Tag Archive for: Design

Posts

Integrating Cybersecurity into System Design

/by

Would you build a highway up a steep mountain and then wait for cars to start falling off before installing guardrails?  That’s often how cybersecurity gets added to products and services—as an afterthought—according to a recent article in Harvard Business Review titled Cybersecurity Needs to Be Part of Your Product’s Design from the Start.

The article says that security must be intrinsically designed into new products, services, and business activities, rather than added on.  If not, those who attempt to secure the service or product later on may not fully understand how it works, leaving potential gaps that hackers can exploit.

A changing role

Like civil engineers who anticipate the risks of winding mountain roads, product and system designers need to be more proactive in their approach.  The role of cybersecurity has to change, according to the article.  It says, “To be successful, companies must ensure that their products, services, and business operations are proactively resilient to cyber attacks by changing the role of cybersecurity in digital innovation.”

Cybersecurity should become an intimate part of the innovation process.  It must be integrated into the design of each component as it is being built, as well as when these components are assembled into larger systems.  This expanded role calls for deep collaboration between design and security teams.  Designers need to share details for how the product or service is built and will function, while security experts must provide guidance on how to implement best practices at each step.

Skkynet’s approach

Product design at Skkynet has been following this model for decades.  Fully aware of the high risk of transporting mission-critical production data across insecure networks, our design and security teams collaborate continually in the development of Cogent DataHub software. For years our DHTP (DataHub Transport Protocol) has provided a solid cornerstone for secure OT/IT networking, giving access to production data without exposing the networks.

With the DataHub software as a basic component, and following our documented recommendations, process control engineers and system integrators are ready to design security into their system architectures, and implement it as they build them.  When new requirements come up, such as a need to isolate OT and IT networks using a DMZ, they are fully equipped—even able to surpass the security capabilities of major industrial protocols like OPC and MQTT.

There’s no chance of forgetting the guardrails on this highway.  They come pre-installed with each meter of pavement.  Skkynet’s tools are secure by design so that our customers can build security into their systems from start to finish.

Security by Design

/by

“Security by Design is strongly needed to reduce risk,” said Maximillian G. Koń, CEO at WisePlant, in a recent article in Advancing Automation: Industrial Cybersecurity. He tells how so many industrial automation and control systems were created decades ago, long before the idea of sending plant data to IT or the cloud was ever dreamed of. He says that security weaknesses were generated “during system design, engineering, construction, installation, commissioning, operation, maintenance, and retirement.” And he warns that security must be inherent in the system, not simply added as an afterthought.

Wake-Up Call

To illustrate his point, Koń tells the story of the S.S. Eastland, a passenger ship that sailed the Great Lakes at the beginning of the last century. The ship was not well-designed to start with, having problems with stability. After the sinking of the Titanic, new safety regulations required installing enough lifeboats on any ship to hold all the passengers it was rated for. The owner of the S.S. Eastland complied, and soon the vessel had a full set of new lifeboats, mounted above the upper decks.

However, the ship was not designed for this additional weight so high above the center of gravity. One tragic day as several thousand people were boarding for a pleasure cruise, the Eastland began listing heavily, and then suddenly rolled over and sank, right next to the pier, in 20 feet of water. Over 800 people were lost.

To avoid such tragedies in the industrial realm, Koń lays out an Industrial Cybersecurity Program that follows a security by design approach in three phases: Assess, Implement, and Maintain. When discussing the Implement phase, Koń talks about “bolt-on security vs. built-in security.” He says that existing systems must use bolt-on security, while new systems can be designed with built-in security. Although this principle makes sense, it begs the question: Why should existing systems have to settle for bolt-on security?

A New Approach

Most traditional technologies do require bolt-on security. But a new approach to data communication, Skkynet’s DHTP protocol, supports software and services that are secure by design and ideal for Industrial IoT and IT-to-OT applications. This security-by-design implementation works equally well for new or existing systems, providing the best of both worlds. Rather than adding security to an existing system, it connects that system to a complete, stand-alone, secure-by-design IoT implementation.  It’s almost like enveloping a ship in some kind of new, sink-proof technology, rather than simply adding lifeboats.

With Skkynet’s technology, the enterprise can keep its legacy equipment and SCADA systems as long as needed, and yet provide secure access to live production data for authorized parties―on-premise or in the cloud. Whenever new hardware is acquired, it can be phased in as necessary, with no disruption to data links between shop floor and top floor.

The important thing is the principle: Security by Design. Security is not something that can be bolted on at the end. It needs to be an integral, built-in part of the design of hardware, software, and industrial control systems. Let’s take to heart the lesson of the S.S. Eastland, and keep our systems on an even keel. With the right technology and approach, Industrial IoT and IT-to-OT data communication can be as secure as the air-gapped systems of yesteryear.

Considering Prefab

/by

An uncle of mine was an entrepreneur and quite a do-it-yourselfer.  His main businesses included a restaurant and a propane gas distributorship, but he was a real hands-on kind of guy, and spent a few summers building a cottage on Seneca Lake in Upstate New York.  It was an ongoing project, always in a state of “finishing.”

