
Bring cyber security to your operations with Vitesse

November 19, 2024

The threat is real

Cyber attacks have become an important issue for the world of manufacturing and logistics operations.

Even when machines are thought to be disconnected and offline, the danger remains present.

Malicious organisations can be motivated to target your operations for different reasons. They don't target operations because of their fame: many companies that thought they were below the radar because they were "not very famous" got it wrong, and paid a high price for neglecting their information security.

Malicious hackers seek ways to steal or corrupt data, affect operations or block production, typically for a ransom.

Ransomware

Ransomware is a serious and growing issue in the manufacturing sector.

In recent years, the number of ransomware attacks targeting manufacturing has significantly increased. For example, 2020 saw 167 attacks, while 2021 had 148, and though the number dipped in 2022 to 81, attacks in 2023 have started to rise again, with 55 incidents reported by July.

These attacks have caused substantial financial and operational impacts, leading to increased downtime (averaging over 12 days in 2022), which can disrupt production and cause significant losses.

The estimated cost of downtime from ransomware in manufacturing is staggering, with reports suggesting around $46 billion in losses annually due to operational shutdowns. While the actual ransom amounts demanded vary, some high-profile cases saw demands reaching as high as $50 million.

Hybrid warfare

In the context of hybrid warfare, where states or non-state actors use a mix of conventional and unconventional tactics, cyberattacks targeting operations and manufacturing sectors pose significant risks.

In hybrid warfare, manufacturing becomes both a direct and indirect target due to its critical role in national and economic security. A robust cybersecurity posture is essential to mitigate these risks and ensure operational continuity during conflicts.

Espionage and intellectual property theft

Cyberattacks can also aim to steal trade secrets or designs for advanced technologies, including military applications. This weakens a nation’s competitive edge and bolsters adversaries' capabilities.

Intellectual property theft and espionage are significant challenges in the manufacturing sector, which is one of the top sectors targeted for cyber-espionage, with about 27% of breaches linked to espionage activities in recent years. These breaches often target trade secrets, production methods, and blueprints, which can provide a competitive advantage to rivals or nation-states.

IP theft in manufacturing occurs through multiple channels, including unauthorized access, misuse by employees, supply chain vulnerabilities, and cyberattacks.

A more secure approach is needed

Vitesse aims to bring the latest software and security practices to the production floor, including better information security.

The Vitesse leadership team has successfully contributed to building mission-critical connected software solutions for leading manufacturers in the fields of aerospace, automotive and defense for more than a decade.

Vitesse is hosted on Linux and takes advantage of proven containerized services and applications. Vitesse applications are containerized themselves.

Building the Vitesse platform on Linux with containerized services and applications follows many best practices in modern information security (InfoSec), especially when compared to traditional automation control platforms. Containers offer significant advantages in security and flexibility, particularly when isolated from the host system.

Traditional automation systems often run on centralized, embedded systems or isolated, legacy software stacks. These systems can be harder (and sometimes impossible) to patch, upgrade, or secure due to their tightly integrated nature and lack of modularity.

By contrast, our containerized, micro-services architecture allows for easier scaling, isolation, and patching. Vitesse is always ahead in terms of agility and security when compared to legacy industrial control systems.

In August 2024, two of the most digitally advanced global manufacturers shared that “Vitesse is at least a decade ahead of traditional controls providers when it comes to cybersecurity” and “probably 5 years before competitors provide similar agility and ability to deploy distributed systems for operations, which is critical for security”.

Security advantages when using Vitesse and Linux

  • Isolation: Containers provide strong isolation between applications, preventing them from interfering with each other, which improves security compared to traditional monolithic automation platforms.
  • Reduced Attack Surface: Containers tend to be more lightweight, running only essential services. This reduces the attack surface by minimizing the number of processes running on each container.
  • Consistency: Using containers ensures consistency across environments (development, staging, and production), which reduces the chances of misconfigurations that can typically lead to vulnerabilities.
  • Automated Updates & Patch Management: With a containerized approach, Vitesse can easily be rebuilt and redeployed as containers to patch specific vulnerabilities quickly, avoiding the slower patch cycles common in traditional automation systems.
  • Immutable Infrastructure: Containers are often treated as immutable—rather than patching running systems, you simply replace them. This ensures systems remain clean, reducing the risk of security drifts over time.

Recommended Architecture

The Vitesse Gateway is a software application developed to bridge the Operational Technology layer, PLC networks and other networks such as the Information Technology layer. Gateway is a containerized application, and it’s recommended to run it on Linux and ideally in Kubernetes for ultimate security.

The Vitesse controller is an extremely reliable industrial PC that is optimized to run Gateway, to host the overall Vitesse solution, to run any Linux container and to form cost-efficient clusters on edge.  

With its rugged enclosure, built-in power backup and voltage regulation allowing it to run on virtually any DC sources from 12 to 28V, the Vitesse Controller is the ideal compute node for clustering in the fields of operations.  

Secure cluster on edge

For instance, it takes only 3 GALAXY controllers and a managed 4-port switch to create a cost-effective, highly reliable and secure Kubernetes cluster capable of managing the connections to dozens of controllers, multiple databases and several instances of the Vitesse Gateway:

A cluster of Vitesse GALAXY controllers offers reliability, security and performance on edge.

Dedicated gateways

Deployed in the PLC network, the Vitesse Gateway can communicate with your equipment (PLCs, robot controllers, cameras, testers, scanners, etc.) using the native protocol when it’s possible:

Gateway is a rugged, secure and powerful IoT Gateway, ideal to bridge equipment and networks.

GATEWAY can connect to modern and legacy controllers. The insulated USB ports, when enabled, can host adapters such as Modbus or RS485 serial, scanners, printers, etc. Its deported wireless antenna can be used to populate data to a secure, dedicated wireless network, or to create a private Gateway-to-Gateway connection.

It can also use a secured connection with other endpoints or services in a different layer, being white-listed and ideally through a virtual network, so that it can exchange encrypted data through this bridge, and therefore enable specific and monitored communication between different networks.

For instance, Vitesse Gateway is ideal to enable telemetry bottom-up and to receive fabrication orders from an MES, top-down.

Solid network topology

While this isn’t a mandatory model, one successful implementation includes deploying a secure, highly reliable cluster on edge, and using Gateway as the bridge to control and map data between networks. With a managed network switch, this architecture allows our clients to comply with NIS2, NIST and FISMA:

Basic architecture to secure operations layers and their connections to other networks

While Kubernetes clusters are preferred for higher security, using containers on a single Linux computer following essential security practices is already an important step towards better security. This can allow for the hosting of secure applications in the operations and PLC networks.

The Vitesse team is available to assist our customers in increasing their information security progressively.

Managed, updated firewalls

It's critical to use trusted, managed and up-to-date switches and firewalls.

Simple solutions such as a FortiGate firewall by Fortinet offer a cost efficient solution to secure the operations network.

Keeping Vitesse secure

The first commitment of Vitesse is to provide our customers with a secure software solution that is free of known vulnerabilities, and that enables the adoption of the best security tools and practices.

Containerization

Vitesse runs in containers on Linux, which offers some advantages over virtualization, including a more defined perimeter regarding information security, especially when using Kubernetes. The primary advantages are the reduced attack surface and ability to patch software quickly.

Reduced Attack Surface

  • Containerization: Uses lightweight containers that share the host operating system kernel, reducing overhead and minimizing the attack surface compared to full-blown VMs that each have their own OS.
  • Traditional Virtualization: Each VM runs its own OS, which increases the potential for vulnerabilities within each OS.

Faster Security Patching

  • Kubernetes: Container images can be quickly patched and redeployed, minimizing downtime and speeding up the response to vulnerabilities.
  • Traditional Virtualization: Updating VMs often involves patching entire OS environments, which is more complex and time-consuming and requires a re-validation of the entire VM.

Kubernetes is more secure in many cases, but proper configuration and securing the underlying host system are essential, hence the importance of running Kubernetes on a well-managed distribution of Linux.

Third party library scan

All third-party libraries used by Vitesse are automatically scanned for vulnerabilities. We currently use Aqua Security Trivy and Snyk Scan in our Continuous Integration pipeline, and constantly explore and consider other solutions to add to, or replace, the current tools in use. The scan takes less than an hour and runs daily.

Whenever a vulnerability is identified or introduced with a new package, Vitesse remains on the previous version of the package, assuming the vulnerability wasn’t already present in the previous builds, while ways to mitigate the risk are found.

Security patches are typically available from the software vendor within 1 to 8 days.

When a library containing a vulnerability is necessary, the Vitesse engineers identify the entry point and develop a workaround for the potential exploit, combining input validation and code hardening, so that the known vulnerability is unlikely to be exploitable.

The deliverables would still mention the vulnerability with release notes explaining the risk and workaround, so that stakeholders can make an informed decision before deploying this release in the field.
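The triage policy described above, expressed as a CI gate over a Trivy JSON report. This is an added example, not Vitesse's own pipeline code; the severity threshold, the `ACCEPTED` register and the sample findings (placeholder IDs and package names) are assumptions constructed for illustration.

```python
import json

# Constructed report using the field names of Trivy's JSON output
# (e.g. `trivy image --format json`). IDs and packages are placeholders.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "app/requirements.txt", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "examplelib",
             "InstalledVersion": "2.1.0", "FixedVersion": "2.1.1",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "legacyparser",
             "InstalledVersion": "1.4.0", "FixedVersion": "",
             "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "tinyutil",
             "InstalledVersion": "0.9.0", "FixedVersion": "",
             "Severity": "LOW"},
        ]},
        {"Target": "base image"},  # clean targets carry no Vulnerabilities key
    ]
})

# Hypothetical register: findings shipped with a documented workaround.
ACCEPTED = {
    "CVE-0000-0002": "input validated before legacyparser is called",
}

# Assumed threshold; UNKNOWN is included so unrated findings fail closed.
BLOCKING = {"HIGH", "CRITICAL", "UNKNOWN"}


def evaluate(report_json, accepted=ACCEPTED, blocking=BLOCKING):
    """Return (deploy_ok, actions, release_notes) for one scan report."""
    report = json.loads(report_json)
    actions, notes = [], []
    for result in report.get("Results") or []:
        for v in result.get("Vulnerabilities") or []:
            vid, pkg = v["VulnerabilityID"], v["PkgName"]
            if v.get("Severity", "UNKNOWN") not in blocking:
                continue
            if vid in accepted:
                # Ships, but the risk and workaround go into the release notes.
                notes.append(f"{vid} in {pkg} {v['InstalledVersion']}: "
                             f"{accepted[vid]}")
            elif v.get("FixedVersion"):
                actions.append(f"upgrade {pkg} to {v['FixedVersion']} ({vid})")
            else:
                actions.append(f"hold {pkg} at last clean version "
                               f"or add workaround ({vid})")
    return (not actions, actions, notes)
```
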

An example of a containerized application scanned with Snyk Scan. No exploitable vulnerability has been identified and this application can be deployed, with a warning (orange) highlighting that error handling should be improved...

Static code analysis

When new code is written and submitted to the Vitesse codebase, static code analysis checks for anything that could lead to vulnerabilities, such as buffer overflows, uninitialized variables, etc.

As with unit tests, engineers cannot submit code changes into the Continuous Integration pipeline before they have been cleared by the static analyzer.

In addition to scanning dependencies to detect potential vulnerabilities, Snyk also scans our native code using semantic analysis to detect potential bugs and vulnerabilities that our own code could inject into the codebase.

Benefits in numbers

Security Attack Surface

Traditional Platforms:

  • Many legacy automation systems run on tightly coupled, monolithic hardware and software. These systems often expose multiple unnecessary services or protocols that are harder to patch or disable.
  • Established platforms such as Siemens and Allen Bradley use proprietary operating systems, firmware, and communication protocols. In an audit, legacy systems expose 20–30 vulnerable services on average.

Vitesse:

  • Containers running only necessary services reduce the attack surface drastically. By stripping down the container to minimal components only 5 to 10 services may be exposed, and they are isolated within the container. Vulnerabilities are limited to container boundaries.
  • Estimated reduction in attack surface: ~50-70% fewer exposed services due to containerized architecture.

Concrete Benefit: Vitesse can reduce the attack surface by up to 70% compared to traditional platforms, significantly lowering the likelihood of successful attacks.

System Patching & Vulnerabilities

Traditional Platforms:

  • Traditional systems are often not updated as frequently due to the need for planned downtime and complex integration with proprietary systems. These systems may take weeks to months for patches to be developed, certified, and deployed. In practice, industrial environments often see patches delayed by up to 6 months.
  • Vulnerability discovery to patch deployment (mean time) typically ranges from 50 to 180 days.

Vitesse:

  • Built on Linux and container-based systems, Vitesse benefits from a rich ecosystem of continuous security patches. Patches can be applied within days or even hours using our automated CI/CD pipelines.
  • Containerized environments allow for "rolling" updates, meaning downtime can be minimized, and patch deployment can occur without disrupting operations.
  • Estimated patching time (mean time): ~2-8 days for critical vulnerabilities.

Concrete Benefit: Vitesse can reduce patching delays by over 90% compared to traditional platforms.

Incident Response Time

Traditional Platforms:

  • Response to a cyber security incident in legacy systems can be very slow, as industrial automation software lacks built-in security monitoring and logging. It often takes days to weeks to detect and respond to security incidents due to the lack of real-time visibility.
  • For example, an industry report found that response times for incidents involving proprietary systems averaged around 72-96 hours.

Vitesse (Linux & Containers):

  • Linux containers leverage advanced monitoring and intrusion detection systems like Falco or Sysdig, which provide real-time alerting. Incidents can be detected and mitigated in near-real-time, with response times ranging from minutes to hours.
  • Response time for containerized systems such as Vitesse: ~0-4 hours with proper monitoring in place.

Concrete Benefit: Vitesse reduces incident response time by up to 95%, drastically minimizing potential damage and downtime from security breaches.

Costs Related to Security Failures

Traditional Platforms:

  • Due to longer patch cycles and higher attack surfaces, legacy systems face more frequent incidents, which can lead to costly downtime, breaches, or production halts.
  • The average cost of a security breach in industrial systems can be $5 million per major incident, including recovery time, data loss, and production delays.

Vitesse (Linux & Containers):

  • With faster patching, lower attack surfaces, and quicker incident response, Vitesse reduces the likelihood of severe security failures.
  • A containerized platform may reduce security-related downtime by 60-80%, saving millions over time.
  • Cost reduction in major incidents can lead to savings of up to $2-3 million per incident.

Concrete Benefit: By minimizing vulnerabilities and downtime, Vitesse can lower breach costs by up to 60%, potentially saving millions per incident.

Operational Flexibility and Isolation

Traditional Platforms:

  • Legacy systems rely on tightly integrated software and hardware, which makes it difficult to isolate processes or upgrade parts of the system. Any upgrade or security patch typically requires the entire system to be taken offline.
  • System downtime for updates/patches: ~30-50 hours/year on average for traditional automation systems.

Vitesse:

  • Containers enable the isolation of services and applications, making it easy to update individual components without affecting the rest of the system. Rolling updates mean near-zero downtime.
  • Estimated downtime for updates/patches: Less than 5-10 hours/year due to containerized design.

Concrete Benefit: Vitesse can reduce downtime by over 80%, greatly improving operational efficiency and reducing disruptions.

Summary

The above advantages provide Vitesse with unfair security advantages over traditional automation platforms, matching today’s best software solutions:

  • Reduced attack surface: Up to 70% fewer exposed services.
  • Faster patching: Patching delays reduced by 90%, from months to days.
  • Quicker incident response: Incident response times reduced by 95%, from days to hours.
  • Cost savings in breaches: Potential cost reduction of 60%, saving millions per incident.
  • Downtime for updates/patches: Reduced downtime by over 80%, increasing operational uptime.

By adopting modern containerized approaches on Linux, Vitesse demonstrates significant security advantages, making it more secure, flexible, and cost-efficient than the established automation platforms.

These benefits not only provide enhanced security but also contribute to reduced operational costs and improved uptime, critical in high-stakes manufacturing environments.

