something explored in isolation and disconnected from the broader technological needs of the organization. In the end, those projects can eventually stall or be written off, leaving in their wake skepticism about the usefulness of emerging technologies.”

This analysis correctly identifies the organizational challenges when leaders read things or hear other executives at the Club talk about them.

The good news, according to the authors: “These new technologies are beginning to converge, and this convergence enables them to yield a much greater value. Moreover, once converged, these technologies form a new industrial infrastructure, transforming how and where organizations can operate and the ways in which they compete. Augmenting these trends is a third factor: the blending of the cyber and the physical into a connected ecosystem, which marks a major shift that could enable organizations to generate more information about their processes and drive more informed decisions.”

They identify three capabilities and three important technologies that make them possible:

Connect: Wi-Fi and other connectivity enablers. Wi-Fi and related technologies, such as low-power wide-area networks (LPWAN), allow for cable-free connection to the internet almost anywhere. Wi-Fi and other connectivity and communications technologies (such as 5G) and standards connect a wide range of devices, from laptops to IoT sensors, across locations and pave the way for the extension of a digital-physical layer across a broader range of physical locations. This proliferation of connectivity allows organizations to expand their connectivity to new markets and geographies more easily.

Store, analyze, and manage: cloud computing. The cloud has revolutionized how many organizations distribute critical storage and computing functions. Just as Wi-Fi can free users’ access to the internet across geographies, the cloud can free individuals and organizations from relying on nearby physical servers. The virtualization inherent in cloud, supplemented by closer-to-the-source edge computing, can serve as a key element of the next wave of technologies blending the digital and physical.

Exchange and transact: blockchain. If cloud allows for nonlocal storage and computing of data — and thus the addition or extraction of value via the leveraging of that data — blockchain supports the exchange of that value (typically via relevant metadata markers). As a mechanism for value or asset exchange that executes in both a virtualized and distributed environment, blockchain allows for the secure transacting of valuable data anywhere in the world a node or other transactor is located. Blockchain appears poised to become an industrial and commercial transaction fabric, uniting sensor data, stakeholders, and systems.

My final thought about infrastructure—they made it a nice round number, namely three. However, I’d add another piece especially to the IT hardware part. That would be the Edge. Right now it is all happening at the edge. I bet I will have a lot to say and tweet next week about that.

HPE Unveils Converged Edge Systems To Bridge OT and IT

Hewlett Packard Enterprise (HPE) announced new HPE Edgeline Converged Edge System solutions that speed the deployment and simplify the management of edge applications, enabling customers to act on the vast amounts of data generated by machines, assets and sensors from edge to cloud.

I think this is another significant advance reflecting the utility of enterprise compute capability brought ever closer to the plant itself. If you are looking to be disruptive in your industry or are on a corporate engineering staff looking for OT alternatives, I’d suggest taking a long look at these technologies and then letting your imagination do its work.

The new solutions include:

  • HPE Edgeline OT Link Platform, an open platform that automates the interplay between diverse operational technologies (OT) and standard IT-based applications at the edge to enable intelligent and autonomous decision making;
  • HPE Edgeline systems management, the industry’s first systems management solutions designed specifically for the edge to ensure enterprise-grade reliability, connectivity and security;
  • HPE Edgeline EL300 Converged Edge System featuring OT link and HPE Edgeline systems management, providing superior resilience against harsh edge environments for a broad range of industrial deployments; and
  • HPE Edgeline Field Application Engineering Services are available from HPE Pointnext to help customers plan, build, and customize OT link-based Internet of Things (IoT) and cyber-physical systems.

To turn edge data into insight for real-time action, it must be processed close to its source to avoid the latency, bandwidth, and cost issues of sending the data to a remote data center. However, this opportunity comes with a set of unique challenges, including management of remote infrastructure, and the necessity to seamlessly connect sensors and industrial assets with IT applications at the edge.

