Tag Archives: Industrial

How autonomous systems use AI that learns from the world around it

Millions of engineers across industries such as automotive, aerospace, industrial machinery and medical devices have already built models of the systems they work on using MATLAB or Simulink. This new partnership allows users to bring simulation models built using MATLAB and Simulink to Microsoft’s Azure cloud computing platform, enabling unprecedented scalability and making it easier for developers and engineers building autonomous systems.

“Our core interest really comes down to engineering productivity — the ability to succeed at a task in the least amount of time possible,” said Loren Dean, MathWorks senior director of engineering for MATLAB products.  “This partnership allows engineers to stay in a familiar workflow to learn and apply AI without having to do the things that are non-traditional for them, like setting up the infrastructure to run a bunch of simulations at once. They’re shielded from all that.”

By running hundreds or thousands of simulations in parallel in Azure and learning from massive amounts of data at once, deep reinforcement learning algorithms can find optimal solutions to chaotic, real-world control problems that other types of AI still struggle to solve.

It turns out these problems are everywhere, said Gurdeep Pall, Microsoft’s corporate vice president for Business AI. Microsoft received three times more interest than it expected after opening its autonomous systems limited preview program in May.

The companies who have applied to work with Microsoft’s autonomous systems team and partners are looking to develop control systems to intelligently stitch fabric, optimize chemical engineering processes, manufacture durable consumer goods and even process food. The potential goes far beyond robotics or autonomous vehicles, Microsoft says.

“These are the kinds of diverse use cases for autonomous systems that we’re starting to see emerge,” Pall said.  “As customers learn about the capabilities of our toolchain, we’re seeing them apply it in really interesting ways because these control problems exist almost everywhere you look.”

Most customer use cases Microsoft has seen so far involve helping existing employees do their jobs more efficiently, safely or with higher quality, said Mark Hammond, Microsoft general manager for Business AI and the former CEO of the startup Bonsai, which Microsoft acquired last year. As sensors in modern workplaces collect ever more data, it can become difficult for any one operator — such as someone who is guiding a drill bit or calibrating expensive equipment — to track it all. AI tools can process that data and bring the most relevant patterns to that operator’s attention, enabling them to make more informed decisions.

“The journey from automated to autonomous systems is a spectrum of solutions, and very few of the engagements we’re seeing are in that fully autonomous with no humans in the loop zone,” Hammond said. “The vast majority are assistive technologies that work with people.”

Training AI systems in virtual worlds

Traditionally, AI models have often relied on labor-intensive labeled data for training, which works well for many problems but not for those that lack real-world data. Now, Microsoft and partners like MathWorks are expanding the use of AI into more areas such as those that require learning from the three-dimensional physical world around them — through the power of reinforcement learning and simulation.

Engineers have long used simulations to mathematically model the systems they work with in the real world. This allows them to estimate how a particular change in a chemical, manufacturing or industrial process may affect performance, without having to worry about slowing production or putting people or equipment at risk.

Now, those same simulations can be used to train reinforcement learning algorithms to find optimal solutions, Dean said.

“The AI is really augmenting how these traditional systems have worked — it just gives you greater confidence in your design and gives you additional capabilities that either had to be done manually before or were difficult to solve,” Dean said.

Imagine a building engineer whose job is to calibrate all the heating and cooling systems in a large commercial building to keep each room at a comfortable temperature as people stream in and out for meetings and outside weather fluctuates — while using as little energy as possible. That could involve tuning dozens of different parameters and might take many cycles of modeling and measuring changes for that engineer to find the best balance of controls.

With the new Microsoft and MathWorks partnership, that engineering expert could use machine teaching tools to help an AI system focus on the most important dimensions of the problem, set safety limits and figure out how to reward success as the algorithms learn. This allows for greater transparency and trust in how the AI system is making decisions and also helps it work more efficiently than randomly exploring all possibilities.

The engineer could train the AI using models that he or she already developed in MATLAB or Simulink. The simulations can be automatically scaled up in the Azure cloud — which means the engineer doesn’t have to worry about learning how to host and manage computing clusters.

The end result is the building engineer uses AI to zero in on promising solutions much faster — but still uses his or her judgment to decide what works best.

“This partnership really marries the best of MathWorks’ capabilities for modeling and simulation with the best of Microsoft’s capabilities for cloud computing and AI,” Microsoft’s Hammond said.

