Application Security Testing: An Integral Part of DevOps
Predix is an industrial IoT platform designed for the unique and complex challenges of industrial data. General Electric (GE) initially created Predix to serve the devices of its own businesses, which span more than 10 industries, from aviation to utilities. In fact, Predix began as a tool to monitor the products GE had sold.
Geared towards industrial instruments, Predix provides a Cloud-based PaaS (platform as a service), which enables industrial-grade analytics for operations optimization and performance management. Moreover, it connects data, individuals, and equipment in a standard way.
Predix is one of a number of IoT platforms that made the Codeguru list of top IoT platforms. In evaluating Predix, the structure recommended in "Top IoT Platforms for Developers" was used, which will make it easier for you to compare the various IoT platforms.
IoT Hardware Support
The Predix Kit is a hardware and software bundle designed to easily and quickly connect industrial assets. Developers can use the Predix Developer Kits as a quick, affordable on-ramp to Predix.
The process of connecting industrial assets can be burdensome. It often can take hours to set up boards, download Edge software, create an asset model, build visualization screens, and so forth. With a simple, intuitive setup process and a pre-configured set of asset models, charts, and other tools, Predix Kits can reduce that time to less than 15 minutes, according to GE.
GE plans to release a variety of industry-specific kits in the months ahead, but their developer kit already is equipped with all of the basic components developers need to start building with Predix, including:
- Configuration with Raspberry Pi, Intel Edison, and GE Field Agent (for more secure, ruggedized, industrialized use cases)
- Compatibility with GE and non-GE assets
- Utilizes Predix Edge microservices
- Connected to Predix Time Series, Predix Asset, and UAA cloud microservices
IoT OS Support
The Predix developer kit comes with its own Machine SDK that includes:
- The Predix Machine Eclipse-based SDK, which has plug-ins for developers who want to develop applications for Predix Machine running in Docker containers
- The Edge SDK for developing applications in various languages that run in Docker containers and communicate with the Docker container-based Predix Machine through the Data Bus
There are SDKs for Windows, Mac OS X, Linux, and CentOS.
Key Sensor Support
GE has bet big on the Industrial Internet, which is the convergence of industrial machines, data, and the Internet. The company is putting sensors on gas turbines, jet engines, and other machines; connecting them to the Cloud; and analyzing the resulting flow of data. The goal is to identify ways to improve machine productivity and reliability.
GE has long had the ability to collect machine data: Sensors have been riding on GE machines for years. But these pre-Internet of Things (IoT) sensors were used for real-time operational performance monitoring, such as displaying a pressure reading on a machine, not to collect data. In those days, a technician would often take a reading from a machine to check its performance and then discard the data.
By using Predix, you can communicate with your existing systems via Modbus and configure Predix Machine to talk to the sensors on your equipment. Predix Machine communicates with your equipment via Modbus and then pushes the data to the cloud via HTTPS or WebSocket.
GE recommends pushing your data to the Predix Cloud if you want to aggregate data from various locations.
Developers can deploy Predix Machine in a factory, or on the edge, near equipment. It can act as a gateway to collect data from machines, and push to the Cloud.
The machine adapter module of Predix Machine can only read data from devices that support the OPC UA, Modbus, or MQTT protocol.
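To make the Modbus leg of that path concrete, here is an added example (not code from Predix or from GE) of what a gateway has to do with a Modbus TCP "Read Holding Registers" response before forwarding it as a time-series sample: check every length field against the bytes actually received, recognise an exception response, and only then map the registers onto named tags. The frames and tag names are constructed for the example; the field layout (MBAP header, function code, byte count, big-endian registers) is the standard Modbus TCP one.

```python
import struct

# Constructed sample: a Modbus TCP "Read Holding Registers" (function 0x03)
# response from unit 1 carrying two 16-bit registers, 0x0102 and 0x0304.
# MBAP header: transaction id 1, protocol id 0, length 7, unit id 1.
SAMPLE_RESPONSE = bytes.fromhex("00010000000701030401020304")

# Constructed sample: an exception response (function code with the high bit
# set, exception code 0x02 = illegal data address).
SAMPLE_EXCEPTION = bytes.fromhex("000200000003018302")

READ_HOLDING_REGISTERS = 0x03


def parse_modbus_tcp_response(frame: bytes) -> dict:
    """Parse one Modbus TCP ADU and return its fields, rejecting inconsistent frames.

    Every length field is checked against the bytes actually received, so a
    truncated, padded or corrupted frame raises ValueError instead of yielding
    garbage register values downstream.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}; Modbus TCP uses 0")
    # 'length' counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match {len(frame) - 6} received bytes")
    function = frame[7]
    pdu = frame[8:]
    if function & 0x80:  # exception response: one byte of exception code
        if len(pdu) != 1:
            raise ValueError("malformed exception response")
        return {"transaction_id": tid, "unit_id": unit,
                "function": function & 0x7F, "exception_code": pdu[0]}
    if function != READ_HOLDING_REGISTERS:
        raise ValueError(f"function 0x{function:02x} not handled by this parser")
    if not pdu:
        raise ValueError("missing byte count")
    byte_count, data = pdu[0], pdu[1:]
    if byte_count != len(data) or byte_count % 2 != 0:
        raise ValueError(f"byte count {byte_count} inconsistent with {len(data)} data bytes")
    registers = list(struct.unpack(f">{byte_count // 2}H", data))
    return {"transaction_id": tid, "unit_id": unit,
            "function": function, "registers": registers}


def to_time_series_point(parsed: dict, tag_names: list, timestamp_ms: int) -> dict:
    """Map parsed registers onto named tags, the shape a gateway would forward to the cloud."""
    if "registers" not in parsed:
        raise ValueError(f"cannot build a sample from exception code {parsed.get('exception_code')}")
    if len(tag_names) != len(parsed["registers"]):
        raise ValueError("tag list does not match register count")
    return {"unit": parsed["unit_id"], "timestamp": timestamp_ms,
            "values": dict(zip(tag_names, parsed["registers"]))}


if __name__ == "__main__":
    parsed = parse_modbus_tcp_response(SAMPLE_RESPONSE)
    print(parsed)
    print(to_time_series_point(parsed, ["pressure_kpa", "temp_c"], 1_600_000_000_000))
    print(parse_modbus_tcp_response(SAMPLE_EXCEPTION))
```

The point of the strict length checks is that register values feed analytics and alarms downstream; a frame that is one byte short or long should be dropped and logged at the gateway rather than silently decoded into a wrong pressure or temperature.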
IoT Data Considerations
It didn't take long for GE engineers to realize that they could find interesting and unique patterns in the data. They thought the patterns of sensor data could be used to provide an early—albeit weak—signal of future performance problems and better predict when its machines should be scheduled for maintenance. In early 2013, GE began to use Predix to analyze data across its fleet of machines. By analyzing what differentiated one machine's performance from another—what made one more efficient, for example—GE could more tightly hone its operations.
Predix provides out-of-the box analytic models to develop analytic applications and workflows. You can subscribe to, configure, and deploy these analytics in your own Analytics Library to solve your use cases and shorten the time to market.
- Anomaly Detection
- Data Exploration and Preprocessing
- Text Analytics
- Text Mining
- Time Series
- Feature Engineering
- Machine Learning
- Network Analysis
- Optimization Methods
- Predictive Models
- Quality Control
- Signal Processing
- Statistical Methods and Analysis
IoT Security Considerations
The data that flows between big machines tends to be highly sensitive, heavily regulated, and extremely valuable. The deep interconnectivity between the machines—the very thing that makes the Internet of Things so powerful—can make them vulnerable to cyber attacks. That's why integrating security into every part of your IoT apps is essential.
Predix employs customer asset and data classification guidelines to enforce security. Predix also works closely with developers should the data require an additional level of protection or special handling. Predix protects data by maintaining strict isolation between production and development environments. Security policies at multiple layers are applied to limit access to users who possess a legitimate business need for such access. Additionally, data is de-identified where needed and transmitted in encrypted form using Transport Layer Security (TLS) and tokenization.
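The paragraph names three things a gateway-side developer can actually implement: de-identify the sensitive fields of a reading, keep the mapping back to real identifiers local, and push the result over a properly verified TLS connection. The following is an added example of those three steps, not Predix code and not the platform's tokenization service; the keyed-HMAC token scheme, the field names, the sample reading and the key are all assumptions constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
import ssl

# Constructed sample reading as an edge gateway might collect it. The asset
# and site identifiers are treated as sensitive; the measurements are not.
SAMPLE_READING = {
    "asset_id": "TURBINE-0042",
    "site": "plant-north",
    "timestamp": 1600000000000,
    "pressure_kpa": 258,
    "temp_c": 77,
}
SENSITIVE_FIELDS = ("asset_id", "site")


class Tokenizer:
    """Replace identifiers with keyed, deterministic tokens; keep the reverse map locally.

    The token is an HMAC-SHA256 of the value under a secret key, so the same
    asset always maps to the same token (time series can still be grouped by
    asset in the cloud) while the raw identifier never leaves the gateway.
    The vault that maps tokens back is the only place re-identification is
    possible, so it stays on-prem with the key. (Assumed scheme for the example.)
    """

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("tokenization key must be at least 32 bytes")
        self._key = key
        self._vault: dict = {}

    def tokenize(self, value: str) -> str:
        token = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:24]
        self._vault[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]


def deidentify(reading: dict, tokenizer: Tokenizer, fields=SENSITIVE_FIELDS) -> dict:
    """Return a copy of the reading with every sensitive field replaced by its token."""
    out = dict(reading)
    for field in fields:
        if field in out:
            out[field] = tokenizer.tokenize(str(out[field]))
    return out


def make_client_tls_context() -> ssl.SSLContext:
    """TLS client settings for the push to the cloud: certificate verification on,
    hostname checking on, nothing older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def serialize_for_upload(reading: dict, tokenizer: Tokenizer) -> bytes:
    """The payload that would be written to the TLS socket: de-identified JSON."""
    return json.dumps(deidentify(reading, tokenizer), sort_keys=True).encode("utf-8")


if __name__ == "__main__":
    # Constructed key for the demo; in practice it comes from a key store, never from source.
    tk = Tokenizer(secrets.token_bytes(32))
    print(serialize_for_upload(SAMPLE_READING, tk).decode())
    print("TLS minimum version:", make_client_tls_context().minimum_version.name)
```

Deterministic tokens are a deliberate trade-off: analytics in the cloud can still correlate all readings from one asset, but anyone holding only the uploaded data cannot recover which physical turbine at which site produced them without the key and the vault.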
Predix product security is fundamentally about protecting the applications and services that make up the Predix platform, ecosystem, and sensitive data. The Secure Development Lifecycle (SDL) framework serves during the development process to secure Predix applications and services. Predix especially empowers you, the developer, to:
- Apply the appropriate architecture and design
- Understand threats and choose the right controls for protection
- Conduct proper security testing
- Remediate vulnerabilities before production deployment
Predix employs industry-leading technical controls at the infrastructure, network, and platform layers to ensure threat mitigation capabilities meet stringent requirements and are highly effective. Predix understands that, as a developer, you need to work with isolated environments. As such, Predix utilizes virtualization technologies at specific layers to ensure that application runtimes are separated from the operational and control elements in the network. This separation allows the user and application interactions to be monitored from the specific application instance and user, in and out of the Internet, and through all the services. Predix regularly audits its network security posture and specific technologies to verify they are compliant with policies and technical standards, and has implemented penetration testing procedures to further validate effectiveness of the applied controls.
The Predix vulnerability management program identifies vulnerabilities that may affect the platform and performs rapid remediation and mitigation to reduce exposure to them. The program maintains a network of recognized security researchers dedicated to continually evaluating the platform for vulnerabilities and identifying potential threats. The integration between the cyber research team and vulnerability management functions enables the rapid and focused remediation of critical issues to ensure that the platform is secure.
Predix Third-Party Security and Risk Management Services ensures that vendors implement stringent security controls to protect sensitive data. Predix Third-Party Security assesses GE vendors, third-party vendors, and their sub-vendors. Predix is built on a common infrastructure governance model based on ISO 27001/2, NIST 800-53, and FIPS 140-2. This common "matrix" of controls is mapped to the Cloud Security Alliance Cloud Controls Matrix and enables Predix to support compliance to over 60 national, international, and governing body regulations. Predix Security Assessors maintain IT security certifications, including but not limited to CISSP, CISM, CISA, CRISC, CEH, CSOE, CHP, GPEN, and CPT. The Predix Assurance Program continuously assesses security hygiene, spanning from policy and technical security standards and controls to application and server configurations, including virtual environments, physical data centers, applications, databases, networks, and host servers.
The Predix Edge-to-Cloud strategy encompasses a scalable and resilient architecture where security is inherent at all phases and layers. By ensuring any embedded or on-prem software follows "security by design" principles and development practices, Predix extends protection to devices beyond the Cloud, running mission-critical analytics, industrial control systems (ICS), manufacturing, and other industrial IoT and critical infrastructure.
GE believes that security starts with establishing identities of things for objects of interest—including people, devices, applications, and data—defining relationships for those objects, and enforcing appropriate controls for how these identities access resources. Predix therefore supports mechanisms to prove identities, create roles, and effectively authenticate and authorize access while privileged accounts are further contained and managed. In addition, Predix offers User Account and Authentication and Access Control services to help secure applications and services.
Reliable encryption ensures that data is secure at rest and in transit. Predix encrypts at different layers of the platform to ensure that data is exposed on a need-to-know basis. Predix supports hardware security modules, key management systems, and public and private key infrastructures to effectively protect and manage keys. In addition, the Predix platform provides APIs to integrate encryption and data protection with any of the services developed or deployed in the Predix environment. Credential Store services help secure applications and services.
Development and Deployment Considerations
Cloud Foundry is an open source cloud platform used by many Fortune 500 companies. GE Digital uses Cloud Foundry as the foundation of the Predix cloud.
At the time GE first set out to develop Predix, they couldn't find a Cloud platform that could handle the velocity, variety, and volume of industrial data from millions of machines. Most Cloud platforms were built to handle enterprise data such as that generated by systems of record and systems of engagement. In addition, they weren't originally designed for industry's security and reliability requirements. Finally, general business platforms didn't offer the tools industrial developers need to work efficiently and cost effectively.
They chose Cloud Foundry as the initial foundation for the Predix cloud for several reasons. First and foremost, Cloud Foundry provides the flexibility needed to tailor their implementation to deliver the reliability, scalability, and security demanded by the IoT.
Cost and Licensing of IoT Platforms and Solutions
Predix offers two types of accounts: Individual and Enterprise:
- Individual Accounts are available for single access point developers; in other words, this type of account allows only one account owner and user of Predix services. Individual Accounts are available from 4GB (free) to 10GB (paid) memory plans.
- Enterprise Accounts allow the account owner to act as the master Administrator and grant access to a team of users. Enterprise Accounts are available from 25GB up to 3TB memory (all paid plans). All services outside of the basic memory plans are available in both Individual and Enterprise Accounts (for example, Time Series).
Predix offers a free 4GB memory plan and paid 10GB memory plan for Individual Accounts. Predix accounts are also subject to charges if Services, Analytics, and/or Apps are added to your account that are not listed as free and have associated usage.
The amount of memory that is available for usage is capped at the memory enrollment level and can be increased by request to Predix Support (go to http://predix.io/support/ and select the File a ticket option). Your account memory enrollment level will not increase or decrease based on memory usage, but your applications and usage will stop running if the memory goes beyond your enrollment level (for example, 52GB is used on a 50GB plan).
Predix products have either tiered or fixed pricing structures. All accounts have memory plans, called Predix.io on your monthly invoice, which charge a set of monthly recurring fees based on the amount of memory purchased.
Charges for Services, Analytics, and/or Apps have tiered or fixed pricing, based on the plan(s) on the Predix.io Catalog page. Tiered pricing plans are paid based on your usage of Services, Analytics, and/or Apps. When an account is invoiced, the Usage section reflects how many units were used and what the cost is. Pricing tiers can be viewed on the Predix.io Web site by clicking the Catalog link and reviewing the information on the appropriate Services, Analytics, and/or App page.
Company: General Electric
- Edge-to-Cloud platform
- Digital twin
- Analytics and machine learning
- Applications catalog
- Developer productivity
- DevBox: a CentOS virtual machine with the tools and environment set up to start coding, including the Cloud Foundry CLI, the User Authentication and Authorization (UAA) CLI, git, Maven, Java, Node.js, Ruby, Python, RabbitMQ, and Predix Machine 16.x
- Predix Developer Kit
OS: Predix development is supported on Windows, Mac, and Linux.
Languages: The languages inherently supported are Java, Node.js, .NET Core, PHP, Python, Ruby, and Go. It also has support for frameworks such as Grails, Java Main, Play Framework, Spring Boot, and so on.
Predix Machine does not provide memory management-related directives to the Java Virtual Machine (JVM), allowing the Ergonomics feature in the JVM to make intelligent choices that it can tune dynamically. The JVM makes these choices based on the class of the server Predix Machine is installed on, which in turn is determined by the total available memory, the number of CPUs, and platform architecture (32-bit or 64-bit).
In the absence of explicit command line parameters specifying memory allocation, the JVM determines the minimum and maximum heap sizes at start-up, and ensures that the usage stays between these limits, growing and shrinking the committed heap allocation as necessary. For example, Java 7 and 8 set the minimum heap size to 1/64 of available physical memory, and the maximum heap size to 1/4 of available physical memory up to 1 GB, for a 32-bit system with two or more CPUs and 2 or more GB of RAM. The default maximum heap size can be up to 32 GB on a 64-bit system with 128 GB RAM or more.
Therefore, on a 64-bit Linux server with 64 GB RAM and 16 CPUs, Predix Machine (or any Java process that does not explicitly specify heap parameters) will be given a minimum heap size of 1 GB and maximum heap size of 16 GB. On the other hand, Predix Machine running on a smaller device, such as a Raspberry Pi with 434 MB RAM, will be given a minimum heap size of about 7 MB and a maximum heap size of about 110 MB. Predix Machine has been found to operate well using the defaults on a variety of systems, including Raspberry Pi.
Unless the situation demands otherwise, it is best practice to leave the heap configuration and tuning to the JVM. However, it is possible that the operating characteristics of application bundles running under Predix Machine may require more heap space than what is allocated by default. Heap space also depends on the features you selected in the Predix Machine container. Additionally, the heap usage may need to be reduced due to other applications running on the system.
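The rules in the three paragraphs above are easy to misread, so here is an added example (not code from Predix or from GE) that encodes them as written: minimum heap 1/64 of physical RAM, maximum heap 1/4 of physical RAM capped at 1 GB on 32-bit and 32 GB on 64-bit, and a decision of when to stop relying on the defaults. The function reproduces the two figures the text gives (the 64 GB server and the 434 MB Raspberry Pi). The cap values are the page's simplification of JVM ergonomics; the real JVM also looks at CPU count and server-class detection, which this model ignores by assumption, and the thresholds in `heap_flags` are an assumed policy, not a Predix recommendation.

```python
GB = 1024  # all sizes below are in MB


def default_heap_mb(physical_mb: float, arch_bits: int) -> tuple:
    """Default (min, max) heap in MB under the ergonomics rules stated in the text.

    min heap = 1/64 of physical RAM; max heap = 1/4 of physical RAM, capped at
    1 GB for 32-bit JVMs and 32 GB for 64-bit JVMs. Simplified model: the real
    JVM additionally considers CPU count and server-class machine detection.
    """
    if arch_bits not in (32, 64):
        raise ValueError("arch_bits must be 32 or 64")
    cap = 1 * GB if arch_bits == 32 else 32 * GB
    return physical_mb / 64, min(physical_mb / 4, cap)


def heap_flags(required_heap_mb: float, physical_mb: float,
               other_apps_mb: float, arch_bits: int) -> list:
    """Return explicit JVM heap flags only when the defaults will not do.

    - The bundles need more than the default maximum: raise -Xmx to what they need.
    - The default maximum would crowd out other processes on the box: lower -Xmx
      to what is left after them.
    - Otherwise return [] and let the JVM tune the heap itself, as the text advises.
    The headroom rule is an assumed policy for this example.
    """
    _, default_max = default_heap_mb(physical_mb, arch_bits)
    headroom = physical_mb - other_apps_mb
    if required_heap_mb > headroom:
        raise ValueError(f"need {required_heap_mb} MB of heap but only {headroom} MB is free")
    if required_heap_mb > default_max:
        return [f"-Xmx{int(required_heap_mb)}m"]
    if default_max > headroom:
        return [f"-Xmx{int(headroom)}m"]
    return []


if __name__ == "__main__":
    for name, ram, bits in [("64 GB server", 64 * GB, 64),
                            ("Raspberry Pi", 434, 32),
                            ("128 GB server", 128 * GB, 64)]:
        lo, hi = default_heap_mb(ram, bits)
        print(f"{name}: default heap {lo:.1f} MB .. {hi:.1f} MB")
    print("flags for a 20 GB workload on the 64 GB server:",
          heap_flags(20 * GB, 64 * GB, 8 * GB, 64))
    print("flags for a 64 MB workload on a busy Pi:", heap_flags(64, 434, 350, 32))
```

To see what a particular JVM actually chose rather than what the model predicts, `java -XX:+PrintFlagsFinal -version` prints the final values of InitialHeapSize and MaxHeapSize on that machine; comparing the two is the quickest way to catch a device where the defaults differ from the figures quoted above.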
See the docs for more info.
- Developers: Predix is a comprehensive platform and development environment for you with all the right services, tools, techniques, and supporting community to create innovative industrial IoT apps.
- Data Scientists: Predix is readymade for data scientists to manage and implement the latest, most meaningful statistical analysis, data mining, and retrieval processes for Big Data that help identify key insights and trends.
- Controls Engineers: Predix tools and techniques help controls engineers develop Edge software solutions that securely connect intelligent machines to the Cloud for remote monitoring, diagnostics, and control.
License: The Predix license grants the licensee a worldwide, perpetual, royalty-free, non-exclusive license to:
- Install the Licensed Programs on Licensee's premises, and permit Licensee's users to use the Licensed Programs, solely for Licensee's own development, testing, demonstration, staging, and production of Licensee's own software that makes use of the Licensed Programs in a way that adds substantial functionality not present in the Licensed Programs.
- Permit Licensee to permit third-party hosts ("Hosts") to install the Licensee Application on such Hosts' respective premises on Licensee's behalf, and permit Licensee's users to access and use the Licensed Programs so installed, solely for Licensee's own development, testing, demonstration, staging and production purposes.
- Install the Licensee Application on Licensee's own premises and permit its own users to use the Licensee Application so installed on the same terms as sub-sections (i) and (ii) above.
The License.md file contains the full details.
Predix is one of several IoT Platforms to make our list. You can find the others in the IoT area of Codeguru!