Securing at the perimeter

Even though edge computing is getting better at running on its own, it still needs to network to remote users, enterprise systems and cloud-computing services—so it also needs security. Sahil Yadav, senior product manger for Predix Edge at GE Digital, reports security must be a key characteristic for edge computing because, even though it usually runs closer to production assets, it must also collect, organize, process and transmit their data over networks for analysis onsite or in the cloud.

"Just like the Industrial Internet of Things (IIoT), edge computing is possible for all kinds of devices, but users are still mainly concerned with optimizing their processes and preventing downtime," says Yadav. "Edge computing can help them at less cost, but it has to be secure, especially when it's working with legacy sensors and protocols, or enabling remote management of devices in hard-to-reach locations. For example, our Predix Edge suite runs on-premise and computes close to plant-floor data sources, but it also includes a ruggedized gateway for connecting to cloud-computing services, enabling analytics, and allowing users to remotely manage numerous field devices. This is more than an interface because automatic scripts in Predix Edge Manager software allows remote device management of hundreds of thousands of devices."

Instead of trying to add after-the-fact security functions to existing devices, Yadav says that GE Digital takes the preferred and more effective route of building cybersecurity from its Wurldtech division into its products ahead of time. "Many edge devices are more secure because they can run without always being connected to external entities, and instead reach out, connect to other networks as needed, and don't accept incoming communications," says Yadav. "For instance, we only open one port, and don't accept incoming connection. We send a signal to the manager in the cloud, complete a handshake, and only connect on demand."  

Josh Eastburn, technical marketing director at Opto 22, reports, "Because our pedigree is in field I/O to begin with, we like the definition that the Industrial Internet Consortium provides in its IIoT Vocabulary report that the edge is the boundary between OT's physical assets and IT's digital systems. However, IT seeks conformance with best practices for cybersecurity and data integrity, and often has to say 'whoa' when OT wants to carry out a project or reconfigure something on the edge."

Eastburn reports Opto 22 often helps OT and IT stakeholders talk through cybersecurity policies and procedures, and develop simple data architectures that conform. “It’s usually just a matter of realizing that automation is capable of following the basics steps they need.” These steps include:

• Setting up user authentication and authorization, which determine who users are and what they're allowed to do on a device;
• Managing network traffic routes, so trusted and untrusted traffic is segregated, and unused device firewall ports are closed;
• Evaluating which encryption methods are in use, establishing security certificate exchanges, and avoiding or patching holes in edge networks, components and software. 

"Until recently, PLCs and RTUs were on networks that didn't have a connection to the IT level, so they didn't need the ability to be locked down," adds Eastburn. "Now, we're looking at automation that needs to exchange data with other systems in the enterprise, so they need security from the IT side, too. Unfortunately, it's still an afterthought in many cases. While there may be security at the workstation level, many field devices can still be accessed because they're still unsecured."

Eastburn explains that Opto 22’s solution is adding network security protocols to field devices, requiring users to log into devices with passwords or software-based API access keys, and using MQTT-based architectures that prevent incoming connection requests. "These are the same security strategies that IT uses, so we've put them into groov EPIC controllers and groov RIO I/O modules."