Go to Original Article
Author: Microsoft News Center

ICS security fails the Black Hat test

The news at Black Hat 2018 wasn’t great when it came to industrial control systems. But while numerous sessions added up to sweeping condemnation of ICS security, there was at least the occasional saving grace that some vendors will correct some problems — at least some of the time. Still, the apparent lack of a security-conscious culture within these organizations means they’ll only fix the minimum, leaving similar products with the same underlying hardware, firmware and fatal bugs untouched and unsecured.

Speaking in a session, called “Breaking the IIoT: Hacking Industrial Control Gateways,” Thomas Roth, security researcher and founder of Leveldown Security, an embedded and ICS security consulting and research company based in Esslingen, Germany, walked through the security faults of a series of five gateway devices he’d found at prices he could afford on eBay. He wanted to look at commonly deployed, relatively current devices — things you find in the real world.

“If you go out on the network and start scanning, you’ll find thousands of these devices. In fact, you’ll find entire network ranges that are used almost exclusively for these devices,” he said.

“Often, they use static IP addresses with no VPN protection.” One device he looked at had a proprietary protocol for its wireless communications. But if you could break it — and he did — you had access to every one of those devices in the field, because the network addressing architecture was flat and unsegmented.

The first device he looked at was typical of his various experiments, tackling a Moxa W2150A which connects ICS devices to wireless networks via an Ethernet port on the device side and a wireless interface on the other side. In between the two interfaces is an easily opened case that reveals a circuit board with pads for connecting to a debugging port. Roth discovered, in a common theme across many of the devices discussed at the conference, the port was a serial terminal connection that booted directly to a root shell in Linux.

“This is a design decision, not a bug,” Roth said. But he noted that if you have the device and you can access a root shell, then as you are writing exploits, you can debug them directly on the device, “which is a pretty nice situation to be in.”

Roth noted the firmware for the device was available on the internet from the Moxa website, but it was encrypted. At first, this seemed like a dead end. But in looking at earlier firmware versions, he noticed one of the upgrades included adding the feature of encrypting the firmware.

This led him to an unencrypted update version, which included a package called “upgrade_firmware.” This, in turn, led to a function called “firmware_decrypt” — a function name that gave the audience a chuckle — which gave him plaintext access to the current version of the software. The decryption key was, needless to say, included in the upgrade code.

Roth raised an issue that hasn’t been much discussed in ICS security: supply chain security issues caused by the wide prevalence of openly accessible terminal access ports on devices. You can change the firmware, he said, write the changed version back to the device, return it to your distributor without mentioning the change, “and they will happily resell it to someone else.” In fact, he knows this because he conducted an experiment and was sold a device with firmware he had previously rewritten.

Roth discussed four more devices in some detail, with two of them still in the process of disclosure, “and there are a lot of fun issues.”

Beyond Roth’s pathway strewn with pwned gateways, there were other such sessions, including ones that found significant vulnerabilities in medical devices, cellular gateways, smart city infrastructure and satellite communications.

Jonathan Butts, CEO of security consultancy QED Secure Solutions, located in Coppell, Texas, noted in a press conference at the event that dealing with vendors around ICS security disclosure had been particularly frustrating. In the case of a pacemaker made by Medtronic, a protracted process leading to the company deciding that changes in the product weren’t necessary led Butts and co-speaker Billy Rios, founder of WhiteScope LLC, a cybersecurity company based in Half Moon Bay, Calif., to demonstrate their attack live and let the audience judge for themselves.

“To be honest,” Butts said, “after about the one-and-a-half-year mark, and you see stuff like [Medtronic’s response], you get fed up.”

ICS security: Protection? Not

While it’s theoretically possible to protect at least the devices that aren’t implanted in human bodies by placing the ICS equivalents of a firewall at strategic network junction points, a session by Airbus security evaluators Julien Lenoir and Benoit Camredon showed a widely deployed ICS firewall made by Belden could be remotely exploited.

The Tofino Xenon device is typically situated between the IP-based control network and local ICS assets that use Modbus, EtherNet/IP or OPC protocols. Interestingly, the device itself doesn’t have an IP address; it is essentially invisible to ordinary interrogation on the network.

