Networking

The Bedrock of a security plan

The never-ending road to network, data, equipment and device security starts in the driver's seat.

By Jeremy Pollard, CET

Well, there is a new player in town called Bedrock Automation. While the name is surely a play on the cartoon series "The Flintstones," the architecture is nothing short of disruptive. So, for new and improved processes, this may be a good solution, although pricey. It has built-in security: the connection between the devices and the software is authenticated using crypto keys that are resident in, and embedded into, the hardware.

The keys are part of the hardware design, so they cannot be altered or replaced by someone on the network. The automation controller uses these keys to validate devices and software that want to connect to it, and refuses anything that cannot prove it holds a matching key. Even with the keys, common network security measures such as firewalls and segmentation should still be employed: authentication tells you who is talking, not whether what they say is safe, and an engineering workstation that holds a valid key and gets compromised still gets to talk.

So, with the Internet of Things (IoT), bring your own device (BYOD) and mobility, plus the fact that tablets are becoming so yesterday and are turning into extra-large-screen smartphones, also known as "phablets," according to IT research firm IDC, it is no wonder that security is still a very hot topic in our space. Stuxnet, the computer worm that targeted Siemens programmable controllers, really brought the issues to the forefront. But how far do we go to secure our networks, our data, our processes and devices?

I recently wrote about the talking Barbie that has Wi-Fi capability. In order to talk to the Barbie server, a port has to be opened from the network side. I can only imagine what a hacker may be able to do with that open port and a connection to the network.

Bedrock isn’t worried about that because of its authentication scheme. But what if you are not using a controller with those types of capabilities, such as the millions of legacy PLCs that have been running for 20 years?


Behind the firewall there is no authentication as such for these devices: all you need is an IP address and the vendor's connectivity software, and you're in. The protocols most legacy controllers speak carry no notion of who sent a command, so a well-formed command from any reachable host is executed. But is this our biggest worry?
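What the difference between the two models looks like in practice, as an added illustration that is not Bedrock's protocol or code and not part of the original column: a legacy controller that honors any write from any reachable address, next to a controller that holds per-device keys and only honors a write accompanied by a fresh, keyed proof. The device IDs, the 32-byte keys, the HMAC-SHA256 challenge-response and the coil-write command are all assumptions chosen for the example.

```python
"""Added illustration (not Bedrock's own protocol): what "an IP address is enough"
looks like next to a controller that demands proof of a provisioned key.

Assumptions: per-device 32-byte keys installed at manufacture, HMAC-SHA256 over a
controller-issued nonce, and a coil-write command as the thing being protected.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _message(device_id: str, nonce: bytes, address: int, value: bool) -> bytes:
    """Canonical bytes both sides authenticate: identity, fresh nonce, and the command."""
    return device_id.encode() + nonce + address.to_bytes(2, "big") + bytes([int(value)])


@dataclass
class LegacyController:
    """Legacy PLC: no authentication. Any peer that can reach the port can write."""
    coils: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def write_coil(self, src_ip: str, address: int, value: bool) -> bool:
        self.coils[address] = value
        self.audit.append((src_ip, address, value))  # the source IP is all we ever learn
        return True


@dataclass
class KeyedController:
    """Controller with embedded keys: a write is honored only with a valid, fresh HMAC."""
    device_keys: dict  # device_id -> key; in the real thing this lives in hardware
    coils: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)  # device_id -> nonce awaiting a response

    def challenge(self, device_id: str) -> bytes:
        if device_id not in self.device_keys:
            return b""  # unknown devices get no state and no nonce
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = nonce
        return nonce

    def write_coil(self, device_id: str, nonce: bytes, tag: bytes,
                   address: int, value: bool) -> bool:
        key = self.device_keys.get(device_id)
        issued = self.pending.pop(device_id, None)  # one use per nonce: replay is rejected
        if key is None or issued is None or not hmac.compare_digest(issued, nonce):
            return False
        expected = hmac.new(key, _message(device_id, nonce, address, value), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        self.coils[address] = value
        return True


def device_sign(key: bytes, device_id: str, nonce: bytes, address: int, value: bool) -> bytes:
    """Client side: prove possession of the key without ever sending the key."""
    return hmac.new(key, _message(device_id, nonce, address, value), hashlib.sha256).digest()


# Constructed sample keys for the example (not real provisioning data).
HMI_KEY = bytes(range(32))
ROGUE_KEY = bytes(32)


def demo() -> dict:
    """Run both controllers through the same scenarios and report what got through."""
    legacy = LegacyController()
    keyed = KeyedController(device_keys={"hmi-01": HMI_KEY})
    results = {}

    # Legacy: an unknown host on the plant network flips a coil with no questions asked.
    results["legacy_unknown_host_write"] = legacy.write_coil("10.0.0.99", 1, True)

    # Keyed: the provisioned HMI completes the challenge and the write is honored.
    n = keyed.challenge("hmi-01")
    tag = device_sign(HMI_KEY, "hmi-01", n, 1, True)
    results["keyed_provisioned_write"] = keyed.write_coil("hmi-01", n, tag, 1, True)

    # Keyed: replaying the captured (nonce, tag) pair is refused; the nonce was consumed.
    results["keyed_replay"] = keyed.write_coil("hmi-01", n, tag, 1, True)

    # Keyed: a rogue host claiming to be the HMI but holding the wrong key is refused.
    n = keyed.challenge("hmi-01")
    bad_tag = device_sign(ROGUE_KEY, "hmi-01", n, 1, False)
    results["keyed_rogue_key"] = keyed.write_coil("hmi-01", n, bad_tag, 1, False)

    # Keyed: a device the controller was never provisioned for is refused outright.
    n2 = keyed.challenge("unknown-99")
    results["keyed_unknown_device"] = keyed.write_coil(
        "unknown-99", n2, device_sign(ROGUE_KEY, "unknown-99", n2, 1, False), 1, False)

    results["keyed_coil_1"] = keyed.coils.get(1)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point to notice is what the legacy controller's audit trail can ever contain: a source IP, which any host on the segment can claim. The keyed controller learns which key signed the command, which is why the firewall is still needed in front of it: it stops the legacy devices on the same segment from being reached at all, and it limits who gets to attempt the challenge in the first place.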


Well, it seems that most of us are leaning toward a shift in where to store our data and how we access it.

Two-factor authentication (2FA) is common practice in the security world. Sometimes three-factor authentication (3FA) can be used, as it is in the U.S. government with Route1's MobiKey Fusion. To gain entry into the government servers, the user has to have the MobiKey password, the ID-1 smart card inserted into a Fusion-compatible device and the logon password for the server level. Strictly speaking, two passwords are both "something you know," so what this buys is a stronger two-factor scheme (knowledge plus possession of the card) rather than three independent factors; a third factor would be something you are, such as a biometric.

Recently, a Canadian company called Nymi has developed a wristband that reads the wearer's heartbeat (ECG) pattern and connects over Bluetooth to your device (phone, tablet or laptop) to authenticate you to it. Innovative idea. But it brings to the forefront that security has become a focal point for our society and our industrial space.

This brings us back to IoT, and the big data that it will provide and where to store it. Most will select a cloud-based provider, such as Microsoft Azure. This data will be the lifeblood of decision making for companies and operating departments. Regardless of the level of decision making, this data can make or break a process change or aid development of a new process and/or product. The data needs to be protected.

Most users who would access this data will do so over the Internet. Regardless of device, is a password simply enough to protect this precious commodity? According to TechRepublic, it is the user's responsibility to explore the cloud provider's security practices. Other issues to explore are server redundancy, data offload functionality and Internet access redundancy.

The cloud provider, however, doesn't really care how you access your own data, but having two-factor authentication sounds like a solid idea. This level of access protection should be local to the user: the second factor is something only the user carries, so a password stolen from a phishing page or a breached database is not enough on its own. Very local, as Nymi has been testing its biometric authentication device for the banking industry to provide a layer of security comfort to its online users.

"Defense in depth" has been a mantra in our space for a while now, and, while Bedrock has succeeded in providing a certain layer of security in its controllers, all of the other bump-in-the-night issues still remain. And with the gobs of data that may be vulnerable in the cloud, one must evaluate security as a front-line line item, and not as an afterthought.

There is an audit standard called Statement on Standards for Attestation Engagements (SSAE); ask the provider for the SOC report its auditors produce under it, and read the scope and the exceptions, not just the cover page. Most cloud providers also perform penetration and vulnerability tests on a regular basis. Ask to see these reports and also ask how often they are performed. It also may be worthwhile asking how the provider handles an unauthorized user trying to connect to your cloud storage, and how it notifies the client.

Bedrock’s security platform may or may not fit into your security plan, but you won’t know unless you have a plan. Go get one.

Homepage image courtesy of Stuart Miles at FreeDigitalPhotos.net