“Deploying IoT, edge, and cyber-physical systems is a challenge requiring a fresh look at uniting the physical and digital worlds,” said Dr. Tom Bradicich, Vice President and General Manager, Converged Servers, Edge and IoT Systems, HPE. “With today’s announcements, we enable our customers to accelerate the delivery of applications that capitalize on edge data, safeguarded by enterprise-class management. And we lay the groundwork for a new ecosystem of intelligent edge solutions to drive innovation and growth across industries.”

Simplifying deployment of edge-to-cloud IoT and cyber-physical systems

Today, setting up an IoT or cyber-physical system is a laborious undertaking. It requires custom coding to orchestrate OT networks, control systems, and data flows with drivers, middleware, and applications running on IT systems. HPE Edgeline OT Link Platform is an open platform that significantly simplifies this process, reducing cost and time to market.

The solution includes:

HPE Edgeline OT Link Platform software, an open workflow engine and application catalogue, allowing customers to orchestrate components, data, and applications via a graphical drag-and-drop user interface. The HPE Edgeline OT Link Platform integrates an ecosystem of third-party applications running from edge to cloud – including AWS, Google, Microsoft, SAP, PTC, GE, and more – to make insights from the edge available across the enterprise and supply chain.

HPE Edgeline OT Link certified modules, HPE-developed adapters that connect to a broad range of OT systems, enabling bi-directional, time-sensitive, and deterministic control and communication, including high-speed digital input/output, CAN bus, Modbus, or Profinet. APIs and SDKs for these adapters are made available to the industry to facilitate third-party designs of OT link modules. OT link will also integrate FPGA modules to give customers maximal flexibility to connect to any industrial input/output device.

Enterprise-grade manageability and security at the edge

HPE also announced the industry’s first systems management solutions specifically designed to simplify the provisioning and management of edge infrastructure and applications, providing enterprise-grade manageability and security for remote systems with limited connectivity and IT expertise.

HPE Edgeline Integrated System Manager is embedded into HPE Edgeline Converged Edge Systems and features one-click provisioning, ongoing system health management, remote updates, and management even with intermittent wired and wireless connections. It also supports advanced security functions like preventing system boot file changes and remote system disablement during a security event. HPE Edgeline Infrastructure Manager software can remotely manage thousands of Edgeline Converged Edge Systems.

The HPE Edgeline Workload Orchestrator hosts a central repository for containerized analytics, AI, business, and IoT applications that can be pushed to HPE Edgeline Converged Edge Systems at the edge.

Unparalleled convergence of OT and IT

The HPE Edgeline EL300 is a fan-less, low-energy system equipped with Intel Core i5 processors, up to 32GB of memory and 3TB of storage. It will also support Intel Movidius Myriad X vision processing units to enable video analytics and AI inference at the edge. The HPE Edgeline EL300 provides enhanced resiliency against shock, vibration, humidity, and dust, including IP50 and MIL-SPEC certifications, and can operate from -30 to +70 degrees Celsius. These features make the HPE Edgeline EL300 suitable to be deployed as an embedded system – for example, in production machines or in building infrastructure.

Expertise to accelerate deployment and create competitive advantage

To support these new offerings, HPE Pointnext, the services organization of Hewlett Packard Enterprise, provides HPE Edgeline Field Application Services, which help customers plan, design, build, and run IoT, edge and cyber-physical systems to accelerate deployment and ensure reliable and secure operation. These services include the evaluation of use cases, proof of value, solution deployment, and management of ongoing operations – helping customers get the most from OT/IT integrations.

Moreover, HPE Pointnext can help customers develop their own data acquisition, industrial network, and control components for HPE Edgeline OT Link Platform to create custom solutions and competitive advantage. HPE Edgeline OT Link Platform based solutions can be delivered on-premises with a turnkey deployment service, operated by HPE Pointnext.

Finally, HPE Edgeline EL300 Converged Edge System will be added to HPE GreenLake Flex Capacity, to deliver a consumption-based experience with usage-based payment, capacity metering, and tailored support, for customers who need a cloud-like experience for systems at the edge.

Gaining Trust In Your Data Systems

Digitalization breeds the need for data and connected devices. Trusted connections and data are required for success. Siemens invited a diverse group of press, analysts, podcasters, and bloggers to Munich this week (November 26-28) to discuss cybersecurity and the Charter of Trust.