A custom protocol allows a Windows machine running a configurator to discover and then send configuration data to a Xenon device. The configurator knows the addresses of protected ICS devices and knows the Xenon is somewhere between the configurator and the devices. The Xenon knows to watch for packets that carry a specific payload and recognizes them as packets from a configurator.

The two researchers were able to reverse-engineer the protocol enough to understand the arrangement that was used for encryption keys. The configurator discovers devices using a common key and then generates two additional keys that are unique to the particular pairing of that configurator and that specific firewall. All of these keys could be extracted from the discovery session, and then the keys unique to the device were used to establish a connection with the device.

“We were able to get a root shell,” Lenoir told the audience, heralding the familiar theme that almost all ICS devices are actually outdated Linux kernels. “Once everything was running as root, now the appliance was no longer a black box, but was instead a Linux kernel.”

From here, they settled on an attack model that used the devices’ ability to be updated from files on a USB stick. Camredon explained the updates comprised two files, both encrypted. “One is an update script, and one is a data file that is an image, including an image of the kernel.”

It turned out that all configurators and all Tofino Xenon devices used the same key for decrypting the update files. Because they had access to root on the Xenon, they were able to extract this key, at which point they further discovered there were no checks in the update script to ensure the data file hadn’t been tampered with since it was created.

Thus, a breached Xenon could be modified in whatever way the attackers wanted, an image of that system made, and the image could be encrypted and included in an update package without the separate installation script detecting the change.

The Xenon has been updated to correct these problems since the researchers disclosed their findings. So, in theory, the firewall is back in business. One problem Roth noted, though, is these systems often come in dozens of variants, with different names and model numbers.

“If you report a bug to some of these vendors,” Roth said, “the vulnerability gets fixed, but then there are 10 different devices which run the same firmware, and they are left completely unpatched.”

Roth suggested this was a clear indication of the lack of security culture at many ICS vendors.

“It’s like exploiting in the ’90s,” he concluded. “We have no integrity protections on any of these devices.”

At another moment, he made a sweeping generalization: “Everything runs as root; everything runs on outdated Linux kernels; everything runs on outdated web servers. If any of these components fails, you have root permission.”

Industrial cloud moving from public to hybrid systems

The industrial cloud runs largely in the public domain currently, but that may be about to change.

Over the next few years, manufacturers will move industrial cloud deployments from the public cloud to hybrid cloud systems, according to a new report from ABI Research, an Oyster Bay, N.Y., research firm that specializes in industrial technologies. Public cloud accounts for almost half of the industrial IoT market share in 2018 (49%), while hybrid cloud systems have just 20%. But by 2023 this script will flip, according to the report, with hybrid cloud systems making up 52% of the IIoT market and public cloud just 25%.

The U.S.-based report surveyed vice presidents and other high-level decision-makers from manufacturing firms of various types and sizes, according to Ryan Martin, ABI Research principal analyst. The main focus of the report was IoT industrial cloud and it surveyed the manufacturers and their predisposition to technology adoption.

According to the report, the industrial cloud encompasses the entirety of the manufacturing process  and unifies the digital supply chain. This unification can lead to a number of benefits. Companies can streamline internal and external operations through digital business, product, manufacturing, asset and logistics processes; use data and the insights generated to enable new services; and improve control over environmental, health and safety issues.

Changing needs will drive move to hybrid systems

Historically, most data and applications in the IoT resided on premises, often in proprietary systems, but as IoT exploded the public cloud became more prevalent, according to Martin. 

The cloud, whether public or private, made sense because it offers a centralized location for storing large amounts of data and computing power at a reasonable cost, but organizational needs are changing, Martin said. Manufacturers are finding that a hybrid approach makes sense because it’s better to perform analytics on the device or activity that’s generating the data, such as equipment at a remote site, than to perform analytics in the cloud.

You don’t want to be shipping data to and from the cloud every time you need to perform a query or a search because you’re paying for that processing power, as well as the bandwidth.
Ryan Martinprincipal analyst, ABI Research

“There’s a desire to keep certain system information on site, and it makes a lot of business sense to do that, because you don’t want to be shipping data to and from the cloud every time you need to perform a query or a search because you’re paying for that processing power, as well as the bandwidth,” Martin said. “Instead it’s better to ship the code to the data for processing then shoot the results back to the edge. The heavy lifting for the analytics, primarily for machine learning types of applications, would happen in the cloud, and then the inferences or insights would be sent to a more localized server or gateway.”

