Posts

Skkynet Joins Canadian Business Mission to Japan

This past month Skkynet’s President, Paul Thomas, teamed up with a group of Ontario business leaders for a business mission to Japan.  Led by Ontario Premier Kathleen Wynne and the Ontario Trade Commission, the mission met with companies like NTT-Data, Rakuten, and Softbank, and succeeded in signing 15 trade agreements valued at more than $120 million.

A high point of the visit was a signing ceremony for a memo of understanding between Cogent and BellChild at the Canadian Embassy in Tokyo to launch the next generation of the iBRESS Service in 2017.  “We are pleased to strengthen our relationship with BellChild in this way,” said Thomas, “and build on the success of the current iBRESS Secure Micro Cloud Service, which we have been offering jointly for the past 18 months.  Adding the capabilities of the SkkyHub™ service to BellChild’s portfolio will significantly enhance their ability to serve their customers.”

Shown in the picture, left to right:

  • Mr. Ian Burney, Ambassador of Canada to Japan
  • Mr. Paul Thomas, President of Skkynet
  • Mr. Yoshikuni Fujita, President of BellChild
  • Ms. Kathleen Wynne, Premier of Ontario
  • Mr. Minoru Yamazaki, Senior Advisor, Cogent DataHub Application Centre (Japan)

The signing ceremony was one of many events and meetings held over a period of two weeks to establish stronger bonds of collaboration between Skkynet’s Canadian and Japanese subsidiaries (Cogent and NiC), and their Japanese partners and affiliated companies.  Building on ten years of personal, business, and technical relationships, this visit not only rekindled old friendships, but also opened new doors.  Here are some highlights:

Site visits to the Tokyo Institute of Technology, as well as the Nagoya Institute of Technology, where a team of professors has been testing the new OPC UA features of the Cogent DataHub for internal communications over OPC UA in a simulated plant environment.

The launch of the Alliance Partner Group (APG), leading proponents of the Industrial IoT that share Skkynet’s and BellChild’s vision, including TOA, IBS Japan, Kobata Gauge, Japan-Direx, Device Drivers, Haneron, MACNICA Techstar Co., and Puerto, as well as Skkynet, Cogent, NiC, and BellChild.

Meetings with the ThunderCloud Alliance as a group, as well as with individual members.  The ThunderCloud Alliance is a nine-company alliance to provide Industrie 4.0 and Industrial IoT hardware, software, and services to the world market. Each company contributes from its own specialized field. TOA Musendenki Co., Ltd is in charge of communication and various sensor devices. BellChild Co., Ltd is responsible for cloud servers. Kobata Gauge Manufacturing provides various sensors. Haneron Corporation offers remote monitoring equipment. NiC is responsible for industrial networks. Nissin Systems Co., Ltd. is in charge of control systems and embedded software. Puerto Co., Ltd develops industrial protocols, and provides expertise in OPC UA. Japan Direx Corporation does real-time network intelligence analysis. Cogent Real-Time Systems provides real-time data connectivity middleware to communicate between devices (M2M) and remote monitoring.

Leading up to these events, Skkynet/BellChild iBRESS Service was used to power demos at the following trade shows:

  • ET2016 (demos by Nissin, Renesas, Renesas Easton, and BellChild)
  • JIMTOF 2016 (demos by MACNICA and BellChild)
  • Monozukuri Business Fair 2016, Osaka (demos by BellChild)

“The business mission was a resounding success, and personally very satisfying,” said Thomas. “We have sown a lot of seeds, and look forward to seeing how they grow in the coming year.”

Making OPC UA Secure for the Industrial IoT

Note: This article was originally published on the Automation.com website.

OPC UA was designed to be secure in an industrial environment, and it does a good job of it. In the world of Operations Technology (OT) you need reliable and secure data communications to run mission-critical systems. OPC UA provides robust connectivity, allowing your devices and machines to communicate, yet keeping them secure and locked down. But today’s OT world is expanding, being propelled into the larger, corporate world of IT, and beyond that, into the Industrial Internet of Things (IIoT) and Industrie 4.0. When connecting to IT and the IIoT, making OPC UA secure requires a new approach to meet new and different threats to security.

Securing an industrial system requires at the very least securing the perimeter against unauthorized access. Whether or not anything in the plant is connected to IT or the IIoT, this perimeter must remain intact for optimal security. In the past, perimeter protection was often accomplished by air-gapping, where the industrial network was physically isolated from any other network connection. Until recently, this approach or similar solutions like DMZs were sufficient. But these make it difficult if not impossible to share OT data with the company’s own IT department, much less on the IIoT. The challenge is to fully protect the perimeter, and yet still provide access to the data from OPC UA servers inside.

Are VPNs secure enough?

Accessing OPC UA servers or any other industrial system from the IIoT should be done through a secure network connection. The typical approach, one that many take for granted, is to use a VPN (Virtual Private Network). VPN technology is well known, having been used for decades in the IT world. In essence, a VPN provides an outside user with a log-in to the network, and establishes a secure tunnel through the Internet to allow access to the system―the entire system. And that can lead to problems.

While OPC UA can work over a VPN, that doesn’t guarantee robust security. VPNs were not designed for use with industrial process control systems. In fact, they can open vulnerabilities even in the IT world. The attack on Target stores in North America that cost the company millions of dollars was perpetrated through a VPN. Hackers got hold of a user name and password, and gained access to the system. Once in, they quickly found their way to customer records and credit card numbers, and had a field day. The problem with using a VPN to access an industrial system is not only that every VPN user account is a potential access point, but that once someone is inside the perimeter they gain access to the whole system.

The drawbacks of using a VPN for the IoT are examined in detail by Clemens Vasters, a Microsoft Developer. In a paper titled Internet of Things: Is VPN a False Friend? Vasters said, “VPN provides a virtualized and private (isolated) network space. The secure tunnels are a mechanism to achieve an appropriately protected path into that space, but the space per-se is not secured, at all. It is indeed a feature that the established VPN space is fully transparent to all protocol and traffic above the link layer.”

Using Reverse Proxies

Forward-thinking people who are working on the IIoT recognize this inherent risk in using VPNs. Many IT departments now require reverse proxies for OT systems to mask all internal servers and expose just one server to the Internet. But this approach does not secure OPC UA for the IIoT.

OPC UA clients can connect through reverse proxies using HTTP, but not HTTPS due to certificate handling. The proxy will either require opening a new firewall port, or effectively create a path to the control system that could easily be overlooked in the future. Either way an attack surface gets opened in the corporate perimeter. Furthermore, even if the message itself is encrypted, the message headers are exposed to outside observers. The only alternatives involve effectively tunneling through the proxy directly to the control system, which is what the proxy is trying to prevent.

The bottom line is that a reverse proxy is an improvement over a VPN, but it still requires a point of access into the control system from the Internet or IT network. Any point of access is an attack surface, and even if the server code is bulletproof it is still a candidate for a spear-phishing compromise.

Push Instead of Pull

The best way to completely close the plant perimeter is to eliminate all inbound connections, allowing only outbound connections. This is a good idea in principle, as it does not expose the plant to attack. The system presents zero attack surface, becoming invisible to hackers who cannot attack what they cannot see.

However, outbound connections run afoul of traditional design expectations. Effectively they turn the paradigm of industrial data communications on its head. Most client/server architectures, including OPC UA, assume that the server holds the data and the client initiates a connection to interact with it. The server is the authority on the data set, while the client is the non-authoritative user. Thus, in the OPC UA world-view the server must be situated with the primary data source, inside the control system.

To make a push design work in the IIoT, the server/client relationship must be reversed. The client must be the authority (inside the control system), and the server must be a non-authoritative receiver of the data. The client must be able to construct the data set on the server on the fly, based on its knowledge of the control system. This reversal of the client/server roles is something that OPC UA cannot accomplish on its own, but can be added through appropriate gateway software.
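The role reversal described above, as an added example that is not from the original article and is not Skkynet's or any OPC UA product's protocol. The class names, the JSON-lines message format and the point names are hypothetical, and a loopback TCP socket stands in for the path out of the plant. The plant side only dials out, builds the data set on the receiver, and decides for itself which requested writes to accept.

```python
import json
import socket
import threading


class Relay:
    """Outside the perimeter: accepts the plant's connection, holds no authority."""

    def __init__(self):
        self.points = {}          # starts empty; built from what the plant pushes
        self.pending_writes = []  # supervisory write requests awaiting the plant
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(("127.0.0.1", 0))  # loopback stand-in for the cloud endpoint
        self._srv.listen(1)
        self.addr = self._srv.getsockname()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        conn, _ = self._srv.accept()
        with conn, conn.makefile("r", encoding="utf-8") as rf, \
                conn.makefile("w", encoding="utf-8") as wf:
            for line in rf:
                msg = json.loads(line)
                if msg["op"] == "update":
                    self.points[msg["name"]] = msg["value"]
                elif msg["op"] == "poll":
                    # Requests ride back on the connection the plant opened.
                    wf.write(json.dumps({"writes": self.pending_writes}) + "\n")
                    wf.flush()
                    self.pending_writes = []
        self._srv.close()

    def join(self):
        self._thread.join(timeout=5)


class PlantAgent:
    """Inside the perimeter: owns the data, dials out, never binds or listens."""

    def __init__(self, values, writable):
        self.values = dict(values)     # authoritative process values
        self.writable = set(writable)  # points that accept supervisory control

    def _push(self, wf, names):
        for name in names:
            wf.write(json.dumps({"op": "update", "name": name,
                                 "value": self.values[name]}) + "\n")
        wf.flush()

    def sync(self, relay_addr):
        with socket.create_connection(relay_addr, timeout=5) as s, \
                s.makefile("r", encoding="utf-8") as rf, \
                s.makefile("w", encoding="utf-8") as wf:
            self._push(wf, self.values)  # create the points on the relay
            wf.write(json.dumps({"op": "poll"}) + "\n")
            wf.flush()
            requested = json.loads(rf.readline())["writes"]
            applied = []
            for req in requested:
                # The plant decides; anything not explicitly writable is ignored.
                if req["name"] in self.writable:
                    self.values[req["name"]] = req["value"]
                    applied.append(req["name"])
            self._push(wf, applied)      # relay mirrors the plant's new state
            return applied


def demo():
    relay = Relay()
    # Constructed sample data: one read-only measurement, one writable setpoint.
    agent = PlantAgent({"tank1.level": 71.5, "pump1.setpoint": 40.0},
                       writable={"pump1.setpoint"})
    relay.pending_writes += [{"name": "pump1.setpoint", "value": 45.0},
                             {"name": "tank1.level", "value": 0.0}]
    applied = agent.sync(relay.addr)
    relay.join()
    return relay.points, applied, agent.values


if __name__ == "__main__":
    print(demo())
```

The write aimed at the read-only point never changes the plant or the relay's copy, because the relay can only request and the plant's own allow-list decides.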

Using Forward Proxies

Using a push mechanism allows both OT and IT to completely close the network perimeter. If there is no way to make a connection from outside the network then there is no attack surface to exploit and there is no user to fool into revealing his password.

But even a closed perimeter is not sufficient. Best practice in IT networks is to route outgoing web traffic through a forward proxy, and to deny all other network traffic to the Internet. This substantially improves security by effectively shielding the internal network from a direct Internet connection. To be robust and IT-compliant the outbound IIoT connection must be able to pass through a standard forward proxy. Although OPC UA doesn’t inherently support forward proxies, appropriate gateway software can once again add this capability.

Secure by Design

The Chatham House Report, Cyber Security at Civil Nuclear Facilities: Understanding the Risks, points out an alarming lack of security at some of the most critical infrastructure installations in the world, and makes a number of design recommendations. At one point it states, “Many industrial control systems are insecure by design, since cyber security measures were not designed in from the beginning.” And this does not just apply to nuclear facilities. Indeed, the “many industrial systems” may well include those which now or soon might incorporate OPC UA. And they require a new approach, a new design for security on the IIoT.

The new design approach must allow OPC UA clients from any location to connect and acquire data from OPC UA servers within the plant perimeter, to eliminate the need for reverse proxies and VPNs and to avoid opening any inbound firewall ports. At the same time, to fully support OPC UA’s real-time data access, the design must support bi-directional data communication between OT and IT systems and across the Internet at speeds very close to network propagation times. Secure-by-design for the IIoT should take a no-compromise approach, offering the best possible combination of speed, security, and convenience.

With this level of security, and near-real-time speeds, there is one more design consideration: practicality. To gain traction among users, the design should be convenient to implement. It should, for example, allow for seamless integration with legacy installations using OPC Classic and other industrial protocols, as well as newer OPC UA-enabled systems. It should provide a loose coupling to the IIoT, one that allows remote, authorized and secure access to the data, optionally including supervisory control, but that has no impact on the primary control system if it gets disconnected. And it should be easy enough to implement that it doesn’t overly tax the time or resources of the system integrator or plant engineer who is implementing it.

This is the kind of design that is needed to secure the IIoT, and make it compatible with today’s factory or process. OPC UA is the industrial protocol of the present, and of the future. It has the ability to integrate plant data from virtually any machine or device, large or small, as well as to bring the disparate worlds of OT and IT together. When OPC UA is wedded to the appropriate, secure-by-design IoT technology, it will play a key role in Industrie 4.0 and IIoT applications.

Industrial Analytics: Extracting Value from IoT Data

“Analytics is to data what refining is to oil: The process that turns the resource into a valuable product,” says the opening paragraph of a new survey report, Industrial Analytics Report 2016/17, initiated and governed by the Digital Analytics Association e.V. Germany (DAAG). The report provides a good overview of how executives in Europe and around the world, representing leading manufacturers, system integrators, automation tool vendors, and other institutions, view the value of IIoT analytics, and how this new application space will continue to expand.

The rapid growth of the Industrial Internet of Things (IIoT) is already precipitating a deluge of data, and manufacturers are anticipating much more to come. As they experience this mounting wave, they also recognize the need to extract value from it. Thus, a majority of respondents to the survey said that industrial analytics will become crucially important over the next five years. That value will be due, they believe, to increased revenue from the data sources that the IIoT will tap. The way they see it, analysis of IIoT data will open opportunities for predictive and prescriptive maintenance, better analysis of customers and markets, and a better understanding of how products are actually used in the field.

Most responses indicated that to take full advantage of the data stream, the quality of these analytics will need to gain in sophistication. For example, the majority foresee exchanging spreadsheets for Business Intelligence and advanced analytical tools. These real-time analytical tools are expected to help them evolve from a current ability to merely describe problems towards the capacity to predict the problems, and even prescribe solutions.

Challenges

Of course, there are challenges to be met. All of this will come at a cost, replied those surveyed, with the largest expenses expected to be for the software and applications needed to gain access to the data and aggregate it. Another challenge is a skills and technology gap in the area of the IIoT infrastructure. In general, a full 78% of the participants rated “interoperability between different system components” as challenging or very challenging. About 60% said the same for “data accuracy,” and about 50% rated “integration with enterprise systems” at that same level of difficulty.

These survey results validate Skkynet’s approach to the IIoT. We believe that companies should not have to get drawn into infrastructure development to reap the benefits of sophisticated analysis of live and historical IIoT data. We provide interoperability through secure, real-time data exchange between remote devices, shop-floor equipment, multiple facilities, and main-office IT departments. Companies accessing our SkkyHub™ service can gain the full value of the IIoT with no development costs or capital expenditure.

Any company looking into IIoT-based industrial analytics should dream big, sharpen their analytical skills, and choose good tools. When they are ready to connect to their data sources, integrate them, and put the results into their analytical systems, they should come to us.

Cogent and BellChild to Launch Next Generation iBRESS Service

Skkynet subsidiary Cogent Real-Time Systems signs memo of understanding with BellChild to offer next generation cloud service for Industrie 4.0 and Industrial IoT.

Mississauga, Ontario, December 7, 2016 – Skkynet Cloud Systems, Inc. (“Skkynet”) (OTCQB: SKKY), a global leader in real-time cloud information systems, announces that Cogent Real-Time Systems, a Skkynet subsidiary, signed a memo of understanding with BellChild Ltd. of Osaka, Japan, to launch the next generation iBRESS™ cloud service. This MOU supports the rollout of an Asian-market specific SaaS (Software as a Service) for secure, real-time data communication suitable for Industrie 4.0 and Industrial IoT (IIoT) applications.

“We are pleased to strengthen our relationship with BellChild in this way,” said Paul Thomas, President of Skkynet, “and build on the success of the current iBRESS Secure Cloud Micro Service, which we have been offering jointly for the past 18 months.  Adding the capabilities of the SkkyHub™ service to BellChild’s portfolio will significantly enhance their ability to serve their customers.”

Users of the improved iBRESS service will be able to securely connect industrial plants, machines, or individual sensors and actuators to a complete Industrie 4.0 or IIoT system.  This will allow BellChild customers to monitor and control their industrial processes in real time, from a web page or mobile phone, as well as log data directly to any database or Big Data repository.  The improved service requires no programming, and allows users to seamlessly integrate existing systems using standard protocols, while incrementally adding Industrie 4.0 or IIoT capability as needed.

Underpinning the iBRESS and SkkyHub services, Skkynet’s patented technology for secure, outbound-only connections is fully compatible with corporate IT policies, and ensures no exposed attack surface – no open firewall ports, no VPN, and no extra hardware.  It provides Industrie 4.0 and IIoT connectivity at in-plant networking speeds of microseconds over network latency, and processes up to 50,000+ data changes per second.

About BellChild

BellChild is a system integration company focusing on secure system development, robust infrastructure development, and advanced operations capabilities. BellChild’s BEAM platform provides highly secure cloud services for the financial sector. The company develops and maintains secure servers used to support high-speed financial transactions, which are also used to provide a robust and secure platform to support industrial cloud-based systems in the form of iBRESS™ service.  For more information, see http://www.bell-c.co.jp/.

About Skkynet

Skkynet Cloud Systems, Inc. (OTCQB: SKKY) is a global leader in real-time cloud information systems. The Skkynet Connected Systems platform includes the award-winning SkkyHub™ service, DataHub®, WebView™, and Embedded Toolkit (ETK) software. The platform enables real-time data connectivity for industrial, embedded, and financial systems, with no programming required. Skkynet’s platform is uniquely positioned for the “Internet of Things” and “Industry 4.0” because unlike the traditional approach for networked systems, SkkyHub is secure-by-design.  For more information, see http://skkynet.com.

Safe Harbor

This news release contains “forward-looking statements” as that term is defined in the United States Securities Act of 1933, as amended and the Securities Exchange Act of 1934, as amended. Statements in this press release that are not purely historical are forward-looking statements, including beliefs, plans, expectations or intentions regarding the future, and results of new business opportunities. Actual results could differ from those projected in any forward-looking statements due to numerous factors, such as the inherent uncertainties associated with new business opportunities and development stage companies. Skkynet assumes no obligation to update the forward-looking statements. Although Skkynet believes that any beliefs, plans, expectations and intentions contained in this press release are reasonable, there can be no assurance that they will prove to be accurate. Investors should refer to the risk factors disclosure outlined in Skkynet’s annual report on Form 10-K for the most recent fiscal year, quarterly reports on Form 10-Q and other periodic reports filed from time-to-time with the U.S. Securities and Exchange Commission.

Cybersecurity Top Concern for Oil and Gas Sector

Among the growing concerns about cybersecurity and the IoT, the industrial sector stands out.  Industrial IoT applications are in some ways more at risk than others.  Control networks traditionally safeguarded through complete isolation are now seen as sources for valuable data for companies to tap.  But connecting plant data to outside networks or the Internet must be done securely.  The consequences of a hack can cost thousands or millions of dollars, and possible loss of life.  Nowhere is this more evident than in the oil and gas sector.

In a recent report, Countering the Threat of Cyberattacks in Oil and Gas, the Boston Consulting Group (BCG) enumerates the concerns in that sector for cybersecurity.  They pointed in particular to upstream systems, such as remote data acquisition systems, gateways, transmission bridges, and controllers in exploratory rigs and drilling control systems.  This equipment and these networks are spread across vast areas, and are responsible for tracking and controlling the extraction and production of the oil and gas resources in the field.  Once considered too remote to worry about, as these systems come online, they should be considered possible targets for an attack.

“Until recently, the industry considered the traditional upstream systems in the oil and gas sector to be relatively safe because they were, in most cases, isolated,” the report said.  “But the industry’s growing use of connected industrial systems and networking technology—coupled with the ever-increasing need for real-time data and analytics—has introduced new risks.”

The BCG report outlines several specific areas of risk, and recommends a number of steps for CIOs and other executives to take.  These fall into three categories:

  • Boundary protection – The exploding popularity of mobile devices has driven operators and others to request or expect the same convenience they get at home or anywhere else in the world at their workplace.  Each device adds to the potential attack surface.  Wherever possible, remote users in the oil and gas sector should be given access to the data only, and not to the control system itself.
  • Remote access – This is essential to monitoring and controlling a wide-spread enterprise like oil and gas production.  Strong control over remote access points includes both physical access and software-based safeguards.  On the software side, we would recommend a secure-by-design, outbound-only architecture wherever possible for remote equipment or devices.
  • Information flows – If a malicious agent is able to interrupt, alter, or redirect the flow of information through the system, it could cause significant problems.  Firewalls, reverse proxies, DMZ technology and hardware solutions like data diodes can reduce or eliminate unauthorized access, while employing network-monitoring equipment and network-use rules can help identify any intrusions that do occur.

In all of these, there are both human and technical factors.  On the human side, operators and managers need to be trained and supervised to ensure that they are keeping security as a top priority, and adhering to the relevant policies.  The technology, for its part, should support those efforts by being as convenient and unobtrusive as possible, while still providing the highest possible level of security.

The BCG report concludes, “To protect themselves, their shareholders, and their customers adequately, industry players must make cybersecurity a highest priority and an ongoing consideration at the executive level.”  We agree.  And we would add that starting from there, this attitude should spread throughout the organization, and be present in each of its members, and the tools they use.

IBM Realizes the Value of the Industrial IoT

A recent report in Fortune magazine claims that one of the key areas for growth at IBM this year has been its Industrial IoT (“IIoT”) business.  In the past 9 months alone, the number of their IIoT customers shot up 50%, to 6,000.  The area of IIoT is one of IBM’s “strategic imperatives”, which contributed an overall increase in growth of 7% for the company.  In contrast, the more traditional hardware and services areas experienced a 14% decline year-on-year.

The report quotes a survey released last month from IDC (International Data Corporation) that found the trend towards IIoT implementation is increasing industry-wide. Over 30% of the companies participating in the survey have already launched IoT initiatives, and another 43% expect to do so in the coming year.  “This year we see confirmation that vendors who lead with an integrated cloud and analytics solution are the ones who will be considered as critical partners in an organization’s IoT investment,” said Carrie MacGillivray, Vice President, Mobility and Internet of Things at IDC.

Results of the IDC survey of 4,500 managers and executives from a wide range of industries in over 25 countries suggest that many companies have completed proof-of-concept projects, and are now moving towards pilot implementations and scalable IoT deployments.  This trend is acknowledged by Bret Greenstein, IBM’s vice president for IoT platforms, who commented in the Forbes interview, “There was so much tire-kicking a year ago. Now you are seeing adopters in every single industry actually building solutions.”

What is driving this demand for IoT among IBM’s customers?  The Forbes article didn’t say, but the IDC survey found that much of the value of the IoT is seen to be internal to the company itself, to become or stay more competitive.  Respondents cited boosting productivity, streamlining procedures, and cutting costs as reasons for implementing the IoT, rather than any direct services or other benefits for customers.

Although the IDC survey was for the IoT in a broad range of industries, including manufacturing, retail, utilities, government, health, and finance, its results correlate with the experience of IBM in the Industrial IoT.  The company plans to bring on 25,000 new people for IIoT-related projects and services worldwide, with 1,000 of them in their Munich global IoT headquarters alone. As we see it, both the survey results and the experience of IBM point to a common reality: the Industrial IoT is quickly moving into the mainstream.