New Executive Order Bans Procurement of Some Electrical Devices from U.S. Adversaries

May 28, 2020
Robert Bergman

On May 1, 2020, President Trump declared a national emergency with respect to the threat to the U.S. bulk-power systems and issued an executive order prohibiting federal agencies and U.S. persons from acquiring, importing, transferring or installing certain electrical equipment used in bulk-power substations, control rooms, or power generating stations.

 

The prohibitions apply to equipment that is designed, developed, manufactured, or supplied by a foreign adversary, or by anyone under the “control, direction, or jurisdiction” of such an adversary, and where such equipment poses an unacceptable risk to national security and America’s safety.

 

In his recent ControlGlobal.com blog, Joe Weiss, a process control system security authority and ControlGlobal.com columnist, hails the Executive Order (EO), believing it will reopen the dialogue regarding security and policy issues among regulators, policymakers, manufacturers (OEMs) and owner/operators.

 

The EO defines foreign adversaries as any foreign government or non-government person engaged in a long-term pattern or serious instance of conduct “significantly adverse” to the national security of the United States or its allies.

 

“It is clear the Chinese, Russians, North Koreans, Iranians, etc. have been actively trying to hack into the U.S. grid and other critical infrastructures as well as the control system supply chains for many years. There are acknowledged supply chain issues with critical infrastructure equipment made in the U.S. as they often come with computer chips or software made in China, etc.,” writes Weiss.

 

Weiss says that government and public utility procurement rules often push organizations into buying lower-priced equipment without regard to origin or risk. He gives an example of a large bulk transmission transformer that was purchased from China and arrived with hardware back doors that were extraneous to the system design.

 

“Procuring a large electric transformer with hardware backdoors is much more significant than having keystroke loggers in Lenovo laptops. An attacker does not install backdoors into a transformer to steal data – you do that to cause damage,” he says.

 

Preventing that kind of damage is why, Weiss believes, the list of equipment in the EO is so exhaustive. He says it is also why network devices such as firewalls were not included “as they are ineffective with embedded hardware vulnerabilities that can initiate communications from inside the firewall-protected perimeter.”

 

The Executive Order defines bulk-power system electric equipment to include “items used in bulk-power system substations, control rooms, or power generating stations, including, reactors, capacitors, substation transformers, current coupling capacitors, large generators, backup generators, substation voltage regulators, shunt capacitor equipment, automatic circuit reclosers, instrument transformers, coupling capacity voltage transformers, protective relaying, metering equipment, high voltage circuit breakers, generation turbines, industrial control systems, distributed control systems, and safety instrumented systems.”

 

Weiss notes especially that the Oil and Natural Gas Subsector Coordinating Council is involved in developing the recommendations and evaluation related to the order, which demonstrates a real understanding of the complexity.

 

The EO also charges the DOE with developing a “pre-qualified” list of vendors to ensure that future equipment transactions are not in violation of the order; seeks to identify, isolate, monitor, or replace existing bulk-power system electric equipment presenting a security risk from foreign adversaries; and creates a task force to update the Federal government’s acquisition regulations, develop policy recommendations and issue reports.

 