Providers like AWS and Microsoft Azure will likely carry the bulk of the cloud load, according to Martin, but several vendors will be prominent in providing services for the industrial cloud.

“There will be participation from companies like SAP, as well as more traditional industrial organizations like ABB, Siemens, and so forth,” Martin said. “Then we have companies like PTC, which has recently partnered with Rockwell Automation, doing aggregation and integration, and activation to the ThingWorx platform.”

The industrial cloud will increasingly move from public cloud to hybrid cloud systems.
The hybrid cloud market for IIOT will double by 2023.

Transformation not disruption

However, companies face challenges as they move to implement the new technologies and systems that comprise the hybrid industrial cloud. The most prominent challenge is to implement the changes without interrupting current operations, Martin said.

“It will be a challenge to bring all these components like AI, machine learning and robotics together, because their lifecycles operate on different cadences and have different stakeholders in different parts of the value chain,” Martin said. “Also they’re producing heterogeneous data, so there needs to be normalization of mass proportion, not just for the data, but for the application providers, partners and supplier networks to make this all work.”

The overall strategy should be about incremental change that focuses on transformation over disruption, he explained.

“This is analogous to change management in business, but the parallel for IIoT providers is that these markets in manufacturing favor those suppliers whose hardware, software and services can be acquired incrementally with minimal disruption to existing operations,” he said. “We refer to this as minimal viable change. The goal should be business transformation; it’s not disruption.”

Escaping the middle-income trap – Asia News Center

David Arnold, President, The Asia Foundation

With the advent of the 4th Industrial Revolution and the rapid spread and adoption of cloud computing, cutting-edge technological solutions are now widely available around the world.

But to effectively tap this tech-driven potential, Asia’s emerging economies must pursue new ways of educating and training present and future workers – including women and girls who too often languish at the bottom of the employment pool with few educational opportunities.

“Ultimately it is the matter of human capital and developing relevant skills,” Arnold says. “That is currently a big constraint in many countries. So, we see this as an area of importance and priority.”

READ: Unlocking the Economic Impact of Digital Transformation in Asia Pacific

Breaking down and replacing long-held institutional and bureaucratic practices and barriers are high on the list of must-dos as well. It also happens to be a mantra that has been internalized by the Foundation, which has itself embraced technology to do its work better. Arnold sees the Foundation’s own internal digital transformation dividend as being a sort of microcosm of where the region should be heading.

Established by forward-thinking business people, academics, and U.S. government officials in 1954, The Asia Foundation is a non-profit international development organization committed to improving lives across the region. It works both at the high-end of public policymaking and at grassroots levels with local communities. It has an effective, integrated strategy to help Asian countries promote good governance, empower women, expand economic opportunity, boost education, increase environmental resilience, and promote international cooperation. It fosters deep, long-term partnerships with local organizations and individuals and relies on support from governments and a myriad of donors.

The Asia Foundation

In short, its goals are high, its reach wide, its challenges big and complex, and its stakeholders demanding. So, to boost its impact it embraced change.

For most of its early life, the Foundation was a largely paper-based, administratively disjointed, highly siloed and decentralized operation that stretched from its headquarters in San Francisco across a network of offices in 18 Asian countries.

READ: Microsoft Philanthropies Asia – Advancing a future for everyone

Ken Krug joined its ranks in 2011 to become Vice President for Finance, Chief Financial Officer, and a champion for digital transformation. “We were in the Middle Ages as far as technology was concerned,” he recalls.

Previous attempts to create in-house IT solutions had been unsuccessful. But about five years ago, the Foundation adopted “OneTAF” – a cloud-based Microsoft Office 365 solution named for the abbreviation of The Asia Foundation.

Now all sorts of files and knowledge are linked and made accessible across the Foundation’s diverse geographic footprint. One can imagine the unique challenges of being stretched from Colombo to Kabul and from Ulaanbaatar to Jakarta, and how much freedom and ease can be derived from sharing information and materials in real time.

