Bedrock Automation has announced a newly upgraded control system firmware that extends its intrinsic cyber security protection to networks, the Industrial Internet of Things (IIoT) and third-party applications.
Bedrock Cybershield 2.0 firmware not only enables authentication and encryption of I/O networks and field devices, it now also protects compliant networks and user applications such as controller configuration, engineering and SCADA. It achieves this with the world’s first industrial control system (ICS) certification authority (CA) – drawing on the power and flexibility of public key infrastructure (PKI) and Transport Layer Security (TLS). Bedrock Automation also announced today a controller that enables end users to obtain customized, company-specific root keys and certificates.
With the inclusion of more than 40 intrinsic technologies, the Bedrock Open Secure Automation (OSA) platform initially delivered on two fundamentals of cyber defense: a secure control platform and secure component supply chain. The resulting endpoint root of trust leverages hardware-based secret root keys and certificates for advanced cryptographic authentication of Bedrock hardware and software components, which are further fortified with layers of anti-tamper protection.
“Our first objective was to deliver a hardware-based endpoint root of trust, which we did with the Cybershield 1.0, which was built into last year’s product release. Cybershield 2.0 is our next giant leap. It validates our built-in versus bolted-on technologies and is forward and backward compatible. This 2.0 firmware upgrade demonstrates how we continuously enhance intrinsic defense and lead the digital convergence of OT cyber security with enterprise class technologies,” said Bedrock founder, CTO and VP of Engineering Albert Rooyakkers.
Attempting a similar level of protection with conventional, bolt-on technologies increases operational cost and complexity with minimal certainty of protection against inside-out or outside-in attacks like Stuxnet or stolen credentials. Because cyber security hardening is a standard feature of all Bedrock system components, the cost of obtaining this protection with Bedrock is negligible.
Bedrock Automation created the Bedrock OSA as both an open and a secure platform for hardware, networks and software. Software developers who want to take advantage of this opportunity can now receive certificates of authorization (CAs) to incorporate Bedrock encryption keys into their software, which will give their programs secure access to Bedrock controllers. Several leading software providers are releasing or testing this secure integration. The first cyber secure software partners include 3S of Germany, with its IEC61131 configuration and runtime engines now running over TLS with authentication to the Bedrock system root of trust, as well as a Field Device Tool (FDT) frame application by M&M Software for HART configuration. This will be followed closely with Inductive Automation’s Ignition SCADA and other SCADA partners later this year.
“The increasing adoption of OPC UA, IEC61131-3 and Ethernet standards lays a key foundation for operational and information technology domain convergence,” said Don Pearson, Chief Strategy Officer of Inductive Automation. “Everyone stands to benefit from improved communication among people, devices and applications, but overcoming related cybersecurity concerns has taken on new urgency for many. Just as Ignition introduced a visionary SCADA paradigm, Bedrock is revolutionizing control systems-based cyber security. We applaud them for taking a leadership role in this important endeavor, and we look forward to collaborating with the introduction and evolution of the first intrinsically cyber secure SCADA that leverages this visionary technology.”
Bedrock Automation also announced today an option for users who want to increase protection of their IP, infrastructure and human resources by restricting access to only registered, company-controlled assets. The SCC.X Controller is injected at factory birth with company-unique root keys and certificates, effectively limiting connections to company-mandated, approved devices.
Managing the human factor is key to comprehensive ICS cyber security. At this week’s ARC Forum in Orlando, FL, Bedrock Automation will demonstrate early technology to extend intrinsic cyber outside the machine through multi-factor authentication with smart cards, biometrics and role-based access management authenticated to the root of trust inside the machine. These features will be available in subsequent Cybershield releases this year.
“ARC is not aware of any other supplier implementing a cyber strategy as stringent and comprehensive. In examining the current portfolio, the Bedrock engineers and architects are tackling cybersecurity in a more intrinsic and holistic fashion than many end users have considered. The message? Air gaps and firewalls are not enough,” said ARC Analyst Mark Sen Gupta in his recent ARC View report, “Bedrock Automations Cyber Defense Makes Cyber Security Easier for End Users.”
Cybershield 2.0 is available and will be standard in all Bedrock systems going forward. Current customers receive it through a firmware upgrade. Customers who want to apply Bedrock technology in maintaining their own custom root of trust can do so by specifying the Bedrock SCC.X Controller at time of purchase. Software developers who want to release applications on the Bedrock OSA platform should contact Bedrock Support. Availability of smart cards and biometric technology will be rolled out through 2017.