US Gas Pipeline Ransomware Shutdown – A Ready Solution

An entire US gas pipeline was shut down for two days due to a ransomware attack, according to a recent report from the US Cybersecurity and Infrastructure Security Agency (CISA). The hackers got in through a spear-phishing email sent to someone on the IT network, then crossed over into the OT network and infected HMIs, data historians, and polling servers on the process control system. Although only one facility was hit, management shut down the whole pipeline for two days, resulting in loss of productivity and revenue to the pipeline, as well as to upstream production systems and downstream distribution networks.

This need not have happened. There is a simple remedy―isolate the OT network. They could have used Skkynet software on a DMZ to keep their firewalls closed and their gas pipeline system secure.

Using a DMZ

The first technical recommendation in the CISA report is to segment networks using a DMZ: “Implement and ensure robust Network Segmentation between IT and OT networks to limit the ability of adversaries to pivot to the OT network even if the IT network is compromised. Define a demilitarized zone (DMZ) that eliminates unregulated communication between the IT and OT networks.”

The easiest and most cost-effective way to pass production data securely through a DMZ is using DataHub tunnelling. Because it is secure by design, DataHub tunnelling can provide bidirectional data flow with no open inbound firewall ports, and no VPNs. The key is to access the data, not the network. This technology has been deployed in mission-critical systems worldwide for over 20 years, and was implemented recently in the TANAP project in which DataHub software was used to securely transmit process data from an 1800 km pipeline into a central control system through closed firewall ports.

Secure OT Assets

The second technical requirement recommended by CISA is to secure OT assets as much as possible.  The report said, “Organize OT assets into logical zones by taking into account criticality, consequence, and operational necessity. Define acceptable communication conduits between the zones and deploy security controls to Filter Network Traffic and monitor communications between zones. Prohibit Industrial Control System (ICS) protocols from traversing the IT network.”

Again, DataHub tunnelling is a ready, off-the-shelf conduit for making the necessary connections.  It provides secure, bidirectional real-time data mirroring between logical zones of OT assets, and from OT to IT. Data traverses the tunnel using the DHTP protocol, and can be converted to or from industrial protocols at either end.
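
A check along the lines of the CISA guidance quoted above, as an added example (not code from the CISA report or from Skkynet): it audits a constructed firewall rule list against a zone model in which IT and OT may only connect into the DMZ and ICS protocols may not touch the IT zone. The zone names, subnets, rule format and conduit list are assumptions, and each allow rule is judged on its own, without modelling rule order.

```python
import ipaddress
from dataclasses import dataclass
from itertools import product

# Assumed zone layout (constructed addresses).
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("10.30.0.0/16"),
}
# Assumed conduits, as (initiating zone, destination zone): both sides may
# open connections into the DMZ; nothing may initiate into OT or IT.
ALLOWED_CONDUITS = {("IT", "DMZ"), ("OT", "DMZ")}
# Registered TCP ports of common ICS protocols.
ICS_PORTS = {102: "S7comm/ISO-TSAP", 502: "Modbus/TCP",
             20000: "DNP3", 44818: "EtherNet/IP"}


@dataclass
class Rule:
    name: str
    src: str       # source CIDR
    dst: str       # destination CIDR
    port: int      # destination TCP port
    action: str = "allow"


def zones_touched(cidr):
    """Zones a CIDR overlaps; 'EXTERNAL' is added when it reaches outside every zone."""
    net = ipaddress.ip_network(cidr)
    hit = [zone for zone, zone_net in ZONES.items() if net.overlaps(zone_net)]
    if not any(net.subnet_of(zone_net) for zone_net in ZONES.values()):
        hit.append("EXTERNAL")
    return hit


def audit(rules):
    """Return (rule name, problem) for every allow rule that breaks the zone model."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        for s, d in product(zones_touched(r.src), zones_touched(r.dst)):
            if s == d:
                continue  # traffic inside one zone is out of scope here
            if (s, d) not in ALLOWED_CONDUITS:
                findings.append((r.name, f"unregulated conduit {s}->{d} on port {r.port}"))
            if r.port in ICS_PORTS and "IT" in (s, d):
                findings.append((r.name, f"{ICS_PORTS[r.port]} traverses the IT network ({s}->{d})"))
    return findings


# Constructed rule set for the example.
RULES = [
    Rule("historian-push", "10.30.5.10/32", "10.20.0.5/32", 443),
    Rule("erp-read", "10.10.0.0/16", "10.20.0.5/32", 443),
    Rule("legacy-smb", "10.10.0.0/16", "10.30.0.0/16", 445),
    Rule("vendor-s7", "0.0.0.0/0", "10.30.7.20/32", 102),
    Rule("it-modbus", "10.10.8.0/24", "10.20.0.9/32", 502),
    Rule("block-rdp", "10.10.0.0/16", "10.30.0.0/16", 3389, "deny"),
]

if __name__ == "__main__":
    for name, problem in audit(RULES):
        print(f"{name}: {problem}")
```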

Of course, the most secure system relies on sound planning and operational strategies in addition to strong technical and architectural solutions. The choice of software is one element of a larger picture. But in this case, simply using Skkynet IoT software would have prevented this gas pipeline shutdown altogether.

IIoT Security: Attacks Grow More Likely, Users Unaware

A few weeks ago hackers of industrial systems reached a new milestone. For the first time in history, someone was able to break into the safety shutdown system of a critical infrastructure facility. Roaming undetected through the system for an unknown amount of time, the hackers finally got stopped when they inadvertently put some controllers into a “fail-safe” mode that shut down other processes, which alerted plant staff that something was wrong.

The danger was not just in the safety mechanisms themselves, but for the whole plant. “Compromising a safety system could let hackers shut them down in advance of attacking other parts of an industrial plant, potentially preventing operators from identifying and halting destructive attacks,” said cyber experts interviewed by Reuters.

Plan Ahead

That facility was lucky this time around. What about next time? What about the next plant? Rather than relying on luck, it is better to plan for the future. As attacks grow more likely, those systems that are secure by design, that offer zero attack surface, that are undetectable on the Internet, stand a much better chance. This has always been Skkynet’s approach, and as the threats increase, it makes more and more sense.

In fact, the industrial world is largely unprepared for these kinds of attacks. Industrial systems evolved for decades cut off from the Internet, and until recently there was little need to change. And a surprising number of users seem unwilling to acknowledge the risks. According to a recent article in Ars Technica, hundreds of companies across Europe are running a popular model of Siemens PLC (programmable logic controller) with TCP port 102 open to the Internet. “It’s an open goal,” commented security researcher Kevin Beaumont.

Government Mandates

The situation has attracted the attention of governments, who realize the need to protect critical infrastructure for the sake of their citizens. The United Kingdom has issued a new directive authorizing regulators to inspect cyber security precautions taken by energy, transport, water and health companies, reports the BBC. The National Cyber Security Centre has published guidelines, and companies that fail to comply are liable for fines of up to 17 million pounds. “We want our essential services and infrastructure to be primed and ready to tackle cyber-attacks and be resilient against major disruption to services,” said Margot James, Minister for Digital.

IT to OT Challenges

What has brought all of this into focus over the past few years has been the increased awareness of a need for process data outside of the production facility. Companies are recognizing the value of the data in their OT (operational technology) systems, and want to integrate it into their IT systems to help cut costs and improve overall efficiency for the company as a whole. What they may not realize is that the tools of IT were not designed for the world of OT, and the security practices of OT are not adequate for the Internet.

The WannaCry virus that affected many companies worldwide last year is a case in point. Companies using VPNs to protect their IT-to-OT connections found out first-hand that a VPN merely extends the security perimeter of the plant out into an insecure world. A breach in an employee email can expose the whole plant to the threat of a shutdown. “WannaCry is the personification of why computers on the corporate networks should not be directly connected to OT networks,” according to Gartner Analyst Barika Pace in a recent report, Why IIoT Security Leaders Should Worry About Cyberattacks Like WannaCry, January 30, 2018. “It is also the reflection of the inevitable convergence of IT and OT. Based on your risk tolerance and operational process, segmentation, where possible, is still critical.”

Segment Your Systems

By segmentation, Pace means dividing networks into security zones, and maintaining security between each zone through the use of firewalls, DMZs, data diodes and other similar technologies to ensure that if one system gets hacked, it cannot affect others. Segmentation is part of a secure-by-design approach that Skkynet endorses and provides. Our software and services offer a way to connect IT and OT systems through DMZs or the cloud without opening any outbound firewall ports.

A Siemens PLC in this kind of segmented system could be accessed by authorized parties, and exchange data in both directions, without opening TCP port 102 to the Internet. Managers of critical infrastructure that implement this secure-by-design approach to segmentation are not only ready for government inspection, they have taken the best precaution against those who would intrude, hack, and attack their mission-critical systems.

As attacks on critical infrastructure become more likely, users must become aware, and prepare. The acknowledged benefits of IIoT need not entail unnecessary risk—securing an industrial system can be done, and done well. A big step is to segment your OT system through a secure-by-design approach, such as that offered by Skkynet.

Don’t WannaCry on your Industrial IoT System

Pretty much anyone who has a computer or listens to the news has heard about the WannaCry virus that swept across the world a few days ago, installing itself on computers in businesses, hospitals, government agencies, and homes, encrypting hard drives and demanding ransom payments.  After scrambling to ensure that our operating systems are up-to-date and protected against this latest threat, the question soon comes up: How can we protect ourselves against similar threats in the future?

“How?” indeed.  That would seem difficult.  Our reliance on networked computers for business and personal use is fully entrenched, and business/personal PCs will remain vulnerable for the foreseeable future.  In the industrial arena, some may conclude this latest attack is yet another reason to hold off on their IoT strategy.  Or, at least: “You should use a VPN to keep it safe.”

And yet neither of these instincts is necessarily correct because (i) it is possible to build a secure Industrial IoT (“IIoT”) system, and (ii) VPN is not the way to do it.  Industrial control systems may use the same underlying operating systems as PCs but they are different in one critical aspect.  They exchange real-time control data, not files and emails.

How WannaCry Got In

WannaCry comes in two parts – an email “bomb” that exploits your anti-virus software and a “worm” that propagates throughout your network by exploiting configuration weaknesses and operating system bugs.  The special danger of WannaCry is that it can infect a computer through email even if you never open the email message.  Once WannaCry arrives through email, the worm takes over to attack the rest of the computers on your network.

The worm portion of the virus spreads itself by finding other machines on the network.  According to analysis of the code by Zammis Clark at Malwarebytes Labs, “After initializing the functionality used by the worm, two threads are created. The first thread scans hosts on the LAN. … The scanning thread tries to connect to port 445, and if so creates a new thread to try to exploit the system using MS17-010/EternalBlue.” (the bug that the virus exploits)

If there is no open port on the other computer, the virus cannot spread.  But the VPN is not much help here.  If anyone on the VPN is struck by the virus, then every machine on the LAN is exposed.  Suppose you have an IIoT system connecting a corporate office to a process control system over a VPN.  If the virus activates on any of the connected machines in the IT department, it can easily propagate itself to any of the connected machines on the industrial LAN.
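
Detection logic for the behaviour described above, as an added example (not code from Malwarebytes or Skkynet): it looks through constructed connection records for a host that tries port 445 on many distinct peers within a short window, and separately lists every port 445 attempt that crosses from the IT subnet into the industrial LAN. The record format, subnets, state labels and thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict

IT_NET = ipaddress.ip_network("192.168.10.0/24")   # assumed office subnet
OT_NET = ipaddress.ip_network("192.168.50.0/24")   # assumed industrial LAN behind the VPN
SMB_PORT = 445
FANOUT_THRESHOLD = 5    # assumed: distinct port-445 peers that count as scanning
WINDOW_SECONDS = 10     # assumed: sliding window for the fan-out count

# Constructed records: "epoch_seconds src dst dst_port state"; state is
# SYN (handshake never completed) or EST (connection established).
SAMPLE_FLOWS = """\
1000 192.168.10.21 192.168.10.5 445 EST
1030 192.168.10.21 192.168.10.5 445 EST
2000 192.168.10.44 192.168.10.1 445 SYN
2000 192.168.10.44 192.168.10.2 445 SYN
2001 192.168.10.44 192.168.10.3 445 SYN
2001 192.168.10.44 192.168.10.5 445 EST
2002 192.168.10.44 192.168.10.6 445 SYN
2003 192.168.10.44 192.168.50.10 445 EST
2003 192.168.10.44 192.168.50.11 445 SYN
2010 192.168.50.10 192.168.50.20 502 EST
3000 192.168.10.30 192.168.10.5 445 EST
3100 192.168.10.30 192.168.10.6 445 EST
3200 192.168.10.30 192.168.10.7 445 EST
3300 192.168.10.30 192.168.10.8 445 EST
3400 192.168.10.30 192.168.10.9 445 EST
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts, src, dst, port, state = parts
        flows.append((int(ts), src, dst, int(port), state))
    return flows


def smb_scanners(flows):
    """Map each source to its peak count of distinct port-445 peers inside one
    window, keeping only sources at or above the threshold."""
    by_src = defaultdict(list)
    for ts, src, dst, port, _state in flows:
        if port == SMB_PORT:
            by_src[src].append((ts, dst))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] >= WINDOW_SECONDS:
                start += 1
            best = max(best, len({dst for _, dst in events[start:end + 1]}))
        if best >= FANOUT_THRESHOLD:
            scanners[src] = best
    return scanners


def cross_zone_smb(flows):
    """Port-445 attempts from the IT subnet into the industrial LAN. An EST
    entry means the path is open: nothing between the zones blocked it."""
    return [(src, dst, state) for _, src, dst, port, state in flows
            if port == SMB_PORT
            and ipaddress.ip_address(src) in IT_NET
            and ipaddress.ip_address(dst) in OT_NET]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("scanning hosts:", smb_scanners(flows))
    print("IT->OT SMB attempts:", cross_zone_smb(flows))
```

The host at 192.168.10.30 reaches five different file shares but spread over several minutes, so the window keeps it out of the result; only the burst from 192.168.10.44 is reported.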

How to Keep WannaCry Out

The tongue-in-cheek answer is “don’t use email”.  More seriously, industrial systems and IT systems should be separated from one another.  There is no need to read email from the industrial LAN.  Don’t install email software on your industrial computers, and don’t allow email traffic through your firewall.

But industrial systems still need to communicate their data.  How can you reach the data without exposing the industrial network?  The solution is spelled out in detail in the latest white paper from Cogent (a Skkynet company) titled: Access Your Data, Not Your Network. This paper explains why the traditional architecture of industrial systems is not suitable for secure Industrial IoT or Industrie 4.0 applications, and discusses the inherent risks of using a VPN.  But most important, it introduces the best approach for secure IIoT and Industrie 4.0, which is to provide access to industrial data without exposing the network at all.

Specifically, the Skkynet-provisioned devices and the DataHub can make outbound connections to SkkyHub without opening any firewall ports.  These connections are robust channels that support bidirectional, real-time communications for doing monitoring and supervisory control.  The WannaCry virus or anything similar cannot spread into this system because they can’t see anything to infect.  The devices on the network are completely invisible.  Skkynet’s approach provides access to the data only, not to the network.
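
The outbound-only connection pattern described here and under “Using a DMZ”, as an added example (a generic illustration, not Skkynet's code and not the DHTP protocol): the plant side only dials out to a relay, yet data and a supervisory write travel in both directions over that one socket. The JSON line format, tag names and loopback addresses are assumptions, and the exchange runs in plaintext on one machine.

```python
import json
import socket
import threading


def relay(listener, seen):
    """DMZ/cloud side: the only listening socket in the design. Accepts the
    plant's outbound connection, records its update and sends a write back."""
    conn, _ = listener.accept()
    conn.settimeout(5)
    with conn, conn.makefile("rw", encoding="utf-8", newline="\n") as f:
        seen["update"] = json.loads(f.readline())              # plant -> relay
        f.write(json.dumps({"write": "pump1.setpoint", "value": 42}) + "\n")
        f.flush()                                              # relay -> plant, same socket
        seen["ack"] = json.loads(f.readline())


def plant(relay_addr, tags):
    """OT side: never calls bind() or listen(), so there is no inbound port to
    open in the plant firewall; it needs one egress rule to the relay."""
    with socket.create_connection(relay_addr, timeout=5) as s, \
            s.makefile("rw", encoding="utf-8", newline="\n") as f:
        f.write(json.dumps({"tag": "pump1.flow", "value": tags["pump1.flow"]}) + "\n")
        f.flush()
        cmd = json.loads(f.readline())          # supervisory write arrives on the
        tags[cmd["write"]] = cmd["value"]       # connection the plant itself opened
        f.write(json.dumps({"ack": cmd["write"]}) + "\n")
        f.flush()


def run_demo():
    """Run both sides over loopback; return the plant's tags and what the relay saw."""
    tags = {"pump1.flow": 17.5, "pump1.setpoint": 40}   # constructed tag values
    seen = {}
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))     # relay picks a free port
        listener.listen(1)
        t = threading.Thread(target=relay, args=(listener, seen))
        t.start()
        plant(listener.getsockname(), tags)
        t.join(5)
    return tags, seen


if __name__ == "__main__":
    tags, seen = run_demo()
    print("relay received:", seen["update"])
    print("plant tags after write:", tags)
```

The write reaches the plant although the plant accepts no inbound connection, so the relay, and the set of tags it is allowed to write, has to be authenticated and authorised like any other control path.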

Industrial IoT, Big Data & M2M Summit―Takeaways

Last week several of us here at Skkynet had the pleasure to attend and present a case study at the Industrial IoT, Big Data & M2M Summit in Toronto.  IoT specialists representing a wide range of industries, from mining, manufacturing, and energy to telecom and software gathered to share insights and learn from collective experience how to get the most out of Industrial IoT.

Challenges to IoT adoption were a key topic of discussion.  There was considerable agreement among summit participants that one of the primary challenges is not technical, but cultural.  Switching from software ownership to data as a service requires a new mind-set, which not everyone is willing to adopt.  Speaker after speaker underlined the need to communicate value and get buy-in from all concerned parties. You should start with a small pilot project, with minimal investment, and demonstrate ROI.  Other challenges discussed included incompatible protocols and security risks.

Summit Theme: Partnerships

A common theme that prevailed in presentations and comments throughout the summit was that the IoT casts such a wide net that nobody can do all of it well.  We need to work together.

“IoT is all around partnerships,” said Christopher Beridge, Director of Business Development – IoT and Business Solutions at Bell Mobility.

“A lot of people have a part to play when you are talking IoT,” according to Matthew Wells, Senior Product General Manager at GE Digital.

“Smartness depends on how interconnected you are,” commented Steven Liang, Associate Professor at the University of Calgary, and conference chair.

Above all, there was agreement that the IoT is here to stay. “Our focus is to make things more efficient, reliable, affordable, and convenient, and the IoT is a way to do it,” said Michael Della Fortune, Chief Executive Officer of Nexeya Canada.  “It powers and upholds the 4 Vs—Variety, Volume, Velocity, and Veracity—of Big Data.”

Perhaps Timon LeDain, Director, Internet of Things at Macadamian summed it up best when he said, “IoT will be done by you, or done to you.”

Case Study: Wind Turbine Farm, USA

DataHub Scripting solution calms the conflict of bats vs. blades

Required by law to protect a rare species of bat, a major wind power generation company finds a solution using the Cogent DataHub®.

A rapid expansion of wind farms across the Eastern and Central United States has been checked in the past couple of years due to growing concerns for wildlife. An endangered bat species lives in that area, and is protected by law. Fears that the whirring blades of wind turbines could be harmful to this species of bat were sufficient to halt construction of a wind farm in West Virginia in 2009, and the discovery of a dead bat near a wind turbine in Pennsylvania in 2011 caused the power company to shut down the whole 35-turbine system for several weeks.

Although wind turbines are known to cause a few fatalities among common tree-dwelling bats, the endangered bat was thought to be largely safe, as it lives in caves, hibernates for more than half the year, and is seldom found in the vicinity of wind turbines. However, in the fall these bats migrate from their feeding grounds to their home caves for the winter. During this time, the chances of them passing through a wind farm are greatly increased.

In March a few years ago a major power company in the USA was informed by the US Fish & Wildlife Service that a number of turbines on the bat migration routes would need to be shut down while the bats are migrating. This caused quite a stir. The migration period for the bats is two months long―from mid-August to mid-October. Shutting down the whole system for that length of time would be very costly, not to mention the loss of clean energy which would need to be replaced by fossil fuels.

To maximize uptime, the company gained permission to let the turbines run during the times that the bats were not flying – all daylight hours, and in the night time when air temperatures drop below a specific temperature setpoint, or when the wind is fairly strong. The challenge was to implement a complete solution. A single bat fatality could mean full shut-down, legal penalties, and even lawsuits.

Top management at the company immediately took action, contacting the wind turbine manufacturer, who also provides the control systems. After several months of emails and meetings, it became apparent that the manufacturer would not have anything ready in time for the mid-August deadline.

“With three weeks to go, they told us there was no solution in sight,” said the SCADA engineer responsible for the project, “and we would need to go to manual operation, and reconfigure the cut-in speed on every turbine, twice a day.”

Most wind turbines are designed to “cut in”, or start turning to produce energy, when the wind is blowing at a certain speed. For these turbines, the normal cut-in speed is 3.5 meters per second. As the bats are active in low to moderate wind speeds, the company would need to raise that to 7 meters per second each night, and then drop it back down to 3.5 the following morning. This would mean manually reconfiguring the PLCs for 100 turbines, twice a day.

A better way

“I thought there must be a better way,” the project manager continued. “We’d been using the DataHub for years, and knew the potential was there to leverage this asset further. I gave Skkynet a call, and told them what we were up against. They delivered by helping us to develop a very efficient program using the native scripting language of the DataHub. The code ran right on the SCADA interface of the OEM system – so it’s as reliable as you can get.”

“Working together with Skkynet, we came up with a DataHub script that doesn’t change the cut-in speed of the turbines at all. We just blocked them from starting. The script tells each turbine to stay off, and keeps measuring wind speed. When it picks up to 7 meters per second, the script releases the turbine to start, and it ramps right up to the operating state. At the end of the day, we have a complete audit trail of every turbine controlled, including a history of critical parameters, such as rotational and wind speeds, and energy curtailed.”

“The script also has a temperature component. On cool nights in September and October, when the temperature drops below the dew point, it uses the same algorithm for starting and stopping the wind turbines.”

By the first week of August a test script was written, and after a few days of testing and last-minute tweaks, it was ready. The system went live on August 15th, and is meeting all expectations. Every night, whenever the air temperature is above the setpoint and the wind speed falls below 7 meters per second, the wind turbines stop, allowing the endangered bats to return safely to their caves for a long winter hibernation.

“I call the DataHub the Canadian Swiss Army Knife,” said the project manager. “We are able to accomplish a host of required functions with a single product solution. The ability to provide sophisticated logic and control algorithms with the built-in functionality of this product is the game changer. Being able to securely deliver real-time data between a site and the control center system allows the dispatch team to monitor the control process and maximize the production of clean, renewable, energy sources. Talk about a smart grid – who would have thought we’d be doing this type of thing in real time?”

Skkynet to Showcase Complete Industrial IoT Solution for Top Manufacturing Executives

Manufacturing and control system executives to receive hands-on demos of Skkynet’s IoT technology.

Mississauga, Ontario, March 30, 2016 – Skkynet Cloud Systems, Inc. (“Skkynet” or “the Company”) (OTCQB:SKKY), a global leader in real-time cloud information systems, will present and demonstrate its fully integrated SkkyHub™ service, DataHub® industrial middleware, and Skkynet ETK at the North American Manufacturing Excellence Summit (NAMES) on April 5-6 in Chicago, and at the Control System Integrators Association (CSIA) 2015 Executive Conference on April 19-22 in Puerto Rico.

“The top decision-makers and leaders in manufacturing and industrial automation attending these events are looking for ways to gain a competitive edge,” said Paul Thomas, President of Skkynet. “What they will find in our demos is an end-to-end solution that they can connect to new or existing systems, and immediately start reaping the benefits of the Industrial IoT (Internet of Things).”

Each of these conferences brings together executives in leading manufacturing and system integration firms, as well as plant managers and supply chain leaders.  At the NAMES summit, managers and leaders from GE and John Deere will be discussing the Industrial IoT, and how it offers a competitive edge for manufacturers.  At the CSIA event, presidents and managers of system integration companies will meet to pool their experience and catch up on the latest methods and technologies for industrial automation and control.

Skkynet’s contribution to these gatherings is to demonstrate the complete solution offered by using the DataHub with in-plant systems and the Skkynet ETK with embedded devices to connect to the SkkyHub service.  This approach to the Industrial IoT offers a secure, robust, end-to-end solution for remote monitoring and supervisory process control.  The integration of both in-plant and field device connections allows plant engineers and system integrators to bridge the gap between industrial control systems and the Internet of Things (IoT).

Skkynet’s SkkyHub service allows industrial and embedded systems to securely network live data in real time from any location. It enables bidirectional supervisory control, integration and sharing of data with multiple users, and real-time access to selected data sets in a web browser. The service is capable of handling over 50,000 data changes per second per client, at speeds of just microseconds over Internet latency. Secure by design, it requires no VPN, no open firewall ports, no special programming, and no additional hardware.

Skkynet’s Cogent DataHub industrial middleware solution connects to virtually any industrial system using standard protocols such as OPC, Modbus, TCP, and ODBC to support OPC networking, server-server bridging, aggregation, data logging, redundancy, and web-based HMI. The Skkynet Embedded Toolkit (ETK) allows embedded devices to make a secure connection to the Internet of Things, enabling real-time, bidirectional data flow and edge computing using a built-in scripting language.

About Skkynet Cloud Systems, Inc.

Skkynet Cloud Systems, Inc. (OTCQB:SKKY) is a global leader in real-time cloud information systems. The Skkynet Connected Systems platform includes the award-winning SkkyHub™ service, DataHub®, WebView™, and Embedded Toolkit (ETK) software. The platform enables real-time data connectivity for industrial, embedded, and financial systems, with no programming required. Skkynet’s platform is uniquely positioned for the “Internet of Things” and “Industry 4.0” because unlike the traditional approach for networked systems, SkkyHub is secure-by-design. Customers include Microsoft, Caterpillar, Siemens, Metso, ABB, Honeywell, IBM, GE, Statoil, Goodyear, BASF, E.ON, Bombardier, and the Bank of Canada. For more information, see

Safe Harbor:

This news release contains “forward-looking statements” as that term is defined in the United States Securities Act of 1933, as amended and the Securities Exchange Act of 1934, as amended. Statements in this press release that are not purely historical are forward-looking statements, including beliefs, plans, expectations or intentions regarding the future, and results of new business opportunities. Actual results could differ from those projected in any forward-looking statements due to numerous factors, such as the inherent uncertainties associated with new business opportunities and development stage companies. We assume no obligation to update the forward-looking statements. Although we believe that any beliefs, plans, expectations and intentions contained in this press release are reasonable, there can be no assurance that they will prove to be accurate. Investors should refer to the risk factors disclosure outlined in our annual report on Form 10-K for the most recent fiscal year, our quarterly reports on Form 10-Q and other periodic reports filed from time-to-time with the Securities and Exchange Commission.