GE and Microsoft enter into their largest partnership to date, accelerating industrial IoT adoption for customers | Stories

Expanded partnership will help industrial companies capture greater intelligence from IoT and asset data, boosts GE innovation across its business

SAN RAMON, Calif. & REDMOND, Wash. — JULY 16, 2018 — GE (NYSE: GE) and Microsoft Corp. (Nasdaq: “MSFT”) today announced an expanded partnership, bringing together operational technology and information technology to eliminate hurdles industrial companies face in advancing digital transformation projects. As part of the union, GE Digital plans to standardize its Predix solutions on Microsoft Azure and will deeply integrate the Predix portfolio with Azure’s native cloud capabilities, including Azure IoT and Azure Data and Analytics. The parties will also co-sell and go-to-market together, offering end customers premier Industrial IoT (IIoT) solutions across verticals. In addition, GE will leverage Microsoft Azure across its business for additional IT workloads and productivity tools, including internal Predix-based deployments, to drive innovation across the company.

According to Gartner, companies have evolved from “talking about” to implementing IoT proofs of concept (POCs) and pilots. While POC projects tend to be easy to start, few enterprises have ramped up large-scale initiatives.* The GE-Microsoft partnership helps industrial customers streamline their digital transformations by combining GE Digital’s leading IIoT solutions that ingest, store, analyze and act on data to drive greater insight with Microsoft’s vast cloud footprint, helping customers transform their operations at the enterprise level.

Advancing Industrial IoT Applications

GE Digital’s Predix is the application development platform that equips industrial organizations with everything they need to rapidly build, securely deploy and effectively run IIoT applications from edge to cloud, turning asset data into actionable insights. Leading industrial companies such as BP, Exelon, Schindler and Maersk are using GE Digital’s solutions – including flagship applications  Predix Asset Performance Management and Predix ServiceMax – as well as thousands of Predix-based apps created by customers and partners to improve operations and efficiency of their assets. Tapping into the power of Azure will help accelerate adoption of the Predix portfolio. The partnership brings together GE Digital’s expertise in industrial data and applications with Microsoft’s enterprise cloud, helping customers speed deployment of industrial applications and achieve tangible outcomes faster, ultimately fueling growth and business innovation.

Driving Innovation across GE

GE also plans to leverage Azure across the company for a wide range of IT workloads and productivity tools, accelerating digital innovation and driving efficiencies. This partnership also enables the different GE businesses to tap into Microsoft’s advanced enterprise capabilities, which will support the petabytes of data managed by the Predix platform, such as GE’s monitoring and diagnostics centers, internal manufacturing and services programs.

Microsoft Azure has announced 54 regions across the globe, with 42 currently available – more than any other major cloud provider. Its cloud meets a broad set of international standards and compliance requirements to ensure customer solutions can scale globally. This partnership also enhances the security layer within the Predix platform, which meets the specialized requirements of industries such as aviation, power and utilities. Leveraging Azure enables GE to expand its cloud footprint globally, helping the companies’ mutual customers rapidly deploy IIoT applications.

The global IoT market is expected to be worth $1.1 trillion in revenue by 2025 as market value shifts from connectivity to platforms, applications and services, according to new data from GSMA Intelligence.

“Every industrial company will have to master digital to compete in the future, connecting machines and making them more intelligent to drive efficiency and productivity,” said Bill Ruh, Chief Digital Officer, GE and CEO, GE Digital. “Our customers are asking for us to make a deeper connection between our two companies. Through this expanded partnership, Microsoft and GE are enabling customers around the world to harness the power of the Predix portfolio, including Predix Asset Performance Management, to unlock new capabilities to drive growth.”

“The industrial sector plays an important role in fueling economies around the world,” said Judson Althoff, Executive Vice President, Microsoft. “With this strategic partnership, GE and our mutual customers will benefit from a trusted platform with the flexibility and scalability to deliver unprecedented results and help advance their business potential.” 

As part of this expanded partnership, the companies will go-to-market together and also explore deeper integration of Predix IIoT solutions with Power BI, PowerApps and other third-party solutions, as well as integration with Microsoft Azure Stack to enable hybrid deployments across public and private clouds.

*Gartner, Hype Cycle for the Internet of Things, 2017, 24 July 2017

###

About GE Digital

GE Digital is reimagining how industrials build, operate and service their assets, unlocking machine data to turn valuable insights into powerful business outcomes. GE Digital’s Predix portfolio – including the leading Asset Performance Management, Field Service Management and MES applications – helps its customers manage the entire asset lifecycle. Underpinned by Predix, the leading application development platform for the Industrial Internet, GE Digital enables industrial businesses to operate faster, smarter and more efficiently. For more information, visit www.ge.com/digital.

