Industrial IoT Myths – Busted!

It looks like the Industrial IoT is growing and spreading so quickly that a whole mythology is getting built up around it.  In a recent blog, Teri Maltais at RtTech Software identifies four Industrial IoT myths, and deconstructs them.  From what we can see, these myths are founded on real concerns among industrial users.  Here is how Maltais addresses them:

Cost concerns: Maltais says that on-premise and IIoT solutions offer essentially the same functionality, and provide the same ROI.  However, IIoT solutions replace the cost of up-front capital investment with monthly operating-expense payments, making them more cost-effective.

Security concerns: She breaks down the topic of security into three areas: 1) on-site, 2) communication, and 3) cloud level security.  On-site security is the same as always, she says—pay attention to passwords, physical access, anti-virus software, etc.  Her discussion of inbound and outbound communication covers the security features of a few data protocols (a discussion which we believe could be strengthened by mentioning a secure-by-design approach like Skkynet’s).  At the cloud level she suggests what to look for in a good service provider, and quotes a Microsoft study in which small and midsize companies were shown to gain security benefits.

Concerns about too much data: RtTech Software, whom Maltais works for, provides tools for collecting and analyzing production data.  She says that tools such as theirs can be used to manage the large amount of data generated from IIoT systems.

Concerns about a track record: Maltais acknowledges that the IIoT has a limited track record, due in large part to the fact that it is new.  But, she adds, many IIoT applications are essentially the same as on-premise software, as mentioned above.

One take-away is that the Industrial IoT may have more in common with on-premise systems than you would expect. This point of view fits well with Skkynet’s evolutionary approach to the Industrial IoT, which provides a secure and seamless path of growth from in-plant to remote data access that can be implemented gradually, and on an as-needed basis.

Industrial SaaS Whitepaper

We just posted a new whitepaper discussion on “What is a Good Approach to Industrial SaaS.”  Software as a Service (“SaaS”) provides access to hosted software over a network, typically the Internet, and is closely related to the concepts of smart factories, cloud computing, industrial Internet, machine-to-machine (M2M), and the Internet of Things (IoT).

“A chain is only as strong as its weakest link,” goes the old saying. How true that is in industrial control systems. … Factory automation, power generation, resource extraction and processing, transportation and logistics are all supported by chains of mechanisms, hardware, and software, as well as operators and engineers that must each carry out their mission to produce the expected output, product, or service.

The whitepaper goes into a discussion of the key qualities that are necessary for widespread acceptance of industrial SaaS, such as:

  1. Security: industrial systems require the highest possible level of security, and achieving it over unsecured networks involves a comprehensive approach from the design stage of the overall system.
  2. Robustness: industrial software as a service should provide as close to real-time performance as the network or Internet infrastructure will support, such as millisecond updates, thousands of data changes per second, and support for redundant connections with hot swap-over capability.
  3. Adaptability: industrial SaaS should be able to connect seamlessly to any new or installed system at any number of locations with no changes to hardware or software, using open data protocols and APIs, and readily scale up or down depending on user needs.
  4. Convenience: industrial SaaS should be convenient to use, from ease of demoing, to sign up, configuration, usage monitoring and low cost.  It should offer off-the-shelf tools to get your data to and from the cloud with no programming, provide the ability to easily integrate data from multiple sources, and include options like data storage and HMI displays–all without disrupting the industrial process in any way.

Read the Whitepaper.

Connecting Enterprises Need Secure-by-Design

All over the world, enterprises are connecting. Inspired or pushed by the growing interest in the Internet of Things (IoT), companies are looking into how they can connect and exchange data with their customers, their suppliers, their branches, and among themselves. And they are quickly discovering that current security models are not adequate. A recent Frost & Sullivan report points towards “security-by-design” instead of “security-by-default” as critical for the connected enterprise.

How did we get to this point? On the industrial side, operational technology (OT) has garnered a wealth of experience in data connectivity through SCADA (Supervisory Control and Data Acquisition) systems that provide plant-wide real-time communications for mission-critical industrial processes. In this space, the promise of the Internet of Things (IoT) is being embraced and extended as the Industrial IoT (or IIoT) among the likes of GE, IBM, and others.

At the same time, these new opportunities for connecting to the plant have caught the interest of the traditional information technology (IT) people within the enterprise. For decades the “top floor” of management has been cut off from what happens on the “shop floor” of operations. Now, using IIoT technologies, it seems that there may be new ways of connecting IT to OT, and integrating enterprise systems directly with operations and production.

The big challenge is security. “Solution providers in the IT and the OT ecosystems must join hands to deploy end-to-end cyber security solutions for industrial systems,” according to Julia Nikishkina at Frost & Sullivan in a summary of the report.

The traditional security model for OT networks has until recently relied mainly on physically restricting all access. Many companies simply do not connect their plant operations network to the Internet―at all. As demand for inbound and outbound data access has grown, companies have been turning to VPNs or other add-on security measures to allow some level of connectivity. These, according to the Frost & Sullivan report, are woefully inadequate.

“The influx of IT solutions into the operational technology space highlights the need for security-by-design rather than security-by-default,” says Nikishkina. “As a majority of industries upgrade to smart systems and processes, industrial cybersecurity will soon make the inevitable shift from a reactive operating model to a proactive design philosophy.”

The Frost & Sullivan report describes what is a daily reality for us at Skkynet. Our SkkyHub service demonstrates how secure-by-design actually works, providing a platform for seamless, end-to-end data connectivity between OT and IT. By keeping all firewall ports closed at both the OT and IT ends, it exposes no attack surface to the Internet, and yet provides bidirectional data flow in real time.

Security: Connected Car vs Connected Plant

Over the last few weeks I have been reading articles on security breaches with the connected car: hackers remotely control a Jeep, VW hides a security flaw, researchers hack a Corvette. But these challenges are not as unique as car manufacturers would like you to believe, and they are absolutely avoidable.

The main issue at hand is that we as consumers see our car as an engine with four wheels and a few seats. We don’t think of our car as a production system, with hundreds of sensors, control panels and a visual HMI to display the information in an easy-to-understand screen. But that is exactly what your car is: a mobile automation platform, with a fully integrated supervisory control and data acquisition (SCADA) system, no different than the systems found on a traditional factory floor.

So why can’t we learn from the factory to build a secure car? For the same reason that industry is having challenges securing the plant. SCADA systems were first designed in the 1970s. At that time security was not the primary concern for factories; data acquisition was. Your modern SCADA system is designed around the same principles that were founded almost half a century ago: a client-server architecture, where you request the information and the system gives it to you. Sensors connected to PLCs are not programmed to automatically give you values; they must be asked for their values, and once asked they will happily provide those values in milliseconds. The same holds true for your car, since the control systems in your vehicle are based on exactly the same principles as industrial automation.

In your typical plant, the SCADA network is protected from operations, and again protected from business planning systems. Since the plant does not require the Internet, its network does not need to be protected against unsecured access. In some cases, plants will allow access through proxy servers, firewalls, and the use of a VPN, all in place to secure the connection. To support this access, the plant must expose a port on a firewall to allow for incoming connections. The problem is that you’re vulnerable at your weakest point, as was the case with the Target hack.

Today if you asked a nuclear power facility to attach a black box on their SCADA network which uses a cellular connection to monitor water flow, they would throw you out of the office. So why is the manufacturer of your car or your insurance company doing just that? That black box that you attach to your OBD-II port, the SIM card in your vehicle or your remote key are all potential attack surfaces; exposed ports with an IP address waiting to be hacked.

The only way to prevent a hacker is to remove all attack surfaces, and keep all inbound firewall ports closed, which requires a different approach. At Skkynet, that is exactly what we do. Skkynet’s SkkyHub is a secure end-to-end platform used to connect virtually any industrial or embedded data source, visualize the data, and monitor or control your process or system from afar. Secure by design, there are no Internet attack surfaces and no VPNs, and yet it allows for bi-directional communications and supervisory control.

Since onboard car systems are so similar to industrial automation systems in this way, the solution for providing secure remote access on industrial systems applies to cars as well. With today’s technology there is no reason to expose a plant, device, or a connected car to Internet attack. What manufacturers need to do is change the conversation. The plant, device, or car should publish the information, to which authorized individuals or devices should subscribe in order to receive the information. It is a simple change that addresses security: no open firewall ports, no attack surfaces.

Secure Remote Monitoring and Supervisory Control

New technologies such as Software as a Service, the Internet of Things and cloud computing for industrial process temperature bring new challenges, but there are solutions.

Interest in using cloud computing — also known as Software as a Service (SaaS) — to provide remote access to industrial systems continues to rise. Vendors and company personnel alike point to potential productivity improvements and cost savings as well as convenience. Operators and plant engineers may want to receive alarms and adjust heating controls while moving around the plant. Managers would like to see production data in real time — not just in end-of-shift or daily reports. Hardware vendors could benefit from getting live readings from their installed equipment for maintenance and troubleshooting operations.

Some industrial processors are attempting to provide this kind of window into their production systems. Yet, many question the wisdom of opening up a plant’s mission-critical control network to the possibility of malicious attack or even misguided errors. With a proper understanding of what is at stake, what is being proposed and how it can best be implemented, you can better decide whether remote access to your production data could benefit your company.

Security First for Industrial Networks

When talking about remote access to plant data, the first concern is security. Any approach that exposes the control system to unauthorized entry should be off the table. One popular approach is to secure the network against any potential intruders and open it only to trusted parties. Connections into the plant typically originate from smartphones, tablets, laptops or desktop computers. These systems usually are running a human-machine interface (HMI), remote desktop application, database browser or other proprietary connector.

In most cases, the plant engineering staff or IT department can grant client access to the network via a virtual private network (VPN), so authorized users can get the data they need. However, a typical VPN connection provides link-layer integration between network participants. This means that once on the network, an outsider has access to all other systems on the network. Thus, the company must either fully trust each person who is granted access to the network, or the company must task the IT manager with securing and protecting the resources within the network.

It would be unwise to risk giving visitors full access to everything that a VPN exposes. Using a VPN this way is a little like having a visitor come into your plant. Suppose a service technician arrives at the gate saying he needs to check a piece of equipment. You could just tell the guard to check his credentials, and if he checks out, give him a hardhat, directions and send him in. That is the limited-security approach. A better way would be to provide a guide to ensure that the technician finds his destination, does his work and leaves with only the information he came to get. It takes more effort and planning, but if you are going to allow someone to enter the premises, such effort is necessary to ensure security.

Better than VPN

An even better approach is to only allow access to the data itself. Consider this: the user of the data — be it vendor, customer or even corporate manager — does not need access to the whole network. Instead, they just need the data. So, rather than allowing a client to log on via a VPN connection while the IT manager works to secure confidential areas of the network from the inside, wouldn’t it be better to provide access to the data outside of the network altogether?

To continue our analogy, this would be like the guard handing the service technician exactly the data he needs when he arrives at the gate. There is no need to open the gate and no need to let him into the plant. In fact, the service company, vendor or other authorized party could request the data be sent to their own location, so they do not even have to go to the plant in the first place. This approach to remote monitoring is far more secure.

Is such a scenario realistic? Yes, if you use the right technology in the right way. For example, WebSocket is a protocol that supports communication over TCP, similar to HTTP. But unlike HTTP, once a WebSocket connection is established, client and server can exchange data indefinitely. The protocol also supports SSL encryption, a well-tested security protocol. Thus, WebSocket technology can be used to open and maintain a secure data tunnel over TCP from a plant to a cloud server without opening any inbound ports in any firewalls: the plant initiates the connection outbound, and the cloud server never connects in. Once the tunnel connection is established, data can flow bi-directionally.

Isolating the Industrial Process Data

Such a data-centric approach to remote monitoring and supervisory control has several benefits. One key advantage is that the process can run in complete isolation from the remote client. Low-level control — and, in fact, all systems within the plant — remain completely invisible to the remote clients. The only point of contact for the remote client is the selected data set being streamed from the plant, and that data resides in the cloud.

While nobody seriously imagines making low-level control changes over a cloud connection, a solution based on WebSocket technology could allow both read-only and read/write client connections for those applications where remote changes are deemed acceptable. Authorized personnel then would have the ability to effect change in plant processes for diagnostic or maintenance purposes via a secure connection. This approach would not require any open firewall ports, so the plant remains invisible to the Internet.

Regardless of the intended use of the data, a correctly provisioned WebSocket connection to the cloud provides the process isolation needed to provide access to data without jeopardizing your in-plant systems.
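The publish/subscribe model described in the connected-car post above, and the read-only versus read/write client connections and process isolation described in this section, can be shown in a small model. The following is an added example, not Skkynet code and not how SkkyHub is implemented: the WebSocket tunnel is abstracted as in-process method calls, the process tags and client names are constructed, and the point of the model is the access rules, not the transport. The plant connector is the only party that opens a connection (outbound, to the hub); remote clients see only the exported point set; only clients provisioned "rw" can queue a write; and the plant connector, not the hub, decides which queued writes to apply.

```python
"""Data-centric hub model. Added example (not Skkynet code); the WebSocket
tunnel is abstracted as method calls and all names/values are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PointChange:
    name: str
    value: float
    timestamp: float


class Hub:
    """Cloud-side broker: holds only what the plant pushed, has no route
    back into the plant network, and never initiates a connection."""

    def __init__(self):
        self._points = {}          # exported point name -> latest PointChange
        self._clients = {}         # client id -> "ro" or "rw"
        self._pending_writes = []  # (name, value) queued for the plant to pull

    def register_client(self, client_id, permission):
        if permission not in ("ro", "rw"):
            raise ValueError("permission must be 'ro' or 'rw'")
        self._clients[client_id] = permission

    def publish(self, change):
        """Called by the plant connector over its outbound tunnel."""
        self._points[change.name] = change

    def read(self, client_id, name):
        self._permission_of(client_id)
        if name not in self._points:
            raise KeyError(name)   # unexported points are invisible to clients
        return self._points[name].value

    def write(self, client_id, name, value):
        if self._permission_of(client_id) != "rw":
            raise PermissionError(f"{client_id} is read-only")
        if name not in self._points:
            raise KeyError(name)
        self._pending_writes.append((name, float(value)))
        return True

    def drain_writes(self):
        """Plant connector pulls queued writes; the hub never pushes into the plant."""
        writes, self._pending_writes = self._pending_writes, []
        return writes

    def _permission_of(self, client_id):
        if client_id not in self._clients:
            raise PermissionError(f"unknown client {client_id}")
        return self._clients[client_id]


class PlantConnector:
    """Plant side: exports a chosen subset of tags and honours writes only
    for the subset it marked writable (a subset of the exported set)."""

    def __init__(self, hub, process, exported, writable):
        self.hub, self.process = hub, process   # process: constructed tag dict
        self.exported, self.writable = set(exported), set(writable) & set(exported)

    def push(self, now):
        for name in sorted(self.exported):
            self.hub.publish(PointChange(name, self.process[name], now))

    def apply_writes(self):
        applied = []
        for name, value in self.hub.drain_writes():
            if name in self.writable:
                self.process[name] = value
                applied.append(name)
        return applied


def run_demo():
    """Constructed scenario; returns observations for checking."""
    process = {"furnace.temp_c": 812.5, "furnace.setpoint_c": 800.0, "plc.program_mode": 1.0}
    hub = Hub()
    hub.register_client("vendor", "ro")
    hub.register_client("ops_manager", "rw")
    plant = PlantConnector(hub, process, exported={"furnace.temp_c", "furnace.setpoint_c"},
                           writable={"furnace.setpoint_c"})
    plant.push(now=1000.0)
    result = {"vendor_reads_temp": hub.read("vendor", "furnace.temp_c")}
    try:
        hub.read("vendor", "plc.program_mode"); result["plc_visible"] = True
    except KeyError:
        result["plc_visible"] = False
    try:
        hub.write("vendor", "furnace.setpoint_c", 790.0); result["ro_write_allowed"] = True
    except PermissionError:
        result["ro_write_allowed"] = False
    hub.write("ops_manager", "furnace.setpoint_c", 790.0)
    hub.write("ops_manager", "furnace.temp_c", 0.0)     # exported, but not writable
    result["applied"] = plant.apply_writes()
    result["setpoint_now"], result["temp_now"] = process["furnace.setpoint_c"], process["furnace.temp_c"]
    return result
```

Running `run_demo()` shows the three isolation properties at once: the read-only vendor sees the furnace temperature but not the PLC mode tag, its write attempt is refused at the hub, and of the two writes queued by the read/write client only the one targeting a tag the plant declared writable is applied when the plant pulls its queue.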

Any Data Protocols

Another advantage to this approach is that it can be protocol-agnostic. Ideally, the system would carry only the raw data over TCP in a simple format: name, value and timestamp for each change in value. The connector would convert the plant protocol, such as OPC or Modbus, to a simple data feed to the cloud. Requiring a minimum of bandwidth and system resources, the data would flow in real time to all registered clients.

Each client, in turn, can convert the data into whatever format is most convenient and appropriate for their application. Options include spreadsheets, databases, web pages or custom programs.
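The name/value/timestamp change feed described above can be illustrated with a connector that polls a plant-protocol register map and emits only values that changed. This is an added example, not Skkynet's wire format or connector: the register addresses, point names and poll values are constructed, the record format (tab-separated name, value, timestamp, one record per line) is an assumption chosen for the example, and the decoder shows the validation a cloud-side receiver would want before trusting a record.

```python
"""Change-only data feed. Added example; the record format and register map
are constructed for illustration, not Skkynet's protocol."""
import math
from typing import Dict, List, NamedTuple


class Change(NamedTuple):
    name: str
    value: float
    timestamp: float


# Constructed map: plant-protocol register address -> exported point name.
# Any register not listed here never leaves the plant.
REGISTER_NAMES = {
    40001: "line1.flow_lpm",
    40002: "line1.pressure_kpa",
    40003: "line1.temp_c",
    40004: "line1.valve_pct",
}


class ChangeFeed:
    """Plant-side converter: raw register poll -> list of changed points."""

    def __init__(self, register_names: Dict[int, str]):
        self._names = dict(register_names)
        self._last: Dict[str, float] = {}   # last value sent per point

    def poll(self, registers: Dict[int, int], now: float) -> List[Change]:
        out = []
        for addr, raw in registers.items():
            name = self._names.get(addr)
            if name is None:
                continue                      # unmapped register: dropped
            value = float(raw)
            if self._last.get(name) != value:  # first poll or changed value
                self._last[name] = value
                out.append(Change(name, value, now))
        return out


def encode(changes: List[Change]) -> List[str]:
    """One text record per change: name<TAB>value<TAB>timestamp."""
    return [f"{c.name}\t{c.value!r}\t{c.timestamp!r}" for c in changes]


def decode_line(line: str) -> Change:
    """Cloud-side parser; rejects malformed or non-finite records."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 3 or not parts[0] or any(ch.isspace() for ch in parts[0]):
        raise ValueError(f"malformed record: {line!r}")
    try:
        value, ts = float(parts[1]), float(parts[2])
    except ValueError:
        raise ValueError(f"non-numeric field in record: {line!r}") from None
    if not (math.isfinite(value) and math.isfinite(ts)):
        raise ValueError(f"non-finite field in record: {line!r}")
    return Change(parts[0], value, ts)


def run_demo() -> List[int]:
    """Three constructed polls; returns the number of records sent per poll."""
    feed = ChangeFeed(REGISTER_NAMES)
    polls = [
        (1000.0, {40001: 120, 40002: 310, 40003: 85, 40004: 50, 40099: 7}),
        (1001.0, {40001: 120, 40002: 310, 40003: 86, 40004: 50}),
        (1002.0, {40001: 120, 40002: 310, 40003: 86, 40004: 50}),
    ]
    sent_per_poll = []
    for now, registers in polls:
        lines = encode(feed.poll(registers, now))
        for line in lines:
            decode_line(line)   # receiver-side check: every record round-trips
        sent_per_poll.append(len(lines))
    return sent_per_poll
```

The first poll sends every mapped point once (the unmapped register 40099 is silently dropped), the second sends only the one temperature change, and the third sends nothing, which is where the bandwidth saving of a change-driven feed comes from. On the receiving side `decode_line` refuses records with the wrong field count, whitespace in the point name, or non-numeric or non-finite values, so a corrupted or crafted record cannot quietly become a data point.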

Better yet, this approach to remote monitoring is not necessarily limited to in-plant connections. Custom-developed WebSocket connectors small enough to fit on embedded devices such as temperature sensors or flowmeters could be placed at remote locations any distance from the plant. Then, by wired or cellular connections to the Internet, the devices would connect directly to the cloud via WebSocket tunnels, without going through the traditional SCADA system, if need be. Such high-performance connectivity would support secure, real-time M2M communications and meet essential requirements of the industrial Internet of Things (IoT).

Changes and Challenges

However you look at it, change is on the horizon for industrial process control systems. The current state of the art for networked control systems was made possible by dramatic technical breakthroughs in the 80s and 90s. Many industry experts say that we are now on the verge of similar breakthroughs in remote monitoring and supervisory control. Whether they call it cloud computing, Software as a Service (SaaS), Industry 4.0 or the Industrial Internet of Things (IIoT), most will agree that the biggest challenge right now is security.

New technology provides new capabilities, and it also presents new demands that may challenge our way of thinking. Accessing data from a plant or remote sensor halfway across the world needs a different approach to security than our current models were designed for. Yet, there is no need to remain attached to the status quo if it does not truly meet the needs. These are engineering problems, and there are engineering solutions.

Bob McIlvride is the director of communications with Skkynet Cloud Systems Inc., Mississauga, Ontario, Canada. Skkynet provides secure cloud-service remote monitoring services and can be reached at 888-628-2028 or visit the website at http://skkynet.com.

Skkynet Welcomes New Advisory Board Member

Internet and SCADA security expert Dr. José Fernandez to oversee security strategy and development for SkkyHub™ as new Advisory Board Member.

Mississauga, Ontario, February 9, 2015 – Skkynet Cloud Systems, Inc. (“Skkynet” or “the Company”) (OTCQB:SKKY), a global leader in real-time cloud information systems, is pleased to announce that Dr. José M. Fernandez, Associate Professor in the Department of Computer Engineering and Software at the École Polytechnique de Montréal has joined Skkynet’s Advisory Board. Dr. Fernandez is currently involved in research in computer security for Internet applications and SCADA systems, and will be a valuable asset to ensuring the integrity of the SkkyHub™ service.

“We are fortunate to gain the benefit of Dr. Fernandez’s wisdom and experience,” said Paul Thomas, President of Skkynet. “There are strong and growing concerns for the security of the Internet of Things (IoT), particularly in the industrial area. From the start Skkynet has striven to put security at the forefront in the design of SkkyHub, and we expect Dr. Fernandez to contribute significantly to our efforts.”

“I’m looking forward to working with the Skkynet security team,” said Dr. Fernandez. “The approach to security taken by the SkkyHub service is unique, and may well become a key factor in ensuring the success of cloud-based industrial computing.”

Skkynet’s SkkyHub allows industrial and embedded systems to securely network live data in real time from any location. Secure by design, it requires no VPN, no open firewall ports, no special programming, and no additional hardware. It enables bidirectional supervisory control, integration, and sharing of data with multiple users, and real-time access to selected data sets in a web browser. The service is capable of handling over 50,000 data changes per second per client, at speeds just a few milliseconds over Internet latency.

About Skkynet Cloud Systems, Inc.:

Skkynet Cloud Systems, Inc. (OTCQB:SKKY) is a global leader in real-time cloud information systems. The Skkynet Connected Systems platform includes the award-winning SkkyHub™ service, DataHub®, WebView™, and embedded toolkit software. The platform enables real-time data connectivity for industrial, embedded, and financial systems, with no programming required. Skkynet’s platform is uniquely positioned for the “Internet of Things” and “Industry 4.0” because unlike the traditional approach for networked systems, SkkyHub is secure-by-design. Customers include Microsoft, Siemens, Metso, ABB, Honeywell, IBM, GE, Statoil, Goodyear, BASF, Cadbury Chocolate, and the Bank of Canada. For more information, see http://skkynet.com.

Safe Harbor:

This news release contains “forward-looking statements” as that term is defined in the United States Securities Act of 1933, as amended and the Securities Exchange Act of 1934, as amended. Statements in this press release that are not purely historical are forward-looking statements, including beliefs, plans, expectations or intentions regarding the future, and results of new business opportunities. Actual results could differ from those projected in any forward-looking statements due to numerous factors, such as the inherent uncertainties associated with new business opportunities and development stage companies. We assume no obligation to update the forward-looking statements. Although we believe that any beliefs, plans, expectations and intentions contained in this press release are reasonable, there can be no assurance that they will prove to be accurate. Investors should refer to the risk factors disclosure outlined in our annual report on Form 10-K for the most recent fiscal year, our quarterly reports on Form 10-Q and other periodic reports filed from time-to-time with the Securities and Exchange Commission.