Don’t WannaCry on your Industrial IoT System

Pretty much anyone who has a computer or listens to the news has heard about the WannaCry virus that swept across the world a few days ago, installing itself on computers in businesses, hospitals, government agencies, and homes, encrypting hard drives and demanding ransom payments.  After scrambling to ensure that our operating systems are up-to-date and protected against this latest threat, the question soon comes up: How can we protect ourselves against similar threats in the future?

“How?” indeed.  That would seem difficult.  Our reliance on networked computers for business and personal use is fully entrenched, and business/personal PCs will remain vulnerable for the foreseeable future.  In the industrial arena, some may conclude this latest attack is yet another reason to hold off on their IoT strategy.  Or, at least: “You should use a VPN to keep it safe.”

And yet neither of these instincts is necessarily correct because (i) it is possible to build a secure Industrial IoT (“IIoT”) system, and (ii) VPN is not the way to do it.  Industrial control systems may use the same underlying operating systems as PCs but they are different in one critical aspect.  They exchange real-time control data, not files and emails.

How WannaCry Got In

WannaCry comes in two parts – an email “bomb” that exploits your anti-virus software and a “worm” that propagates throughout your network by exploiting configuration weaknesses and operating system bugs.  The special danger of WannaCry is that it can infect a computer through email even if you never open the email message.  Once WannaCry arrives through email, the worm takes over to attack the rest of the computers on your network.

The worm portion of the virus spreads itself by finding other machines on the network.  According to analysis of the code by Zammis Clark at Malwarebytes Labs, “After initializing the functionality used by the worm, two threads are created. The first thread scans hosts on the LAN. … The scanning thread tries to connect to port 445, and if so creates a new thread to try to exploit the system using MS17-010/EternalBlue.”  MS17-010/EternalBlue refers to the bug that the virus exploits.

If there is no open port on the other computer, the virus cannot spread.  But the VPN is not much help here.  If anyone on the VPN is struck by the virus, then every machine on the LAN is exposed.  Suppose you have an IIoT system connecting a corporate office to a process control system over a VPN.  If the virus activates on any of the connected machines in the IT department, it can easily propagate itself to any of the connected machines on the industrial LAN.
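The scanning behaviour quoted above (one host trying port 445 on many neighbours in quick succession) is visible in ordinary firewall or flow logs, so a defender can detect it on the industrial LAN even when the hosts themselves cannot be patched immediately. The following detector is an added example, not code from the original post or from Skkynet; the log format and the sample lines are constructed for the illustration, and the fan-out threshold and time window are assumed tuning values.

```python
"""Flag hosts that fan out to TCP/445 across the LAN, the worm pattern
described in the text, from firewall connection logs.

Assumed (constructed) log format, one connection attempt per line:
    <ISO-8601 time> <src_ip> -> <dst_ip>:<dst_port> <ALLOW|DENY>
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) "
    r"(?P<action>ALLOW|DENY)$"
)
SMB_PORT = 445

# Constructed sample: 10.0.0.5 sweeps six neighbours on 445 in three seconds,
# 10.0.0.20 talks repeatedly to a single file server, others are unrelated.
SAMPLE_LOG = """
2017-05-15T09:00:00 10.0.0.20 -> 10.0.0.2:445 ALLOW
2017-05-15T09:00:01 10.0.0.5 -> 10.0.0.10:445 ALLOW
2017-05-15T09:00:01 10.0.0.5 -> 10.0.0.11:445 DENY
2017-05-15T09:00:02 10.0.0.5 -> 10.0.0.12:445 DENY
2017-05-15T09:00:02 10.0.0.5 -> 10.0.0.13:445 ALLOW
2017-05-15T09:00:03 10.0.0.5 -> 10.0.0.14:445 DENY
2017-05-15T09:00:03 10.0.0.5 -> 10.0.0.15:445 DENY
2017-05-15T09:00:04 10.0.0.7 -> 10.0.0.30:80 ALLOW
2017-05-15T09:00:05 10.0.0.20 -> 10.0.0.2:445 ALLOW
2017-05-15T09:02:00 10.0.0.9 -> 10.0.0.40:445 ALLOW
""".strip().splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
        "action": m["action"],
    }


def find_smb_scanners(lines, fanout_threshold=5, window=timedelta(seconds=60)):
    """Return {src_ip: set_of_dst_ips} for every source that contacted at least
    `fanout_threshold` distinct hosts on port 445 within any `window`.

    DENY lines count too: a blocked probe is still evidence of scanning, and a
    legitimate SMB client talks to one or two servers, not to the whole subnet.
    """
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["port"] == SMB_PORT:
            events[rec["src"]].append((rec["ts"], rec["dst"]))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            # Slide the window start forward until it spans at most `window`
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            targets = {dst for _, dst in evs[lo:hi + 1]}
            if len(targets) >= fanout_threshold:
                flagged[src] = flagged.get(src, set()) | targets
    return flagged


if __name__ == "__main__":
    for src, targets in find_smb_scanners(SAMPLE_LOG).items():
        print(f"possible SMB scan from {src}: {len(targets)} hosts -> {sorted(targets)}")
```

The threshold and window should be tuned against a baseline of normal SMB traffic on the segment; a backup server or domain controller that legitimately reaches many hosts on 445 belongs on an allow list rather than in a raised threshold.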

How to Keep WannaCry Out

The tongue-in-cheek answer is “don’t use email”.  More seriously, industrial systems and IT systems should be separated from one another.  There is no need to read email from the industrial LAN.  Don’t install email software on your industrial computers, and don’t allow email traffic through your firewall.

But industrial systems still need to communicate their data.  How can you reach the data without exposing the industrial network?  The solution is spelled out in detail in the latest white paper from Cogent (a Skkynet company) titled: Access Your Data, Not Your Network. This paper explains why the traditional architecture of industrial systems is not suitable for secure Industrial IoT or Industrie 4.0 applications, and discusses the inherent risks of using a VPN.  But most important, it introduces the best approach for secure IIoT and Industrie 4.0, which is to provide access to industrial data without exposing the network at all.

Specifically, the Skkynet-provisioned devices and the DataHub can make outbound connections to SkkyHub without opening any firewall ports.  These connections are robust channels that support bidirectional, real-time communications for doing monitoring and supervisory control.  The WannaCry virus or anything similar cannot spread into this system because they can’t see anything to infect.  The devices on the network are completely invisible.  Skkynet’s approach provides access to the data only, not to the network.

Skkynet at CSIA 2017

Several of us at Skkynet had the pleasure of attending the Control Systems Integrators Association annual conference (CSIA 2017) last week, in Fort Lauderdale, Florida.  Everyone appreciated the beach-side venue and great food, and the balmy weather was a welcome change to Ontario’s cold, rainy spring. The theme of the conference this year was “From Best Practices to Transformative Business Models,” which set the tone and direction of many of the presentations and resulting conversations.

The idea of transformative business models was presented by Mike Harvath, CEO of Revenue Rocket Consulting Group, who offered a vision of the way digital technologies and the IoT are changing how business will be done by system integrators over the next few years.  One of the main differences he and others foresee is a shift from projects and products to services.  Citing recent trends, such as companies providing lighting as a service, Harvath foresees system integrators designing projects and providing products on a service-based model.

Many of the integrators we talked to at CSIA 2017 understood the Industrial IoT in terms of cloud-based data storage and analytics.  Offering their customers this kind of cloud service would fit the transformative business model, they felt, but a number of questions were raised about how to implement the vision.  In a special “Unconference” on transformative business models, we had a chance to brainstorm and bounce ideas off one another in a peer-to-peer environment.

Top Concerns

Among the top concerns were how to start moving towards a service-model business in general, and how to provide secure IoT services in particular.  Most of the customers for these system integrators are large manufacturing or infrastructure companies, like energy or wastewater facilities, and tend to be conservative in adopting new business models.  Likewise, being engineers and responsible for multi-million dollar budgets and mission-critical systems, the system integrators themselves are being cautious.

I spoke with a number of them about business transformation and the IoT, and most indicated that they are open to the idea, but that seeing is believing.  They and their customers want to see examples of secure IT to OT connectivity, cloud-based data collection, and good return on investment.  We had some enlightening conversations about Skkynet’s secure-by-design approach to the IIoT, and showed them on some demonstration hardware how to monitor and control a system from a web page or smart phone.  The revenue-sharing opportunities of the SkkyHub service struck a welcome chord with those who were getting serious about shifting towards a more service-oriented approach to their business.

Overall, CSIA 2017 was a good experience—a chance to meet those in a position to use or recommend the DataHub and SkkyHub, and find out whether their customers can benefit from this kind of technology.  It turns out that many of them can, and they are starting to realize it.

Embracing an Automation Economy

Since the beginning of the industrial revolution, automation has been a steadily growing trend for the manufacturing and process industries, to the joy of some and the dismay of others.  On the one hand, automation is synonymous with lower production costs and higher quality, providing more consistent output with less physical labor.  On the other hand, from time to time there is concern about job loss as machines replace unskilled labor, and put people out of work.  As far back as 1779, so the story goes, a young weaver’s apprentice named Ned Ludd vandalized a couple of knitting machines, thus becoming the namesake of the Luddite movement, a group of skilled workers who violently protested one of the world’s first industrial automation initiatives.

Now there is a new automation revolution taking place that may have an even greater social impact.  Thanks to new digital technologies like artificial intelligence, big data, robotics, satellite geopositioning, and others, jobs that we once thought only humans can do are now seen as potential targets for automation.

“In the past, automation was largely restricted to simple manual or procedural tasks,” said Carolyn Wilkins, Senior Deputy Governor of the Bank of Canada, in a recent speech to the Toronto Board of Trade. “Today’s technology makes it possible to automate an increasing number of cognitive and non-routine tasks across a wide range of industries.”

The impact of automation on virtually every employment sector for the near future was the subject of The Future of Employment by Carl Benedikt Frey & Michael Osborne of the University of Oxford.  “According to our estimates around 47 percent of total US employment is in the high risk category,” the paper states in its conclusion.  “We refer to these as jobs at risk – i.e. jobs we expect could be automated relatively soon, perhaps over the next decade or two.”

Some of the jobs most at risk were in categories like “Machine Setters, Operators, and Tenders” in various industries.  This is what we might expect, given the recent robotics trend in manufacturing.  More surprising were job categories like hotel desk clerk, agricultural inspector, bill collector, animal breeder, restaurant cook, and legal secretary.  Twenty years ago, who would have imagined these occupations being automated?  Yet most of them will be in the next twenty years, according to the study.

What now?

Where does that leave us?  “What we need to do is embrace the technologies in areas where we can make a difference and promote productivity,” recommends Carolyn Wilkins.  She mentioned in particular the STEM subjects (science, technology, engineering, and math) as “solid foundations that provide a platform for future learning.”  Perhaps she is right.  The Oxford study lists a number of occupational areas with a low chance of replacement, and engineering is among them, for sure.  And for those with a more humanistic interest, health care, education, the arts and entertainment are other options, as they also are not expected to be automated any time soon.

At Skkynet we are doing our part to make automation easy to embrace, by making our products and services convenient and affordable.  And internally, we are always looking for ways to streamline our workflow.  The more we automate the boring and repetitive jobs here in the office, the more time we have to do the cool, fun, and interesting stuff that keeps us at the leading edge.

5G Wireless Seems Optimal for Industrial IoT

A few weeks ago two hardware giants in the telecom and chip industries, Ericsson and Intel, launched a 5G Innovators Initiative, along with Honeywell, GE, and the University of California Berkeley.  5G wireless is the next standard after 4G that will convey much more data at much higher speeds, making it ideal for IIoT applications.  In fact, the 5G Innovators Initiative’s action plan states that “The first industry segment to be explored is Industrial Internet of Things (IIoT).”

Honeywell and GE, the primary industrial partners in this initiative, both recognize the value of 5G for industry.  “Industrial companies looking to optimize their assets and operations need connectivity from the edge to the cloud. … using the innovations emerging from 5G wireless will help them unlock efficiency, increase manageability and drive sustainability,” said Peter Marx, Vice President, Advanced Concepts, GE Digital.

“5G technology will be a key enabler as we continue to develop and deploy new connected solutions to improve worker productivity, safety and asset performance across our customers’ global supply chains,” said Suresh Venkatarayalu, Chief Technology Officer, Honeywell Safety and Productivity Solutions.  “It will help us bring to market new IoT solutions for aircraft, buildings, homes, industrial plants, logistics providers, manufacturers and retailers.”

Commenting on the value of 5G wireless for industrial applications, Bob Gill at ARC Advisory Group said last year, “The ramp-up in speed and performance that goes with the next evolution of the cellular story, 5G, brings with it increased relevance to the industrial flavor of IoT, i.e. IIoT, and some interesting potential applications. … More specific to Industrial IoT, 5G’s extremely low latency of one millisecond (versus about 25 ms for 4G) makes it viable for critical industrial applications involving control rather than just monitoring.”

This is the kind of performance that Skkynet users can appreciate. Already recognized by Nokia for its cutting-edge technology, Skkynet is well positioned to take full advantage of the high speed performance that 5G can provide.  The SkkyHub service adds only a few milliseconds to overall device-to-user data transmission via the cloud.  Running on a 5G network would mean real-world M2M response times of under 5 milliseconds for industrial applications.

“Remotely controlled operations are particularly applicable in industries like mining, construction, oil & gas, and power, where the operating environment may be hazardous and the sites distantly located, hard to reach, and inhospitable,” Gill continued. “For a remote worker to operate a machine in a mine, for example, as safely and efficiently as an on-site operator necessitates a level of sensory awareness of the surroundings, and this becomes possible with a fast, low latency 5G network transmitting live video and enabling real-time force feedback and haptic interaction.”

At Skkynet we are following the development of 5G wireless with interest, while we continue to build and enhance the necessary secure infrastructure to support Gill’s vision.  Even with just 3G or 4G, engineers and managers are able today to do supervisory control with live video in real time using DataHub and SkkyHub technology.  5G can only enhance the performance and user experience.

AWS Outage Calls Attention to Hybrid Cloud

At the end of February Amazon Web Services (AWS) slowed to a crawl for about four hours, causing a major loss of service for hundreds of thousands of websites in North America.  Sites with videos, images, and data files stored on the AWS cloud server suddenly lost much or all of their content, and/or shut down altogether.

After the initial weeping, moaning, and outrage died down, a lively discussion ensued among IT technicians, managers, and concerned citizens on how to deal with this kind of incident in the future.  The comment section on a story at The Register gives a sample of the kinds of ideas put forward, and there is a clear consensus on a number of them.  Most experts agree that the occasional service outage is one of the inherent risks of using the Internet and cloud services, and that if you need high reliability for your data, you’d better have some kind of redundant or backup solution.

There are normal, accepted ways of building redundancy into a data communications system, including IoT and cloud applications.  One approach mentioned frequently is “hybrid cloud”, a public and a private cloud running simultaneously.  A public cloud is a service offered to anyone, typically by a company for paying customers, like AWS.  A private cloud is a service operated and maintained by an individual or company for its own internal use.  To achieve redundancy for AWS in this past outage, a private cloud would have been up and running with a copy of all the company’s data and software, the same as AWS, but just not online.  When AWS stopped serving data, the system would have automatically switched to the private cloud, and someone using the website would not even have noticed.

This is how it works in theory, but building and maintaining a hybrid cloud system that can perform this kind of redundant operation is no small task.  Depending on the level of data and functional replication, in addition to the speed of error detection and switch-over capability, the hybrid site could cost as much, or even more than the cloud site.  Companies considering such an option would need to do a cost/benefit analysis, based on their specific circumstances.
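The switch-over the two paragraphs above describe, detecting that the public side has stopped answering and routing reads to the private replica until the public side is confirmed healthy again, is the part that is easy to get wrong: switching on a single timeout causes flapping, and never re-probing leaves you on the replica forever. The reader below is an added example, not Skkynet, DataHub or SkkyHub code; the two backends are simulated in-memory stores (constructed for the illustration), the injected clock exists only so the outage can be replayed deterministically, and the 30-second re-probe interval is an assumed value.

```python
"""Hybrid-cloud read path with automatic failover and a cool-down before
re-probing the public cloud. Backends are simulated (constructed for this
example); a real deployment would wrap HTTP/OPC clients in the same interface.
"""
import time


class Backend:
    """Simulated data store; flip `healthy` to model an outage like the AWS one."""

    def __init__(self, name, data):
        self.name = name
        self.data = dict(data)
        self.healthy = True

    def get(self, key):
        if not self.healthy:
            raise ConnectionError(f"{self.name} unreachable")
        return self.data[key]


class HybridReader:
    """Serve from `public` by default; on failure, serve from `private` and only
    try `public` again after `retry_after` seconds (avoids flapping)."""

    def __init__(self, public, private, retry_after=30.0, clock=time.monotonic):
        self.public = public
        self.private = private
        self.retry_after = retry_after
        self.clock = clock
        self.public_down_since = None  # None means public is believed healthy
        self.last_source = None        # which backend answered the last get()

    def _public_usable(self):
        if self.public_down_since is None:
            return True
        return self.clock() - self.public_down_since >= self.retry_after

    def get(self, key):
        if self._public_usable():
            try:
                value = self.public.get(key)
                self.public_down_since = None  # recovered (or never down)
                self.last_source = self.public.name
                return value
            except ConnectionError:
                self.public_down_since = self.clock()  # start/restart cool-down
        # Public side is down or in cool-down: read the private replica.
        # If the replica is also unreachable, its ConnectionError propagates;
        # there is no third copy to fall back to.
        value = self.private.get(key)
        self.last_source = self.private.name
        return value


class FakeClock:
    """Deterministic stand-in for time.monotonic() used by the scenario below."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def run_outage_scenario():
    """Replay an outage and return [(value, source)] for each read."""
    clock = FakeClock()
    public = Backend("public-cloud", {"tank1.level": 71.5})
    private = Backend("private-replica", {"tank1.level": 71.5})
    reader = HybridReader(public, private, retry_after=30.0, clock=clock)

    trace = []
    trace.append((reader.get("tank1.level"), reader.last_source))  # normal: public
    public.healthy = False                                           # outage begins
    trace.append((reader.get("tank1.level"), reader.last_source))  # fails over: private
    clock.advance(10)                                                # 10 s later
    trace.append((reader.get("tank1.level"), reader.last_source))  # still in cool-down
    public.healthy = True                                            # outage ends
    clock.advance(25)                                                # 35 s since failure
    trace.append((reader.get("tank1.level"), reader.last_source))  # re-probe succeeds
    return trace


if __name__ == "__main__":
    for value, source in run_outage_scenario():
        print(f"{value} from {source}")
```

The cool-down is the design choice worth noting: while it runs, the public side is not contacted at all, so a half-recovered service cannot bounce clients back and forth. For writes the same structure needs a reconciliation step once the public side returns, which the paragraph's point about replication cost covers and this example does not attempt.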

For Industrial IoT applications a hybrid cloud approach to redundancy may be useful.  Although low-level process control systems should typically not be dependent on the Internet or cloud services, companies who use the IIoT for process monitoring, data collection, or high-level control applications may find it worthwhile to maintain a hybrid cloud.

Skkynet’s SkkyHub service lends itself particularly well to hybrid cloud solutions.  It is possible, and not very difficult, to run a replica system on an in-house server, using the DataHub. Although the DataHub is different from SkkyHub in some respects, for the primary task of data connectivity the two function in an equivalent way.  Readers interested in trying this out are encouraged to contact Cogent for technical tips to ensure a secure and robust implementation.

Skkynet at Automate Show in Chicago

There will be live demonstrations of DataHub, SkkyHub, and the ETK in two different areas of the Automate show at the McCormick Place in Chicago next week.  The Automate show is one of the largest industrial automation shows in North America, with displays of robotics, vision and motion control, and other cutting-edge technologies that attract automation and control engineers, managers, and researchers from across the world.

A Renesas demo at the Renesas pavilion, Booth #866, is being powered by Skkynet’s SkkyHub service and ETK.  The demo lets show attendees monitor the movement of a Festo linear piston from their mobile phones.  The base-level control of the piston is through a PLC that is connected to a Renesas Synergy S7 chip running on a development board.  The S7 chip has the Skkynet ETK loaded on it, which makes a connection to SkkyHub to provide the data and a user interface. Anyone can call up a URL on their smartphone and then view the data in a seamless connection.

“This demo makes the Industrial IoT come alive,” said Paul Thomas, President of Skkynet.  “Everyone attending the Automate show has probably heard about the IIoT, and now they will have a chance to experience a secure-by-design implementation of it, first-hand.”

The Cogent demo will be shown at the OPC Foundation pavilion, Booth #2265.  We will be demonstrating the latest features of the DataHub, in addition to an integrated solution using Red Lion’s mobile gateway and an embedded demo using Renesas Synergy S7 running Cogent’s beta implementation of OPC UA.  Attendees will be able to control LEDs on the S7 demo board itself, as well as control a bank of lights on the booth.  Additionally, they will be able to see output from the board’s light and motion sensors in their mobile displays.

Backing up the demo with insight, Xavier Mesrobian, Cogent’s VP of Sales and Marketing will be presenting a talk, Share your Data Not your Network, at the Future of Automation Theater on Tuesday afternoon. “Both of our demos at this show rely on our secure-by-design technology,” said Mesrobian, “but few realize how revolutionary it is. When you are talking about security for the IIoT, most people think ‘VPN’. But that’s the wrong technology, by far. We want people to know that there is a better, safer, and more affordable alternative.”

Come and meet us, hear the talk, and see the demos.  Members of the Skkynet and Cogent team will be at the Cogent area in the OPC Foundation pavilion, Booth #2265.  Don’t forget to bring your smartphone!