I will use the words of Siemens below to discuss the rationale for the Charter of Trust. However, the idea is that if users cannot trust their data and connections, they will never go further into digitalization and therefore will not realize the anticipated benefits.

Some of the analysts and others in the conference had trouble understanding how something seemingly vague and not specifically standards-based would work. I think they missed the point. First, standards are good, but they take a long time to develop. What was needed was not another new standard. What is needed is for many companies to agree to a set of principles and then commonly work toward them for the mutual benefit of the industry, users, and society.

Eva Schulz-Kamm, Global Head of Government Affairs at Siemens AG, and Rainer Zahner, Global Head of Cybersecurity Governance at Siemens, told us the digital world is changing everything. Billions of devices are connected by the Internet of Things. That holds great potential for everyone, but also great risk: the risk of exposure to cyber-attacks, and the risk of losing control over the systems that run our infrastructures. Cybersecurity is therefore crucial to the success of our digital economy – because only if the security of data and networked systems is guaranteed will people actively support the digital transformation. They then explained why Siemens has initiated the Charter of Trust.

Siemens’ 171 years of experience have also shown that the best way to make a lasting difference isn’t as one company, but as an industry – not only as one nation, but as part of a global community. In modern history, competitor businesses have forged standards together that have carried the world from one industrial revolution to the next – including the unfolding digital transformation of industry. Countries without clear-cut geopolitical alliances have come together to forge cross-border agreements that grow trade and advance peace.

It’s in this spirit that Siemens launched the Charter of Trust earlier this year at the Munich Security Conference, a longstanding forum for business and government leaders to discuss geopolitical issues. Since then, several more global companies have seen the value of the Charter of Trust and signed on. These companies committed to create the first-of-its-kind global alliance focused on answering a very important question: How do we secure critical infrastructure – from our factories to our power grids – in the digital age?

We also are carrying an important message together: that when we talk about security today, it isn’t just about diplomacy and resolving military conflicts – it is increasingly about cyber attacks that seek to undermine our democratic and economic values.

The Charter of Trust then begins with these three goals:

  • protecting the data and assets of individuals and businesses;
  • preventing damage to people, businesses, and infrastructures;
  • building a reliable basis for trust in a connected and digital world.

“We know at the outset that a one-size fits all approach won’t work. We have instead agreed to 10 principles – from ensuring the highest levels of responsibility for cybersecurity within every company, to securing supply chains, products, and working with governments. Together, we will develop and continuously improve coordinated strategies and shared standards to protect critical infrastructures, public facilities and private companies.”

Charter of Trust members: The AES Corporation, Airbus, Allianz, Atos, Cisco, Dell Technologies, Enel, IBM, Munich Security Conference, NXP Semiconductors, SGS, Deutsche Telekom, Total and TÜV SÜD.

Advantech Quietly an Internet of Things Leader

Advantech has been appearing on a variety of lists of prominent Internet of Things suppliers. The Taiwanese computer company, with a US office in Cincinnati, OH, and recognized for its thought leadership, supplies intelligent I/O, a variety of computing devices, and HMI devices.

Several years ago I was privileged to be invited to Suzhou, China to attend Advantech’s user conference. It was an impressive event. This year they called it the “first IoT Co-Creation Summit.”

More than five thousand Advantech clients and partners from around the world attended the summit. Here Advantech introduced its newest IoT platform structure WISE-PaaS 3.0 and 32 IoT solution ready packages (SRPs) co-created with software and industry partners.

The event in itself will aid in the software/hardware integration for various industries, connect and build a complete industrial IoT ecosystem and value chain, and allow Advantech and partners to officially step into the next IoT stage.

Advantech Chairman KC Liu stated that, in view of the diversity of IoT application characteristics and the fragmented market, Advantech has assisted industries in integrating and connecting existing hardware and software, and regards creating a complete industry value chain as its primary task in IoT industry development.

