The Kaspersky Report: It’s Not Really About OPC UA

Automation.com, a leading online publisher of automation-related content, recently ran a commentary on a new report from Kaspersky Labs about OPC UA. The Kaspersky report identified 17 critical security flaws in OPC UA software. But although the Kaspersky methodology may be sound, the commentary in Automation.com suggested caution in drawing conclusions.

It turns out that the flaws noted by Kaspersky arise simply because an OPC UA server must listen for connections on a network, just like any other server on a TCP/IP network. The real problem is deeper, according to the commentary. Put simply, the standard approach to industrial data communications is not suitable for untrusted networks like the Internet. A better solution is not to allow any inbound connections at all.

Pairing OPC UA with a Good IIoT Protocol

Automation.com, a leading online publisher of automation-related content, recently ran an article on the value of pairing OPC UA with a good IIoT protocol like DHTP. The article discusses how OPC UA was initially expected to serve as an IIoT protocol, but more recently the trend seems to be towards using OPC UA at the plant level only. Other protocols, such as MQTT and AMQP, are being offered as candidates for connecting outside the plant, but they are not ideally suited to IIoT. This article explains why, and introduces 9 criteria for good IIoT data communication.

Red Lion adds new platforms for cellular RTUs that further IIoT connectivity

Red Lion Controls, a global expert in communication, monitoring, and control for industrial automation and networking, announced that its RAM industrial routers and cellular RTUs now support the Microsoft Azure, Cumulocity, and Nokia IMPACT IIoT platforms.

This follows the recent announcement that Red Lion’s RAM products now support the MQ Telemetry Transport (MQTT) protocol. With these additional platforms, Red Lion RAM products offer the largest number of platform integrations on the market, giving industrial customers greater flexibility to quickly connect to their choice of leading IIoT cloud platforms.

In addition to those announced, RAMQTT, Red Lion’s embedded MQTT client, simplifies implementations with pre-configured profiles for AT&T M2X, Amazon AWS IoT, AutoDesk Fusion Connect and Telenor Connexion. Customers connect using a simple drop-down menu to select their cloud platform of choice. Also, using the RAM Software Development Kit (SDK), connectivity can be enabled with additional platforms, including LEC IQ Web SCADA, Set-Point IPwebcontrol, Skkynet SkkyHub, and Telit deviceWISE.

Secure by Design for IIoT

Securing the Industrial IoT is a big design challenge, but one that must be met. Although the original builders of industrial systems did not anticipate a need for Internet connectivity, companies now see the value of connecting to their plants, pipelines, and remote devices, often over the Internet. The looming question: How to maintain a high level of security for a mission-critical system while allowing remote access to the data?

As you can imagine, the answer is not simple. What’s called for is a totally new approach, one that is secure by design. This blog entry, published on the ARC Advisory’s Industrial IoT/Industrie 4.0 Viewpoints blog, gives an overview of why standard industrial system architecture is not adequate to ensure the security of plant data on the Internet, and introduces the two main considerations that must go into creating a more secure design.

Will this be the year that your enterprise makes the IIoT leap?

For the second January in a row, we’re using this lead issue to look ahead at the industry conversations likely to follow over the next 11 months. Like last year, there’s still no bigger buzz than the impact that digital transformation and the industrial internet is having both on work and on the people who do work.

I’m writing this note on the 10-year anniversary of the launch of the iPhone, which marks a genuine milestone in the history of both internet-enabled communications and mobile computing. As the iPhone evolved and the iPad emerged, savvier organizations and IT workers caught on early to the opportunities available to digitize operations. For example, a close friend who works in commercial real estate directed his teams early on to rethink his organization’s processes as each new Apple device launched, reducing business friction in the field and moving toward nearly paperless operations.

Many other contributors this month round out the digital conversation:

  • IFS CTO Dan Matthews identifies three myths that cause organizations to hesitate on IoT projects.
  • Skkynet’s Bob McIlvride examines how to combine in-house skills with outside expertise to build systems that enable deeper data-driven insights into your assets.
  • Bruce Hawkins and Scott Bruni review the foundational IIoT steps that plant teams can take, noting that roughly 60% of the instrumentation needed for critical assets often already exists.
  • Tech Toolbox’s Sheila Kennedy surveys the network security solutions landscape in an age of IT-OT convergence.
  • Jeff Shiver of People and Processes outlines six steps that can improve the speed and quality of cultural change in your organization.

Finally, in her Big Picture Interview, Bentley Systems’ Anne-Marie Walters looks ahead to the role that 3D modeling will play in the internet-enabled asset management landscape.

IIoT: Choose the right tools for the job

Note: This article was originally published in Plant Services magazine.

The American poet Carl Sandburg wrote, “They will go far and see much, and they will never be any good for sitting with the sitters and knitting with the knitters.” As true today as it was almost 100 years ago, those who sit tight and stick to their knitting rarely accomplish much. Right now in the world of manufacturing and industry, a new horizon is opening up: the industrial internet of things (IIoT). Are you curious? Do you want to go far and see how much you can do with it, or will you just sit back and knit?

Even from a distance, the benefits of the IIoT are visible. Plant Services contributing editor Sheila Kennedy highlighted many of them in August in her article “Yes, IIoT can drive operational improvements.” Put briefly, the IIoT offers a number of ways to optimize your system performance by providing data-driven insights into your processes. Among other things, you can see how well your assets are performing, implement predictive maintenance, simplify logistics, coordinate procurement, and drive down resource costs.

OK, you may say, that all sounds fine. Suppose I am interested. How will it work? Can the IIoT fit with my current system? How much will all of this cost? What about security? And supposing I do want to build IIoT connectivity and capabilities in my plant, how should I get started? Should our company try this on our own, or should we seek expert outside guidance or assistance?

Who builds it?

Taking the last question first, building your own system from scratch may not be the best way, according to those who have tried it. A recent Machina Research survey, “Lessons Learned from Early Adopters of the IoT,” shows that most early adopters in the IoT space who took a do-it-yourself approach found the task to be more complicated to implement than they had expected. “When asked about primary concerns around IoT, adopters have some insight that nonadopters just don’t yet have,” the report’s authors wrote. “Adopters point to ‘complexity of the IoT solution’ as the largest concern around IoT, a concern that nonadopters have yet to consider fully.”

On the other hand, if you do decide to bring in an expert, you’ll have to decide who is most qualified for the job. In her blog post “The IIoT Integrators Are Coming”, Stephanie Neil at AutomationWorld claims that control system integrators are not gearing up for the IIoT quickly enough and that SIs from the IT world are stepping in to fill the gap. They are more than happy to bring their experience implementing IoT for IT applications to the OT world. Naturally, some OT system integrators see things quite differently. They point out that it is easier for an OT company to add IoT to its portfolio than for an IoT company operating in the IT space to learn industrial process control. Jeff Miller of Avid Solutions wrote a blog post titled “We Are Ready for IIoT” to make the case that control system integrators are gearing up for the task.

The right tools for the job

Whomever you choose, an in-house team or a system integrator, you can save a lot of time and money by not reinventing the wheel. You can benefit by using tools, and you’ll want to choose the right ones. Because the IIoT looks a lot like SCADA, some may be tempted to continue using the same tools. This can be a mistake, though, because industrial data communications software was not built for the open spaces of the Internet.

Take security, for example. The IIoT presents security challenges that industrial system designers never contemplated. First, there is the obvious need to eliminate the chance of attack from outside the perimeter. But there’s also a need to protect the system and its data from inside as well. Using designed-for-IT approaches like Microsoft’s RDP or a VPN may seem like the logical choice, but Microsoft Developer Clemens Vasters raises valid concerns in a paper titled “Internet of Things: Is VPN a False Friend?” Useful as they are for the purposes for which they were designed, RDPs and VPNs give each user the keys to the kingdom – access to applications and data far beyond what they might need or what you might want them to see. The 2014 attack on Target via a VPN shows how dangerous and costly that can be.

What is needed is a secure-by-design technology that does not rely on a VPN and keeps all firewall ports closed. This can be done by making outbound-only connections to a secure cloud service. This design exposes zero attack surface and makes your system invisible to hackers. At the same time, it allows for bidirectional data communication through reverse proxies, which corporate IT departments are increasingly recommending as a standard for ensuring the security of OT systems. Needless to say, developing this kind of technology from scratch is not a project for your average plant engineering team. Instead, you can get the most out of your team and keep costs down by using a tool designed for the job.

The tool you choose should also support real-time data throughput speeds at scant milliseconds above network or Internet latencies. Ad-hoc approaches like collecting process data in an SQL database and then accessing it from the cloud will slow down your applications like a sloth at the DMV in “Zootopia.” You won’t get the response you need. Just because you may be using the Internet is no reason to compromise on speed.

And the tool should be convenient. It should fit unobtrusively and connect seamlessly with any new or existing system, with no need for programming and no dependencies. If the outside network or the Internet goes down, your primary control system should experience no effect whatsoever. The IIoT should be considered as data access or at most supervisory control. All low-level control should be completely isolated.
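The outbound-only, bidirectional design described in the two passages above, as an added Python example that is not code from the original article or from any product it mentions. The relay is a constructed in-process stand-in for the cloud service, and the tag names and allow-list are assumed: the plant side opens no listening socket, dials out, pushes readings and accepts only allow-listed supervisory commands back over that same connection, returning cleanly if the network is down so the local control loop is unaffected.

```python
import json
import socket
import threading

# Constructed allow-list: the plant accepts supervisory setpoints and alarm
# acknowledgements from outside, never low-level control tags.
ALLOWED_TAGS = {"pump1.setpoint", "alarm.ack"}

def start_fake_relay():
    """Constructed in-process stand-in for the cloud service. It holds the
    only listening socket; the plant agent below never listens. Returns port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn, conn.makefile("rw") as f:
            for line in f:  # one reading per line, pushed by the plant
                r = json.loads(line)
                # Reply on the same plant-initiated connection: a legitimate
                # setpoint for a high level, otherwise a tag the plant must refuse.
                if r["tag"] == "tank1.level" and r["value"] > 80:
                    cmd = {"tag": "pump1.setpoint", "value": 0}
                else:
                    cmd = {"tag": "valve3.force_open", "value": 1}
                f.write(json.dumps(cmd) + "\n")
                f.flush()
    threading.Thread(target=serve, daemon=True).start()
    return port

def run_agent(relay_port, readings, timeout=2.0):
    """Plant-side agent: dials out, pushes readings, reads commands back on the
    same connection. Returns (accepted, rejected); any network failure yields
    ([], 0) so the local control loop that calls this is never broken by it."""
    accepted, rejected = [], 0
    try:
        with socket.create_connection(("127.0.0.1", relay_port), timeout) as s:
            with s.makefile("rw") as f:
                for r in readings:
                    f.write(json.dumps(r) + "\n")
                    f.flush()
                    cmd = json.loads(f.readline())
                    if cmd["tag"] in ALLOWED_TAGS:
                        accepted.append(cmd)
                    else:
                        rejected += 1
    except OSError:
        return [], 0
    return accepted, rejected
```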

Start gradually

With the IIoT team assembled and tools in hand, start gradually. There is no need to tackle a huge project. Pick the low-hanging fruit. Kennedy suggests identifying functionality that is already close to the IIoT and using components that are easy to access. You may be able to connect sensors, monitors, or other devices in different locations and aggregate their data or even bridge their data sets.

A well-designed, cloud-based IIoT system does not require much upfront investment in time or money. As long as you work with a provider who offers a monthly subscription, you should be able to start a pilot project for as little as $100 per month. And if the service is reasonably complete, it should only take a few days to get up and running. Of course, you’ll need to ensure that such a system meets your specific needs, whether that means offering data archiving options, web-based HMI, access to analytics packages, or something else.

The adage “well begun is half done” applies here. If you work with a good team, choose the right tools, and start with something manageable, chances are you will succeed. Once you’ve got some initial experience, the next project can be more elaborate and ambitious, and the one after that even more so. Soon you will be going far and seeing for yourself what the IIoT can do for you and your bottom line.