Here’s a scary headline: “BlackEnergy crimeware coursing through US control systems.”
That’s from a report on a security vulnerability discovered in the Internet-connected pieces of industrial infrastructure that control things like electricity generation and water systems.
A Seattle startup says its technology, first developed to help secure robotic tooling on Boeing’s 777 assembly lines, can help.
Tempered Networks is relying on a little-used networking protocol to “orchestrate” components of industrial systems and limit communication to trusted entities only, said former Boeing network security expert David Mattes, who co-founded the company with F5 Networks founder Jeff Hussey.
“What we can do with orchestration is manage trust very effectively to block out the 99.9 percent of background radiation of communications that systems are exposed to, and only allow communications from other entities that are explicitly trusted,” Mattes said.
Industrial customers such as oil refineries are trying to balance the need to access, monitor, and control systems over a connected network, while also isolating those systems from the broader Internet, where they are vulnerable to things like BlackEnergy – malware that targets the human-machine interfaces for systems from companies including GE and Siemens.
It was the subject of an alert last week from the Department of Homeland Security.
Mattes began working on this problem within Boeing’s research and development organization in the mid-2000s.
“Boeing, as you can probably guess, is pretty much the World Cup of state-sponsored and recreational espionage and hacking,” he said. “It’s a prime target.”
Those threats only intensified for the aircraft maker—as they have for other industrial companies, utilities, and critical infrastructure operators—as more of its manufacturing equipment became directly connected to enterprise networks, Mattes said.
“As the perimeter networks became more porous and the awareness of these threats became greater, people realized, ‘We’ve got to do something,’” he said. “These manufacturing systems are the revenue-generating components of the business.”
It started with mobile robotic crawlers that move large pieces of the 777 fuselage around the factory floor.
They needed to be connected, via wireless networks, to each other, to supervisory and data-collection stations, to engineers, and to outside vendors, among others.
Yet they also had to be secure, given that each hour of downtime in the 777 plant cost about $4 million, Mattes said.
Rather than go to the IT department in search of a fix just for the crawlers, Boeing tasked Mattes and other colleagues in research and development with finding a solution that could address this general class of problem—the tension between connectivity and security of industrial equipment.
It’s a problem that is becoming more widespread with the proliferation of Internet-connected devices.
“There was a lot of desire to see commercial products emerge around this capability, and so a lot of my work and my colleagues’ work at Boeing was focused around making sure that what we were building at Boeing was also applicable industry-wide, and we did that through participation in standards organizations,” Mattes said.
These include standards supported by the Trusted Computing Group, Internet Engineering Task Force, and International Society of Automation.
Fast-forward to 2012. Mattes left Boeing—just in time, given the cuts to its Puget Sound research engineering workforce—and founded a company, originally called Asguard Networks, to further commercialize this technology.
Mattes met Hussey in April of this year. Hussey is CEO of the renamed Tempered Networks, which has about 15 employees—including former Boeing engineers—working from offices in Seattle’s Queen Anne neighborhood. The company said Hussey has raised $2 million in seed funding this year from unnamed angel and institutional investors.
Tempered Networks sells a networking appliance called a HIPswitch—named for the Host Identity Protocol, which identifies hosts by cryptographic keys rather than IP addresses and which the appliance uses to admit traffic only from trusted peers—that secures individual pieces of infrastructure while still allowing them to communicate across a network. A central server handles the “orchestration” across the network. A basic setup—enough for an enterprise to “get its feet wet” with the technology, Mattes said—runs nearly $10,000, plus annual maintenance and service fees.
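The trust model described above (an orchestrator that pushes explicit trust relationships to gateways, and gateways that drop everything else) can be sketched in a few dozen lines. The following is an added illustration written for this article, not Tempered Networks' code, and it does not implement the real Host Identity Protocol wire format: the Host Identity Tag is simplified to a truncated SHA-256 of the public key, and the orchestrator handing out a shared HMAC key is an assumption standing in for HIP's key exchange. What it shows is the deny-by-default behaviour: a message is forwarded only if the sender's identity is on the receiver's allow-list and the message authenticates under that identity, and every rejection is logged for the security team.

```python
"""Deny-by-default, identity-based forwarding (added example, not the vendor's code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

HIT_BYTES = 16  # simplified: first 128 bits of SHA-256(pubkey); real HIP uses an ORCHID encoding


def hit_from_pubkey(pubkey: bytes) -> str:
    """Host Identity Tag: a fixed-size fingerprint of the host's public key."""
    return hashlib.sha256(pubkey).digest()[:HIT_BYTES].hex()


@dataclass
class HIPSwitch:
    """Gateway in front of one device; forwards only explicitly trusted, authenticated traffic."""
    name: str
    # constructed stand-in for a real key pair (assumption)
    pubkey: bytes = field(default_factory=lambda: os.urandom(32))
    allowed: set = field(default_factory=set)          # peer HITs the orchestrator trusts for us
    session_keys: dict = field(default_factory=dict)   # peer HIT -> shared key (assumption, see lead-in)
    dropped: list = field(default_factory=list)        # (reason, claimed sender HIT) for the SOC
    delivered: list = field(default_factory=list)

    @property
    def hit(self) -> str:
        return hit_from_pubkey(self.pubkey)

    def send(self, peer: "HIPSwitch", payload: bytes) -> tuple:
        """Authenticate a payload to a peer we have a relationship with."""
        key = self.session_keys[peer.hit]
        tag = hmac.new(key, self.hit.encode() + payload, hashlib.sha256).digest()
        return (self.hit, payload, tag)

    def receive(self, msg: tuple) -> bool:
        """Policy check first (no crypto for strangers), then authentication."""
        sender_hit, payload, tag = msg
        if sender_hit not in self.allowed:
            self.dropped.append(("untrusted-identity", sender_hit))
            return False
        key = self.session_keys.get(sender_hit)
        if key is None:
            self.dropped.append(("no-session-key", sender_hit))
            return False
        expected = hmac.new(key, sender_hit.encode() + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            self.dropped.append(("bad-auth", sender_hit))  # spoofed identity or tampered payload
            return False
        self.delivered.append((sender_hit, payload))
        return True


class Orchestrator:
    """Central server that decides which identities may talk to which."""

    def __init__(self):
        self.switches = {}

    def enroll(self, sw: HIPSwitch) -> None:
        self.switches[sw.hit] = sw

    def allow(self, a: HIPSwitch, b: HIPSwitch) -> None:
        """Establish an explicit, bidirectional trust relationship (and a shared key)."""
        key = os.urandom(32)
        for x, y in ((a, b), (b, a)):
            x.allowed.add(y.hit)
            x.session_keys[y.hit] = key


def demo() -> tuple:
    """Constructed scenario: one trusted pair plus an untrusted host probing the station."""
    orch = Orchestrator()
    crawler = HIPSwitch("crawler-1")
    station = HIPSwitch("supervisory-station")
    stranger = HIPSwitch("internet-scanner")
    for sw in (crawler, station, stranger):
        orch.enroll(sw)
    orch.allow(crawler, station)  # the only relationship the orchestrator permits

    # 1. trusted peer, genuine message: forwarded
    ok_trusted = station.receive(crawler.send(station, b"position=bay-12"))
    # 2. unknown identity: dropped by policy before any cryptographic work
    ok_stranger = station.receive((stranger.hit, b"hello", b"\x00" * 32))
    # 3. stranger claims the crawler's identity but cannot produce a valid tag: dropped
    ok_spoof = station.receive((crawler.hit, b"move", b"\x00" * 32))
    return ok_trusted, ok_stranger, ok_spoof, [reason for reason, _ in station.dropped]


if __name__ == "__main__":
    print(demo())
```

The ordering inside `receive` is the point Mattes makes about "background radiation": anything not on the allow-list is discarded without even being authenticated, so unsolicited traffic from the wider Internet costs the gateway almost nothing, while the `dropped` log gives operators a record of who tried.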