The first stage, a small one-story, was mostly done, with panelled living room and functional kitchen, although some of the bedrooms in the back were unfinished—partially drywalled with exposed plumbing and electrical.  The next stage was planned as a large two-car garage to be capped by a second story master bedroom and office with large glass doors and picture windows overlooking the lake.

That was the plan, anyway.  The reality was that his various businesses and other interests intervened.  For the several summers that my brother and I worked with and for him, the garage was his workshop, while progress on the second story proceeded in fits and starts.  A year or two after I’d moved away from the area, it was a heartbreak to find out that the cottage had caught fire and burned to the ground,  due to a short-circuit in the wiring.  Nothing useful was left but the original concrete slab.

I never got to see that cottage completed.  But my uncle was not deterred.  He rebuilt, prefab.  In a few weeks he had a very nice two-story cottage, with a two car garage and great views of the lake from picture windows on both stories.  Rather than wasting his time framing rooms, running wiring, joining pipes and hanging sheetrock, he was out on the water sailing, or cooking up a barbeque with his cousins and family.

The lesson for me?  Sure, maybe you can do it all yourself.  But should you?  It could take more time than you expect, and the results may not be what you were hoping for.  Sometimes it’s best to leave the tedious, difficult, and specialized work to the experts, and focus on what brings the most value, or the most fun.

As we explained in a recent article published in Automation.com, this is the principle behind working with Skkynet’s ETK, and its OPC UA framework, rather than a software development kit (SDK).  Using an SDK can take an expert programmer 12 to 18 months to build an OPC UA server.  Meanwhile, a developer who uses the ETK gets a pre-built OPC UA server, and can focus on his or her applications.

Some people, like my uncle, seem to enjoy doing it themselves.  They rise to the challenge, and given enough time they can succeed.  And then there’s the prefab option: buy, install, and run.  The grunt work is done.  Drop your hammer and rig the sailboat.  That’s the benefit of the ETK’s OPC UA framework—the difficult and boring work is done, so the developer can focus on what he or she knows and does best.

Developing DHTP, the Ideal Protocol for IIoT

/by

Ever since the concept of the Industrial IoT (IIoT) became popular, people have been trying to find the ideal protocol for it.  After all, IIoT is something new.  As the “Internet of Things,” it clearly involves data travelling across the Internet.  But because it is also “Industrial”, it requires more than the common Internet protocols like FTP or HTTP to do the job.  The best choice for an IIoT protocol is one that has been designed from the ground up to fulfill both industrial and Internet requirements.

Here at Skkynet we use such a protocol every day—DHTP (DataHub Transfer Protocol).  From its inception over 20 years ago, DataHub technology involved connecting disparate systems in real time over a network and the Internet.  It all started back in the ’90s with a product called Cascade Connect that exchanged data between programs running on a QNX real-time operating system, and the InTouch HMI running in Windows.  Cascade Connect used two connectors, precursors of DataHub, one running in QNX and the other in Windows.  Each of these connected to programs running on their respective operating systems using standard industrial protocols, and they also connected to each other using TCP over a network.  The protocol they used to connect over TCP way back then has evolved into what we now call DHTP.

An Open Protocol

DHTP was made open from the start, with a published Cogent API.  Each subsequent Cogent product, such as Cascade DataHub, the Gamma scripting language, Cascade Historian, and so on were accessible through the Cogent API.  As the DataHub product evolved to become the OPC DataHub and then the Cogent DataHub, more commands were added, and the API was made available in Windows.  Today DHTP consists of the DataHub API and DataHub Command Set.

Meeting the Needs

Each step of this evolutionary process took place within an industrial context, in response to the needs of specific projects.  As our customers demanded more robust and secure data communication over TCP, we improved DHTP capabilities by adding SSL and other features.  Nowhere is that more obvious than the success of the Cogent DataHub for OPC tunnelling applications.  The DataHub DA Tunneller and DataHub UA Tunneller are unrivalled for their ability to connect OPC servers and clients across a network or the Internet.

Cloud and Embedded

As one of the first companies to recognize the value of industrial communications via the cloud, Skkynet enhanced DHTP with WebSocket capability for DataHub-to-SkkyHub connectivity.  DHTP’s unique, patented ability to support secure, outbound connections from industrial systems for bidirectional communication without opening any firewall ports is key to Skkynet’s secure-by-design architecture.  The introduction of the ETK for embedded systems a few years later completed the picture. DHTP is now the standard protocol used by DataHub, SkkyHub, and the ETK, the three core components of Skkynet’s IIoT products and services.

In our next blog we will explain in more detail why DHTP is the ideal protocol for the IIoT.  We will provide an overview of the criteria for effective IIoT data communications, and show how DHTP meets all of them.  As you learn more about DHTP, keep in mind that its success as an IIoT protocol is due to how it was developed—in the challenging environment where industrial and Internet communications meet.

