This is how revolutions start

Malware is an ever-changing attacker that requires intrinsic cybersecurity to keep moving the target

By Jeremy Pollard, CET

Intel put out a letter to the U.S. Congress stating that industrial control systems were not vulnerable to the Spectre and Meltdown malware. Hmmmm.

I asked Bedrock Automation if its products were vulnerable and didn’t get a response; but Intel shouldn’t be.

Bedrock is by far the most secure industrial control system out there, based on the material I’ve read, which includes Bedrock’s white paper, “The Bedrock Revolution, Chapter Three: Intrinsic Cyber Security Fundamentals.” In the white paper, Bedrock refers to its approach as Open Secure Automation (OSA).

Intrinsic means “belonging naturally,” which in layman’s terms means it’s built in. And, after reading the white paper, I was dazzled by the length and breadth that Bedrock’s design went to.

Back to Intel for a minute: It states four different premises that would protect an industrial control system (ICS) from these two malware actors—Spectre and Meltdown.

The safety of these systems revolves around the inability of an ICS executing malicious code. I’m not sure if Intel hadn’t heard of Stuxnet, but I’m sure Intel thinks it’s different than what these malwares can do.

There have been many reports by Department of Homeland Security, Industrial Control Systems—Cyber Emergency Response Team (DHS, ICS-CERT) of industrial control systems that have the ability to have stack overflows, which would allow a hacker, generally speaking, to gain access to the PLC and execute code. So, I’m not sure under what pretenses Intel is making the statements it made.

RELATED GUIDE: Control design for smart machines

So, do we really need Bedrock? Let’s see what it says about intrinsic fundamentals.

Bedrock comments on total system isolation and building a bubble of complex enterprise defenses being used for legacy systems. With my knowledge of remote access and the marketing of automation vendors, I am not sure I agree with that statement as such.

Security by obscurity isn’t an option.

I do agree with the bubble statement. There is a ton of effort that goes into securing the automation enterprise, but it’s mainly for remote access and authentication. Some of the comments made in the white paper still escape me, however.

The white paper talks about how every aspect of the control system has been designed from the ground up, including the power supplies, backplane and module housings. The housings are made from metal, which should add better shielding and protection from electromagnetic interference (EMI) and electromagnetic pulse (EMP) issues. It is mentioned that a power tool can disrupt normal industrial control systems.

I submit that the cabinet that the industrial control systems are mounted in has provided this protection in the past.

The white paper references communication ports on existing industrial control systems, which Bedrock suggests can all be hacked. Most of these ports are independent of each other, but still allow access to the brains of the system. Bedrock maintains that all ports should encrypt and authenticate all devices and networks that communicate on them.

Now this makes sense, and it is done using standards such as those from the National Institute of Standards and Technology (NIST).

I posed a question on an automation board about a statement made in the white paper which states that ICS module counterfeiting is “widespread.” I asked the question and got zero responses with regard to anyone having experienced this.

We have heard of fake firmware updates being available on the Internet, but I have yet to hear of a Rockwell PLC-5 being sold to a user that was counterfeited as such. Maybe they were referring to the fact that it could happen, but it wasn’t worded that way.

If it were an issue, then the authentication and encryption tools would be well-served. It suggests to me that Bedrock is under the belief that its hardware and firmware cannot be duplicated. Based on the complex construction and multiple authentication paths, I would have to agree on the outside looking in.

Tell me the time, not how to build a watch.

There is pseudo random number generator (PRNG) and true random number generator (TRNG) in industrial control systems, and Bedrock believes that true random numbers are the key to the overall strength of security, due to the fact that they are far less vulnerable to discovery through malware and the like. While it’s not mentioned, I would assume Bedrock uses TRNG.

The white paper discusses the hardware root of trust (HRT) and provides a diagram, which is very busy—lots of boxes and arrows. The intent I believe is to indicate that all systems, devices and networks have to be authenticated to each other through the use of encryption keys and certificates. Public key infrastructure (PKI) for OSA is what Bedrock calls the backbone of the HRT. So, one will probably never know how it really works, but, if the explanation is accurate, then it is a very complicated process that is hidden from the user.

I am not familiar with the pricing but can only imagine how it compares to the stalwarts of the industry.

Bedrock concludes the white paper by stating that intrinsic OSA done right is intuitive and transparent to the user. I hope so because this is one complex design. It’s the same old story though: Tell me the time, not how to build a watch. It will be interesting to see how those stalwarts respond to the new kid on the block.