About Microsoft

Microsoft (Nasdaq “MSFT” @microsoft) enables digital transformation for the era of an intelligent cloud and an intelligent edge. Its mission is to empower every person and every organization on the planet to achieve more.

Contacts:

Amy Sarosiek, GE Digital

+1 224 239 6028

[email protected]

 

Microsoft Media Relations

WE Communications for Microsoft

(425) 638-7777

Yokogawa Stardom vulnerability leaves hardcoded creds in ICS controllers

Industrial control systems around the world might be at risk as hardcoded credentials are found in flawed software.

The Yokogawa Stardom vulnerability (CVE-2018-10592) affects the FCJ, FCN-100, FCN-RTU and FCN-500 controllers running firmware version R4.02 or earlier. These industrial control systems (ICS) are used around the world in various infrastructure capacities including the energy sector, food production and manufacturing.

According to the security advisory for the Yokogawa Stardom vulnerability, an attacker could remotely log in with the hardcoded credentials and be able to execute system commands. The official advisory from Yokogawa and the advisory from ICS-CERT disagree slightly though: Yokogawa labels the issue as being of medium difficulty to exploit, while ICS-CERT notes that it takes “low skill level.”

Yokogawa suggests users upgrade to firmware version R4.10 and ICS-CERT adds that the National Cybersecurity and Communications Integration Center (NCCIC) also recommends that industrial control systems be isolated from networks if possible, protected behind firewalls or restricting logins.

It is unclear how widespread the Yokogawa Stardom vulnerability might be. Yokogawa did not respond to requests for comment at the time of this post.

Hardcoding passwords and other login credentials is a practice that security professionals have frowned upon for decades, but still affects products ranging from IoT to firewalls and more. Meanwhile, industrial control systems have become a bigger target for attackers looking to cause real-world havoc with cyberattacks.

Trisis ICS malware was publicly available after attack

The malware used in an industrial control system attack in December has been found circulating publicly on the internet after being copied from an online database.

The

Trisis
industrial control system (ICS) malware was first disclosed by FireEye’s Mandiant threat research team on Dec. 14,

2017
after an attack on an unknown organization. The malware specifically targeted the Triconex Safety Instrumented System (SIS) controllers made by Schneider Electric and has been called either Triton or

Trisis
because of this. One week after the initial reveal by Mandiant, Schneider Electric reportedly posted a file containing sensitive pieces of the

Trisis
malware framework to VirusTotal — an antivirus scan database owned by Google — on Dec. 22nd.

Cyberscoop, which first reported the story, said Schneider Electric quickly received a notice to remove the file from VirusTotal, but before the file could be removed it had already been copied and reposted to other code repositories like GitHub and has been freely available ever since.

Although the

Trisis
framework accidentally posted by Schneider Electric by itself would not be enough to recreate the ICS malware, the main

Trisis
executable — Trilog.exe — had also been published.

Paul Brager Jr., technical product security leader at Baker Hughes, based in Houston, Texas, and former cybersecurity project manager focused on ICS at Booz Allen Hamilton, said “it is highly conceivable that variants of

Trisis
could surface that are tailored toward control systems by Siemens, Rockwell Automation, Honeywell or other digital industrial manufacturers.” 

“Because most control environments are not homogenous, patching one series of vulnerabilities for a particular manufacturer does not necessarily lessen the exposure to the infrastructure from something like

Trisis
, or a variant therein,” Brager told SearchSecurity. “What we are seeing is an effort to engage control systems not only at the constituent

components,
but the underlying systems that seek to manage those control environments.  Just as

Trisis
was written to target a specific Schneider SIS, there is nothing preventing

nation state
actors with the means and resources to refashion

Trisis
to target any SIS or other ICS subsystem with vulnerabilities that can be exploited.”

Eddie Habibi, founder and CEO of PAS Global, an ICS cybersecurity company headquartered in Houston, Texas, said the problem is that “there are two speeds in ICS cybersecurity — industry speed and hacker speed.” 

“Hackers can move much more quickly than industry. 

Industry
may not patch a system for months or ever, depending on assessed risk,” Habibi told SearchSecurity. “Although this may sound ominous,

industry
does have safeguards in place that protect reliability and safety. The problem is that hackers are learning more about these systems and how to manipulate them as we saw in the

Trisis
attack.”