Cyber Security: Over 90% of IIoT Experts Express Concerns

/by

Respondents to the 2017 Industrial Internet of Things Security Survey by Tripwire paint a pretty bleak picture of cyber security for the Industrial IoT (IIoT).  Among the more than 400 IT professionals responsible for securing their companies against IIoT-related threats, 96% said they expect to see an increase in cyber attacks in the coming year.  At the same time, less than 50% of them feel prepared for those attacks.

This is cause for concern, according to David Meltzer, chief technology officer at Tripwire, who said, Industry professionals know that the Industrial Internet of Things security is a problem today. More than half of the respondents said they don’t feel prepared to detect and stop cyber attacks against IIoT.

At the same time, 90% of these same IIoT experts expect the use of IIoT to increase.  They acknowledge that innovation must go forward, and that the benefits of the IIoT outweigh the costs.  Two out of three of them recognize the need to protect against cyber attacks, despite the fact that less than half of them feel prepared for attacks on insecure IIoT devices.

The Industrial Internet of Things ultimately delivers value to organizations, and that’s why we’re seeing an increase in deployments, said Meltzer.  Security can’t be an industry of ‘no’ in the face of innovation, and businesses can’t be effective without addressing risks. The apparent contradiction of known risks and continued deployment demonstrates that security and operations need to coordinate on these issues.

Meltzer points out that the consequences of insecure IoT implementations leading to a cyber attack are far more severe for industrial applications.  Greater connectivity with operational technology (OT) exposes operational teams to the types of attacks that IT teams are used to seeing, but with even higher stakes, he said.  The concern for a cyber attack is no longer focused on loss of data, but safety and availability. Consider an energy utility as an example – cyber attacks could disrupt power supply for communities and potentially have impact to life and safety.

Here at Skkynet, we could not agree more. It was this kind of thinking that led us to develop our secure-by-design SkkyHub service. Those who understand the risks of the IIoT and the difficulty of securing it using conventional IT or OT approaches recognize the value of what we are doing. We invite every survey participant and anyone else who wants to get the most out of the IIoT to see for themselves how these concerns fall away when using an IIoT platform that is secure by design.

Top 10 IoT Technology Challenges for 2017 and 2018

/by

Gartner, Inc., the IT research firm based in Stamford, Connecticut, recently published a forecast for the top ten IoT technology challenges for the coming two years.  The list covers a lot of ground, from hardware issues like optimizing device-level processors and network performance to such software considerations as developing analytics and IoT operating systems to abstract concepts like maintaining standards, ecosystems, and security.

“The IoT demands an extensive range of new technologies and skills that many organizations have yet to master,” said Nick Jones, Gartner vice president analyst. “A recurring theme in the IoT space is the immaturity of technologies and services and of the vendors providing them.”

Heading the list of needed expertise is security.  “Experienced IoT security specialists are scarce, and security solutions are currently fragmented and involve multiple vendors,” said Mr. Jones. “New threats will emerge through 2021 as hackers find new ways to attack IoT devices and protocols, so long-lived ‘things’ may need updatable hardware and software to adapt during their life span.”

To anyone considering the IoT, and particularly the Industrial IoT (IIoT) or Industrie 4.0, this should be a wake-up call.  As the recent power-grid hack in the Ukraine shows us, old-school approaches like VPNs will not be sufficient when an industrial system is exposed to the Internet. In the IoT environment, Skkynet’s secure by design approach ensures not only a fully integrated approach for the security issues that many are aware of today, but also a forward-looking approach that will meet future challenges.

Having taken security into consideration, there are other items on the list that we see as significant challenges, and for which we provide solutions.  Among these are:

  • IoT Device Management – Each device needs some way to manage software updates, do crash analysis and reporting, implement security, and more. This in turn needs some kind of bidirectional data flow such as provided by SkkyHub, along with a management system capable of working with huge numbers of devices.
  • Low-Power Network Support – Range, power and bandwidth restraints are among the constraints of IoT networks.  The data-centric architecture of SkkyHub and the Skkynet ETK ensure the most efficient use of available resources.
  • IoT Processors and Operating Systems – The tiny devices that will make up most of the IoT demand specialized hardware and software that combine the necessary capabilities of low power consumption, strong security, tiny footprint, and real-time response.  The Skkynet ETK was designed for specifically this kind of system, and can be modified to meet the requirements of virtually any operating system.
  • Event-Stream Processing – As data flows through the system, some IoT applications may need to process and/or analyze it in real time.  This ability, combined with edge processing in which some data aggregation or analysis might take place on the device itself, can enhance the value of an IoT system with little added cost.  Skkynet’s unique architecture provides this kind of capability as well.

According to Gartner, and in our experience, these are some of the technical hurdles facing the designers and implementers of the IoT for the coming years.  As IoT technology continues to advance and mature, we can expect other challenges to appear, and we look forward to meeting those as well.