Advantech is introducing new features for its WISE-PaaS 3.0 and sharing a number of IoT solution ready packages (SRPs), based on WISE-PaaS, developed with numerous co-creation partners. The company is also outlining future co-creation strategies and schedules for the upcoming year.

Allan Yang, Chief Technology Officer at Advantech, said, “While IoT is currently flourishing and many companies have invested in connectivity and data collection equipment, we are still in the early stages of generating value from IoT data. Since WISE-PaaS launched in 2014, Advantech has continued its integration and improved connectivity with open source communities. Our IoT software modules are developed to create operational cloud platform services oriented around the commercial value generated by data acquisition. Data-driven innovation has thus become the main target for our WISE-PaaS evolution.”

WISE-PaaS 3.0 offers four main function modules:

  • WISE-PaaS/SaaS Composer: a cloud configuration tool with visible workflow. WISE-PaaS/SaaS Composer supports customized component plotting for simple and intuitive 3D modeling application and interaction. It updates views at millisecond rates and, together with WISE-PaaS/Dashboard, presents critical management data in a visually intuitive display to help extract valuable data and improve operational efficiency.
  • WISE-PaaS/AFS (AI Framework Service): an artificial intelligence training model and deployment service framework. The WISE-PaaS/AFS provides a simple drag and drop interface that allows developers to quickly input industrial data. When combined with AI algorithms, the service builds an effective inference engine with automatic deployment to edge computing platforms. AFS offers model accuracy management, model retraining, and automated redeployment. It simultaneously controls multiple AI models in the application field; offering automated model accuracy improvements and life-cycle management services.
  • WISE-PaaS/APM (Asset Performance Management): an equipment network connection remote maintenance service framework. WISE-PaaS/APM connects to a wide array of on-site industrial equipment controls and communication protocols. It supports the latest edge computing open standard, EdgeX Foundry, and includes built-in equipment management and workflow integration templates. Jointly with the AFS, APM accelerates Machine to Intelligence (M2I) application development.
  • Microservice development framework: WISE-PaaS contains a micro service development framework to help developers rapidly create program design frameworks while reducing development requisites. Micro service functions, such as service finding, load balancing, service administration, and configuration center, all offer built-in flexible support mechanisms.

Advantech recently established a water treatment system, jointly developed with GSD (China) Co., Ltd., and a CNC equipment remote operation service, jointly developed with Yeong Chin Machinery Industries Co. Ltd. Both partnerships demonstrate how industrial digital transformations, led by Advantech and its partners through the co-creation model, offer innovative win-win IoT solutions.

Advantech’s IIoT iAutomation Group has launched a broad selection of rackmount GPU servers from 1U to 4U. The SKY-6000 GPU server series is powered by Intel Xeon Scalable processors, and each of these highly scalable GPU-optimized servers supports up to five NVIDIA Tesla P4 GPUs. IPMI management functions and smart fan control ensure better temperature control and thermal management. Every GPU pair includes one high-speed PCIe slot for highly parallel applications like artificial intelligence (AI), deep learning, self-driving cars, smart city applications, health care, high performance computing, virtual reality, and much more.

AI Deep Learning GPU Solution

With support for up to five half-length half-height (HHHL) GPU cards, or one full-height full-length (FHFL) double-deck card plus one full-height half-length (FHHL) GPU card, the SKY-6100 series is designed for NVIDIA Tesla P4 HHHL GPU cards, making it a strong choice for deep learning applications.

IPMI Server Management

With IPMI 2.0 support, the SKY-6000 series allows users to monitor, manage, and control servers remotely and receive alerts if any sensors detect device or component faults. In addition, event logs record important information about the server, which can be controlled remotely using the IPMI KVM.

Smart Fan Control

The optimized thermal design separates the CPU and GPU fan zones, making sure the GPU card is not preheated or thermally affected by any other heat source. Also, with the smart fan control mechanism, fan speeds are controlled based on the CPU and GPU workloads and the ambient temperature. This feature lowers the acoustic noise when GPUs are under heavy load but CPUs are not. Advantech’s SKY-6000 server series is available for order now.
