Well, true. But it’s still difficult to see how LabVIEW or NI can achieve anything beyond niche market status in industrial applications if they persist in regarding compliance with the relevant IEC standard as somehow beneath them.
Vendors seek security behind Berlin firewall
Ever since the issue first came to wider public attention in the wake of 9/11, discussion of industrial cyber security has been largely dominated by North American voices, notably those of Brian Ahern, president and CEO of Industrial Defender (formerly Verano), and Eric Byres, late of the British Columbia Institute of Technology and, more recently, partner with MTL in the development of its Tofino offering. But while Ahern, Byres and others have done a great job in raising awareness of the potential threat, it’s less well known that Europe has been making its own contribution to producing workable solutions. Indeed, the Berlin-based start-up Innominate Security Technologies has been developing a range of industrial solutions since 2001 and deploying them since 2003.
Invisible and undetectable
Given the nature of its technology and its chosen route to market, it is perhaps not surprising that the Innominate name is not as widely known as it should be. A fundamental principle of the patented “stealth-mode” technology on which its mGuard range of products and solutions is based is that they should be “invisible, undetectable and invulnerable”. The company goes to market principally through partners and OEMs including Hirschmann, Phoenix Contact, Siemens and SAGEM, who either embed the technology in their own products or rebrand the Innominate products under their own names. “We have a field proven technology that is installed 10,000 times in the field. It’s absolutely reliable technology,” explained CEO Joachim Fietz, who nevertheless acknowledges that, to date, “What we have missed is in sales and marketing.”
Innominate has based its approach from the outset on a recognition that plant-floor security needs are radically different from those of conventional IT, and that there is, therefore, as Fietz puts it “a specific market of industrial security.”
Vendors of practical security solutions must be able to cope with heterogeneous collections of hardware and software, obsolete operating systems lacking any kind of security support, system life cycles of between 10 and 20 years, sales cycles of 24 months or more, and an almost total lack of security expertise at the plant level, says Fietz. Above all they must recognize that, for most industrial users, irrespective of how seriously they take the cyber security threat, the golden rule is “Never touch a running system.”
Moreover, says Fietz, it’s all too easy for industrial cyber security to fall down the gap between corporate IT, which doesn’t wish to get involved with plant-level systems, and production personnel who lack IT security expertise. It’s that recognition which led to the development of the other key characteristic of Innominate’s offering, Auto Configuration. The “Plug & Protect” solutions are designed to be entirely compatible with all operating systems, to be entirely transparent to the systems being protected and in no way interfere with them, and to require no changes to existing networks. Most important of all, they don’t require any IT security expertise for their installation and implementation.
The mGuard firmware, now in its fifth release since its original introduction in 2003, has three primary functions: VPN (Virtual Private Network) for secure data transmission in remote service applications; configurable firewall; and, optionally, integrated virus protection. Transparency and invisibility are achieved by mGuard itself having no IP address, but sharing the address of the device which it is protecting, thus ensuring that it cannot itself be attacked. The complementary hardware is based on a special network processor running embedded Linux and comes in a number of configurations which can be incorporated into the protected device at the network cable, integrated as a PCI card or deployed in a top-hat rail mounting version. In addition the mGuard bladePack provides for the protection of up to 12 devices simultaneously or six in hot standby mode. Common to all configurations is the fact that the protected system does not have to be reconfigured, nor driver units or other software loaded. Moreover, the company claims that the operating system never has to be updated again with security patches.
mGuard effectively allows the appropriate level of protection to be applied to each individual device, but the potential administrative burden created by such an approach is mitigated by a rule-based Configuration Manager which, using a graphic network model, allows multiple mGuard systems to be configured. Firewall rules, VPN configurations and NAT settings are then loaded directly on to all devices and activated, and VPN connections, both between mGuard devices and with other vendors’ gateways, are set up and managed.
Blue chip clients
Joachim Fietz is careful not to make direct comparisons with other vendors’ offerings, although he did ask somewhat pointedly whether and where INSIDER had actually seen an installed Tofino, as well as acknowledging that the company had yet to get its hands on a Honeywell Control Firewall. What is clear is that mGuard has persuaded vendors such as Hirschmann and Phoenix Contact, and through them even bigger names, including Emerson Process Management who, we understand, are using the technology with DeltaV, of the futility of developing their own industrial cyber security technology when such a comprehensive solution is already available. With such blue-chip names being added to the customer and partner base, it seems unlikely that Innominate will much longer remain in that peculiarly European category of “best kept secret”—nor that it will be much longer before its European and U.S.-based venture capital backers receive an offer that they find it impossible to refuse.