SCADA security basics

Supervisory Control and Data Acquisition (SCADA) systems are used for remote monitoring and control in the delivery of essential services and products such as electricity, natural gas, water, waste treatment and transportation. SCADA software runs on regular computers, but is used by owners of critical infrastructure and various other types of industrial facilities to monitor and control industrial processes.

This blog post introduces SCADA system fundamentals that will help in analyzing security considerations.

Remote monitoring is widely considered one of the most difficult applications to do in a cost-effective way. Remote monitoring using SCADA systems has traditionally been a very difficult and expensive task. SCADA systems have traditionally used their own communications networks, and their security has been largely based on keeping the SCADA network separate from public networks and on the fact that not many people know the special protocols used on those systems (= security by obscurity).

Internet technologies have made remote monitoring easier and more cost-effective in many applications, but on the other hand they have created a new set of risks related to hacking. If you connect a remote monitoring system that uses an insecure communications protocol to the Internet, sooner or later somebody can figure out how to hack into your system. If your system is just doing monitoring, somebody hacking it can stop your communications or, worse, feed you false data. If your remote monitoring system is also used to control something, then the risks are far greater.

There isn’t a single security solution capable of addressing all existing and future risks. It’s necessary to implement a series of different defenses across the system. Deploy safeguards throughout the platform to provide robust protection against the vast majority of attacks.

Modern SCADA systems are typically designed for security using platforms similar to typical networked clients, such as laptops and workstations. There are also some specific considerations. Security systems easily become complicated. Unfortunately, as the complexity of securing devices increases, so does the risk of vulnerabilities slipping past equipment manufacturers and IT organizations. Industrial control systems (ICS), distributed control systems (DCS) and supervisory control and data acquisition (SCADA) systems have all been around for decades, but thanks to Stuxnet, DuQu and other major incidents, these systems have recently begun receiving serious security consideration.

Cyber security is war. You have to defend your systems from all sorts of outside attackers, and if one that’s skilled and determined gets you in his sights, defending yourself may be tougher than you think. Once an attacker breaks through a hardened perimeter, moving around inside is usually pretty easy. That’s why defense in depth with incident detection, response, and attribution is so important.

Security is all about layers. You can’t ever block everything in one place, so you need layers of security to protect yourself. The enterprise can put lots of devices and layers in place to protect itself and its customers, because you can’t be 100 percent protected against everything with only one solution.

The article “Want it Secure? Target Both Design and Data Security” says that in today’s increasingly connected world, security applies to servers as well as mobile and remote embedded devices. The latter are often exposed to physical tampering, while data travelling over networks is exposed to compromise and hacking. Security depends on securing the complete connected universe.

How safe is your network? The article “Is Your Network Safe?” says that just a few years ago, plants didn’t have to worry about the safety of their networks. From an IT point of view, plants were silos — succinct and secure. That changed over the past decade. To improve efficiency, plants connected out to the company’s back office and beyond to suppliers and customers. Most of the connectivity runs along Internet connections. This extended network prompted a battle between the organization’s IT team and the control folks on the factory floor. If your plant is running 24/7, you can’t add patches and reboot without shutting down the plant. In addition, the plant is now vulnerable to hacking (terrorists, hackers, competitors and disgruntled employees).

The blog article “Six Ways to Improve SCADA Security” says that when it comes to securing SCADA networks, we are usually years or even decades behind when compared to securing typical IT networks. The article presents some of SCADA security’s most daunting challenges along with some recommendations to secure SCADA networks.

1. A SCADA network is inadvertently connected to a company’s IT network or even to the internet
2. ‘Data presentation and control’ now runs off-the-shelf software
3. Control systems not patched
4. Authentication and authorization
5. Insecure ‘datacommunication’ protocols
6. Long life span of SCADA systems

The article “Understanding cyberspace is key to defending against digital attacks” says that in recent years, there has been one stunning revelation after the next about how such unknown vulnerabilities were used to break into systems that were assumed to be secure.

Growing numbers of other kinds of machines and “smart” devices are also linked to the Internet: security cameras, elevators and CT scan machines; global positioning systems and satellites; jet fighters and global banking networks; commuter trains and the computers that control power grids and water systems. “We have built our future upon a capability that we have not learned how to protect,” former CIA director George J. Tenet has said.

As commercial and civil network infrastructures become increasingly dependent on arrays of Internet-connected computers, they are becoming increasingly susceptible to attack from hostile nations, non-governmental terrorist groups and cyber criminals.

“Companies want to make money.” “They don’t want to sit around and make their software perfect.” Many of the vulnerabilities are related to errors in code designed to parse data sent over the Internet. Software makers have often failed to heed the warnings from security researchers, and some vulnerabilities have remained for a long time. And even in cases where the manufacturer has a fix, the customer might not apply it any time soon, because in many cases you can’t add patches and reboot without shutting down the plant.

The article “Want it Secure? Target Both Design and Data Security” says that adding robust security features to a design can substantially impact the complexity, power consumption and cost of a system. These challenges include supporting the computational complexity required to run advanced cryptographic algorithms; providing secure insertion and storage of encryption keys; and authenticating and encrypting data exchanged over public network connections.

The HP Cyber Security Risk Report says that the number of SCADA system vulnerabilities has risen considerably in the last few years. In 2008 there were 22 holes in them. In 2012 there were 191 holes in SCADA systems. This means 768 percent growth since 2008.

344 Comments

  1. Tomi Engdahl says:

    Control Engineering 2014 Cyber Security Study
    http://www.controleng.com/single-article/control-engineering-2014-cyber-security-study/992cf83959f0b11837250236e375da48.html

    Cyber threats to control systems are high, frequencies of vulnerability assessments are low, and many organizations are lacking a capable cyber incident response team. Are your systems at risk?

    Reply
  2. Tomi Engdahl says:

    8 ways the cloud is a no-brainer for manufacturers
    http://www.controleng.com/single-article/8-ways-the-cloud-is-a-no-brainer-for-manufacturers/366ea5e82616dff083c2f10f0ecf3bc6.html

    Cloud computing: Some people still debate the merits of using cloud computing in manufacturing, but there are specific cases when a cloud solution is the obvious choice. Here are eight reasons why cloud computing works for manufacturers. Cloud computing is the quickest, most economical way to make things happen in a hurry.

    Reply
  3. Tomi Engdahl says:

    HART Communication adapts for the Internet world
    http://www.controleng.com/single-article/hart-communication-adapts-for-the-internet-world/75f8ce99088a623b8e24f82baf3abb01.html

    A closer look at the benefits offered by HART-IP, which is the latest enhancement to the HART Protocol Specification

    To address growing industry demand for accessing data over the Ethernet, the HART Communication Foundation added a new capability to the HART Protocol Specification, HART-IP. HART-IP takes HART technology as it exists today and adapts it for the world of the Internet, allowing the exact same HART protocol to run over an IP-based connection delivering valuable HART data at the speed of Ethernet.

    This means that the standard Ethernet infrastructure that is used today in most control systems is now able to run the HART application layer and protocol over the same Ethernet and TCP/IP layer. A HART-IP backhaul network enables software to gain direct access to information in WirelessHART devices for example, without having to perform any data mapping through intermediate Modbus or OPC.

    Why HART-IP?

    HART-IP offers the most straightforward way to access all the standard HART information available in a HART device. It allows the information from these devices to be brought up to the Ethernet level easily, without the need to go through any translation processes and with no loss of information.

    HART-IP works with any IP-enabled PHY, including packet radio, SAT-radio, WiFi, cell nets, etc., which makes the HART network – including WirelessHART devices – compatible with commercial and industrial grade LAN switches, fibre optic media converters, Wi-Fi access points, and related equipment.

    Because the application layer is the same for HART field devices and HART-IP, time consuming and error-prone data mapping is eliminated, making HART-IP the most suitable backhaul network for WirelessHART gateways and 4-20 mA HART multiplexers.

    Reply
  4. Tomi Engdahl says:

    System integration is a critical element in project design
    http://www.controleng.com/single-article/system-integration-is-a-critical-element-in-project-design/9de7e150569179e1ce1e4467280360ec.html

    Involve a system integrator early in project design to help ensure high-quality projects that satisfy project requirements. See project cost influence graphic.

    Reply
  5. Tomi Engdahl says:

    Standardized sensor profiles improve safety-related process data
    http://www.controleng.com/single-article/standardized-sensor-profiles-improve-safety-related-process-data/9c80998d53e141fa5474734ec6f998fe.html

    Controller Area Network (CAN) in Automation (CiA) recently released CAN device profiles that aim to standardize safety-related process data.

    Both profiles specify safety-related sensor data and its mapping into safety-related data objects (SRDOs) as defined in CANopen-Safety (EN 50325-5). These specifications are the first ones standardizing functional safety on a device’s profile level.

    Reply
  6. Tomi Engdahl says:

    Smart I/O systems vs. fieldbus networks
    New configurable I/O systems bring greater flexibility to conventional instrumentation. How do they stand up to fieldbus networking for capabilities and convenience?
    http://www.controleng.com/single-article/smart-io-systems-vs-fieldbus-networks/0fd928fd170d042e0b02b624049a07db.html

    Over the last few years, one-by-one, major process control system suppliers have been introducing new field I/O systems that offer some sort of simplified wiring scheme and easier configurability.

    These new systems are far less complex than traditional analog field wiring using junction boxes, marshalling cabinets, and techniques like half-knit and fan-out.

    Bastone says he has seen many plants with small isolated fieldbus deployments that were tried as an experiment but never used more widely. These can be problematic if technicians don’t work on them often enough to keep their skills sharp.

    The new smart I/O systems still use conventional analog and HART devices. In that context, a digital device is strictly on-off. The new systems do not provide any more diagnostic information than conventional HART-enabled I/O; however, they do take full advantage of what HART offers. Traditionally, the working assumption was that fieldbus networks were capable of providing more diagnostic information than HART. That is still true, but more current versions of HART have closed that gap somewhat. Devices using HART 6 and 7 have added new capabilities since version 5, and the new I/O systems can read it.

    While Erni sees sales of fieldbus equipment solid but flat, Emerson’s electronic marshalling product line is growing steadily.

    What’s next?

    There’s no question that the influence of cloud technologies is beginning to change how we think about field devices. The ability to direct information from any kind of device to any point in the control architecture by typing a few keystrokes is pretty compelling to anybody who has had to troubleshoot a hardwired device or redirect its output by moving the relevant cable.

    Fieldbus architecture is easier to work with than traditional wiring, and it represents the ultimate in diagnostic capabilities so it will still have loyal followers for years to come. Even so, the simplicity and convenience of newer I/O systems that move closer to a true instrumentation cloud are difficult to ignore. Either way, there is little reason to continue using old-fashioned hardwired I/O. As Henning reminded us, it is 2014 after all.

    Reply
  7. Tomi Engdahl says:

    XP Is a Sitting Duck for Cyberattacks
    http://www.designnews.com/author.asp?section_id=1386&doc_id=272969&

    If you’re still running Windows XP in your plant, you better duck. Microsoft’s support for the XP operating system officially ended on April 8, 2014. Windows will no longer provide users with security updates or technical support for the 12-year-old system. Microsoft stated that “PCs running Windows XP after April 8, 2014, should not be considered to be protected, and it is important that you migrate to a current supported operating system.”

    In a research note, IHS Technology noted that cybersecurity is the largest concern related to the continued use of Windows XP in industrial automation.

    “Without the ongoing security updates to protect systems from attacks, users will be exposed to new threats that can exploit vulnerabilities of the operating system. Such threats exist to industrial automation equipment operating on Windows XP, perhaps most notably industrial PCs and distributed control systems.”

    According to Andrew Orbinson, an analyst for process, instrumentation, and machinery at IHS, XP users are now at risk for attacks. “Quite simply, there will be no future security updates for XP. The systems will continue to function, but will be more vulnerable to cyberattacks without the continued support,”

    Switching to a new operating system is no small matter for a plant. “The two main considerations are common to all upgrades — cost and time,” said Orbinson. As for cost, a number of factors add up.

    Reply
  8. Tomi Engdahl says:

    Hackers Can Tinker With Traffic Lights, Other Road Systems
    New research shows how easy it is to infiltrate key traffic-control systems
    http://autos.aol.com/article/hackers-can-tinker-with-traffic-lights-other-road-systems/

    Alarming new research released this week details how cyber hackers can infiltrate and manipulate traffic-control systems that govern traffic lights and other road systems in more than 40 major cities across the United States, including New York, Los Angeles and Washington D.C.

    Cyber attackers could change light colors, delay signal changes and alter digital speed limits, causing traffic jams, gridlock or – in a worst-case scenario – car accidents. Cesar Cerrudo, a cyber researcher at IOActive, said security measures in the traffic-control devices were practically nonexistent.

    “This is a really big problem in security that these devices are not secure,” he told AOL Autos. “Sooner or later, attacks on these devices will impact more of our regular life, because we depend on these devices and these products.”

    Cerrudo didn’t directly infiltrate the traffic lights. Rather, he infiltrated the access points that provide the system data.

    “The data goes out over the air without any encryption, so you can basically, with some specific hardware, capture all the information sent over the air,” he said. “At the same time, you could send information over the air and make the access points believe you are a sensor. If you’re an attacker sending fake data, you can manipulate the system. And they don’t have any security.”

    What’s worse: Cerrudo said there’s no way for authorities to necessarily detect an attack. The first indication would be an unexplained traffic jam or reports of malfunctioning lights. If someone was monitoring the data streams or making subtle adjustments, no one would know. It could be happening right now.

    More than 50,000 of the systems have been deployed across the globe, most of them in the U.S.

    Increasingly, cars and traffic systems are both run by computers and wirelessly connected to the online world. Consequently, they’re more vulnerable to cyber security breaches or attacks. The Department of Homeland Security monitors such threats, and last year, the National Highway Traffic Safety Administration opened a division that deals with electronic security.

    Reply
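An added example, not part of the original post or of the quoted article: one way for a monitoring receiver to reject false data and spoofed sensors, the risk raised in the post above and in Cerrudo's remarks, by requiring an HMAC-SHA256 tag and a rising message counter on every reading. The frame layout, sensor ids and keys are assumptions constructed for the illustration, and the example covers authenticity and freshness only, not encryption.

```python
import hashlib
import hmac
import struct

# Assumed frame layout (constructed for this example, not a real product's):
#   sensor id (uint16) | counter (uint32) | reading in milli-units (int32) | tag
HEADER = struct.Struct(">HIi")
TAG_LEN = hashlib.sha256().digest_size

# Constructed per-sensor keys. In a real deployment each key is provisioned
# out of band and never travels over the radio or network link.
SENSOR_KEYS = {17: bytes(range(32)), 18: bytes(range(32, 64))}


def seal_reading(sensor_id, key, counter, milli_value):
    """Sensor side: pack the reading and append an authentication tag."""
    header = HEADER.pack(sensor_id, counter, milli_value)
    return header + hmac.new(key, header, hashlib.sha256).digest()


class TelemetryReceiver:
    """Monitoring side: accept only authentic, fresh readings."""

    def __init__(self, keys):
        self._keys = dict(keys)
        self._last_counter = {}  # highest counter accepted so far, per sensor

    def accept(self, frame):
        """Return (True, milli_value) or (False, reason)."""
        if len(frame) != HEADER.size + TAG_LEN:
            return False, "bad length"
        header, tag = frame[:HEADER.size], frame[HEADER.size:]
        sensor_id, counter, milli_value = HEADER.unpack(header)
        key = self._keys.get(sensor_id)
        if key is None:
            return False, "unknown sensor"
        expected = hmac.new(key, header, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag"
        # A valid tag on an old counter means a captured frame was sent again.
        if counter <= self._last_counter.get(sensor_id, -1):
            return False, "replayed"
        self._last_counter[sensor_id] = counter
        return True, milli_value


def run_demo():
    """Feed constructed frames to the receiver and collect its verdicts."""
    rx = TelemetryReceiver(SENSOR_KEYS)
    genuine = seal_reading(17, SENSOR_KEYS[17], counter=1, milli_value=21500)
    # Frame from a sender that does not hold the key: right layout, empty tag.
    unauthenticated = HEADER.pack(17, 2, 99000) + bytes(TAG_LEN)
    # Genuine frame whose reading was changed in transit; the tag no longer fits.
    altered = HEADER.pack(17, 1, 99000) + genuine[HEADER.size:]
    return {
        "genuine": rx.accept(genuine),
        "unauthenticated": rx.accept(unauthenticated),
        "altered": rx.accept(altered),
        "replayed": rx.accept(genuine),
        "next": rx.accept(seal_reading(17, SENSOR_KEYS[17], 2, 21600)),
        "unknown": rx.accept(seal_reading(99, bytes(32), 1, 0)),
        "truncated": rx.accept(genuine[:-1]),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:16} {result}")
```

Every rejection reason is also a detection signal: counting "bad tag" and "replayed" verdicts per sensor gives the operator an indication of tampering before the process data itself looks wrong.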
  9. Tomi Engdahl says:

    Google Glass meets control systems
    http://www.controleng.com/single-article/google-glass-meets-control-systems/17c65fe56b425b7a806d2c31a1834d22.html

    Technology Update: New visualization technologies offer opportunities for hands-free computer displays, potentially useful in manufacturing, control system programming, warehousing, process operations training, and maintenance applications.

    Reply
  10. Tomi Engdahl says:

    Goodbye Windows XP; Hello IsXP?
    Microsoft Windows XP support ends April 8. What happens April 9? Three things to remember. NEW: Updated with answers to reader feedback on April 14.
    http://www.controleng.com/single-article/goodbye-windows-xp-hello-isxp/7225421fd76472019f77c6899654717d.html

    Because Windows XP was the first truly reliable commercial multi-windowed system, it became the “go-to” standard for control, human machine interface (HMI), and instrumentation systems. Companies have invested billions of dollars in these systems and expected them to have the same multi-decade lifetime of other industrial systems. Lifetimes of 15 to 30 years are common in industrial systems.

    If Windows XP had been built on an open source model, there would probably still be an active community to support the operating system, just as other open source software has lasted 30 or more years. However, the Windows XP system is Microsoft’s property and the only support is through Microsoft. Microsoft may continue to offer extended support, but that seems unlikely.

    A better solution would be for Microsoft to outsource Windows XP support to an independent third party, to provide Lifetime Support XP (lsXP). That organization could then provide critical and important security patches on a subscription basis. It could quickly respond to zero day attacks, and help protect the millions of XP systems in critical infrastructure or mission critical systems. This approach is a win-win for Microsoft and users. Eventually the Windows XP systems will be replaced

    3 things to remember after XP

    If lsXP doesn’t develop, then there are only three things to remember to keep your XP systems running: protect, protect, and protect.

    Unfortunately, there is no easy answer to the upcoming loss of support for Windows XP. These systems will become more expensive to maintain and replace. This is the hidden future cost of using commercial software on systems that have lifetimes of 15-30 years. If this is not a wakeup call for vendors to take a long, hard look at the systems they use for their systems, then it is a wakeup call for end users to demand software that lasts as long as the hardware.

    1. Do you know if a Lifetime Support XP (lsXP) has become available?

    Unfortunately, Lifetime Support is not available.

    2. We have McAfee and Verizon anti-virus software on our computers. Is this enough to protect us from attacks or computer virus?

    This is a good start, but zero-day attacks, which are vulnerabilities that are exploited before the anti-virus vendors can respond, are still a problem. To help in those attacks, the systems should also be protected behind firewalls, all unused programs and applications removed, any unused accounts removed, and make sure that you are not using default passwords on any applications. These changes will reduce your risk, and if the systems have no direct connection to the intranet, or even your company’s business network, then this reduces your risk about as low as it can get for an XP system.

    White listing tools are extensions to the operating system that check that only approved (white listed) programs are running, and that the running programs have the signature. This means that they have not been modified by a virus or hacker.

    Root kit inspection tools check that the startup parts of the computer have not been modified or changed by a virus or hacker.

    Reply
  11. Tomi Engdahl says:

    100x the systems with the Industrial Internet of Things
    http://www.controleng.com/single-article/100x-the-systems-with-the-industrial-internet-of-things/c9f9f8a91a710bad8d346234712f6df1.html

    Engineering and IT Insight: Does your manufacturing IT infrastructure have tools to handle 100 times the number of current connections and manage tens of thousands of new smart network connected devices, as industry moves to the Industrial Internet of Things (I2oT) and distributed control, with every device in a facility connected to a plant-wide Ethernet network? What got you here won’t get you there.

    Reply
  12. Tomi Engdahl says:

    7 things noncontrol people should know about control engineers
    http://www.controleng.com/single-article/7-things-noncontrol-people-should-know-about-control-engineers/f5ed3372159d196c6879f4af789d120b.html

    A few basic differences between control engineers and others in the plant can hinder progress toward optimization. Start a conversation to improve communications and controls. See examples and career advice. Send a link to these seven things other people should know about control engineers, so they understand.

    1. Process engineering is steady-state; control engineering is real-time.
    2. Computer geeks are not control experts.
    3. Physics rules.
    4. Senior control experts know things they do not teach in school.
    5. How to pick a process control system (PCS): Total installed cost (TIC) rules.
    6. The PCS choice must be made by an expert in control systems.
    7. How do I measure the performance of my system?

    Reply
  13. Tomi Engdahl says:

    GE patches gap in infosec capabilities with Wurldtech buy
    SCADA bug-hunter slurped to secure the ‘Industrial Internet’
    http://www.theregister.co.uk/2014/05/12/ge_patches_gap_in_capabilities_with_infosec_buy/

    Years after the infosec world noticed the chronic insecurity of SCADA kit, industrial giant GE has decided it needs to improve its in-house capabilities by announcing that it’s to acquire Wurldtech.

    Founded in 2006, Wurldtech’s product portfolio, sold under the Achilles brand, includes a test suite and industrial firewall software. It’s also got a service operation under which it evaluates device communication looking for troublesome behaviours.

    The test suite is based on hardware designed to sit between the control system and the target industrial device – stuff like SCADA, distributed control systems and smart meters – firing off test traffic to detect vulnerabilities as well as other faults. It covers Ethernet, Foundation Fieldbus, Modbus IP, OPC UA and Profinet IO systems.

    The Achilles Threat Intelligence Software is designed to add an industrial-network wrinkle to the more prosaic business of network protection. Since industrial plant managers really dislike being told to take their systems down so the IT crowd can apply a patch, ATIS instead lets the user wrap up a system in extra security when a bug or vulnerability is published, letting the patching happen later.

    Reply
  14. Tomi Engdahl says:

    Spotty solar power management platform could crash the grid
    Flaky firmware makes power panels p0wnage possible
    http://www.theregister.co.uk/2014/05/12/hackable_solar_systems_spurt_free_money/

    Criminals could potentially cause black-outs and mess with power grid configurations by exploiting flaws in a popular solar panel management system used by thousands of homes and businesses.

    Details of how the attacks could be executed were kept under wraps while solar panel monitoring kit vendor Solar-Log distributed a patch for the flaws.

    The threat is substantial because, as the company boasts, its eponymous management system runs globally on roughly 229,300 solar plants that typically pump out 566TWh of electrical energy, or so we’re told.

    “For instance a massive attack can cause power grid reconfiguration and chains of blackouts [and] bad guys can try to monetise it via blackmail,” Goreychik said.

    “At moment we can’t disclose more detail [about the vulnerabilities] because thousands of households around the globe are using vulnerable version of Solar-Log and can be attacked by cyber criminals.”

    Reply
  15. Tomi Engdahl says:

    Why Windows Will Always Be High-Risk
    http://www.themobilityhub.com/author.asp?doc_id=266957&_mc=sem_otb_edt_mobilityhub

    Year after year, new Windows versions and upgrades arrive, and mobile PC users dutifully use the enhanced operating system (OS) on their systems. Just as reliably, Microsoft representatives assure customers that the latest Windows edition is the most secure version ever.

    There’s no doubt that Windows has become much safer over the years, but few would say it is even close to being secure. Microsoft’s OS is like a house where the owner gradually adds locks to more doors and windows over the years, yet many entryways remain wide open.

    Despite Microsoft’s repeated promises and best intentions, malware continues to plague enterprise Windows users. Even businesses that are fastidious about installing and maintaining anti-malware tools face the threat of a zero-day attack that will immediately render their Windows-based systems insecure.

    Windows’ soft underbelly is its registry.

    Microsoft has struggled over the years to make the registry more secure, manageable, and self-repairing, yet hackers continue to find ways to bypass and defeat these changes. It doesn’t have to be this way.

    Windows, sadly, is hobbled by its own legacy. Microsoft can’t get rid of the registry because it’s required by a huge stockpile of legacy applications — virtually every Windows application created to date.

    To help loyal users worldwide, Microsoft needs to offer a version of Windows that sheds the registry in favor of a decentralized configuration and preferences model.

    Reply
  16. Tomi Engdahl says:

    Do Embedded Systems Need a Time To Die?
    http://hardware.slashdot.org/story/14/05/14/029236/do-embedded-systems-need-a-time-to-die

    “Dan Geer, the CISO of In-Q-Tel, has proposed giving embedded devices such as industrial control and SCADA systems a scheduled end-of-life in order to manage a future in which hundreds of billions of them will populate every corner of our personal, professional and lived environments. Individually, these devices may not be particularly valuable. But, together, IoT systems are tremendously powerful and capable of causing tremendous social disruption.”

    “Geer proposes a novel solution: embedded systems that do not have a means of being (securely) managed and updated remotely should be configured with some kind of ‘end of life,’ past which they will cease to operate.”

    Reply
  17. Tomi Engdahl says:

    Blade Runner Redux: Do Embedded Systems Need A Time To Die?
    https://securityledger.com/2014/05/blade-runner-redux-do-embedded-systems-need-a-time-to-die/

    The Chief Information Security Officer at In-Q-Tel, the CIA’s venture capital arm, Geer is an astute observer of the security zeitgeist. He used his speech to zero in on a central tension of the Internet of Things: the Herculean task of securing billions of smart, connected embedded devices.

    “The embedded systems space, already bigger than what is normally thought of as ‘a computer,’ makes the attack surface of the non-embedded space trivial if not irrelevant,” Geer said.

    Beyond their sheer numbers, embedded devices have a way of hanging around. Geer noted they persist in computing environments long after their (supposed) useful life has passed – achieving a kind of immortality that’s a common problem in managing industrial IT environments and critical infrastructure. “If those embedded devices are immortal, are they angelic?” Geer wondered.

    He returned to that idea in his talk at the Security of Things Forum. The problem with embedded systems (like replicants) becoming ‘immortal’ is that the longer embedded systems persist in IT environments, the harder they become to manage and defend, he said.

    Computing monocultures, Geer said, raise the likelihood of what he terms “cascade failures” in which the ripple effects of attacks against a wide range of computing systems cause disruption far in excess of what would be possible by attacks on any one system.

    In the coming Internet of Things, Geer warned, we are at risk of establishing a Windows-like monoculture of embedded devices all relying on a short list of hardware and software. Individually, these devices aren’t particularly valuable targets compared to, say, a Web application server or enterprise desktop system. But, together, IoT systems are tremendously powerful. That means the effects of an attack on that infrastructure (think Code Red or SQL Slammer) will be harder to detect and more damaging than the Windows worms of a decade ago or today’s ‘advanced persistent’ attacks.

    “The Internet of Things, which is to say the appearance of network connected micro controllers in seemingly every device, should raise hackles on every neck,” he told attendees.

    Geer isn’t hostile to the idea of monocultures. Rather, he argues that if we are to opt in favor of monolithic computing infrastructures, we need “tight central control” of that infrastructure. That might come either in the form of a robust and secure management infrastructure that keeps close tabs on the operation and behavior of connected devices and allows them to be rapidly updated (a la Windows update). Or it could come in the form of a kind of designed obsolescence – a ‘mortality.’

    “By ‘more like humans’ I mean this: embedded systems, if having no remote management interface and thus out of reach, are a life form and as the purpose of life is to end, an embedded system without a remote management interface must be so designed as to be certain to die no later than some fixed time,”

    Reply
  18. Tomi Engdahl says:

    Machine Safety: Can machine operators be safe with Google Glass?
    http://www.controleng.com/single-article/machine-safety-can-machine-operators-be-safe-with-google-glass/0145a2fcbc7cf7f379aa5ba45cd11797.html

    Special technology for machine safety can be applied in special ways to provide compliant machine safeguarding. Technologies such as Google Glass are starting to merge into human activity. How will safety behavior be impacted if employees are allowed to wear Google Glass near operating machinery?

    The concerns listed concerning “new technology” were things like: maintaining access control, preventing spurious signals, unexpected motion, hacking vulnerability, flash distractions or unexpected noise on control networks.

    With Google Glass how will industry react if an employee wears prescription glasses outfitted with Google Glass to work? An eye doctor has prescribed corrective glasses for this employee to perform daily functions; however, the supervisor cannot truly know if the employee is looking at photos, reading e-mail or surfing the Internet. In contrast, a supervisor can see an employee wearing ear plugs with a wire going to his iPhone, and corrective action can be applied.

  19. Tomi Engdahl says:

    Machine Safety: Networks can enable advancements in machine safety
    http://www.controleng.com/single-article/machine-safety-networks-can-enable-advancements-in-machine-safety/7289c817c65b201dbf198b692996be9d.html

    Networks have seen significant advancements over the past 10 years to include safety certified networks. Have these technological achievements really advanced machine safety?

    And now the next point. If you can connect the safety related parts of the control system via a safety certified network, you now have a fully integrated safety control system. Some advantages of these systems include built in features like:

    1. Watch dog timers

    2. Diversity of code

    3. Data integrity checks

    4. Internal health checks with diagnostics, and

    5. Component addresses within the control system.

  20. Tomi Engdahl says:

    Safety: Is it the Sixth ‘S’ in a 5S system?
    Make safety an integral part of your productivity improvement plan
    http://www.controleng.com/single-article/safety-is-it-the-sixth-s-in-a-5s-system/d3beade23a190f42bdae09d6b7365598.html

    Performance and compliance

    An organization can comply with safety regulations and yet not perform as well as another organization that also complies with regulations. The difference lies in management support and a culture that integrates safety into all aspects of its continuous improvement programs such as Lean. In high-performing organizations, safety becomes part of the same continuous improvement programs that drive productivity, efficiency, and business results.

    Safety is inherent to Lean principles

    Two key pillars of Lean are standardization and employee empowerment. Though often considered paradoxical, the pillars represent basic tenets of a safety culture. Plant safety is ensured, in part, by establishing standard operating procedures (SOPs) and work instructions (WIs). However, as operations change, employees at the source are often more aware of potentially unsafe conditions. Empowerment gives these employees an opportunity to challenge a standard and provide a corrective action before an incident occurs.

    5S methodology

    The basic 5S methodology is:

    Sort: Remove unnecessary tools from the work area; keep needed tools in an easily accessible place.
    Straighten/Sift: Arrange tools in an orderly workflow; “There’s a place for everything and everything in its place.”
    Sweep: Keep the work area clean; ensure the area is in order.
    Standardize: Promote interchangeability by using uniform procedures.
    Sustain: Ensure adherence to procedures.

    Connections have also been made between reliability excellence and improved safety. In fact, the Aberdeen Study mentioned previously indicated that Best-in-Class companies had a 5% higher OEE compared to peers in the Industry Average category.

    When routine maintenance is not conducted, the alternative is emergency repair. Such unplanned downtime often leads to poor housekeeping—repair debris and clutter left at the work area following an urgent repair—which can often result in accidents in addition to reduced operational efficiency and OEE. Most reliability-based maintenance programs apply Lean principles to improve not only OEE, but also worker safety.

  21. Tomi Engdahl says:

    Top 5 Control Engineering articles: Microsoft Windows XP
    http://www.controleng.com/single-article/top-5-control-engineering-articles-microsoft-windows-xp/bbf09f42151bb9dd4992da0c2be18a6d.html

    Should Microsoft think again? The end of Microsoft Windows XP support and related topics remained hot among the Top 5 Control Engineering articles posted weekly on http://www.controleng.com in April.

  22. Tomi Engdahl says:

    Improper relay logic threatens your electrical assets and investments
    Four programmable relay logic settings that will improve protection and add value
    http://www.controleng.com/single-article/improper-relay-logic-threatens-your-electrical-assets-and-investments/0f1d25b381d634866da836bba7b1dc04.html

    In the event of an electrical system fault, the protective relay system isolates the affected components while maintaining stability within the rest of the grid distribution system. Many utilities and industrial facilities are replacing aging electromechanical and solid-state relays with new generation microprocessor-based relays that deliver many benefits including self-testing and diagnosis, reduced maintenance, simplified regulatory compliance, arc flash mitigation, event recording and reporting capabilities, and improved protection.

    While microprocessor-based relays have vast potential functionality, many of the relays’ capabilities and advantages often go unrealized. This happens for a number of reasons, including:

    Lack of owner awareness: Custom relay configuration has only recently become an option.
    Simple oversight: Owners may overlook the need for relay customization and programming during the estimating, bidding, and specification processes.
    Lack of knowledge and expertise: Engineers may not have the skill levels needed to program relays, or the designers and installing electricians may be unfamiliar with the relay’s capabilities.
    Complexity issues: Custom programming can sometimes cause the system design to become overly complex. For simple applications, the effort needed to configure all the available features would not be worthwhile.

    Unfortunately, relay capabilities have outpaced industry skill levels. Often a relay is installed as a direct replacement for aged or defective equipment and the subsequent logic programming is performed by personnel unfamiliar with the new equipment.

    Simplification of the control system through the reduction of necessary components and single points of failure is a tremendous benefit which can be further compounded by adding real-time monitoring and failure alert functionality. However, these benefits can only be realized if custom logic has been programmed and tested.

  23. Tomi Engdahl says:

    Machine Safety: Integrated safety can learn from the 1960s
    http://www.controleng.com/single-article/machine-safety-integrated-safety-can-learn-from-the-1960s/abcf26d8eb5fe6f4f983abf8b5fd149c.html

    Machine safety thought leaders of tomorrow can learn from the evolution of machine guarding since the 1960s. Some safety was integrated even before PLCs.

    Since these early PLCs needed time to evolve and improve their reliability the machine safety standards quickly updated to require that “everything safety” be hard wired. This action probably was warranted but in my opinion it caused the unintended consequence for 30 plus years of unplanned machine downtime. The “safety layer” of technology within the machine control architecture was almost frozen in time in contrast to general automation technology as shown in the graphic.

    Since 2002 and the introduction of safety PLC technology the “safety layer” has quickly advanced and, in my opinion, actually caught up with and can be merged with general automation technology. And that’s why we call it – integrated safety.

  24. Tomi Engdahl says:

    Schneider Electric asks users to patch Heartbleed again
    We’d have gotten away with it if it weren’t for those meddling kids and their plug-ins
    http://www.theregister.co.uk/2014/05/21/schneider_to_users_patch_heartbeed/

    Industrial controller vendor Schneider Electric has found that while its own kit wasn’t affected by the Heartbleed OpenSSL bug, there are some third party components that need work.

    Tableau is an analytical data visualisation suite. The vulnerable server component has now been upgraded by Tableau Software, but users that applied a recent update from Schneider may have reverted to an older version of the server.

  25. Tomi Engdahl says:

    U.S. utility’s control system was hacked, says Homeland Security
    http://www.reuters.com/article/2014/05/21/us-usa-cybercrime-infrastructure-idUSBREA4J10D20140521

    A sophisticated hacking group recently attacked a U.S. public utility and compromised its control system network, but there was no evidence that the utility’s operations were affected, according to the Department of Homeland Security.

    DHS did not identify the utility in a report that was issued this week by the agency’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT.

    Such cyber attacks are rarely disclosed by ICS-CERT, which typically keeps details about its investigations secret to encourage businesses to share information with the government. Companies are often reluctant to go public about attacks to avoid potentially negative publicity.

    “In most cases, systems that are so antiquated to be susceptible to such brute forcing technologies would not have the detailed logging required to aid in an investigation like this,” Clarke said.

    “Internet facing devices have become a serious concern over the past few years,” the agency said in the report.

  26. Tomi Engdahl says:

    Internet of things creates control engineering resources for distributed control
    https://www.controleng.com/single-article/internet-of-things-creates-control-engineering-resources-for-distributed-control/12b70d9045ad5fb537cc0cf6ace2f1f0.html

    Engineering and IT Insight: Internet of things (IoT) will provide for a new generation of automation systems, and these new systems will have unparalleled capability and extensibility. What can we do with the extra cycles offered by IoT to help distributed control strategies defined in IEC 61158-2, IEC 61804-2, ISA88, and ISA106? IoT will offer efficiency gains in line with Moore’s Law.

  27. Tomi Engdahl says:

    Overcoming challenges in securing the Internet of things
    https://www.controleng.com/single-article/overcoming-challenges-in-securing-the-internet-of-things/c4f75c87d05a666361f91f18fb87d24d.html

    Vendors are now working together to develop best practices and blueprints for securing things, data generated from those things, and the automation of those things across different industrial environments.

  28. Tomi Engdahl says:

    When Troubleshooting Is Like Going Down a Rathole
    http://www.eetimes.com/author.asp?section_id=30&doc_id=1322545&

    Sometimes there’s an easy solution to a machine problem. At other times, well, it’s really mind-boggling to think of what my hourly rate would be if I were paid for the actual time that I spent troubleshooting a problem to get to a fix. The challenge is to avoid going down a rathole.

    The main problem was that I tried to program it without a clear hierarchy of “who” was in control. This robot had a processor that was capable of being used as a PLC, but I was advised that it would probably be better to have an actual PLC handle the logic and let the robot controller do what it was good at: Controlling a robot.

    I originally implemented a PLC that communicated via discrete IO points with the robot controller. This strategy was fine, but in order to save IO points, I decided to let the robot do some of the “thinking” on its own, instead of relaying everything back to the PLC.

    This strategy ended up being a nightmare, code-wise. Although I think I could have made it work eventually, I eventually ditched that strategy in favor of a system in which the PLC told the controller what point to go to, and the controller simply obeyed. This was much simpler programming-wise, and it’s running to this day as far as I know.

    Lesson: Machines, like some humans, really need to know who is in charge

    I don’t think I’ve ever met an engineer who didn’t think that their solution was the best.

    Lesson: When you’re called on to troubleshoot a problem or make something that isn’t working right work, sometimes you just have to bite the bullet and get it done.

  29. Tomi Engdahl says:

    The Coming IT Nightmare of Unpatchable Systems
    http://it.slashdot.org/story/14/06/02/1843253/the-coming-it-nightmare-of-unpatchable-systems

    “Routers, smart refrigerators, in-pavement traffic-monitoring systems, or crop-monitoring drones — ‘the trend toward systems and devices that, once deployed, stubbornly “keep on ticking” regardless of the wishes of those who deploy them is fast becoming an IT security nightmare made real, affecting everything from mom-and-pop shops to power stations.”

  30. Tomi Engdahl says:

    Beware the next circle of hell: Unpatchable systems
    Insecure by design and trusted by default, embedded systems present security concerns that could prove crippling
    http://www.infoworld.com/d/security/beware-the-next-circle-of-hell-unpatchable-systems-243397

    Microsoft’s decision to end support for Windows XP in April was met with a collective gulp by the IT community.

    But Windows XP is just the tip of an ever-widening iceberg: software and hardware that is unpatchable and unsupportable — by policy or design. In fact, the trend toward systems and devices that, once deployed, stubbornly “keep on ticking” regardless of the wishes of those who deploy them is fast becoming an IT security nightmare made real, affecting everything from mom-and-pop shops to power stations.

    This unpatchable hell is a problem with many fathers, from recalcitrant vendors to customers wary of — or hostile to — change. But with the number and diversity of connected endpoints expected to skyrocket in the next decade, radical measures are fast becoming necessary to ensure that today’s “smart” devices and embedded systems don’t haunt us for years down the line.

    The problem of unsupported or undersupported devices hits close to home for millions of broadband users in the United States and Europe. Broadband routers humming away peacefully in attics and home offices have become the latest targets of sophisticated cyber criminal groups.

    “As embedded systems begin to proliferate in both corporate and consumer networks, greater attention needs to be given to what vulnerabilities these devices introduce,”

    Beyond traditional IT, the problems are even worse. Embedded systems are proliferating in nearly every corner of daily life.

    Worse, these customers often defer to the hardware vendors on matters relating to security or conclude (wrongly) that embedded systems are too obscure to warrant protection, Cerrudo says.

    For industrial control systems, customer trust in unsupported and unsupportable embedded devices is a disaster in waiting.

    “Vendors will try to sell you on it being easy to use and low maintenance,” Cerrudo says. “The problem is that when the system has a security issue, you don’t have the proper mechanism to update them.”

    Industrial control systems too are being targeted by attacks, thanks to security problems stemming from embedded devices and other legacy hardware.

    Many industrial control systems and protocols are “insecure by design.”

    “An attacker with ICS knowledge would use the features rather than an unpatched [vulnerability] to compromise the system,” Peterson says.

    Critical infrastructure vendors and operators often rely on cellular networks and wireless technology to remotely manage their infrastructure.

    This presents a tremendous convenience, but customers and vendors often fail to comprehend the risks that go along with that convenience.

    If security issues around unmanageable devices look bad now, the near future is even worse.

    thanks to growing adoption of portable, sensor-rich, Internet-connected devices — the so-called Internet of things.

    may be of negligible importance individually, but already pose a serious threat “at scale,”

    “That combination — long lived and not reachable — is the trend that must be dealt with, possibly even reversed,”

  31. Tomi Engdahl says:

    Self-Organizing Factories
    http://www.siemens.com/innovation/apps/pof_microsite/_pof-spring-2013/_html_en/industry-40.html

    Europe and the U.S. plan to significantly increase their industrial value creation. The German media are treating the next stage of industrial manufacturing as a sensation, describing it as a paradigm shift toward smart factories, and even proclaiming the advent of a fourth industrial revolution.

    The German federal government has set aside approximately €200 million to help industry associations, research institutes, and companies develop an implementation strategy. The U.S. government also understands how important it is to develop innovative manufacturing strategies. It therefore plans to provide up to $1 billion in funding for the establishment of a national network of research institutes and businesses.

    “Achieving Industry 4.0 will require us to eliminate a large number of discontinuities in terms of media and data transmission,”

    The union coined the term “Industry 4.0.” This term is hardly used anywhere outside of Germany. Still, that doesn’t change the fact that other industrialized nations share the same goal of making production operations cheaper and as flexible as possible, with ever more rapid innovation cycles.

    “For years, Siemens has been expanding all of its activities related to vertical IT systems,” Horstmann points out that behind every Siemens acquisition of a software firm over the last few years is a strategy for combining and further developing all the expertise needed for Industry 4.0.

    Just as a USB port can be used today to connect different types of devices to a PC, so too will field devices, machines, and other equipment one day be linked in an Industry 4.0 production system, without any need for further parameterization or programming. However, the devices and machines will need to interact perfectly. Siemens’ Totally Integrated Automation (TIA) portal already makes it possible to utilize recurring data sets to plan, test, and implement automation processes. “Automation has long since moved beyond the simple controlling of production processes. It’s now also about rapidly adjusting machinery and plants to new products,”

    Overcoming Data Discontinuity.
    “The first thing we need to do now is to determine which data is relevant to production,”
    The specific objectives of these projects are currently being defined.
    Data security will be another major research issue, because if an entire product can be manufactured with one data set, companies will need to protect themselves even more effectively against industrial espionage and product piracy.

    Many of the technologies needed for Industry 4.0 already exist. These include the Internet, Profinet as a standardized data connection for industrial facilities, simulation software, and the TIA portal for rapid engineering. Experts are therefore certain that the transition to Industry 4.0 is unstoppable. “Industry 4.0 isn’t an idea without any basis in reality,” says Herweck. Unlike similar concepts that were propagated in the past – for example, computer-integrated manufacturing (CIM) – the Industry 4.0 trend is developing through the merger and refinement of existing technologies.

  32. Tomi Engdahl says:

    Security tools for Industry 4.0
    http://www.fraunhofer.de/en/press/research-news/2014/march/security-tools.html

    An increasing number of unsecured, computer-guided production machinery and networks in production facilities are gradually evolving into gateways for data theft. New security technologies may directly shield the sensitive data that is kept there.

    Manufacturing data determine the production process for a product, and are just as valuable today as the design plans. They contain distinctive, inimitable information about the product and its manufacture. Whoever possesses this info merely needs the right equipment, et voilà: the pirated or counterfeit product is done. Whereas design data are well-protected from unauthorized outside access today, production data often lie exposed and unsecured in the computer-assisted machinery. An infected computer on the network, or just a USB stick, are all a thief would need to heist the data. Or hackers could directly attack the IT network – for instance, through unsecured network components, like routers or switches.

    Researchers at the Fraunhofer Institute for Secure Information Technology SIT in Darmstadt are exhibiting how these security gaps can be closed up at this year’s CeBIT from 10 to 14 March, 2014 (Hall 9, Booth E40). They will be presenting, for example, a software application that immediately encrypts manufacturing data as soon as they emerge. Integrated into computer and equipment, they ensure that both communicate with each other through a protected transportation channel and that only licensed actions are executed.

    His colleague at SIT, Dr. Carsten Rudolph, is more involved with secured networks. At CeBIT, Rudolph will exhibit his “Trusted Core Network”. “Hackers can also gain access to sensitive production data via unsecured network components. These are small computers themselves, and can be easily manipulated,” says the “Trust and Compliance” department head at SIT. In order to prevent this, he called upon one piece of technology that, for the most part, lies dormant (in deep slumber) and, for all intents and purposes, unused on our PCs: the Trusted Platform Module.

    “Both security technologies are important building blocks for the targeted Industry 4.0 scenario,”

  33. Tomi Engdahl says:

    Industry 4.0 -The Security Risks of Networked Production
    http://www.dw.de/industry-40-the-security-risks-of-networked-production/av-17649868

    Industry 4.0 looks to be the wave of the future. But will it create new jobs – or eliminate them? And can data protection be ensured when machines and processes communicate with each other? How can companies protect themselves against product piracy and computer sabotage?

  34. Tomi Engdahl says:

    Cyber crims smash through Windows into the great beyond
    How malware became a multi-platform game
    By Tom Brewster, 29 May 2014
    http://www.theregister.co.uk/2014/05/29/cyber_crime_vaults_beyond_the_pc/

    Microsoft’s operating system has been the most popular one for the past 20 years, so it has attracted the most malware.

    “The time when Windows was the only platform associated with malware is long gone,” says Marta Janus, security researcher at Kaspersky Lab.

    “Nowadays, cyber criminals target every system that is potentially exploitable and attack any that may result in a profit.”

    The most sophisticated malware types seen to date, from Stuxnet to Flame, were Windows based.

    The attackers targeted government organisations and energy companies using a complex set of attack tools, including rootkits, bootkits and other malware for PC, Linux and, yes, Mac OS X.
    These were seriously talented hackers, looking for SSH keys and access to remote desktop clients while scooping up communications and files from victims’ machines.

    attacks on Apple’s mobile offering, iOS, as well as its desktop software can no longer be ignored

    “The biggest growth of malware is in Android, which like Windows is widely used and open – both good things but they make it a worthwhile target,” says Tarzey.

    Other mobile operating systems too are targeted by cyber criminals, and many attacks, such as those over public Wi-Fi networks, work regardless of operating system.

    As with Mac and iPhone, espionage malware has also been seen hitting Android devices.

    “The statement that niche systems are less prone to infections is no longer true. Even the least popular platforms are at risk as long as there is any potential reason for attacking them,” says Janus.

    State-sponsored attackers are less concerned about the nature of a target’s operating system than they are about the applications sitting on those operating systems.

    Clients are not the only targets either. Any piece of infrastructure connected to the internet is attractive to hackers for various reasons.

    Servers, given the valuable data passing through them, have become increasingly tempting for digital crooks, as evidenced by Operation Windigo,

    Routers are also receiving a lot of attention.
    Attacks on network devices have become more severe in recent months.

    The myriad platforms entering the workplace and the vulnerabilities residing in all of them have brought about a hugely complex environment, one fraught with risk.

    “The greater the diversity of a company’s IT infrastructure, the harder it becomes to keep everything updated and secure. Multiple devices running different versions of software mean not only more problems for IT administrators but also more opportunities for cyber criminals to get in,” says Janus.

    There is some sort of good news here: threats that are not cross-platform obviously won’t affect the entire client environment.

    “This is a difficult balancing act, just like it is in a global supply chain – one low-cost specialist supplier or three higher cost ones with possibly lower quality overall.”

    “In a modern multi-platform environment it is essential for IT managers to pay close attention to the security of every single device, not only the ones that are considered to be most at risk of being targeted.”

    “The alternative to not making people aware of the security implications is to lock down tight, but this is often unpleasantly restrictive.” It encourages workarounds that in turn create security holes because people do not understand the implications of what they are doing.

  35. Tomi Engdahl says:

    After the cyberpunks, prepare to fight a new wave of nasties
    Sometimes the FUD is real
    http://www.theregister.co.uk/2014/05/27/data_malware/

    As the Internet of Things builds up and objects that weren’t previously connected get an IP address, it is easy to forget some of those devices managing critical systems are already accessible over the web and therefore hackable.

    “Everything that is connected to the internet can become a potential entry point to the home or office network for the attacker,”

    As a prime example, Scada machines, used in energy and water plants, transport and various other national infrastructure systems, have been shown to carry serious vulnerabilities. It is unclear how many of these systems are being hacked, but there is no doubt they can be compromised.

    Due to the numerous weaknesses in critical machines, from those managing traffic lights to those helping to run the power grid, many security experts believe there will be an increase in digital attacks with a real destructive effect.

    “There are those threats which kind of drop off the radar and no one is really quite sure how they are being used or if they have been used at all because they don’t need to be used en masse,” says Malik.

    “For example, industrial control systems have been shown to be vulnerable but there isn’t enough public data available to show that they have been actively exploited.

    “On the other hand, you have threats to medical equipment and facilities. How many people’s pacemakers have been remotely turned off, or insulin levels tampered with?

    “The long and short of it is that just because something isn’t widespread, does that mean it hasn’t become a reality?”

  36. Tomi Engdahl says:

    Programming PLCs: Keep the documentation clear and simple
    http://www.controleng.com/single-article/programming-plcs-keep-the-documentation-clear-and-simple/4d626f1e2ed6d7de25dbfa0bc3d6525d.html

    Poor programmable logic controller documentation and housekeeping can lead to unnecessary troubleshooting and downtime. Keep it simple in order to avoid the possible risks and confusion.

    Different rules and programming methods are needed based on the hardware and software being used. Programming in a Siemens programmable logic controller (PLC) is not identical to programming in an Allen-Bradley PLC. There are general good practices that should be followed in any programming. The obvious is to have the program function and control as desired. Maintaining good documentation and housekeeping are good general practices in programming. Code should be easily read and understood by programming colleagues and customers. Poor documentation and housekeeping can add unnecessary time to troubleshooting, downtime, and programming.

    I suggest following the KISS principle: “Keep it simple, stupid.” Avoid unnecessary complexity and keep it simple and straightforward.

    Documentation is critical in that it helps the customer/programmer understand more easily what is going on or the code’s intent. I suggest to program with the mind-set that you, the programmer, will need to maintain it. Typically, we program and walk away from a site and might not return to the site for a long period of time.

    With documentation, another good practice is housekeeping: keeping the code clean and removing tags and code that simply go nowhere and are not needed.

  37. Tomi Engdahl says:

    7 things noncontrol people should know about control engineers
    http://www.controleng.com/single-article/7-things-noncontrol-people-should-know-about-control-engineers/f5ed3372159d196c6879f4af789d120b.html

    A few basic differences between control engineers and others in the plant can hinder progress toward optimization. Start a conversation to improve communications and controls. See examples and career advice. Send a link to these seven things other people should know about control engineers, so they understand.

  38. Tomi Engdahl says:

    UglyGorilla Hack of U.S. Utility Exposes Cyberwar Threat
    http://www.bloomberg.com/news/2014-06-13/uglygorilla-hack-of-u-s-utility-exposes-cyberwar-threat.html

    Somewhere in China, a man typed his user name, “ghost,” and password, “hijack,” and proceeded to rifle the computers of a utility in the Northeastern U.S.

    He plucked schematics of its pipelines. He copied security-guard patrol memos. He sought access to systems that regulate the flow of natural gas. He cruised channels where keystrokes could cut off a city’s heat, or make a pipeline explode.

    That didn’t appear to be his intention, and neither was economic espionage. While he was one of the Chinese officers the U.S. charged last month with infiltrating computers to steal corporate secrets, this raid was different. The hacker called UglyGorilla invaded the utility on what was probably a scouting mission, looking for information China could use to wage war.

    UglyGorilla is one of many hackers the FBI has watched.

    “This is as big a national security threat as I have ever seen in the history of this country that we are not prepared for,”

    “They’re practicing,” is how retired Army General Keith Alexander, then head of the National Security Agency

    Cyberweapons are far easier and cheaper to obtain than nuclear materials, and so is data about the vulnerabilities in industrial control systems that run the electrical grid and water purification plants. The data could be used to develop and experiment with more sophisticated attacks, according to people familiar with the operations.

    Nation-state hackers are also often freelancers, and the U.S. has identified cases where some employed by Russia and China provided their services to others for a price, according to intelligence officials.

    They were “preparing a scenario where they might be able to perform a very serious attack,”

    “‘Trust but verify’ was a phrase made popular under Reagan. We’re worse off here. It’s more like ‘don’t trust and can’t verify,’”

    While UglyGorilla accessed a gateway to systems that regulate the flow of natural gas, it wasn’t clear if he was probing the security of the system or trying to gain control of it

    Reply
  39. Tomi Engdahl says:

    Animation outlines network cabling, physical infrastructure for industrial automation site
    http://www.cablinginstall.com/articles/2014/06/panduit-industrial-cabling-video.html

    Reply
  40. Tomi Engdahl says:

    Microsoft Azure cloud platform connects with Rockwell Automation as first industrial partner
    http://www.plantengineering.com/single-article/microsoft-azure-cloud-platform-connects-with-rockwell-automation-as-first-industrial-partner/804861e061da3f0765f9d66ffc3f186b.html

    Microsoft Azure Intelligent Systems Service selected Rockwell Automation as an early adopter, the first partner in the industrial space, as part of Microsoft’s effort to bring greater connectivity to its customers, according to Barb Edson, general manager of Microsoft IoT commercial. Edson was the RSTechED keynote speaker for June 17. She said it’s not about billions of connected devices in the Internet of Things; it’s about connecting your things.

    Reply
  41. Tomi Engdahl says:

    Remote energy monitoring improves plant performance, reduces downtime
    A single dashboard can display power quality information to head off problems
    http://www.plantengineering.com/single-article/remote-energy-monitoring-improves-plant-performance-reduces-downtime/eec9fbc9daf15beb0690ee12c4ae408a.html

    In the past decade, significant changes have occurred in industrial environments. With the growing cost of downtime and rise of complex, high-density electrical equipment, power distribution systems are increasingly relied on to provide a clean, steady supply of power. Today’s electrical equipment is also far more intelligent, relying on sensitive electronic controls and microprocessors to maintain optimal plant performance around the clock.

    To keep a close eye on equipment and power status, equipment vendors and OEMs have moved away from proprietary technology and toward industry standard communications. Many pieces of modern equipment are embedded with Internet Protocol (IP) addresses, which allow plant management to actively and remotely monitor equipment by visiting a dedicated Web address for each device.

    Offering a cost-effective solution, modern electric power management software can prove a critical tool in any enterprise’s daily operation.

    Reply
  42. Tomi Engdahl says:

    Ensure network availability in an industrial environment
    http://www.controleng.com/single-article/ensure-network-availability-in-an-industrial-environment/59feed4b3ea81f251a7dc87204ea94c7.html

    These 9 tests show why you need industrial cables, rather than commercial-grade cables. Control Engineering International: Industrial grade cables can improve the long-term performance and reliability of industrial networks, explained Loredana Coscotin, product marketing manager for Industrial Cable EMEA at Belden, in a Control Engineering Europe article.

    Reply
  43. Tomi Engdahl says:

    Machine Safety: Verification is not validation
    http://www.controleng.com/single-article/machine-safety-verification-is-not-validation/92607df5de6b9cd86c572d158725b844.html

    Know the 5 steps of the functional safety lifecycle. To perform functional safety and comply with safety standards like ISO 13849-1 and ISO 13849-2, design engineers need to know how to perform verification and validation measures; they are not the same step.

    Reply
  44. Tomi Engdahl says:

    Machine Safety: Wireless and cableless are similar but different
    http://www.controleng.com/single-article/machine-safety-wireless-and-cableless-are-similar-but-different/0ffd00a56336d83b396da585da952efb.html

    Know the differences, when considering machine safety, between wireless and cableless. As an analogy, is your hand held smart phone, with all its Internet, social media, photograph and movie capabilities, wireless or cableless?

    Reply
  45. Tomi Engdahl says:

    Importance of safety and security on the rise
    When it comes to safety, or even running a process, everyone has to be on the same page to ensure a smooth running operation.
    http://www.controleng.com/single-article/importance-of-safety-and-security-on-the-rise/3d3998f35a89cca8a94804ec64ce54c9.html

    “You have to make sure the teams work together,” said Mahesh Kailasam, solutions experience director of energy, process and utilities at Dassault Systemes. “They all start from the same platform, but sometimes Team A does not know what Team B is doing.”

    When it comes to safety, Stephane Declee, vice president of energy, process and utilities at Dassault sees the levels of importance continuing to rise.

    “We see constraints and opportunities moving forward,” Declee said. “There are more and more constraints today. What we want to do is connect all the different sectors.”

    “It is all about communications,” Kailasam said.

    “Protecting the environment, assets and people are important values in safety strategies,” Gamboa said. “Making safety decisions based on compliance and social responsibilities is one thing, but shutdowns cost money. We have to engage in safety strategies to keep systems up and running.”

    Reply
  46. Tomi Engdahl says:

    Devices generate an average of 10,000 security events per day
    The number of security events sheds light on why recent high profile attacks go undetected for so long.
    http://www.controleng.com/single-article/devices-generate-an-average-of-10000-security-events-per-day/376dbfb11ddcfaf6acaba27cd1cc4cf9.html

    Devices in an average company’s network are generating an aggregate average of 10,000 security events per day, with the most active generating around 150,000 events per day, a new report said.

    In addition, large, globally-dispersed enterprises were averaging 97 active infected devices each day and leaking an aggregate average of more than 10GB of data per day, according to Damballa’s Q1 2014 State of Infections Report, compiled from analysis of 50 percent of North American ISP Internet traffic and 33 percent of mobile traffic, plus large volumes of traffic from global ISPs and enterprise customers.

    That is just one small indication showing how daunting it is for security staff to manually go through mountains of alerts in order to discover which (if any) constitute a real and present threat.

    “We are already facing a profound scarcity of skilled security professionals, which the latest Frost & Sullivan figures estimate will equate to a 47 percent shortfall by 2017,” said Brian Foster, CTO of Damballa. “If we compound this fact with the increase in data breaches and the scope of work required to identify a genuine infection from the deluge of security events hitting businesses every day, we can see why security staff are struggling to cope.”

    Reply
  47. Tomi Engdahl says:

    HMI best practices in technology
    Advances in connectivity, PC-based control and multi-touch functionality boost value of human machine interfaces (HMIs).
    http://www.controleng.com/single-article/hmi-best-practices-in-technology/1f1d0a07b4ecb28ec93a83025680af48.html

    Reply
  48. Tomi Engdahl says:

    Attackers poison legitimate apps to infect sensitive industrial control systems
    Havex operators target mission-critical controllers around the world.
    http://arstechnica.com/security/2014/06/attackers-poison-legitimate-apps-to-infect-sensitive-industrial-control-systems/

    Corporate spies have found an effective way to plant their malware on the networks of energy companies and other industrial heavyweights—by hacking the websites of software companies and waiting for the targets to install trojanized versions of legitimate apps.

    That’s what operators of the Havex malware family have done with aplomb, according to a report published Tuesday by researchers from antivirus provider F-Secure. Over the past few months, the malware group has taken a specific interest in the types of industrial control systems (ICS) used to automate everything from switches in electrical substations to sensitive equipment in nuclear power plants. In addition to the normal infection channels of spam e-mail, the malware operators have added a new tack—replacing the normal installation files of third-party software with tainted copies that surreptitiously install a remote access trojan (RAT) on the computers of targeted companies.

    “It appears the attackers abuse vulnerabilities in the software used to run the websites to break in and replace legitimate software installers available for download to customers,” F-Secure researchers Daavid Hentunen and Antti Tikkanen wrote. “Our research uncovered three software vendor sites that were compromised in this manner. The software installers available on the sites were trojanized to include the Havex RAT. We suspect more similar cases exist but have not been identified yet.”

    “Trojanizing ICS/SCADA software installers is an effective method in gaining access to target systems, potentially even including critical infrastructure.”

    Reply
  49. Tomi Engdahl says:

    Attackers fling Stuxnet-style RATs at critical control software in EUROPE
    SCADA/ICS systems under attack, warns F-Secure
    http://www.theregister.co.uk/2014/06/26/industrial_control_trojan/

    Security researchers have uncovered a series of Trojan-based attacks which have infiltrated several targets by infecting industrial control system software from the makers of SCADA and ICS systems.

    The majority of the victims are located in Europe, though at the time of writing at least one US firm’s compromised gear appears to be phoning home to botnet control servers set up by the attackers.

    Two of the European victims are major educational institutions in France known for technology-related research; two are German industrial application or machine producers; one is a French industrial machine producer; and one is a Russian construction firm.

    The motive for the attacks – much less the identity of its perpetrators – remains unclear.

    “The attackers have [made] Trojanised software available for download from ICS/SCADA manufacturer websites in an attempt to infect the computers where the software is installed”, Finnish security software firm F-Secure reports.

    “We gathered and analysed 88 variants of the Havex RAT used to gain access to, and harvest data from, networks and machines of interest.”

    The Havex RAT at the centre of the assault is distributed through either spam emails, exploit kits or (much more unusually) trojan-laden installers planted on compromised vendor sites.

    “It appears the attackers abuse vulnerabilities in the software used to run the websites to break in and replace legitimate software installers available for download to customers,”

    Reply
