Connecting Enterprises Need Secure-by-Design

All over the world, enterprises are connecting. Inspired or pushed by the growing interest in the Internet of Things (IoT), companies are looking into how they can connect and exchange data with their customers, their suppliers, their branches, and among themselves. And they are quickly discovering that current security models are not adequate. A recent Frost & Sullivan report points towards “security-by-design” instead of “security-by-default” as critical for the connected enterprise.

How did we get to this point? On the industrial side, operational technology (OT) has garnered a wealth of experience in data connectivity through SCADA (Supervisory Control and Data Acquisition) systems that provide plant-wide real-time communications for mission-critical industrial processes. In this space, the promise of the Internet of Things (IoT) is being embraced and extended as the Industrial IoT (or IIoT) among the likes of GE, IBM, and others.

At the same time, these new opportunities for connecting to the plant have caught the interest of the traditional information technology (IT) people within the enterprise. For decades the “top floor” of management has been cut off from what happens on the “shop floor” of operations. Now, using IIoT technologies, it seems that there may be new ways of connecting IT to OT, and integrating enterprise systems directly with operations and production.

The big challenge is security. “Solution providers in the IT and the OT ecosystems must join hands to deploy end-to-end cyber security solutions for industrial systems,” according to Julia Nikishkina at Frost & Sullivan in a summary of the report.

The traditional security model for OT networks has until recently relied mainly on physically restricting all access. Many companies simply do not connect their plant operations network to the Internet at all. As demand for inbound and outbound data access has grown, companies have been turning to VPNs or other add-on security measures to allow some level of connectivity. These, according to the Frost & Sullivan report, are woefully inadequate.

“The influx of IT solutions into the operational technology space highlights the need for security-by-design rather than security-by-default,” says Nikishkina. “As a majority of industries upgrade to smart systems and processes, industrial cybersecurity will soon make the inevitable shift from a reactive operating model to a proactive design philosophy.”

The Frost & Sullivan report describes what is a daily reality for us at Skkynet. Our SkkyHub service demonstrates how secure-by-design actually works, providing a platform for seamless, end-to-end data connectivity between OT and IT. By keeping all firewall ports closed at both the OT and IT ends, it exposes no attack surface to the Internet, and yet provides bidirectional data flow in real time.

Security: Connected Car vs Connected Plant

Over the last few weeks I have been reading articles on security breaches with the connected car: hackers remotely control a Jeep, VW hides a security flaw, researchers hack a Corvette. But these challenges are not as unique as car manufacturers would like you to believe, and they are absolutely avoidable.

The main issue at hand is that we as consumers see our car as an engine with four wheels and a few seats. We don’t think of our car as a production system, with hundreds of sensors, control panels and a visual HMI to display the information on an easy-to-understand screen. But that is exactly what your car is: a mobile automation platform, with a fully integrated supervisory control and data acquisition (SCADA) system, no different from the systems found on a traditional factory floor.

So why can’t we learn from the factory to build a secure car? For the same reason that industry is having challenges securing the plant. SCADA systems were first designed in the 1970s. At that time security was not the primary concern for factories; data acquisition was. Your modern SCADA system is designed around the same principles that were established almost half a century ago: a client-server architecture, where you request the information and the system gives it to you. Sensors connected to PLCs are not programmed to give you values automatically; they must be asked for their values, and once asked they will happily provide them in milliseconds. The same holds true for your car, since the control systems in your vehicle are based on exactly the same principles as industrial automation.

In your typical plant, the SCADA network is protected from operations, and again protected from business planning systems. Since the plant does not require the Internet, its network does not need to be protected against unsecured access. In some cases, plants will allow access through proxy servers, firewalls, and the use of a VPN, all in place to secure the connection. To support this access, the plant must expose a port on a firewall to allow for incoming connections. The problem is that you’re vulnerable at your weakest point, as was the case with the Target hack.

Today, if you asked a nuclear power facility to attach a black box to their SCADA network which uses a cellular connection to monitor water flow, they would throw you out of the office. So why is the manufacturer of your car or your insurance company doing just that? That black box that you attach to your OBD-II port, the SIM card in your vehicle or your remote key are all potential attack surfaces: exposed ports with an IP address waiting to be hacked.

The only way to prevent a hacker is to remove all attack surfaces and keep all inbound firewall ports closed, which requires a different approach. At Skkynet, that is exactly what we do. Skkynet’s SkkyHub is a secure end-to-end platform used to connect virtually any industrial or embedded data source, visualize the data, and monitor or control your process or system from afar. Secure by design, there are no Internet attack surfaces and no VPNs, and yet it allows for bidirectional communications and supervisory control.

Since onboard car systems are so similar to industrial automation systems in this way, the solution for providing secure remote access on industrial systems applies to cars as well. With today’s technology there is no reason to expose a plant, device, or a connected car to Internet attack. What manufacturers need to do is change the conversation. The plant, device, or car should publish the information, and authorized individuals or devices should subscribe in order to receive it. It is a simple change that addresses security: no open firewall ports, no attack surfaces.

Secure Remote Monitoring and Supervisory Control

New technologies such as Software as a Service, the Internet of Things and cloud computing for industrial process temperature bring new challenges, but there are solutions.

Interest in using cloud computing — also known as Software as a Service (SaaS) — to provide remote access to industrial systems continues to rise. Vendors and company personnel alike point to potential productivity improvements and cost savings as well as convenience. Operators and plant engineers may want to receive alarms and adjust heating controls while moving around the plant. Managers would like to see production data in real time — not just in end-of-shift or daily reports. Hardware vendors could benefit from getting live readings from their installed equipment for maintenance and troubleshooting operations.

Some industrial processors are attempting to provide this kind of window into their production systems. Yet, many question the wisdom of opening up a plant’s mission-critical control network to the possibility of malicious attack or even misguided errors. With a proper understanding of what is at stake, what is being proposed and how it can best be implemented, you can better decide whether remote access to your production data could benefit your company.

Security First for Industrial Networks

When talking about remote access to plant data, the first concern is security. Any approach that exposes the control system to unauthorized entry should be off the table. One popular approach is to secure the network against any potential intruders and open it only to trusted parties. Connections into the plant typically originate from smartphones, tablets, laptops or desktop computers. These systems usually are running a human-machine interface (HMI), remote desktop application, database browser or other proprietary connector.

In most cases, the plant engineering staff or IT department can grant client access to the network via a virtual private network (VPN), so authorized users can get the data they need. However, a typical VPN connection provides link-layer integration between network participants. This means that once on the network, an outsider has access to all other systems on the network. Thus, the company must either fully trust each person who is granted access to the network, or task the IT manager with securing and protecting the resources within the network.

It would be unwise to risk giving visitors full access to everything that a VPN exposes. Using a VPN this way is a little like having a visitor come into your plant. Suppose a service technician arrives at the gate saying he needs to check a piece of equipment. You could just tell the guard to check his credentials, and if he checks out, give him a hardhat, directions and send him in. That is the limited-security approach. A better way would be to provide a guide to ensure that the technician finds his destination, does his work and leaves with only the information he came to get. It takes more effort and planning, but if you are going to allow someone to enter the premises, such effort is necessary to ensure security.

Better than VPN

An even better approach is to only allow access to the data itself. Consider this: the user of the data — be it vendor, customer or even corporate manager — does not need access to the whole network. Instead, they just need the data. So, rather than allowing a client to log on via a VPN connection while the IT manager works to secure confidential areas of the network from the inside, wouldn’t it be better to provide access to the data outside of the network altogether?

To continue our analogy, this would be like the guard handing the service technician exactly the data he needs when he arrives at the gate. There is no need to open the gate and no need to let him into the plant. In fact, the service company, vendor or other authorized party could request that the data be sent to their own location, so they do not even have to go to the plant in the first place. This approach to remote monitoring is far more secure.

Is such a scenario realistic? Yes, if you use the right technology in the right way. For example, WebSocket is a protocol that supports communication over TCP, similar to HTTP. But unlike HTTP, once a WebSocket connection is established, client and server can exchange data indefinitely. The protocol also supports SSL encryption, a well-tested security protocol. Thus, WebSocket technology can be used to open and maintain a secure data tunnel over TCP from a plant to a cloud server without opening any ports in any firewalls. Once the tunnel connection is established, data can flow bidirectionally.

Isolating the Industrial Process Data

Such a data-centric approach to remote monitoring and supervisory control has several benefits. One key advantage is that the process can run in complete isolation from the remote client. Low-level control — and, in fact, all systems within the plant — remain completely invisible to the remote clients. The only point of contact for the remote client is the selected data set being streamed from the plant, and that data resides in the cloud.

While nobody seriously imagines making low-level control changes over a cloud connection, a solution based on WebSocket technology could allow both read-only and read/write client connections for those applications where remote changes are deemed acceptable. Authorized personnel then would have the ability to effect change in plant processes for diagnostic or maintenance purposes via a secure connection. This approach would not require any open firewall ports, so the plant remains invisible to the Internet.

Regardless of the intended use of the data, a correctly provisioned WebSocket connection to the cloud provides the process isolation needed to provide access to data without jeopardizing your in-plant systems.

Any Data Protocols

Another advantage to this approach is that it can be protocol-agnostic. Ideally, the system would carry only the raw data over TCP in a simple format: name, value and timestamp for each change in value. The connector would convert the plant protocol, such as OPC or Modbus, to a simple data feed to the cloud. Requiring a minimum of bandwidth and system resources, the data would flow in real time to all registered clients.

Each client, in turn, can convert the data into whatever format is most convenient and appropriate for their application. Options include spreadsheets, databases, web pages or custom programs.

Better yet, this approach to remote monitoring is not necessarily limited to in-plant connections. Custom-developed WebSocket connectors small enough to fit on embedded devices such as temperature sensors or flowmeters could be placed at remote locations any distance from the plant. Then, by wired or cellular connections to the Internet, the devices would connect directly to the cloud via WebSocket tunnels, without going through the traditional SCADA system, if need be. Such high-performance connectivity would support secure, real-time M2M communications and meet essential requirements of the industrial Internet of Things (IoT).
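The publish/subscribe model, the plant-initiated tunnel, the isolation of the plant behind a selected data set with read-only or read/write clients, and the name/value/timestamp feed described in the sections above can be modelled in a few dozen lines. The following is an added example written for this page, not Skkynet's code: the `PlantConnector`, `Hub`, `Change` classes, the point names such as `Furnace1.Temp`, and the client identities are all constructed. The channel between plant and hub is an in-memory callback standing in for the outbound TLS WebSocket the text describes; the security-relevant properties (the plant never listens, only exported points leave, only changes are sent, writes are checked per client before they travel back down the plant-initiated tunnel) are implemented in the logic rather than assumed.

```python
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class Change:
    """One record of the simple feed: name, value and timestamp of a change."""
    name: str
    value: float
    timestamp: float

    def to_json(self) -> str:
        return json.dumps({"name": self.name, "value": self.value, "ts": self.timestamp})

    @staticmethod
    def from_json(line: str) -> "Change":
        d = json.loads(line)
        return Change(d["name"], d["value"], d["ts"])


class PlantConnector:
    """Plant side (hypothetical). Takes samples from the local driver (OPC, Modbus, ...)
    and pushes only changes to exported points over a channel the plant itself opened."""

    def __init__(self, send: Callable[[str], None], exported: Set[str]):
        self._send = send          # outbound channel to the hub; nothing listens here
        self._exported = exported  # the selected data set; nothing else leaves the plant
        self._last: Dict[str, float] = {}
        self.writes_applied: List[Change] = []

    def update(self, name: str, value: float, ts: Optional[float] = None) -> Optional[Change]:
        """Returns the Change sent, or None if the point is not exported or unchanged."""
        if name not in self._exported or self._last.get(name) == value:
            return None
        self._last[name] = value
        ch = Change(name, value, time.time() if ts is None else ts)
        self._send(ch.to_json())
        return ch

    def on_write(self, line: str) -> bool:
        """Write request arriving back down the same tunnel; only exported points are writable."""
        ch = Change.from_json(line)
        if ch.name not in self._exported:
            return False
        self.writes_applied.append(ch)
        self.update(ch.name, ch.value, ch.timestamp)  # echo the new value back out
        return True


class Hub:
    """Cloud side (hypothetical): current values, per-client point lists and rights, fan-out."""

    def __init__(self) -> None:
        self.current: Dict[str, Change] = {}
        self._clients: Dict[str, dict] = {}
        self._to_plant: Optional[Callable[[str], bool]] = None

    def attach_plant(self, to_plant: Callable[[str], bool]) -> None:
        self._to_plant = to_plant

    def subscribe(self, client_id: str, points: Set[str], can_write: bool = False) -> None:
        # replay current values so a new subscriber is immediately consistent
        inbox = [ch.to_json() for n, ch in self.current.items() if n in points]
        self._clients[client_id] = {"points": points, "write": can_write, "inbox": inbox}

    def on_plant_message(self, line: str) -> None:
        ch = Change.from_json(line)
        self.current[ch.name] = ch
        for c in self._clients.values():
            if ch.name in c["points"]:
                c["inbox"].append(line)

    def write(self, client_id: str, name: str, value: float) -> bool:
        """Forward a write only if this client may write this point."""
        c = self._clients.get(client_id)
        if c is None or not c["write"] or name not in c["points"] or self._to_plant is None:
            return False
        return self._to_plant(Change(name, value, time.time()).to_json())

    def inbox(self, client_id: str) -> List[Change]:
        return [Change.from_json(line) for line in self._clients[client_id]["inbox"]]


def run_demo() -> dict:
    """Constructed scenario: one furnace, a read-only dashboard, a vendor with write rights."""
    hub = Hub()
    plant = PlantConnector(send=hub.on_plant_message, exported={"Furnace1.Temp", "Furnace1.Setpoint"})
    hub.attach_plant(plant.on_write)
    hub.subscribe("manager-dashboard", {"Furnace1.Temp"}, can_write=False)
    hub.subscribe("vendor-tech", {"Furnace1.Temp", "Furnace1.Setpoint"}, can_write=True)

    plant.update("Furnace1.Temp", 812.5, ts=1.0)          # constructed samples from the driver
    plant.update("Furnace1.Temp", 812.5, ts=2.0)          # unchanged: nothing sent
    plant.update("Furnace1.Temp", 813.0, ts=3.0)
    plant.update("Furnace1.Setpoint", 815.0, ts=3.5)
    plant.update("PLC7.InternalRegister", 42.0, ts=4.0)   # not exported: never leaves the plant

    refused = hub.write("manager-dashboard", "Furnace1.Setpoint", 820.0)  # read-only client
    accepted = hub.write("vendor-tech", "Furnace1.Setpoint", 820.0)       # authorized write
    return {
        "manager_msgs": len(hub.inbox("manager-dashboard")),
        "vendor_msgs": len(hub.inbox("vendor-tech")),
        "write_refused": refused,
        "write_accepted": accepted,
        "setpoint_now": hub.current["Furnace1.Setpoint"].value,
        "internal_leaked": "PLC7.InternalRegister" in hub.current,
        "writes_at_plant": len(plant.writes_applied),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running the demo shows the read-only dashboard receiving two temperature changes and nothing else, the vendor receiving four records (including the echoed result of its own write), the write from the read-only client refused at the hub before it ever reaches the plant, and the PLC's internal register absent from the hub entirely. In a deployment, `send` and `to_plant` would be the two directions of one TLS WebSocket that the connector dials out to the hub, which is what lets the plant firewall keep every inbound port closed.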

Changes and Challenges

However you look at it, change is on the horizon for industrial process control systems. The current state of the art for networked control systems was made possible by dramatic technical breakthroughs in the 80s and 90s. Many industry experts say that we are now on the verge of similar breakthroughs in remote monitoring and supervisory control. Whether they call it cloud computing, Software as a Service (SaaS), Industry 4.0 or the Industrial Internet of Things (IIoT), most will agree that the biggest challenge right now is security.

New technology provides new capabilities, and it also presents new demands that may challenge our way of thinking. Accessing data from a plant or remote sensor halfway across the world needs a different approach to security than our current models were designed for. Yet, there is no need to remain attached to the status quo if it does not truly meet the needs. These are engineering problems, and there are engineering solutions.

Bob McIlvride is the director of communications with Skkynet Cloud Systems Inc., Mississauga, Ontario, Canada. Skkynet provides secure cloud-service remote monitoring services and can be reached at 888-628-2028 or visit the website at http://skkynet.com.

Skkynet Welcomes New Advisory Board Member

Internet and SCADA security expert Dr. José Fernandez to oversee security strategy and development for SkkyHub™ as new Advisory Board Member.

Mississauga, Ontario, February 9, 2015 – Skkynet Cloud Systems, Inc. (“Skkynet” or “the Company”) (OTCQB:SKKY), a global leader in real-time cloud information systems, is pleased to announce that Dr. José M. Fernandez, Associate Professor in the Department of Computer Engineering and Software at the École Polytechnique de Montréal has joined Skkynet’s Advisory Board. Dr. Fernandez is currently involved in research in computer security for Internet applications and SCADA systems, and will be a valuable asset to ensuring the integrity of the SkkyHub™ service.

“We are fortunate to gain the benefit of Dr. Fernandez’s wisdom and experience,” said Paul Thomas, President of Skkynet. “There are strong and growing concerns for the security of the Internet of Things (IoT), particularly in the industrial area. From the start Skkynet has striven to put security at the forefront in the design of SkkyHub, and we expect Dr. Fernandez to contribute significantly to our efforts.”

“I’m looking forward to working with the Skkynet security team,” said Dr. Fernandez. “The approach to security taken by the SkkyHub service is unique, and may well become a key factor in ensuring the success of cloud-based industrial computing.”

Skkynet’s SkkyHub allows industrial and embedded systems to securely network live data in real time from any location. Secure by design, it requires no VPN, no open firewall ports, no special programming, and no additional hardware. It enables bidirectional supervisory control, integration, and sharing of data with multiple users, and real-time access to selected data sets in a web browser. The service is capable of handling over 50,000 data changes per second per client, at speeds just a few milliseconds over Internet latency.

About Skkynet Cloud Systems, Inc.:

Skkynet Cloud Systems, Inc. (OTCQB:SKKY) is a global leader in real-time cloud information systems. The Skkynet Connected Systems platform includes the award-winning SkkyHub™ service, DataHub®, WebView™, and embedded toolkit software. The platform enables real-time data connectivity for industrial, embedded, and financial systems, with no programming required. Skkynet’s platform is uniquely positioned for the “Internet of Things” and “Industry 4.0” because unlike the traditional approach for networked systems, SkkyHub is secure-by-design. Customers include Microsoft, Siemens, Metso, ABB, Honeywell, IBM, GE, Statoil, Goodyear, BASF, Cadbury Chocolate, and the Bank of Canada. For more information, see http://skkynet.com.

Safe Harbor:

This news release contains “forward-looking statements” as that term is defined in the United States Securities Act of 1933, as amended and the Securities Exchange Act of 1934, as amended. Statements in this press release that are not purely historical are forward-looking statements, including beliefs, plans, expectations or intentions regarding the future, and results of new business opportunities. Actual results could differ from those projected in any forward-looking statements due to numerous factors, such as the inherent uncertainties associated with new business opportunities and development stage companies. We assume no obligation to update the forward-looking statements. Although we believe that any beliefs, plans, expectations and intentions contained in this press release are reasonable, there can be no assurance that they will prove to be accurate. Investors should refer to the risk factors disclosure outlined in our annual report on Form 10-K for the most recent fiscal year, our quarterly reports on Form 10-Q and other periodic reports filed from time-to-time with the Securities and Exchange Commission.

Skkynet Wins Best IoT Security Solution Award at M2M Expo 2015

SkkyHub™ service recognized as secure, commercially available, end-to-end Internet of Things (IoT) solution with “Best IoT Security Solution” win.

Mississauga, Ontario, February 3, 2015 – Skkynet Cloud Systems, Inc. (“Skkynet” or “the Company”) (OTCQB:SKKY), a global leader in real-time cloud information systems, is pleased to announce that its SkkyHub™ service won the Battle of the Platforms for Best IoT Security Solution at the M2M Evolution Conference and Expo in Miami on January 27, 2015. The M2M (machine-to-machine) show brings together CIOs, CTOs, managers, engineers, and other key players working to connect devices and machines on the Internet of Things (IoT). Live demonstrations of SkkyHub connected an on-site industrial control panel to the cloud, enabling show participants to interact with the system from their smart phones, manipulating the controls on the panel in real time.

“On behalf of Crossfire Media, TMC and M2M Evolution, I am excited to announce Skkynet as a 2015 Battle of the Platforms Winner,” said Carl Ford, CEO, Crossfire Media, executive director of content, M2M Evolution. “Its award-winning SkkyHub is driving machine-to-machine advancements that are transforming what is possible in the Internet of Things. Skkynet truly deserves this award and I look forward to more innovative solutions from them in the future.”

“We are honored to win the Battle of the Platforms, particularly in the category of security,” said Ken Collins, Director of Product Development for Skkynet. “Our secure-by-design approach to the IoT means that individual devices, remote systems, and whole industrial plants can connect to each other via the cloud without any additional hardware or VPN, and without opening any firewalls or exposing any data to the Internet.”

About Crossfire Media

Crossfire Media is an integrated marketing company with a core focus on future trends in technology. We service communities of interest with conferences, tradeshows, webinars and newsletters. Crossfire Media has a partnership with Technology Marketing Corporation (TMC) to produce events and websites related to disruptive technologies. Crossfire Media is a division of Crossfire Consulting, a full service Information Technology company based in New York.

About TMC

TMC is a global, integrated media company that supports clients’ goals by building communities in print, online, and face to face. TMC publishes multiple magazines including Cloud Computing, M2M Evolution, Customer, and Internet Telephony. TMCnet is the leading source of news and articles for the communications and technology industries, and is read by as many as 1.5 million unique visitors monthly. TMC produces a variety of trade events, including ITEXPO, the world’s leading business technology event, as well as industry events: Asterisk World; AstriCon; ChannelVision (CVx) Expo; Cloud4SMB Expo; Customer Experience (CX) Hot Trends Symposium; DevCon5 – HTML5 & Mobile App Developer Conference; LatinComm Conference and Expo; M2M Evolution Conference & Expo; Mobile Payment Conference; Software Telco Congress; Super Wi-Fi Summit – The Global Spectrum Sharing and TV White Space Event; SIP Trunking, Unified Communications & WebRTC Seminars; Wearable Tech Conference & Expo III; Fitness and Sports Wearable Technology (FAST) Expo II, WebRTC Conference & Expo IV; and more. Visit TMC Events for additional information.

BYOD Impacts the Factory Floor

The growing worldwide trend for workers to “bring your own device” (BYOD) to work has impacted the industrial space, according to an IHS Technology survey.

The past few years have witnessed a remarkable growth in the popularity of smart phones and tablet computers. The Pew Research Center’s Mobile Technology Fact Sheet reported that by January 2014 58% of adults in the USA owned a smartphone, and 42% of them had a tablet computer. A Nielsen Company report says that people in the UK used their smartphones nearly twice as much by the end of 2013 as they did in the beginning of that year.

With such broad usage of smartphones and tablets, it is not surprising that people expect to bring that power and convenience into the workplace. Indeed, this is rapidly becoming the case, as reported in the 2nd Annual State of BYOD Report issued last year by Good Technology. According to their survey, 95% of enterprises either support BYOD in the workplace, or are at some stage in planning or considering it.

These worldwide trends are resonating in the industrial space, according to Toby Colquhoun and Tom Moore at IHS Technology. In a recent article, Mobile devices spread to the factory floor, they share the results of an IHS global survey of companies in the manufacturing and energy sectors. Of the companies surveyed, almost half of them (46%) are currently allowing their employees to use smartphones and tablets at work, and another 11% plan to adopt such technologies within the next three years.

To clarify, this is not actually BYOD in most cases. You won’t find many factory workers monitoring mission-critical systems on their personal cell phones. Typically, companies that allow smartphones and tablets on the shop floor issue them to the personnel, preconfigured for the data they are authorized to access. The investment in equipment is offset by the advantages of this portable technology for monitoring processes from anywhere in the plant, responding quickly to alarms, and in some cases doing supervisory control.

But not everyone sees it this way. About 7% of the participating companies that are currently using mobile devices plan to discontinue this kind of program within the next three years, and another 20% surveyed responded that they have no plans to adopt the technology over that time period. The reasons for this reluctance include device performance in an industrial setting, as well as concerns for the security of the data.

“Integration of smartphones and tablets into the company network adds a potential new point of vulnerability for hackers/malware to exploit,” states the report. It also mentions concerns related to human error and carelessness, which can be addressed by company policy. But the report does not mention how companies can protect their vital data from exposure to the Internet.

To ensure the success of BYOD in the industrial sector, security questions must be resolved. The approach of Skkynet’s Secure Cloud Service™ addresses these questions in a unique way. Details about the service will be shared in a Skkynet white paper to be published soon. Put briefly, the traditional architecture for industrial networking was not designed for access via the public Internet, because it requires opening the firewall into the production system. With the proper design, as implemented in the Secure Cloud Service, BYOD is not only possible in the industrial space, it can be secure, quick, and convenient. As this kind of high quality service becomes widely adopted over the next few years, we can expect to witness some remarkable changes taking place on the factory floor.