An Internet Cyber Security Cookbook
April 26, 2022 | Robert Bergman
A March 21, 2022 fact sheet from the White House briefing room urges technology companies to build cyber security in from the ground up, telling them “bake it in, don’t bolt it on.” Also released last month was a preliminary NIST document “Protecting Information and System Integrity in Industrial Control System Environments: Cybersecurity for the Manufacturing Sector,” which contained an appendix that could be an ingredient list for baking cyber security into IoT devices.
The NIST Cybersecurity for IoT program defines a set of device cybersecurity capabilities that device manufacturers should consider integrating into their IoT devices to enhance the security of the manufacturing environment, which, by NIST's definition, includes both process and discrete manufacturing. The recommendations target connected devices and their environments.
NIST does qualify its suggestions with an acknowledgment that IoT capabilities are constantly evolving and that boundaries between IoT devices and other industrial equipment are blurring. That said, they still managed to generate a 50-page table of desirable security capabilities for internet-connected devices.
What’s on the table?
The NIST table lists capabilities in 17 categories, including access control, data protection, software and system integrity, software maintenance, network management, and data management. And these decompose further into subcategories.
For example, the access control capability “managing, verifying, revoking and auditing identities for authorized devices, users, and processes” decomposes into 15 technical subcategories, such as uniquely identifying on-premises IoT devices, managing remote IoT devices, and managing unique IDs, along with other “nontechnical supporting” capabilities, such as providing information about software updates, instructions for configuration settings, and supply chain information.
In total, NIST suggests more than 200 technical and non-technical characteristics that it believes device manufacturers should incorporate in their devices to enhance internet cyber security. However, NIST developed the main document, to which the internet recommendations are appended, on the stated assumption that most manufacturing devices in use today do not have the capability to deliver these characteristics and must therefore rely on other system components such as gateways, proxies, IoT platforms, and other hardware and software add-ons. The main document provides guidance to help companies configure such functionality with existing applications, sometimes requiring two or more applications to configure the protection.
While adding so much external functionality to the industrial network may indeed have some value, automation users should not have to contend with it at all. Their attention must be on process control, safety, environmental stewardship and profitability. All cyber security should be invisible to the end users. It should come standard with the controls. When the cyber security is built into the device electronics, security just happens. NIST would no doubt align with the White House position that cyber security should be baked in, but the fact that it has created a 300-plus-page document providing guidance on how to bolt security onto insecure legacy systems indicates it also thinks of baked-in security as something for the future.
Except for well-executed proxies, however, these extrinsic solutions do not free users from cyber security concerns at all. Instead, they put cyber security right in the face (and the budget) of the automation end users. By a “well-executed proxy,” we mean an arrangement in which existing control data is routed through an intrinsically secure edge control device that manages authentication and encryption of critical data and controls in phases, while the plant transitions to a fully secure system.
For an example of a company that is doing exactly that, download the Bedrock Automation Case Study.