By Gregory Hale
In the often jaded, cynical world of cyber security where reactionary thinking often takes hold of manufacturers trying to hold attackers at bay, it is difficult to see progress. But there is.
Take the Russellville, Arkansas Water and Sewer System which replaced a legacy PLC with a Bedrock Automation industrial control system. While replacing one PLC with another may not seem like a big deal, it really is because the system’s board was thinking security first.
“We have a very forward thinking board and we have five intelligent business folks in the corporation that are tuned into issues facing the private and public sector and they asked me if we were looking into the physical and electronic security of our systems,” said Steve Mallett, Jr., P.E., general manager of the City Corporation, which is responsible for the Arkansas pollution control facility. “Previously, we focused on the physical security like fences and gates and cameras. We were looking at security options looking forward and we had a work session and it seemed to fit. One of our existing PLCs went down and we decided to migrate over to the Bedrock controllers. As far as we are concerned, it performs like any other, but it has a layer of security and gives us a little more piece of mind knowing we are not at any risk of cyber attack through that piece of equipment. We may not be able to do it overnight, but we will eventually get to the point where we have Bedrock controllers throughout our facilities.”
Bedrock launched last July and it is an industrial control system that united a basic understanding of current systems, but featured a pin-less, electromagnetic backplane and embedded cyber security. The technology operates like a PLC. The new system addresses control applications with fewer than a dozen part numbers, which cuts down on cyber attack vectors, cuts lifecycle costs and looks at simplifying engineering, commissioning and maintenance.
“As a municipality with a lot of water and wastewater expansion over the years we have a variety of controllers in place, different brands, different manufacturers, different integrators with different programming styles, so there is a variety of equipment out there, said Dee Brown, PE of Brown Engineers, a Bedrock Certified Solution Provider. “We see it as an opportunity to think about protecting the utility and to standardize on a nice control system platform that can serve them for many years to come.”
“We probably have 10 controllers over at the water plant, five over at the sewer facility and anther 35 to 40 at our remote sites,” Brown said. “There are quite a number of controllers throughout the water and sewer systems.”
Thinking more about a proactive security plan compared to the reactionary approach manufacturers often take is a bold step forward for a small community water company. So along those lines, the idea of rolling out one security-focused PLC and bringing out more in a phased approach seems appealing to Mallett.
“We have one board member that is a retired three-star Army general that worked in intelligence and he has a much better understanding of the types of threats people are facing,” Mallett said. “He felt it was imperative to shore up our security system physically and through cyber security.”
One of the other thoughts the board member had, Mallett said, was he wants to make sure there is no way the current system can act as a pivot point into other systems that may interact with the plant.
“He wanted to make sure there was no way to access any other business through our system,” Mallett said. “So there would be no chain reaction in any kind of attack. He wanted to make sure our system was safe.”
In terms of adding security to systems, one of the fears for operators is learning new languages and new terminology. Brown said that was not an issue when they implemented the new device.
“We have an Ignition HMI system and so it had all the standard protocols including OPC UA which is native to Ignition and native to Bedrock,” Brown said. “So, compatibility-wise that was easy. We also had programmers that are familiar with the CODESYS programming language and being able to implement that for Bedrock was not difficult at all.”
Although it is performing essentially the same function as the legacy PLC, the Bedrock system is different.
It uses an electromagnetic backplane instead of a traditional pin-based backplane. The electromagnetic backplane eliminates pin corrosion and breakage, which should improve long term reliability and also enable embedded security by preventing the possibility of using counterfeit I/O modules. It also creates a galvanic isolation barrier between field wiring and the controller and provides a high performance, deterministic I/O update rate to support current functionality and additional planned expansions.
The new system is also different from the legacy PLCs in the following ways:
• The Bedrock system runs a military-grade safe and secure real-time operating system, further embedding security into the software and firmware used to control the facility
• It can operate from 90-260VAC or DC power without fans or DIP switches for simplicity and robustness and embeds standard, open system technologies including OPC UA, a fully compliant IEC61131-3 programming environment and standard Ethernet support at the control and I/O networks
• The Bedrock system consists of only a dozen part numbers, reducing installation and maintenance costs
• The system is scalable for more advanced control functions, such as serving as a SCADA Remote Transfer Unit (RTU) or distributed control system (DCS)
In an environment where the same old technology often wins out and change often ends up scoffed at, there are choices to move into new technology that enables a more secure system.
“Cyber security is a part of our world now and it is not going to go away, so we thought we should be proactive and not reactive if there is a controller on the market that can allow us put away those fears that would allow us rest easy at night knowing we are not at risk for an attack,” Mallett said. Why not take advantage of the technology?”