Posts

Working Remotely to Stop Coronavirus

Companies using Skkynet software and services expect high security for their data communications. They know that keeping every inbound firewall port closed shuts out the whole class of attacks that arrive over the network, including many computer viruses and worms. Now, with the coronavirus looming large, we must do much the same thing in real life: keep our distance and stay behind physical walls as much as possible. And yet work must go on. The data must get through. We need to work remotely wherever possible.

The problem is, logging in remotely can be risky. Typically you need to expose your servers, either directly on the web or through a VPN, and that is a risk our industrial control customers cannot take. They need tighter security: access to their process data without exposing the process servers and networks themselves. Skkynet's tunnelling technology provides this kind of access. The plant side opens an outbound connection and pushes its data to our SkkyHub service, where users can read and interact with it in real time, all without opening any inbound firewall port to the outside world.

A Helping Hand

We are now offering this service at no cost to help our customers weather the coronavirus storm. For the next three months any DataHub user can connect to SkkyHub free of charge. A single outbound tunnel connection provides remote access to the data, even from behind DMZs and proxies. The SkkyHub service includes a web-based interface, SkkyHub WebView, that lets people build dashboards to monitor their data and interact with their systems from home. Those who are new to WebView can quickly get up to speed, designing pages through its web interface. With SkkyHub, users can view and operate their control systems remotely almost as readily as from the control room itself.

Let’s face it. These are not easy times. Some factories have been forced to shut down, and restarting will be difficult, as Matthew Littlefield at LNS Research explains in this blog, Closing Factories is Hard, Re-Opening will be Harder. Remote access can alleviate these problems to some degree, but it must be reliable and above all, secure.

In another blog, Coronavirus Lessons for Industrial Cybersecurity: Quarantines, Sid Snitkin at ARC Advisory Group compares quarantines for coronavirus to securing industrial systems, and suggests, “Use DMZs, firewalls, zero-trust access control, anti-malware software, awareness training, and security hygiene to reduce the likelihood of an initial compromise.” He also recommends system segmentation to limit lateral movement of viruses, continuous device and system monitoring, and strengthening tools to prevent future attacks.

Doesn’t that sound a little like social distancing, washing hands, not travelling, and keeping our immune systems strong? The social structures we have developed throughout history and the technical systems we have built recently are not as different as we might imagine. They both can serve us well, but we need to protect them and keep them, like ourselves, in good health.

US Gas Pipeline Ransomware Shutdown – A Ready Solution

An entire US gas pipeline was shut down for two days after a ransomware attack, according to a recent alert from the US Cybersecurity and Infrastructure Security Agency (CISA). A spear-phishing email gave the attackers a foothold on the IT network; from there they pivoted into the OT network and deployed ransomware on HMIs, data historians, and polling servers of the process control system. Although only one facility was hit, management shut down the whole pipeline for two days, resulting in lost productivity and revenue for the pipeline operator as well as for upstream production systems and downstream distribution networks.

This need not have happened. The remedy is simple in principle: isolate the OT network so that a compromise of the IT network cannot reach it. Skkynet software running on a DMZ would have let them keep their firewalls closed to inbound traffic while still moving the data they needed between the two networks.

Using a DMZ

The first technical recommendation in the CISA report is to segment networks using a DMZ: “Implement and ensure robust Network Segmentation between IT and OT networks to limit the ability of adversaries to pivot to the OT network even if the IT network is compromised. Define a demilitarized zone (DMZ) that eliminates unregulated communication between the IT and OT networks.”

The easiest and most cost-effective way to pass production data securely through a DMZ is DataHub tunnelling. Because every tunnel connection is initiated outbound from the protected side, and only data values (not network access) are exchanged, DataHub tunnelling provides bidirectional data flow with no open inbound firewall ports and no VPN. The key is to give access to the data, not to the network. This technology has been deployed in mission-critical systems worldwide for over 20 years, and was implemented recently in the TANAP project, in which DataHub software transmitted process data from an 1800 km pipeline into a central control system without opening any inbound firewall ports.

Secure OT Assets

The second technical requirement recommended by CISA is to secure OT assets as much as possible.  The report said, “Organize OT assets into logical zones by taking into account criticality, consequence, and operational necessity. Define acceptable communication conduits between the zones and deploy security controls to Filter Network Traffic and monitor communications between zones. Prohibit Industrial Control System (ICS) protocols from traversing the IT network.”

Again, DataHub tunnelling is a ready, off-the-shelf conduit for making these connections. It provides secure, bidirectional, real-time data mirroring between logical zones of OT assets, and from OT to IT. Data traverses the tunnel using the DHTP protocol, so no native ICS protocol has to cross a zone boundary; the data can be converted to or from industrial protocols at either end.
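The pattern described in the two sections above, and in the remote-access post earlier on this page, is: one outbound connection from the protected side, a relay in the DMZ that mirrors data values rather than forwarding network traffic, and write requests that travel back over that same outbound link. The following example shows the pattern end to end. It is an added illustration written for this page, not Skkynet's DataHub or DHTP code; the newline-delimited JSON message format, the tag names, and the allow-list of writable tags are all assumptions, and the "plant", "relay" and "client" run as coroutines on localhost so that it executes offline.

```python
"""Outbound-initiated tunnel through a DMZ relay (illustration, not Skkynet code).

plant  -> opens ONE outbound TCP connection to the relay and never listens; it
          pushes tag values up and receives write requests back down that link.
relay  -> runs in the DMZ and is the only listener. It mirrors the latest value
          of each tag and forwards only allow-listed writes to the plant.
client -> the IT/remote side: reads the mirror and may request writes.
Wire format (assumed): newline-delimited JSON, one message per line.
"""
import asyncio
import json
from contextlib import suppress

RELAY_HOST = "127.0.0.1"
WRITABLE_TAGS = {"valve_101"}   # assumed policy: tags remote users may write


async def send(writer, msg):
    writer.write((json.dumps(msg) + "\n").encode())
    await writer.drain()


async def recv(reader):
    line = await reader.readline()     # b"" on EOF -> None
    return json.loads(line) if line else None


class Relay:
    """DMZ side: holds mirrored tag values; it is not a route into the plant."""

    def __init__(self):
        self.tags = {}          # latest mirrored value per tag
        self.clients = set()    # IT-side subscriber writers
        self.plant = None       # writer of the plant's outbound connection
        self.rejected_writes = 0

    async def handle(self, reader, writer):
        hello = await recv(reader)
        if hello and hello.get("role") == "plant":
            self.plant = writer
            while (msg := await recv(reader)) is not None:
                if msg.get("op") == "set":
                    self.tags[msg["tag"]] = msg["value"]
                    for c in list(self.clients):
                        await send(c, {"op": "update", "tag": msg["tag"], "value": msg["value"]})
            self.plant = None
        elif hello and hello.get("role") == "client":
            self.clients.add(writer)
            for tag, value in list(self.tags.items()):   # initial snapshot
                await send(writer, {"op": "update", "tag": tag, "value": value})
            while (msg := await recv(reader)) is not None:
                # A write names one tag and one value. Anything else, or a tag
                # outside the allow list, is dropped here in the DMZ.
                if msg.get("op") == "write" and msg.get("tag") in WRITABLE_TAGS and self.plant:
                    await send(self.plant, msg)        # rides the plant's outbound link
                else:
                    self.rejected_writes += 1
            self.clients.discard(writer)
        writer.close()


async def plant(port, plc, writes_seen):
    """Plant side: outbound only. `plc` is the simulated process (dict of tags)."""
    reader, writer = await asyncio.open_connection(RELAY_HOST, port)
    try:
        await send(writer, {"role": "plant"})
        for tag, value in plc.items():
            await send(writer, {"op": "set", "tag": tag, "value": value})
        while (msg := await recv(reader)) is not None:    # writes arrive here
            if msg.get("op") == "write" and msg["tag"] in plc:
                plc[msg["tag"]] = msg["value"]
                writes_seen.append(msg)
                await send(writer, {"op": "set", "tag": msg["tag"], "value": msg["value"]})
    finally:
        writer.close()


async def it_client(port, n_tags, writes):
    """IT/remote side: read the mirror, request writes, wait for the last to land."""
    reader, writer = await asyncio.open_connection(RELAY_HOST, port)
    await send(writer, {"role": "client"})
    view = {}
    while len(view) < n_tags:
        msg = await recv(reader)
        view[msg["tag"]] = msg["value"]
    for w in writes:
        await send(writer, {"op": "write", **w})
    last = writes[-1]
    while view.get(last["tag"]) != last["value"]:
        msg = await recv(reader)
        view[msg["tag"]] = msg["value"]
    writer.close()
    return view


async def _demo():
    relay = Relay()
    server = await asyncio.start_server(relay.handle, RELAY_HOST, 0)
    port = server.sockets[0].getsockname()[1]
    plc = {"flow_rate": 12.5, "valve_101": "open"}        # constructed sample tags
    writes_seen = []
    plant_task = asyncio.create_task(plant(port, plc, writes_seen))
    view = await it_client(port, n_tags=2, writes=[
        {"tag": "flow_rate", "value": 0.0},       # not allow-listed: dropped in the DMZ
        {"tag": "valve_101", "value": "closed"},  # allow-listed: reaches the plant
    ])
    plant_task.cancel()
    with suppress(asyncio.CancelledError):
        await plant_task
    server.close()
    with suppress(asyncio.TimeoutError):
        await asyncio.wait_for(server.wait_closed(), 2)
    return {"it_view": view, "plc": plc, "writes_seen": writes_seen,
            "rejected": relay.rejected_writes}


def run_demo():
    return asyncio.run(_demo())


if __name__ == "__main__":
    print(run_demo())
```

Running it shows the IT-side view converging on the plant's values, the allow-listed valve write landing on the plant and being mirrored back, and the flow-rate write being counted as rejected without ever leaving the DMZ. The plant process opens no listening socket at all, so a host firewall on the OT segment can drop every inbound packet. A production deployment would additionally wrap the connections in TLS and authenticate both ends, which this illustration omits.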

Of course, the most secure system relies on sound planning and operational strategies in addition to strong technical and architectural solutions. The choice of software is one element of a larger picture. But in this case, using Skkynet IoT software to carry the data across a DMZ would have removed the unregulated IT-to-OT connectivity that let the ransomware spread into the control system, and very likely averted the pipeline shutdown.

Case Study: TANAP Pipeline, Turkey

Skkynet’s DataHub middleware was used by ABB for secure, real-time data networking on the Trans-Anatolian Natural Gas Pipeline (TANAP) project in Turkey.

Secure IoT Gateway Architecture

An enhanced, secure-by-design OPC UA to MQTT gateway can pass data through a DMZ or IT department, keeping all inbound firewall ports on the plant closed.

Think Big, Start Small, Scale Up

Every so often we get reports of how things are going with Industrial IoT and digital transformation projects. Although our customers keep us informed, it’s also interesting to hear from the rest of the world, through trade shows, conferences, industry publications and the like. In a recent event in Singapore hosted by ARC Advisory Group, executives and technical experts shared their experiences with colleagues, suppliers, and industry gurus. A summary of three of these presentations was published in a blog titled Lessons from the Industry of Things.

Funnily enough, among those three presentations, two of them had an almost identical approach to implementing Industrial IoT. They even had similar terminology, which is essentially: Think Big, Start Small, Scale Up Fast. The idea is to keep your thinking about IoT as broad as possible at the beginning, with no idea left off the table. Then start with small, inexpensive, easily-managed pilot implementations. As soon as something starts working well, scale up quickly.

“Prototype small is about telling people to stop writing business plans and give it a go―quickly and at low cost,” said the Executive VP and CTO of Australia’s largest producer of natural gas, Shaun Gregory. “And because you lower the consequence of getting things wrong, as long as you’ve learned something, I don’t really care if you fail. Once you have a working prototype, if you do not scale this into your business, you won’t reap the benefits you anticipated.”

The challenge: Scale Up

It all sounds very good. But there is more to the story. There seems to be a challenge in moving from step 2 to step 3, the “Scale Up” step. The article goes on to say, “Mr. Gregory admitted that scaling solutions is the aspect the company has struggled with the most.”

He’s not alone. User surveys from industry analysts show that there is a significant drop in IoT project completion and success compared to the number of working pilots and prototypes. There are probably several factors at work here, including:

  1. Industrial IoT is very different from consumer IoT. In production-level implementations data volumes are much higher, real-time performance is typically a must, and security requirements are much more stringent.
  2. Industrial IoT is very different from in-plant industrial data communication. Again, security is a big issue, as well as protocol translation, gateway technologies, and the need to integrate with IT.
  3. Human factors, like adapting to new ways of thinking, a need for retraining, and new approaches to security, are often overlooked.

All of these factors can be addressed―the first two with the right technology, and the third by appropriate human resource development. Our focus is on the first two. Skkynet technology works equally well on turn-key projects as it does for pilots. For hundreds of connections, or just one. For thousands of data points or just a handful.

The DataHub technology, with its secure-by-design architecture and ability to seamlessly integrate the most important industrial protocols, meets the most stringent requirements for security, throughput, and ease of use that the world’s top engineering and system integration companies value.

Just last month we announced a new partnership with Siemens to use the DataHub with their DCU (Data Capture Unit) to offer “Bulletproof IIoT”. This partnership came after extensive testing of the DataHub to ensure that it meets Siemens’ high standards for security, robust performance, and ease of use that Industry 4.0 and Industrial IoT demand. Customers installing the DCU, or any other DataHub connected system, can rest assured that when it comes time to scale up, they will be fully-equipped and ready.

Security by Design

“Security by Design is strongly needed to reduce risk,” said Maximillian G. Koń, CEO at WisePlant, in a recent article in Advancing Automation: Industrial Cybersecurity. He tells how so many industrial automation and control systems were created decades ago, long before the idea of sending plant data to IT or the cloud was ever dreamed of. He says that security weaknesses were generated “during system design, engineering, construction, installation, commissioning, operation, maintenance, and retirement.” And he warns that security must be inherent in the system, not simply added as an afterthought.

Wake-Up Call

To illustrate his point, Koń tells the story of the S.S. Eastland, a passenger ship that sailed the Great Lakes at the beginning of the last century. The ship was not well-designed to start with, having problems with stability. After the sinking of the Titanic, new safety regulations required installing enough lifeboats on any ship to hold all the passengers it was rated for. The owner of the S.S. Eastland complied, and soon the vessel had a full set of new lifeboats, mounted above the upper decks.

However, the ship was not designed for this additional weight so high above the center of gravity. One tragic day as several thousand people were boarding for a pleasure cruise, the Eastland began listing heavily, and then suddenly rolled over and sank, right next to the pier, in 20 feet of water. Over 800 people were lost.

To avoid such tragedies in the industrial realm, Koń lays out an Industrial Cybersecurity Program that follows a security by design approach in three phases: Assess, Implement, and Maintain. When discussing the Implement phase, Koń talks about “bolt-on security vs. built-in security.” He says that existing systems must use bolt-on security, while new systems can be designed with built-in security. Although this principle makes sense, it raises the question: Why should existing systems have to settle for bolt-on security?

A New Approach

Most traditional technologies do require bolt-on security. But a new approach to data communication, Skkynet's DHTP protocol, supports software and services that are secure by design: connections are initiated outbound from the protected network, no inbound ports are opened, and what crosses the boundary is data, not network access. This makes it ideal for Industrial IoT and IT-to-OT applications, and it works equally well for new or existing systems, providing the best of both worlds. Rather than adding security to an existing system, it connects that system to a complete, stand-alone, secure-by-design IoT implementation. It is almost like enveloping a ship in some kind of new, sink-proof technology, rather than simply adding lifeboats.

With Skkynet’s technology, the enterprise can keep its legacy equipment and SCADA systems as long as needed, and yet provide secure access to live production data for authorized parties―on-premise or in the cloud. Whenever new hardware is acquired, it can be phased in as necessary, with no disruption to data links between shop floor and top floor.

The important thing is the principle: Security by Design. Security is not something that can be bolted on at the end. It needs to be an integral, built-in part of the design of hardware, software, and industrial control systems. Let's take to heart the lesson of the S.S. Eastland, and keep our systems on an even keel. With the right technology and approach, Industrial IoT and IT-to-OT data communication can come close to the isolation that the air-gapped systems of yesteryear provided, while still delivering the data.