Security During a Pandemic

Back in March of this year, Newsweek Vantage published a special report on industrial cybersecurity titled Weathering the Perfect Storm.  No sooner had it been released than we were broadsided by the COVID-19 crisis.  In response, Newsweek editor Nigel Holloway sat down to discuss this new challenge with the two main contributors to the article: Eric Cosman, President of the International Society of Automation (ISA), and Steve Mustard, an ISA executive board member.

Their insights on industrial cybersecurity during the pandemic were recorded, and are available on the ISA website.  Here are some of the highlights:

Both Cosman and Mustard agree that you need to prepare for the unexpected, even though it is difficult to imagine what that might be.  Having so many more people working remotely during this pandemic is probably leading to more cyber vulnerabilities.  Adversaries are going to try to exploit these weaknesses, and the quick, easy solution is not always the most secure.  In any case, now is the time to act.

Security – robust yet invisible

Increasing security can add friction, and people often look for creative ways to get around it.  “Convenience is at the other end of the scale to security,” said Mustard.  Cosman suggests: “We need to find ways to make security robust, yet almost invisible… The theme that goes through all of this is to integrate security into your work processes in such a way that is not seen as something that’s added on.”

IT and OT working together?

Another challenge is the difference between IT and OT (Operations Technology) cultures.  Both are running mission critical systems, but while IT thrives on change, OT shuns it. You can’t be updating an industrial system every few hours or playing what-if scenarios on a running production line.  What Mustard and Cosman suggest is to form a team of experts from both IT and OT, the “right people with the right skills and the right experience, who have the right understanding, irrespective of what organization they may come from.”

The right tools

To this we would add: Give these people the right tools.  At the heart of the security issue is providing secure access to OT system data.  Much of the exposure for remote access comes from using IT technologies like VPNs in environments and scenarios they were not created for.  Other risks stem from using industrial protocols not designed for open networks like the Internet.

That’s why we offer data communication tools that are secure by design.  Industrial users should not have to compromise—either on security or convenience.  For our large and growing customer base, frictionless, secure access to their industrial data provided by the DataHub is a normal daily experience.  Their plants and production lines are linked in real time, they monitor their systems securely from remote locations, and they can send control commands as needed.  When the COVID-19 pandemic hit, they simply kept on working, keeping their staff safe and their mission-critical processes secure.

A New Normal for Manufacturing?

The industrialized world is still reeling from the impact of the COVID-19 pandemic, and it may not be going away any time soon. We may not like it, but we are learning how to live with it. And some of us are looking ahead to see what the long-term impacts might be. Is the future darker or brighter?

IndustryWeek magazine recently published an article by Artem Kroupenev, Vice President of Strategy at Augury, who asks the question: What Will Manufacturing’s New Normal Be After COVID-19? The answer, he opines, involves healthy doses of automation, digitization, and remote access.

He notes that many companies saw supply chains break and raw material stocks dry up as countries closed borders. Those relying on just-in-time production were hit especially hard. In the same way, whole countries experienced shortages of manufactured goods that could not be imported.

To protect against future disruptions, Kroupenev predicts a revival in domestic manufacturing, and a decoupling of supply chains. But things will be different from 20 or 30 years ago. There will be a strong push, he says, towards automation in the new domestic industries, and companies will rely far more on digitization to manage supply chains.

A Key to Success

A vital key to success in this new reality will be data, and the ability to send and receive it securely across the Internet. “For manufacturing, greater connectivity will mean significantly accelerated deployment of Industrial IoT, including sensing, data visualization, remote collaboration tools and AI-based insights across their operations,” Kroupenev said. “Control-tower view of data and insights across the whole operation will become a standard component of running a manufacturing organization.”

Even before the pandemic, early adopters of digitization had gained an average 7% revenue growth advantage, according to a McKinsey report cited in the article. They have been able to increase efficiency through better supply chain integration, more effective operations, and more flexible maintenance programs. They have made the transition to remote access more smoothly. Companies that do not adopt this new normal will suffer, says Kroupenev, and may eventually fail.

Embracing the new normal does not need to be difficult. Skkynet’s software and services work equally well with legacy systems as new installations. There is no reason to take risks. Something as simple as making a standard-protocol connection to a secure, proven technology can transport a company into a safer, more reliable world.

Manufacturers Go Digital to Stay Safe

There’s a war on―a new kind of war.  The enemy is sneaky but deadly, taking thousands of casualties.  A new breed of soldier fights for us, on the hospital ward front lines, equipped with specialized weapons and armor.  Every country is on high alert, fighting this war together.  And, as in many other wars, manufacturers are deeply involved.

A recent survey conducted by ARC Advisory Group and Automation.com asked over 100 manufacturers large and small around the world what’s happening with them right now, and what they are doing or should have done to prepare for this pandemic.  The results show a wide range of responses, with a common theme―do what it takes to stay safe.

Some firms have had to decrease production and lay off workers.  Others, with the ability to do so, are moving production to locations less impacted by the virus.  Quite a few companies have gone on the offense, switching production to high-demand items.  Car makers are turning out ventilation equipment.  Distilleries are providing alcohol for hand sanitizers.  Some fashion and textile companies are focusing on personal protective gear. The pharmaceutical industry has ramped up production of test kits and other medical supplies. And of course, producers of disinfectants and paper products are working overtime.

Employees Need to Stay Safe

Almost all companies are also on the defense, trying to stay safe: protecting employees who must remain on-site with distancing and physical barriers, installing robots where possible, and speeding up digital transformation programs to allow people to work remotely.

“We learned that some manufacturers wish they had put more thought and effort into digital transformation prior to the COVID-19 pandemic,” the report said. “But many of these companies have since adapted and are now adding new digital technologies and digitally enabled solutions as opportunities arise.”

What kinds of technologies?  They are using artificial intelligence (AI) software to gather real-time production data to calculate risk for what-if scenarios and market fluctuations.  They employ optimization software linked to online processes for in-plant predictive maintenance and off-site supply chain management.  They are connecting OT staff to production data for remote monitoring, and IT staff to analytical tools. All of these technologies rely on secure, real-time connectivity to process data, which Skkynet provides.

The current situation for most companies is in flux.  In-house changes happen daily, while product demand and supply chains are also variable.  At the time of the survey many companies were still preparing for the pandemic, or were operating with reduced staff, shortages, and lack of market data. Among employees, for over 80% of respondents, the three main changes were new sanitation policies, social distancing, and working remotely.

Based on this survey, the ARC Advisory Group recommends increasing adoption of digital technology.  This will allow companies to provide their staff with the abilities to stay safe by working and collaborating remotely, monitoring production systems through digital dashboards.  Along with this recommendation comes moving data and applications to the cloud, as well as improved IT capabilities and cybersecurity. Most companies surveyed were either grateful to be on the path to digital transformation, or making it a top priority to be there.

Working Remotely to Stop Coronavirus

Companies using Skkynet software and services expect high security for their data communications. They know they can stop computer viruses by keeping all inbound firewall ports closed. Now, with the coronavirus looming large we must do pretty much the same thing in real life. We need to keep our distance and stay behind physical walls as much as possible. And yet work must go on. The data must get through. We need to work remotely, if possible.

The problem is, logging in remotely can be risky.  Typically, you need to expose your servers via the web or a VPN―and that’s a risk that our industrial control customers cannot take.  They need tighter security, to access their process data without exposing the process servers and networks.  Skkynet’s unique tunnelling technology provides this kind of secure access.  It lets users securely push data from their plants to our SkkyHub service, where they can access it in real time, all without opening firewalls to the outside world.

A Helping Hand

We are now offering this service at no cost to help our customers weather the coronavirus storm. For the next three months any DataHub user can connect to SkkyHub free of charge. A simple tunnel connection provides a way to access data remotely, even through DMZs and proxies. The SkkyHub service includes a web-based interface, SkkyHub WebView, that lets people build dashboards to access their data and interact with their systems from home. Those who are new to WebView can quickly get up to speed, designing pages through its web interface.  With SkkyHub, users can view and operate their control systems remotely as quickly and easily as being right in the control room.

Let’s face it. These are not easy times. Some factories have been forced to shut down, and restarting will be difficult, as Matthew Littlefield at LNS Research explains in this blog, Closing Factories is Hard, Re-Opening will be Harder. Remote access can alleviate these problems to some degree, but it must be reliable and above all, secure.

In another blog, Coronavirus Lessons for Industrial Cybersecurity: Quarantines, Sid Snitkin at ARC Advisory Group compares quarantines for coronavirus to securing industrial systems, and suggests, “Use DMZs, firewalls, zero-trust access control, anti-malware software, awareness training, and security hygiene to reduce the likelihood of an initial compromise.” He also recommends system segmentation to limit lateral movement of viruses, continuous device and system monitoring, and strengthening tools to prevent future attacks.

Doesn’t that sound a little like social distancing, washing hands, not travelling, and keeping our immune systems strong? The social structures we have developed throughout history and the technical systems we have built recently are not as different as we might imagine. They both can serve us well, but we need to protect them and keep them, like ourselves, in good health.

US Gas Pipeline Ransomware Shutdown – A Ready Solution

An entire US gas pipeline was shut down for two days due to a ransomware attack, according to a recent report from the US Cybersecurity and Infrastructure Security Agency (CISA). The hackers sent a spear-phishing email to someone on the IT network, and the attack then crossed over into the OT network and infected HMIs, data historians, and polling servers on the process control system. Although only one facility was hit, management shut down the whole pipeline for two days, resulting in loss of productivity and revenue to the pipeline, as well as to upstream production systems and downstream distribution networks.

This need not have happened. There is a simple remedy―isolate the OT network. They could have used Skkynet software on a DMZ to keep their firewalls closed and their gas pipeline system secure.

Using a DMZ

The first technical recommendation in the CISA report is to segment networks using a DMZ: “Implement and ensure robust Network Segmentation between IT and OT networks to limit the ability of adversaries to pivot to the OT network even if the IT network is compromised. Define a demilitarized zone (DMZ) that eliminates unregulated communication between the IT and OT networks.”

The easiest and most cost-effective way to pass production data securely through a DMZ is using DataHub tunnelling. Because it is secure by design, DataHub tunnelling can provide bidirectional data flow with no open inbound firewall ports, and no VPNs. The key is to access the data, not the network. This technology has been deployed in mission-critical systems worldwide for over 20 years, and was implemented recently in the TANAP project in which DataHub software was used to securely transmit process data from an 1800 km pipeline into a central control system through closed firewall ports.

Secure OT Assets

The second technical requirement recommended by CISA is to secure OT assets as much as possible.  The report said, “Organize OT assets into logical zones by taking into account criticality, consequence, and operational necessity. Define acceptable communication conduits between the zones and deploy security controls to Filter Network Traffic and monitor communications between zones. Prohibit Industrial Control System (ICS) protocols from traversing the IT network.”

Again, DataHub tunnelling is a ready, off-the-shelf conduit for making the necessary connections.  It provides secure, bidirectional real-time data mirroring between logical zones of OT assets, and from OT to IT. Data traverses the tunnel using the DHTP protocol, and can be converted to or from industrial protocols at either end.
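The two CISA recommendations quoted above can be checked against observed traffic. The following is an added example, not code from CISA, Skkynet, or the original article: it audits flow records against a zone-and-conduit policy in which IT and OT hosts may only initiate connections to the DMZ. The addressing plan, the conduit set, the sample flows, and the short list of well-known ICS ports are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed addressing plan: one /24 per zone (constructed for this example).
ZONES = {"10.10.1": "IT", "10.20.1": "DMZ", "10.30.1": "OT"}

# Illustrative subset of well-known ICS protocol ports.
ICS_PORTS = {102: "S7comm", 502: "Modbus/TCP", 4840: "OPC UA",
             20000: "DNP3", 44818: "EtherNet/IP"}

# Assumed conduits as (initiating zone, destination zone). Both sides connect
# outbound to the DMZ, so nothing needs an open inbound port into IT or OT.
CONDUITS = {("OT", "DMZ"), ("IT", "DMZ")}

@dataclass(frozen=True)
class Flow:
    src: str    # initiator address
    dst: str    # responder address
    dport: int  # destination port

def zone_of(ip: str) -> str:
    """Map an address to its zone by /24 prefix; anything else is UNKNOWN."""
    return ZONES.get(ip.rsplit(".", 1)[0], "UNKNOWN")

def audit(flow: Flow) -> list[str]:
    """Return policy findings for one flow; an empty list means compliant."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    findings = []
    if "UNKNOWN" in (s, d):
        findings.append("unzoned-endpoint")
    elif s != d and (s, d) not in CONDUITS:
        if {s, d} == {"IT", "OT"}:
            findings.append("direct-IT-OT")     # bypasses the DMZ entirely
        else:
            findings.append(f"inbound-to-{d}")  # DMZ initiating into a zone
    if flow.dport in ICS_PORTS and "IT" in (s, d):
        findings.append(f"ics-protocol-on-IT:{ICS_PORTS[flow.dport]}")
    return findings

def audit_all(flows: list[Flow]) -> dict[Flow, list[str]]:
    """Audit every flow and keep only the ones with findings."""
    return {f: r for f in flows if (r := audit(f))}

# Constructed sample flow records, not captured traffic.
SAMPLE_FLOWS = [
    Flow("10.30.1.5", "10.20.1.10", 443),   # OT -> DMZ, allowed conduit
    Flow("10.10.1.7", "10.20.1.10", 443),   # IT -> DMZ, allowed conduit
    Flow("10.30.1.5", "10.30.1.6", 502),    # Modbus inside OT, allowed
    Flow("10.10.1.7", "10.30.1.5", 502),    # IT -> OT Modbus
    Flow("10.20.1.10", "10.30.1.5", 4840),  # DMZ initiating into OT
    Flow("10.10.1.7", "10.10.1.8", 44818),  # ICS protocol inside IT
    Flow("203.0.113.9", "10.30.1.5", 3389), # endpoint outside any zone
]

if __name__ == "__main__":
    for flow, findings in audit_all(SAMPLE_FLOWS).items():
        print(flow, findings)
```

In practice the flow records would come from firewall or NetFlow logs, and the zone map from the site's asset inventory.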

Of course, the most secure system relies on sound planning and operational strategies in addition to strong technical and architectural solutions. The choice of software is one element of a larger picture. But in this case, simply using Skkynet IoT software would have prevented this gas pipeline shutdown altogether.

Digital Twins Thrive on Data Integration

Digital twins. The term was coined only ten years ago, but the concept is rapidly becoming a must-have in the manufacturing sector. Last year a Gartner poll found that 62 percent of respondents expect to be using digital twin technology by the end of this year, although only 13 percent of them were actually using it at the time. A key factor in this sudden interest is that “digital twins are delivering business value and have become part of enterprise IoT and digital strategies.”

What exactly are digital twins, and why are they getting so much attention lately? A digital twin is made up of three basic components: a physical system, a virtual representation of it, and the data that flows between them. The physical system could be an individual device, a complex machine, a whole production line, or even an entire factory. The virtual representation can be as complex as necessary to represent the system. The data connection keeps the virtual twin as closely in sync as possible with the physical twin, often tracking and updating changes in real time.

The Value and Challenge of Data Integration

A digital twin operating in isolation is useful, but the real rewards come through making connections. Data integration between multiple sub-components of a digital twin, or between multiple digital twins, is key when advancing beyond simple pilot projects. “The ability to integrate digital twins with each other will be a differentiating factor in the future, as physical assets and equipment evolve,” says the Gartner report.

There are at least three types of relationships:

  • Hierarchical, in which digital twins can be grouped together into increasingly complex assemblies, such as when the digital twins for several pieces of equipment are grouped into a larger digital twin for a whole production line.
  • Associational, where a virtual twin for one system is connected to a virtual twin in another system, in the same way that their physical counterparts are interrelated, such as wind turbines connected to a power grid.
  • Peer-to-peer, for similar or identical equipment or systems working together, like the engines of a jet airplane.

Making these connections is not always easy. A recent publication from the Industrial Internet Consortium (IIC), titled A Short Introduction to Digital Twins, puts it this way: “Since the information comes from different sources, at different points in time and in different formats, establishing such relations in an automatic way is one of the major challenges in designing digital twins.”

The IIC article briefly discusses some of the technical aspects of this kind of integration, such as:

  • Connectivity, the necessary first step for data integration.
  • Information synchronization keeps a virtual twin in sync with its physical twin, and among multiple connected twins, maintaining a history and/or real-time status, as required.
  • APIs allow digital twins to interact with other components of a system, and possibly with other digital twins as well.
  • Deployment between the edge and the cloud pushes data beyond the OT (Operations Technology) domain to the IT domain, that is, from the physical twin to the virtual twin.
  • Interoperability between systems from different vendors may be necessary to gain a more complete picture of the total system functionality.

Another useful resource, Digital Twin Demystified from ARC Advisory Group, identifies data connectivity, collection, tracking volume & fidelity, and ensuring the quality of real-time data as being “key challenges associated with using real-time and operational data” in digital twins.

A Good Fit

Skkynet’s software and services are well-positioned to provide the kind of data integration that digital twins require. Most data on an industrial system is available to an OPC client like the DataHub, which ensures robust connectivity. Virtually any other connection to or between digital twins, such as from legacy hardware or custom software, is possible using the DataHub’s open APIs.

Real-time data mirroring between DataHubs can handle the synchronization needed for tight correlation between the physical and virtual systems. The secure-by-design architecture of DHTP provides a proven way to connect twins across insecure networks or the Internet, even through a DMZ, to ensure the highest level of security for both the physical twin on the OT side and the virtual twin on the IT side.

By supporting the most popular industrial communications protocols, and through secure, real-time data mirroring, Skkynet software and services are often used to build fully integrated systems out of components from different vendors. A recent example of this is in the TANAP project in which DataHub software was used to integrate OPC A&E (Alarm and Event) data from ABB systems with other suppliers, effectively creating a virtual digital twin of the entire 1800 km pipeline.

Digital twinning can be seen as one aspect of the whole area of digital transformation in industry. As companies move towards digitizing their operations, the ability to create a virtual twin of each component, machine, production line, or plant, and connecting that twin to their IT systems will put better control of production into the hands of managers and executives, leading to greater efficiencies. The success of this undertaking, at every step of the way, depends on secure data integration among the digital twins.