Bryan Singer, director of industrial cybersecurity services at IOActive, the cybersecurity company headquartered in Seattle, Wash., said the threat of

Trisis
being repurposed may not have sunk in with organizations.

“Wake up calls haven’t woke anybody up. In watershed moments such as Equifax, Target

and
Triconex, everyone freaks out but doesn’t do anything,” Singer told SearchSecurity. “We’ll see a lot of the same here — people like to dismiss the threat and think it won’t happen because they’re not being targeted. IT proves this completely untrue. There are far too many attack mechanisms to say it won’t happen to us.”

ICS patching issues

Experts noted that if organizations don’t fully recognize the threat, it may be even more difficult to harden security because of the inherent differences in patching ICS.

Brager noted that patching in ICS environments can be especially tricky since “many of the components, applications, and services are proprietary and highly interdependent.”

“Because of the critical process potential of ICS systems and their components, significant testing is usually required to ensure that an applied patch yields an expected outcome and does not interfere with, or degrade in any fashion, the operations of the control system,” Brager said. “This requirement and diligence typically

extends
out the patching cycle within [operational technology (OT)] environments, often months, and ultimately depends on the ability to patch and the resource availability to do so.”

Emily Miller, ‎director of national security and critical infrastructure programs at Mocana, and formerly the chief of process management for the DHS ICS Cyber Emergency Response Team, said the flaws that allowed the

Trisis
attack were not an inherent vulnerability in the device, but “due to poor cyber hygiene.”

“In operational

environments
patching is tricky business — remember, in OT we’re talking about devices that control physical processes that can impact lives, not just bits

and
bytes of data,” Miller told SearchSecurity. “Quickly patching devices, as you would expect to see in an IT environment, can have real, catastrophic consequences in an operational environment.”

ICS defense

Brager said that traditionally ICS systems are kept isolated from external networks but growing interconnectivity is making security more difficult.

“For many years, ICS environments were largely thought to be physically and logically isolated from other networks and/or environments. Connectivity was largely a function of interconnected buses and

short run
links that allowed communication through a closed loop architecture,” Brager said. “Network enablement of components within ICS expanded the threat landscape exponentially, as systems that were not originally designed to be internet/network facing, suddenly were — and the facilities needed to patch these devices were largely immature and arduous.

Habibi agreed that isolating ICS is no longer a sufficient security strategy.

“After years of reconnaissance, the bad guys have shown they can penetrate those defensive layers, bridge the illusory air gap, and take deliberate control over

process
. CRASHOVERRIDE did not need a vulnerability to bring down power in

the Ukraine
— only ICS and process knowledge that had been built over time,” Habibi said. “A successful

Trisis
-like attack, under certain circumstances, can lead to a catastrophic accident. Consider a scenario where a skilled malicious attacker breaches a Triconex system, which is designed to safely shut down a reactor in a fluid catalytic cracking unit in a refinery, by bypassing the trip function. This simple change could act as a time bomb and remove the failsafe that ultimately protects the plant from a catastrophic event.”

Miller said the

Trisis
attack is “more evidence that we need to start approaching this problem differently.” 

“Rather than continuing to chase vulnerabilities and trying to implement an IT approach to OT security, we should instead think about how we can make critical devices inherently secure and more difficult for hackers to gain access,” Miller said. “Without access to an ICS device, hackers cannot begin to take advantage of a vulnerability. Certainly, defense in depth methodologies and good cyber hygiene are a part of the solution, but what happens when those techniques fail, and the actors can remotely access a device and potentially manipulate it?”

Adoption of IIOT applications rising but full value yet to come

Manufacturers are adopting industrial IOT technology at high rates and the vast majority are satisfied with the results, yet it appears that most are not yet taking advantage of benefits like advanced analytics.

These were some of the results gleaned from a new survey from Bsquare, a Bellevue, Wash., firm that provides IIOT services and products. The 2017 Annual IIOT Maturity Study examines the adoption attitudes and progress of IIoT technology across three industry segments — manufacturing, transportation, and oil and gas — according to Dave McCarthy, Bsquare senior director of products.

The main impetus for conducting the survey was to determine how companies are adopting IIOT applications and the overall satisfaction with the results, McCarthy said.

