Data Forgery Protection Defends Critical Industrial Control Systems from Cyber Threats

Cyber protection takes on a number of forms. Almost everything involves “defense in depth” strategies. I just talked with an Israeli company started by former security agents that has found a different vulnerability and counteracts it. This is the first of three press releases I’ve been sitting on for release today. I guess Nov. 15 is a magic day in the PR world.

APERIO Systems emerged from stealth mode, launching the industry’s first technology that detects artificial manipulations of industrial process data, enabling operators to take real-time corrective action without service disruption to industrial control systems (ICS). From the rate of gas flow at a petroleum refinery, to the temperature and spin rates of turbines in a power plant, or the chlorine level of water supply networks, APERIO Systems’ proprietary Data Forgery Protection (DFP) technology delivers the last line of defense in protecting critical SCADA systems against insider and external threats.

APERIO Systems, already deployed at several sites across EMEA, secured seed funding from a consortium of private investors, including prominent cybersecurity veterans Doron Bergerbest-Eilon, Liran Tancman, and Shlomi Boutnaru. Bergerbest-Eilon is renowned for his role in establishing the agency charged with protecting all critical infrastructure in the State of Israel and is the former director of the security and protection division of the Israel Security Agency (ISA). He is currently the founder, president and CEO of ASERO Worldwide, a security consulting firm. Tancman and Boutnaru, who played key roles in building Israel’s cybersecurity capabilities, founded predictive cybersecurity startup CyActive, which was acquired by PayPal in 2015.

“Current solutions focus on keeping hackers outside critical systems, but attacks like the one that took down the power grid in Ukraine clearly show that sophisticated attackers will eventually penetrate these systems,” said Bergerbest-Eilon. “Once attackers breach a system, they must blind the operators and protection mechanisms by falsifying data in order to inflict severe and long-lasting damage. This entirely new category of Data Forgery Protection (DFP) is the key to keeping our critical infrastructure safe from attacks.”

Industrial control systems (ICS) are generally outdated from a cybersecurity perspective, vulnerable and difficult to patch because mission critical systems cannot be taken offline. While the threat to ICS is growing, critical systems security products on the market today are intrusive, hard to maintain, costly to integrate, and often produce vague and unactionable alerts, which cannot be acted upon by critical utility control rooms.

“Think of APERIO Systems as a polygraph for process data — it detects when your system is lying to you,” said Yevgeni Nogin, CEO of APERIO Systems. “With the unrelenting tenacity of cybercriminals, critical infrastructure breaches are inevitable. By guaranteeing the authenticity and integrity of operational data, APERIO Systems ensures that operators always know what’s really going on, enabling them to react quickly to a breach and take corrective action — making the critical systems resilient to the most dangerous of attacks.”

APERIO Systems’ advanced proprietary algorithms search for the data’s unique fingerprints and validate its authenticity. Any mismatches generate an alert and APERIO Systems pinpoints the attacked equipment and forged process data. Using a sophisticated combination of physics and state-of-the-art machine learning techniques, APERIO Systems reconstructs the real values of the forged operational data and reverts it to its original state in real time — establishing unprecedented operational resilience.

How APERIO Systems Protects

Both internal and external attackers can penetrate the most critical infrastructures, causing severe and long-lasting damage. To do so, they must hide their malicious activity and deceive plant operators by forging the reported values of critical devices, remaining undetected and preventing timely corrective action. APERIO Systems’ Data Forgery Protection technology immediately exposes forged system readings to safeguard critical control systems and allow quick and effective remediation.

APERIO Systems provides:

  • Data Forgery Protection (DFP): Validates integrity and authenticity of reported signals to provide operators with true state awareness, enabling them to take corrective action in real time.
  • Process Continuity: Enables trust in the most critical data and provides resilience when attacked.
  • Operational Alerts: Fast, actionable, specific and accurate alerts integrate cybersecurity into operational emergency procedures, allowing operators to mitigate permanent damage.
  • Accurate and Relevant: Alerts operators only when the reported process state does not reflect the plant’s real situation — providing an extremely low false alert rate.
  • Minimized Risk: Passive and non-intrusive system minimizes operational risks, as well as installation and maintenance costs.
  • Counters Insider Threats: Protects the plant’s process continuity from both external and internal actors.
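The release does not disclose how APERIO’s algorithms work, so the following is not their code. It is a small example added here to show the general idea the release describes: checking reported process data against the physics the process must obey, alerting on the mismatch, and reconstructing the value the operator should be looking at. The scenario (a tank with a level sensor and metered inflow/outflow, the tank area, the tolerance and every reading) is constructed for this example. The second scenario shows the limit of any consistency check of this kind: a forgery that keeps all correlated signals mutually consistent passes it, and the check by itself cannot tell a forged reading from a failed sensor.

```python
# Physics-consistency check for process data: a tank level must obey the
# mass balance dL/dt = (q_in - q_out) / A. Constructed example, not APERIO's code.

AREA_M2 = 2.0       # tank cross-section (assumed)
DT_S = 1.0          # sample interval (assumed)
TOLERANCE_M = 0.01  # allowed residual before a reading is treated as forged (assumed)


def make_samples(freeze_level_from=6, forge_flows=False):
    """Constructed telemetry: the true level rises 0.025 m/s. From t=freeze_level_from
    the reported level is frozen at its previous value (a replayed/forged reading).
    With forge_flows=True the attacker also forges q_in so that the flows and the
    frozen level stay mutually consistent."""
    samples = []
    for t in range(10):
        true_level = 1.0 + 0.025 * t
        frozen = t >= freeze_level_from
        level = 1.0 + 0.025 * (freeze_level_from - 1) if frozen else true_level
        q_in = 0.05 if (frozen and forge_flows) else 0.10
        samples.append({"t": t, "q_in": q_in, "q_out": 0.05, "level": level})
    return samples


def predict_level(prev_level, q_in, q_out, area=AREA_M2, dt=DT_S):
    """Level the physics predicts one sample after prev_level given the metered flows."""
    return prev_level + (q_in - q_out) / area * dt


def check_forgery(samples, tolerance=TOLERANCE_M):
    """Compare each reported level with the one predicted from the last trusted level
    and the reported flows. Returns one verdict per sample; 'trusted' is what an
    operator display should show: the reported value when it is consistent with the
    physics, the model prediction (the reconstructed value) when it is not."""
    verdicts = []
    trusted = samples[0]["level"]  # bootstrap from the first reading (assumed honest)
    verdicts.append({"t": samples[0]["t"], "alert": False, "residual": 0.0, "trusted": trusted})
    for s in samples[1:]:
        predicted = predict_level(trusted, s["q_in"], s["q_out"])
        residual = s["level"] - predicted
        alert = abs(residual) > tolerance
        # If the attacker forges q_in/q_out as well, residual stays small: the check
        # is only as strong as the independence of the signals it cross-checks.
        trusted = predicted if alert else s["level"]
        verdicts.append({"t": s["t"], "alert": alert, "residual": residual, "trusted": trusted})
    return verdicts


def alert_times(verdicts):
    """Sample times at which the reported level contradicted the physics."""
    return [v["t"] for v in verdicts if v["alert"]]


if __name__ == "__main__":
    for v in check_forgery(make_samples()):
        print(v)
    print("consistent forgery alerts:", alert_times(check_forgery(make_samples(forge_flows=True))))
```

Run stand-alone, the frozen-level scenario alerts from t=6 on and reports the rising model prediction as the trusted value, while the scenario in which the attacker also forges the inflow produces no alert at all. In a real plant the model would be identified from history rather than written down, the tolerance would account for sensor noise, and an alert would still need a second source (a redundant sensor, a network capture of the PLC traffic) to decide whether the reading was forged or the instrument failed.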

APERIO Systems is led by a veteran executive team with roots in the elite units of the Israel Defense Forces (IDF), as well as top cybersecurity and industrial companies:

  • Yevgeni Nogin, CEO — a graduate of the elite “Talpiot” IDF military academy who served over nine years in elite intelligence and R&D units of the IDF, and brings expertise in SCADA systems security.
  • Michael Shalyt, VP Product — a graduate of the “Psagot” IDF academic program who served as a leading researcher and team leader in the elite 8200 unit. Prior to joining APERIO Systems, he led the malware research team at Check Point.
  • Itay Baruchi, Head of Algorithms — served as director of Industrial MRI, where he worked closely with several of the biggest oil and gas drilling companies. Before that, he founded and served as CTO of Pythagoras Solar.
  • Charles Tresser, Chief Scientific Officer — a world-renowned expert in dynamical systems. Tresser is one of the world’s leading experts in chaos theory and formerly Director of Research at IBM and France’s National Center for Scientific Research (CNRS).

Awards For Creative Application of HMI and SCADA Software

Inductive Automation recently named the six recipients of its Ignition Firebrand Awards for 2016. The announcements were made at the Ignition Community Conference (ICC), held September 19-21 in Folsom, Calif.

The Ignition Firebrand Awards recognize system integrators and industrial organizations that use the Ignition software platform to create innovative new projects. Ignition by Inductive Automation is an industrial applications platform with fully integrated tools for building solutions in human-machine interface (HMI), supervisory control and data acquisition (SCADA), and the Industrial Internet of Things (IIoT).

Ignition is used in more than 100 countries. Its popularity has helped Inductive Automation increase its revenues at an average annual rate of more than 40 percent over the past six years.

The Ignition Firebrand Awards are presented every year at ICC. The award-winning projects are part of the ICC Discover Gallery, which featured the best 18 Ignition projects submitted by integrators and industrial organizations. Inductive Automation received a record number of entries this year, and saw more innovation than ever before.

“We were extremely impressed with the quality and variety of Discover Gallery entries this year,” said Don Pearson, chief strategy officer for Inductive Automation. “It made it very difficult to select the top six. But we were very pleased to see that this year’s Firebrand Award winners represent a deeper level of understanding of the power of Ignition than we’ve ever seen before.”

“When you install the Ignition platform, it does nothing on its own,” said Travis Cox, co-director of sales engineering for Inductive Automation. “It’s inspiring to see what people can do as they innovate and build these creative and unique applications with Ignition.”

These six award winners demonstrated the versatility and power of Ignition:

  • Bixby International (Newburyport, Mass.) had one of its managers learn and implement Ignition on his own, creating numerous screens for three plastics extrusion lines, showing real-time data on a number of clients.
  • HTC High Tech Consultant (Vicenza, Italy) used Ignition to eliminate paper and improve production efficiencies for a large producer of leather products. The solution included the ability to expand Ignition to more than 100 tablets.
  • Kymera Systems (Leduc, Alberta, Canada) used Ignition to provide an oil company with a highly cost-effective, new SCADA system that worked with numerous types of legacy field devices.
  • MartinCSI (Plain City, Ohio) used Ignition in a highly creative way to make a realistic training simulation of a water purification system used by the United States Army.
  • Tyrion Integration Services (Bakersfield, Calif.) used Ignition and message queuing telemetry transport (MQTT) to provide real-time data for testing of oil wells. The project included a cloud-based solution and expanded mobile capabilities.
  • Vertech (Phoenix, Ariz.; Irvine, Calif.; Nashville, Tenn.) created a White Box with Ignition that can connect to a brewery’s bottling or canning line, unobtrusively, in just one day. The White Box instantly delivers valuable data that brewers were not able to see previously.

Future of Industrial Software and HMI/SCADA at Inductive Automation

The industrial software market has changed dramatically over the past 13 years. One market disruptor hails from just outside Sacramento, California. I still remember meeting Steve Hechtman at an ISA show probably in 2003. He talked about developing HMI/SCADA industrial software in an entirely new way.

He told me that Inductive Automation was developing software written in Java and using IT-friendly technologies. Not only that, he would have a business model that totally disrupted the prevalent licensing by seats.

Hechtman greeted a capacity audience at the 2016 Ignition Community Conference Sept. 19. The 430+ attendees exhausted the capacity of the Harris Center in Folsom, CA. The company has experienced double-digit growth every year since it started. It has been profitable every quarter since the launch of its flagship product, Ignition, in 2010. Privately held, it has no debt and no investors.

The company’s mission has been to reduce friction. Reduce friction to use the product, to buy the product, to develop using the product. Or, to quote from the presentation, “Our mission is to create industrial software that empowers our customers to swiftly turn great ideas into reality by removing all technological and economic obstacles.”

The technology allows for a 3-minute installation. It is scalable from a Raspberry Pi to enterprise servers.

Rather than calling Ignition HMI/SCADA software, Hechtman refers to it as a platform. Not only does Inductive Automation build modules to sit on it, the company makes it easy for customers to build, and even sell, modules, too. Part of that removing friction thing.

Hechtman brought up the IIoT and the hype surrounding it. The Gartner Hype Cycle plots a curve from early expectations up to a peak of euphoria, plummeting into the trough of disillusionment and then partially recovering to the point where 20%-30% of companies use and gain benefit from the technology. He suggested that Ignition builds a bridge over the trough of disillusionment to beneficial application of the IIoT.

Chief Strategy Officer Don Pearson followed with the other theme of the week, IT/OT convergence. “We’ve been doing that from the beginning,” he stated.

Most people have talked about driving convergence from the IT side. That’s all backwards according to Pearson. The OT side should drive the convergence partly through adopting IT-friendly technology and learning from IT folks about their strengths such as security.

One last sign of growth: the number of partners exhibiting in the foyer. More than I can list, but start with Opto 22, Bedrock Automation, Cirrus Link, Seeq. The company has vision and drive. And financial stability.

Summary

Here is a link to an interview I recorded with two of the original developers, Colby Clegg and Carl Gould. Owner/President Steve Hechtman was in the room, but I don’t recall that he said anything. I threw a digital audio recorder on the conference room table in early 2011. Since then, the company has grown into new offices and is now looking for more office space.

There was a lot of buzz at the conference. There were people from many countries, but many also were from large manufacturing companies. Several large systems integrators brought several engineers. The organizers asked if I would lead a “meet up” or round-table discussion on Monday before the actual kickoff. Wow–there were several really smart people in attendance. It was a great geek discussion.

If you are involved with developing applications with industrial software, you should check out next year’s conference. Even if you are not a customer, it’s worth it just to learn from others who come.

Talking MQTT For Industrial Data Exchange

I ran a brief series on industrial data, interoperability, and the Purdue Model (see this one, for example, and others about that time). It’s about how data is becoming decoupled from the application. It’s no longer hierarchical; data seeks out the applications that need it.

This week I took a look at Opto 22’s latest innovation—use of RESTful APIs in an industrial controller. The next step seemed to be looking at MQTT. This is another IT-friendly technology that also serves as an open, standardized method of transporting data—and more.

Then I’ll follow up on a deeper discussion of OPC and where that may be fitting in within the new enterprise data architecture.

I’ll finish the brief series with an application of (perhaps) Big Data and IIoT. It’s not open standard, but shows where enterprises could be going.

MQTT and Sparkplug

Inductive Automation has been around for about 13 years, but it has shown rapid growth over the past 5. Its product, Ignition, is a Java-based HMI/SCADA and IIoT platform that runs on premises or in the cloud. I finally made it to the user conference last September and was amazed at the turnout—and at the companies represented. Its product is targeted at the market dominated in the past by Wonderware, Rockwell Automation RSView, and GE Proficy (Intellution iFix in a former life). It’s a private company, but I’ve been trying to assemble some competitive market share guesses. My guess is that Inductive ranks very well with the old guard. Part of the reason is its business model that seems friendly to users.

Just as Opto 22 was an early strong supporter of OPC (and still supports it), so also is Inductive Automation a strong OPC shop. However, just as Opto 22 sees opportunities for better cloud and IT interoperability with REST, Inductive Automation has seen the same with MQTT. In fact, it just pulled off its own Webinar on the subject.

I put in a call and got into a conversation with Don Pearson and Travis Cox. Following is a synopsis of the conversation. It is also a preview of the ICC user conference in Folsom, CA Sept. 19-21. At the conference you can talk to both Arlen Nipper, president and CTO of Cirrus Link and co-inventor of MQTT, and Tom Burke, president of the OPC Foundation.

Don and Travis explained that MQTT itself is a broker-based middleware technology. It describes a lightweight publish/subscribe transport that is completely agnostic as to the message carried in the communication. So you could send OPC UA information over MQTT, or other types of data. The caveat, as always, is that the application on the receiving end must speak the same “language.”

They see apps talking directly to PLCs/PACs/controllers as going away. We are in the midst of a trend of decoupling data from the application or device.

MQTT is “stateful” in the sense that the broker can hold a device’s last known state: a publisher can mark a message as retained so that new subscribers immediately receive the last value, and a client registers a “last will” message at connect time that the broker publishes on its behalf if the client drops off. MQTT rides on TCP/IP, can be wrapped in TLS (it carries no encryption of its own, so an unwrapped connection exposes credentials and data on the wire), and it reports by exception, sending a value only when it changes.

Describing the message

MQTT is, in itself, agnostic as to the message. To be truly useful, though, it needs a message specification. Enter Sparkplug. This specification describes the payload (and the topic namespace), so it is needed on both sides of the communication. It doesn’t need to know the device itself, as it is all about information. Sparkplug is published as an open GitHub project and has since become an Eclipse Foundation specification; MQTT itself is standardized by OASIS, with open-source implementations such as Paho and Mosquitto hosted at Eclipse.
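The pieces described above (a payload-agnostic publish/subscribe transport, the last-will mechanism that lets the broker report a device’s final state, report by exception, and a Sparkplug-style topic namespace) are easiest to see on the wire. The following is an example added for this page, not code from Inductive Automation, Cirrus Link or the Eclipse projects: it builds and parses MQTT 3.1.1 CONNECT and PUBLISH packets by hand so that it runs with no broker and no network. The group, edge-node and device names are made up, and the payload is JSON standing in for the protobuf encoding that real Sparkplug B uses.

```python
import json
import struct

# --- MQTT 3.1.1 wire format (standard encoding, written out for this example) ---

def encode_remaining_length(n):
    """MQTT 'remaining length' varint: 7 bits per byte, MSB set means more bytes follow."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def decode_remaining_length(buf, offset):
    """Returns (length, offset just past the varint)."""
    value, multiplier = 0, 1
    while True:
        b = buf[offset]
        offset += 1
        value += (b & 0x7F) * multiplier
        if not b & 0x80:
            return value, offset
        multiplier *= 128


def utf8_field(s):
    """Length-prefixed UTF-8 string as used for topics, client ids and user names."""
    data = s.encode("utf-8")
    return struct.pack("!H", len(data)) + data


def connect_packet(client_id, will_topic=None, will_payload=b"", username=None, password=None, keepalive=60):
    """CONNECT with clean session, an optional Last Will (QoS 1) and optional credentials.
    The will is what the broker publishes if this client disappears without a DISCONNECT."""
    flags = 0x02  # clean session
    payload = utf8_field(client_id)
    if will_topic is not None:
        flags |= 0x04 | (1 << 3)  # will flag, will QoS 1
        payload += utf8_field(will_topic) + struct.pack("!H", len(will_payload)) + will_payload
    if username is not None:
        flags |= 0x80
        payload += utf8_field(username)
        if password is not None:
            flags |= 0x40
            payload += struct.pack("!H", len(password)) + password
    variable_header = utf8_field("MQTT") + bytes([0x04, flags]) + struct.pack("!H", keepalive)
    body = variable_header + payload
    return bytes([0x10]) + encode_remaining_length(len(body)) + body


def publish_packet(topic, payload, qos=0, retain=False, packet_id=None):
    """PUBLISH; retain=True asks the broker to hand this value to future subscribers."""
    header = 0x30 | (qos << 1) | (1 if retain else 0)
    body = utf8_field(topic)
    if qos:
        body += struct.pack("!H", packet_id)
    body += payload
    return bytes([header]) + encode_remaining_length(len(body)) + body


def parse_publish(packet):
    """Broker-side view: topic and flags are visible, the payload is opaque bytes."""
    if packet[0] >> 4 != 3:
        raise ValueError("not a PUBLISH packet")
    qos = (packet[0] >> 1) & 0x03
    retain = bool(packet[0] & 0x01)
    length, pos = decode_remaining_length(packet, 1)
    body = packet[pos:pos + length]
    tlen = struct.unpack("!H", body[:2])[0]
    topic = body[2:2 + tlen].decode("utf-8")
    pos = 2 + tlen
    packet_id = None
    if qos:
        packet_id = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
    return {"topic": topic, "qos": qos, "retain": retain, "packet_id": packet_id, "payload": body[pos:]}


# --- Report by exception on a Sparkplug-style topic namespace ---
# Sparkplug topics are spBv1.0/<group>/<message type>/<edge node>[/<device>].
# Real Sparkplug B payloads are protobuf; JSON is a stand-in here (assumption).

class ReportByException:
    def __init__(self, group, edge_node, device, deadband):
        self.topic = f"spBv1.0/{group}/DDATA/{edge_node}/{device}"
        self.deadband = deadband
        self.last = {}

    def update(self, tag, value):
        """Return a PUBLISH packet only when the tag moved by more than the deadband."""
        prev = self.last.get(tag)
        if prev is not None and abs(value - prev) <= self.deadband:
            return None
        self.last[tag] = value
        return publish_packet(self.topic, json.dumps({"tag": tag, "value": value}).encode())


if __name__ == "__main__":
    print(connect_packet("edge1", will_topic="spBv1.0/Refinery/NDEATH/edge1", will_payload=b"{}").hex())
    rbe = ReportByException("Refinery", "edge1", "device1", deadband=0.5)
    for reading in (10.0, 10.3, 11.0):
        pkt = rbe.update("gas_flow", reading)
        print(reading, "->", parse_publish(pkt) if pkt else "suppressed (within deadband)")
```

Note what the broker can and cannot see: it routes on the topic and flags, and it never interprets the payload, which is exactly why both ends need Sparkplug (or some other agreed payload format). Nothing in these bytes is protected by MQTT itself. The user name and password in CONNECT travel in the clear unless the TCP connection is wrapped in TLS (conventionally port 8883) with the broker’s certificate validated, and which clients may publish to or subscribe from a given topic is entirely up to the broker’s access-control configuration.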

I have known Don and Travis for years. I have never heard them as passionate about technology as they were during our conversation.

If you are coming to Folsom, CA for the conference, you’ll hear more. I will be there and would love to have a breakfast or dinner with a group and dive into a deep discussion about all this. Let me know.

Manufacturing Software Beyond HMI/SCADA

A manufacturing software supplier must go beyond where they are to keep pace with today’s needs. GE Digital just announced such an extension–to offer decision support capabilities. The new GE HMI/SCADA software offers “comprehensive and best-in-class monitoring and visualization capabilities,” as well as work process management, analytics, and mobility. Based on ISA high performance design principles, this solution enables companies to troubleshoot faster, reduce waste and increase productivity.

“Most SCADA systems are still configured as HMIs – simply a display to indicate status,” said Matthew Wells, General Manager Automation Software for GE Digital. “In developing this new generation solution, we have combined industry standards, GE research and Industrial Internet technologies to exceed traditional HMI/SCADA, increasing operational efficiency and delivering on business outcomes.”

Context-driven navigation and situational awareness

The new GE software features a context-rich HMI that changes as the user moves through the system. Navigation is derived from a structured asset model. Using the model, the software can always provide operators with the most relevant information, in context, and minimize time to response. Additionally, the structured asset model mapped to the SCADA database significantly speeds configuration. Modern technologies such as HTML5 and Web HMI allow for centralized development and deployment, as well as accessibility anywhere in multiple form factors.

“With high performance HMI/SCADA, operators are able to quickly determine an abnormal situation and get to the root causes of many issues,” said Sergio Chavez, Automation Engineer with Los Angeles Dept. of Water and Power. “We help operators visualize a process and make alarms very visible. We’re shaving the time it takes for operators to act on a situation.”

To help engineers create the right user experience, GE also provides predefined smart objects and templates designed using efficient HMI concepts. Standard layouts and cards – such as trends, alarms, alarm summaries, and KPIs – are available out of the box, speeding configuration and improving user situational awareness.

Task management and mobility

Additionally, GE’s fourth generation HMI/SCADA portfolio has task management capabilities, triggering the right actions, at the right time, by the right person, in the right place based on alarms or other events. GE’s new Workflow 2.5 and Mobile 2.0 solutions extend the capabilities of Decision Support HMI/SCADA further, helping companies achieve their critical business outcomes with integrated workflows and intelligent alarming, available anytime and anywhere.

“Operator effectiveness allows operators the opportunity to grow professionally,” according to Bill Fritz, Director of Public Works, Waterford Township, Michigan. “They can reinvent themselves and gain new value-added skills. They can take on new roles.”

GE’s Wells explained, “Use technology to improve the operator experience and manage operations for greater efficiency. With just a quick look, operators today should be able to recognize which information requires their attention and what it indicates – which speeds response and drives to business outcomes.”
