Emerging on the automation technology scene less than five years ago, Bedrock Automation has been a visible and vocal advocate for greater industrial control system security. From the start, the company has focused on the embedded hardware that enables its products' open and secure capabilities—in particular, the secure ARM processing in its controller, I/O and power modules.
Since then, the company’s core messaging has revolved around the public key infrastructure (PKI) functionality designed into Bedrock Automation products’ computing core, which is sealed in all-metal, anti-tamper housing. According to Bedrock, the crypto keys in its products’ root of trust are authenticated by Bedrock’s certificate authority (CA) and use advanced signing and encryption technologies—like those used by secure military, aerospace and online financial transaction systems.
More recently, the company announced that its OSA (Open Secure Automation) remote controller had achieved Achilles Level 2 certification—signifying that the device has passed a series of tests, primarily demonstrating it’s ability to withstand denial of service (DoS) attacks while maintaining control of output variables. Other attack vectors tested for the Achilles certification include unauthorized access to the control system hardware, software and applications.
While visiting Bedrock Automation founder and CEO Albert Rooyakkers at the ARC Industry Forum 2019, he showed me the company’s forthcoming OSA Proxy device. The planned release date for the device is Summer 2019. Rooyakkers said this device is a firewall type of system that allows customers to secure legacy devices behind Bedrock's root of trust technology.
In addition to the embedded Bedrock PKI, the OSA Proxy also connects to industrial protocols such as Modbus, EtherNet/IP, and Common Industrial Protocol (CIP) and can translate these legacy protocols in real time to open and secure communications standards including OPC UA and MQTT.
Speaking of MQTT, Bedrock also announced at the ARC Industry Forum that it now offers a secureimplementation of the Cirrus Link Sparkplug B protocol in its OSA Proxy and OSA Remote. Bedrock explains that the Sparkplug specification defines how edge of network gateways, native MQTT-enabled end devices, and MQTT applications communicate bi-directionally within an MQTT infrastructure, and include support for complex data types, datasets, lower bandwidth requirements, and access to historical data.
Bedrock Automation says its Sparkplug B implementation is the only MQTT authentication and encryption agent providing a secure root of trust built on an intrinsically secure control platform.
The Proxy also features built-in anomaly detection on all of its ports to monitor traffic across the control network. This feature is enabled by the device’s 64-bit, quad-core processor, which allows for advanced cyber analytics of end-user applications.
“These features provide cyber defense for a legacy control network at minimal cost and complexity;,and it helps avoid the need for rip and replace,” said Rooyakkers.
Looking at the OSA Proxy and OSA Remote while speaking with Rooyakkers at the ARC event, it struck me that the form factors of both devices were very similar. The most obvious differences were the connection port types. He explained that this similarity is not by accident, and that this form factor for the two devices is actually a hardware platform design that Bedrock will continue to use for other forthcoming products.
“It fits in your hand and can be installed just about anywhere,” he said.
Despite the outward similarities of the two devices, Rooyakkers stressed that the OSAProxy is not a (remote terminal unit) RTU like the remote controller. "It’s an edge platform that can perform PLC-like functions, but with the power of blade server—with gigabytes of RAM and terabytes of storage," he said. "The Proxy talks to both IT and OT systems; it sits in between the two—above the PLC or DCS—and connects the controller data to the IT network. It's basically a device for gateway conversion of PLC data to the IT realm.
Rooyakkers said learning how to operate the OSA Proxy only requires about 15 minutes of training. “It provides ‘intelligent isolation’ of the downstream control networks with no configuration or maintenance required. It’s an intrinsic white-listing device that automatically white-lists all trusted devices on the control network; and any changes that are made in the PLC database get changed in the MQTT or OPC UA database. This device is designed so that OT owns it, not IT. This means you don't have to do IT maintenance in an OT environment.”