Bsquare conducted the 2017 Annual IIOT Maturity Study in August 2017 with more than 300 respondents from companies with annual revenues of at least $250 million, according to McCarthy. The respondents were evenly divided among the three industry groups and all were senior-level personnel with direct operational responsibilities. The survey made no mention of Bsquare or its products and services.

The survey indicates that enthusiasm for IIOT applications is very high, but the majority of projects are still at a relatively low level.

According to the survey, 86% of the respondents are currently adopting IIOT applications and 84% of the adopters believe that the applications are very or extremely effective. Further, 95% responded that the IIOT applications are having a significant or tremendous impact on their industry.

However, the higher-level benefits that IIOT promises may not yet be realized. The survey shows that 78% of IIOT projects are focused on connecting devices and machines, while 83% involve data visualization. Projects that involve higher-level functionality are in the minority, with only 48% of respondents doing advanced analytics on the data collected by IIOT devices, and just 28% are automating the application of insights derived from analytics.

People feel that they have to collect this [IIOT] data even if they don’t know what they want to do with it.
Dave McCarthysenior director of products, Bsquare

McCarthy believes that satisfaction from IIOT applications may be high because more than half of the 84% who believe the applications have been effective are less than one year into the IIOT implementation.

“This could mean that they’re in the honeymoon period because they’re doing some things that they’ve never done before and even if they are very simple things it seems like they’re a huge step forward and they’re happy about it, or they’re doing things in a POC or pilot environment where it’s always easier to do things in a lab than at scale,” he said. “But there’s a huge drop in people who are collecting data and people who are using it in some way with a dashboard or monitored activity. People feel that they have to collect this data even if they don’t know what they want to do with it.”

Other key findings from the survey:

  • Of the 86% of organizations that are adopting IIOT applications, most are in construction and transportation (93%), followed by oil and gas (89%) and manufacturing (77%).
  • The organizations are using IIOT applications primarily for connecting devices and forwarding data (78%), real-time data monitoring (56%) and advanced data analytics (48%).
  • The majority of the respondents (73%) plan to increase their investments in IIOT over the next year, while at the same time almost all acknowledge the complexity of IIOT deployments.

Don’t start the 4th Industrial Revolution without me

The 4th Industrial Revolution is happening right now, driven by leading manufacturing organizations and largely enabled by cloud technology, according to a new report from Plex Systems, a provider of cloud ERP systems based in Troy, Mich.

The third annual “State of Manufacturing Technology (SoMT) Report” surveyed more than 150 manufacturers on their attitudes about and how they are actually using next-generation technologies in their manufacturing processes, according to Andrew McCarthy, Plex Systems vice president of communications. The survey participants represented manufacturing companies in a variety of industries, including automotive equipment, industrial parts and systems, aerospace, high technology, plastics, and food and beverages.

“What we found from the survey is that as a result of the cloud, this promise of ubiquity or universal connectivity that’s often talked about as out in the future is stuff that these organizations are doing today,” McCarthy said. “There are simple examples like the deployment of consumer mobile devices on the shop floor, all the way to things like wearable technology in the shop floor environment, and using location-based services to get contextual information from a piece of equipment.”

Some of the reasons for this increased adoption include lowered barriers to connectivity and the rapidly decreasing costs of next-generation technology and equipment, McCarthy said.

“We find that customers are experimenting with those capabilities to figure out how to stand up a new stack because they don’t have to make a material investment in them,” he said.

Overall, the survey indicates that next-generation technologies are very important to manufacturers today, primarily enabled by the cloud; however there are also significant challenges to be overcome, including a widening skills gap for manufacturing workers.

Some of the specific findings from the survey:

  • Eighty percent of respondents said the technology was either important or very important to their ability to innovate.
  • Ninety percent said that they are using cloud-based applications in some form, which is twice the number as the 2016 survey.
  • Seventy percent said that the cloud has made it easier to manage fluctuating customer demand.
  • Forty-five percent said that the cloud contributes significantly to new product research and introduction.
  • Thirty percent are focusing on implementing a digitally connected supply chain now, and another 30% expect to implement it in the next five years.
  • Thirty-five percent believe that a shortage of skilled workers will be the biggest challenge to organizational growth in the next year, and the most needed skills are lean manufacturing (68%), mechanical engineering (48%) and data analysis (48%).